Add defense-grade compliance modules for federal document processing

Bump version to 0.2.0. Add five new compliance modules:

- CUI Detection (32 CFR Part 2002 / NIST 800-171): Detects CUI markings,
  classification banners (UNCLASSIFIED through TS//SCI), dissemination
  controls (NOFORN, REL TO, ORCON, PROPIN, FISA), validates CUI Registry
  categories, flags marking deficiencies, generates handling recommendations.

- Enhanced PII/PHI Detection: 30+ detection categories with confidence
  scoring. Covers HIPAA PHI (MRN, health plan IDs, patient IDs), defense
  PII (DoD ID, CAC, clearances, CAGE, DUNS), financial PII (routing
  numbers, SWIFT/BIC, EIN/TIN), and ITAR/EAR markers. Maps to HIPAA,
  Privacy Act, GLBA, PCI DSS, DFARS, and NIST 800-53 SI-4/SI-19.

- Document Sanitization: Metadata stripping, EXIF detection, hidden text
  (zero-width chars, CSS hiding), macro/script quarantine, embedded file
  scanning, hyperlink exfiltration analysis, font fingerprinting, tracked
  changes detection, hidden Excel sheets. SHA-256 integrity verification.

- Export Control Screening (ITAR/EAR): USML categories I-XXI, ECCN
  patterns with CCL mapping, 60+ controlled technology keywords (encryption,
  night vision, propulsion, guidance, stealth, DEW, nuclear, cyber), foreign
  person/entity detection for deemed exports, dual-use indicators.

- Audit Trail (FedRAMP-ready): Tamper-evident SHA-256 hash chain, CEF
  export for SIEM integration, chain-of-custody reporting, integrity
  verification. Maps to NIST 800-53 AU-2/3/6/8/9/11/12 and 800-171 3.3.x.

Pipeline integration via --cui-scan, --sanitize, --export-control,
--defense-mode, --audit-log, and --compliance-report CLI flags.

Comprehensive test suites for all five modules (170+ test cases).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: marc-shade

README.md

@@ -2,3 +2,5 @@
 from .ingest import ingest
 
 __all__ = ["ingest", "main"]
+
+__version__ = "0.2.0"

docsingest/__init__.py

@@ -1,4 +1,6 @@
 import argparse
+import json
+import os
 import sys
 from typing import Optional
 
@@ -19,10 +21,10 @@ def main(argv: Optional[list[str]] = None) -> int:
 
     parser.add_argument("directory", help="Path to the directory containing documents")
 
-    parser.add_argument("-o", "--output", default="document_context.md", 
+    parser.add_argument("-o", "--output", default="document_context.md",
                         help="Output markdown file path (default: document_context.md)")
 
-    parser.add_argument("--agent", default=None, 
+    parser.add_argument("--agent", default=None,
                         help="Initial AI agent prompt (default: Comprehensive Compliance Prompt)")
 
     # Restore hidden arguments for visibility
@@ -32,12 +34,45 @@ def main(argv: Optional[list[str]] = None) -> int:
     parser.add_argument("--compress", action="store_true", help="Compress document content")
     parser.add_argument("--compression-level", type=float, default=0.5, help="Compression level (0-1)")
 
+    # Defense compliance flags
+    compliance_group = parser.add_argument_group("Defense Compliance Options")
+    compliance_group.add_argument(
+        "--cui-scan", action="store_true",
+        help="Enable CUI (Controlled Unclassified Information) detection per 32 CFR Part 2002"
+    )
+    compliance_group.add_argument(
+        "--sanitize", action="store_true",
+        help="Enable document sanitization (metadata stripping, hidden content detection)"
+    )
+    compliance_group.add_argument(
+        "--export-control", action="store_true",
+        help="Enable ITAR/EAR export control screening"
+    )
+    compliance_group.add_argument(
+        "--defense-mode", action="store_true",
+        help="Enable ALL compliance features (CUI, sanitization, export control, enhanced PII)"
+    )
+    compliance_group.add_argument(
+        "--audit-log", type=str, default=None, metavar="PATH",
+        help="Path for audit trail output (JSON lines with SHA-256 hash chain)"
+    )
+    compliance_group.add_argument(
+        "--compliance-report", type=str, default=None, metavar="PATH",
+        help="Path for separate compliance report output (Markdown)"
+    )
+
     args = parser.parse_args(argv)
 
     try:
         # Use default compliance prompt if not specified
         agent_prompt = args.agent or args.prompt or DEFAULT_COMPLIANCE_PROMPT
 
+        # Determine which compliance features are enabled
+        cui_scan = args.cui_scan or args.defense_mode
+        sanitize = args.sanitize or args.defense_mode
+        export_control = args.export_control or args.defense_mode
+        enhanced_pii = args.defense_mode  # Enhanced PII only in defense mode or when PII is enabled
+
         # Perform document ingestion
         summary, tree, content, pii_reports = ingest(
             args.directory,
@@ -46,7 +81,13 @@ def main(argv: Optional[list[str]] = None) -> int:
             pii_analysis=not args.no_pii_analysis if hasattr(args, 'no_pii_analysis') else True,
             verbose=args.verbose if hasattr(args, 'verbose') else False,
             compress_content=args.compress if hasattr(args, 'compress') else False,
-            compression_level=args.compression_level if hasattr(args, 'compression_level') else 0.5
+            compression_level=args.compression_level if hasattr(args, 'compression_level') else 0.5,
+            cui_scan=cui_scan,
+            sanitize=sanitize,
+            export_control=export_control,
+            enhanced_pii=enhanced_pii,
+            audit_log_path=args.audit_log,
+            compliance_report_path=args.compliance_report,
         )
 
         # Print summary to console
@@ -61,6 +102,11 @@ def main(argv: Optional[list[str]] = None) -> int:
         # Indicate successful completion
         print(f"\nDocument analysis complete. Output: {args.output}")
 
+        if args.compliance_report:
+            print(f"Compliance report: {args.compliance_report}")
+        if args.audit_log:
+            print(f"Audit trail: {args.audit_log}")
+
         return 0
 
     except Exception as e:

docsingest/cli.py

@@ -0,0 +1,29 @@
+"""
+Defense-grade compliance modules for docsingest.
+
+Provides CUI detection, enhanced PII/PHI detection, document sanitization,
+export control screening, and FedRAMP-ready audit trail capabilities.
+
+Compliance Frameworks Supported:
+- NIST SP 800-171 (CUI Protection)
+- NIST SP 800-53 (Security Controls)
+- ITAR (22 CFR 120-130)
+- EAR (15 CFR 730-774)
+- HIPAA (Health Insurance Portability and Accountability Act)
+- 32 CFR Part 2002 (CUI Program)
+- FedRAMP (Federal Risk and Authorization Management Program)
+"""
+
+from docsingest.compliance.cui_detector import CUIDetector
+from docsingest.compliance.enhanced_pii import EnhancedPIIDetector
+from docsingest.compliance.sanitizer import DocumentSanitizer
+from docsingest.compliance.export_control import ExportControlScreener
+from docsingest.compliance.audit_trail import AuditTrail
+
+__all__ = [
+    "CUIDetector",
+    "EnhancedPIIDetector",
+    "DocumentSanitizer",
+    "ExportControlScreener",
+    "AuditTrail",
+]