projecta-rrr 1.24.4 → 1.24.6

package/AGENTS.md

@@ -96,4 +96,4 @@ The RRR loop follows five steps:
 - Use `$rrr-help` for full skill catalogue
 - Trigger phrases are case-sensitive: `$rrr-plan-phase` not `$rrr-PlanPhase`
 
-<!-- generated: 2026-05-12T23:35:46.267Z | source: commands/rrr/*.md | count: 59 skills -->
+<!-- generated: 2026-05-13T03:49:42.852Z | source: commands/rrr/*.md | count: 59 skills -->

package/CHANGELOG.md

@@ -4,6 +4,27 @@ All notable changes to RRR will be documented in this file.
 
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.24.6] - 2026-05-13
+
+### Added
+- **Infisical machine-identity auth mode** — `$rrr-provision-coordinator --auth-mode infisical-machine-identity --infisical-project-id <id> --infisical-env <env>` writes a coordinator contract that fetches secrets at boot from Infisical via Universal Auth. Required runtime secrets become `RRR_INFI_CID` + `RRR_INFI_CS` only; Anthropic and GitHub tokens live in Infisical and rotate centrally.
+- **Infisical Sprite bootstrap** — `$rrr-provision-sprites --apply --infisical-project-id <id>` installs Infisical CLI inside each Sprite, writes machine-identity creds, and wires `~/.profile` to fetch `ANTHROPIC_API_KEY` on every login shell. Uses `RRR_INFI_CID` + `RRR_INFI_CS` from the provisioning host's environment.
+
+### Changed
+- **Default coordinator auth mode** — `infisical-machine-identity` is now the default (was `claude-code-subscription`). The subscription path remains available via `--auth-mode claude-code-subscription`.
+- **Coordinator README** — generated README emits the Infisical install + login + secret-fetch boot snippet when in Infisical mode; falls back to credentials-file injection or AI Gateway when in their respective modes.
+- **`$rrr-coordinator-status`** — checks for `RRR_INFI_CID`/`RRR_INFI_CS` env and `infisical --version` when in Infisical mode.
+
+## [1.24.5] - 2026-05-13
+
+### Added
+- **Coordinator auth modes** — `$rrr-provision-coordinator` now writes an `auth` block with `mode: claude-code-subscription` (default) or `mode: anthropic-api-key`. Subscription mode uses `~/.claude/.credentials.json` injected via the Cloudflare Secret `CLAUDE_CREDENTIALS_JSON`, eliminating the need for `ANTHROPIC_API_KEY` on the coordinator.
+- **Cloudflare AI Gateway option** — when `--auth-mode anthropic-api-key`, optional `--ai-gateway-account-id <id> --ai-gateway-id <id> [--ai-gateway-authenticated]` flags wire `ANTHROPIC_BASE_URL` to a gateway URL and add `CF_AI_GATEWAY_TOKEN` to required secrets when authenticated.
+
+### Changed
+- **Coordinator README** — generated README now includes the sandbox boot snippet that writes `CLAUDE_CREDENTIALS_JSON` to `~/.claude/.credentials.json`, and only documents AI Gateway when API-key mode is selected.
+- **`$rrr-coordinator-status`** — checks for `~/.claude/.credentials.json` or `CLAUDE_CREDENTIALS_JSON` env when subscription mode is active; falls back to API key / AI Gateway env checks otherwise.
+
 ## [1.24.4] - 2026-05-12
 
 ### Fixed

package/commands/rrr/provision-coordinator.md

@@ -1,7 +1,7 @@
 ---
 name: rrr:provision-coordinator
 description: Create the Cloudflare coordinator contract for RRR team mode integration review
-argument-hint: "[--provider cloudflare-sandbox] [--name <coordinator-name>]"
+argument-hint: "[--auth-mode claude-code-subscription|anthropic-api-key] [--ai-gateway-account-id <id> --ai-gateway-id <id> [--ai-gateway-authenticated]] [--provider cloudflare-sandbox] [--name <coordinator-name>]"
 allowed-tools:
   - Read
   - Write
@@ -32,8 +32,13 @@ Prepare the repo's coordinator contract so a reusable Cloudflare Claude Code/San
 
 </process>
 
+<auth_modes>
+- `claude-code-subscription` (default) — coordinator runs Claude Code authenticated by an Anthropic subscription. Store the contents of `~/.claude/.credentials.json` as the Cloudflare Secret `CLAUDE_CREDENTIALS_JSON`; sandbox boot writes it to disk so Claude Code resumes the session. No `ANTHROPIC_API_KEY` required.
+- `anthropic-api-key` — coordinator uses `ANTHROPIC_API_KEY` (per-token billing). Pair with `--ai-gateway-account-id <id> --ai-gateway-id <id>` to route Anthropic traffic through Cloudflare AI Gateway for caching, rate limits, and observability. Add `--ai-gateway-authenticated` if the gateway requires `cf-aig-authorization: Bearer $CF_AI_GATEWAY_TOKEN`.
+</auth_modes>
+
 <constraints>
 - Coordinator is report-first; never auto-merge to the base branch.
 - Developer work remains in team Sprites and team branches.
-- Do not store secrets in planning files.
+- Do not store secrets in planning files — `CLAUDE_CREDENTIALS_JSON` and AI Gateway tokens belong in Cloudflare Secrets.
 </constraints>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "projecta-rrr",
-  "version": "1.24.4",
+  "version": "1.24.6",
   "description": "A meta-prompting, context engineering and spec-driven development system for Claude Code by Projecta.ai",
   "bin": {
     "projecta-rrr": "bin/install.js",

package/rrr/lib/team-mode/manager.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const fs = require('fs');
+const os = require('os');
 const path = require('path');
 const { execFileSync } = require('child_process');
 const { resolvePlanningContext, requireTeamName } = require('./state-router');
@@ -200,6 +201,9 @@ function buildSpriteProvisionPlan(projectRoot, options) {
   const workdir = spriteWorkdir(config, runtime);
   const selectedTeams = normalizeList(opts.teams || opts.team);
   const teams = selectedTeams.length > 0 ? selectedTeams : Object.keys(config.teams || {});
+  const infisicalProjectId = opts.infisicalProjectId || null;
+  const infisicalEnv = opts.infisicalEnv || 'dev';
+  const infisicalEnabled = !!infisicalProjectId;
   const rows = [];
 
   for (const rawTeam of teams) {
@@ -215,6 +219,34 @@ function buildSpriteProvisionPlan(projectRoot, options) {
       : `git clone <repo-url> ${workdir}`;
     const checkoutCommand = `gh auth setup-git >/dev/null 2>&1 || true; git fetch origin && git checkout -B ${teamConfig.branch} origin/${config.github.base_branch}`;
 
+    const loaderScript = [
+      '[ -f ~/.infisical-machine-creds ] && source ~/.infisical-machine-creds',
+      'if [ -n "$RRR_INFI_CID" ] && [ -n "$RRR_INFI_CS" ]; then',
+      '  _IT=$(infisical login --method=universal-auth --client-id="$RRR_INFI_CID" --client-secret="$RRR_INFI_CS" --plain --silent 2>/dev/null)',
+      '  if [ -n "$_IT" ]; then',
+      '    export ANTHROPIC_API_KEY=$(infisical secrets get ANTHROPIC_API_KEY --token="$_IT" --projectId="$RRR_INFI_PROJ" --env="${RRR_INFI_ENV:-dev}" --plain --silent 2>/dev/null)',
+      '    unset _IT',
+      '  fi',
+      'fi'
+    ].join('\n');
+    const credsScript = [
+      'umask 077 && cat > ~/.infisical-machine-creds <<EOF',
+      'export RRR_INFI_CID="$RRR_INFI_CID"',
+      'export RRR_INFI_CS="$RRR_INFI_CS"',
+      'export RRR_INFI_PROJ="$RRR_INFI_PROJ"',
+      'export RRR_INFI_ENV="$RRR_INFI_ENV"',
+      'EOF'
+    ].join('\n');
+    const writeLoaderCommand = `cat > ~/.infisical-load.sh <<'LOADER'\n${loaderScript}\nLOADER\ngrep -q "infisical-load.sh" ~/.profile || echo "[ -f ~/.infisical-load.sh ] && source ~/.infisical-load.sh" >> ~/.profile`;
+    const infisicalCommands = infisicalEnabled ? [
+      '# Install Infisical CLI for runtime secret fetch',
+      `sprite exec -s ${teamConfig.sprite} -- bash -lc 'command -v infisical || (curl -1sLf "https://artifacts-cli.infisical.com/setup.deb.sh" | sudo -E bash && sudo apt-get install -y infisical)'`,
+      '# Write machine-identity credentials (read-only, mode 600)',
+      `sprite exec -s ${teamConfig.sprite} --env "RRR_INFI_CID=$RRR_INFI_CID,RRR_INFI_CS=$RRR_INFI_CS,RRR_INFI_PROJ=${infisicalProjectId},RRR_INFI_ENV=${infisicalEnv}" -- bash -lc ${JSON.stringify(credsScript)}`,
+      '# Loader fetches ANTHROPIC_API_KEY on every login shell',
+      `sprite exec -s ${teamConfig.sprite} -- bash -lc ${JSON.stringify(writeLoaderCommand)}`
+    ] : [];
+
     rows.push({
       team,
       github_team: teamConfig.github_team,
@@ -225,6 +257,7 @@ function buildSpriteProvisionPlan(projectRoot, options) {
       repo,
       setup,
       checks,
+      infisical: infisicalEnabled ? { project_id: infisicalProjectId, env: infisicalEnv } : null,
       commands: [
         `sprite create ${teamConfig.sprite} --skip-console`,
         `sprite exec -s ${teamConfig.sprite} -- mkdir -p /home/sprite/work`,
@@ -233,12 +266,13 @@ function buildSpriteProvisionPlan(projectRoot, options) {
         `sprite exec -s ${teamConfig.sprite} --dir ${workdir} --env GITHUB_TOKEN=$GITHUB_TOKEN -- bash -lc '${checkoutCommand}'`,
         `sprite exec -s ${teamConfig.sprite} --dir ${workdir} -- npx projecta-rrr@latest --global --yes`,
         ...setup.map(cmd => `sprite exec -s ${teamConfig.sprite} --dir ${workdir} -- bash -lc '${cmd}'`),
+        ...infisicalCommands,
         `sprite checkpoint create -s ${teamConfig.sprite} --comment "rrr clean-ready ${config.milestone} ${team}"`
       ]
     });
   }
 
-  return { config, runtime, workdir, rows };
+  return { config, runtime, workdir, rows, infisical: infisicalEnabled ? { project_id: infisicalProjectId, env: infisicalEnv } : null };
 }
 
 function renderSpriteProvisionPlan(plan) {
@@ -415,6 +449,31 @@ function applySpriteProvisionPlan(projectRoot, options) {
       const setup = execCapture('sprite', ['exec', '-s', row.sprite, '--dir', row.workdir, '--', 'bash', '-lc', command]);
       teamResults.push({ step: `setup: ${command}`, ...setup });
     }
+    if (row.infisical && process.env.RRR_INFI_CID && process.env.RRR_INFI_CS) {
+      const cid = process.env.RRR_INFI_CID;
+      const cs = process.env.RRR_INFI_CS;
+      const proj = row.infisical.project_id;
+      const env = row.infisical.env;
+      const installInfi = execCapture('sprite', [
+        'exec', '-s', row.sprite, '--', 'bash', '-lc',
+        'command -v infisical || (curl -1sLf "https://artifacts-cli.infisical.com/setup.deb.sh" | sudo -E bash >/dev/null 2>&1 && sudo apt-get install -y infisical >/dev/null 2>&1) && infisical --version'
+      ]);
+      teamResults.push({ step: 'infisical-install', ...installInfi });
+      const writeCreds = execCapture('sprite', [
+        'exec', '-s', row.sprite,
+        '--env', `RRR_INFI_CID=${cid},RRR_INFI_CS=${cs},RRR_INFI_PROJ=${proj},RRR_INFI_ENV=${env}`,
+        '--', 'bash', '-lc',
+        'umask 077 && cat > ~/.infisical-machine-creds <<EOF\nexport RRR_INFI_CID="$RRR_INFI_CID"\nexport RRR_INFI_CS="$RRR_INFI_CS"\nexport RRR_INFI_PROJ="$RRR_INFI_PROJ"\nexport RRR_INFI_ENV="$RRR_INFI_ENV"\nEOF'
+      ]);
+      teamResults.push({ step: 'infisical-creds', ...writeCreds });
+      const writeLoader = execCapture('sprite', [
+        'exec', '-s', row.sprite, '--', 'bash', '-lc',
+        'cat > ~/.infisical-load.sh <<\'LOADER\'\n[ -f ~/.infisical-machine-creds ] && source ~/.infisical-machine-creds\nif [ -n "$RRR_INFI_CID" ] && [ -n "$RRR_INFI_CS" ]; then\n  _IT=$(infisical login --method=universal-auth --client-id="$RRR_INFI_CID" --client-secret="$RRR_INFI_CS" --plain --silent 2>/dev/null)\n  if [ -n "$_IT" ]; then\n    export ANTHROPIC_API_KEY=$(infisical secrets get ANTHROPIC_API_KEY --token="$_IT" --projectId="$RRR_INFI_PROJ" --env="${RRR_INFI_ENV:-dev}" --plain --silent 2>/dev/null)\n    unset _IT\n  fi\nfi\nLOADER\ngrep -q "infisical-load.sh" ~/.profile || echo "[ -f ~/.infisical-load.sh ] && source ~/.infisical-load.sh" >> ~/.profile'
+      ]);
+      teamResults.push({ step: 'infisical-loader', ...writeLoader });
+    } else if (row.infisical) {
+      teamResults.push({ step: 'infisical-skip', ok: false, output: 'infisical bootstrap requested but RRR_INFI_CID/RRR_INFI_CS not set in apply environment' });
+    }
     const readyForCheckpoint = teamResults.every(result => result.ok);
     const checkpoint = readyForCheckpoint
       ? execCapture('sprite', [
@@ -514,6 +573,86 @@ function coordinatorConfigPath(projectRoot) {
   return path.join(projectRoot, '.planning', 'coordinator', 'COORDINATOR.json');
 }
 
+function buildAiGatewayBlock(opts) {
+  const accountId = opts.aiGatewayAccountId || opts.cfAccountId || null;
+  const gatewayId = opts.aiGatewayId || null;
+  if (!accountId || !gatewayId) return null;
+  const authenticated = opts.aiGatewayAuthenticated === true || opts.aiGatewayAuthenticated === 'true';
+  const baseUrl = `https://gateway.ai.cloudflare.com/v1/${accountId}/${gatewayId}/anthropic`;
+  return {
+    provider: 'cloudflare-ai-gateway',
+    account_id: accountId,
+    gateway_id: gatewayId,
+    anthropic_base_url: baseUrl,
+    authenticated,
+    runtime_env: { ANTHROPIC_BASE_URL: baseUrl },
+    notes: [
+      'Only used when auth_mode = anthropic-api-key.',
+      'Set ANTHROPIC_BASE_URL to route Anthropic API calls through the gateway.',
+      authenticated
+        ? 'Authenticated gateway: send `cf-aig-authorization: Bearer $CF_AI_GATEWAY_TOKEN` header on every request.'
+        : 'Unauthenticated gateway: ANTHROPIC_API_KEY is the only credential; gateway URL is the access boundary.'
+    ]
+  };
+}
+
+function buildAuthBlock(opts) {
+  const mode = opts.authMode || 'infisical-machine-identity';
+  if (mode === 'infisical-machine-identity') {
+    const projectId = opts.infisicalProjectId || null;
+    const env = opts.infisicalEnv || 'dev';
+    const domain = opts.infisicalDomain || 'https://app.infisical.com';
+    const secrets = opts.infisicalSecrets && opts.infisicalSecrets.length > 0
+      ? opts.infisicalSecrets
+      : ['ANTHROPIC_API_KEY', 'GITHUB_TOKEN'];
+    return {
+      mode,
+      description: 'Coordinator fetches secrets at boot from Infisical via Universal Auth (machine identity).',
+      infisical: {
+        domain,
+        project_id: projectId,
+        env,
+        secrets
+      },
+      required_runtime_env: ['RRR_INFI_CID', 'RRR_INFI_CS'],
+      required_secrets: ['RRR_INFI_CID', 'RRR_INFI_CS'],
+      notes: [
+        'RRR_INFI_CID + RRR_INFI_CS are Infisical Universal Auth client credentials (stored as Cloudflare Secrets / Wrangler secrets).',
+        'Boot script calls `infisical login --method=universal-auth` then `infisical secrets get` for each declared secret.',
+        'Anthropic, GitHub, and any future tokens rotate centrally in Infisical with no coordinator redeploy.'
+      ]
+    };
+  }
+  if (mode === 'claude-code-subscription') {
+    return {
+      mode,
+      description: 'Coordinator uses Claude Code with an Anthropic subscription (Max/Pro). No ANTHROPIC_API_KEY required.',
+      credentials_path: '~/.claude/.credentials.json',
+      injection: [
+        'Persist the credentials file once (after a one-time `claude login`).',
+        'For a Cloudflare sandbox: write the stored credentials JSON to ~/.claude/.credentials.json on container start (from a CF Secret, KV, or D1 row).',
+        'For a Sprite: run `claude login` once interactively, then `sprite checkpoint create` to capture the authenticated state.'
+      ],
+      required_secrets: ['GITHUB_TOKEN', 'CLAUDE_CREDENTIALS_JSON'],
+      notes: [
+        'CLAUDE_CREDENTIALS_JSON holds the contents of ~/.claude/.credentials.json — store as a CF Secret, not in repo.',
+        'Subscription billing applies; no per-token API cost.'
+      ]
+    };
+  }
+  if (mode === 'anthropic-api-key') {
+    return {
+      mode,
+      description: 'Coordinator authenticates Claude Code with ANTHROPIC_API_KEY (per-token billing).',
+      required_secrets: ['ANTHROPIC_API_KEY', 'GITHUB_TOKEN'],
+      notes: [
+        'Optional: pair with Cloudflare AI Gateway via --ai-gateway-account-id/--ai-gateway-id for caching, rate limits, and observability.'
+      ]
+    };
+  }
+  throw new Error(`unknown auth_mode: ${mode}`);
+}
+
 function writeCoordinatorProvision(options) {
   const opts = options || {};
   const projectRoot = opts.projectRoot || process.cwd();
@@ -521,8 +660,13 @@ function writeCoordinatorProvision(options) {
   const runtime = readRuntimeManifest(projectRoot);
   const dir = path.join(projectRoot, '.planning', 'coordinator');
   ensureDir(dir);
+  const auth = buildAuthBlock(opts);
+  const aiGateway = auth.mode === 'anthropic-api-key' ? buildAiGatewayBlock(opts) : null;
+  const requiredSecrets = [...auth.required_secrets];
+  if (aiGateway && aiGateway.authenticated) requiredSecrets.push('CF_AI_GATEWAY_TOKEN');
+
   const config = {
-    schema_version: 1,
+    schema_version: 2,
     provider: opts.provider || 'cloudflare-sandbox',
     name: opts.name || `rrr-coordinator-${repoNameFor(teamConfig).toLowerCase()}`,
     generated_at: new Date().toISOString(),
@@ -532,7 +676,9 @@ function writeCoordinatorProvision(options) {
     integration_branch: teamConfig.github.integration_branch,
     runtime_manifest: path.relative(projectRoot, runtimeManifestPath(projectRoot)),
     report_first: true,
-    required_secrets: ['ANTHROPIC_API_KEY', 'GITHUB_TOKEN'],
+    auth,
+    ai_gateway: aiGateway,
+    required_secrets: requiredSecrets,
     responsibilities: [
       'clone repository into ephemeral sandbox',
       'merge team branches into integration branch',
@@ -542,6 +688,7 @@ function writeCoordinatorProvision(options) {
     ]
   };
   writeJson(coordinatorConfigPath(projectRoot), config);
+
   const readme = [
     `# ${config.name}`,
     '',
@@ -554,11 +701,98 @@ function writeCoordinatorProvision(options) {
     `Base branch: ${config.base_branch}`,
     `Integration branch: ${config.integration_branch}`,
     `Runtime manifest: ${config.runtime_manifest}`,
+    '',
+    '## Auth',
+    '',
+    `Mode: \`${auth.mode}\``,
+    '',
+    auth.description
+  ];
+
+  if (auth.mode === 'infisical-machine-identity') {
+    const infi = auth.infisical;
+    const fetches = (infi.secrets || []).map(s =>
+      `export ${s}=$(infisical secrets get ${s} --token="$_IT" --projectId="${infi.project_id || '<INFISICAL_PROJECT_ID>'}" --env="${infi.env}" --plain --silent)`
+    );
+    readme.push(
+      '',
+      '### Infisical machine-identity bootstrap',
+      '',
+      `- Domain: ${infi.domain}`,
+      `- Project ID: ${infi.project_id || '(unset — pass --infisical-project-id)'}`,
+      `- Env: ${infi.env}`,
+      `- Fetched secrets: ${(infi.secrets || []).join(', ') || '(none)'}`,
+      '',
+      'Cloudflare sandbox boot snippet:',
+      '',
+      '```bash',
+      '# Install Infisical CLI (one-time, ideally baked into image)',
+      'curl -1sLf "https://artifacts-cli.infisical.com/setup.deb.sh" | sudo -E bash',
+      'sudo apt-get install -y infisical',
+      '',
+      '# Exchange machine-identity credentials for an access token',
+      '_IT=$(infisical login --method=universal-auth --client-id="$RRR_INFI_CID" --client-secret="$RRR_INFI_CS" --plain --silent)',
+      '',
+      '# Fetch and export each declared secret',
+      ...fetches,
+      'unset _IT',
+      '',
+      'claude --version  # picks up ANTHROPIC_API_KEY automatically',
+      '```'
+    );
+  } else if (auth.mode === 'claude-code-subscription') {
+    readme.push(
+      '',
+      '### Credentials injection',
+      '',
+      ...auth.injection.map(line => `- ${line}`),
+      '',
+      'Cloudflare sandbox boot snippet:',
+      '',
+      '```bash',
+      'mkdir -p ~/.claude',
+      'printf "%s" "$CLAUDE_CREDENTIALS_JSON" > ~/.claude/.credentials.json',
+      'chmod 600 ~/.claude/.credentials.json',
+      'claude --version  # verifies authenticated',
+      '```'
+    );
+  }
+
+  readme.push(
     '',
     '## Required Secrets',
     '',
-    '- `ANTHROPIC_API_KEY` for Claude Code.',
-    '- `GITHUB_TOKEN` or GitHub App installation token for read/write repo access.',
+    ...requiredSecrets.map(s => `- \`${s}\``)
+  );
+
+  if (aiGateway) {
+    readme.push(
+      '',
+      '## Cloudflare AI Gateway (optional)',
+      '',
+      `Account: ${aiGateway.account_id}`,
+      `Gateway: ${aiGateway.gateway_id}`,
+      `Anthropic base URL: ${aiGateway.anthropic_base_url}`,
+      `Authenticated: ${aiGateway.authenticated ? 'yes' : 'no'}`,
+      '',
+      '```bash',
+      `export ANTHROPIC_BASE_URL="${aiGateway.anthropic_base_url}"`,
+      'export ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY"',
+      aiGateway.authenticated
+        ? '# header: cf-aig-authorization: Bearer $CF_AI_GATEWAY_TOKEN'
+        : '# unauthenticated gateway — URL is the access boundary',
+      '```'
+    );
+  } else if (auth.mode === 'anthropic-api-key') {
+    readme.push(
+      '',
+      '## Cloudflare AI Gateway',
+      '',
+      'Not configured. Re-run with `--ai-gateway-account-id <id> --ai-gateway-id <id>` to route Anthropic API traffic through Cloudflare AI Gateway.'
+    );
+  }
+
+  readme.push(
     '',
     '## Execution Contract',
     '',
@@ -566,8 +800,9 @@ function writeCoordinatorProvision(options) {
     '- GitHub remains the source of truth for branches, PRs, reviews, and checks.',
     '- Coordinator is report-first: it writes reports and recommendations only; humans approve final merges.',
     '- Developer work stays in Sprites/team branches.'
-  ].join('\n');
-  atomicWrite(path.join(dir, 'README.md'), `${readme}\n`);
+  );
+
+  atomicWrite(path.join(dir, 'README.md'), `${readme.join('\n')}\n`);
   return { config, runtime, dir };
 }
 
@@ -579,8 +814,53 @@ function readCoordinatorStatus(projectRoot) {
   checks.push({ name: 'runtime manifest', ok: fs.existsSync(runtimeManifestPath(root)), detail: path.relative(root, runtimeManifestPath(root)) });
   const wrangler = execCapture('npx', ['wrangler', '--version'], { cwd: root });
   checks.push({ name: 'wrangler available', ok: wrangler.ok, detail: wrangler.output || 'not available' });
-  checks.push({ name: 'ANTHROPIC_API_KEY present', ok: !!process.env.ANTHROPIC_API_KEY, detail: process.env.ANTHROPIC_API_KEY ? 'present' : 'missing locally' });
   checks.push({ name: 'GITHUB_TOKEN present', ok: !!process.env.GITHUB_TOKEN, detail: process.env.GITHUB_TOKEN ? 'present' : 'missing locally' });
+
+  const authMode = config && config.auth ? config.auth.mode : (config && config.ai_gateway ? 'anthropic-api-key' : 'infisical-machine-identity');
+  if (authMode === 'infisical-machine-identity') {
+    checks.push({
+      name: 'RRR_INFI_CID present',
+      ok: !!process.env.RRR_INFI_CID,
+      detail: process.env.RRR_INFI_CID ? 'present' : 'missing locally (Infisical Universal Auth client ID)'
+    });
+    checks.push({
+      name: 'RRR_INFI_CS present',
+      ok: !!process.env.RRR_INFI_CS,
+      detail: process.env.RRR_INFI_CS ? 'present' : 'missing locally (Infisical Universal Auth client secret)'
+    });
+    const infiCli = execCapture('infisical', ['--version']);
+    checks.push({
+      name: 'infisical CLI available',
+      ok: infiCli.ok,
+      detail: infiCli.output || 'not installed locally; coordinator runtime must install it'
+    });
+  } else if (authMode === 'claude-code-subscription') {
+    const credsPath = path.join(os.homedir(), '.claude', '.credentials.json');
+    const localCreds = fs.existsSync(credsPath);
+    checks.push({
+      name: 'Claude Code subscription credentials',
+      ok: localCreds || !!process.env.CLAUDE_CREDENTIALS_JSON,
+      detail: localCreds ? credsPath : (process.env.CLAUDE_CREDENTIALS_JSON ? 'CLAUDE_CREDENTIALS_JSON env present' : 'missing locally (run `claude login` or set CLAUDE_CREDENTIALS_JSON)')
+    });
+  } else {
+    checks.push({ name: 'ANTHROPIC_API_KEY present', ok: !!process.env.ANTHROPIC_API_KEY, detail: process.env.ANTHROPIC_API_KEY ? 'present' : 'missing locally' });
+    if (config && config.ai_gateway) {
+      const expectedBase = config.ai_gateway.anthropic_base_url;
+      const baseUrl = process.env.ANTHROPIC_BASE_URL;
+      checks.push({
+        name: 'ANTHROPIC_BASE_URL routes to AI Gateway',
+        ok: baseUrl === expectedBase,
+        detail: baseUrl ? (baseUrl === expectedBase ? expectedBase : `mismatch: ${baseUrl}`) : `missing locally (expected ${expectedBase})`
+      });
+      if (config.ai_gateway.authenticated) {
+        checks.push({
+          name: 'CF_AI_GATEWAY_TOKEN present',
+          ok: !!process.env.CF_AI_GATEWAY_TOKEN,
+          detail: process.env.CF_AI_GATEWAY_TOKEN ? 'present' : 'missing locally (authenticated gateway requires it)'
+        });
+      }
+    }
+  }
   return { config, checks };
 }
 

package/scripts/rrr-team-mode.js

@@ -73,7 +73,7 @@ Usage:
   node scripts/rrr-team-mode.js runtime-init
   node scripts/rrr-team-mode.js provision-sprites [--apply] [--teams team-runtime]
   node scripts/rrr-team-mode.js sprite-status [--live]
-  node scripts/rrr-team-mode.js provision-coordinator
+  node scripts/rrr-team-mode.js provision-coordinator [--auth-mode claude-code-subscription|anthropic-api-key] [--ai-gateway-account-id <id> --ai-gateway-id <id> [--ai-gateway-authenticated]]
   node scripts/rrr-team-mode.js coordinator-status
 
 Notes:
@@ -189,7 +189,9 @@ function main() {
     if (command === 'provision-sprites') {
       const options = {
         teams: args.teams,
-        team: args.team
+        team: args.team,
+        infisicalProjectId: args['infisical-project-id'],
+        infisicalEnv: args['infisical-env']
       };
       if (args.apply === true || args.apply === 'true') {
         const result = applySpriteProvisionPlan(projectRoot, options);
@@ -224,10 +226,25 @@ function main() {
       const result = writeCoordinatorProvision({
         projectRoot,
         provider: args.provider,
-        name: args.name
+        name: args.name,
+        authMode: args['auth-mode'] || args.authMode,
+        infisicalProjectId: args['infisical-project-id'],
+        infisicalEnv: args['infisical-env'],
+        infisicalDomain: args['infisical-domain'],
+        infisicalSecrets: splitCsv(args['infisical-secrets']),
+        aiGatewayAccountId: args['ai-gateway-account-id'] || args['cf-account-id'],
+        aiGatewayId: args['ai-gateway-id'],
+        aiGatewayAuthenticated: args['ai-gateway-authenticated'] === true || args['ai-gateway-authenticated'] === 'true'
       });
       console.log(`Wrote ${path.relative(projectRoot, path.join(result.dir, 'COORDINATOR.json'))}`);
       console.log(`Wrote ${path.relative(projectRoot, path.join(result.dir, 'README.md'))}`);
+      console.log(`Auth mode: ${result.config.auth.mode}`);
+      if (result.config.auth && result.config.auth.infisical) {
+        console.log(`Infisical: ${result.config.auth.infisical.project_id || '(unset)'}@${result.config.auth.infisical.env}`);
+      }
+      if (result.config.ai_gateway) {
+        console.log(`AI Gateway: ${result.config.ai_gateway.anthropic_base_url}`);
+      }
       return;
     }