feat: Phase 1 P1 — Dockerfile, AGNTCY alignment docs, Node.js SDK

Three remaining Phase 1 P1 deliverables: 1. Dockerfile — multi-stage build (builder + production), node:18-alpine, non-root USER node, .dockerignore excluding secrets and dev artifacts 2. AGNTCY alignment docs (docs/agntcy/) — README and alignment.md mapping all 6 AGNTCY domains to AgentIdP features with Phase 2/3 pending items noted 3. Node.js SDK (@sentryagent/idp-sdk) — TypeScript strict, zero any, native fetch (Node 18+), TokenManager with 60s auto-refresh, service clients for all 14 endpoints (agents, credentials, tokens, audit), AgentIdPError typed error hierarchy, full README All three changes tracked under openspec/changes/ with tasks marked complete. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 14:46:53 +00:00
parent d94a8cedc0
commit aa5167835e
34 changed files with 1572 additions and 0 deletions
--- a/openspec/changes/nodejs-sdk/.openspec.yaml
+++ b/openspec/changes/nodejs-sdk/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-03-28
--- a/openspec/changes/nodejs-sdk/design.md
+++ b/openspec/changes/nodejs-sdk/design.md
@@ -0,0 +1,39 @@
+## Context
+The SDK wraps the AgentIdP REST API. It must handle authentication transparently — caller provides `clientId` + `clientSecret`, SDK manages token acquisition and refresh automatically.
+
+## Architecture
+- Single entrypoint: `sdk/src/index.ts` exports `AgentIdPClient` and all types
+- `AgentIdPClient` constructor takes `{ baseUrl, clientId, clientSecret }`
+- Internal `TokenManager` handles token acquisition, caching, and refresh (re-issues when expired)
+- Four service classes: `AgentRegistryClient`, `CredentialClient`, `TokenClient`, `AuditClient`
+- `AgentIdPClient` composes all four
+- HTTP: native `fetch` (Node 18+ built-in) — no axios dependency
+- Types: re-exported from `sdk/src/types.ts` — mirrors the main app types
+
+## Standards
+- TypeScript strict mode, zero `any`
+- DRY: shared `request()` helper handles auth header, JSON parse, error mapping
+- All errors are typed `AgentIdPError` with `code` and `message`
+- JSDoc on all public methods
+
+## Package structure
+```
+sdk/
+  src/
+    index.ts          — exports AgentIdPClient + all types
+    client.ts         — AgentIdPClient (composes all services)
+    token-manager.ts  — token acquisition and refresh
+    services/
+      agents.ts       — AgentRegistryClient
+      credentials.ts  — CredentialClient
+      token.ts        — TokenClient
+      audit.ts        — AuditClient
+    types.ts          — all request/response types
+    errors.ts         — AgentIdPError class
+  package.json
+  tsconfig.json
+  README.md
+```
+
+## Open Questions
+*(none)*
--- a/openspec/changes/nodejs-sdk/proposal.md
+++ b/openspec/changes/nodejs-sdk/proposal.md
@@ -0,0 +1,13 @@
+## Why
+Bedroom developers currently must write raw HTTP calls to use AgentIdP. A Node.js SDK removes that friction — developers install one package and get a fully typed, auto-authenticating client. This is a Phase 1 P1 deliverable and a core developer experience improvement.
+
+## What Changes
+- New `sdk/` directory at project root containing a self-contained TypeScript npm package
+- `AgentIdPClient` class: handles auth, token refresh, and exposes typed methods for all 14 endpoints
+- Covers all four services: AgentRegistry, Credentials, Token, AuditLog
+- Full TypeScript types — zero `any`, strict mode
+- Published as `@sentryagent/idp-sdk` (package name)
+
+## What Does Not Change
+- No API changes
+- No changes to the main application source
--- a/openspec/changes/nodejs-sdk/specs/client/spec.md
+++ b/openspec/changes/nodejs-sdk/specs/client/spec.md
@@ -0,0 +1,7 @@
+## ADDED Requirements
+
+### Requirement: AgentIdPClient class exists and handles auth transparently
+The SDK SHALL provide an `AgentIdPClient` class that accepts `baseUrl`, `clientId`, and `clientSecret` in its constructor and manages token acquisition and refresh automatically. Callers never handle tokens directly.
+
+### Requirement: TokenManager caches and refreshes tokens
+The SDK SHALL cache the access token in memory and re-issue it via `POST /token` when it is expired or within 60 seconds of expiry. Token refresh is transparent to the caller.
--- a/openspec/changes/nodejs-sdk/specs/services/spec.md
+++ b/openspec/changes/nodejs-sdk/specs/services/spec.md
@@ -0,0 +1,7 @@
+## ADDED Requirements
+
+### Requirement: All 14 endpoints are wrapped as typed SDK methods
+The SDK SHALL expose typed methods for all 14 AgentIdP endpoints across four service namespaces: `agents` (5 methods), `credentials` (4 methods), `token` (3 methods), `audit` (2 methods).
+
+### Requirement: All errors are typed AgentIdPError instances
+The SDK SHALL throw `AgentIdPError` with `code`, `message`, `httpStatus`, and optional `details` for all API errors. Never throw raw fetch errors.
--- a/openspec/changes/nodejs-sdk/specs/types/spec.md
+++ b/openspec/changes/nodejs-sdk/specs/types/spec.md
@@ -0,0 +1,4 @@
+## ADDED Requirements
+
+### Requirement: Full TypeScript types exported from sdk package
+The SDK SHALL export TypeScript interfaces for all request bodies, response shapes, and error types. Zero `any` types. All types derived from the OpenAPI specs.
--- a/openspec/changes/nodejs-sdk/tasks.md
+++ b/openspec/changes/nodejs-sdk/tasks.md
@@ -0,0 +1,35 @@
+## 1. Package Setup
+
+- [x] 1.1 Create `sdk/` directory and `sdk/src/` subdirectories
+- [x] 1.2 Write `sdk/package.json` — name: @sentryagent/idp-sdk, main, types, scripts (build, test)
+- [x] 1.3 Write `sdk/tsconfig.json` — strict mode, target ES2020, declaration: true
+- [x] 1.4 Write `sdk/README.md` — installation, quick example, full API reference
+
+## 2. Types
+
+- [x] 2.1 Write `sdk/src/types.ts` — all request/response interfaces for all 14 endpoints
+- [x] 2.2 Write `sdk/src/errors.ts` — AgentIdPError class with code, message, httpStatus, details
+
+## 3. Core Client
+
+- [x] 3.1 Write `sdk/src/token-manager.ts` — TokenManager: acquires, caches, refreshes tokens; re-issues when exp - 60s
+- [x] 3.2 Write `sdk/src/request.ts` — shared request() helper: sets Authorization header, parses JSON, maps errors to AgentIdPError
+
+## 4. Service Clients
+
+- [x] 4.1 Write `sdk/src/services/agents.ts` — AgentRegistryClient: registerAgent, listAgents, getAgent, updateAgent, decommissionAgent
+- [x] 4.2 Write `sdk/src/services/credentials.ts` — CredentialClient: generateCredential, listCredentials, rotateCredential, revokeCredential
+- [x] 4.3 Write `sdk/src/services/token.ts` — TokenClient: introspectToken, revokeToken (issueToken handled by TokenManager)
+- [x] 4.4 Write `sdk/src/services/audit.ts` — AuditClient: queryAuditLog, getAuditEvent
+
+## 5. Main Entry Point
+
+- [x] 5.1 Write `sdk/src/client.ts` — AgentIdPClient: composes all service clients, exposes agents, credentials, token, audit namespaces
+- [x] 5.2 Write `sdk/src/index.ts` — exports AgentIdPClient and all public types
+
+## 6. QA
+
+- [x] 6.1 Verify TypeScript compiles with zero errors (npm run build in sdk/)
+- [x] 6.2 Verify zero `any` types across all SDK files
+- [x] 6.3 Verify all 14 endpoints have corresponding SDK methods
+- [x] 6.4 Verify AgentIdPError is thrown (not raw errors) for all failure paths