feat(#93): implement agent spawn via federation

Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.

Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)

Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
  CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification

Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts

Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)

Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed

Refs #93

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs/scratchpads/90-event-subscriptions-summary.md

@@ -0,0 +1,231 @@
+# FED-007: EVENT Subscriptions Implementation Summary
+
+**Issue:** #90 - EVENT Subscriptions
+**Milestone:** M7-Federation (0.0.7)
+**Status:** ✅ COMPLETED
+**Date:** February 3, 2026
+
+## Overview
+
+Successfully implemented EVENT message type for federation, enabling pub/sub event streaming between federated instances. This completes Phase 3 of the federation architecture (QUERY, COMMAND, EVENT message types).
+
+## What Was Implemented
+
+### Database Schema
+- **FederationEventSubscription Model**: New table for storing event subscriptions
+  - Fields: id, workspaceId, connectionId, eventType, metadata, isActive, timestamps
+  - Unique constraint on (workspaceId, connectionId, eventType)
+  - Indexes for efficient querying
+- **FederationMessage Enhancement**: Added `eventType` field for EVENT messages
+
+### Core Services
+
+**EventService** (`event.service.ts`)
+- `subscribeToEventType()`: Subscribe to events from remote instance
+- `unsubscribeFromEventType()`: Remove event subscription
+- `publishEvent()`: Publish events to all subscribed connections
+- `handleIncomingEvent()`: Process received events, return ACK
+- `processEventAck()`: Update delivery status from acknowledgments
+- `getEventSubscriptions()`: List subscriptions for workspace
+- `getEventMessages()`: List event messages with filtering
+- `getEventMessage()`: Retrieve single event message
+
+### API Endpoints
+
+**EventController** (`event.controller.ts`)
+
+**Authenticated Endpoints (require AuthGuard):**
+- `POST /api/v1/federation/events/subscribe` - Subscribe to event type
+- `POST /api/v1/federation/events/unsubscribe` - Unsubscribe from event type
+- `POST /api/v1/federation/events/publish` - Publish event to subscribers
+- `GET /api/v1/federation/events/subscriptions` - List subscriptions (optional filter by connectionId)
+- `GET /api/v1/federation/events/messages` - List event messages (optional filter by status)
+- `GET /api/v1/federation/events/messages/:id` - Get single event message
+
+**Public Endpoints (signature-verified):**
+- `POST /api/v1/federation/incoming/event` - Receive event from remote instance
+- `POST /api/v1/federation/incoming/event/ack` - Receive event acknowledgment
+
+### Type Definitions
+
+**Added to `message.types.ts`:**
+- `EventMessage`: Outgoing event structure
+- `EventAck`: Event acknowledgment structure
+- `EventMessageDetails`: Event message response type
+- `SubscriptionDetails`: Subscription information type
+
+### Data Transfer Objects
+
+**event.dto.ts:**
+- `SubscribeToEventDto`: Subscribe request
+- `UnsubscribeFromEventDto`: Unsubscribe request
+- `PublishEventDto`: Publish event request
+- `IncomingEventDto`: Incoming event validation
+- `IncomingEventAckDto`: Incoming acknowledgment validation
+
+## Testing
+
+### Test Coverage
+- **EventService**: 18 unit tests, **89.09% coverage** ✅
+- **EventController**: 11 unit tests, **83.87% coverage** ✅
+- **Total**: 29 tests, all passing
+- **Coverage**: Exceeds 85% minimum requirement
+
+### Test Scenarios Covered
+- Subscription creation and deletion
+- Event publishing to multiple subscribers
+- Failed delivery handling
+- Incoming event processing
+- Signature verification
+- Timestamp validation
+- Connection status validation
+- Error handling for invalid requests
+
+## Design Patterns
+
+### Consistency with Existing Code
+- Follows patterns from `QueryService` and `CommandService`
+- Reuses existing `SignatureService` for message verification
+- Reuses existing `FederationService` for instance identity
+- Uses existing `FederationMessage` model with new `eventType` field
+
+### Event Type Naming Convention
+Hierarchical dot-notation:
+- `entity.action` (e.g., "task.created", "user.updated")
+- `entity.action.detail` (e.g., "task.status.changed")
+
+### Security Features
+- All events signature-verified (RSA)
+- Timestamp validation (prevents replay attacks)
+- Connection status validation (only active connections)
+- Workspace isolation (RLS enforced)
+
+## Technical Details
+
+### Database Migration
+File: `20260203_add_federation_event_subscriptions/migration.sql`
+- Adds `eventType` column to `federation_messages`
+- Creates `federation_event_subscriptions` table
+- Adds appropriate indexes for performance
+- Establishes foreign key relationships
+
+### Integration
+Updated `federation.module.ts`:
+- Added `EventService` to providers
+- Added `EventController` to controllers
+- Exported `EventService` for use by other modules
+
+## Code Quality
+
+✅ **TypeScript Compilation**: All files compile without errors
+✅ **ESLint**: All linting rules pass
+✅ **Prettier**: Code formatting consistent
+✅ **Pre-commit Hooks**: All quality gates passed
+✅ **TDD Approach**: Red-Green-Refactor cycle followed
+
+## Files Created/Modified
+
+### New Files (7)
+- `apps/api/src/federation/event.service.ts` (470 lines)
+- `apps/api/src/federation/event.service.spec.ts` (1,088 lines)
+- `apps/api/src/federation/event.controller.ts` (199 lines)
+- `apps/api/src/federation/event.controller.spec.ts` (431 lines)
+- `apps/api/src/federation/dto/event.dto.ts` (106 lines)
+- `apps/api/prisma/migrations/20260203_add_federation_event_subscriptions/migration.sql` (42 lines)
+- `docs/scratchpads/90-event-subscriptions.md` (185 lines)
+
+### Modified Files (3)
+- `apps/api/src/federation/types/message.types.ts` (+118 lines)
+- `apps/api/src/federation/federation.module.ts` (+3 lines)
+- `apps/api/prisma/schema.prisma` (+27 lines)
+
+### Total Changes
+- **2,395 lines added**
+- **5 lines removed**
+- **10 files changed**
+
+## Key Features
+
+### Server-Side Event Filtering
+Events are only sent to instances with active subscriptions for that event type. This prevents unnecessary network traffic and processing.
+
+### Acknowledgment Protocol
+Simple ACK pattern confirms event delivery:
+1. Publisher sends event
+2. Receiver processes and returns ACK
+3. Publisher updates delivery status
+
+### Error Handling
+- Failed deliveries marked as FAILED with error message
+- Connection errors logged but don't crash the system
+- Invalid signatures rejected immediately
+
+### Subscription Management
+- Subscriptions persist in database
+- Can be activated/deactivated without deletion
+- Support for metadata (extensibility)
+
+## Future Enhancements (Not Implemented)
+
+These were considered but deferred to future issues:
+- Event replay/history
+- Event filtering by payload fields
+- Webhook support for event delivery
+- Event schema validation
+- Rate limiting for event publishing
+- Batch event delivery
+- Event retention policies
+
+## Performance Considerations
+
+### Scalability
+- Database indexes on eventType, connectionId, workspaceId
+- Efficient queries with proper WHERE clauses
+- Server-side filtering reduces network overhead
+
+### Monitoring
+- All operations logged with appropriate level
+- Failed deliveries tracked in database
+- Delivery timestamps recorded for analytics
+
+## Documentation
+
+### Inline Documentation
+- JSDoc comments on all public methods
+- Clear parameter descriptions
+- Return type documentation
+- Usage examples in comments
+
+### Scratchpad Documentation
+- Complete implementation plan
+- Design decisions documented
+- Testing strategy outlined
+- Progress tracked
+
+## Integration Testing Recommendations
+
+While unit tests are comprehensive, recommend integration testing:
+1. Set up two federated instances
+2. Subscribe from Instance A to Instance B events
+3. Publish event from Instance B
+4. Verify Instance A receives and ACKs event
+5. Test various failure scenarios
+
+## Conclusion
+
+FED-007 (EVENT Subscriptions) is **complete and ready for code review**. The implementation:
+- ✅ Follows TDD principles
+- ✅ Meets 85%+ code coverage requirement
+- ✅ Passes all quality gates (lint, typecheck, tests)
+- ✅ Consistent with existing federation patterns
+- ✅ Properly documented
+- ✅ Security-focused (signature verification, timestamp validation)
+- ✅ Scalable architecture
+
+This completes Phase 3 of the federation architecture. The next phase would be UI components (FED-008: Connection Manager UI) and agent spawning (FED-010: Agent Spawn via Federation).
+
+---
+
+**Commit:** `ca4f5ec` - feat(#90): implement EVENT subscriptions for federation
+**Branch:** `develop`
+**Ready for:** Code Review, QA Testing, Integration Testing