Add memory retention, deletion, and redaction controls #109

@romgenie

Local source: coven-code/issues/16-add-memory-retention-deletion-and-redaction-controls.md

Summary

Hosted memory needs lifecycle controls: retention periods, deletion, redaction, expiry, and audit history. A hosted GitHub App reviewer will store codebase facts, transcripts, findings, and possibly sensitive security context.

Current Evidence

  • session_storage.rs supports tombstones and truncation for transcript entries.
  • Memory files can be appended and synced, but there is no comprehensive retention policy for hosted memory.
  • Auto-extracted memories include dates in markdown headings but no expiry metadata.
  • team_memory_sync.rs supports checksums and ETags, not retention or deletion semantics.

Problem

Without lifecycle controls:

  • Stale memory can influence future reviews indefinitely.
  • Customers cannot request deletion of repo memory.
  • Security-sensitive facts may persist beyond the incident.
  • Redaction requires manual file edits with uncertain sync behavior.

Proposed Design

Add memory lifecycle metadata:

created_at: ...
expires_at: ...
retention_class: standard | short_lived | security | legal_hold
redacted_at: ...
deleted_at: ...

Add operations:

  • list memory by tenant/repo/domain
  • expire memory
  • redact memory content while preserving audit stub
  • delete memory for repo/install/tenant
  • export memory audit ledger

Acceptance Criteria

  • Hosted memory loader excludes expired/deleted entries.
  • Redacted entries do not expose original content to the model.
  • Deletion can remove all memory for a repo/install/tenant.
  • Tests cover expiry filtering, redaction, and deletion.
  • Sync handles deleted/redacted entries deterministically.
  • Documentation covers retention defaults and operator controls.

Compliance Notes

The audit ledger should prove deletion/redaction occurred without retaining the sensitive content being removed.
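A sketch of the loader filter and redaction path from the acceptance criteria, as an added example that is not coven-code's own code. The type and function names are hypothetical, timestamps are assumed to be Unix seconds, and the ledger is assumed to record only the entry id, the action and the time.

```rust
// Added example. Types and function names are hypothetical, not coven-code's.
#[allow(dead_code)]
#[derive(Clone, Copy, Debug, PartialEq)]
enum RetentionClass { Standard, ShortLived, Security, LegalHold }

#[allow(dead_code)]
#[derive(Clone, Debug)]
struct MemoryEntry {
    id: String,
    content: Option<String>, // None once redacted
    created_at: u64,         // Unix seconds (assumed time representation)
    expires_at: Option<u64>,
    retention_class: RetentionClass,
    redacted_at: Option<u64>,
    deleted_at: Option<u64>,
}

#[derive(Debug, PartialEq)]
struct AuditRecord { entry_id: String, action: &'static str, at: u64 }

// Builder for constructed sample entries.
fn entry(id: &str, text: &str, expires_at: Option<u64>, class: RetentionClass) -> MemoryEntry {
    MemoryEntry { id: id.into(), content: Some(text.into()), created_at: 100, expires_at,
        retention_class: class, redacted_at: None, deleted_at: None }
}

// Redact: drop content, keep the stub, log id/action/time only (never the text).
fn redact(e: &mut MemoryEntry, now: u64, ledger: &mut Vec<AuditRecord>) {
    if e.redacted_at.is_some() { return; } // idempotent, so a sync replay changes nothing
    e.content = None;
    e.redacted_at = Some(now);
    ledger.push(AuditRecord { entry_id: e.id.clone(), action: "redact", at: now });
}

// Loader: only live, unexpired, unredacted content may reach the model.
fn load_for_model(entries: &[MemoryEntry], now: u64) -> Vec<&str> {
    entries.iter()
        .filter(|e| e.deleted_at.is_none() && e.redacted_at.is_none())
        .filter(|e| e.expires_at.map_or(true, |t| now < t))
        .filter_map(|e| e.content.as_deref())
        .collect()
}

fn main() {
    let mut ledger = Vec::new();
    let mut mem = vec![ // constructed sample data
        entry("m1", "repo uses cargo workspaces", None, RetentionClass::Standard),
        entry("m2", "incident: leaked token in CI", Some(500), RetentionClass::Security),
        entry("m3", "temporary note", Some(200), RetentionClass::ShortLived),
    ];
    redact(&mut mem[1], 300, &mut ledger);
    println!("{:?}\n{:?}", load_for_model(&mem, 300), ledger);
}
```

The ledger deliberately stores no content and no content hash, since a hash of short or guessable text can be brute-forced back to the original.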
