Files

SentryAgent.ai Developer 7593bfe1c1 chore: Phase 2 OpenSpec scoping — proposal, design, specs, tasks

8 workstreams scoped per OpenSpec standards:
1. HashiCorp Vault integration (secret management)
2. Python SDK (sentryagent-idp)
3. Go SDK (idp-sdk-go)
4. Java SDK (ai.sentryagent:idp-sdk)
5. OPA policy engine (dynamic ABAC, hot-reload Rego)
6. Web Dashboard UI (React 18 + TypeScript)
7. Prometheus + Grafana monitoring (7 metrics, pre-built dashboard)
8. Multi-region Terraform deployment (AWS + GCP)

Status: proposed — awaiting CEO dependency approvals (A0.1–A0.5)
before any implementation begins.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-28 14:53:09 +00:00

928 B

Raw Blame History

Spec: HashiCorp Vault Integration

Status: Pending CEO approval Workstream: 1 of 8

Scope

VaultClient class wrapping node-vault
005_add_vault_path.sql migration
Updated CredentialService to write secrets to Vault instead of PostgreSQL
New env vars: VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT
Migration guide: bcrypt → Vault coexistence strategy

Acceptance Criteria

New credentials: secret written to Vault KV v2, vault_path stored in PostgreSQL
Credential rotation: Vault versioned update, vault_path unchanged
Credential revocation: Vault secret deleted, DB status = revoked
Existing bcrypt credentials continue to work until rotated
VaultClient follows existing service interface pattern (DRY, SOLID)
Zero any types, TypeScript strict
VAULT_ADDR / VAULT_TOKEN validation at startup (fail-fast)
DevOps docs updated with Vault setup section

928 B Raw Blame History

Spec: HashiCorp Vault Integration

Scope

Acceptance Criteria

928 B

Raw Blame History