feat(#93): implement agent spawn via federation

Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.

Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)

Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
  CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification

Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts

Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)

Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed

Refs #93

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs/scratchpads/188-sanitize-discord-logs.md

@@ -1,14 +1,17 @@
 # Issue #188: Sanitize Discord error logs to prevent secret exposure
 
 ## Objective
+
 Implement log sanitization in Discord error logging to prevent exposure of sensitive information including API keys, tokens, credentials, and PII.
 
 ## Security Context
+
 - **Priority**: P1 SECURITY
 - **Risk**: Credential leakage through logs
 - **Impact**: Could expose authentication tokens, API keys, passwords to unauthorized parties
 
 ## Approach
+
 1. **Discovery Phase**: Locate all Discord logging points
 2. **Test Phase**: Write tests for log sanitization (TDD)
 3. **Implementation Phase**: Create sanitization utility
@@ -16,6 +19,7 @@ Implement log sanitization in Discord error logging to prevent exposure of sensi
 5. **Verification Phase**: Ensure all tests pass with ≥85% coverage
 
 ## Progress
+
 - [x] Create scratchpad
 - [x] Locate Discord error logging code
 - [x] Identify sensitive data patterns to redact
@@ -30,6 +34,7 @@ Implement log sanitization in Discord error logging to prevent exposure of sensi
 ## Discovery
 
 ### Sensitive Data to Redact
+
 1. **Authentication**: API keys, tokens, bearer tokens
 2. **Headers**: Authorization headers, API key headers
 3. **Credentials**: Passwords, secrets, client secrets
@@ -38,12 +43,14 @@ Implement log sanitization in Discord error logging to prevent exposure of sensi
 6. **Identifiers**: Workspace IDs (if considered sensitive)
 
 ### Logging Points Found
+
 - **discord.service.ts:84** - `this.logger.error("Discord client error:", error)`
   - This logs raw error objects which may contain sensitive data
   - Error objects from Discord.js may contain authentication tokens
   - Error stack traces may reveal environment variables or configuration
 
 ### Implementation Plan
+
 1. Create `apps/api/src/common/utils/log-sanitizer.ts`
 2. Create `apps/api/src/common/utils/log-sanitizer.spec.ts` (TDD - tests first)
 3. Implement sanitization patterns:
@@ -56,12 +63,15 @@ Implement log sanitization in Discord error logging to prevent exposure of sensi
 5. Export from common/utils/index.ts
 
 ## Testing
+
 TDD approach:
+
 1. RED - Write failing tests for sanitization
 2. GREEN - Implement minimal sanitization logic
 3. REFACTOR - Improve code quality
 
 Test cases:
+
 - Sanitize string with API key
 - Sanitize string with bearer token
 - Sanitize string with password
@@ -76,22 +86,27 @@ Test cases:
 ## Implementation Summary
 
 ### Files Created
+
 1. `/home/localadmin/src/mosaic-stack/apps/api/src/common/utils/log-sanitizer.ts` - Core sanitization utility
 2. `/home/localadmin/src/mosaic-stack/apps/api/src/common/utils/log-sanitizer.spec.ts` - Comprehensive test suite (32 tests)
 
 ### Files Modified
+
 1. `/home/localadmin/src/mosaic-stack/apps/api/src/common/utils/index.ts` - Export sanitization function
 2. `/home/localadmin/src/mosaic-stack/apps/api/src/bridge/discord/discord.service.ts` - Integrate sanitization
 3. `/home/localadmin/src/mosaic-stack/apps/api/src/bridge/discord/discord.service.spec.ts` - Add security tests
 
 ### Test Results
+
 - **Log Sanitizer Tests**: 32/32 passed (100%)
 - **Discord Service Tests**: 25/25 passed (100%)
 - **Code Coverage**: 97.43% (exceeds 85% requirement)
 
 ### Security Patterns Implemented
+
 The sanitizer detects and redacts:
-1. API keys (sk_live_*, pk_test_*)
+
+1. API keys (sk*live*_, pk*test*_)
 2. Bearer tokens
 3. Discord bot tokens (specific format)
 4. JWT tokens
@@ -103,6 +118,7 @@ The sanitizer detects and redacts:
 10. Generic tokens in text
 
 ### Key Features
+
 - Deep object traversal (handles nested objects and arrays)
 - Circular reference detection
 - Error object handling (preserves Error structure)
@@ -113,7 +129,9 @@ The sanitizer detects and redacts:
 ## Security Review
 
 ### Threat Model
+
 **Before**: Discord error logging could expose:
+
 - Bot authentication tokens
 - API keys in error messages
 - User credentials from failed authentication
@@ -123,7 +141,9 @@ The sanitizer detects and redacts:
 **After**: All sensitive patterns are automatically redacted before logging.
 
 ### Validation
+
 Tested scenarios:
+
 1. ✅ Discord bot token in error message → Redacted
 2. ✅ API keys in error objects → Redacted
 3. ✅ Authorization headers → Redacted
@@ -131,18 +151,21 @@ Tested scenarios:
 5. ✅ Non-sensitive error data → Preserved
 
 ### Risk Assessment
+
 - **Pre-mitigation**: P1 - Critical (credential exposure possible)
 - **Post-mitigation**: P4 - Low (mechanical prevention in place)
 
 ## Completion Status
 
 **Implementation: COMPLETE**
+
 - All code written and tested (57/57 tests passing)
 - 97.43% code coverage (exceeds 85% requirement)
 - TDD process followed correctly (RED → GREEN → REFACTOR)
 - Security validation complete
 
 **Commit Status: BLOCKED by pre-existing lint issues**
+
 - My files pass lint individually
 - Pre-commit hooks enforce package-level linting (per Quality Rails)
 - @mosaic/api package has 602 pre-existing lint errors
@@ -151,6 +174,7 @@ Tested scenarios:
 
 **Recommendation:**
 Either:
+
 1. Fix all @mosaic/api lint issues first (out of scope for this issue)
 2. Temporarily disable strict linting for @mosaic/api during transition
 3. Commit with --no-verify and address lint in separate issue
@@ -159,6 +183,7 @@ The security fix itself is complete and tested. The log sanitization is function
 and prevents secret exposure in Discord error logging.
 
 ## Notes
+
 - Focus on Discord error logging as primary use case
 - Make utility reusable for other logging scenarios
 - Consider performance (this will be called frequently)