All 8 tasks checked off. Change archived to openspec/changes/archive/
per OpenSpec protocol. Implementation committed in 5943ff1.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All findings from the inaugural LeadValidator audit resolved and
confirmed. Release gate: PASS.
VV_ISSUE_002 (BLOCKER): 15 OpenAPI specs verified present covering
all 20 route groups (46 endpoints documented in docs/openapi/)
VV_ISSUE_003 (MAJOR): Remove any types from src/db/pool.ts —
replaced pool.query shim with unknown[] + Object.defineProperty,
zero any types, eslint-disable suppressions removed
VV_ISSUE_004 (MAJOR): Remove raw Pool from ScaffoldController and
HealthDetailedController — injected AgentRepository/CredentialRepository
and DbProbe interface respectively; added CredentialRepository.findActiveClientId()
VV_ISSUE_005 (MAJOR): Add unit tests for 5 untested services —
ComplianceStatusStore, EventPublisher, MarketplaceService,
OIDCTrustPolicyService, UsageService
VV_ISSUE_006 (MAJOR): Add integration tests for 7 missing route
groups — analytics, billing, tiers, webhooks, marketplace,
oidc-trust-policies, oidc-token-exchange
VV_ISSUE_001 (MINOR): Create missing design.md and tasks.md in 4
OpenSpec archives — all archives now complete
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fixes a critical bug where VALIDATOR.md contained a copy of start-validator.sh
(making the validator unlaunchable). Introduces a fully independent V&V Architect
agent that audits the codebase against the PRD and OpenSpec outside the CTO's
chain of command.
Changes:
- VALIDATOR.md: rewritten as proper system prompt (8-phase audit methodology,
issue format, severity model, communication protocol)
- scripts/start-validator.sh: isolated workspace setup, sanity check, auto-init
ledger, validator-specific CLAUDE.md (no CEO context contamination)
- openspec/vv_audit/LEDGER.md: shared audit ledger index (CEO release gate view)
- openspec/changes/archive/2026-04-07-vv-architect-setup/: full OpenSpec artifacts
(proposal.md, design.md, tasks.md — 28 tasks, all complete)
Note: .cto-workspace/CLAUDE.md updated (gitignored — persists on disk only).
#vv-findings hub channel created for real-time validator notifications.
CEO approved 2026-04-07.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Analytics Dashboard, API Gateway Tiers, AGNTCY Compliance all delivered.
Development freeze now in effect per CEO directive — no Phase 7.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements scaffold ZIP generator, Stoplight Elements API explorer, and CLI scaffold command:
Scaffold API:
- 25 template files for TypeScript/Python/Go/Java/Rust in src/templates/scaffold/
- ScaffoldService: in-memory ZIP via archiver, variable injection (AGENT_ID/NAME/CLIENT_ID/API_URL)
- ScaffoldController: tenant ownership check (403), language validation (400), ZIP stream response
- Route GET /sdk/scaffold/:agentId with rate limiter (10 req/min per tenant)
- Prometheus: scaffold_generated_total + scaffold_generation_duration_ms histogram
Portal:
- Replaced swagger-ui-react with @stoplight/elements API component
- Dynamic import (ssr: false) for browser-only DOM dependency
- Type declarations for @stoplight/elements and CSS module
CLI:
- sentryagent scaffold --agent-id <id> [--language typescript] [--out .]
- Raw fetch for binary ZIP stream → unzipper.Extract() → prints next steps
- Human-readable 400/403/404 error messages
Tests: 19 tests (unit + integration), ScaffoldService 80%+ branch coverage
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix 7 test fixtures missing isPublic field added in WS4 Marketplace
- Add portal/.next/ to .gitignore (build artifacts should not be tracked)
- Mark all Phase 4 tasks 11.1-11.11 complete in tasks.md
QA results: 611/611 tests pass, tsc zero errors, portal build OK, CLI build OK
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- DB migration 023: tenant_subscriptions and usage_events tables
- UsageMeteringMiddleware: in-memory counters, 60s flush to DB via UPSERT
- FreeTierEnforcementMiddleware: 10 agents / 1,000 calls/day limits, Redis cache
- UsageService: getDailyUsage and getActiveAgentCount
- BillingService: Stripe checkout sessions, webhook verification, subscription status
- POST /billing/checkout, POST /billing/webhook, GET /billing/usage endpoints
- BILLING_ENABLED=false disables enforcement without breaking metering
- Dashboard: Usage tab with Free Tier/Pro badges and metric cards
- 19 unit tests passing across billing services and middleware
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All 100/100 tasks checked. All 6 workstreams complete. QA-approved.
SOC 2 audit window can begin.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements W3C DID Core 1.0 per-agent identity for every registered agent:
Schema:
- agent_did_keys table: stores EC P-256 public key JWK + Vault path for private key
- agents.did + agents.did_created_at columns
Key management:
- EC P-256 key pair generated on every agent registration via Node.js crypto
- Private key stored in Vault KV v2 (dev:no-vault marker when Vault not configured)
- Public key JWK stored in PostgreSQL agent_did_keys table
API (4 new endpoints):
- GET /.well-known/did.json — instance DID Document (public, cached)
- GET /api/v1/agents/:id/did — per-agent DID Document (public, 410 for decommissioned)
- GET /api/v1/agents/:id/did/resolve — W3C DID Resolution result (agents:read scope)
- GET /api/v1/agents/:id/did/card — AGNTCY agent card (public)
Implementation:
- DIDService: DID construction, key generation, Redis caching (TTL configurable)
- DIDController: 410 Gone for decommissioned agents, correct Content-Type on resolve
- AgentService: calls DIDService.generateDIDForAgent on every new registration
Tests: 429 passing, DIDService 98.93% coverage, private key absence verified in all responses
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Complete docs/engineering/ suite — 12 documents covering company overview,
system architecture, tech stack ADRs, codebase structure, service deep dives,
annotated code walkthroughs, dev setup, engineering workflow, testing strategy,
deployment/ops, SDK guide, and README index. All content verified against
source files. All 82 tasks in openspec/changes/engineering-docs/tasks.md
marked complete.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Java 17 SDK in sdk-java/:
- AgentIdPClient composing AgentRegistryClient, CredentialClient,
TokenClient, AuditClient — all 14 endpoints covered
- Both sync methods and CompletableFuture<T> async counterparts on each client
- Thread-safe TokenManager (synchronized) with 60s refresh buffer
- AgentIdPException (extends RuntimeException) with Code/HTTPStatus/Details
- Builder pattern for all request types; Jackson 2.17 for JSON
- Zero external HTTP dependencies — java.net.http.HttpClient (Java 11+)
- No-dep JDK HttpServer used for unit tests (no WireMock needed)
- mvn verify: 49/49 tests passed | JaCoCo coverage gate: >80% ✓
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Archive dockerfile, agntcy-alignment-docs, and nodejs-sdk changes
now that implementation is complete and pushed to develop.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Three remaining Phase 1 P1 deliverables:
1. Dockerfile — multi-stage build (builder + production), node:18-alpine,
non-root USER node, .dockerignore excluding secrets and dev artifacts
2. AGNTCY alignment docs (docs/agntcy/) — README and alignment.md mapping
all 6 AGNTCY domains to AgentIdP features with Phase 2/3 pending items noted
3. Node.js SDK (@sentryagent/idp-sdk) — TypeScript strict, zero any, native
fetch (Node 18+), TokenManager with 60s auto-refresh, service clients for
all 14 endpoints (agents, credentials, tokens, audit), AgentIdPError typed
error hierarchy, full README
All three changes tracked under openspec/changes/ with tasks marked complete.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds the full devops-documentation OpenSpec change implementation.
Separate from docs/developers/ — serves a different audience (operators,
not API consumers).
docs/devops/:
- README.md — index and system overview
- architecture.md — components, ports, data flow, Redis key patterns
- environment-variables.md — all 7 env vars (required + optional, formats, .env example)
- database.md — 4-table schema, indexes, constraints, migration runner
- local-development.md — docker-compose setup, health checks, startup, Dockerfile gap noted
- security.md — RSA key generation/rotation, CORS, bcrypt, secret storage guidance
- operations.md — startup order, graceful shutdown, log reference, troubleshooting
QA gates: 48/48 tasks complete. All env vars verified against source.
All table names verified against migrations. All ports verified against
docker-compose.yml. All internal links resolve.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
