feat(#93): implement agent spawn via federation

Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.

Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)

Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
  CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification

Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts

Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)

Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed

Refs #93

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-03 14:37:06 -06:00
parent a8c8af21e5
commit 12abdfe81d
405 changed files with 13545 additions and 2153 deletions


@@ -1,6 +1,7 @@
# Security Fixes for Activity API Module
## Objective
Fix critical security issues in the Activity API module identified during code review.
## Issues Fixed
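Review bot: The edit near `## Objective` sits in an Activity API security document that the commit message does not list among its created or modified files, and the page reports 405 changed files for a change described as eight. The `@@ -1,6 +1,7 @@` header shows this hunk growing by a single line, which looks like formatting churn; move it and similar edits into a separate commit so the federation agent change can be reviewed and reverted on its own.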
@@ -8,10 +9,12 @@ Fix critical security issues in the Activity API module identified during code r
### 1. Added DTO Validation (Issue #1 from code review)
**Files Modified:**
- `/apps/api/src/activity/dto/query-activity-log.dto.ts`
- `/apps/api/src/activity/dto/create-activity-log.dto.ts`
**Changes:**
- Installed `class-validator` and `class-transformer` packages
- Added validation decorators to all DTO fields:
- `@IsUUID()` for ID fields
@@ -25,10 +28,12 @@ Fix critical security issues in the Activity API module identified during code r
- Enabled global ValidationPipe in `main.ts` with transformation enabled
**Tests Created:**
- `/apps/api/src/activity/dto/query-activity-log.dto.spec.ts` (21 tests)
- `/apps/api/src/activity/dto/create-activity-log.dto.spec.ts` (22 tests)
**Benefits:**
- Validates all input data before processing
- Prevents invalid data types from reaching business logic
- Provides clear error messages for invalid input
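Review bot: The line "Enabled global ValidationPipe in `main.ts` with transformation enabled" names only the transform setting. State here whether `whitelist` and `forbidNonWhitelisted` are also enabled, because the benefit claimed just below ("Validates all input data before processing") depends on whether properties without validation decorators are stripped or rejected rather than passed through to the handler.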
@@ -39,20 +44,24 @@ Fix critical security issues in the Activity API module identified during code r
### 2. Added Authentication Guards (Issue #2 from code review)
**Files Modified:**
- `/apps/api/src/activity/activity.controller.ts`
**Changes:**
- Added `@UseGuards(AuthGuard)` decorator to controller class
- All endpoints now require authentication
- Modified endpoints to extract `workspaceId` from authenticated user context instead of query parameters
- Added proper error handling for missing workspace context
**Key Security Improvements:**
- Users can only access their own workspace data
- WorkspaceId is now enforced from the authenticated session, preventing workspace ID spoofing
- Unauthorized access attempts are blocked at the guard level
**Tests Updated:**
- `/apps/api/src/activity/activity.controller.spec.ts`
- Added mock AuthGuard setup
- Updated all test cases to include authenticated user context
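Review bot: "Added proper error handling for missing workspace context" in the Changes list does not say what the caller receives. Document the response (status code, and that the request is rejected before any activity query runs), and list a test under Tests Updated for an authenticated user who has no workspace; the visible entries mention only the mock guard and the authenticated user context.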
@@ -63,9 +72,11 @@ Fix critical security issues in the Activity API module identified during code r
### 3. Added Sensitive Data Sanitization (Issue #4 from code review)
**Files Modified:**
- `/apps/api/src/activity/interceptors/activity-logging.interceptor.ts`
**Changes:**
- Implemented `sanitizeSensitiveData()` private method
- Redacts sensitive fields before logging:
- `password`
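Review bot: The section headings jump from "Issue #2 from code review" to "Issue #4 from code review" at `### 3. Added Sensitive Data Sanitization`, so issue #3 is unaccounted for in this document. Add a line stating whether it was fixed elsewhere, deferred, or rejected, so a reader of the security summary does not assume it was closed.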
@@ -82,6 +93,7 @@ Fix critical security issues in the Activity API module identified during code r
- Non-sensitive fields remain unchanged
**Tests Created:**
- Added 9 new test cases in `/apps/api/src/activity/interceptors/activity-logging.interceptor.spec.ts`
- Tests cover:
- Password redaction
@@ -93,6 +105,7 @@ Fix critical security issues in the Activity API module identified during code r
- Non-sensitive field preservation
**Benefits:**
- Prevents accidental logging of sensitive data
- Protects user credentials and payment information
- Maintains audit trail without security risks
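Review bot: "Maintains audit trail without security risks" under Benefits claims more than redaction by field name can deliver: a sensitive value stored under a key that is not on the redaction list would still be logged. Reword it to what the interceptor does, for example "Redacts the listed sensitive fields from the audit trail", and note how new field names get added to the list.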
@@ -103,12 +116,14 @@ Fix critical security issues in the Activity API module identified during code r
## Test Results
All tests passing:
```
Test Files 5 passed (5)
Tests 135 passed (135)
```
### Test Coverage:
- DTO Validation Tests: 43 tests
- Controller Tests: 12 tests (with auth)
- Interceptor Tests: 23 tests (including sanitization)
@@ -130,6 +145,7 @@ Tests 135 passed (135)
## Configuration Changes
**`/apps/api/src/main.ts`:**
- Added global ValidationPipe configuration:
```typescript
app.useGlobalPipes(
@@ -149,12 +165,14 @@ Tests 135 passed (135)
## Security Impact
### Before:
1. No input validation - any data could be passed
2. No authentication on activity endpoints
3. WorkspaceId could be spoofed via query parameters
4. Sensitive data logged in plain text
### After:
1. All inputs validated and type-checked
2. All endpoints require authentication
3. WorkspaceId enforced from authenticated session