save checkpoint

docs/features/checked/telemetry/incident-forensic-mode.md

@@ -0,0 +1,26 @@
+# Incident/Forensic Mode (High-Fidelity Sampling)
+
+## Module
+Telemetry
+
+## Status
+IMPLEMENTED
+
+## Description
+Incident/forensic mode service that enables high-fidelity (100%) sampling during security incidents for detailed investigation.
+
+## Implementation Details
+- **IIncidentModeService interface**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IIncidentModeService.cs` -- `IsActive`, `CurrentState`, `ActivateAsync` (actor, tenantId, TTL override, reason), `DeactivateAsync`; manages incident mode state with per-tenant granularity
+- **IncidentModeService**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IncidentModeService.cs` -- default implementation with activation/deactivation lifecycle
+- **IncidentModeOptions**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IncidentModeOptions.cs` -- configurable default TTL and sampling rates
+- **ISealedModeTelemetryService**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/ISealedModeTelemetryService.cs` -- `IsIncidentModeOverrideActive` property enables incident mode to override sealed mode sampling rate
+- **Tests**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/IncidentModeServiceTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify incident mode activation increases sampling rate to 100%
+- [ ] Test TTL override correctly expires incident mode after configured duration
+- [ ] Verify incident mode tags are attached to all telemetry during active period
+- [ ] Test incident mode overrides sealed mode sampling restrictions
+- [ ] Verify deactivation restores normal sampling rates
+- [ ] Test per-tenant incident mode isolation