fix(#338): Validate DEFAULT_WORKSPACE_ID as UUID

- Add federation.config.ts with UUID v4 validation for DEFAULT_WORKSPACE_ID
- Validate at module initialization (fail fast if misconfigured)
- Replace hardcoded "default" fallback with proper validation
- Add 18 tests covering valid UUIDs, invalid formats, and missing values
- Clear error messages with expected UUID format

Refs #338

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api/src/federation/federation.controller.ts

@@ -10,6 +10,7 @@ import { Throttle } from "@nestjs/throttler";
 import { FederationService } from "./federation.service";
 import { FederationAuditService } from "./audit.service";
 import { ConnectionService } from "./connection.service";
+import { getDefaultWorkspaceId } from "./federation.config";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { AdminGuard } from "../auth/guards/admin.guard";
 import { WorkspaceGuard } from "../common/guards/workspace.guard";
@@ -225,8 +226,8 @@ export class FederationController {
     // LIMITATION: Incoming connections are created in a default workspace
     // TODO: Future enhancement - Allow configuration of which workspace handles incoming connections
     // This could be based on routing rules, instance configuration, or a dedicated federation workspace
-    // For now, uses DEFAULT_WORKSPACE_ID environment variable or falls back to "default"
-    const workspaceId = process.env.DEFAULT_WORKSPACE_ID ?? "default";
+    // Issue #338: Validate DEFAULT_WORKSPACE_ID is a valid UUID (throws if invalid/missing)
+    const workspaceId = getDefaultWorkspaceId();
 
     const connection = await this.connectionService.handleIncomingConnectionRequest(
       workspaceId,