chore: archive Phase 1 P1 OpenSpec changes

Archive dockerfile, agntcy-alignment-docs, and nodejs-sdk changes
now that implementation is complete and pushed to develop.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

openspec/changes/archive/2026-03-28-agntcy-alignment-docs/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-03-28

openspec/changes/archive/2026-03-28-agntcy-alignment-docs/design.md

@@ -0,0 +1,13 @@
+## Context
+AGNTCY is the Linux Foundation open standard for AI agent identity, interoperability, and governance. AgentIdP implements the non-human identity model defined by AGNTCY. This document makes that alignment explicit and verifiable.
+
+## Goals
+- Engineers and architects can verify AGNTCY compliance without reading the full standard
+- The mapping is explicit: each AGNTCY concept is matched to a specific AgentIdP API feature
+- Both compliant and pending/out-of-scope items are documented honestly
+
+## Folder: docs/agntcy/
+Separate from developers/ and devops/ — this is a standards alignment reference, not a how-to guide.
+
+## Open Questions
+*(none)*

openspec/changes/archive/2026-03-28-agntcy-alignment-docs/proposal.md

@@ -0,0 +1,11 @@
+## Why
+AGNTCY alignment documentation is a Phase 1 P1 deliverable. SentryAgent.ai positions itself as AGNTCY-compliant, but there is no document explaining what AGNTCY is, how AgentIdP maps to its model, and what that means for developers and operators adopting the platform.
+
+## What Changes
+- New `docs/agntcy/` folder
+- `alignment.md` — formal mapping of AgentIdP concepts to AGNTCY standard concepts
+- `README.md` — entry point explaining what AGNTCY is and why it matters
+
+## What Does Not Change
+- No source code changes
+- No API changes

openspec/changes/archive/2026-03-28-agntcy-alignment-docs/specs/alignment/spec.md

@@ -0,0 +1,4 @@
+## ADDED Requirements
+
+### Requirement: AGNTCY alignment docs exist at docs/agntcy/
+The system SHALL provide documentation in `docs/agntcy/` explaining the AGNTCY standard and how AgentIdP implements its non-human identity model, with explicit feature-by-feature mapping.

openspec/changes/archive/2026-03-28-agntcy-alignment-docs/tasks.md

@@ -0,0 +1,17 @@
+## 1. docs/agntcy/README.md
+
+- [x] 1.1 Write intro: what AGNTCY is (Linux Foundation, AI agent interoperability standard)
+- [x] 1.2 Write why it matters: standardised agent identity, cross-system interoperability
+- [x] 1.3 Link to alignment.md
+
+## 2. docs/agntcy/alignment.md
+
+- [x] 2.1 Write AGNTCY core concepts section: non-human identity, agent registry, credential management, lifecycle, audit
+- [x] 2.2 Write AgentIdP implementation mapping table: each AGNTCY concept → AgentIdP feature → API endpoint
+- [x] 2.3 Write compliance status section: what is implemented (Phase 1), what is pending (Phase 2+)
+- [x] 2.4 Write interoperability section: how AgentIdP-registered agents can be identified by other AGNTCY-compliant systems
+
+## 3. QA
+
+- [x] 3.1 Verify all API endpoints referenced in the mapping table exist
+- [x] 3.2 Verify compliance status is honest — no overclaiming

openspec/changes/archive/2026-03-28-dockerfile/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-03-28

openspec/changes/archive/2026-03-28-dockerfile/design.md

@@ -0,0 +1,13 @@
+## Context
+Node.js 18+, TypeScript compiled to `dist/`. Production image must be minimal, non-root, and use the compiled output only.
+
+## Decisions
+- Multi-stage build: `builder` stage compiles TypeScript; `production` stage copies `dist/` only
+- Base image: `node:18-alpine` — minimal footprint
+- Non-root user: `node` user (built into node alpine image)
+- No dev dependencies in production image — only `npm ci --omit=dev`
+- Health check: `wget` on `localhost:3000/health` — but no `/health` endpoint exists yet, so omit health check from Dockerfile; it is set in docker-compose.yml via pg_isready/redis-cli patterns
+- `.dockerignore` excludes: `node_modules`, `dist`, `coverage`, `tests`, `.env`, `*.pem`, `vj_notes`, `.cto-workspace`, `.claude`
+
+## Open Questions
+*(none)*

openspec/changes/archive/2026-03-28-dockerfile/proposal.md

@@ -0,0 +1,11 @@
+## Why
+The `docker-compose.yml` `app` service references a `Dockerfile` that does not exist. Docker containerisation is a Phase 1 P1 item. Without it, the full docker-compose stack cannot start and the DevOps deployment path is incomplete.
+
+## What Changes
+- New `Dockerfile` at project root — multi-stage build (builder + production)
+- New `.dockerignore` — excludes `node_modules`, `dist`, test files, `.env`
+- `docker-compose.yml` `app` service becomes fully functional
+
+## What Does Not Change
+- No source code changes
+- No dependency changes

openspec/changes/archive/2026-03-28-dockerfile/specs/container/spec.md

@@ -0,0 +1,7 @@
+## ADDED Requirements
+
+### Requirement: Dockerfile exists at project root
+The system SHALL provide a multi-stage `Dockerfile` that builds the TypeScript source and produces a minimal production image running as a non-root user.
+
+### Requirement: .dockerignore exists at project root
+The system SHALL provide a `.dockerignore` that excludes development artifacts, secrets, and test files from the Docker build context.

openspec/changes/archive/2026-03-28-dockerfile/tasks.md

@@ -0,0 +1,14 @@
+## 1. Dockerfile
+
+- [x] 1.1 Write multi-stage Dockerfile: builder stage (node:18-alpine, npm ci, npm run build)
+- [x] 1.2 Write production stage: node:18-alpine, npm ci --omit=dev, copy dist/, USER node
+- [x] 1.3 Set EXPOSE 3000, CMD ["node", "dist/server.js"]
+
+## 2. .dockerignore
+
+- [x] 2.1 Write .dockerignore excluding: node_modules, dist, coverage, tests, .env, *.pem, vj_notes, .cto-workspace, .claude, next_steps.md
+
+## 3. QA
+
+- [x] 3.1 Verify Dockerfile build stages are correct and complete
+- [x] 3.2 Verify .dockerignore covers all sensitive/unnecessary files

openspec/changes/archive/2026-03-28-nodejs-sdk/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-03-28

openspec/changes/archive/2026-03-28-nodejs-sdk/design.md

@@ -0,0 +1,39 @@
+## Context
+The SDK wraps the AgentIdP REST API. It must handle authentication transparently — caller provides `clientId` + `clientSecret`, SDK manages token acquisition and refresh automatically.
+
+## Architecture
+- Single entrypoint: `sdk/src/index.ts` exports `AgentIdPClient` and all types
+- `AgentIdPClient` constructor takes `{ baseUrl, clientId, clientSecret }`
+- Internal `TokenManager` handles token acquisition, caching, and refresh (re-issues when expired)
+- Four service classes: `AgentRegistryClient`, `CredentialClient`, `TokenClient`, `AuditClient`
+- `AgentIdPClient` composes all four
+- HTTP: native `fetch` (Node 18+ built-in) — no axios dependency
+- Types: re-exported from `sdk/src/types.ts` — mirrors the main app types
+
+## Standards
+- TypeScript strict mode, zero `any`
+- DRY: shared `request()` helper handles auth header, JSON parse, error mapping
+- All errors are typed `AgentIdPError` with `code` and `message`
+- JSDoc on all public methods
+
+## Package structure
+```
+sdk/
+  src/
+    index.ts          — exports AgentIdPClient + all types
+    client.ts         — AgentIdPClient (composes all services)
+    token-manager.ts  — token acquisition and refresh
+    services/
+      agents.ts       — AgentRegistryClient
+      credentials.ts  — CredentialClient
+      token.ts        — TokenClient
+      audit.ts        — AuditClient
+    types.ts          — all request/response types
+    errors.ts         — AgentIdPError class
+  package.json
+  tsconfig.json
+  README.md
+```
+
+## Open Questions
+*(none)*

openspec/changes/archive/2026-03-28-nodejs-sdk/proposal.md

@@ -0,0 +1,13 @@
+## Why
+Bedroom developers currently must write raw HTTP calls to use AgentIdP. A Node.js SDK removes that friction — developers install one package and get a fully typed, auto-authenticating client. This is a Phase 1 P1 deliverable and a core developer experience improvement.
+
+## What Changes
+- New `sdk/` directory at project root containing a self-contained TypeScript npm package
+- `AgentIdPClient` class: handles auth, token refresh, and exposes typed methods for all 14 endpoints
+- Covers all four services: AgentRegistry, Credentials, Token, AuditLog
+- Full TypeScript types — zero `any`, strict mode
+- Published as `@sentryagent/idp-sdk` (package name)
+
+## What Does Not Change
+- No API changes
+- No changes to the main application source

openspec/changes/archive/2026-03-28-nodejs-sdk/specs/client/spec.md

@@ -0,0 +1,7 @@
+## ADDED Requirements
+
+### Requirement: AgentIdPClient class exists and handles auth transparently
+The SDK SHALL provide an `AgentIdPClient` class that accepts `baseUrl`, `clientId`, and `clientSecret` in its constructor and manages token acquisition and refresh automatically. Callers never handle tokens directly.
+
+### Requirement: TokenManager caches and refreshes tokens
+The SDK SHALL cache the access token in memory and re-issue it via `POST /token` when it is expired or within 60 seconds of expiry. Token refresh is transparent to the caller.

openspec/changes/archive/2026-03-28-nodejs-sdk/specs/services/spec.md

@@ -0,0 +1,7 @@
+## ADDED Requirements
+
+### Requirement: All 14 endpoints are wrapped as typed SDK methods
+The SDK SHALL expose typed methods for all 14 AgentIdP endpoints across four service namespaces: `agents` (5 methods), `credentials` (4 methods), `token` (3 methods), `audit` (2 methods).
+
+### Requirement: All errors are typed AgentIdPError instances
+The SDK SHALL throw `AgentIdPError` with `code`, `message`, `httpStatus`, and optional `details` for all API errors. Never throw raw fetch errors.

openspec/changes/archive/2026-03-28-nodejs-sdk/specs/types/spec.md

@@ -0,0 +1,4 @@
+## ADDED Requirements
+
+### Requirement: Full TypeScript types exported from sdk package
+The SDK SHALL export TypeScript interfaces for all request bodies, response shapes, and error types. Zero `any` types. All types derived from the OpenAPI specs.

openspec/changes/archive/2026-03-28-nodejs-sdk/tasks.md

@@ -0,0 +1,35 @@
+## 1. Package Setup
+
+- [x] 1.1 Create `sdk/` directory and `sdk/src/` subdirectories
+- [x] 1.2 Write `sdk/package.json` — name: @sentryagent/idp-sdk, main, types, scripts (build, test)
+- [x] 1.3 Write `sdk/tsconfig.json` — strict mode, target ES2020, declaration: true
+- [x] 1.4 Write `sdk/README.md` — installation, quick example, full API reference
+
+## 2. Types
+
+- [x] 2.1 Write `sdk/src/types.ts` — all request/response interfaces for all 14 endpoints
+- [x] 2.2 Write `sdk/src/errors.ts` — AgentIdPError class with code, message, httpStatus, details
+
+## 3. Core Client
+
+- [x] 3.1 Write `sdk/src/token-manager.ts` — TokenManager: acquires, caches, refreshes tokens; re-issues when exp - 60s
+- [x] 3.2 Write `sdk/src/request.ts` — shared request() helper: sets Authorization header, parses JSON, maps errors to AgentIdPError
+
+## 4. Service Clients
+
+- [x] 4.1 Write `sdk/src/services/agents.ts` — AgentRegistryClient: registerAgent, listAgents, getAgent, updateAgent, decommissionAgent
+- [x] 4.2 Write `sdk/src/services/credentials.ts` — CredentialClient: generateCredential, listCredentials, rotateCredential, revokeCredential
+- [x] 4.3 Write `sdk/src/services/token.ts` — TokenClient: introspectToken, revokeToken (issueToken handled by TokenManager)
+- [x] 4.4 Write `sdk/src/services/audit.ts` — AuditClient: queryAuditLog, getAuditEvent
+
+## 5. Main Entry Point
+
+- [x] 5.1 Write `sdk/src/client.ts` — AgentIdPClient: composes all service clients, exposes agents, credentials, token, audit namespaces
+- [x] 5.2 Write `sdk/src/index.ts` — exports AgentIdPClient and all public types
+
+## 6. QA
+
+- [x] 6.1 Verify TypeScript compiles with zero errors (npm run build in sdk/)
+- [x] 6.2 Verify zero `any` types across all SDK files
+- [x] 6.3 Verify all 14 endpoints have corresponding SDK methods
+- [x] 6.4 Verify AgentIdPError is thrown (not raw errors) for all failure paths