stack/docs/scratchpads/p1-security-fixes.md

# M7.1 P1 Security Fixes (#283-#290)

## Objective

Complete remaining P1 security issues in M7.1 Remediation Sprint

## Issues to Fix

### #283 - Enforce connection status validation in queries

- **Impact**: Authorization gap - operations proceed on non-ACTIVE connections
- **Fix**: Add status check to Prisma queries
- **Files**: command.service.ts, query.service.ts

### #284 - Reduce timestamp validation window

- **Impact**: 5-minute replay attack window
- **Fix**: Reduce to 60s + add nonce tracking with Redis
- **Files**: signature.service.ts

### #285 - Add input sanitization

- **Impact**: XSS risk on user-controlled fields
- **Fix**: Sanitize connection metadata, identity metadata, rejection reasons, command payloads
- **Files**: Multiple DTOs and services

### #286 - Add workspace access validation guard

- **Impact**: Authorization gap - no workspace membership validation
- **Fix**: Create WorkspaceAccessGuard
- **Files**: New guard + controllers

### #287 - Prevent sensitive data in logs

- **Impact**: Data leakage, PII exposure, GDPR violations
- **Fix**: Use appropriate log levels + redact sensitive data
- **Files**: All federation services

### #288 - Upgrade RSA key size

- **Impact**: Future-proofing against quantum computing
- **Fix**: Change from 2048 to 4096 bits
- **Files**: federation.service.ts

### #289 - Prevent private key decryption error leaks

- **Impact**: Sensitive data in error messages
- **Fix**: Don't log error details with potential sensitive data
- **Files**: crypto.service.ts

### #290 - Secure identity verification endpoint

- **Impact**: Public endpoint with no auth
- **Fix**: Add AuthGuard + rate limiting
- **Files**: identity-linking.controller.ts

## Progress

- [ ] #283 - Connection status validation
- [ ] #284 - Timestamp validation window
- [ ] #285 - Input sanitization
- [ ] #286 - Workspace access guard
- [ ] #287 - Sensitive data in logs
- [ ] #288 - RSA key size upgrade
- [ ] #289 - Decryption error leaks
- [ ] #290 - Identity endpoint security

## Testing Strategy

- Minimum 85% coverage for all changes
- TDD approach: write tests first
- Security-focused test cases
- Integration tests for guards and validation