Implement ledger metrics for observability and add tests for Ruby packages endpoints

- Added `LedgerMetrics` class to record write latency and total events for ledger operations.
- Created comprehensive tests for Ruby packages endpoints, covering scenarios for missing inventory, successful retrieval, and identifier handling.
- Introduced `TestSurfaceSecretsScope` for managing environment variables during tests.
- Developed `ProvenanceMongoExtensions` for attaching DSSE provenance and trust information to event documents.
- Implemented `EventProvenanceWriter` and `EventWriter` classes for managing event provenance in MongoDB.
- Established MongoDB indexes for efficient querying of events based on provenance and trust.
- Added models and JSON parsing logic for DSSE provenance and trust information.

offline/notifier/templates/attestation/tmpl-attest-expiry-warning.email.en-us.template.json

@@ -0,0 +1,16 @@
+{
+  "schemaVersion": "notify.template@1",
+  "templateId": "tmpl-attest-expiry-warning-email-en-us",
+  "tenantId": "bootstrap",
+  "channelType": "email",
+  "key": "tmpl-attest-expiry-warning",
+  "locale": "en-us",
+  "renderMode": "html",
+  "format": "email",
+  "description": "Expiry warning for attestations approaching their expiration window.",
+  "body": "<h2>Attestation expiry notice</h2>\n<p>The attestation for <code>{{payload.subject.repository}}</code> (digest {{payload.subject.digest}}) expires on <strong>{{payload.attestation.expiresAt}}</strong>.</p>\n<ul>\n  <li>Issued: {{payload.attestation.issuedAt}}</li>\n  <li>Signer: <code>{{payload.signer.kid}}</code> ({{payload.signer.algorithm}})</li>\n  <li>Time remaining: {{expires_in payload.attestation.expiresAt event.ts}}</li>\n</ul>\n<p>Please rotate the attestation before expiry using <a href=\"{{payload.links.docs}}\">these instructions</a>.</p>\n<p>Console: <a href=\"{{payload.links.console}}\">{{payload.links.console}}</a></p>\n",
+  "metadata": {
+    "author": "notifications-bootstrap",
+    "version": "2025-11-12"
+  }
+}

offline/notifier/templates/attestation/tmpl-attest-key-rotation.email.en-us.template.json

@@ -0,0 +1,16 @@
+{
+  "schemaVersion": "notify.template@1",
+  "templateId": "tmpl-attest-key-rotation-email-en-us",
+  "tenantId": "bootstrap",
+  "channelType": "email",
+  "key": "tmpl-attest-key-rotation",
+  "locale": "en-us",
+  "renderMode": "html",
+  "format": "email",
+  "description": "Email bulletin for attestation key rotation or revocation events.",
+  "body": "<h2>Attestation key rotation notice</h2>\n<p>Authority rotated or revoked signing keys at {{payload.rotation.executedAt}}.</p>\n<ul>\n  <li>Rotation batch: {{payload.rotation.batchId}}</li>\n  <li>Impacted services: {{payload.rotation.impactedServices}}</li>\n  <li>Reason: {{payload.rotation.reason}}</li>\n</ul>\n<p>Recommended action: {{payload.recommendation}}</p>\n<p>Docs: <a href=\"{{payload.links.docs}}\">Rotation playbook</a></p>\n",
+  "metadata": {
+    "author": "notifications-bootstrap",
+    "version": "2025-11-12"
+  }
+}

offline/notifier/templates/attestation/tmpl-attest-key-rotation.webhook.en-us.template.json

@@ -0,0 +1,16 @@
+{
+  "schemaVersion": "notify.template@1",
+  "templateId": "tmpl-attest-key-rotation-webhook-en-us",
+  "tenantId": "bootstrap",
+  "channelType": "webhook",
+  "key": "tmpl-attest-key-rotation",
+  "locale": "en-us",
+  "renderMode": "json",
+  "format": "webhook",
+  "description": "Webhook payload for attestation key rotation/revocation events.",
+  "body": "{\n  \"event\": \"authority.keys.rotated\",\n  \"tenantId\": \"{{event.tenant}}\",\n  \"batchId\": \"{{payload.rotation.batchId}}\",\n  \"executedAt\": \"{{payload.rotation.executedAt}}\",\n  \"impactedServices\": \"{{payload.rotation.impactedServices}}\",\n  \"reason\": \"{{payload.rotation.reason}}\",\n  \"links\": {\n    \"docs\": \"{{payload.links.docs}}\",\n    \"console\": \"{{payload.links.console}}\"\n  }\n}\n",
+  "metadata": {
+    "author": "notifications-bootstrap",
+    "version": "2025-11-12"
+  }
+}

offline/notifier/templates/attestation/tmpl-attest-transparency-anomaly.slack.en-us.template.json

@@ -0,0 +1,16 @@
+{
+  "schemaVersion": "notify.template@1",
+  "templateId": "tmpl-attest-transparency-anomaly-slack-en-us",
+  "tenantId": "bootstrap",
+  "channelType": "slack",
+  "key": "tmpl-attest-transparency-anomaly",
+  "locale": "en-us",
+  "renderMode": "markdown",
+  "format": "slack",
+  "description": "Slack alert for transparency witness anomalies.",
+  "body": ":warning: Transparency anomaly detected for `{{payload.subject.digest}}`\nWitness: `{{payload.transparency.witnessId}}` ({{payload.transparency.classification}})\nRekor index: {{payload.transparency.rekorIndex}}\nAnomaly window: {{payload.transparency.windowStart}} → {{payload.transparency.windowEnd}}\nRecommended action: {{payload.recommendation}}\nConsole details: {{link \"Open in Console\" payload.links.console}}\n",
+  "metadata": {
+    "author": "notifications-bootstrap",
+    "version": "2025-11-12"
+  }
+}

offline/notifier/templates/attestation/tmpl-attest-transparency-anomaly.webhook.en-us.template.json

@@ -0,0 +1,16 @@
+{
+  "schemaVersion": "notify.template@1",
+  "templateId": "tmpl-attest-transparency-anomaly-webhook-en-us",
+  "tenantId": "bootstrap",
+  "channelType": "webhook",
+  "key": "tmpl-attest-transparency-anomaly",
+  "locale": "en-us",
+  "renderMode": "json",
+  "format": "webhook",
+  "description": "Webhook payload for Rekor transparency anomalies.",
+  "body": "{\n  \"event\": \"attestor.transparency.anomaly\",\n  \"tenantId\": \"{{event.tenant}}\",\n  \"subjectDigest\": \"{{payload.subject.digest}}\",\n  \"witnessId\": \"{{payload.transparency.witnessId}}\",\n  \"classification\": \"{{payload.transparency.classification}}\",\n  \"rekorIndex\": {{payload.transparency.rekorIndex}},\n  \"window\": {\n    \"start\": \"{{payload.transparency.windowStart}}\",\n    \"end\": \"{{payload.transparency.windowEnd}}\"\n  },\n  \"links\": {\n    \"console\": \"{{payload.links.console}}\",\n    \"rekor\": \"{{payload.links.rekor}}\"\n  },\n  \"recommendation\": \"{{payload.recommendation}}\"\n}\n",
+  "metadata": {
+    "author": "notifications-bootstrap",
+    "version": "2025-11-12"
+  }
+}

offline/notifier/templates/attestation/tmpl-attest-verify-fail.email.en-us.template.json

@@ -0,0 +1,16 @@
+{
+  "schemaVersion": "notify.template@1",
+  "templateId": "tmpl-attest-verify-fail-email-en-us",
+  "tenantId": "bootstrap",
+  "channelType": "email",
+  "key": "tmpl-attest-verify-fail",
+  "locale": "en-us",
+  "renderMode": "html",
+  "format": "email",
+  "description": "Email notice for attestation verification failures.",
+  "body": "<h2>Attestation verification failure</h2>\n<p>The attestation for <code>{{payload.subject.repository}}</code> (digest {{payload.subject.digest}}) failed verification at {{event.ts}}.</p>\n<ul>\n  <li>Reason: <code>{{payload.failure.reasonCode}}</code> — {{payload.failure.reason}}</li>\n  <li>Signer: <code>{{payload.signer.kid}}</code> ({{payload.signer.algorithm}})</li>\n  <li>Rekor entry: <a href=\"{{payload.links.rekor}}\">{{payload.links.rekor}}</a></li>\n  <li>Last valid attestation: <a href=\"{{payload.links.console}}\">Console report</a></li>\n</ul>\n<p>{{payload.recommendation}}</p>\n",
+  "metadata": {
+    "author": "notifications-bootstrap",
+    "version": "2025-11-12"
+  }
+}

offline/notifier/templates/attestation/tmpl-attest-verify-fail.slack.en-us.template.json

@@ -0,0 +1,16 @@
+{
+  "schemaVersion": "notify.template@1",
+  "templateId": "tmpl-attest-verify-fail-slack-en-us",
+  "tenantId": "bootstrap",
+  "channelType": "slack",
+  "key": "tmpl-attest-verify-fail",
+  "locale": "en-us",
+  "renderMode": "markdown",
+  "format": "slack",
+  "description": "Slack alert for attestation verification failures with Rekor traceability.",
+  "body": ":rotating_light: {{attestation_status_badge payload.failure.status}} verification failed for `{{payload.subject.digest}}`\nSigner: `{{fingerprint payload.signer.kid}}` ({{payload.signer.algorithm}})\nReason: `{{payload.failure.reasonCode}}` — {{payload.failure.reason}}\nLast valid attestation: {{link \"Console\" payload.links.console}}\nRekor entry: {{link \"Transparency log\" payload.links.rekor}}\nRecommended action: {{payload.recommendation}}\n",
+  "metadata": {
+    "author": "notifications-bootstrap",
+    "version": "2025-11-12"
+  }
+}

offline/notifier/templates/attestation/tmpl-attest-verify-fail.webhook.en-us.template.json

@@ -0,0 +1,16 @@
+{
+  "schemaVersion": "notify.template@1",
+  "templateId": "tmpl-attest-verify-fail-webhook-en-us",
+  "tenantId": "bootstrap",
+  "channelType": "webhook",
+  "key": "tmpl-attest-verify-fail",
+  "locale": "en-us",
+  "renderMode": "json",
+  "format": "webhook",
+  "description": "JSON payload for Pager/SOC integrations on attestation verification failures.",
+  "body": "{\n  \"event\": \"attestor.verification.failed\",\n  \"tenantId\": \"{{event.tenant}}\",\n  \"subjectDigest\": \"{{payload.subject.digest}}\",\n  \"repository\": \"{{payload.subject.repository}}\",\n  \"reasonCode\": \"{{payload.failure.reasonCode}}\",\n  \"reason\": \"{{payload.failure.reason}}\",\n  \"signer\": {\n    \"kid\": \"{{payload.signer.kid}}\",\n    \"algorithm\": \"{{payload.signer.algorithm}}\"\n  },\n  \"rekor\": {\n    \"url\": \"{{payload.links.rekor}}\",\n    \"uuid\": \"{{payload.rekor.uuid}}\",\n    \"index\": {{payload.rekor.index}}\n  },\n  \"recommendation\": \"{{payload.recommendation}}\"\n}\n",
+  "metadata": {
+    "author": "notifications-bootstrap",
+    "version": "2025-11-12"
+  }
+}