chore: Phase 2 OpenSpec scoping — proposal, design, specs, tasks

8 workstreams scoped per OpenSpec standards:
1. HashiCorp Vault integration (secret management)
2. Python SDK (sentryagent-idp)
3. Go SDK (idp-sdk-go)
4. Java SDK (ai.sentryagent:idp-sdk)
5. OPA policy engine (dynamic ABAC, hot-reload Rego)
6. Web Dashboard UI (React 18 + TypeScript)
7. Prometheus + Grafana monitoring (7 metrics, pre-built dashboard)
8. Multi-region Terraform deployment (AWS + GCP)

Status: proposed — awaiting CEO dependency approvals (A0.1–A0.5)
before any implementation begins.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

openspec/changes/phase-2-production-ready/specs/java-sdk/spec.md

@@ -0,0 +1,23 @@
+# Spec: Java SDK (`ai.sentryagent:idp-sdk`)
+
+**Status**: Pending CEO approval
+**Workstream**: 4 of 8
+
+## Scope
+- `sdk-java/` directory at project root
+- `AgentIdPClient` with sync and `CompletableFuture` async variants
+- `TokenManager` with thread-safe cache and 60s auto-refresh
+- Service clients: `AgentRegistryClient`, `CredentialClient`, `TokenClient`, `AuditClient`
+- `AgentIdPException` extending `RuntimeException` with `code`, `httpStatus`, `details`
+- `pom.xml`: groupId=`ai.sentryagent`, artifactId=`idp-sdk`, Java 17+
+- `sdk-java/README.md`
+
+## Acceptance Criteria
+- [ ] All 14 endpoints covered
+- [ ] Sync methods return typed POJOs; async methods return `CompletableFuture<T>`
+- [ ] `AgentIdPException` thrown (not raw IOException) on all failure paths
+- [ ] `TokenManager` is thread-safe (`synchronized` on cache)
+- [ ] Apache HttpClient 5 for HTTP transport
+- [ ] Jackson for JSON serialization
+- [ ] `mvn verify` passes with >80% coverage (JUnit 5)
+- [ ] README matches Node.js SDK structure