feat(#86): implement Authentik OIDC integration for federation

Implements federated authentication infrastructure using OIDC:

- Add FederatedIdentity model to Prisma schema for identity mapping
- Create OIDCService with identity linking and token validation
- Add FederationAuthController with 5 endpoints:
  * POST /auth/initiate - Start federated auth flow
  * POST /auth/link - Link identity to remote instance
  * GET /auth/identities - List user's federated identities
  * DELETE /auth/identities/:id - Revoke identity
  * POST /auth/validate - Validate federated token
- Create comprehensive type definitions for OIDC flows
- Add audit logging for security events
- Write 24 passing tests (14 service + 10 controller)
- Achieve 79% coverage for OIDCService, 100% for controller

Notes:
- Token validation and auth URL generation are placeholder implementations
- Full JWT validation will be added when federation OIDC is actively used
- Identity mappings enforce workspace isolation
- All endpoints require authentication except /validate

Refs #86

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api/src/federation/signature.service.ts

@@ -156,15 +156,9 @@ export class SignatureService {
    * @returns A new object with sorted keys
    */
   private sortObjectKeys(obj: SignableMessage): SignableMessage {
-    // Handle null and primitives
-    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
-    if (obj === null || typeof obj !== "object") {
-      return obj;
-    }
-
     // Handle arrays - recursively sort elements
     if (Array.isArray(obj)) {
-      const sortedArray = obj.map((item: unknown) => {
+      const sortedArray = obj.map((item: unknown): unknown => {
         if (typeof item === "object" && item !== null) {
           return this.sortObjectKeys(item as SignableMessage);
         }