feat: marque MVP foundation — spec, codegen, engine pipeline

[bashandbone]

Summary

Lands the foundational work for the marque MVP (branch 001-marque-mvp): the ratified feature spec, Phase 1 workspace restructure (new marque-ism leaf crate + dev scaffolding), and Phase 2 (ODNI CVE XML→Rust codegen, typed IsmAttributes, FixProposal/AppliedFix type split, FR-016 deterministic fix ordering with overlap guard, layered config with hard-fail validators, and a Clock-injected engine). Unblocks Phase 3 (US1 rules + CLI) where real spans will be wired through the scanner.

Changes

Spec & contracts (51c4aa7 — 17 expert-panel findings)

• Audit-record reconciled with AppliedFix (input, source enum, schema_version)

• FR-005a NDJSON atomic-write contract with error-frame recovery

• FR-016 total-order fix application: (span.end DESC, span.start DESC, rule_id ASC, replacement ASC)

• US2/US3 acceptance scenarios rewritten with literal-byte fixtures

• SC-001 scoped to native; SC-001b advisory WASM latency bar

• FR-008 severity=off invariant: unrepresentable on emitted diagnostics

• FR-010 (committed [user] refusal) and FR-011 (schema version match) validators

Phase 1 — workspace restructure (71e1f11)

• New marque-ism leaf crate owning Span, IsmAttributes, TokenSet, CapcoTokenSet, build.rs codegen, and ODNI schemas (resolves the circular dependency between marque-core and marque-capco)

• marque-rules depends directly on marque-ism

• marque-core retains thin re-exports for back-compat

• Test corpus scaffolding (CORPUS_CONTRACT.md, CORPUS_PROVENANCE.md)

• Criterion benchmark skeletons; scripts/check.sh; .config/nextest.toml

Phase 1 review fixes (a46086b — critical/high/medium)

• Guard Engine::fix against placeholder Span(0,0) (output-corruption prevention)

• Filter remaining_diagnostics to exclude already-applied fixes

• Span::as_str returns Result instead of panicking

• CoreError::InvalidUtf8, proper CRLF handling, full CAB scan, dedup CVE_TOKENS

• PartialOrd/Ord on RuleId for FR-016 sort

Phase 2 — foundational crates (dacea46)

• Real ODNI CVE XML and XSD parsing → typed Rust enums (SciControl, DissemControl, SarIdentifier, DeclassExemption, ExemptFrom) + TRIGRAPHS + sorted/deduplicated ALL_CVE_TOKENS + validators + migrations, with T010 schema-version pinning

• marque-rules: FixProposal (pure data) vs AppliedFix (engine-only promotion via __engine_promote); FixSource enum; Severity::Off as first variant; Diagnostic carries citation

• marque-engine: Engine with Clock injection, FixMode::{Apply, DryRun}, config-driven severity overrides, FR-016 sort + overlap guard (reverse-walk window) + HashSet<(RuleId, Span)> for O(1) remaining_diagnostics filter

• marque-config: layered load with FR-010/FR-011 hard-fail, confidence_threshold validation, MARQUE_CONFIDENCE_THRESHOLD env binding

• marque-capco: E001 banner abbreviation, E002 missing/misordered USA trigraph, E004 separator count (stub), E005 declass in banner

• marque-core/parser: uses generated enum parse() for SCI/dissem/SAR/declass; Classification remains hand-written (portion + banner forms)

• New Clock trait + SystemClock/FixedClock for deterministic audit timestamps in tests

• Engine::fix_with_threshold plumbs --confidence CLI flag and server FixRequest.confidence_threshold through with InvalidThreshold validation

• Server now calls marque_config::load() (runs FR-011 check instead of Config::default() fallback)

• Silent-fallback cluster fixed: MARQUE_CONFIDENCE_THRESHOLD parse failure → ConfigError::InvalidEnvVar; rule severity string typos → ConfigError::UnknownSeverity; current_dir() failure → exit 74

• Safety hardening: Trigraph inner field private with try_new ASCII validator (infallible as_str via from_utf8_unchecked + SAFETY comment); RuleId/FixedClock fields private with new constructors; FixProposal::new confidence check is release-mode assert! (not debug_assert!); Span::new release-mode assert + try_as_slice checked variant

• Ergonomics/perf: AppliedFix.classifier_id and .input are Arc<str> for O(1) clone; BatchEngine.lint_many/fix_many yield Result<_, BatchError> instead of aborting on JoinError; Severity has Display/as_str (server/CLI/wasm stop using format!(\"{:?}\")); canonicalize uses binary_search over sorted ALL_CVE_TOKENS

• Build-script hardening: resolve_idents asserts generated enum variants are non-empty and unique; XML/XSD unescape failures now panic with file context instead of silently truncating

Files Changed

820 files changed, +7612 / -853.

The bulk of the file count is the ODNI ISM v2022-DEC schema bundle (CVE XML, XSD, Schematron, RNG) relocated into crates/marque-ism/schemas/ISM-v2022-DEC/ during Phase 1. The source/test churn is concentrated in crates/marque-{ism,rules,engine,capco,config,core,server,wasm}/src/ and marque/src/main.rs.

| Area | Status |

|---|---|

| specs/001-marque-mvp/ (spec, contracts, data model, tasks) | Added/Modified |

| crates/marque-ism/ (new crate + schemas + build.rs codegen) | Added |

| crates/marque-{rules,engine,capco,config,core}/src/ | Modified |

| crates/marque-{server,wasm}/src/ | Modified |

| marque/src/main.rs (CLI) | Modified |

| crates/marque-engine/src/clock.rs | Added |

| tests/corpus/ (contract + provenance + fixture scaffolding) | Added |

| scripts/check.sh, .config/nextest.toml, benches/ | Added |

Testing

• Unit tests: 45 new tests across marque-config (8), marque-engine (7), marque-ism (17), marque-rules (10), plus 3 existing marque-core scanner tests — zero failures

• Engine coverage: FR-016 reverse-order application, C-1 overlap guard, FixMode::DryRun, fix_with_threshold validation (NaN, out-of-range, boundaries), FixedClock determinism

• Config coverage: set_confidence_threshold boundaries + NaN rejection, rule severity string validation (case-sensitivity, empty, typos), exit_code() matrix

• Type invariants: Trigraph::try_new ASCII enforcement, Span::new panic on inverted bounds, Span::try_as_slice bounds safety, FixProposal::new release-mode confidence assert, generated CVE token sorted-and-unique invariant

• Static checks: cargo clippy --workspace --all-targets -- -D warnings clean; cargo fmt --check clean

• Build: cargo check --workspace and cargo build --workspace both succeed

Test plan

• CI runs cargo check --workspace

• CI runs cargo clippy --workspace --all-targets -- -D warnings

• CI runs cargo test --workspace (or cargo nextest run --workspace)

• CI runs cargo fmt --check

• Manual: marque check <file> on a fixture with a banner marking exits 0 when clean

• Manual: marque fix --dry-run <file> reports would-apply count without mutating source

• Manual: MARQUE_CONFIDENCE_THRESHOLD=bananas marque check x exits 65 with clear error

• Manual: .marque.toml with banner-abbreviation = "err" (typo) exits 65 with clear error

Related Issues

None linked.

Notes for Reviewers

• PR size: This is a large PR because it bundles the ratified spec, Phase 1 workspace restructure, and Phase 2 foundational crates. The schema file count inflates the stat; the code review surface is the crates/marque-*/src/ and marque/src/main.rs diffs, plus build.rs.

• Phase 2 review artifact: The full local review report (4 CRITICAL + 10 HIGH + 10 MEDIUM + 9 LOW) is at .claude/PRPs/reviews/phase-2-local-review.md in the working tree (not committed). All 14 prioritized findings are resolved in the Phase 2 commit — see the commit body for the full mapping.

• Known Phase 3 TODOs left in code: RuleContext zone/position are hardcoded to Body with a TODO(phase-3) marker; rule fixes emit Span::new(0, 0) placeholders that are filtered by the engine's is_empty() guard until Phase 3 wires real per-token spans from the scanner. The C-1 overlap guard landed now specifically to protect Phase 3's real spans.

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Foundational MVP work for “marque” across spec/contracts, schema/codegen, core parsing types, config loading/validation, and engine fix application (ordering/overlap guards, clock injection), plus CLI/server/WASM plumbing updates.

Changes:

• Introduces marque-ism with generated ODNI CVE-derived enums/tables and token utilities; updates core scanner/parser to use typed attributes and renamed candidate types.
• Refactors rules/engine contracts (FixProposal vs AppliedFix, deterministic fix ordering, overlap guard, injected clock) and propagates API changes through CLI/server/WASM.
• Implements layered config loading with hard-fail validators (schema pinning, severity/threshold validation) and improved error handling/exit codes.

Reviewed changes

Copilot reviewed 24 out of 25 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
marque/src/main.rs	CLI config loading hard-fail + fix_with_threshold wiring + JSON severity output updates
crates/marque-wasm/src/lib.rs	WASM wrapper updates for new engine fix API + stable severity/message serialization
crates/marque-server/src/main.rs	Server now loads layered config + request-level confidence override support
crates/marque-rules/src/lib.rs	New contracts: RuleId constructor, Severity::Off, FixProposal/AppliedFix, Diagnostic::new
crates/marque-ism/src/token_set.rs	Switches token data to build.rs-generated ALL_CVE_TOKENS/TRIGRAPHS + binary_search canonicalize
crates/marque-ism/src/span.rs	Stronger span invariants + try_as_slice + candidate rename to MarkingCandidate
crates/marque-ism/src/lib.rs	Re-exports generated CVE enums + schema version constant + updated span exports
crates/marque-ism/src/attrs.rs	Typed CVE-derived attribute fields + hardened Trigraph construction/infallible as_str
crates/marque-ism/Cargo.toml	Dependency updates for codegen/build hardening (toml, memchr in build)
crates/marque-ism/build.rs	Real ODNI CVE/XSD parsing → generated Rust enums/tables + schema pinning assertion
crates/marque-extract/src/lib.rs	Re-export ordering cleanup
crates/marque-engine/src/pipeline.rs	Updates pipeline candidate type to MarkingCandidate
crates/marque-engine/src/output.rs	Fix result now returns AppliedFix; fix_count requires fix.is_some()
crates/marque-engine/src/lib.rs	Exposes clock + FixMode/InvalidThreshold + adds default_ruleset() helper
crates/marque-engine/src/engine.rs	Adds FixMode, injected clock, fix ordering/overlap guard, threshold override API
crates/marque-engine/src/clock.rs	New Clock abstraction with SystemClock and FixedClock
crates/marque-engine/src/batch.rs	Batch APIs now return per-document Result via BatchError, and use new fix API
crates/marque-core/src/span.rs	Re-export updates for renamed candidate type
crates/marque-core/src/scanner.rs	Scanner now returns Vec<MarkingCandidate>
crates/marque-core/src/parser.rs	Parser now emits typed CVE enums + updated CAB parsing + trigraph validation via try_new
crates/marque-core/src/attrs.rs	Updates re-exports to match new marque-ism::attrs surface
crates/marque-config/src/lib.rs	Layered config loader with FR-010/FR-011 hard-fails + severity/env/threshold validation
crates/marque-config/Cargo.toml	Adds deps on marque-ism and marque-rules for schema/severity validation
crates/marque-capco/src/rules.rs	Updates rules to new FixProposal/Diagnostic::new APIs + rule id changes
Cargo.lock	Locks dependency graph changes from added/removed deps

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In print_json_diagnostics, d.message is a Box<str> (and is behind &Diagnostic from .iter()), so "message": d.message attempts to move out of a shared reference and will not compile. Use a borrowed form like d.message.as_ref() (or d.message.to_string()), and make the same adjustment anywhere else this file formats/prints diag.message or fix.replacement from a borrowed diagnostic/fix.

[Copilot]

Engine::fix_inner currently auto-applies any FixProposal whose confidence meets the threshold, regardless of the diagnostic's (possibly overridden) Severity. This means a rule configured as warn/error can still have its fix applied during fix, which contradicts the Severity::Fix contract and also disagrees with LintResult::fix_count() (which counts only Severity::Fix + fix.is_some()). Filter fixes by d.severity == Severity::Fix (after overrides) before collecting proposals.

Suggested change

	.iter()
	.iter()
	.filter(|d| d.severity == Severity::Fix)

[Copilot]

The CLI currently doesn't populate AppliedFix.input for audit records, even though AppliedFix has an input field intended to be set at the boundary (e.g., file path or "-" for stdin). After obtaining the FixResult, set result.applied[*].input to path.display().to_string() (and consider also wiring stdin as "-") so downstream audit NDJSON can attribute fixes to a specific input.

Suggested change

	let result = match engine.fix_with_threshold(&source, mode, confidence) {
	Ok(r) => r,
	Err(e) => {
	eprintln!("error: {e}");
	return 65; // EX_DATAERR per contracts/cli.md
	}
	};
	let mut result = match engine.fix_with_threshold(&source, mode, confidence) {
	Ok(r) => r,
	Err(e) => {
	eprintln!("error: {e}");
	return 65; // EX_DATAERR per contracts/cli.md
	}
	};
	let input = path.display().to_string();
	for applied_fix in &mut result.applied {
	applied_fix.input = input.clone();
	}

[Copilot]

DeclassifyInBannerRule checks attrs.declassify_on for banner candidates, but the parser only populates declassify_on/declass_exemption when parsing CAB lines (see marque-core/src/parser.rs, parse_cab). As a result, this rule will never fire for actual banner markings. Either parse declass tokens into IsmAttributes during banner/portion parsing, or change the rule to look at the field(s) that are actually populated for banner candidates.

[Copilot]

marque_config::load is documented (and the spec contract in specs/001-marque-mvp/contracts/cli.md) as discovering .marque.toml by walking upward from the current working directory, but this implementation only checks project_root/.marque.toml and never searches parent directories. Either implement the upward walk (stopping at git root/filesystem root per contract) or update the contract/docs so CLI/server behavior is consistent.

[Copilot]

The .marque.local.toml layer is parsed into ConfigFile, but merge_user_into only applies the [user] section and ignores rules, corrections, capco.version, and confidence_threshold from the local file. This conflicts with the stated precedence chain (.marque.local.toml overriding .marque.toml). Either merge the non-user fields for the local layer as well, or reject them with a clear error to avoid silent no-ops.

[Copilot]

This comment says emit_empty_enum produces a "placeholder variant", but emit_empty_enum actually emits an empty enum (pub enum SarIdentifier {}), which is uninhabited and has no variants. Either update the comment to reflect the uninhabited type, or emit a real placeholder/unknown variant if you need the enum to be constructible in downstream code.

Suggested change

	// Emit a minimal enum with a placeholder variant so it's usable
	// Emit an empty (uninhabited) enum for type-system completeness.

[Copilot]

marque_config::load is called with cwd here, so config resolution is limited to the current directory. The CLI contract (specs/001-marque-mvp/contracts/cli.md "Configuration discovery") describes walking upward to find .marque.toml and then looking for .marque.local.toml alongside it. Consider moving that discovery logic into marque_config (or doing it here) so the CLI matches the contract.

[bashandbone]

@copilot apply changes based on the comments in this thread

Let me give some guidance on how this should work functionally. The CAB declassify on date is essentially the furthest date in the future from the observed dates (if any), or typically, 25 years from the date of the material, whichever is longest (some things have shorter default declassifications, like fleeting/tactical information -- typically 10 years -- and others, like HUMINT can default to 50). If there are banner markings with declassification information, then we need a way of identifying that max for a given page or document.

Similarly, a banner marking can be thought of as a composite of the portion markings on a given page, or where 'page' doesn't apply, the materials. The banner is the most restrictive sum of its portion marking parts. So architecturally, it's important that we maintain some understanding of at least the maximums observed for a given 'page'

An example to illustrate --

(S//NF) An example paragraph.

(DEU C//REL TO USA, DEU, NATO) Another example paragraph.

The banner here would be SECRET//FGI DEU//NOFORN

If the architecture does not currently allow this kind of resolution, then now is a good time to identify it and brainstorm solutions.

[bashandbone]

Second-pass review — would approve (self-PR, GH blocks explicit approval)

Previous comment on this PR was corrupted by an ANSI-injecting cat alias; this is the intended clean version.

Validation: clippy clean, 45 unit + 1 doctest pass, fmt clean, mergeable. No blocking issues.

Full report: .claude/PRPs/reviews/pr-3-review.md (working tree, not committed).

Focus-area results (all clean)

• Overlap guard correctness — walked adjacent, contained, identical, and overlapping span cases under the FR-016 reverse-end sort. fix.span.end <= previous.span.start handles all four correctly.
• Trigraph::as_str from_utf8_unchecked soundness — no construction path outside try_new (ASCII validator) or the USA const.
• Severity::Off gate — short-circuits before any diagnostic is produced.
• Send/Sync — all bounds correctly declared; BatchEngine Arc<Engine> is sound.
• -0.0 / subnormal handling in fix_with_threshold — correct.

Findings: 0 CRITICAL · 3 HIGH · 5 MEDIUM · 4 LOW

HIGH (not blocking, worth a follow-up)

• H-1 BatchError does not distinguish panic from cancellation — BatchError::TaskFailed(JoinError) wraps JoinError whole, but JoinError::is_panic() vs is_cancelled() matter for CI pipelines that need to alert on bugs vs quietly retry on cancellation. Recommend forwarding is_panic()/is_cancelled() on BatchError. (batch.rs:48–77)
• H-2 AppliedFix::__engine_promote is pub #[doc(hidden)] — the doc explicitly admits "enforced by convention and code review, not by the type system." Any downstream crate can construct an AppliedFix bypassing the engine's confidence gate, FR-016 sort, and C-1 overlap guard, injecting arbitrary audit records. For a security tool whose audit log is the compliance output, this is a meaningful integrity gap. Full fix requires crate-boundary restructuring; recommend documenting as a known risk in CLAUDE.md under architectural invariants. (rules/lib.rs:246–261)
• H-3 fix_with_threshold has no test for INFINITY / NEG_INFINITY rejection — the validation correctly rejects both, but the test suite only covers NaN, -0.1, 1.1. Two-line test addition. (engine.rs:146–149)

MEDIUM

• M-1 resolve_idents has no non-empty assertion on required CVE files — an empty CVEnumISMDissem.xml would silently produce zero dissem diagnostics. (build.rs:192–209)
• M-2 Duplicate-ident collision panic names only one of the two colliding values. (build.rs:204)
• M-3 TRIGRAPHS slice is unsorted so is_trigraph still uses linear scan; ALL_CVE_TOKENS went through a BTreeSet for binary_search. Symmetrical cleanup. (build.rs + token_set.rs:44)
• M-4 Threshold filter path has no test at the boundary (0.94 excluded, 0.95 included).
• M-5 Zero-length-span filter path (which masks Phase 2 placeholder spans) has no dedicated test.

LOW

• L-1 BatchOptions.max_concurrent_docs drives both ConcurrencyController and buffer_unordered; doc comment only mentions one.
• L-2 merge_user_into does not treat empty-string classifier_id as absent.
• L-3 Severity doc describes a future .max() merge design that diverges from the current last-write-wins merge_project_into.
• L-4 Closely related to M-4: all test proposals use 1.0 confidence, so the Config-supplied threshold path is never exercised.

Recommendation

Merge as-is. Follow-up items for the Phase 3 opening commit or a small cleanup pass:

• H-1 (add is_panic()/is_cancelled() forwarding on BatchError)
• H-3 (two-line test for INFINITY rejection)
• M-1, M-4, M-5 (defensive test coverage)

H-2 is a CLAUDE.md documentation update.

[Copilot]

@copilot apply changes based on the comments in this thread

Let me give some guidance on how this should work functional...

Addressed in b8789c8. Here's what was changed and how the architecture now supports the functional requirements you described:

E005 fix — parse_marking_string in marque-core/src/parser.rs now recognizes declass exemption codes (25X1, 50X1-HUM, etc.) and date strings (YYYYMMDD / YYYY) in banner and portion blocks, populating attrs.declass_exemption / attrs.declassify_on so DeclassifyInBannerRule (E005) actually fires for real banner markings. 9 unit tests added.

PageContext architecture — Added marque_ism::PageContext (crates/marque-ism/src/page_context.rs) for page-level accumulation with the following aggregation rules matching CAPCO requirements:

• expected_classification() → max() (most restrictive wins)
• expected_sci/sar/dissem_controls() → union (any control on any portion applies to the page)
• expected_rel_to() → intersection — with NOFORN superseding REL TO entirely (your example: (S//NF) + (DEU C//REL TO USA, DEU, NATO) → banner REL TO is empty, NOFORN applies)
• expected_declassify_on() → max date (furthest out, YYYYMMDD lexicographic ordering)
• expected_declass_exemption() → last-seen placeholder; duration-aware ordering is a Phase 3 TODO

RuleContext now carries Option<Arc<PageContext>> (populated for banner/CAB candidates). The engine builds the context in document order, with lazy Arc caching invalidated on each new portion, so the snapshot a banner rule sees reflects all preceding portions. Phase 3 banner-vs-portions validation rules (e.g., detecting that the observed banner is less restrictive than the expected composite) can now consume this directly from ctx.page_context.

[bashandbone]

Follow-up review on b8789c8 — E005 parser fix + PageContext architecture

Pulled, built, tested locally against the new commit.

Validation: clippy clean across --all-targets, 60 unit tests + 1 doctest, zero failures. (Growth: +15 tests — marque-core 3→12 for declass parsing, marque-ism 17→23 for PageContext.) Trivial rustfmt drift on two files not blocking — fixing in a follow-up style: commit.

What landed, against the stated requirements

E005 real-rule path: parse_marking_string in marque-core/src/parser.rs now falls through to DeclassExemption::parse(block) and the new is_declass_date(block) predicate, so declass exemption codes (25X1, 50X1-HUM, …) and YYYYMMDD / YYYY free-text dates appearing inside a banner/portion marking populate attrs.declass_exemption / attrs.declassify_on. DeclassifyInBannerRule now fires on real markings instead of being a dead path. ✓

PageContext aggregation semantics (crates/marque-ism/src/page_context.rs):

Rule	Requirement	Implementation	Verdict
expected_classification	most restrictive wins	.max() over Option<Classification>	✓
expected_sci_controls	union	BTreeSet collect → Vec	✓
expected_sar_identifiers	union	BTreeSet collect → Vec	✓
expected_dissem_controls	union	BTreeSet collect → Vec	✓
expected_rel_to	intersection, NOFORN supersedes	any_noforn → empty, else intersect	✓
expected_declassify_on	furthest-out date	lexicographic max_by on &str	✓ (with caveat — see below)
expected_declass_exemption	most specific	last-seen placeholder, Phase 3 TODO	✓ (acknowledged TODO)

The (S//NF) + (DEU C//REL TO USA, DEU, NATO) example is covered by the noforn_supersedes_rel_to test: any NOFORN portion zeroes out the expected REL TO, forcing the banner to carry NOFORN instead. Matches the spec exactly.

Engine integration (crates/marque-engine/src/engine.rs): the lint loop builds PageContext in document order, accumulates every MarkingType::Portion parse, and hands banner/CAB candidates an Arc<PageContext> via RuleContext.page_context. The Arc is cached per page-snapshot and invalidated on every new portion — so successive banners in the same page share one allocation, and a banner after new portions gets a fresh snapshot. Clean.

Correctness observations

O-1 — Lexicographic date comparison is subtly correct for this encoding, worth a comment
page_context.rs:186 — .max_by(|a, b| a.cmp(b)) on declass date strings. This works correctly because:

• YYYYMMDD vs YYYYMMDD → pure lex = chronological ordering
• YYYY vs YYYYMMDD with shared prefix → shorter (YYYY) < longer (YYYYMMDD), which matches the semantic "YYYY = Jan 1 of YYYY, which is ≤ any date within that year"
• Different YYYYs → lex order = chronological

So the ordering happens to be correct under the "YYYY means Jan 1" convention documented in is_declass_date. Worth a two-line inline comment on the max_by pinning the invariant — if someone changes the encoding to "YYYY = end of year" in the future, the lex compare silently goes wrong in the mixed case.

O-2 — PageContext never resets between pages
engine.rs:82 has the correct TODO(phase-3) noting that page-break detection is a scanner-level concern. Today the context accumulates across the entire document, so a banner on "page 2" sees portion data from "page 1". For Phase 2 single-unit markings this is correct; for paginated documents it over-restricts. Phase 3 scanner work will add page-break candidates that reset the accumulator. No action needed now.

O-3 — page_context.add_portion(parsed.attrs.clone()) clones IsmAttributes per portion
engine.rs:97 — IsmAttributes has Box<[T]> fields whose clone is O(n) in slice contents. For documents with hundreds of portions this adds up. A Phase 3 optimization could store Arc<IsmAttributes> in PageContext::portions so add_portion is O(1). Not a blocker — portion counts per document are typically small.

O-4 — PageContext accessor methods allocate a BTreeSet + Vec per call
expected_sci_controls() etc. recompute the union from scratch on each invocation. A Phase 3 banner-vs-portion validation rule that calls multiple expected_* helpers would re-walk the portions list each time. Memoization (e.g., compute all aggregates once after the last portion is added, stash in OnceCell) is a Phase 3 optimization, not needed today.

O-5 — expected_declass_exemption Phase 3 TODO on duration-aware ordering — already called out in the doc comment. EO 13526 §3.3(b) duration ranking (50X1-HUM > 50X1 > 25X1 etc.) needs a hand-coded comparator because the CVE-defined Ord on DeclassExemption is alphabetical on the CVE token, not semantically ordered by retention length. Correctly deferred.

Rustfmt drift

Two files have trivial single-line reformatting that cargo fmt --check catches:

• crates/marque-core/src/parser.rs (13 insertions / some reflow)
• crates/marque-ism/src/page_context.rs (one .into_boxed_slice() line wrap in a test fixture)

Landing in a follow-up style: commit.

Decision

APPROVE. Copilot's architecture answer is tight and matches the stated functional requirements exactly. The four observations above are Phase 3 polish / documentation, not blockers. The only code change needed on top of b8789c8 is the rustfmt drift — trivial.

Suggested small improvements (can land with the Phase 3 opener or as follow-ups):

• O-1: two-line comment pinning the lex-compare invariant on expected_declassify_on
• O-3: Arc<IsmAttributes> internally in PageContext::portions once portion counts grow
• O-4: memoize expected_* aggregates in OnceCell after the last add_portion — needs a "sealed" state on PageContext
• Phase 3 duration_aware_max for DeclassExemption (already noted in code)

Ready to merge.