You are performing a mandatory code review and security audit of MS22 Phase 1 modules in ~/src/mosaic-stack.

## Objective

Audit all MS22 modules for correctness, missing dependencies, and security issues. Produce a written report regardless of findings. If nothing needs fixing, that is itself a valid result — document it.

## MS22 Modules to Audit

- apps/api/src/container-lifecycle/
- apps/api/src/crypto/
- apps/api/src/agent-config/
- apps/api/src/onboarding/
- apps/api/src/fleet-settings/
- apps/api/src/chat-proxy/

## What to Check

### 1. NestJS Module Dependency Audit

For each *.module.ts file:

- Does it import every module whose services/guards are used in its controllers/services?
- Are all providers that are used listed?
- Are exports correct?

### 2. Security Review

- fleet-settings: are admin-only routes properly guarded? Can a non-admin access provider secrets?
- agent-config: is the bearer token guard timing-safe? Is the internal route isolated?
- onboarding: can onboarding be re-run after completion?
- crypto: is AES-256-GCM implemented correctly? IV uniqueness, auth tag verification?
- chat-proxy: can a user proxy to another user's container?

### 3. Input Validation

- Are DTOs using class-validator decorators?
- Any unvalidated inputs?

### 4. Error Handling

- Are errors leaking sensitive data?
- Are Prisma errors caught before reaching the HTTP layer?

## Process — MANDATORY, follow exactly

1. git checkout main && git pull --ff-only origin main
2. Read each module file carefully
3. Create branch: fix/ms22-audit
4. Write a report file at docs/audits/ms22-phase1-audit.md documenting:
   - Each module reviewed
   - Findings (or "no issues found") per module
   - Security assessment
   - Changes made (if any)
5. If you found issues: fix them, include fixes in the same commit
6. If no issues found: still commit the report file
7. Run quality gates: pnpm turbo lint typecheck --filter=@mosaic/api
8. Commit: "fix(api): MS22 Phase 1 audit report and fixes"
9. Push: git push origin fix/ms22-audit
10. Create PR: ~/.config/mosaic/tools/git/pr-create.sh -t "fix(api): MS22 Phase 1 post-coding audit" -b "Mandatory post-coding audit of all MS22 Phase 1 modules. Report at docs/audits/ms22-phase1-audit.md."

DO NOT exit without pushing and creating a PR. The audit report is required even if all modules are clean.

When completely finished: openclaw system event --text "Done: MS22 audit PR ready — check docs/audits/ms22-phase1-audit.md" --mode now
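As a baseline for the crypto and agent-config items under Security Review, here is an added reference example (not code from mosaic-stack) of AES-256-GCM with a fresh random IV per call and mandatory auth-tag verification, plus a timing-safe bearer-token comparison; the names sealSecret, openSecret, tokenMatches and selfCheck are assumptions, not the project's API.

```typescript
// Reference example for the audit, not mosaic-stack code. Function names are assumptions.
import { createCipheriv, createDecipheriv, randomBytes, timingSafeEqual } from "node:crypto";

const IV_BYTES = 12;  // 96-bit IV, the recommended GCM nonce size
const TAG_BYTES = 16; // full 128-bit authentication tag

// Encrypts with a fresh random IV on every call; output layout is iv || tag || ciphertext.
function sealSecret(key: Buffer, plaintext: string): Buffer {
  if (key.length !== 32) throw new Error("AES-256 key must be 32 bytes");
  const iv = randomBytes(IV_BYTES); // never reuse an IV under the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_BYTES });
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Decrypts and verifies the tag; final() throws on any tampering instead of returning garbage.
function openSecret(key: Buffer, blob: Buffer): string {
  if (blob.length < IV_BYTES + TAG_BYTES) throw new Error("ciphertext too short");
  const iv = blob.subarray(0, IV_BYTES);
  const tag = blob.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ct = blob.subarray(IV_BYTES + TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_BYTES });
  decipher.setAuthTag(tag); // must be set before final(), which performs the tag check
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Constant-time bearer-token comparison. A length mismatch returns early (length is not
// secret); equal-length inputs go through timingSafeEqual rather than ===.
function tokenMatches(presented: string, expected: string): boolean {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Self-check on a constructed key: round trip works, a flipped ciphertext bit is rejected,
// and two encryptions of the same plaintext never share an IV.
function selfCheck(): boolean {
  const key = randomBytes(32); // constructed sample key
  const blob = sealSecret(key, "provider-secret");
  if (openSecret(key, blob) !== "provider-secret") return false;
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 0x01;
  try { openSecret(key, tampered); return false; } catch { /* rejection expected */ }
  const again = sealSecret(key, "provider-secret");
  return !blob.subarray(0, IV_BYTES).equals(again.subarray(0, IV_BYTES));
}
```

When reviewing apps/api/src/crypto/, compare against these three properties: random IV per encryption, setAuthTag before final(), and a thrown error (not a silent return) on tag mismatch.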