groups:
  - name: evidence-locker
    rules:
      - alert: EvidenceLockerRetentionDrift
        expr: evidence_retention_days != 180
        for: 10m
        labels:
          severity: warning
          team: devops
        annotations:
          summary: "Evidence locker retention drift"
          description: "Configured retention {{ $value }}d differs from target 180d."

      - alert: EvidenceLockerWormDisabled
        expr: evidence_worm_enabled == 0
        for: 5m
        labels:
          severity: critical
          team: devops
        annotations:
          summary: "WORM/immutability disabled"
          description: "Evidence locker WORM not enabled."

      - alert: EvidenceLockerBackupLag
        expr: (time() - evidence_last_backup_seconds) > 3600
        for: 10m
        labels:
          severity: warning
          team: devops
        annotations:
          summary: "Evidence locker backup lag > 1h"
          description: "Last backup older than 1 hour."