feat(#273): Implement capability-based authorization for federation

Add CapabilityGuard infrastructure to enforce capability-based authorization
on federation endpoints. Implements fail-closed security model.

Security properties:
- Deny by default (no capability = deny)
- Only explicit true values grant access
- Connection must exist and be ACTIVE
- All denials logged for audit trail

Implementation:
- Created CapabilityGuard with fail-closed authorization logic
- Added @RequireCapability decorator for marking endpoints
- Added getConnectionById() to ConnectionService
- Added logCapabilityDenied() to AuditService
- 12 comprehensive tests covering all security scenarios

Quality gates:
- ✅ Tests: 12/12 passing
- ✅ Lint: 0 new errors (33 pre-existing)
- ✅ TypeScript: 0 new errors (8 pre-existing)

Refs #273

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/api/src/federation/audit.service.ts

@@ -123,4 +123,23 @@ export class FederationAuditService {
       securityEvent: true,
     });
   }
+
+  /**
+   * Log capability denial (security event)
+   * Logged when remote instance attempts operation without required capability
+   */
+  logCapabilityDenied(
+    remoteInstanceId: string,
+    requiredCapability: string,
+    requestedUrl: string
+  ): void {
+    this.logger.warn({
+      event: "FEDERATION_CAPABILITY_DENIED",
+      remoteInstanceId,
+      requiredCapability,
+      requestedUrl,
+      timestamp: new Date().toISOString(),
+      securityEvent: true,
+    });
+  }
 }