semi implemented and features implemented save checkpoint

docs/features/unchecked/telemetry/telemetry-exporter-guard.md

@@ -0,0 +1,25 @@
+# Telemetry Exporter Guard
+
+## Module
+Telemetry
+
+## Status
+IMPLEMENTED
+
+## Description
+Guard that prevents telemetry export to unauthorized endpoints, enforcing sealed-mode restrictions.
+
+## Implementation Details
+- **TelemetryExporterGuard**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TelemetryExporterGuard.cs` -- `IsExporterAllowed(descriptor, options, signal, endpoint, out decision)` that applies `IEgressPolicy` from `StellaOps.AirGap.Policy`; returns allow/deny with `EgressDecision` details; logs enforcement results
+- **TelemetrySignal**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TelemetrySignal.cs` -- signal types (traces, metrics, logs) for per-signal guard evaluation
+- **TelemetryServiceDescriptor**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TelemetryServiceDescriptor.cs` -- service identity for guard evaluation
+- **StellaOpsTelemetryOptions.CollectorOptions**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/StellaOpsTelemetryOptions.cs` -- collector endpoint and component configuration
+- **Tests**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/TelemetryExporterGuardTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify guard blocks telemetry export to unauthorized endpoints when air-gap policy is active
+- [ ] Test guard allows export when no egress policy is configured (permissive default)
+- [ ] Verify per-signal guard evaluation (traces, metrics, logs can have different policies)
+- [ ] Test guard logs enforcement decisions for audit trail
+- [ ] Verify integration with SealedModeTelemetryService for complete export blocking