Add DFIR memory model, SQLite append-only store, SANS-aligned docs, and tests

[TimothyVang]

Motivation

• Provide a minimal, SANS-aligned evidence-backed memory subsystem so incident response workflows can retain audited artifacts without overbuilding a full agentic runner.
• Define explicit controlled-evolution rules and approval gates to keep persistent memory tied to evidence and chain-of-custody principles.
• Anchor the v1 implementation with a lightweight 2-week plan document to scope and guide phased development.

Description

• Add planning and design docs: docs/DFIR_AGENTIC_V1_PLAN.md and docs/DFIR_MEMORY.md describing the v1 roadmap, memory layers, allowed operations, and validation rules.
• Introduce Pydantic schemas in verdict/schemas/memory.py defining MemoryType, ApprovalState, MemoryOperation, MemoryEntry, and MemoryUpdateProposal with validation logic enforcing evidence, timestamps, and version constraints.
• Implement an SQLite-backed append-only store in verdict/memory/store.py with MemoryStore supporting put_entry, get_latest_entry, list_entries_by_scope, put_proposal, approve_proposal, and get_proposal_state semantics.
• Add package export verdict/memory/__init__.py and unit tests tests/schemas/test_memory_schema.py and tests/memory/test_memory_store.py covering schema validation, versioning, proposal lifecycle, and scope/confidence queries.

Testing

• Ran the schema unit tests with pytest tests/schemas/test_memory_schema.py and they passed.
• Ran the memory store unit tests with pytest tests/memory/test_memory_store.py and they passed.
• Tests exercise validation failures, append-only versioning, proposal storage, approval transitions, and scope/confidence listing behavior.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1e0e84da9b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Select latest approved version per memory ID

list_entries_by_scope computes the max version across all states and only then filters to approved rows, so a memory with v1=approved and v2=proposed/rejected disappears from retrieval entirely. In DFIR workflows this hides the most recent validated memory and can cause the runner to miss known-good patterns whenever a newer unapproved draft exists. Filter by approval_state='approved' inside the MAX(version) subquery (or rank approved rows) so each memory_id returns its latest approved version.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Enforce monotonic version progression on inserts

put_entry inserts caller-supplied versions without checking prior versions for that memory_id, so the store accepts gaps and out-of-order history (for example inserting version=5 first or regressing after a higher version). This violates the commit’s append-only versioning contract and can permanently skew lineage/audit interpretation because version order is treated as canonical in reads. Validate against the current max version and require the next expected version before insert.

Useful? React with 👍 / 👎.