# Evidence Locker Incident Mode

> Sprint 55 / Task EVID-OBS-55-001 – retention & debug hooks

Incident mode is a service-wide switch that increases forensic fidelity when StellaOps enters a suspected compromise or SLO breach. The Evidence Locker reacts to the flag in four ways:

1. **Extended retention.** Every newly sealed bundle receives an `ExpiresAt` timestamp of `CreatedAt + Incident.RetentionExtensionDays` so downstream TTL jobs keep artefacts long enough for investigation.
2. **Debug artefacts.** Snapshot requests emit an `incident/request-*.json` payload into the object store. The payload captures the normalized request metadata/materials plus the incident stamp so offline replay tooling has everything it needs. The manifest surfaces the artefact under the `incident/` section and packaging streams it alongside the canonical bundle files.
3. **Manifest metadata.** Bundles carry `incident.mode`, `incident.changedAt`, and `incident.retentionExtensionDays` metadata so verifiers and auditors can see exactly when the mode toggled and how long retention was extended.
4. **Operational signals.** Activation/deactivation events are published to the Timeline Indexer (and, via the notifier stub, to the future Notify integration). The `IEvidenceTimelinePublisher` now emits `evidence.incident.mode` with `state` and retention attributes, giving Ops a canonical audit trail.
5. **Signed activation/exit (EB7).** Incident toggles MUST be recorded inside the bundle manifest (`incident` block) and in the DSSE predicate with signer identity and timestamp. Offline environments must still include the activation record even when no Rekor entry is possible; when online, include transparency log pointers alongside the incident record.

Configuration lives under `EvidenceLocker:Incident`:

```jsonc
"EvidenceLocker": {
  "Incident": {
    "Enabled": true,
    "RetentionExtensionDays": 60,
    "CaptureRequestSnapshot": true
  }
}
```

`IncidentModeManager` watches the options and raises events whenever the state flips. Tests cover retention math, timeline/notifier fan-out, and the new debug artefact path.

## Recording rules (EB7)

- Manifest fields (see `bundle.manifest.schema.json`): `incident.activatedAt`, `incident.activatedBy`, `incident.reason`, and optional `incident.deactivatedAt`, `incident.deactivatedBy`.
- DSSE predicate: include `incident` block mirroring the manifest plus `signer` (provider/keyid) and `log_policy` (`submit` | `skip-offline`).
- CLI/API: activation/deactivation commands must require a reason string and emit a signed record even when the state is unchanged (idempotent write with identical payload hash).
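
An auditor-side check of the recording rules above, as an added example that is not StellaOps code. It assumes the manifest and DSSE predicate have already been signature-verified and decoded to JSON objects, that `signer` is an object with `provider` and `keyid` keys, and that transparency log pointers sit under a hypothetical `rekor` key.

```python
from datetime import datetime

REQUIRED = ("activatedAt", "activatedBy", "reason")
LOG_POLICIES = {"submit", "skip-offline"}


def _ts(value):
    # Assumed encoding: RFC 3339 timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_incident_record(manifest, predicate):
    """Return a list of findings; an empty list means the record passes."""
    findings = []
    m_inc = manifest.get("incident")
    if not isinstance(m_inc, dict):
        return ["manifest: incident block missing"]
    for field in REQUIRED:
        if not str(m_inc.get(field) or "").strip():
            findings.append(f"manifest: incident.{field} missing or empty")
    if m_inc.get("deactivatedAt") and m_inc.get("activatedAt"):
        if _ts(m_inc["deactivatedAt"]) < _ts(m_inc["activatedAt"]):
            findings.append("manifest: deactivatedAt precedes activatedAt")
    # The predicate's incident block must mirror the manifest exactly.
    if predicate.get("incident") != m_inc:
        findings.append("predicate: incident block does not mirror manifest")
    signer = predicate.get("signer") or {}
    for field in ("provider", "keyid"):
        if not signer.get(field):
            findings.append(f"predicate: signer.{field} missing")
    # Assumption: online submissions carry their log pointers under "rekor".
    policy = predicate.get("log_policy")
    if policy not in LOG_POLICIES:
        findings.append(f"predicate: log_policy {policy!r} not allowed")
    elif policy == "submit" and not predicate.get("rekor"):
        findings.append("predicate: log_policy=submit but no transparency log pointer")
    return findings


# Constructed sample data (not from a real bundle).
INCIDENT = {"activatedAt": "2025-01-10T08:00:00Z", "activatedBy": "ops@example.test",
            "reason": "suspected credential compromise"}
SIGNER = {"provider": "example-kms", "keyid": "key-0001"}
MANIFEST = {"incident": dict(INCIDENT)}
OFFLINE = {"incident": dict(INCIDENT), "signer": SIGNER, "log_policy": "skip-offline"}

if __name__ == "__main__":
    print(check_incident_record(MANIFEST, OFFLINE))
```

An offline bundle passes with `skip-offline` as long as the activation record is present and mirrored; a `submit` predicate without log pointers is reported.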