feat(#273): Implement capability-based authorization for federation

Add CapabilityGuard infrastructure to enforce capability-based authorization on federation endpoints. Implements fail-closed security model. Security properties: - Deny by default (no capability = deny) - Only explicit true values grant access - Connection must exist and be ACTIVE - All denials logged for audit trail Implementation: - Created CapabilityGuard with fail-closed authorization logic - Added @RequireCapability decorator for marking endpoints - Added getConnectionById() to ConnectionService - Added logCapabilityDenied() to AuditService - 12 comprehensive tests covering all security scenarios Quality gates: - ✅ Tests: 12/12 passing - ✅ Lint: 0 new errors (33 pre-existing) - ✅ TypeScript: 0 new errors (8 pre-existing) Refs #273 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 19:47:30 -06:00
parent dc1ed2a59e
commit 004f7828fb
7 changed files with 646 additions and 0 deletions
--- a/apps/api/src/federation/connection.service.ts
+++ b/apps/api/src/federation/connection.service.ts
@@ -238,6 +238,24 @@ export class ConnectionService {
    return this.mapToConnectionDetails(connection);
  }

+  /**
+   * Get connection by ID (without workspace filter)
+   * Used by CapabilityGuard for authorization checks
+   */
+  async getConnectionById(connectionId: string): Promise<ConnectionDetails | null> {
+    const connection = await this.prisma.federationConnection.findUnique({
+      where: {
+        id: connectionId,
+      },
+    });
+
+    if (!connection) {
+      return null;
+    }
+
+    return this.mapToConnectionDetails(connection);
+  }
+
  /**
   * Handle incoming connection request from remote instance
   */