feat: Phase 1 P1 — Dockerfile, AGNTCY alignment docs, Node.js SDK

Three remaining Phase 1 P1 deliverables: 1. Dockerfile — multi-stage build (builder + production), node:18-alpine, non-root USER node, .dockerignore excluding secrets and dev artifacts 2. AGNTCY alignment docs (docs/agntcy/) — README and alignment.md mapping all 6 AGNTCY domains to AgentIdP features with Phase 2/3 pending items noted 3. Node.js SDK (@sentryagent/idp-sdk) — TypeScript strict, zero any, native fetch (Node 18+), TokenManager with 60s auto-refresh, service clients for all 14 endpoints (agents, credentials, tokens, audit), AgentIdPError typed error hierarchy, full README All three changes tracked under openspec/changes/ with tasks marked complete. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 14:46:53 +00:00
parent d94a8cedc0
commit aa5167835e
34 changed files with 1572 additions and 0 deletions
--- a/openspec/changes/dockerfile/.openspec.yaml
+++ b/openspec/changes/dockerfile/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-03-28
--- a/openspec/changes/dockerfile/design.md
+++ b/openspec/changes/dockerfile/design.md
@@ -0,0 +1,13 @@
+## Context
+Node.js 18+, TypeScript compiled to `dist/`. Production image must be minimal, non-root, and use the compiled output only.
+
+## Decisions
+- Multi-stage build: `builder` stage compiles TypeScript; `production` stage copies `dist/` only
+- Base image: `node:18-alpine` — minimal footprint
+- Non-root user: `node` user (built into node alpine image)
+- No dev dependencies in production image — only `npm ci --omit=dev`
+- Health check: `wget` on `localhost:3000/health` — but no `/health` endpoint exists yet, so omit health check from Dockerfile; it is set in docker-compose.yml via pg_isready/redis-cli patterns
+- `.dockerignore` excludes: `node_modules`, `dist`, `coverage`, `tests`, `.env`, `*.pem`, `vj_notes`, `.cto-workspace`, `.claude`
+
+## Open Questions
+*(none)*
--- a/openspec/changes/dockerfile/proposal.md
+++ b/openspec/changes/dockerfile/proposal.md
@@ -0,0 +1,11 @@
+## Why
+The `docker-compose.yml` `app` service references a `Dockerfile` that does not exist. Docker containerisation is a Phase 1 P1 item. Without it, the full docker-compose stack cannot start and the DevOps deployment path is incomplete.
+
+## What Changes
+- New `Dockerfile` at project root — multi-stage build (builder + production)
+- New `.dockerignore` — excludes `node_modules`, `dist`, test files, `.env`
+- `docker-compose.yml` `app` service becomes fully functional
+
+## What Does Not Change
+- No source code changes
+- No dependency changes
--- a/openspec/changes/dockerfile/specs/container/spec.md
+++ b/openspec/changes/dockerfile/specs/container/spec.md
@@ -0,0 +1,7 @@
+## ADDED Requirements
+
+### Requirement: Dockerfile exists at project root
+The system SHALL provide a multi-stage `Dockerfile` that builds the TypeScript source and produces a minimal production image running as a non-root user.
+
+### Requirement: .dockerignore exists at project root
+The system SHALL provide a `.dockerignore` that excludes development artifacts, secrets, and test files from the Docker build context.
--- a/openspec/changes/dockerfile/tasks.md
+++ b/openspec/changes/dockerfile/tasks.md
@@ -0,0 +1,14 @@
+## 1. Dockerfile
+
+- [x] 1.1 Write multi-stage Dockerfile: builder stage (node:18-alpine, npm ci, npm run build)
+- [x] 1.2 Write production stage: node:18-alpine, npm ci --omit=dev, copy dist/, USER node
+- [x] 1.3 Set EXPOSE 3000, CMD ["node", "dist/server.js"]
+
+## 2. .dockerignore
+
+- [x] 2.1 Write .dockerignore excluding: node_modules, dist, coverage, tests, .env, *.pem, vj_notes, .cto-workspace, .claude, next_steps.md
+
+## 3. QA
+
+- [x] 3.1 Verify Dockerfile build stages are correct and complete
+- [x] 3.2 Verify .dockerignore covers all sensitive/unnecessary files