feat(#93): implement agent spawn via federation

Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.

Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)

Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
  CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification

Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts

Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)

Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed

Refs #93

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/api/src/stitcher/stitcher.security.spec.ts

@@ -55,9 +55,7 @@ describe("StitcherController - Security", () => {
         }),
       };
 
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
-        UnauthorizedException
-      );
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
     });
 
     it("POST /stitcher/dispatch should require authentication", async () => {
@@ -67,9 +65,7 @@ describe("StitcherController - Security", () => {
         }),
       };
 
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
-        UnauthorizedException
-      );
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
     });
   });
 
@@ -96,9 +92,7 @@ describe("StitcherController - Security", () => {
         }),
       };
 
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
-        UnauthorizedException
-      );
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
       await expect(guard.canActivate(mockContext as any)).rejects.toThrow("Invalid API key");
     });
 
@@ -111,9 +105,7 @@ describe("StitcherController - Security", () => {
         }),
       };
 
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
-        UnauthorizedException
-      );
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
       await expect(guard.canActivate(mockContext as any)).rejects.toThrow("No API key provided");
     });
   });
@@ -133,9 +125,7 @@ describe("StitcherController - Security", () => {
         }),
       };
 
-      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(
-        UnauthorizedException
-      );
+      await expect(guard.canActivate(mockContext as any)).rejects.toThrow(UnauthorizedException);
     });
   });
 });