feat(#284): Reduce timestamp validation window to 60s with replay attack prevention

Security improvements:
- Reduce timestamp tolerance from 5 minutes to 60 seconds
- Add nonce-based replay attack prevention using Redis
- Store signature nonce with 60s TTL matching tolerance window
- Reject replayed messages with same signature

Changes:
- Update SignatureService.TIMESTAMP_TOLERANCE_MS to 60s
- Add Redis client injection to SignatureService
- Make verifyConnectionRequest async for nonce checking
- Create RedisProvider for shared Redis client
- Update ConnectionService to await signature verification
- Add comprehensive test coverage for replay prevention

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #284

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/api/src/common/providers/redis.provider.ts

@@ -0,0 +1,54 @@
+/**
+ * Redis Provider
+ *
+ * Provides Redis/Valkey client instance for the application.
+ */
+
+import { Logger } from "@nestjs/common";
+import type { Provider } from "@nestjs/common";
+import Redis from "ioredis";
+
+/**
+ * Factory function to create Redis client instance
+ */
+function createRedisClient(): Redis {
+  const logger = new Logger("RedisProvider");
+  const valkeyUrl = process.env.VALKEY_URL ?? "redis://localhost:6379";
+
+  logger.log(`Connecting to Valkey at ${valkeyUrl}`);
+
+  const client = new Redis(valkeyUrl, {
+    maxRetriesPerRequest: 3,
+    retryStrategy: (times) => {
+      const delay = Math.min(times * 50, 2000);
+      logger.warn(
+        `Valkey connection retry attempt ${times.toString()}, waiting ${delay.toString()}ms`
+      );
+      return delay;
+    },
+    reconnectOnError: (err) => {
+      logger.error("Valkey connection error:", err.message);
+      return true;
+    },
+  });
+
+  client.on("connect", () => {
+    logger.log("Connected to Valkey");
+  });
+
+  client.on("error", (err) => {
+    logger.error("Valkey error:", err.message);
+  });
+
+  return client;
+}
+
+/**
+ * Redis Client Provider
+ *
+ * Provides a singleton Redis client instance for dependency injection.
+ */
+export const RedisProvider: Provider = {
+  provide: "REDIS_CLIENT",
+  useFactory: createRedisClient,
+};

apps/api/src/federation/connection.service.spec.ts

@@ -102,7 +102,7 @@ describe("ConnectionService", () => {
           provide: SignatureService,
           useValue: {
             signMessage: vi.fn().mockResolvedValue("mock-signature"),
-            verifyConnectionRequest: vi.fn().mockReturnValue({ valid: true }),
+            verifyConnectionRequest: vi.fn().mockResolvedValue({ valid: true }),
           },
         },
         {
@@ -441,7 +441,7 @@ describe("ConnectionService", () => {
     });
 
     it("should create pending connection for valid request", async () => {
-      vi.spyOn(signatureService, "verifyConnectionRequest").mockReturnValue({ valid: true });
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockResolvedValue({ valid: true });
       vi.spyOn(prismaService.federationConnection, "create").mockResolvedValue(mockConnection);
 
       const result = await service.handleIncomingConnectionRequest(mockWorkspaceId, mockRequest);
@@ -451,7 +451,7 @@ describe("ConnectionService", () => {
     });
 
     it("should reject request with invalid signature", async () => {
-      vi.spyOn(signatureService, "verifyConnectionRequest").mockReturnValue({
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockResolvedValue({
         valid: false,
         error: "Invalid signature",
       });
@@ -462,7 +462,7 @@ describe("ConnectionService", () => {
     });
 
     it("should log incoming connection attempt", async () => {
-      vi.spyOn(signatureService, "verifyConnectionRequest").mockReturnValue({ valid: true });
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockResolvedValue({ valid: true });
       vi.spyOn(prismaService.federationConnection, "create").mockResolvedValue(mockConnection);
       const auditSpy = vi.spyOn(auditService, "logIncomingConnectionAttempt");
 
@@ -477,7 +477,7 @@ describe("ConnectionService", () => {
     });
 
     it("should log connection created on success", async () => {
-      vi.spyOn(signatureService, "verifyConnectionRequest").mockReturnValue({ valid: true });
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockResolvedValue({ valid: true });
       vi.spyOn(prismaService.federationConnection, "create").mockResolvedValue(mockConnection);
       const auditSpy = vi.spyOn(auditService, "logIncomingConnectionCreated");
 
@@ -492,7 +492,7 @@ describe("ConnectionService", () => {
     });
 
     it("should log connection rejected on invalid signature", async () => {
-      vi.spyOn(signatureService, "verifyConnectionRequest").mockReturnValue({
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockResolvedValue({
         valid: false,
         error: "Invalid signature",
       });

apps/api/src/federation/connection.service.ts

@@ -286,7 +286,7 @@ export class ConnectionService {
     });
 
     // Verify signature
-    const validation = this.signatureService.verifyConnectionRequest(request);
+    const validation = await this.signatureService.verifyConnectionRequest(request);
 
     if (!validation.valid) {
       const errorMsg: string = validation.error ?? "Unknown error";

apps/api/src/federation/federation.module.ts

@@ -20,6 +20,7 @@ import { OIDCService } from "./oidc.service";
 import { CommandService } from "./command.service";
 import { FederationAgentService } from "./federation-agent.service";
 import { PrismaModule } from "../prisma/prisma.module";
+import { RedisProvider } from "../common/providers/redis.provider";
 
 @Module({
   imports: [
@@ -52,6 +53,7 @@ import { PrismaModule } from "../prisma/prisma.module";
   ],
   controllers: [FederationController, FederationAuthController],
   providers: [
+    RedisProvider,
     FederationService,
     CryptoService,
     FederationAuditService,

apps/api/src/federation/signature.service.spec.ts

@@ -9,10 +9,12 @@ import { Test, TestingModule } from "@nestjs/testing";
 import { SignatureService } from "./signature.service";
 import { FederationService } from "./federation.service";
 import { generateKeyPairSync } from "crypto";
+import type Redis from "ioredis";
 
 describe("SignatureService", () => {
   let service: SignatureService;
   let mockFederationService: Partial<FederationService>;
+  let mockRedis: Partial<Redis>;
 
   // Test keypair
   const { publicKey, privateKey } = generateKeyPairSync("rsa", {
@@ -37,6 +39,12 @@ describe("SignatureService", () => {
       }),
     };
 
+    mockRedis = {
+      get: vi.fn().mockResolvedValue(null),
+      set: vi.fn().mockResolvedValue("OK"),
+      setex: vi.fn().mockResolvedValue("OK"),
+    };
+
     const module: TestingModule = await Test.createTestingModule({
       providers: [
         SignatureService,
@@ -44,6 +52,10 @@ describe("SignatureService", () => {
           provide: FederationService,
           useValue: mockFederationService,
         },
+        {
+          provide: "REDIS_CLIENT",
+          useValue: mockRedis,
+        },
       ],
     }).compile();
 
@@ -168,16 +180,16 @@ describe("SignatureService", () => {
       expect(result).toBe(true);
     });
 
-    it("should accept timestamps within 5 minutes", () => {
+    it("should accept timestamps within 60 seconds", () => {
-      const fourMinutesAgo = Date.now() - 4 * 60 * 1000;
+      const fiftySecondsAgo = Date.now() - 50 * 1000;
-      const result = service.validateTimestamp(fourMinutesAgo);
+      const result = service.validateTimestamp(fiftySecondsAgo);
 
       expect(result).toBe(true);
     });
 
-    it("should reject timestamps older than 5 minutes", () => {
+    it("should reject timestamps older than 60 seconds", () => {
-      const sixMinutesAgo = Date.now() - 6 * 60 * 1000;
+      const twoMinutesAgo = Date.now() - 2 * 60 * 1000;
-      const result = service.validateTimestamp(sixMinutesAgo);
+      const result = service.validateTimestamp(twoMinutesAgo);
 
       expect(result).toBe(false);
     });
@@ -226,7 +238,7 @@ describe("SignatureService", () => {
   });
 
   describe("verifyConnectionRequest", () => {
-    it("should verify a valid connection request", () => {
+    it("should verify a valid connection request", async () => {
       const timestamp = Date.now();
       const request = {
         instanceId: "instance-123",
@@ -239,13 +251,14 @@ describe("SignatureService", () => {
       const signature = service.sign(request, privateKey);
       const signedRequest = { ...request, signature };
 
-      const result = service.verifyConnectionRequest(signedRequest);
+      const result = await service.verifyConnectionRequest(signedRequest);
 
       expect(result.valid).toBe(true);
       expect(result.error).toBeUndefined();
+      expect(mockRedis.setex).toHaveBeenCalled();
     });
 
-    it("should reject request with invalid signature", () => {
+    it("should reject request with invalid signature", async () => {
       const request = {
         instanceId: "instance-123",
         instanceUrl: "https://test.example.com",
@@ -255,13 +268,13 @@ describe("SignatureService", () => {
         signature: "invalid-signature",
       };
 
-      const result = service.verifyConnectionRequest(request);
+      const result = await service.verifyConnectionRequest(request);
 
       expect(result.valid).toBe(false);
       expect(result.error).toContain("signature");
     });
 
-    it("should reject request with expired timestamp", () => {
+    it("should reject request with expired timestamp", async () => {
       const expiredTimestamp = Date.now() - 10 * 60 * 1000; // 10 minutes ago
       const request = {
         instanceId: "instance-123",
@@ -274,10 +287,92 @@ describe("SignatureService", () => {
       const signature = service.sign(request, privateKey);
       const signedRequest = { ...request, signature };
 
-      const result = service.verifyConnectionRequest(signedRequest);
+      const result = await service.verifyConnectionRequest(signedRequest);
 
       expect(result.valid).toBe(false);
       expect(result.error).toContain("timestamp");
     });
   });
+
+  describe("replay attack prevention", () => {
+    it("should reject replayed message with same signature", async () => {
+      const timestamp = Date.now();
+      const request = {
+        instanceId: "instance-123",
+        instanceUrl: "https://test.example.com",
+        publicKey,
+        capabilities: {},
+        timestamp,
+      };
+
+      const signature = service.sign(request, privateKey);
+      const signedRequest = { ...request, signature };
+
+      // First request should succeed
+      const result1 = await service.verifyConnectionRequest(signedRequest);
+      expect(result1.valid).toBe(true);
+
+      // Mock Redis to indicate nonce was already used
+      mockRedis.get = vi.fn().mockResolvedValue("1");
+
+      // Second request with same signature should be rejected
+      const result2 = await service.verifyConnectionRequest(signedRequest);
+      expect(result2.valid).toBe(false);
+      expect(result2.error).toContain("replay");
+    });
+
+    it("should store nonce with 60 second TTL", async () => {
+      const timestamp = Date.now();
+      const request = {
+        instanceId: "instance-123",
+        instanceUrl: "https://test.example.com",
+        publicKey,
+        capabilities: {},
+        timestamp,
+      };
+
+      const signature = service.sign(request, privateKey);
+      const signedRequest = { ...request, signature };
+
+      await service.verifyConnectionRequest(signedRequest);
+
+      expect(mockRedis.setex).toHaveBeenCalledWith(expect.stringContaining("nonce:"), 60, "1");
+    });
+
+    it("should allow different messages with different signatures", async () => {
+      const timestamp1 = Date.now();
+      const request1 = {
+        instanceId: "instance-123",
+        instanceUrl: "https://test.example.com",
+        publicKey,
+        capabilities: {},
+        timestamp: timestamp1,
+      };
+
+      const signature1 = service.sign(request1, privateKey);
+      const signedRequest1 = { ...request1, signature: signature1 };
+
+      const result1 = await service.verifyConnectionRequest(signedRequest1);
+      expect(result1.valid).toBe(true);
+
+      // Different timestamp creates different signature
+      const timestamp2 = Date.now() + 1;
+      const request2 = {
+        instanceId: "instance-123",
+        instanceUrl: "https://test.example.com",
+        publicKey,
+        capabilities: {},
+        timestamp: timestamp2,
+      };
+
+      const signature2 = service.sign(request2, privateKey);
+      const signedRequest2 = { ...request2, signature: signature2 };
+
+      // Reset mock to simulate nonce not found
+      mockRedis.get = vi.fn().mockResolvedValue(null);
+
+      const result2 = await service.verifyConnectionRequest(signedRequest2);
+      expect(result2.valid).toBe(true);
+    });
+  });
 });

apps/api/src/federation/signature.service.ts

@@ -4,7 +4,7 @@
  * Handles message signing and verification for federation protocol.
  */
 
-import { Injectable, Logger } from "@nestjs/common";
+import { Injectable, Logger, Inject } from "@nestjs/common";
 import { createSign, createVerify } from "crypto";
 import { FederationService } from "./federation.service";
 import type {
@@ -12,14 +12,19 @@ import type {
   SignatureValidationResult,
   ConnectionRequest,
 } from "./types/connection.types";
+import type Redis from "ioredis";
 
 @Injectable()
 export class SignatureService {
   private readonly logger = new Logger(SignatureService.name);
-  private readonly TIMESTAMP_TOLERANCE_MS = 5 * 60 * 1000; // 5 minutes
+  private readonly TIMESTAMP_TOLERANCE_MS = 60 * 1000; // 60 seconds
   private readonly CLOCK_SKEW_TOLERANCE_MS = 60 * 1000; // 1 minute for future timestamps
+  private readonly NONCE_TTL_SECONDS = 60; // Nonce TTL matches tolerance window
 
-  constructor(private readonly federationService: FederationService) {}
+  constructor(
+    private readonly federationService: FederationService,
+    @Inject("REDIS_CLIENT") private readonly redis: Redis
+  ) {}
 
   /**
    * Sign a message with a private key
@@ -153,7 +158,7 @@ export class SignatureService {
   /**
    * Verify a connection request signature
    */
-  verifyConnectionRequest(request: ConnectionRequest): SignatureValidationResult {
+  async verifyConnectionRequest(request: ConnectionRequest): Promise<SignatureValidationResult> {
     // Extract signature and create message for verification
     const { signature, ...message } = request;
 
@@ -165,14 +170,30 @@ export class SignatureService {
       };
     }
 
+    // Check for replay attack (nonce already used)
+    const nonceKey = `nonce:${signature}`;
+    const nonceExists = await this.redis.get(nonceKey);
+
+    if (nonceExists) {
+      this.logger.warn("Replay attack detected: signature already used");
+      return {
+        valid: false,
+        error: "Request rejected: potential replay attack detected",
+      };
+    }
+
     // Verify signature using the public key from the request
     const result = this.verify(message, signature, request.publicKey);
 
     if (!result.valid) {
       const errorMsg = result.error ?? "Unknown error";
       this.logger.warn(`Connection request signature verification failed: ${errorMsg}`);
+      return result;
     }
 
+    // Store nonce to prevent replay attacks
+    await this.redis.setex(nonceKey, this.NONCE_TTL_SECONDS, "1");
+
     return result;
   }
 

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-common-providers-redis.provider.ts_20260203-2140_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/common/providers/redis.provider.ts
+**Tool Used:** Write
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:40:52
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-common-providers-redis.provider.ts_20260203-2140_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-common-providers-redis.provider.ts_20260203-2142_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/common/providers/redis.provider.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:42:52
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-common-providers-redis.provider.ts_20260203-2142_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-command.service.spec.ts_20260203-2132_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/command.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:32:08
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-command.service.spec.ts_20260203-2132_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-command.service.spec.ts_20260203-2132_2_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/command.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 2
+**Generated:** 2026-02-03 21:32:14
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-command.service.spec.ts_20260203-2132_2_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-command.service.ts_20260203-2132_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/command.service.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:32:27
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-command.service.ts_20260203-2132_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-command.service.ts_20260203-2132_2_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/command.service.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 2
+**Generated:** 2026-02-03 21:32:33
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-command.service.ts_20260203-2132_2_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-connection.service.spec.ts_20260203-2141_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/connection.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:41:26
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-connection.service.spec.ts_20260203-2141_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-connection.service.spec.ts_20260203-2141_2_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/connection.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 2
+**Generated:** 2026-02-03 21:41:46
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-connection.service.spec.ts_20260203-2141_2_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-connection.service.ts_20260203-2141_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/connection.service.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:41:19
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-connection.service.ts_20260203-2141_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-crypto.service.spec.ts_20260203-2134_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/crypto.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:34:34
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-crypto.service.spec.ts_20260203-2134_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-crypto.service.spec.ts_20260203-2134_2_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/crypto.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 2
+**Generated:** 2026-02-03 21:34:43
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-crypto.service.spec.ts_20260203-2134_2_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-crypto.service.spec.ts_20260203-2135_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/crypto.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:35:03
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-crypto.service.spec.ts_20260203-2135_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-crypto.service.ts_20260203-2134_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/crypto.service.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:34:54
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-crypto.service.ts_20260203-2134_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-federation.module.ts_20260203-2141_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/federation.module.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:41:01
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-federation.module.ts_20260203-2141_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-federation.module.ts_20260203-2141_2_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/federation.module.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 2
+**Generated:** 2026-02-03 21:41:04
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-federation.module.ts_20260203-2141_2_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-federation.service.spec.ts_20260203-2133_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/federation.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:33:33
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-federation.service.spec.ts_20260203-2133_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-federation.service.ts_20260203-2133_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/federation.service.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:33:44
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-federation.service.ts_20260203-2133_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-identity-linking.controller.spec.ts_20260203-2136_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/identity-linking.controller.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:36:16
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-identity-linking.controller.spec.ts_20260203-2136_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-identity-linking.controller.ts_20260203-2135_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/identity-linking.controller.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:35:54
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-identity-linking.controller.ts_20260203-2135_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-identity-linking.controller.ts_20260203-2136_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/identity-linking.controller.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:36:00
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-identity-linking.controller.ts_20260203-2136_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.spec.ts_20260203-2131_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/query.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:31:21
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.spec.ts_20260203-2131_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.spec.ts_20260203-2131_2_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/query.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 2
+**Generated:** 2026-02-03 21:31:26
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.spec.ts_20260203-2131_2_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.spec.ts_20260203-2131_3_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/query.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 3
+**Generated:** 2026-02-03 21:31:33
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.spec.ts_20260203-2131_3_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.ts_20260203-2131_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/query.service.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:31:53
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.ts_20260203-2131_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.ts_20260203-2131_2_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/query.service.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 2
+**Generated:** 2026-02-03 21:31:59
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-query.service.ts_20260203-2131_2_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.spec.ts_20260203-2139_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/signature.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:39:35
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.spec.ts_20260203-2139_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.spec.ts_20260203-2139_2_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/signature.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 2
+**Generated:** 2026-02-03 21:39:40
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.spec.ts_20260203-2139_2_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.spec.ts_20260203-2139_3_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/signature.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 3
+**Generated:** 2026-02-03 21:39:49
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.spec.ts_20260203-2139_3_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.spec.ts_20260203-2140_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/signature.service.spec.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:40:07
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.spec.ts_20260203-2140_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.ts_20260203-2140_1_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/signature.service.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 1
+**Generated:** 2026-02-03 21:40:34
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.ts_20260203-2140_1_remediation_needed.md"
+```

docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.ts_20260203-2140_2_remediation_needed.md

@@ -0,0 +1,20 @@
+# QA Remediation Report
+
+**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/federation/signature.service.ts
+**Tool Used:** Edit
+**Epic:** general
+**Iteration:** 2
+**Generated:** 2026-02-03 21:40:44
+
+## Status
+
+Pending QA validation
+
+## Next Steps
+
+This report was created by the QA automation hook.
+To process this report, run:
+
+```bash
+claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-federation-signature.service.ts_20260203-2140_2_remediation_needed.md"
+```

docs/scratchpads/p1-security-fixes.md

@@ -0,0 +1,73 @@
+# M7.1 P1 Security Fixes (#283-#290)
+
+## Objective
+
+Complete remaining P1 security issues in M7.1 Remediation Sprint
+
+## Issues to Fix
+
+### #283 - Enforce connection status validation in queries
+
+- **Impact**: Authorization gap - operations proceed on non-ACTIVE connections
+- **Fix**: Add status check to Prisma queries
+- **Files**: command.service.ts, query.service.ts
+
+### #284 - Reduce timestamp validation window
+
+- **Impact**: 5-minute replay attack window
+- **Fix**: Reduce to 60s + add nonce tracking with Redis
+- **Files**: signature.service.ts
+
+### #285 - Add input sanitization
+
+- **Impact**: XSS risk on user-controlled fields
+- **Fix**: Sanitize connection metadata, identity metadata, rejection reasons, command payloads
+- **Files**: Multiple DTOs and services
+
+### #286 - Add workspace access validation guard
+
+- **Impact**: Authorization gap - no workspace membership validation
+- **Fix**: Create WorkspaceAccessGuard
+- **Files**: New guard + controllers
+
+### #287 - Prevent sensitive data in logs
+
+- **Impact**: Data leakage, PII exposure, GDPR violations
+- **Fix**: Use appropriate log levels + redact sensitive data
+- **Files**: All federation services
+
+### #288 - Upgrade RSA key size
+
+- **Impact**: Future-proofing against quantum computing
+- **Fix**: Change from 2048 to 4096 bits
+- **Files**: federation.service.ts
+
+### #289 - Prevent private key decryption error leaks
+
+- **Impact**: Sensitive data in error messages
+- **Fix**: Don't log error details with potential sensitive data
+- **Files**: crypto.service.ts
+
+### #290 - Secure identity verification endpoint
+
+- **Impact**: Public endpoint with no auth
+- **Fix**: Add AuthGuard + rate limiting
+- **Files**: identity-linking.controller.ts
+
+## Progress
+
+- [ ] #283 - Connection status validation
+- [ ] #284 - Timestamp validation window
+- [ ] #285 - Input sanitization
+- [ ] #286 - Workspace access guard
+- [ ] #287 - Sensitive data in logs
+- [ ] #288 - RSA key size upgrade
+- [ ] #289 - Decryption error leaks
+- [ ] #290 - Identity endpoint security
+
+## Testing Strategy
+
+- Minimum 85% coverage for all changes
+- TDD approach: write tests first
+- Security-focused test cases
+- Integration tests for guards and validation