Implement WP-0011 hub service, CLI, and deployment artifacts

Add FederationHubAPI spec, hub registration schema, FastAPI hub with SQLite
persistence, reuse-surface hub CLI client, Dockerfile, and hub tests. Activate
workplan; T05 deploy and T06 ops docs remain open pending railiance01 cutover.

schemas/hub-registration.schema.yaml

@@ -0,0 +1,148 @@
+$schema: https://json-schema.org/draft/2020-12/schema
+$id: https://reuse-surface.local/schemas/hub-registration.schema.yaml
+title: Federation Hub Repo Registration
+description: >
+  Schema for a repository registration stored by the federation hub service.
+  Extends federation source fields with hub metadata.
+type: object
+additionalProperties: false
+required: [repo, url, enabled, domain]
+properties:
+  repo:
+    type: string
+    minLength: 1
+    pattern: '^[a-z][a-z0-9-]*$'
+    description: Stable repository slug (primary key)
+  url:
+    type: string
+    format: uri
+    pattern: '^https?://'
+    description: Published HTTP(S) URL to capabilities.yaml
+  enabled:
+    type: boolean
+  required:
+    type: boolean
+    default: false
+  domain:
+    type: string
+    minLength: 1
+    description: Capability domain label (e.g. helix_forge)
+  description:
+    type: string
+  cache_ttl_seconds:
+    type: integer
+    minimum: 0
+    default: 86400
+  auth_env:
+    type: string
+    minLength: 1
+    description: >
+      Hub-side environment variable name holding a token for fetching this
+      source index (not exposed in API responses)
+  auth_header:
+    type: string
+    minLength: 1
+    default: Authorization
+  registered_at:
+    type: string
+    format: date-time
+    description: Hub metadata — set on create
+  updated_at:
+    type: string
+    format: date-time
+    description: Hub metadata — set on create/update
+  registered_by:
+    type: string
+    description: Optional actor label from write token or client header
+$defs:
+  registration_request:
+    type: object
+    additionalProperties: false
+    required: [repo, url, domain]
+    properties:
+      repo:
+        type: string
+        minLength: 1
+        pattern: '^[a-z][a-z0-9-]*$'
+      url:
+        type: string
+        format: uri
+        pattern: '^https?://'
+      enabled:
+        type: boolean
+        default: true
+      required:
+        type: boolean
+        default: false
+      domain:
+        type: string
+        minLength: 1
+      description:
+        type: string
+      cache_ttl_seconds:
+        type: integer
+        minimum: 0
+        default: 86400
+      auth_env:
+        type: string
+        minLength: 1
+      auth_header:
+        type: string
+        minLength: 1
+        default: Authorization
+      registered_by:
+        type: string
+  registration_update:
+    type: object
+    additionalProperties: false
+    properties:
+      url:
+        type: string
+        format: uri
+        pattern: '^https?://'
+      enabled:
+        type: boolean
+      required:
+        type: boolean
+      domain:
+        type: string
+        minLength: 1
+      description:
+        type: string
+      cache_ttl_seconds:
+        type: integer
+        minimum: 0
+      auth_env:
+        type: string
+        minLength: 1
+      auth_header:
+        type: string
+        minLength: 1
+      registered_by:
+        type: string
+    minProperties: 1
+  repo_list:
+    type: object
+    additionalProperties: false
+    required: [repos, count]
+    properties:
+      repos:
+        type: array
+        items:
+          $ref: '#'
+      count:
+        type: integer
+        minimum: 0
+  error_response:
+    type: object
+    additionalProperties: false
+    required: [error, message]
+    properties:
+      error:
+        type: string
+      message:
+        type: string
+      details:
+        type: array
+        items:
+          type: string