🛡️ Sentinel: [HIGH] Fix SQL injection risk in SQLite PRAGMA configuration

[mapleleaflatte03]

🚨 Severity: HIGH

💡 Vulnerability: Found an unsafe string interpolation pattern where an environment variable (MERIDIAN_OBSERVABILITY_SQLITE_JOURNAL_MODE) was directly injected into an execution of a PRAGMA SQL query without prior sanitation (conn.execute(f'PRAGMA journal_mode={configured_journal_mode}')). Because SQLite's PRAGMA commands do not support standard parameterized queries (like ?), developers often resort to f-strings or concatenation, which introduces SQL injection vulnerabilities if the input isn't strictly validated.

🎯 Impact: Since this value is derived from an environment variable (os.environ), a malicious actor or an attacker with partial system access could set this environment variable to perform SQL injection against the application's observability database during connection initialization.

🔧 Fix: Introduced a strict allowlist validation ({'DELETE', 'TRUNCATE', 'PERSIST', 'MEMORY', 'WAL'}) for the configured_journal_mode variable before attempting to execute the PRAGMA command. Invalid values are silently ignored, preventing the execution of arbitrary injected SQL commands while preserving the application's expected fallback behavior.

✅ Verification:

1. Confirmed the strict allowlist accurately reflects all safe and valid SQLite journal modes.
2. Verified unit tests passed using PYTHONPATH=intelligence/company/meridian_platform:intelligence:kernel python3 -m unittest discover -s intelligence/company/meridian_platform/ -p "test_*.py".
3. Created a learning record in .jules/sentinel.md to document the lack of parameterization support in SQLite PRAGMA commands and the strict allowlist mitigation pattern.

---

PR created automatically by Jules for task 11182321657558099376 started by @mapleleaflatte03

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.