git.stella-ops.org/docs/features/checked/telemetry/incident-forensic-mode.md
2026-02-14 09:11:48 +02:00

Incident/Forensic Mode (High-Fidelity Sampling)

Module

Telemetry

Status

IMPLEMENTED

Description

Incident/forensic mode service that enables high-fidelity (100%) sampling during security incidents for detailed investigation.

Implementation Details

  • IIncidentModeService interface: src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IIncidentModeService.cs -- IsActive, CurrentState, ActivateAsync (actor, tenantId, TTL override, reason), DeactivateAsync; manages incident mode state with per-tenant granularity
  • IncidentModeService: src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IncidentModeService.cs -- default implementation with activation/deactivation lifecycle
  • IncidentModeOptions: src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/IncidentModeOptions.cs -- configurable default TTL and sampling rates
  • ISealedModeTelemetryService: src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/ISealedModeTelemetryService.cs -- IsIncidentModeOverrideActive property enables incident mode to override sealed mode sampling rate
  • Tests: src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/IncidentModeServiceTests.cs
  • Source: Feature matrix scan

E2E Test Plan

  • Verify incident mode activation increases sampling rate to 100%
  • Test TTL override correctly expires incident mode after configured duration
  • Verify incident mode tags are attached to all telemetry during active period
  • Test incident mode overrides sealed mode sampling restrictions
  • Verify deactivation restores normal sampling rates
  • Test per-tenant incident mode isolation
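
The test plan above, exercised against a small in-memory model. This is an added example, not StellaOps code: `IncidentModeModel`, its method signatures, the sample rates, and the rule that sealed mode caps the sampling rate are all assumptions made for illustration.

```csharp
// Added model of the test-plan behaviour; not StellaOps code. Types, signatures,
// rates and the sealed-mode rule (sealed mode caps the rate) are assumptions.
using System;
using System.Collections.Concurrent;

var now = DateTimeOffset.UnixEpoch; // constructed fake clock, advanced by hand
var mode = new IncidentModeModel(() => now, TimeSpan.FromMinutes(30));

mode.Activate("analyst-1", "tenant-a", TimeSpan.FromMinutes(5), "constructed incident");
Check(mode.SamplingRate("tenant-a", 0.10, sealedCap: 0.01) == 1.0, "active tenant: 100%, sealed cap overridden");
Check(mode.SamplingRate("tenant-b", 0.10, sealedCap: 0.01) == 0.01, "other tenant: still capped (isolation)");

now += TimeSpan.FromMinutes(6); // past the 5-minute TTL override
Check(!mode.IsActive("tenant-a"), "TTL override expired the activation");
Check(mode.SamplingRate("tenant-a", 0.10, null) == 0.10, "normal rate restored after expiry");

mode.Activate("analyst-1", "tenant-a", null, "constructed incident"); // default TTL
mode.Deactivate("tenant-a");
Check(!mode.IsActive("tenant-a"), "explicit deactivation ends incident mode");

static void Check(bool ok, string what)
{
    if (!ok) throw new InvalidOperationException("FAILED: " + what);
    Console.WriteLine("ok: " + what);
}

sealed record Activation(string Actor, string Reason, DateTimeOffset ExpiresAt);

sealed class IncidentModeModel
{
    private readonly ConcurrentDictionary<string, Activation> _byTenant = new();
    private readonly Func<DateTimeOffset> _clock;
    private readonly TimeSpan _defaultTtl;

    public IncidentModeModel(Func<DateTimeOffset> clock, TimeSpan defaultTtl)
        => (_clock, _defaultTtl) = (clock, defaultTtl);

    public void Activate(string actor, string tenantId, TimeSpan? ttlOverride, string reason)
        => _byTenant[tenantId] = new Activation(actor, reason, _clock() + (ttlOverride ?? _defaultTtl));

    public void Deactivate(string tenantId) => _byTenant.TryRemove(tenantId, out _);

    // Expiry is evaluated on read, so the model needs no background timer.
    public bool IsActive(string tenantId)
        => _byTenant.TryGetValue(tenantId, out var a) && _clock() < a.ExpiresAt;

    public double SamplingRate(string tenantId, double baseline, double? sealedCap)
        => IsActive(tenantId) ? 1.0 : sealedCap.HasValue ? Math.Min(baseline, sealedCap.Value) : baseline;
}
```

Keying state by tenant and checking expiry on every read means a forgotten activation cannot keep 100% sampling on past its TTL, and one tenant's incident never raises another tenant's rate.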