Fix QA validation issues and add M7.1 security fixes (#318)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

docs/scratchpads/280-encryption-key-logging.md

@@ -0,0 +1,63 @@
+# Issue #280: Prevent encryption key exposure via logging
+
+## Objective
+
+Ensure encryption key validation errors don't expose the key value in error messages or logs. Prevent complete compromise of federation security.
+
+## Security Impact
+
+- Key exposure leads to ability to decrypt all private keys
+- Complete compromise of federation security
+- Attacker gains access to all federated communications
+
+## Location
+
+`apps/api/src/federation/crypto.service.ts:17-30`
+
+## Approach
+
+1. Write tests that verify error messages don't contain key material
+2. Update validation logic to not include key in error messages
+3. Ensure structured logging masks sensitive data
+4. Add tests for various invalid key scenarios
+
+## Implementation Plan
+
+- [x] Write tests for key validation errors (RED)
+- [x] Update error messages to remove key exposure (GREEN)
+- [x] Verify no key material in logs
+- [x] Run quality gates
+- [x] Commit and push
+- [x] Close issue
+
+## Results
+
+**Status:** ✅ COMPLETE
+
+**Commit:** 9caaf91
+
+**Test Coverage:**
+
+- 18 tests covering all encryption/decryption scenarios
+- Tests verify error messages don't expose key values
+- Tests cover various invalid key formats
+
+**Security Improvements:**
+
+- Removed error object from logger calls to prevent stack trace leakage
+- Generic error messages without sensitive details
+- All crypto operations now safely log errors
+
+## Testing
+
+- Invalid key format (wrong length)
+- Non-hex characters in key
+- Empty key
+- Verify error messages are generic
+- Verify no key material in logs
+
+## Notes
+
+- Current error message includes key via template literal
+- Need to sanitize all error paths
+- Consider using a constant error message