🛡️ Sentinel: [HIGH] Fix SQL injection risk in SQLite PRAGMA execution

[mapleleaflatte03]

🚨 Severity: HIGH
💡 Vulnerability: The MERIDIAN_OBSERVABILITY_SQLITE_JOURNAL_MODE environment variable was directly concatenated into an SQLite PRAGMA journal_mode command using an f-string in intelligence/company/meridian_platform/observability_store.py. Because Python's sqlite3 driver does not support parameterized queries (?) for PRAGMA statements, this direct concatenation creates a risk of SQL injection or execution disruption if the environment variable is manipulated.
🎯 Impact: While an attacker would need control over the process environment variables, successfully manipulating this variable could allow them to crash the database connection, alter other PRAGMA configurations, or potentially execute arbitrary statements depending on the underlying SQLite version's PRAGMA handling.
🔧 Fix: Added strict allowlist validation ({'DELETE', 'TRUNCATE', 'PERSIST', 'MEMORY', 'WAL', 'OFF', 'DEFAULT', ''}). If the configured journal mode is not in this safe set, it safely falls back to the default 'WAL' mode before the string is formatted into the SQL command.
✅ Verification: Ran the test suite for meridian_platform using PYTHONPATH=intelligence/company/meridian_platform:intelligence:kernel python3 -m unittest discover -s intelligence/company/meridian_platform -p 'test_*.py'. Verified that the fallback mechanism works safely without introducing new regressions. Checked diff via git diff.

---

PR created automatically by Jules for task 13737727808466033423 started by @mapleleaflatte03

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.