fix(security): CodeAgent write tools missing blocklist/guardrails

[kovtcharov-amd]

Problem

write_python_file, edit_python_file, write_markdown_file, and replace_function in src/gaia/agents/code/tools/file_io.py only call self.path_validator.is_path_allowed() — they have no blocklist check, no sensitive-file protection, no size limit, no audit logging, and no backup.

The PR #495 fixes for write_file and edit_file added full validate_write / is_write_blocked guardrails, but these four tools were missed.

Impact

• ChatAgent: Not affected (strips these tools from the registry)
• CodeAgent: An LLM could use write_python_file to write to a blocked path if it's within the allowlist

Fix

Apply the same PathValidator.validate_write() + is_write_blocked() pattern used in write_file (line 530) and edit_file (line 622) to all four tools.

Files

• src/gaia/agents/code/tools/file_io.py — lines 224-244, 268-343, 502-527, 874-978

Found during code review of #495.

[github-actions]

Confirmed the gap, with two corrections to the framing that should help whoever picks this up:

1. PR #495 hasn't merged yet. It's still OPEN, so the validate_write / is_write_blocked helpers don't exist in src/gaia/security.py on main today — only PathValidator.is_path_allowed() does (src/gaia/security.py:97). The fix here can't just "apply the same pattern as write_file / edit_file" until #495 lands, because that pattern doesn't exist yet.

2. On main, write_file and edit_file are actually more exposed than the four tools called out, not less. The issue says lines 530 and 622 already have full guardrails — they don't:

• write_file (line 530) — does Path(...).resolve() and writes. No is_path_allowed check, no blocklist.
• edit_file (line 588) — same: resolves, reads, writes. No is_path_allowed check.
• write_python_file (line 224), edit_python_file (line 269), write_markdown_file (line 504), replace_function (line 777) — all call is_path_allowed ✅, but no blocklist / size limit / audit / backup tied to security.

So the real picture is: all six write tools in code/tools/file_io.py need the new guardrails once they land, with two of them (write_file, edit_file) currently missing even allowlist enforcement.

🟡 Suggested path forward:

• Easiest: expand the scope of Enhance ChatAgent with file navigation, web browsing, scratchpad tools, and write security guardrails #495 so it ships guardrails on all six tools in one go. Otherwise reviewers will be staring at a fix that protects write_file while leaving write_python_file exposed, when both are reachable from the same CodeAgent.
• If Enhance ChatAgent with file navigation, web browsing, scratchpad tools, and write security guardrails #495 ships first as-is, this issue becomes the natural follow-up — but please update its description so the next person reads "all four tools missing blocklist (and write_file/edit_file missing it on main until Enhance ChatAgent with file navigation, web browsing, scratchpad tools, and write security guardrails #495 merges)" rather than the current "fixed in Enhance ChatAgent with file navigation, web browsing, scratchpad tools, and write security guardrails #495" phrasing.

Either way, when this work lands it should:

• Use a single _validate_and_write(path, content, op_name) helper so all six call sites stay in lockstep.
• Add coverage in tests/ (existing test_file_write_guardrails.py from Enhance ChatAgent with file navigation, web browsing, scratchpad tools, and write security guardrails #495 is the right place — extend its parametrization to cover these tool names, not just write_file).

Tagging @kovtcharov-amd for visibility on the scoping question (one PR vs. follow-up).

cc relevant guidance: docs/sdk/security.mdx and the "No Silent Fallbacks" section in CLAUDE.md — blocklist hits should raise actionable errors, not return {"status": "error", ...} that the LLM can paper over.