chore: Phase 2 OpenSpec scoping — proposal, design, specs, tasks

8 workstreams scoped per OpenSpec standards:
1. HashiCorp Vault integration (secret management)
2. Python SDK (sentryagent-idp)
3. Go SDK (idp-sdk-go)
4. Java SDK (ai.sentryagent:idp-sdk)
5. OPA policy engine (dynamic ABAC, hot-reload Rego)
6. Web Dashboard UI (React 18 + TypeScript)
7. Prometheus + Grafana monitoring (7 metrics, pre-built dashboard)
8. Multi-region Terraform deployment (AWS + GCP)

Status: proposed — awaiting CEO dependency approvals (A0.1–A0.5)
before any implementation begins.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

openspec/changes/phase-2-production-ready/specs/python-sdk/spec.md

@@ -0,0 +1,24 @@
+# Spec: Python SDK (`sentryagent-idp`)
+
+**Status**: Pending CEO approval
+**Workstream**: 2 of 8
+
+## Scope
+- `sdk-python/` directory at project root
+- `AgentIdPClient` with sync and async variants
+- `TokenManager` with 60s auto-refresh
+- Service clients: `AgentRegistryClient`, `CredentialClient`, `TokenClient`, `AuditClient`
+- `AgentIdPError` typed exception
+- Full type hints — `mypy --strict` clean
+- `sdk-python/README.md` with installation and usage
+
+## Acceptance Criteria
+- [ ] All 14 API endpoints covered
+- [ ] Sync client: `requests` library
+- [ ] Async client: `httpx` library
+- [ ] `mypy --strict` passes with zero errors
+- [ ] Zero untyped code
+- [ ] `AgentIdPError` raised (not raw requests/httpx exceptions) on all failure paths
+- [ ] `TokenManager` tested: caches token, refreshes at exp-60s
+- [ ] `pyproject.toml` with: name=sentryagent-idp, python>=3.9, dependencies declared
+- [ ] README matches Node.js SDK structure