semi implemented and features implemented save checkpoint

docs/features/unchecked/cli/incident-response-cli.md

@@ -0,0 +1,28 @@
+# Incident Response CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for incident response lifecycle management. Users can start incident mode with severity/scope/description (auto-creates evidence holds and sends notifications), view incident status with timeline, end incidents with resolution notes and optional evidence hold release/report generation, and list all incidents filtered by status.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/IncidentCommandGroup.cs` -- `IncidentCommandGroup` for `stella incident` commands
+- **IR Commands**: `src/Cli/StellaOps.Cli/Commands/Ir/IrCommandGroup.cs` -- incident response operations
+- **Commands**:
+  - `stella incident start --severity <level> --scope <scope> --description <text>` -- start incident mode (auto-creates evidence holds, sends notifications)
+  - `stella incident status <incident-id>` -- view incident status with timeline
+  - `stella incident end <incident-id> --resolution <text>` -- end incident. Options: `--release-holds`, `--generate-report`
+  - `stella incident list` -- list incidents. Options: `--status open|closed|all`
+
+## E2E Test Plan
+- [ ] Run `stella incident start --severity critical --scope "production" --description "CVE-2024-1234 exploited"` and verify incident created
+- [ ] Verify evidence holds auto-created on incident start
+- [ ] Verify notifications sent on incident start
+- [ ] Run `stella incident status <id>` and verify timeline displayed
+- [ ] Run `stella incident end <id> --resolution "Patched" --release-holds --generate-report` and verify incident closed
+- [ ] Run `stella incident list --status open` and verify open incidents listed
+- [ ] Verify `--format json` output