chore: Phase 2 OpenSpec scoping — proposal, design, specs, tasks

8 workstreams scoped per OpenSpec standards:
1. HashiCorp Vault integration (secret management)
2. Python SDK (sentryagent-idp)
3. Go SDK (idp-sdk-go)
4. Java SDK (ai.sentryagent:idp-sdk)
5. OPA policy engine (dynamic ABAC, hot-reload Rego)
6. Web Dashboard UI (React 18 + TypeScript)
7. Prometheus + Grafana monitoring (7 metrics, pre-built dashboard)
8. Multi-region Terraform deployment (AWS + GCP)

Status: proposed — awaiting CEO dependency approvals (A0.1–A0.5)
before any implementation begins.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

openspec/changes/phase-2-production-ready/specs/go-sdk/spec.md

@@ -0,0 +1,23 @@
+# Spec: Go SDK (`github.com/sentryagent/idp-sdk-go`)
+
+**Status**: Pending CEO approval
+**Workstream**: 3 of 8
+
+## Scope
+- `sdk-go/` directory at project root
+- Context-aware `AgentIdPClient` using standard library `net/http`
+- `TokenManager` with mutex-guarded cache and 60s auto-refresh
+- Service clients: `AgentRegistryClient`, `CredentialClient`, `TokenClient`, `AuditClient`
+- Idiomatic Go error type `AgentIdPError` implementing `error` interface
+- `go.mod` module: `github.com/sentryagent/idp-sdk-go`
+- `sdk-go/README.md`
+
+## Acceptance Criteria
+- [ ] All 14 endpoints covered
+- [ ] All methods take `context.Context` as first argument
+- [ ] No panics — all errors returned as `error`
+- [ ] `AgentIdPError` implements `error` and exposes `.Code`, `.HTTPStatus`, `.Details`
+- [ ] `TokenManager` is goroutine-safe (`sync.Mutex` on cache)
+- [ ] `go vet` and `staticcheck` pass with zero warnings
+- [ ] `go test ./...` with >80% coverage
+- [ ] README matches Node.js SDK structure