feat(phase-3): workstream 4 — AGNTCY Federation

Implements cross-IdP token verification for the AGNTCY ecosystem:

- Migration 015: federation_partners table (issuer, jwks_uri,
  allowed_organizations JSONB, status, expires_at)
- FederationService: registerPartner (JWKS validation at registration),
  listPartners, getPartner, updatePartner, deletePartner,
  verifyFederatedToken (alg:none rejected, RS256/ES256 only,
  allowedOrganizations filter, expiry enforcement)
- JWKS caching in Redis (TTL: FEDERATION_JWKS_CACHE_TTL_SECONDS);
  cache invalidated on partner delete and jwks_uri change
- FederationController + routes: 5 admin:orgs endpoints +
  POST /federation/verify (agents:read)
- OPA policy: 5 federation admin endpoint → admin:orgs mappings
- 499 unit tests passing; 94.69% statement coverage on FederationService

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SentryAgent.ai Developer
2026-03-30 10:13:49 +00:00
parent 5e465e596a
commit 03b5de300c
12 changed files with 2092 additions and 13 deletions


@@ -81,6 +81,18 @@ normalise_path(path) := "/api/v1/organizations" if {
path == "/api/v1/organizations"
}
normalise_path(path) := "/api/v1/federation/partners/:id" if {
regex.match(`^/api/v1/federation/partners/[^/]+$`, path)
}
normalise_path(path) := "/api/v1/federation/partners" if {
path == "/api/v1/federation/partners"
}
normalise_path(path) := "/api/v1/federation/trust" if {
path == "/api/v1/federation/trust"
}
# ─── Core allow rule ──────────────────────────────────────────────────────────
# allow = true if every required scope for the endpoint is present in input.scopes.
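Review bot: the new `normalise_path(path) := "/api/v1/federation/trust"` clause has no counterpart in the commit message, which lists five admin:orgs endpoints (all covered by the `partners` and `partners/:id` clauses above) plus `POST /federation/verify` (agents:read); please state in a comment what the trust path is and which scope it maps to, or drop the clause if the route does not exist yet. Conversely, the static `/api/v1/federation/verify` path gets no clause in this hunk while the other static federation paths do, so confirm it is handled further down in the policy or add `normalise_path(path) := "/api/v1/federation/verify" if { path == "/api/v1/federation/verify" }` here so the agents:read mapping is reachable.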