chore: Phase 2 OpenSpec scoping — proposal, design, specs, tasks

8 workstreams scoped per OpenSpec standards:
1. HashiCorp Vault integration (secret management)
2. Python SDK (sentryagent-idp)
3. Go SDK (idp-sdk-go)
4. Java SDK (ai.sentryagent:idp-sdk)
5. OPA policy engine (dynamic ABAC, hot-reload Rego)
6. Web Dashboard UI (React 18 + TypeScript)
7. Prometheus + Grafana monitoring (7 metrics, pre-built dashboard)
8. Multi-region Terraform deployment (AWS + GCP)

Status: proposed — awaiting CEO dependency approvals (A0.1–A0.5)
before any implementation begins.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

openspec/changes/phase-2-production-ready/specs/vault/spec.md

@@ -0,0 +1,21 @@
+# Spec: HashiCorp Vault Integration
+
+**Status**: Pending CEO approval
+**Workstream**: 1 of 8
+
+## Scope
+- VaultClient class wrapping `node-vault`
+- `005_add_vault_path.sql` migration
+- Updated CredentialService to write secrets to Vault instead of PostgreSQL
+- New env vars: VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT
+- Migration guide: bcrypt → Vault coexistence strategy
+
+## Acceptance Criteria
+- [ ] New credentials: secret written to Vault KV v2, `vault_path` stored in PostgreSQL
+- [ ] Credential rotation: Vault versioned update, `vault_path` unchanged
+- [ ] Credential revocation: Vault secret deleted, DB status = `revoked`
+- [ ] Existing bcrypt credentials continue to work until rotated
+- [ ] VaultClient follows existing service interface pattern (DRY, SOLID)
+- [ ] Zero `any` types, TypeScript strict
+- [ ] `VAULT_ADDR` / `VAULT_TOKEN` validation at startup (fail-fast)
+- [ ] DevOps docs updated with Vault setup section