feat(#87): implement cross-instance identity linking for federation

Implements FED-004: Cross-Instance Identity Linking, building on the
foundation from FED-001, FED-002, and FED-003.

New Services:
- IdentityLinkingService: Handles identity verification and mapping
  with signature validation and OIDC token verification
- IdentityResolutionService: Resolves identities between local and
  remote instances with support for bulk operations

New API Endpoints (IdentityLinkingController):
- POST /api/v1/federation/identity/verify - Verify remote identity
- POST /api/v1/federation/identity/resolve - Resolve remote to local user
- POST /api/v1/federation/identity/bulk-resolve - Bulk resolution
- GET /api/v1/federation/identity/me - Get current user's identities
- POST /api/v1/federation/identity/link - Create identity mapping
- PATCH /api/v1/federation/identity/:id - Update mapping
- DELETE /api/v1/federation/identity/:id - Revoke mapping
- GET /api/v1/federation/identity/:id/validate - Validate mapping

Security Features:
- Signature verification using remote instance public keys
- OIDC token validation before creating mappings
- Timestamp validation to prevent replay attacks
- Workspace isolation via authentication guards
- Comprehensive audit logging for all identity operations

Enhancements:
- Added SignatureService.verifyMessage() for remote signature verification
- Added FederationService.getConnectionByRemoteInstanceId()
- Extended FederationAuditService with identity logging methods
- Created comprehensive DTOs with class-validator decorators

Testing:
- 38 new tests (19 service + 7 resolution + 12 controller)
- All 132 federation tests passing
- TypeScript compilation passing with no errors
- High test coverage achieved (>85% requirement exceeded)

Technical Details:
- Leverages existing FederatedIdentity model from FED-003
- Uses RSA SHA-256 signatures for cryptographic verification
- Supports one identity mapping per remote instance per user
- Resolution service optimized for read-heavy operations
- Built following TDD principles (Red-Green-Refactor)

Closes #87

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api/src/federation/audit.service.ts

@@ -62,4 +62,46 @@ export class FederationAuditService {
       securityEvent: true,
     });
   }
+
+  /**
+   * Log identity verification attempt
+   */
+  logIdentityVerification(userId: string, remoteInstanceId: string, success: boolean): void {
+    const level = success ? "log" : "warn";
+    this.logger[level]({
+      event: "FEDERATION_IDENTITY_VERIFIED",
+      userId,
+      remoteInstanceId,
+      success,
+      timestamp: new Date().toISOString(),
+      securityEvent: true,
+    });
+  }
+
+  /**
+   * Log identity linking (create mapping)
+   */
+  logIdentityLinking(localUserId: string, remoteInstanceId: string, remoteUserId: string): void {
+    this.logger.log({
+      event: "FEDERATION_IDENTITY_LINKED",
+      localUserId,
+      remoteUserId,
+      remoteInstanceId,
+      timestamp: new Date().toISOString(),
+      securityEvent: true,
+    });
+  }
+
+  /**
+   * Log identity revocation (remove mapping)
+   */
+  logIdentityRevocation(localUserId: string, remoteInstanceId: string): void {
+    this.logger.warn({
+      event: "FEDERATION_IDENTITY_REVOKED",
+      localUserId,
+      remoteInstanceId,
+      timestamp: new Date().toISOString(),
+      securityEvent: true,
+    });
+  }
 }