
[C-2] add_file() and restore() bypass all VFS limits #406

@chaliy

Finding C-2: VFS Limit Bypass via Public API

Severity: CRITICAL
File: crates/bashkit/src/fs/memory.rs:658-698 (add_file), 549-603 (restore)
Threat ID: TM-ESC-012 (new)

Description

InMemoryFs::add_file() is a pub method that:

  • Does NOT call validate_path() (no path depth/length/unicode checks)
  • Does NOT call check_write_limits() (no file size, total bytes, or file count limits)

Any code with access to InMemoryFs (including via OverlayFs::upper()) can bypass all filesystem limits.

Similarly, restore() deserializes a VfsSnapshot and inserts all entries without any validation or limit checks.

Compounding Factor

OverlayFs::upper() (line 241) returns &InMemoryFs constructed with FsLimits::unlimited(), so:

overlay.upper().add_file("/huge", &vec![0u8; 1_000_000_000], 0o644);
// Bypasses all OverlayFs-level limits

Recommended Fix

Option A: Make add_file() call validate_path() and check_write_limits().
Option B: Make add_file() pub(crate) and document it is only safe during construction.
Option C: Remove OverlayFs::upper() from public API, or return a limited view.

For restore(): validate entries against current limits after deserialization.

Write a failing test first per AGENTS.md.
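The bypass pattern described in the finding and the Option A fix, as an added example that is not part of this issue or of the bashkit project's own code. The FsLimits, InMemoryFs, VfsSnapshot and FsError types below are hypothetical stand-ins for the real ones: add_file_unchecked shows a public insert that never consults the limits, add_file routes the same write through validate_path and check_write_limits, and restore stages every snapshot entry through add_file so one oversized entry rejects the whole snapshot instead of leaving a half-applied state.

```rust
use std::collections::HashMap;

/// Hypothetical limits, modelled on the FsLimits named in the finding.
#[derive(Clone, Copy)]
pub struct FsLimits {
    pub max_file_size: usize,
    pub max_total_bytes: usize,
    pub max_files: usize,
    pub max_path_depth: usize,
}

#[derive(Debug, PartialEq)]
pub enum FsError {
    InvalidPath(&'static str),
    FileTooLarge,
    TotalBytesExceeded,
    TooManyFiles,
}

/// Toy in-memory filesystem: path -> bytes, plus a running byte total.
pub struct InMemoryFs {
    limits: FsLimits,
    files: HashMap<String, Vec<u8>>,
    total_bytes: usize,
}

/// A snapshot here is just (path, content) pairs, as if freshly deserialized.
pub struct VfsSnapshot {
    pub entries: Vec<(String, Vec<u8>)>,
}

impl InMemoryFs {
    pub fn new(limits: FsLimits) -> Self {
        Self { limits, files: HashMap::new(), total_bytes: 0 }
    }

    /// Path checks: absolute, no NUL, bounded depth (hypothetical rule set).
    fn validate_path(&self, path: &str) -> Result<(), FsError> {
        if !path.starts_with('/') {
            return Err(FsError::InvalidPath("must be absolute"));
        }
        if path.contains('\0') {
            return Err(FsError::InvalidPath("NUL byte"));
        }
        let depth = path.split('/').filter(|s| !s.is_empty()).count();
        if depth > self.limits.max_path_depth {
            return Err(FsError::InvalidPath("too deep"));
        }
        Ok(())
    }

    /// Size, total-bytes and file-count checks, accounting for overwrites.
    fn check_write_limits(&self, path: &str, new_len: usize) -> Result<(), FsError> {
        if new_len > self.limits.max_file_size {
            return Err(FsError::FileTooLarge);
        }
        let old_len = self.files.get(path).map_or(0, |v| v.len());
        let is_new = !self.files.contains_key(path);
        if is_new && self.files.len() >= self.limits.max_files {
            return Err(FsError::TooManyFiles);
        }
        if self.total_bytes - old_len + new_len > self.limits.max_total_bytes {
            return Err(FsError::TotalBytesExceeded);
        }
        Ok(())
    }

    fn insert_raw(&mut self, path: &str, content: &[u8]) {
        let old = self.files.insert(path.to_string(), content.to_vec()).map_or(0, |v| v.len());
        self.total_bytes = self.total_bytes - old + content.len();
    }

    /// The bypass pattern from the finding: a pub insert that skips every check.
    pub fn add_file_unchecked(&mut self, path: &str, content: &[u8]) {
        self.insert_raw(path, content);
    }

    /// Option A: the public insert goes through the same checks as a normal write.
    pub fn add_file(&mut self, path: &str, content: &[u8]) -> Result<(), FsError> {
        self.validate_path(path)?;
        self.check_write_limits(path, content.len())?;
        self.insert_raw(path, content);
        Ok(())
    }

    /// Restore validates each entry against the current limits by staging into a
    /// fresh fs; the first bad entry rejects the whole snapshot and self is untouched.
    pub fn restore(&mut self, snap: &VfsSnapshot) -> Result<(), FsError> {
        let mut staged = InMemoryFs::new(self.limits);
        for (path, content) in &snap.entries {
            staged.add_file(path, content)?;
        }
        *self = staged;
        Ok(())
    }

    pub fn total_bytes(&self) -> usize { self.total_bytes }
    pub fn file_count(&self) -> usize { self.files.len() }
}
```

Staging restore through add_file keeps the checks in one place; the cost is a second copy of the snapshot during restore, which is acceptable because the snapshot is itself bounded by the same limits once it passes.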

Labels: security (Security vulnerability or hardening), severity/critical (Critical severity)