# Telemetry Exporter Guard

## Module

Telemetry

## Status

IMPLEMENTED

## Description

Guard that prevents telemetry export to unauthorized endpoints, enforcing sealed-mode restrictions.

## Implementation Details

- **TelemetryExporterGuard**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TelemetryExporterGuard.cs` -- `IsExporterAllowed(descriptor, options, signal, endpoint, out decision)` that applies `IEgressPolicy` from `StellaOps.AirGap.Policy`; returns allow/deny with `EgressDecision` details; logs enforcement results
- **TelemetrySignal**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TelemetrySignal.cs` -- signal types (traces, metrics, logs) for per-signal guard evaluation
- **TelemetryServiceDescriptor**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TelemetryServiceDescriptor.cs` -- service identity for guard evaluation
- **StellaOpsTelemetryOptions.CollectorOptions**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/StellaOpsTelemetryOptions.cs` -- collector endpoint and component configuration
- **Tests**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/TelemetryExporterGuardTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan

- [ ] Verify guard blocks telemetry export to unauthorized endpoints when air-gap policy is active
- [ ] Test guard allows export when no egress policy is configured (permissive default)
- [ ] Verify per-signal guard evaluation (traces, metrics, logs can have different policies)
- [ ] Test guard logs enforcement decisions for audit trail
- [ ] Verify integration with SealedModeTelemetryService for complete export blocking