feat: add Presidio PII detection and redaction (RFC-013) (#118)

* feat: add Presidio PII detection and redaction (RFC-013)

Introduces optional PII detection via Microsoft Presidio for content
before it is stored by remember(). Disabled by default; no new core
dependencies. Requires pip install zettelforge[pii].

Key features:
- Three actions: log (warn only), redact (replace with placeholder),
  block (raise exception before storage)
- CTI allowlist for IP_ADDRESS, URL, DOMAIN_NAME (legitimate indicators)
- Lazy SDK loading -- ImportError deferred to first detect() call
- Graceful degradation when presidio-analyzer is not installed
- Config via governance.pii section in config.yaml
- Env overrides: ZETTELFORGE_PII_ENABLED, ZETTELFORGE_PII_ACTION

Files:
- src/zettelforge/pii_validator.py -- PIIValidator, PIIDetection, PIIBlockedError
- src/zettelforge/config.py -- PIIConfig dataclass, pii field on GovernanceConfig
- src/zettelforge/governance_validator.py -- PIIValidator integration, validate_remember()
- src/zettelforge/memory_manager.py -- PII config wired to GovernanceValidator
- pyproject.toml -- pii optional extra (presidio-analyzer, spacy)
- config.default.yaml -- PII documentation with examples
- tests/test_pii_validator.py -- 26 unit tests
- docs/how-to/configure-pii.md -- setup guide
- docs/rfcs/RFC-013-presidio-pii-detection.md -- RFC document

RFC: docs/rfcs/RFC-013-presidio-pii-detection.md

* style: fix UP006 type annotations in pii_validator and governance_validator

Replace typing.List/Dict/Tuple/Optional with built-in list/dict/tuple
and | None syntax. All files are under from __future__ import annotations
so these are PEP 604 compatible at runtime.

* style: replace `List[str]` with `list[str]` to satisfy UP006/F821

The PR was authored before #109 (UP rule batch) landed, which removed
`from typing import List` across the codebase as part of the PEP 585
modernization. After rebase, `List` was undefined here. Drop-in
replacement with the built-in `list` matches the rest of the
post-#109 codebase.

* style: fix UP006/UP037 type annotations in config.py

Add from __future__ import annotations, replace List[str] with list[str],
remove unnecessary quotes from type annotation (re.Match[str]).
Also removes the unused Dict and Optional imports that were only needed
for PIIConfig.

* fix: handle nested PIIConfig dataclass in _apply_yaml

When config.default.yaml contains governance.pii section, _apply_yaml
was setting cfg.governance.pii = raw_dict instead of populating the
existing PIIConfig dataclass. Add nested handling for the 'pii' key
to properly merge dict values into the dataclass fields.

This caused AttributeError: 'dict' object has no attribute 'enabled'
in all downstream tests that load the default config.

* fix(rfc-013): governance enforce() ordering + nlp_engine stub shape

Two test failures remained on top of e05cf67's nested-PIIConfig fix:

## 1. enforce("remember", None) silently returned instead of raising

The new `enforce()` short-circuited on `operation == "remember"` and
returned data unchanged when it wasn't a string, bypassing the
`validate_operation()` GOV-011 check that
`test_governance_violation_raises` depends on. Reordered so the
structural validation runs first; the PII path runs only after data
passes the str/has-content check.

## 2. tests/test_pii_validator.py stub patched the wrong target

`from presidio_analyzer.nlp_engine import NlpEngineProvider` resolves
`NlpEngineProvider` as a module attribute on `presidio_analyzer.nlp_engine`,
which is a *module* — not a class. The stub installed a class
(`_StubNlpEngine`) at that sys.modules slot, so the import raised
`ImportError: cannot import name 'NlpEngineProvider' from '_StubNlpEngine'`.
Built a real `types.ModuleType` for the submodule with
`NlpEngineProvider = _StubNlpProvider` attached.

Also renamed `test_validate_remember_rejects_empty_string` to
`test_validate_remember_rejects_invalid_data` and switched the
operation from `"synthesize"` to `"remember"` — the test name said one
thing, the body asserted something only the remember path validates.

25/25 tests pass in test_governance.py + test_pii_validator.py.

* fix: address all Copilot/Codex review comments on PR #118

Fixed 6 issues identified in the automated review:

1. PII text leakage in validate() log — removed raw PII text from
   structured log entities; now logs only entity_type and score.

2. CTI allowlist filter location — moved from constructor to detect()
   time so that entities=None (detect-all mode) filters out IP_ADDRESS,
   URL, and DOMAIN_NAME at runtime instead of at construction.

3. Overlapping span resolution — greedy algorithm now resolves
   containment (longest span wins) instead of only exact (start,end)
   deduplication. Prevents sub-spans from being redacted separately.

4. PIIConfig.entities=[] → PIIValidator entities=None — empty list
   in config means "detect all supported types". Convert [] to None
   in constructor so Presidio receives entities=None (semantic for
   'detect all') instead of entities=[] (semantic for 'detect none').

5. PIIBlockedError handling — caught in validate_remember() and
   converted to GovernanceViolationError so memory_manager's existing
   except GovernanceViolationError handler covers the block action.

6. Unused imports — removed unused field import from pii_validator,
   unused importlib/patch imports from test file, unused
   _make_mock_analyzer helper.

Also fixed merge conflicts from rebase in governance_validator.py
and test_pii_validator.py.

* style: remove unused MagicMock import from test_pii_validator.py

* test: fix CTI allowlist test for detect-time filtering

Allowlist filtering moved from constructor to detect() in the
review fix. Updated test_cti_allowlist_filters_entities to match
the new behavior: constructor preserves user-specified entities
as-is, filtering happens at runtime in detect() instead.
Also added test for empty-list-to-None conversion.

Author: rolandpg

config.default.yaml

@@ -329,6 +329,15 @@ synthesis:
 # Validation rules applied before remember() and recall() operations.
 # Enforces data classification, retention, access control, and audit logging.
 #
+# PII detection (RFC-013, optional) uses Microsoft Presidio to scan content
+# for personally identifiable information before storage. Disabled by default.
+# Requires: pip install zettelforge[pii]
+#
+# PII action options:
+#   log       — detect and warn, pass content through unchanged
+#   redact    — replace PII with [REDACTED] before storage
+#   block     — raise exception if any PII is detected
+#
 # Examples:
 #   # Production (default)
 #   enabled: true
@@ -341,9 +350,41 @@ synthesis:
 #   enabled: true
 #   min_content_length: 20
 #
+#   # PII log-only (see what PII flows through your pipeline)
+#   enabled: true
+#   min_content_length: 1
+#   pii:
+#     enabled: true
+#     action: log
+#
+#   # PII redact (automatically remove PII before storage)
+#   enabled: true
+#   min_content_length: 1
+#   pii:
+#     enabled: true
+#     action: redact
+#
+#   # PII block (strict — reject content with detected PII)
+#   enabled: true
+#   min_content_length: 1
+#   pii:
+#     enabled: true
+#     action: block
+#
+# Env overrides:
+#   ZETTELFORGE_PII_ENABLED=true
+#   ZETTELFORGE_PII_ACTION=redact
+#
 governance:
   enabled: true
   min_content_length: 1
+  pii:
+    enabled: false
+    action: log
+    redact_placeholder: "[REDACTED]"
+    entities: []
+    language: en
+    nlp_model: en_core_web_sm
 
 
 # ── Cache ───────────────────────────────────────────────────────────────────

docs/how-to/configure-pii.md

@@ -0,0 +1,217 @@
+---
+title: "Configure PII Detection and Redaction"
+description: "Set up Microsoft Presidio for PII detection in ZettelForge. Scan content for personally identifiable information before storage, with configurable log/redact/block policies."
+diataxis_type: "how-to"
+audience: "Compliance Officer, SOC Manager, FedRAMP Engineer"
+tags: [pii, governance, compliance, presidio, privacy, fedramp, gdpr]
+last_updated: "2026-04-25"
+version: "2.5.0"
+---
+
+# Configure PII Detection and Redaction
+
+ZettelForge uses [Microsoft Presidio](https://github.com/microsoft/presidio) (open-source, MIT license) to detect and optionally redact PII (Personally Identifiable Information) from content before it is stored in the vector database and knowledge graph.
+
+PII detection is **disabled by default** with no new core dependencies. It is a fully optional feature -- `pip install zettelforge[pii]` activates it.
+
+## Prerequisites
+
+- ZettelForge installed
+- `pip install zettelforge[pii]` to install presidio-analyzer, presidio-anonymizer, and spaCy
+- About ~12-50 MB of disk space for the spaCy model (auto-downloads on first use)
+
+## How It Works
+
+Presidio runs **in-process** as a validation step inside `GovernanceValidator`, invoked before every `remember()` operation:
+
+```
+remember(content)
+  -> GovernanceValidator.validate_remember(content)
+    -> PIIValidator.validate(content)
+      -> presidio-analyzer scans for 20+ PII types
+    -> Returns (passed, processed_content, detections)
+  -> Returns processed_content (possibly redacted)
+-> MemoryStore.save(processed_content)
+```
+
+Three actions control what happens when PII is detected:
+
+| Action | Behavior | Use Case |
+|:-------|:---------|:---------|
+| `log` | Detect, log a warning, pass content through unchanged | Discovery -- see what PII is in your pipeline |
+| `redact` | Replace PII with `[REDACTED]` before storage | Compliance -- prevent PII persistence |
+| `block` | Raise an exception, storage is cancelled | Strict environments -- no PII allowed through |
+
+## Configuration
+
+Add a `pii:` section under `governance:` in your `config.yaml`:
+
+```yaml
+governance:
+  enabled: true
+  pii:
+    enabled: true       # enable PII detection
+    action: log          # log | redact | block
+    redact_placeholder: "[REDACTED]"
+    entities: []         # empty = all PII types
+    language: en
+    nlp_model: en_core_web_sm
+```
+
+### Entity Filtering
+
+The `entities` list lets you scope detection to specific PII types. When empty (default), all supported types are detected.
+
+Common entity types:
+
+| Entity | Example | Notes |
+|:-------|:--------|:------|
+| `EMAIL_ADDRESS` | `user@example.com` | Enables spam from phishing reports |
+| `PHONE_NUMBER` | `(555) 123-4567` | |
+| `PERSON` | `John Smith` | |
+| `CREDIT_CARD` | `4111-1111-1111-1111` | |
+| `SSN` | `123-45-6789` | |
+| `CRYPTO` | `1A1zP1eP5QGefi2DMP` | Bitcoin addresses |
+| `LOCATION` | `New York City` | |
+| `ORGANIZATION` | `Microsoft Corp` | |
+
+IP addresses, URLs, and domain names are **exempt from detection by default** -- these are legitimate CTI indicators (IOCs), not PII in the threat intelligence context. To include them, set `entities` explicitly:
+
+```yaml
+pii:
+  enabled: true
+  entities: ["IP_ADDRESS", "EMAIL_ADDRESS"]   # IPs will now be detected
+```
+
+## Example Configurations
+
+### 1. Log-Only (Discovery Mode)
+
+Use this first to understand what PII flows through your pipeline without changing any data:
+
+```yaml
+governance:
+  pii:
+    enabled: true
+    action: log
+```
+
+Every PII detection is logged as a structured `pii_detected` log event with count, entity types, and scores. Content is stored unchanged.
+
+### 2. Redact (Compliance Mode)
+
+Automatically replace PII with placeholders before storage:
+
+```yaml
+governance:
+  pii:
+    enabled: true
+    action: redact
+    redact_placeholder: "[PII REMOVED]"
+```
+
+The redacted content is what gets stored and indexed. The original content with PII is never persisted.
+
+### 3. Block (Strict Mode)
+
+Reject any content containing PII entirely:
+
+```yaml
+governance:
+  pii:
+    enabled: true
+    action: block
+```
+
+If PII is detected, `remember()` raises a `PIIBlockedError` and the operation is cancelled. The calling code receives the exception and can handle it (e.g., ask the user to retry without PII).
+
+### 4. Targeted Detection (Only Emails and Phones)
+
+Scope detection to specific entity types to reduce noise:
+
+```yaml
+governance:
+  pii:
+    enabled: true
+    action: redact
+    entities: ["EMAIL_ADDRESS", "PHONE_NUMBER"]
+```
+
+### 5. Complete Compliance Setup (FedRAMP-aligned)
+
+```yaml
+governance:
+  enabled: true
+  min_content_length: 1
+  pii:
+    enabled: true
+    action: redact
+    redact_placeholder: "[REDACTED]"
+    entities: []
+    language: en
+    nlp_model: en_core_web_sm
+```
+
+## Environment Variables
+
+| Variable | Maps To | Default |
+|:---------|:--------|:--------|
+| `ZETTELFORGE_PII_ENABLED` | `governance.pii.enabled` | `false` |
+| `ZETTELFORGE_PII_ACTION` | `governance.pii.action` | `log` |
+
+## spaCy Model Download
+
+The spaCy NLP model downloads automatically on the first `remember()` call after PII is enabled. The download is a one-time cost:
+
+| Model | Size | Speed | Notes |
+|:------|:-----|:------|:------|
+| `en_core_web_sm` | ~12 MB | Fast | Default. Good accuracy for standard PII |
+| `en_core_web_md` | ~40 MB | Medium | Better person/location disambiguation |
+| `en_core_web_lg` | ~560 MB | Slow | Best accuracy, word vectors |
+| `en_core_web_trf` | ~400 MB | Slowest | Transformer-based, best for context |
+
+To pre-download (recommended for air-gapped deployments):
+
+```bash
+python -m spacy download en_core_web_sm
+```
+
+## Verification
+
+After configuration, test that PII detection is working:
+
+```python
+from zettelforge import MemoryManager
+
+mm = MemoryManager()
+
+# This should trigger a PII warning if action=log
+note, status = mm.remember(
+    "Contact analyst John Smith at john@example.com or 555-1234 for details."
+)
+```
+
+With `action=log`, you will see a `pii_detected` structured log event.
+
+With `action=redact`, the stored content will have PII replaced:
+
+```python
+print(note.content.raw)
+# "Contact analyst [REDACTED] at [REDACTED] or [REDACTED] for details."
+```
+
+With `action=block`, `remember()` will raise `PIIBlockedError`.
+
+## Performance Impact
+
+- First call: ~2-3 seconds (spaCy model loading). Subsequent calls are fast.
+- Detection latency: ~50-200ms per `remember()` depending on content length and model size.
+- No network calls (all detection is local).
+- No impact when `governance.pii.enabled: false` (disabled by default).
+
+## Related
+
+- [Configuration Reference](../reference/configuration.md) -- all `config.yaml` keys
+- [Governance Controls](../reference/governance-controls.md) -- GOV-013 PII enforcement
+- [Microsoft Presidio](https://github.com/microsoft/presidio) -- upstream project
+- RFC-013: PII Detection and Redaction via Microsoft Presidio