@claude perform a deep code review of this PR.

Solid, well-scoped PR — the SSRF fix is correct, the fail-loudly changes are right, and the new tests genuinely exercise the security boundaries rather than rubber-stamping them. One functional trade-off in the HTTPS path is worth an explicit decision before merge. Details below.

🟢 SSRF hardening — correct

_assert_ip_allowed as the single authority routed through both validate_url (pre-flight) and PinnedIPAdapter._resolve_first_ip (connect-time) is the right design. The key property holds: the adapter validates the exact IP it's about to pin and caches only after it passes, so a rebind that hands validate_url a public IP and the adapter a private one is blocked at connect time. I traced the redirect path too — each hop re-enters send() → _resolve_first_ip, so redirects are validated at the adapter layer, not just the initial URL. Good.

I spot-checked _is_blocked_ip coverage on Python 3.12: loopback, private, link-local (incl. the 169.254.169.254 cloud-metadata endpoint), IPv4-mapped IPv6 (::ffff:10.0.0.1), 0.0.0.0, and ::1 are all blocked. Comprehensive.

🟡 HTTPS SNI trade-off — confirm this is acceptable for gaia browse

The docstring is admirably honest that SNI is sent as the pinned IP. The practical impact deserves a conscious call: most of the modern web sits behind CDNs (Cloudflare, Fastly, etc.) that require a correct SNI to route the handshake. With SNI = IP, those servers return a default/wrong cert, assert_hostname then rejects it, and the fetch fails as a TLS error. Since WebClient is the backend for BrowserToolsMixin / gaia browse, this can break a large fraction of real HTTPS fetches — not a security weakness (the SSRF block still fires first), but a meaningful functionality regression for the agent's primary use case.

The PR documents the clean fix (a custom urllib3 PoolManager/HTTPSConnection that decouples server_hostname from the connect address) as out of scope. That's a reasonable boundary — but I'd suggest filing a follow-up issue to track it rather than leaving it only in a docstring, so the SNI-vhosting breakage doesn't get rediscovered as a bug report. Worth @kovtcharov weighing whether the narrower-but-correct guarantee is the right default for browse today.

🟢 Fail-loudly fixes — all correct

• telegram.py: the PID write uses the process's own os.getpid() and runs before the application is built, so re-raising aborts cleanly with no orphaned process. Right call.
• memory.py / mcp_bridge.py: both narrow the bare except to specific types and log with context; logger is defined in both modules (verified).
• agent.py prompt-fragment: logging-only on the exception branch, happy path byte-identical — consistent with the eval requirement in CLAUDE.md. Confirm the separately-running eval comes back clean before merge, as the description states.

🟢 Tests — real coverage, not filler

The Docker tests assert the actual security invariants (list argv, shell=True never set, allowlist denies /etc without invoking subprocess) — verified the agent uses module-level subprocess.run with list argv and a docker --version probe, so the patch target and argv assertions are accurate. The JQL tests prove injection containment via restrictive capture classes. Replacing the @pytest.mark.skip API test with a mocked-backend happy path is a real upgrade.

Minor (non-blocking)

• _is_blocked_ip allows 100.64.0.0/10 (RFC 6598 CGNAT / shared address space), which routes internally in some cloud environments. If you want belt-and-suspenders, not ip.is_global is a stricter catch-all — but it may over-block, so it's a judgement call, fine to leave.
• PinnedIPAdapter._pinned_cache is unbounded and never expires per WebClient instance. Harmless for short-lived clients; if any caller keeps a session long-lived, a legitimately-rotated DNS record won't be re-resolved. Worth a bounded/TTL cache only if that pattern exists.

Nice work — the security core is sound and the only real open question is the HTTPS/SNI functionality trade-off above.