fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting

docs/reports/code-review/gateway-security-20260313.md

@@ -0,0 +1,23 @@
+# Code Review Report — Gateway Security Hardening
+
+## Scope Reviewed
+
+- `apps/gateway/src/chat/chat.gateway-auth.ts`
+- `apps/gateway/src/chat/chat.gateway.ts`
+- `apps/gateway/src/conversations/conversations.dto.ts`
+- `apps/gateway/src/chat/__tests__/chat-security.test.ts`
+
+## Findings
+
+- No blocker findings in the final changed surface.
+
+## Review Summary
+
+- Correctness: socket auth helper now returns Better Auth session data unchanged, and gateway disconnects clients whose handshake does not narrow to a valid session payload
+- Security: conversation role validation now rejects `system`; conversation content ceiling is 32k; chat request ceiling remains 10k
+- Testing: targeted auth, ownership, and DTO regression tests pass
+- Quality: `pnpm typecheck`, `pnpm lint`, and `pnpm format:check` all pass after the final edits
+
+## Residual Risk
+
+- `chat.gateway.ts` uses local narrowing around an `unknown` session result because the requested helper contract intentionally returns `unknown`.

docs/reports/qa/gateway-security-20260313.md

@@ -0,0 +1,39 @@
+# QA Report — Gateway Security Hardening
+
+## Scope
+
+- Chat HTTP auth guard hardening
+- Chat WebSocket session validation
+- DTO validation rules for chat and conversation payloads
+- Ownership regression coverage for by-id routes
+
+## TDD
+
+- Required: yes
+- Applied: yes
+- Red step: targeted tests failed on socket session reshaping and DTO role/length mismatches
+- Green step: targeted tests passed after runtime and DTO alignment
+
+## Baseline Verification
+
+| Command | Result | Evidence |
+| --- | --- | --- |
+| `pnpm --filter @mosaic/gateway test -- src/chat/__tests__/chat-security.test.ts src/__tests__/resource-ownership.test.ts` | pass | 3 test files passed, 20 tests passed |
+| `pnpm typecheck` | pass | turbo completed 18/18 package typecheck tasks |
+| `pnpm lint` | pass | turbo completed 18/18 package lint tasks |
+| `pnpm format:check` | pass | `All matched files use Prettier code style!` |
+
+## Situational Verification
+
+| Acceptance Criterion | Verification Method | Evidence |
+| --- | --- | --- |
+| Chat controller requires auth and current-user context | source assertion test | `chat-security.test.ts` checks `@UseGuards(AuthGuard)` and `@CurrentUser() user: { id: string }` |
+| WebSocket handshake requires Better Auth session | unit tests for `validateSocketSession()` | null handshake returns `null`; valid handshake returns original session object |
+| Conversation messages reject non-user/assistant roles | class-validator test | `system` role fails validation |
+| Conversation messages enforce a 32k max length | class-validator test | `32_001` chars fail validation |
+| Chat request payload enforces a 10k max length | class-validator test | `10_001` chars fail validation |
+| By-id routes reject cross-user access | ownership regression tests | conversations, projects, missions, tasks each raise `ForbiddenException` for non-owner access |
+
+## Residual Risk
+
+- No live HTTP or WebSocket smoke test against a running gateway process was executed in this session.