feat(#285): Add input sanitization for XSS prevention

Security improvements:
- Create sanitization utility using sanitize-html library
- Add @Sanitize() and @SanitizeObject() decorators for DTOs
- Apply sanitization to vulnerable fields:
  - Connection rejection/disconnection reasons
  - Connection metadata
  - Identity linking metadata
  - Command payloads
- Remove script tags, event handlers, javascript: URLs
- Prevent data exfiltration, CSS-based XSS, SVG-based XSS

Changes:
- Add sanitize.util.ts with recursive sanitization functions
- Add sanitize.decorator.ts for class-transformer integration
- Update connection.dto.ts with sanitization decorators
- Update identity-linking.dto.ts with sanitization decorators
- Update command.dto.ts with sanitization decorators
- Add comprehensive test coverage including attack vectors

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #285

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 21:47:32 -06:00
parent 3bba2f1c33
commit 01639fff95
24 changed files with 921 additions and 0 deletions


@@ -5,6 +5,7 @@
*/
import { IsString, IsUrl, IsOptional, IsObject, IsNumber } from "class-validator";
import { Sanitize, SanitizeObject } from "../../common/decorators/sanitize.decorator";
/**
* DTO for initiating a connection
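Review bot: this hunk makes the DTO depend on decorators that the commit message describes as class-transformer integration, so they only take effect when incoming payloads are actually converted with class-transformer (for example a validation pipe configured with `transform: true`); without that, `@Sanitize()`/`@SanitizeObject()` are inert and `@IsString()`/`@IsObject()` validate the raw input. Please confirm the pipe configuration for these endpoints and state in the module doc comment (the `/** ... */` header this import sits under) that DTO-level sanitization is input-side defence in depth and does not replace output encoding where these values are rendered.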
@@ -20,6 +21,7 @@ export class InitiateConnectionDto {
export class AcceptConnectionDto {
@IsOptional()
@IsObject()
@SanitizeObject()
metadata?: Record<string, unknown>;
}
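Review bot: `@SanitizeObject()` on `metadata?: Record<string, unknown>` runs the recursive sanitizer from `sanitize.util.ts` over an object whose shape and depth are entirely caller-controlled. Check that the recursion bounds nesting depth (so a deeply nested payload cannot exhaust the stack), that keys such as `__proto__` and `constructor` are dropped rather than walked (prototype pollution), and that non-object input is returned unchanged so that `@IsObject()` still rejects it instead of validating a value the transform has already reshaped. A test with a deeply nested and a `__proto__`-keyed metadata object would document the intended behaviour.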
@@ -28,6 +30,7 @@ export class AcceptConnectionDto {
*/
export class RejectConnectionDto {
@IsString()
@Sanitize()
reason!: string;
}
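Review bot: `reason!: string` carries no length bound, and `@Sanitize()` only strips markup, so an arbitrarily large rejection reason is sanitized and then accepted; consider adding `@MaxLength(...)` next to `@IsString()`. Also note that class-transformer transforms run before class-validator validators regardless of decorator order here, so `@IsString()` validates the sanitizer's output: the transform should pass non-string input through untouched rather than coercing it, otherwise a number or object submitted as `reason` would be stringified and pass validation.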
@@ -37,6 +40,7 @@ export class RejectConnectionDto {
export class DisconnectConnectionDto {
@IsOptional()
@IsString()
@Sanitize()
reason?: string;
}
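Review bot: on this optional field, `@IsOptional()` skips the validators when `reason` is `null` or `undefined`, but the `@Sanitize()` transform still runs on those values. If the sanitizer coerces a missing value to `""` (for example by calling `sanitize-html` on `String(value)`), an absent reason silently becomes an empty string and is no longer covered by `@IsOptional()`. Please make the transform return `null`/`undefined` unchanged and add a test for the absent-reason case alongside the attack-vector tests mentioned in the commit message.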