fix(#276): Add comprehensive audit logging for incoming connections

Implemented comprehensive audit logging for all incoming federation
connection attempts to provide visibility and security monitoring.

Changes:
- Added logIncomingConnectionAttempt() to FederationAuditService
- Added logIncomingConnectionCreated() to FederationAuditService
- Added logIncomingConnectionRejected() to FederationAuditService
- Injected FederationAuditService into ConnectionService
- Updated handleIncomingConnectionRequest() to log all connection events

Audit logging captures:
- All incoming connection attempts with remote instance details
- Successful connection creations with connection ID
- Rejected connections with failure reason and error details
- Workspace ID for all events (security compliance)
- All events marked as securityEvent: true

Testing:
- Added 3 new tests for audit logging verification
- All 24 connection service tests passing
- Quality gates: lint, typecheck, build all passing

Security Impact:
- Provides visibility into all incoming connection attempts
- Enables security monitoring and threat detection
- Audit trail for compliance requirements
- Foundation for future authorization controls

Note: This implements Phase 1 (audit logging) of issue #276.
Full authorization (allowlist/denylist, admin approval) will be
implemented in a follow-up issue requiring schema changes.

Fixes #276

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/api/src/federation/connection.service.spec.ts

@@ -10,6 +10,7 @@ import { HttpService } from "@nestjs/axios";
 import { ConnectionService } from "./connection.service";
 import { FederationService } from "./federation.service";
 import { SignatureService } from "./signature.service";
+import { FederationAuditService } from "./audit.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationConnectionStatus } from "@prisma/client";
 import { FederationConnection } from "@prisma/client";
@@ -22,6 +23,7 @@ describe("ConnectionService", () => {
   let federationService: FederationService;
   let signatureService: SignatureService;
   let httpService: HttpService;
+  let auditService: FederationAuditService;
 
   const mockWorkspaceId = "workspace-123";
   const mockRemoteUrl = "https://remote.example.com";
@@ -110,6 +112,14 @@ describe("ConnectionService", () => {
             post: vi.fn(),
           },
         },
+        {
+          provide: FederationAuditService,
+          useValue: {
+            logIncomingConnectionAttempt: vi.fn(),
+            logIncomingConnectionCreated: vi.fn(),
+            logIncomingConnectionRejected: vi.fn(),
+          },
+        },
       ],
     }).compile();
 
@@ -118,6 +128,7 @@ describe("ConnectionService", () => {
     federationService = module.get<FederationService>(FederationService);
     signatureService = module.get<SignatureService>(SignatureService);
     httpService = module.get<HttpService>(HttpService);
+    auditService = module.get<FederationAuditService>(FederationAuditService);
   });
 
   it("should be defined", () => {
@@ -449,5 +460,55 @@ describe("ConnectionService", () => {
         service.handleIncomingConnectionRequest(mockWorkspaceId, mockRequest)
       ).rejects.toThrow("Invalid connection request signature");
     });
+
+    it("should log incoming connection attempt", async () => {
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockReturnValue({ valid: true });
+      vi.spyOn(prismaService.federationConnection, "create").mockResolvedValue(mockConnection);
+      const auditSpy = vi.spyOn(auditService, "logIncomingConnectionAttempt");
+
+      await service.handleIncomingConnectionRequest(mockWorkspaceId, mockRequest);
+
+      expect(auditSpy).toHaveBeenCalledWith({
+        workspaceId: mockWorkspaceId,
+        remoteInstanceId: mockRequest.instanceId,
+        remoteUrl: mockRequest.instanceUrl,
+        timestamp: mockRequest.timestamp,
+      });
+    });
+
+    it("should log connection created on success", async () => {
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockReturnValue({ valid: true });
+      vi.spyOn(prismaService.federationConnection, "create").mockResolvedValue(mockConnection);
+      const auditSpy = vi.spyOn(auditService, "logIncomingConnectionCreated");
+
+      await service.handleIncomingConnectionRequest(mockWorkspaceId, mockRequest);
+
+      expect(auditSpy).toHaveBeenCalledWith({
+        workspaceId: mockWorkspaceId,
+        connectionId: mockConnection.id,
+        remoteInstanceId: mockRequest.instanceId,
+        remoteUrl: mockRequest.instanceUrl,
+      });
+    });
+
+    it("should log connection rejected on invalid signature", async () => {
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockReturnValue({
+        valid: false,
+        error: "Invalid signature",
+      });
+      const auditSpy = vi.spyOn(auditService, "logIncomingConnectionRejected");
+
+      await expect(
+        service.handleIncomingConnectionRequest(mockWorkspaceId, mockRequest)
+      ).rejects.toThrow();
+
+      expect(auditSpy).toHaveBeenCalledWith({
+        workspaceId: mockWorkspaceId,
+        remoteInstanceId: mockRequest.instanceId,
+        remoteUrl: mockRequest.instanceUrl,
+        reason: "Invalid signature",
+        error: "Invalid signature",
+      });
+    });
   });
 });