v0.31.0 — the shared verified brain

Completes the substrate's four hero verbs (gate, sight, recall/remember, verify): any agent over MCP can now read and write a shared verified brain — and trust does not travel.

Highlights

• verel_recall(query, scope, kind, k) — reads via the scope lattice, resolving DOWN (self < team < org < global; most specific wins) and surfacing trust/confidence/support/provenance/fingerprint.
• verel_remember(fact, scope, evidence, author) — writes a CANDIDATE. The caller's self-asserted trust is ignored; a verifiable evidence receipt records attested grounding but does NOT auto-promote (the receipt attests a run, not the fact). A forged receipt can't launder trust; a VERIFIED belief is protected from silent overwrite.
• One persistent brain per server (VEREL_MEMORY_STORE or ~/.config/verel/brain.db), fixed and not agent-controllable; bounded inputs; parameterized SQL.

Security

Audit → 3-round adversarial red-team: store/input/DoS clean; the trust hard-guarantee (no verified without a genuine runner-signed receipt) holds; two soft-trust paths fixed. The unauthenticated-author and trust-blind-ranking items are documented as the deferred multi-principal remote-brain auth layer — acceptable under the local single-principal model.

390-test suite; ruff + mypy clean. pip install verel