# Incident/Forensic Mode (High-Fidelity Sampling)

## Module
Telemetry

## Status
IMPLEMENTED

## Description
Incident/forensic mode service that enables high-fidelity (100%) sampling during security incidents for detailed investigation.

## Implementation Details
- **IIncidentModeService interface**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IIncidentModeService.cs` -- `IsActive`, `CurrentState`, `ActivateAsync` (actor, tenantId, TTL override, reason), `DeactivateAsync`; manages incident mode state with per-tenant granularity
- **IncidentModeService**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IncidentModeService.cs` -- default implementation with activation/deactivation lifecycle
- **IncidentModeOptions**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IncidentModeOptions.cs` -- configurable default TTL and sampling rates
- **ISealedModeTelemetryService**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/ISealedModeTelemetryService.cs` -- `IsIncidentModeOverrideActive` property enables incident mode to override sealed mode sampling rate
- **Tests**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/IncidentModeServiceTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify incident mode activation increases sampling rate to 100%
- [ ] Test TTL override correctly expires incident mode after configured duration
- [ ] Verify incident mode tags are attached to all telemetry during active period
- [ ] Test incident mode overrides sealed mode sampling restrictions
- [ ] Verify deactivation restores normal sampling rates
- [ ] Test per-tenant incident mode isolation