Enhance ChatAgent with file navigation, web browsing, scratchpad tools, and write security guardrails

[kovtcharov]

Summary

This PR adds comprehensive file system navigation, web browsing tools, structured data analysis, and write security guardrails to the ChatAgent.

Write Security Guardrails (src/gaia/security.py)

• Blocked system directories: Windows (C:\Windows, Program Files) and Unix (/etc, /bin, /usr/lib) system paths are blocked for writes
• Sensitive file protection: .env, credentials.json, SSH keys (id_rsa, id_ed25519), certificates (.pem, .key, .crt), and other secrets are never writable
• Write size limits: 10 MB maximum per write operation to prevent runaway file creation
• Overwrite confirmation prompts: User is prompted before overwriting existing files
• Timestamped backups: Automatic .bak copies created before file modification
• Audit logging: All write operations logged to ~/.gaia/cache/file_audit.log with timestamp, operation type, path, size, and status
• Symlink resolution: Paths resolved via os.path.realpath() to prevent TOCTOU bypass
• Fixed ChatAgent write_file: Previously had zero security checks — now enforces full PathValidator + write guardrails
• Fixed CodeAgent write_file/edit_file: Generic file tools were missing PathValidator — now enforced

File System Navigation Tools (src/gaia/agents/tools/filesystem_tools.py)

• browse_directory: List folder contents with file sizes, dates, and type indicators
• tree: Visual directory tree with configurable depth, exclusion patterns, and platform-aware defaults
• find_files: Search by name, content, size, date, and file type with multi-scope search (current dir → common locations → full drives)
• file_info: Detailed metadata — size, type, MIME, modification date, line counts, PDF page counts
• read_file: Smart file reading with type detection — text, CSV (tabular), JSON (formatted), PDF (text extraction)
• bookmark: Save, list, and remove bookmarks for quick access to important locations

File System Index Service (src/gaia/filesystem/)

• FileSystemIndexService: Persistent SQLite-backed file index with FTS5 full-text search
• auto_categorize: Automatic file categorization by extension (code, document, spreadsheet, image, video, audio, data, archive, config)
• Supports incremental scanning and update-on-change for efficient re-indexing

Browser Tools (src/gaia/agents/tools/browser_tools.py)

• fetch_page: Fetch web pages with content extraction modes — readable text, raw HTML, links, or tables as JSON
• search_web: DuckDuckGo web search (no API key required) with configurable result count
• download_file: Download files from the web to local disk with size limits and path validation

Web Client (src/gaia/web/client.py)

• Rate limiting: Per-domain request throttling (configurable delay between requests)
• SSRF prevention: Blocked schemes (file://, ftp://), blocked ports (SSH, SMTP, DB ports), private IP detection
• Content extraction: BeautifulSoup-based text extraction with boilerplate removal (nav, footer, scripts stripped)
• Table extraction: HTML tables parsed to structured JSON
• Size limits: Configurable max download size (default 100 MB)
• User-Agent rotation: Realistic browser user-agent strings

Scratchpad Tools (src/gaia/agents/tools/scratchpad_tools.py)

• create_table: Create SQLite tables for structured data accumulation
• insert_data: Insert rows from extracted document data
• query_data: Run SQL queries (SELECT only) with formatted results — supports SUM, AVG, GROUP BY for analysis
• list_tables: Show all scratchpad tables with row counts and schemas
• drop_table: Clean up tables when analysis is complete

Scratchpad Service (src/gaia/scratchpad/service.py)

• SQLite-backed working memory for multi-document data analysis
• Table name prefixing (scratch_) to isolate scratchpad data
• Read-only query enforcement (SELECT only) to prevent data mutation via query tool
• Schema introspection and row count tracking

ChatAgent Integration (src/gaia/agents/chat/agent.py)

• Integrated FileSystemToolsMixin, ScratchpadToolsMixin, and BrowserToolsMixin
• Config toggles: enable_filesystem, enable_scratchpad, enable_browser (all default to True)
• Updated system prompt with new tool workflows: file search + auto-index, data analysis pipeline, web research, download + analyze
• Replaced legacy search_file/search_directory tools with enhanced find_files/browse_directory
• Graceful degradation: each service initializes independently with fallback on import errors

CI Updates (.github/workflows/test_unit.yml)

• Added beautifulsoup4 and requests to test dependencies for browser tool tests

New Modules

Module	Files	Description
src/gaia/filesystem/	index.py, categorizer.py	Persistent file index with FTS5 search and auto-categorization
src/gaia/web/	client.py	HTTP client with rate limiting, SSRF prevention, content extraction
src/gaia/scratchpad/	service.py	SQLite working memory for structured data analysis
src/gaia/agents/tools/filesystem_tools.py	—	File system navigation mixin (6 tools)
src/gaia/agents/tools/browser_tools.py	—	Web browsing mixin (3 tools)
src/gaia/agents/tools/scratchpad_tools.py	—	Data analysis mixin (5 tools)

Test Coverage

Test File	Focus
test_file_write_guardrails.py	Blocked directories, sensitive files, size limits, backups, audit logging, overwrite prompts
test_security_edge_cases.py	Symlink resolution, path traversal, platform-specific edge cases
test_filesystem_tools_mixin.py	browse_directory, tree, find_files, file_info, read_file, bookmarks
test_filesystem_index.py	FTS5 search, incremental scanning, categorization
test_categorizer.py	Extension-based file categorization
test_browser_tools.py	URL validation, SSRF prevention, content extraction, rate limiting
test_web_client_edge_cases.py	Timeout handling, redirect limits, encoding detection
test_scratchpad_service.py	Table CRUD, SQL injection prevention, schema introspection
test_scratchpad_tools_mixin.py	Tool registration, query formatting, error handling
test_service_edge_cases.py	Concurrent access, large datasets, cleanup
test_chat_agent_integration.py	End-to-end ChatAgent with all new mixins

Test plan

• All unit tests pass (11 new test files, ~8000 lines of test code)
• All 3 modified source files parse and import cleanly
• Integration test: write to safe file succeeds, write to .env blocked, edit creates backup
• Platform test: case-insensitive path comparison on Windows verified
• Manual: run gaia chat and test file browsing, web search, scratchpad tools
• Manual: verify audit log written to ~/.gaia/cache/file_audit.log after write operations

🤖 Generated with Claude Code

[kovtcharov]

@claude review this PR.

[github-actions]

Claude finished @kovtcharov's task —— View job

---

PR Review Complete

• Read PR diff and changed files
• Review security module (src/gaia/security.py)
• Review filesystem tools (src/gaia/agents/tools/filesystem_tools.py)
• Review browser tools and web client
• Review scratchpad service
• Review ChatAgent integration
• Review CodeAgent file_io.py security fixes
• Check CodeQL security alerts
• Provide comprehensive review feedback

---

Overall Assessment: ✅ Approve with Minor Suggestions

This is a well-designed, security-conscious PR that adds significant functionality to the ChatAgent. The write security guardrails, SSRF prevention, and audit logging are particularly well-implemented. Below are my detailed findings.

---

🟢 Strengths

Security Module (src/gaia/security.py)

• Excellent blocked directory coverage for both Windows and Unix systems
• Sensitive file protection (.env, keys, certificates) is comprehensive
• Symlink resolution via os.path.realpath() prevents TOCTOU attacks
• Fail-closed design: blocks writes when path validation fails
• Audit logging provides valuable forensics capability

Web Client (src/gaia/web/client.py)

• Robust SSRF prevention: validates scheme, port, and resolved IP addresses
• Manual redirect following with validation at each hop prevents redirect-based SSRF
• Per-domain rate limiting prevents accidental DoS
• Content-Length validation before download prevents memory exhaustion
• Path traversal protection in download() via save_path.resolve() check

Scratchpad Service (src/gaia/scratchpad/service.py)

• Good SQL injection prevention via _sanitize_name()
• Read-only query enforcement (SELECT only) is correctly implemented
• Resource limits (100 tables, 1M rows) prevent runaway resource usage
• WAL mode enables concurrent access

CodeAgent File I/O (src/gaia/agents/code/tools/file_io.py)

• Fixed missing PathValidator checks on write_file and edit_file tools
• Automatic backup creation before overwrites
• Audit logging integrated

---

🟡 Minor Issues (Non-blocking)

1. CodeQL Alert: URL Substring Sanitization in Tests
tests/unit/test_browser_tools.py:155-162

The CodeQL alerts about URL substring sanitization are false positives in this context. These are unit tests validating rate limiter domain tracking, not security-sensitive URL validation. The test code:

self.client._rate_limit_wait("example.com")
assert "example.com" in self.client._domain_last_request

is simply checking that domains are correctly stored in the rate limit tracking dictionary. No action needed.

2. CodeQL Alert: DOM Text as HTML
src/gaia/apps/jira/webui/public/js/modules/chat-ui.js:51

The sanitizeHTML() function at line 49-64 already addresses this by removing dangerous elements (script, iframe, etc.) and stripping event handlers. However, consider adding data: and vbscript: to the URL scheme check at line 58:

// Current check:
if (attr.name === 'href' && attr.value.trimStart().toLowerCase().startsWith('javascript:'))

// Suggested enhancement:
const dangerousSchemes = ['javascript:', 'data:', 'vbscript:'];
if (attr.name === 'href' && dangerousSchemes.some(s => attr.value.trimStart().toLowerCase().startsWith(s)))

3. CodeQL Alert: Polynomial Regex
src/gaia/agents/emr/dashboard/server.py:76-84

The regex patterns in sanitize_error_response() could theoretically cause ReDoS with crafted input. However, these are applied to error messages (internal content), not user input. The risk is low since error messages come from Python exceptions. If you want to harden this, consider using simpler patterns or adding a length limit before regex processing.

4. Potential Enhancement: Browser Tools Path Validation
src/gaia/agents/tools/browser_tools.py:259-266

The download_file tool checks is_path_allowed but doesn't call validate_write() to check blocked directories. Consider:

# After path validation:
is_blocked, reason = mixin._path_validator.is_write_blocked(resolved_dir)
if is_blocked:
    return f"Error: {reason}"

---

🔴 Security Alerts from CodeQL (Already Addressed or Pre-existing)

The following alerts appear to be pre-existing issues or already addressed in this PR:

Alert	File	Status
Server-side URL redirect	docs/server.js:295	✅ Fixed in this PR - Added // prefix check
Clear-text password logging	jira/agent.py:654	⚠️ Pre-existing - Only logs URL path, not credentials
Uncontrolled path expression	emr/dashboard/server.py:1659	✅ Fixed in this PR - Added path validation
CDN integrity check	eval/webapp/public/index.html:9-10	🟡 Pre-existing - Consider adding SRI hashes

---

📋 Test Coverage

The test coverage is excellent:

• 11 new test files with ~8000 lines of tests
• Comprehensive security edge case testing (symlinks, TOCTOU, path traversal)
• SSRF prevention tests
• SQL injection prevention tests

---

Summary

This PR significantly improves GAIA's security posture by:

1. Adding comprehensive write guardrails
2. Implementing robust SSRF prevention for web browsing
3. Fixing missing PathValidator checks in CodeAgent tools
4. Adding audit logging for all file mutations

The minor suggestions above are non-blocking. The code is ready to merge.

---