feat(#93): implement agent spawn via federation

Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.

Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)

Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
  CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification

Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts

Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)

Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed

Refs #93

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Jason Woltje
2026-02-03 14:37:06 -06:00
parent a8c8af21e5
commit 12abdfe81d
405 changed files with 13545 additions and 2153 deletions


@@ -1,16 +1,20 @@
# Issue #192: Fix CORS Configuration for Cookie-Based Authentication
## Objective
Fix CORS configuration in the API to properly support cookie-based authentication with credentials across origins.
## Problem
Current CORS settings are blocking cookie-based authentication flow. Likely issues:
- Credentials not enabled
- Wildcard origin with credentials (invalid combination)
- Incorrect cookie SameSite settings
- Missing Access-Control-Allow-Credentials header
## Approach
1. **Investigation Phase**
- Read current CORS configuration in main.ts and app.module.ts
- Check authentication module CORS settings
@@ -33,6 +37,7 @@ Current CORS settings are blocking cookie-based authentication flow. Likely issu
- Security review
## Progress
- [x] Create scratchpad
- [x] Read current CORS configuration
- [x] Read authentication module setup
@@ -44,25 +49,32 @@ Current CORS settings are blocking cookie-based authentication flow. Likely issu
- [ ] Update issue #192
## Findings
### Current Configuration (main.ts:44)
```typescript
app.enableCors();
```
**Problem**: Uses default CORS settings with no credentials support.
### Better-Auth Configuration (auth.config.ts:31-36)
```typescript
trustedOrigins: [
process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
"http://localhost:3001", // API origin (dev)
"https://app.mosaicstack.dev", // Production web
"https://api.mosaicstack.dev", // Production API
]
];
```
Good! Better-Auth already has trusted origins configured.
## Testing
### Test Scenarios
1. OPTIONS preflight with credentials
2. Cookie transmission in cross-origin requests
3. Access-Control-Allow-Credentials header presence
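Review bot: The `trustedOrigins` snippet under "Better-Auth Configuration" closes with both `]` and `];` on consecutive lines, and because the block is quoted as a property (`trustedOrigins: [`), a trailing `;` is not valid inside an object literal; keep whichever form matches auth.config.ts:31-36. The list also hard-codes `http://localhost:3001` and a `http://localhost:3000` fallback next to the production origins, so state here whether the CORS whitelist in main.ts is built from this same list or maintained separately, since two lists can drift apart.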
@@ -70,6 +82,7 @@ Good! Better-Auth already has trusted origins configured.
5. Cookie SameSite settings
### Security Considerations
- No wildcard origins with credentials (security violation)
- Proper origin whitelist validation
- Secure cookie settings (HttpOnly, Secure, SameSite)
@@ -78,9 +91,11 @@ Good! Better-Auth already has trusted origins configured.
## Security Review
### CORS Configuration Changes ✓ APPROVED
**File**: `apps/api/src/main.ts`
#### Security Measures Implemented
1. **Origin Whitelist** - Specific allowed origins, no wildcard
- `http://localhost:3000` (dev frontend)
- `http://localhost:3001` (dev API)
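Review bot: The "Origin Whitelist" item lists `http://localhost:3000` and `http://localhost:3001` without saying that they are limited to development. With credentials enabled, every origin on the list may send cookie-bearing requests, so the review should record whether the localhost entries are excluded when the API runs in production, for example by gating them on the environment, before the section is marked approved.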
@@ -106,6 +121,7 @@ Good! Better-Auth already has trusted origins configured.
- `Access-Control-Max-Age: 86400` (24h preflight cache)
#### Attack Surface Analysis
-**No CORS bypass vulnerabilities** - Exact origin matching
-**No wildcard + credentials** - Security violation prevented
-**No subdomain wildcards** - Prevents subdomain takeover attacks
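Review bot: "No CORS bypass vulnerabilities - Exact origin matching" under "Attack Surface Analysis" is asserted without a pointer to the test that backs it. Link each claim in this list to the test case that covers it, and say what the whitelist function does with a request that carries no `Origin` header, since that case is not mentioned in the visible lines.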
@@ -113,26 +129,33 @@ Good! Better-Auth already has trusted origins configured.
-**Preflight caching** - 24h cache reduces preflight overhead
#### Compliance
-**OWASP CORS Best Practices**
-**MDN Web Security Guidelines**
-**Better-Auth Integration** - Aligns with `trustedOrigins` config
### Environment Variables
Added `NEXT_PUBLIC_APP_URL` to:
- `.env.example` (template)
- `.env` (local development)
## Notes
**CRITICAL**: This blocks the entire authentication flow.
### Implementation Summary
Fixed CORS configuration to enable cookie-based authentication by:
1. Adding explicit origin whitelist function
2. Enabling `credentials: true`
3. Configuring proper security headers
4. Adding environment variable support
### CORS + Credentials Rules
- `credentials: true` required for cookies
- Cannot use `origin: '*'` with credentials
- Must specify exact origins or use dynamic validation
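Review bot: The "Notes" section still reads "**CRITICAL**: This blocks the entire authentication flow." in the present tense, directly above an "Implementation Summary" that says the configuration was fixed. Reword the note to the past tense or move it under "Problem" so a reader does not take the issue as still open. The "Compliance" items would also be easier to verify with links to the OWASP and MDN pages they refer to.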
@@ -140,6 +163,7 @@ Fixed CORS configuration to enable cookie-based authentication by:
- Cookies must have appropriate SameSite setting
### Cookie Settings for Cross-Origin
- `HttpOnly: true` - Prevent XSS
- `Secure: true` - HTTPS only (production)
- `SameSite: 'lax'` or `'none'` - Cross-origin support
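Review bot: "`SameSite: 'lax'` or `'none'` - Cross-origin support" under "Cookie Settings for Cross-Origin" treats the two values as interchangeable, but they differ in exposure. The production origins quoted earlier, `https://app.mosaicstack.dev` and `https://api.mosaicstack.dev`, share a registrable domain and are therefore same-site, so `lax` is enough there; `none` is only needed for genuinely cross-site use, requires `Secure`, and removes the CSRF mitigation that `lax` gives. Pick one value per environment and document it. Separately, "`HttpOnly: true` - Prevent XSS" overstates the control: HttpOnly keeps script from reading the cookie, it does not prevent XSS.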