fix(#276): Add comprehensive audit logging for incoming connections

Implemented comprehensive audit logging for all incoming federation
connection attempts to provide visibility and security monitoring.

Changes:
- Added logIncomingConnectionAttempt() to FederationAuditService
- Added logIncomingConnectionCreated() to FederationAuditService
- Added logIncomingConnectionRejected() to FederationAuditService
- Injected FederationAuditService into ConnectionService
- Updated handleIncomingConnectionRequest() to log all connection events

Audit logging captures:
- All incoming connection attempts with remote instance details
- Successful connection creations with connection ID
- Rejected connections with failure reason and error details
- Workspace ID for all events (security compliance)
- All events marked as securityEvent: true

Testing:
- Added 3 new tests for audit logging verification
- All 24 connection service tests passing
- Quality gates: lint, typecheck, build all passing

Security Impact:
- Provides visibility into all incoming connection attempts
- Enables security monitoring and threat detection
- Audit trail for compliance requirements
- Foundation for future authorization controls

Note: This implements Phase 1 (audit logging) of issue #276.
Full authorization (allowlist/denylist, admin approval) will be
implemented in a follow-up issue requiring schema changes.

Fixes #276

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/api/src/federation/connection.service.ts

@@ -17,6 +17,7 @@ import { FederationConnectionStatus, Prisma } from "@prisma/client";
 import { PrismaService } from "../prisma/prisma.service";
 import { FederationService } from "./federation.service";
 import { SignatureService } from "./signature.service";
+import { FederationAuditService } from "./audit.service";
 import { firstValueFrom } from "rxjs";
 import type { ConnectionRequest, ConnectionDetails } from "./types/connection.types";
 import type { PublicInstanceIdentity } from "./types/instance.types";
@@ -29,7 +30,8 @@ export class ConnectionService {
     private readonly prisma: PrismaService,
     private readonly federationService: FederationService,
     private readonly signatureService: SignatureService,
-    private readonly httpService: HttpService
+    private readonly httpService: HttpService,
+    private readonly auditService: FederationAuditService
   ) {}
 
   /**
@@ -275,12 +277,30 @@ export class ConnectionService {
   ): Promise<ConnectionDetails> {
     this.logger.log(`Received connection request from ${request.instanceId}`);
 
+    // Audit log: Incoming connection attempt
+    this.auditService.logIncomingConnectionAttempt({
+      workspaceId,
+      remoteInstanceId: request.instanceId,
+      remoteUrl: request.instanceUrl,
+      timestamp: request.timestamp,
+    });
+
     // Verify signature
     const validation = this.signatureService.verifyConnectionRequest(request);
 
     if (!validation.valid) {
       const errorMsg: string = validation.error ?? "Unknown error";
       this.logger.warn(`Invalid connection request from ${request.instanceId}: ${errorMsg}`);
+
+      // Audit log: Connection rejected
+      this.auditService.logIncomingConnectionRejected({
+        workspaceId,
+        remoteInstanceId: request.instanceId,
+        remoteUrl: request.instanceUrl,
+        reason: "Invalid signature",
+        error: errorMsg,
+      });
+
       throw new UnauthorizedException("Invalid connection request signature");
     }
 
@@ -301,6 +321,14 @@ export class ConnectionService {
 
     this.logger.log(`Created pending connection ${connection.id} from ${request.instanceId}`);
 
+    // Audit log: Connection created
+    this.auditService.logIncomingConnectionCreated({
+      workspaceId,
+      connectionId: connection.id,
+      remoteInstanceId: request.instanceId,
+      remoteUrl: request.instanceUrl,
+    });
+
     return this.mapToConnectionDetails(connection);
   }