feat(#93): implement agent spawn via federation

Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.

Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)

Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
  CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification

Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts

Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)

Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed

Refs #93

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/api/src/common/guards/workspace.guard.spec.ts

@@ -58,10 +58,7 @@ describe("WorkspaceGuard", () => {
     const workspaceId = "workspace-456";
 
     it("should allow access when user is a workspace member (via header)", async () => {
-      const context = createMockExecutionContext(
-        { id: userId },
-        { "x-workspace-id": workspaceId }
-      );
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
 
       mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
         workspaceId,
@@ -87,11 +84,7 @@ describe("WorkspaceGuard", () => {
     });
 
     it("should allow access when user is a workspace member (via URL param)", async () => {
-      const context = createMockExecutionContext(
-        { id: userId },
-        {},
-        { workspaceId }
-      );
+      const context = createMockExecutionContext({ id: userId }, {}, { workspaceId });
 
       mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
         workspaceId,
@@ -105,12 +98,7 @@ describe("WorkspaceGuard", () => {
     });
 
     it("should allow access when user is a workspace member (via body)", async () => {
-      const context = createMockExecutionContext(
-        { id: userId },
-        {},
-        {},
-        { workspaceId }
-      );
+      const context = createMockExecutionContext({ id: userId }, {}, {}, { workspaceId });
 
       mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
         workspaceId,
@@ -154,59 +142,38 @@ describe("WorkspaceGuard", () => {
     });
 
     it("should throw ForbiddenException when user is not authenticated", async () => {
-      const context = createMockExecutionContext(
-        null,
-        { "x-workspace-id": workspaceId }
-      );
+      const context = createMockExecutionContext(null, { "x-workspace-id": workspaceId });
 
-      await expect(guard.canActivate(context)).rejects.toThrow(
-        ForbiddenException
-      );
-      await expect(guard.canActivate(context)).rejects.toThrow(
-        "User not authenticated"
-      );
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
+      await expect(guard.canActivate(context)).rejects.toThrow("User not authenticated");
     });
 
     it("should throw BadRequestException when workspace ID is missing", async () => {
       const context = createMockExecutionContext({ id: userId });
 
-      await expect(guard.canActivate(context)).rejects.toThrow(
-        BadRequestException
-      );
-      await expect(guard.canActivate(context)).rejects.toThrow(
-        "Workspace ID is required"
-      );
+      await expect(guard.canActivate(context)).rejects.toThrow(BadRequestException);
+      await expect(guard.canActivate(context)).rejects.toThrow("Workspace ID is required");
     });
 
     it("should throw ForbiddenException when user is not a workspace member", async () => {
-      const context = createMockExecutionContext(
-        { id: userId },
-        { "x-workspace-id": workspaceId }
-      );
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
 
       mockPrismaService.workspaceMember.findUnique.mockResolvedValue(null);
 
-      await expect(guard.canActivate(context)).rejects.toThrow(
-        ForbiddenException
-      );
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
       await expect(guard.canActivate(context)).rejects.toThrow(
         "You do not have access to this workspace"
       );
     });
 
     it("should handle database errors gracefully", async () => {
-      const context = createMockExecutionContext(
-        { id: userId },
-        { "x-workspace-id": workspaceId }
-      );
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
 
       mockPrismaService.workspaceMember.findUnique.mockRejectedValue(
         new Error("Database connection failed")
       );
 
-      await expect(guard.canActivate(context)).rejects.toThrow(
-        ForbiddenException
-      );
+      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
     });
   });
 });