stack/docs/reports/qa/gateway-security-20260313.md

QA Report — Gateway Security Hardening

Scope

• Chat HTTP auth guard hardening
• Chat WebSocket session validation
• DTO validation rules for chat and conversation payloads
• Ownership regression coverage for by-id routes

TDD

• Required: yes
• Applied: yes
• Red step: targeted tests failed on socket session reshaping and DTO role/length mismatches
• Green step: targeted tests passed after runtime and DTO alignment

Baseline Verification

Command	Result	Evidence
pnpm --filter @mosaicstack/gateway test -- src/chat/__tests__/chat-security.test.ts src/__tests__/resource-ownership.test.ts	pass	3 test files passed, 20 tests passed
pnpm typecheck	pass	turbo completed 18/18 package typecheck tasks
pnpm lint	pass	turbo completed 18/18 package lint tasks
pnpm format:check	pass	All matched files use Prettier code style!

Situational Verification

Acceptance Criterion	Verification Method	Evidence
Chat controller requires auth and current-user context	source assertion test	chat-security.test.ts checks @UseGuards(AuthGuard) and @CurrentUser() user: { id: string }
WebSocket handshake requires Better Auth session	unit tests for validateSocketSession()	null handshake returns null; valid handshake returns original session object
Conversation messages reject non-user/assistant roles	class-validator test	system role fails validation
Conversation messages enforce a 32k max length	class-validator test	32_001 chars fail validation
Chat request payload enforces a 10k max length	class-validator test	10_001 chars fail validation
By-id routes reject cross-user access	ownership regression tests	conversations, projects, missions, tasks each raise ForbiddenException for non-owner access

Residual Risk

• No live HTTP or WebSocket smoke test against a running gateway process was executed in this session.