## Why

Phases 1–3 delivered a complete, enterprise-grade AgentIdP — authenticated, federated, multi-tenanted, and SOC 2 prepared. The product now needs to reach developers: Phase 4 shifts from building infrastructure to growing the ecosystem by making SentryAgent.ai frictionless to discover, adopt, and operate at scale in production.

## What Changes

- **Production Hardening**: Replace in-memory rate limiter with Redis-backed distributed limiter; tune database connection pooling; add detailed health endpoint; introduce k6 load test suite
- **Public Developer Portal**: Next.js 14 public website with interactive API explorer (Swagger UI), guided agent registration wizard, free tier docs, and SDK links
- **CLI Tool** (`sentryagent`): npm-installable CLI for register-agent, list-agents, issue-token, rotate-credentials, and tail-audit-log with `~/.sentryagent/config.json` and shell completion
- **Agent Marketplace**: Searchable public registry of AGNTCY-compliant agents with DID documents, capabilities, and publisher profiles — powered by existing agent registry and DID infrastructure
- **GitHub Actions Integration**: `sentryagent/register-agent` and `sentryagent/issue-token` Actions using OIDC federation with GitHub's OIDC provider — published to the GitHub Actions Marketplace
- **Billing & Usage Metering**: Stripe integration for paid tier; per-tenant usage tracking (API calls, active agents, token issuances); free tier limits enforced; usage dashboard in existing web dashboard

## Capabilities

### New Capabilities

- `production-hardening`: Redis-backed rate limiting, connection pooling, detailed health endpoint, and k6 load test suite
- `developer-portal`: Next.js 14 public website with Swagger UI API explorer, onboarding wizard, and SDK links
- `cli-tool`: `sentryagent` npm CLI with full agent lifecycle commands and shell completion
- `agent-marketplace`: Searchable public registry of published AGNTCY-compliant agents with DID documents
- `github-actions`: `register-agent` and `issue-token` GitHub Actions using OIDC federation
- `billing-metering`: Stripe-backed paid tier, per-tenant usage tracking, free tier enforcement, and usage dashboard

### Modified Capabilities

- `web-dashboard`: Usage metering panel added to existing dashboard (new billing/usage tab)
- `monitoring`: New Prometheus metrics for rate limiter hits, connection pool saturation, and per-tenant API call counters

## Impact

**Code affected:**
- `src/middleware/rateLimiter.ts` — replace express-rate-limit (in-memory) with ioredis-backed limiter
- `src/infrastructure/database.ts` — pg connection pool tuning
- `src/routes/health.ts` — add `/health/detailed` endpoint
- `src/services/UsageService.ts` — new service for per-tenant metering
- `src/controllers/BillingController.ts` — new controller for Stripe webhooks and subscription management
- `portal/` — new Next.js 14 application (separate directory)
- `cli/` — new CLI package (separate directory)
- `marketplace/` — new marketplace routes added to existing Express API
- `.github/actions/` — two new GitHub Actions

**New dependencies (CEO approved):**
- `ioredis` — Redis-backed rate limiting (WS1)
- `next` + `tailwindcss` — Developer portal (WS2)
- `swagger-ui-react` — Interactive API explorer (WS2)
- `commander` + `chalk` — CLI framework (WS3)
- `stripe` — Billing (WS6)

**Delivery sequence:** WS1 → WS2 + WS3 (parallel) → WS4 → WS5 → WS6