chore(openspec): archive all completed changes, sync 14 new specs to library

Archived 4 completed OpenSpec changes (2026-04-02):
- phase-3-enterprise (100/100 tasks) — 6 Phase 3 capabilities synced
- devops-documentation (48/48 tasks) — 3 new + 1 merged capability
- bedroom-developer-docs (33/33 tasks) — 4 new capabilities synced
- engineering-docs (superseded by 2026-03-29 archive) — no tasks

Main spec library grows from 21 → 35 capabilities (+14 new):
federation, multi-tenancy, oidc, soc2, w3c-dids, webhooks,
database, operations, system-overview, api-reference, core-concepts,
developer-guides, quick-start + deployment (merged additive requirements)

Active changes: 0 — project board is clear for Phase 4 planning.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

openspec/specs/core-concepts/spec.md

@@ -0,0 +1,43 @@
+## ADDED Requirements
+
+### Requirement: Core concepts guide exists at docs/developers/concepts.md
+The system SHALL provide a concepts guide at `docs/developers/concepts.md` that explains the AgentIdP model in plain English with no assumed prior knowledge of AGNTCY or OAuth 2.0.
+
+#### Scenario: Developer understands what AgentIdP is
+- **WHEN** a developer reads the concepts guide
+- **THEN** they SHALL be able to explain in one sentence what SentryAgent.ai AgentIdP does and why they need it
+
+### Requirement: Concepts guide explains what an AI agent identity is
+The guide SHALL explain in plain English what it means to give an AI agent an identity — how it differs from a human user account and why agents need their own identity model.
+
+#### Scenario: Agent identity vs human identity distinction is clear
+- **WHEN** the developer reads the agent identity section
+- **THEN** they SHALL understand that agents are non-human, machine-operated identities that need persistent, auditable credentials — not session-based logins
+
+### Requirement: Concepts guide explains the AGNTCY alignment
+The guide SHALL explain what AGNTCY is (Linux Foundation standard), why SentryAgent.ai aligns to it, and what benefit that gives the developer — without requiring the developer to read the AGNTCY specification.
+
+#### Scenario: Developer understands AGNTCY without external reading
+- **WHEN** the developer reads the AGNTCY section
+- **THEN** they SHALL understand that AGNTCY-aligned agent IDs are interoperable across the AI agent ecosystem, and that SentryAgent.ai implements this for free
+
+### Requirement: Concepts guide explains the agent lifecycle
+The guide SHALL explain the four lifecycle states of an agent (active, suspended, decommissioned) and what each state means for credential and token behaviour.
+
+#### Scenario: Developer understands what happens when an agent is decommissioned
+- **WHEN** the developer reads the lifecycle section
+- **THEN** they SHALL understand that decommissioning is irreversible, all credentials are revoked, and no new tokens can be issued
+
+### Requirement: Concepts guide explains OAuth 2.0 Client Credentials in plain English
+The guide SHALL explain the Client Credentials grant in plain English — no RFC references, no formal OAuth jargon — focused on how agents use it to authenticate.
+
+#### Scenario: Developer understands client_id and client_secret without prior OAuth knowledge
+- **WHEN** the developer reads the OAuth section
+- **THEN** they SHALL understand that client_id identifies the agent and client_secret proves it — analogous to a username and password for machines
+
+### Requirement: Concepts guide explains the free-tier limits
+The guide SHALL document all free-tier limits (100 agents, 10,000 tokens/month, 100 req/min, 90-day audit retention) in a clear table.
+
+#### Scenario: Developer knows the limits before hitting them
+- **WHEN** the developer reads the free-tier section
+- **THEN** they SHALL see a table with all four limits and a note on what happens when each is exceeded