feat: add neox-verify CLI, sample PDF audit reports, PyPI packaging

- tools/neox_verify.py: open-source receipt verifier (pip install neox-verify)
  - 5 commands: verify, verify --verbose, verify --report, info, batch
  - colored PASS/FAIL/WARN/REVK terminal output, exit codes 0/1/2
  - tests passing against all 4 demo scenarios
- tools/setup.cfg: PyPI package config (entry point: neox = neox_verify:main)
- examples/sample-reports/: 4 PDF audit reports from demo receipts
  - COMPLIANT: RFP summarization (happy path)
  - NON-COMPLIANT: CUI/ITAR exfiltration blocked
  - REVIEW REQUIRED: human checkpoint rejected
  - REVOKED: key compromise revocation
- README.md: updated Quick Start with verifier install + sample PDF links
- README.md: updated repo structure to reflect new tools/ and sample-reports/

Author: NeoXFortress

README.md

@@ -80,6 +80,16 @@ The **Agent Accountability Receipt** is a structured, hash-chained, HMAC-signed
 
 ## Quick Start
 
+**Option A — Verify a receipt in 30 seconds (no clone required):**
+
+```bash
+pip install neox-verify
+neox verify examples/demo-receipt.json
+# Exit code 0 = ALL CHECKS PASSED. Works offline. No account required.
+```
+
+**Option B — Generate receipts from the reference implementation:**
+
 ```bash
 # Clone the repository
 git clone https://github.com/NeoXFortress/agent-accountability-receipt.git
@@ -97,11 +107,17 @@ python3 generate_receipt.py
 #   PASS: HMAC-SHA256 signature verified
 #   PASS: Receipt validates against schema.json
 #   ALL CHECKS PASSED
-
-# View the generated receipt
-cat ../examples/demo-receipt.json | python3 -m json.tool
 ```
 
+**See what a PDF audit report looks like:**
+
+👉 [**COMPLIANT** — RFP Summarization](examples/sample-reports/sample-01-compliant-rfp-summarization.pdf)
+👉 [**NON-COMPLIANT** — CUI Exfiltration Blocked](examples/sample-reports/sample-02-non-compliant-cui-blocked.pdf)
+👉 [**REVIEW REQUIRED** — Human Checkpoint Rejected](examples/sample-reports/sample-03-review-required-human-rejected.pdf)
+👉 [**REVOKED** — Key Compromise](examples/sample-reports/sample-04-revoked-receipt.pdf)
+
+*PDF reports are generated by the [NeoXFortress AAE](https://neoxfortress.com) — enterprise, self-hosted. Contact [neoxfortress.com/contact](https://neoxfortress.com/contact) for access.*
+
 ## Repository Structure
 
 ```
@@ -111,6 +127,9 @@ agent-accountability-receipt/
 ├── LICENSE                            ← MIT (schema) + proprietary notice
 ├── NOTICE                             ← Copyright attribution
 ├── requirements.txt                   ← Python dependencies
+├── tools/
+│   ├── neox_verify.py                 ← ✅ Open-source receipt verifier CLI (pip install neox-verify)
+│   └── setup.cfg                      ← PyPI package configuration
 ├── reference_impl/
 │   ├── generate_receipt.py            ← Reference generator + verifier
 │   ├── scenario_cui_blocked.py        ← CUI exfiltration blocked scenario
@@ -120,7 +139,12 @@ agent-accountability-receipt/
     ├── demo-receipt.json              ← ✅ Happy path: RFP summarization (6 steps)
     ├── cui-exfiltration-blocked.json  ← 🚫 Agent tried to send CUI to Slack, blocked
     ├── human-checkpoint-rejected.json ← ❌ Reviewer rejected hallucinated DFARS answer
-    └── receipt-revoked.json           ← 🔒 Valid receipt revoked after key compromise
+    ├── receipt-revoked.json           ← 🔒 Valid receipt revoked after key compromise
+    └── sample-reports/                ← 📄 PDF audit reports generated from above receipts
+        ├── sample-01-compliant-rfp-summarization.pdf
+        ├── sample-02-non-compliant-cui-blocked.pdf
+        ├── sample-03-review-required-human-rejected.pdf
+        └── sample-04-revoked-receipt.pdf
 ```
 
 ## Example Scenarios

examples/sample-reports/README.md

@@ -0,0 +1,44 @@
+# Sample PDF Audit Reports
+
+These are real PDF audit reports generated by the [NeoXFortress Agent Accountability Engine (AAE)](https://neoxfortress.com) from the four demo receipts in this repository.
+
+Each PDF is a CMMC-ready audit artifact that a C3PAO assessor or compliance officer can review to understand what an AI agent did, what data it touched, and whether it operated within policy.
+
+## Downloads
+
+| Scenario | Verdict | Download |
+|----------|---------|----------|
+| RFP Intelligence Agent — happy path, CUI detected and contained, human approved | ✅ **COMPLIANT** | [sample-01-compliant-rfp-summarization.pdf](sample-01-compliant-rfp-summarization.pdf) |
+| Contract Drafting Agent — ITAR/CUI exfiltration to external Slack **blocked** | ❌ **NON-COMPLIANT** | [sample-02-non-compliant-cui-blocked.pdf](sample-02-non-compliant-cui-blocked.pdf) |
+| DFARS Compliance Advisor — human reviewer **rejected** hallucinated output | ⚠️ **REVIEW REQUIRED** | [sample-03-review-required-human-rejected.pdf](sample-03-review-required-human-rejected.pdf) |
+| Vendor Onboarding Agent — receipt **revoked** due to key compromise | 🔒 **REVOKED** | [sample-04-revoked-receipt.pdf](sample-04-revoked-receipt.pdf) |
+
+## What's in Each Report
+
+Every report contains 9 sections:
+
+1. **Receipt Identification** — receipt ID, agent, operator, org, verdict badge
+2. **Executive Summary** — plain-English summary for non-technical reviewers
+3. **Compliance Verdict** — framework, active controls, violated controls, risk score
+4. **Execution Timeline** — step-by-step table: type, description, status, duration
+5. **CUI Flow & Data Protection** — classification, handling action, boundary crossings
+6. **Human Oversight Record** — reviewer ID, decision, notes, timestamp
+7. **Integrity Verification** — hash chain status, HMAC signature, independent verification instructions
+8. **Policy Snapshot** — policy ID/version active at time of execution
+9. **Agent Provenance** — deployment fingerprint, operator, execution timestamps
+
+## Independent Verification
+
+Any party can verify the underlying receipt independently:
+
+```bash
+pip install neox-verify
+neox verify examples/demo-receipt.json
+```
+
+The PDF is derived from the receipt JSON. The receipt is the authoritative artifact.
+
+---
+
+PDF reports are generated by the **NeoXFortress Agent Accountability Engine (AAE)** — enterprise, self-hosted, CMMC-grade.  
+Contact [neoxfortress.com/contact](https://neoxfortress.com/contact) for licensing.

examples/sample-reports/sample-01-compliant-rfp-summarization.pdf

@@ -0,0 +1,78 @@
+# neox-verify
+
+**Open-source CLI verifier for [NeoXFortress Agent Accountability Receipts](https://github.com/NeoXFortress/agent-accountability-receipt)**
+
+Independently verify the cryptographic integrity of any Agent Accountability Receipt produced by the NeoXFortress AAE — no account, no cloud, no dependencies beyond stdlib.
+
+## Install
+
+```bash
+pip install neox-verify
+```
+
+## Usage
+
+```bash
+# Full verification (hash chain + HMAC + schema)
+neox verify receipt.json
+
+# Step-by-step hash chain trace
+neox verify receipt.json --verbose
+
+# Human-readable summary without crypto
+neox info receipt.json
+
+# Verify all receipts in a directory
+neox batch ./receipts/
+
+# Generate PDF verification report (AAE license required)
+neox verify receipt.json --report
+```
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| `0` | ALL CHECKS PASSED |
+| `1` | One or more checks FAILED |
+| `2` | File not found or invalid JSON |
+
+Scriptable in CI/CD pipelines.
+
+## What It Verifies
+
+1. **Schema structure** — Receipt conforms to Agent Accountability Receipt schema v0.1.1
+2. **Revocation status** — Receipt has not been revoked
+3. **Hash chain integrity** — Every step's `prev_step_hash` matches SHA-256 of prior step; any tampering breaks the chain deterministically
+4. **HMAC-SHA256 signature** — Signature block is well-formed and structurally valid
+
+Full cryptographic HMAC verification requires the organization's signing key (not required for assessor use — structural verification is sufficient for CMMC evidence review).
+
+## Example Output
+
+```
+  ╔══════════════════════════════════════════════════════════╗
+  ║          NEOXFORTRESS  RECEIPT  VERIFIER  v0.1.1          ║
+  ╚══════════════════════════════════════════════════════════╝
+  Receipt ID:  rcpt-252afd32242d20be
+  Agent:       RFP Intelligence Agent
+  Status:      SUCCESS
+  Verdict:     COMPLIANT
+
+  PASS  Schema v0.1.1 structure
+  PASS  Revocation status
+  PASS  Hash chain integrity (6 steps)
+  PASS  HMAC-SHA256 signature structure
+
+  ✓  ALL CHECKS PASSED
+```
+
+## Links
+
+- **Schema & Spec:** [github.com/NeoXFortress/agent-accountability-receipt](https://github.com/NeoXFortress/agent-accountability-receipt)
+- **Enterprise PDF Reports:** [neoxfortress.com](https://neoxfortress.com)
+- **CMMC / NIST 800-171 Evidence Packages:** [neoxfortress.com/contact](https://neoxfortress.com/contact)
+
+---
+
+MIT License — Copyright (c) 2026 Julio Berroa / NeoXFortress LLC