feat(#360): Add federation credential isolation

Implement explicit deny-lists in QueryService and CommandService to prevent
user credentials from leaking across federation boundaries.

## Changes

### Core Implementation
- QueryService: Block all credential-related queries with keyword detection
- CommandService: Block all credential operations (create/update/delete/read)
- Case-insensitive keyword matching for both queries and commands

### Security Features
- Deny-list includes: credential, api_key, secret, token, password, oauth
- Errors returned for blocked operations
- No impact on existing allowed operations (tasks, events, projects, agent commands)

### Testing
- Added 2 unit tests to query.service.spec.ts
- Added 3 unit tests to command.service.spec.ts
- Added 8 integration tests in credential-isolation.integration.spec.ts
- All 377 federation tests passing

### Documentation
- Created comprehensive security doc at docs/security/federation-credential-isolation.md
- Documents 4 security guarantees (G1-G4)
- Includes testing strategy and incident response procedures

## Security Guarantees

1. G1: Credential Confidentiality - Credentials never leave instance in plaintext
2. G2: Cross-Instance Isolation - Compromised key on one instance doesn't affect others
3. G3: Query/Command Isolation - Federated instances cannot query/modify credentials
4. G4: Accidental Exposure Prevention - Credentials cannot leak via messages

## Defense-in-Depth

This implementation adds application-layer protection on top of existing:
- Transit key separation (mosaic-credentials vs mosaic-federation)
- Per-instance OpenBao servers
- Workspace-scoped credential access

Fixes #360

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/federation/query.service.spec.ts

@@ -704,5 +704,81 @@ describe("QueryService", () => {
       expect(result.success).toBe(false);
       expect(result.error).toContain("workspaceId");
     });
+
+    it("should reject queries for UserCredential entity type", async () => {
+      const queryMessage = {
+        messageId: "msg-1",
+        instanceId: "remote-instance-1",
+        query: "credentials",
+        context: { workspaceId: "workspace-1" },
+        timestamp: Date.now(),
+        signature: "valid-signature",
+      };
+
+      const mockConnection = {
+        id: "connection-1",
+        workspaceId: "workspace-1",
+        remoteInstanceId: "remote-instance-1",
+        status: FederationConnectionStatus.ACTIVE,
+      };
+
+      const mockIdentity = {
+        instanceId: "local-instance-1",
+      };
+
+      mockPrisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
+      mockSignatureService.validateTimestamp.mockReturnValue(true);
+      mockSignatureService.verifyMessage.mockResolvedValue({ valid: true });
+      mockFederationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
+      mockSignatureService.signMessage.mockResolvedValue("response-signature");
+
+      const result = await service.handleIncomingQuery(queryMessage);
+
+      expect(result).toBeDefined();
+      expect(result.success).toBe(false);
+      expect(result.error).toContain("Credential queries are not allowed");
+    });
+
+    it("should reject queries containing credential-related keywords", async () => {
+      const credentialQueries = [
+        "SELECT * FROM user_credentials",
+        "get all credentials",
+        "show my api keys",
+        "list oauth tokens",
+      ];
+
+      const mockConnection = {
+        id: "connection-1",
+        workspaceId: "workspace-1",
+        remoteInstanceId: "remote-instance-1",
+        status: FederationConnectionStatus.ACTIVE,
+      };
+
+      const mockIdentity = {
+        instanceId: "local-instance-1",
+      };
+
+      mockPrisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
+      mockSignatureService.validateTimestamp.mockReturnValue(true);
+      mockSignatureService.verifyMessage.mockResolvedValue({ valid: true });
+      mockFederationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
+      mockSignatureService.signMessage.mockResolvedValue("response-signature");
+
+      for (const query of credentialQueries) {
+        const queryMessage = {
+          messageId: `msg-${Math.random()}`,
+          instanceId: "remote-instance-1",
+          query,
+          context: { workspaceId: "workspace-1" },
+          timestamp: Date.now(),
+          signature: "valid-signature",
+        };
+
+        const result = await service.handleIncomingQuery(queryMessage);
+
+        expect(result.success).toBe(false);
+        expect(result.error).toContain("Credential queries are not allowed");
+      }
+    });
   });
 });