groups:
  - name: attestor-latency
    rules:
      - alert: AttestorSignLatencyP95High
        expr: histogram_quantile(0.95, sum(rate(attestor_sign_duration_seconds_bucket[5m])) by (le)) > 2
        for: 5m
        labels:
          severity: warning
          team: devops
        annotations:
          summary: "Attestor signing latency p95 high"
          description: "Signing p95 is {{ $value }}s over the last 5m (threshold 2s)."
      - alert: AttestorVerifyLatencyP95High
        expr: histogram_quantile(0.95, sum(rate(attestor_verify_duration_seconds_bucket[5m])) by (le)) > 2
        for: 5m
        labels:
          severity: warning
          team: devops
        annotations:
          summary: "Attestor verification latency p95 high"
          description: "Verification p95 is {{ $value }}s over the last 5m (threshold 2s)."
  - name: attestor-errors
    rules:
      - alert: AttestorVerifyFailureRate
        expr: rate(attestor_verify_failures_total[5m]) / rate(attestor_verify_requests_total[5m]) > 0.02
        for: 5m
        labels:
          severity: critical
          team: devops
        annotations:
          summary: "Attestor verification failure rate above 2%"
          description: "Verification failure rate is {{ $value | humanizePercentage }} over last 5m."
  - name: attestor-keys
    rules:
      - alert: AttestorKeyRotationStale
        expr: (time() - attestor_key_last_rotated_seconds) > 60*60*24*30
        for: 10m
        labels:
          severity: warning
          team: devops
        annotations:
          summary: "Attestor signing key rotation overdue"
          description: "Signing key has not rotated in >30d ({{ $value }} seconds)."