projecta-rrr 1.24.4 → 1.24.5

package/AGENTS.md

@@ -96,4 +96,4 @@ The RRR loop follows five steps:
 - Use `$rrr-help` for full skill catalogue
 - Trigger phrases are case-sensitive: `$rrr-plan-phase` not `$rrr-PlanPhase`
 
-<!-- generated: 2026-05-12T23:35:46.267Z | source: commands/rrr/*.md | count: 59 skills -->
+<!-- generated: 2026-05-13T01:06:46.790Z | source: commands/rrr/*.md | count: 59 skills -->

package/CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to RRR will be documented in this file.
 
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.24.5] - 2026-05-13
+
+### Added
+- **Coordinator auth modes** — `$rrr-provision-coordinator` now writes an `auth` block with `mode: claude-code-subscription` (default) or `mode: anthropic-api-key`. Subscription mode uses `~/.claude/.credentials.json` injected via the Cloudflare Secret `CLAUDE_CREDENTIALS_JSON`, eliminating the need for `ANTHROPIC_API_KEY` on the coordinator.
+- **Cloudflare AI Gateway option** — when `--auth-mode anthropic-api-key`, optional `--ai-gateway-account-id <id> --ai-gateway-id <id> [--ai-gateway-authenticated]` flags wire `ANTHROPIC_BASE_URL` to a gateway URL and add `CF_AI_GATEWAY_TOKEN` to required secrets when authenticated.
+
+### Changed
+- **Coordinator README** — generated README now includes the sandbox boot snippet that writes `CLAUDE_CREDENTIALS_JSON` to `~/.claude/.credentials.json`, and only documents AI Gateway when API-key mode is selected.
+- **`$rrr-coordinator-status`** — checks for `~/.claude/.credentials.json` or `CLAUDE_CREDENTIALS_JSON` env when subscription mode is active; falls back to API key / AI Gateway env checks otherwise.
+
 ## [1.24.4] - 2026-05-12
 
 ### Fixed

package/commands/rrr/provision-coordinator.md

@@ -1,7 +1,7 @@
 ---
 name: rrr:provision-coordinator
 description: Create the Cloudflare coordinator contract for RRR team mode integration review
-argument-hint: "[--provider cloudflare-sandbox] [--name <coordinator-name>]"
+argument-hint: "[--auth-mode claude-code-subscription|anthropic-api-key] [--ai-gateway-account-id <id> --ai-gateway-id <id> [--ai-gateway-authenticated]] [--provider cloudflare-sandbox] [--name <coordinator-name>]"
 allowed-tools:
   - Read
   - Write
@@ -32,8 +32,13 @@ Prepare the repo's coordinator contract so a reusable Cloudflare Claude Code/San
 
 </process>
 
+<auth_modes>
+- `claude-code-subscription` (default) — coordinator runs Claude Code authenticated by an Anthropic subscription. Store the contents of `~/.claude/.credentials.json` as the Cloudflare Secret `CLAUDE_CREDENTIALS_JSON`; sandbox boot writes it to disk so Claude Code resumes the session. No `ANTHROPIC_API_KEY` required.
+- `anthropic-api-key` — coordinator uses `ANTHROPIC_API_KEY` (per-token billing). Pair with `--ai-gateway-account-id <id> --ai-gateway-id <id>` to route Anthropic traffic through Cloudflare AI Gateway for caching, rate limits, and observability. Add `--ai-gateway-authenticated` if the gateway requires `cf-aig-authorization: Bearer $CF_AI_GATEWAY_TOKEN`.
+</auth_modes>
+
 <constraints>
 - Coordinator is report-first; never auto-merge to the base branch.
 - Developer work remains in team Sprites and team branches.
-- Do not store secrets in planning files.
+- Do not store secrets in planning files — `CLAUDE_CREDENTIALS_JSON` and AI Gateway tokens belong in Cloudflare Secrets.
 </constraints>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "projecta-rrr",
-  "version": "1.24.4",
+  "version": "1.24.5",
   "description": "A meta-prompting, context engineering and spec-driven development system for Claude Code by Projecta.ai",
   "bin": {
     "projecta-rrr": "bin/install.js",

package/rrr/lib/team-mode/manager.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const fs = require('fs');
+const os = require('os');
 const path = require('path');
 const { execFileSync } = require('child_process');
 const { resolvePlanningContext, requireTeamName } = require('./state-router');
@@ -514,6 +515,61 @@ function coordinatorConfigPath(projectRoot) {
   return path.join(projectRoot, '.planning', 'coordinator', 'COORDINATOR.json');
 }
 
+function buildAiGatewayBlock(opts) {
+  const accountId = opts.aiGatewayAccountId || opts.cfAccountId || null;
+  const gatewayId = opts.aiGatewayId || null;
+  if (!accountId || !gatewayId) return null;
+  const authenticated = opts.aiGatewayAuthenticated === true || opts.aiGatewayAuthenticated === 'true';
+  const baseUrl = `https://gateway.ai.cloudflare.com/v1/${accountId}/${gatewayId}/anthropic`;
+  return {
+    provider: 'cloudflare-ai-gateway',
+    account_id: accountId,
+    gateway_id: gatewayId,
+    anthropic_base_url: baseUrl,
+    authenticated,
+    runtime_env: { ANTHROPIC_BASE_URL: baseUrl },
+    notes: [
+      'Only used when auth_mode = anthropic-api-key.',
+      'Set ANTHROPIC_BASE_URL to route Anthropic API calls through the gateway.',
+      authenticated
+        ? 'Authenticated gateway: send `cf-aig-authorization: Bearer $CF_AI_GATEWAY_TOKEN` header on every request.'
+        : 'Unauthenticated gateway: ANTHROPIC_API_KEY is the only credential; gateway URL is the access boundary.'
+    ]
+  };
+}
+
+function buildAuthBlock(opts) {
+  const mode = opts.authMode || 'claude-code-subscription';
+  if (mode === 'claude-code-subscription') {
+    return {
+      mode,
+      description: 'Coordinator uses Claude Code with an Anthropic subscription (Max/Pro). No ANTHROPIC_API_KEY required.',
+      credentials_path: '~/.claude/.credentials.json',
+      injection: [
+        'Persist the credentials file once (after a one-time `claude login`).',
+        'For a Cloudflare sandbox: write the stored credentials JSON to ~/.claude/.credentials.json on container start (from a CF Secret, KV, or D1 row).',
+        'For a Sprite: run `claude login` once interactively, then `sprite checkpoint create` to capture the authenticated state.'
+      ],
+      required_secrets: ['GITHUB_TOKEN', 'CLAUDE_CREDENTIALS_JSON'],
+      notes: [
+        'CLAUDE_CREDENTIALS_JSON holds the contents of ~/.claude/.credentials.json — store as a CF Secret, not in repo.',
+        'Subscription billing applies; no per-token API cost.'
+      ]
+    };
+  }
+  if (mode === 'anthropic-api-key') {
+    return {
+      mode,
+      description: 'Coordinator authenticates Claude Code with ANTHROPIC_API_KEY (per-token billing).',
+      required_secrets: ['ANTHROPIC_API_KEY', 'GITHUB_TOKEN'],
+      notes: [
+        'Optional: pair with Cloudflare AI Gateway via --ai-gateway-account-id/--ai-gateway-id for caching, rate limits, and observability.'
+      ]
+    };
+  }
+  throw new Error(`unknown auth_mode: ${mode}`);
+}
+
 function writeCoordinatorProvision(options) {
   const opts = options || {};
   const projectRoot = opts.projectRoot || process.cwd();
@@ -521,8 +577,13 @@ function writeCoordinatorProvision(options) {
   const runtime = readRuntimeManifest(projectRoot);
   const dir = path.join(projectRoot, '.planning', 'coordinator');
   ensureDir(dir);
+  const auth = buildAuthBlock(opts);
+  const aiGateway = auth.mode === 'anthropic-api-key' ? buildAiGatewayBlock(opts) : null;
+  const requiredSecrets = [...auth.required_secrets];
+  if (aiGateway && aiGateway.authenticated) requiredSecrets.push('CF_AI_GATEWAY_TOKEN');
+
   const config = {
-    schema_version: 1,
+    schema_version: 2,
     provider: opts.provider || 'cloudflare-sandbox',
     name: opts.name || `rrr-coordinator-${repoNameFor(teamConfig).toLowerCase()}`,
     generated_at: new Date().toISOString(),
@@ -532,7 +593,9 @@ function writeCoordinatorProvision(options) {
     integration_branch: teamConfig.github.integration_branch,
     runtime_manifest: path.relative(projectRoot, runtimeManifestPath(projectRoot)),
     report_first: true,
-    required_secrets: ['ANTHROPIC_API_KEY', 'GITHUB_TOKEN'],
+    auth,
+    ai_gateway: aiGateway,
+    required_secrets: requiredSecrets,
     responsibilities: [
       'clone repository into ephemeral sandbox',
       'merge team branches into integration branch',
@@ -542,6 +605,7 @@ function writeCoordinatorProvision(options) {
     ]
   };
   writeJson(coordinatorConfigPath(projectRoot), config);
+
   const readme = [
     `# ${config.name}`,
     '',
@@ -554,11 +618,67 @@ function writeCoordinatorProvision(options) {
     `Base branch: ${config.base_branch}`,
     `Integration branch: ${config.integration_branch}`,
     `Runtime manifest: ${config.runtime_manifest}`,
+    '',
+    '## Auth',
+    '',
+    `Mode: \`${auth.mode}\``,
+    '',
+    auth.description
+  ];
+
+  if (auth.mode === 'claude-code-subscription') {
+    readme.push(
+      '',
+      '### Credentials injection',
+      '',
+      ...auth.injection.map(line => `- ${line}`),
+      '',
+      'Cloudflare sandbox boot snippet:',
+      '',
+      '```bash',
+      'mkdir -p ~/.claude',
+      'printf "%s" "$CLAUDE_CREDENTIALS_JSON" > ~/.claude/.credentials.json',
+      'chmod 600 ~/.claude/.credentials.json',
+      'claude --version  # verifies authenticated',
+      '```'
+    );
+  }
+
+  readme.push(
     '',
     '## Required Secrets',
     '',
-    '- `ANTHROPIC_API_KEY` for Claude Code.',
-    '- `GITHUB_TOKEN` or GitHub App installation token for read/write repo access.',
+    ...requiredSecrets.map(s => `- \`${s}\``)
+  );
+
+  if (aiGateway) {
+    readme.push(
+      '',
+      '## Cloudflare AI Gateway (optional)',
+      '',
+      `Account: ${aiGateway.account_id}`,
+      `Gateway: ${aiGateway.gateway_id}`,
+      `Anthropic base URL: ${aiGateway.anthropic_base_url}`,
+      `Authenticated: ${aiGateway.authenticated ? 'yes' : 'no'}`,
+      '',
+      '```bash',
+      `export ANTHROPIC_BASE_URL="${aiGateway.anthropic_base_url}"`,
+      'export ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY"',
+      aiGateway.authenticated
+        ? '# header: cf-aig-authorization: Bearer $CF_AI_GATEWAY_TOKEN'
+        : '# unauthenticated gateway — URL is the access boundary',
+      '```'
+    );
+  } else if (auth.mode === 'anthropic-api-key') {
+    readme.push(
+      '',
+      '## Cloudflare AI Gateway',
+      '',
+      'Not configured. Re-run with `--ai-gateway-account-id <id> --ai-gateway-id <id>` to route Anthropic API traffic through Cloudflare AI Gateway.'
+    );
+  }
+
+  readme.push(
     '',
     '## Execution Contract',
     '',
@@ -566,8 +686,9 @@ function writeCoordinatorProvision(options) {
     '- GitHub remains the source of truth for branches, PRs, reviews, and checks.',
     '- Coordinator is report-first: it writes reports and recommendations only; humans approve final merges.',
     '- Developer work stays in Sprites/team branches.'
-  ].join('\n');
-  atomicWrite(path.join(dir, 'README.md'), `${readme}\n`);
+  );
+
+  atomicWrite(path.join(dir, 'README.md'), `${readme.join('\n')}\n`);
   return { config, runtime, dir };
 }
 
@@ -579,8 +700,36 @@ function readCoordinatorStatus(projectRoot) {
   checks.push({ name: 'runtime manifest', ok: fs.existsSync(runtimeManifestPath(root)), detail: path.relative(root, runtimeManifestPath(root)) });
   const wrangler = execCapture('npx', ['wrangler', '--version'], { cwd: root });
   checks.push({ name: 'wrangler available', ok: wrangler.ok, detail: wrangler.output || 'not available' });
-  checks.push({ name: 'ANTHROPIC_API_KEY present', ok: !!process.env.ANTHROPIC_API_KEY, detail: process.env.ANTHROPIC_API_KEY ? 'present' : 'missing locally' });
   checks.push({ name: 'GITHUB_TOKEN present', ok: !!process.env.GITHUB_TOKEN, detail: process.env.GITHUB_TOKEN ? 'present' : 'missing locally' });
+
+  const authMode = config && config.auth ? config.auth.mode : (config && config.ai_gateway ? 'anthropic-api-key' : 'claude-code-subscription');
+  if (authMode === 'claude-code-subscription') {
+    const credsPath = path.join(os.homedir(), '.claude', '.credentials.json');
+    const localCreds = fs.existsSync(credsPath);
+    checks.push({
+      name: 'Claude Code subscription credentials',
+      ok: localCreds || !!process.env.CLAUDE_CREDENTIALS_JSON,
+      detail: localCreds ? credsPath : (process.env.CLAUDE_CREDENTIALS_JSON ? 'CLAUDE_CREDENTIALS_JSON env present' : 'missing locally (run `claude login` or set CLAUDE_CREDENTIALS_JSON)')
+    });
+  } else {
+    checks.push({ name: 'ANTHROPIC_API_KEY present', ok: !!process.env.ANTHROPIC_API_KEY, detail: process.env.ANTHROPIC_API_KEY ? 'present' : 'missing locally' });
+    if (config && config.ai_gateway) {
+      const expectedBase = config.ai_gateway.anthropic_base_url;
+      const baseUrl = process.env.ANTHROPIC_BASE_URL;
+      checks.push({
+        name: 'ANTHROPIC_BASE_URL routes to AI Gateway',
+        ok: baseUrl === expectedBase,
+        detail: baseUrl ? (baseUrl === expectedBase ? expectedBase : `mismatch: ${baseUrl}`) : `missing locally (expected ${expectedBase})`
+      });
+      if (config.ai_gateway.authenticated) {
+        checks.push({
+          name: 'CF_AI_GATEWAY_TOKEN present',
+          ok: !!process.env.CF_AI_GATEWAY_TOKEN,
+          detail: process.env.CF_AI_GATEWAY_TOKEN ? 'present' : 'missing locally (authenticated gateway requires it)'
+        });
+      }
+    }
+  }
   return { config, checks };
 }
 

package/scripts/rrr-team-mode.js

@@ -73,7 +73,7 @@ Usage:
   node scripts/rrr-team-mode.js runtime-init
   node scripts/rrr-team-mode.js provision-sprites [--apply] [--teams team-runtime]
   node scripts/rrr-team-mode.js sprite-status [--live]
-  node scripts/rrr-team-mode.js provision-coordinator
+  node scripts/rrr-team-mode.js provision-coordinator [--auth-mode claude-code-subscription|anthropic-api-key] [--ai-gateway-account-id <id> --ai-gateway-id <id> [--ai-gateway-authenticated]]
   node scripts/rrr-team-mode.js coordinator-status
 
 Notes:
@@ -224,10 +224,18 @@ function main() {
       const result = writeCoordinatorProvision({
         projectRoot,
         provider: args.provider,
-        name: args.name
+        name: args.name,
+        authMode: args['auth-mode'] || args.authMode,
+        aiGatewayAccountId: args['ai-gateway-account-id'] || args['cf-account-id'],
+        aiGatewayId: args['ai-gateway-id'],
+        aiGatewayAuthenticated: args['ai-gateway-authenticated'] === true || args['ai-gateway-authenticated'] === 'true'
       });
       console.log(`Wrote ${path.relative(projectRoot, path.join(result.dir, 'COORDINATOR.json'))}`);
       console.log(`Wrote ${path.relative(projectRoot, path.join(result.dir, 'README.md'))}`);
+      console.log(`Auth mode: ${result.config.auth.mode}`);
+      if (result.config.ai_gateway) {
+        console.log(`AI Gateway: ${result.config.ai_gateway.anthropic_base_url}`);
+      }
       return;
     }