groups:
  - name: provenance
    rules:
      - alert: ProvenanceKeyRotationOverdue
        expr: (time() - provenance_last_key_rotation_seconds) > 60*60*24*90
        for: 10m
        labels:
          severity: warning
          team: devops
        annotations:
          summary: "Provenance signing key rotation overdue"
          description: "Last rotation {{ $value }} seconds ago (>90d)."

      - alert: ProvenanceSignerFailures
        expr: rate(provenance_sign_failures_total[5m]) > 0
        for: 5m
        labels:
          severity: critical
          team: devops
        annotations:
          summary: "Provenance signer failures detected"
          description: "Signer failure rate non-zero in last 5m."