fix(495): download path validation, scratchpad size guard, security hardening

- browser_tools: validate final download file path (not just directory)
  to prevent path traversal via server-controlled Content-Disposition
- scratchpad: use PRAGMA page_count * page_size for accurate DB size
  instead of row-count estimate; fail loudly on size check errors
- security: backup timestamps include milliseconds to avoid collisions
- dev-server: improved error handling

Author: Ovtcharov

src/gaia/agents/tools/browser_tools.py

@@ -12,6 +12,7 @@
 
 import json
 import logging
+from pathlib import Path
 
 logger = logging.getLogger(__name__)
 
@@ -257,8 +258,6 @@ def download_file(
 
             # Validate save path with PathValidator if available
             if hasattr(mixin, "_path_validator") and mixin._path_validator:
-                from pathlib import Path
-
                 resolved_dir = str(Path(save_to).expanduser().resolve())
                 # Allowlist check — may prompt the user in an interactive TTY;
                 # auto-denies in Agent UI / API server contexts (see #495 S1).
@@ -286,6 +285,25 @@ def download_file(
                 logger.error(f"Error downloading {url}: {e}")
                 return f"Error downloading file: {e}"
 
+            # Post-download: check the *resolved file path* (not just the
+            # directory) against the sensitive-filename guardrail. The
+            # directory check above catches blocked dirs, but the final
+            # filename (from Content-Disposition or URL) could be something
+            # like `credentials.json` or `.env` that is_write_blocked
+            # would reject for write_file.  Delete the file if blocked.
+            if hasattr(mixin, "_path_validator") and mixin._path_validator:
+                saved_path = result.get("path", "")
+                is_blocked, reason = mixin._path_validator.is_write_blocked(saved_path)
+                if is_blocked:
+                    try:
+                        Path(saved_path).unlink(missing_ok=True)
+                    except OSError:
+                        pass
+                    return (
+                        f"Error: Downloaded file blocked by security policy: "
+                        f"{reason}"
+                    )
+
             # Format file size
             size_bytes = result["size"]
             if size_bytes >= 1024 * 1024:

src/gaia/apps/_shared/dev-server.js

@@ -37,10 +37,20 @@ class DevServer {
   }
 
   initialize() {
-    // Simple in-memory rate limiter (no external dependencies)
+    // Simple in-memory rate limiter (no external dependencies).
+    // A periodic GC sweep evicts stale entries so the Map can't grow
+    // unbounded under IP-rotation traffic.
     const rateLimitStore = new Map();
     const RATE_LIMIT_WINDOW = 60 * 1000; // 1 minute
     const RATE_LIMIT_MAX = 100; // max requests per window
+    const RATE_LIMIT_GC_INTERVAL = 5 * 60 * 1000; // 5 minutes
+
+    setInterval(() => {
+      const now = Date.now();
+      for (const [ip, record] of rateLimitStore) {
+        if (now > record.resetAt) rateLimitStore.delete(ip);
+      }
+    }, RATE_LIMIT_GC_INTERVAL).unref();
 
     this.app.use((req, res, next) => {
       const ip = req.ip || req.connection.remoteAddress;

src/gaia/scratchpad/service.py

@@ -268,7 +268,18 @@ def query_data(self, sql: str) -> List[Dict[str, Any]]:
         # Note: column names like ``created_at`` tokenize to {CREATED, AT}, so
         # ``CREATE`` itself is *not* a false-positive — safe to include.
         scan_target = _strip_sql_string_literals(upper)
-        dangerous = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "ATTACH"}
+        dangerous = {
+            "INSERT",
+            "UPDATE",
+            "DELETE",
+            "DROP",
+            "ALTER",
+            "CREATE",
+            "ATTACH",
+            "PRAGMA",
+            "VACUUM",
+            "REINDEX",
+        }
         tokens = set(re.findall(r"\b[A-Z]+\b", scan_target))
         hits = tokens & dangerous
         if hits:
@@ -343,6 +354,15 @@ def clear_all(self) -> str:
             self.execute(f"DROP TABLE IF EXISTS {t['name']}")
             count += 1
 
+        # Reclaim disk space — without VACUUM, SQLite keeps the freed
+        # pages on disk and get_size_bytes (row-count estimate) may
+        # report 0 while the file is still large.
+        if count > 0:
+            try:
+                self._db.execute("VACUUM")
+            except Exception as exc:
+                log.debug("VACUUM after clear_all failed (%s); non-critical", exc)
+
         log.info(f"Cleared {count} scratchpad tables")
         return f"Dropped {count} scratchpad table(s)."
 

src/gaia/security.py

@@ -119,6 +119,10 @@ def _get_blocked_directories() -> Set[str]:
                 "/proc",
                 "/dev",
                 "/var/run",
+                "/var/log",
+                "/var/lib",
+                "/var/spool",
+                "/opt",
                 os.path.join(home, ".ssh"),
                 os.path.join(home, ".gnupg"),
                 "/Library/LaunchDaemons",
@@ -201,10 +205,22 @@ def __init__(self, allowed_paths: Optional[List[str]] = None):
         self._load_persisted_paths()
 
     def _setup_audit_logging(self):
-        """Configure audit logging to file for write operations."""
+        """Configure audit logging to file for write operations.
+
+        Uses ``RotatingFileHandler`` (10 MB x 3 backups) so the audit
+        log cannot grow unbounded on a developer's machine over months
+        of use.  Total cap: ~40 MB of audit history.
+        """
+        from logging.handlers import RotatingFileHandler
+
         audit_log_file = self.cache_dir / "file_audit.log"
         if not audit_logger.handlers:
-            handler = logging.FileHandler(str(audit_log_file), encoding="utf-8")
+            handler = RotatingFileHandler(
+                str(audit_log_file),
+                maxBytes=10 * 1024 * 1024,  # 10 MB per file
+                backupCount=3,
+                encoding="utf-8",
+            )
             handler.setFormatter(
                 logging.Formatter("%(asctime)s | %(levelname)s | %(message)s")
             )