git.stella-ops.org/ops/devops/attestation/ALERTS.md

# Attestation Alerts & Dashboards (DEVOPS-ATTEST-75-001)

## Prometheus alert rules
File: `ops/devops/attestation/attestation-alerts.yaml`
- `AttestorSignLatencyP95High`: p95 signing latency > 2s for 5m.
- `AttestorVerifyLatencyP95High`: p95 verification latency > 2s for 5m.
- `AttestorVerifyFailureRate`: verification failures / requests > 2% over 5m.
- `AttestorKeyRotationStale`: key not rotated in 30d.

Metrics expected:
- `attestor_sign_duration_seconds_bucket`
- `attestor_verify_duration_seconds_bucket`
- `attestor_verify_failures_total`
- `attestor_verify_requests_total`
- `attestor_key_last_rotated_seconds` (gauge of Unix epoch seconds of last rotation)

## Grafana
File: `ops/devops/attestation/grafana/attestation-latency.json`
- Panels: signing p50/p95, verification p50/p95, failure rate, key-age gauge, last 24h error counts.

## Runbook
- Verify exporters scrape `attestor-*` metrics from Attestor service.
- Ensure alertmanager routes `team=devops` to on-call.
- Key rotation alert: rotate via standard KMS workflow; acknowledge alert after new metric value observed.