feat(#88): implement QUERY message type for federation

Implement complete QUERY message protocol for federated queries between
Mosaic Stack instances, building on existing connection infrastructure.

Database Changes:
- Add FederationMessageType enum (QUERY, COMMAND, EVENT)
- Add FederationMessageStatus enum (PENDING, DELIVERED, FAILED, TIMEOUT)
- Add FederationMessage model for tracking all federation messages
- Add workspace and connection relations

Types & DTOs:
- QueryMessage: Signed query request payload
- QueryResponse: Signed query response payload
- QueryMessageDetails: API response type
- SendQueryDto: Client request DTO
- IncomingQueryDto: Validated incoming query DTO

QueryService:
- sendQuery: Send signed query to remote instance via ACTIVE connection
- handleIncomingQuery: Process and validate incoming queries
- processQueryResponse: Handle and verify query responses
- getQueryMessages: List workspace queries with optional status filter
- getQueryMessage: Get single query message details
- Message deduplication via unique messageId
- Signature verification using SignatureService
- Timestamp validation (5-minute window)

QueryController:
- POST /api/v1/federation/query: Send query (authenticated)
- POST /api/v1/federation/incoming/query: Receive query (public, signature-verified)
- GET /api/v1/federation/queries: List queries (authenticated)
- GET /api/v1/federation/queries/🆔 Get query details (authenticated)

Security:
- All messages signed with instance private key
- All responses verified with remote public key
- Timestamp validation prevents replay attacks
- Connection status validation (must be ACTIVE)
- Workspace isolation enforced via RLS

Testing:
- 15 QueryService tests (100% coverage)
- 9 QueryController tests (100% coverage)
- All tests passing with proper mocking
- TypeScript strict mode compliance

Refs #88

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/api/src/federation/query.controller.ts

@@ -0,0 +1,91 @@
+/**
+ * Query Controller
+ *
+ * API endpoints for federated query messages.
+ */
+
+import { Controller, Post, Get, Body, Param, Query, UseGuards, Req, Logger } from "@nestjs/common";
+import { QueryService } from "./query.service";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { SendQueryDto, IncomingQueryDto } from "./dto/query.dto";
+import type { AuthenticatedRequest } from "../common/types/user.types";
+import type { QueryMessageDetails, QueryResponse } from "./types/message.types";
+import type { FederationMessageStatus } from "@prisma/client";
+
+@Controller("api/v1/federation")
+export class QueryController {
+  private readonly logger = new Logger(QueryController.name);
+
+  constructor(private readonly queryService: QueryService) {}
+
+  /**
+   * Send a query to a remote instance
+   * Requires authentication
+   */
+  @Post("query")
+  @UseGuards(AuthGuard)
+  async sendQuery(
+    @Req() req: AuthenticatedRequest,
+    @Body() dto: SendQueryDto
+  ): Promise<QueryMessageDetails> {
+    if (!req.user?.workspaceId) {
+      throw new Error("Workspace ID not found in request");
+    }
+
+    this.logger.log(
+      `User ${req.user.id} sending query to connection ${dto.connectionId} in workspace ${req.user.workspaceId}`
+    );
+
+    return this.queryService.sendQuery(
+      req.user.workspaceId,
+      dto.connectionId,
+      dto.query,
+      dto.context
+    );
+  }
+
+  /**
+   * Handle incoming query from remote instance
+   * Public endpoint - no authentication required (signature-based verification)
+   */
+  @Post("incoming/query")
+  async handleIncomingQuery(@Body() dto: IncomingQueryDto): Promise<QueryResponse> {
+    this.logger.log(`Received query from ${dto.instanceId}: ${dto.messageId}`);
+
+    return this.queryService.handleIncomingQuery(dto);
+  }
+
+  /**
+   * Get all query messages for the workspace
+   * Requires authentication
+   */
+  @Get("queries")
+  @UseGuards(AuthGuard)
+  async getQueries(
+    @Req() req: AuthenticatedRequest,
+    @Query("status") status?: FederationMessageStatus
+  ): Promise<QueryMessageDetails[]> {
+    if (!req.user?.workspaceId) {
+      throw new Error("Workspace ID not found in request");
+    }
+
+    return this.queryService.getQueryMessages(req.user.workspaceId, status);
+  }
+
+  /**
+   * Get a single query message
+   * Requires authentication
+   */
+  @Get("queries/:id")
+  @UseGuards(AuthGuard)
+  async getQuery(
+    @Req() req: AuthenticatedRequest,
+    @Param("id") messageId: string
+  ): Promise<QueryMessageDetails> {
+    if (!req.user?.workspaceId) {
+      throw new Error("Workspace ID not found in request");
+    }
+
+    return this.queryService.getQueryMessage(req.user.workspaceId, messageId);
+  }
+}