npm - projecta-rrr - Versions diffs - 1.24.5 → 1.24.6 - Mend

projecta-rrr 1.24.5 → 1.24.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/AGENTS.md +1 -1
package/CHANGELOG.md +11 -0
package/package.json +1 -1
package/rrr/lib/team-mode/manager.js +136 -5
package/scripts/rrr-team-mode.js +10 -1

package/AGENTS.md CHANGED Viewed

@@ -96,4 +96,4 @@ The RRR loop follows five steps:
 - Use `$rrr-help` for full skill catalogue
 - Trigger phrases are case-sensitive: `$rrr-plan-phase` not `$rrr-PlanPhase`
-<!-- generated: 2026-05-13T01:06:46.790Z | source: commands/rrr/*.md | count: 59 skills -->
+<!-- generated: 2026-05-13T03:49:42.852Z | source: commands/rrr/*.md | count: 59 skills -->

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,17 @@ All notable changes to RRR will be documented in this file.
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+## [1.24.6] - 2026-05-13
+### Added
+- **Infisical machine-identity auth mode** — `$rrr-provision-coordinator --auth-mode infisical-machine-identity --infisical-project-id <id> --infisical-env <env>` writes a coordinator contract that fetches secrets at boot from Infisical via Universal Auth. Required runtime secrets become `RRR_INFI_CID` + `RRR_INFI_CS` only; Anthropic and GitHub tokens live in Infisical and rotate centrally.
+- **Infisical Sprite bootstrap** — `$rrr-provision-sprites --apply --infisical-project-id <id>` installs Infisical CLI inside each Sprite, writes machine-identity creds, and wires `~/.profile` to fetch `ANTHROPIC_API_KEY` on every login shell. Uses `RRR_INFI_CID` + `RRR_INFI_CS` from the provisioning host's environment.
+### Changed
+- **Default coordinator auth mode** — `infisical-machine-identity` is now the default (was `claude-code-subscription`). The subscription path remains available via `--auth-mode claude-code-subscription`.
+- **Coordinator README** — generated README emits the Infisical install + login + secret-fetch boot snippet when in Infisical mode; falls back to credentials-file injection or AI Gateway when in their respective modes.
+- **`$rrr-coordinator-status`** — checks for `RRR_INFI_CID`/`RRR_INFI_CS` env and `infisical --version` when in Infisical mode.
 ## [1.24.5] - 2026-05-13
 ### Added

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "projecta-rrr",
-  "version": "1.24.5",
+  "version": "1.24.6",
   "description": "A meta-prompting, context engineering and spec-driven development system for Claude Code by Projecta.ai",
   "bin": {
     "projecta-rrr": "bin/install.js",

package/rrr/lib/team-mode/manager.js CHANGED Viewed

@@ -201,6 +201,9 @@ function buildSpriteProvisionPlan(projectRoot, options) {
   const workdir = spriteWorkdir(config, runtime);
   const selectedTeams = normalizeList(opts.teams || opts.team);
   const teams = selectedTeams.length > 0 ? selectedTeams : Object.keys(config.teams || {});
+  const infisicalProjectId = opts.infisicalProjectId || null;
+  const infisicalEnv = opts.infisicalEnv || 'dev';
+  const infisicalEnabled = !!infisicalProjectId;
   const rows = [];
   for (const rawTeam of teams) {
@@ -216,6 +219,34 @@ function buildSpriteProvisionPlan(projectRoot, options) {
       : `git clone <repo-url> ${workdir}`;
     const checkoutCommand = `gh auth setup-git >/dev/null 2>&1 || true; git fetch origin && git checkout -B ${teamConfig.branch} origin/${config.github.base_branch}`;
+    const loaderScript = [
+      '[ -f ~/.infisical-machine-creds ] && source ~/.infisical-machine-creds',
+      'if [ -n "$RRR_INFI_CID" ] && [ -n "$RRR_INFI_CS" ]; then',
+      '  _IT=$(infisical login --method=universal-auth --client-id="$RRR_INFI_CID" --client-secret="$RRR_INFI_CS" --plain --silent 2>/dev/null)',
+      '  if [ -n "$_IT" ]; then',
+      '    export ANTHROPIC_API_KEY=$(infisical secrets get ANTHROPIC_API_KEY --token="$_IT" --projectId="$RRR_INFI_PROJ" --env="${RRR_INFI_ENV:-dev}" --plain --silent 2>/dev/null)',
+      '    unset _IT',
+      '  fi',
+      'fi'
+    ].join('\n');
+    const credsScript = [
+      'umask 077 && cat > ~/.infisical-machine-creds <<EOF',
+      'export RRR_INFI_CID="$RRR_INFI_CID"',
+      'export RRR_INFI_CS="$RRR_INFI_CS"',
+      'export RRR_INFI_PROJ="$RRR_INFI_PROJ"',
+      'export RRR_INFI_ENV="$RRR_INFI_ENV"',
+      'EOF'
+    ].join('\n');
+    const writeLoaderCommand = `cat > ~/.infisical-load.sh <<'LOADER'\n${loaderScript}\nLOADER\ngrep -q "infisical-load.sh" ~/.profile || echo "[ -f ~/.infisical-load.sh ] && source ~/.infisical-load.sh" >> ~/.profile`;
+    const infisicalCommands = infisicalEnabled ? [
+      '# Install Infisical CLI for runtime secret fetch',
+      `sprite exec -s ${teamConfig.sprite} -- bash -lc 'command -v infisical || (curl -1sLf "https://artifacts-cli.infisical.com/setup.deb.sh" | sudo -E bash && sudo apt-get install -y infisical)'`,
+      '# Write machine-identity credentials (read-only, mode 600)',
+      `sprite exec -s ${teamConfig.sprite} --env "RRR_INFI_CID=$RRR_INFI_CID,RRR_INFI_CS=$RRR_INFI_CS,RRR_INFI_PROJ=${infisicalProjectId},RRR_INFI_ENV=${infisicalEnv}" -- bash -lc ${JSON.stringify(credsScript)}`,
+      '# Loader fetches ANTHROPIC_API_KEY on every login shell',
+      `sprite exec -s ${teamConfig.sprite} -- bash -lc ${JSON.stringify(writeLoaderCommand)}`
+    ] : [];
     rows.push({
       team,
       github_team: teamConfig.github_team,
@@ -226,6 +257,7 @@ function buildSpriteProvisionPlan(projectRoot, options) {
       repo,
       setup,
       checks,
+      infisical: infisicalEnabled ? { project_id: infisicalProjectId, env: infisicalEnv } : null,
       commands: [
         `sprite create ${teamConfig.sprite} --skip-console`,
         `sprite exec -s ${teamConfig.sprite} -- mkdir -p /home/sprite/work`,
@@ -234,12 +266,13 @@ function buildSpriteProvisionPlan(projectRoot, options) {
         `sprite exec -s ${teamConfig.sprite} --dir ${workdir} --env GITHUB_TOKEN=$GITHUB_TOKEN -- bash -lc '${checkoutCommand}'`,
         `sprite exec -s ${teamConfig.sprite} --dir ${workdir} -- npx projecta-rrr@latest --global --yes`,
         ...setup.map(cmd => `sprite exec -s ${teamConfig.sprite} --dir ${workdir} -- bash -lc '${cmd}'`),
+        ...infisicalCommands,
         `sprite checkpoint create -s ${teamConfig.sprite} --comment "rrr clean-ready ${config.milestone} ${team}"`
       ]
     });
   }
-  return { config, runtime, workdir, rows };
+  return { config, runtime, workdir, rows, infisical: infisicalEnabled ? { project_id: infisicalProjectId, env: infisicalEnv } : null };
 }
 function renderSpriteProvisionPlan(plan) {
@@ -416,6 +449,31 @@ function applySpriteProvisionPlan(projectRoot, options) {
       const setup = execCapture('sprite', ['exec', '-s', row.sprite, '--dir', row.workdir, '--', 'bash', '-lc', command]);
       teamResults.push({ step: `setup: ${command}`, ...setup });
     }
+    if (row.infisical && process.env.RRR_INFI_CID && process.env.RRR_INFI_CS) {
+      const cid = process.env.RRR_INFI_CID;
+      const cs = process.env.RRR_INFI_CS;
+      const proj = row.infisical.project_id;
+      const env = row.infisical.env;
+      const installInfi = execCapture('sprite', [
+        'exec', '-s', row.sprite, '--', 'bash', '-lc',
+        'command -v infisical || (curl -1sLf "https://artifacts-cli.infisical.com/setup.deb.sh" | sudo -E bash >/dev/null 2>&1 && sudo apt-get install -y infisical >/dev/null 2>&1) && infisical --version'
+      ]);
+      teamResults.push({ step: 'infisical-install', ...installInfi });
+      const writeCreds = execCapture('sprite', [
+        'exec', '-s', row.sprite,
+        '--env', `RRR_INFI_CID=${cid},RRR_INFI_CS=${cs},RRR_INFI_PROJ=${proj},RRR_INFI_ENV=${env}`,
+        '--', 'bash', '-lc',
+        'umask 077 && cat > ~/.infisical-machine-creds <<EOF\nexport RRR_INFI_CID="$RRR_INFI_CID"\nexport RRR_INFI_CS="$RRR_INFI_CS"\nexport RRR_INFI_PROJ="$RRR_INFI_PROJ"\nexport RRR_INFI_ENV="$RRR_INFI_ENV"\nEOF'
+      ]);
+      teamResults.push({ step: 'infisical-creds', ...writeCreds });
+      const writeLoader = execCapture('sprite', [
+        'exec', '-s', row.sprite, '--', 'bash', '-lc',
+        'cat > ~/.infisical-load.sh <<\'LOADER\'\n[ -f ~/.infisical-machine-creds ] && source ~/.infisical-machine-creds\nif [ -n "$RRR_INFI_CID" ] && [ -n "$RRR_INFI_CS" ]; then\n  _IT=$(infisical login --method=universal-auth --client-id="$RRR_INFI_CID" --client-secret="$RRR_INFI_CS" --plain --silent 2>/dev/null)\n  if [ -n "$_IT" ]; then\n    export ANTHROPIC_API_KEY=$(infisical secrets get ANTHROPIC_API_KEY --token="$_IT" --projectId="$RRR_INFI_PROJ" --env="${RRR_INFI_ENV:-dev}" --plain --silent 2>/dev/null)\n    unset _IT\n  fi\nfi\nLOADER\ngrep -q "infisical-load.sh" ~/.profile || echo "[ -f ~/.infisical-load.sh ] && source ~/.infisical-load.sh" >> ~/.profile'
+      ]);
+      teamResults.push({ step: 'infisical-loader', ...writeLoader });
+    } else if (row.infisical) {
+      teamResults.push({ step: 'infisical-skip', ok: false, output: 'infisical bootstrap requested but RRR_INFI_CID/RRR_INFI_CS not set in apply environment' });
+    }
     const readyForCheckpoint = teamResults.every(result => result.ok);
     const checkpoint = readyForCheckpoint
       ? execCapture('sprite', [
@@ -539,7 +597,32 @@ function buildAiGatewayBlock(opts) {
 }
 function buildAuthBlock(opts) {
-  const mode = opts.authMode || 'claude-code-subscription';
+  const mode = opts.authMode || 'infisical-machine-identity';
+  if (mode === 'infisical-machine-identity') {
+    const projectId = opts.infisicalProjectId || null;
+    const env = opts.infisicalEnv || 'dev';
+    const domain = opts.infisicalDomain || 'https://app.infisical.com';
+    const secrets = opts.infisicalSecrets && opts.infisicalSecrets.length > 0
+      ? opts.infisicalSecrets
+      : ['ANTHROPIC_API_KEY', 'GITHUB_TOKEN'];
+    return {
+      mode,
+      description: 'Coordinator fetches secrets at boot from Infisical via Universal Auth (machine identity).',
+      infisical: {
+        domain,
+        project_id: projectId,
+        env,
+        secrets
+      },
+      required_runtime_env: ['RRR_INFI_CID', 'RRR_INFI_CS'],
+      required_secrets: ['RRR_INFI_CID', 'RRR_INFI_CS'],
+      notes: [
+        'RRR_INFI_CID + RRR_INFI_CS are Infisical Universal Auth client credentials (stored as Cloudflare Secrets / Wrangler secrets).',
+        'Boot script calls `infisical login --method=universal-auth` then `infisical secrets get` for each declared secret.',
+        'Anthropic, GitHub, and any future tokens rotate centrally in Infisical with no coordinator redeploy.'
+      ]
+    };
+  }
   if (mode === 'claude-code-subscription') {
     return {
       mode,
@@ -626,7 +709,38 @@ function writeCoordinatorProvision(options) {
     auth.description
   ];
-  if (auth.mode === 'claude-code-subscription') {
+  if (auth.mode === 'infisical-machine-identity') {
+    const infi = auth.infisical;
+    const fetches = (infi.secrets || []).map(s =>
+      `export ${s}=$(infisical secrets get ${s} --token="$_IT" --projectId="${infi.project_id || '<INFISICAL_PROJECT_ID>'}" --env="${infi.env}" --plain --silent)`
+    );
+    readme.push(
+      '',
+      '### Infisical machine-identity bootstrap',
+      '',
+      `- Domain: ${infi.domain}`,
+      `- Project ID: ${infi.project_id || '(unset — pass --infisical-project-id)'}`,
+      `- Env: ${infi.env}`,
+      `- Fetched secrets: ${(infi.secrets || []).join(', ') || '(none)'}`,
+      '',
+      'Cloudflare sandbox boot snippet:',
+      '',
+      '```bash',
+      '# Install Infisical CLI (one-time, ideally baked into image)',
+      'curl -1sLf "https://artifacts-cli.infisical.com/setup.deb.sh" | sudo -E bash',
+      'sudo apt-get install -y infisical',
+      '',
+      '# Exchange machine-identity credentials for an access token',
+      '_IT=$(infisical login --method=universal-auth --client-id="$RRR_INFI_CID" --client-secret="$RRR_INFI_CS" --plain --silent)',
+      '',
+      '# Fetch and export each declared secret',
+      ...fetches,
+      'unset _IT',
+      '',
+      'claude --version  # picks up ANTHROPIC_API_KEY automatically',
+      '```'
+    );
+  } else if (auth.mode === 'claude-code-subscription') {
     readme.push(
       '',
       '### Credentials injection',
@@ -702,8 +816,25 @@ function readCoordinatorStatus(projectRoot) {
   checks.push({ name: 'wrangler available', ok: wrangler.ok, detail: wrangler.output || 'not available' });
   checks.push({ name: 'GITHUB_TOKEN present', ok: !!process.env.GITHUB_TOKEN, detail: process.env.GITHUB_TOKEN ? 'present' : 'missing locally' });
-  const authMode = config && config.auth ? config.auth.mode : (config && config.ai_gateway ? 'anthropic-api-key' : 'claude-code-subscription');
-  if (authMode === 'claude-code-subscription') {
+  const authMode = config && config.auth ? config.auth.mode : (config && config.ai_gateway ? 'anthropic-api-key' : 'infisical-machine-identity');
+  if (authMode === 'infisical-machine-identity') {
+    checks.push({
+      name: 'RRR_INFI_CID present',
+      ok: !!process.env.RRR_INFI_CID,
+      detail: process.env.RRR_INFI_CID ? 'present' : 'missing locally (Infisical Universal Auth client ID)'
+    });
+    checks.push({
+      name: 'RRR_INFI_CS present',
+      ok: !!process.env.RRR_INFI_CS,
+      detail: process.env.RRR_INFI_CS ? 'present' : 'missing locally (Infisical Universal Auth client secret)'
+    });
+    const infiCli = execCapture('infisical', ['--version']);
+    checks.push({
+      name: 'infisical CLI available',
+      ok: infiCli.ok,
+      detail: infiCli.output || 'not installed locally; coordinator runtime must install it'
+    });
+  } else if (authMode === 'claude-code-subscription') {
     const credsPath = path.join(os.homedir(), '.claude', '.credentials.json');
     const localCreds = fs.existsSync(credsPath);
     checks.push({

package/scripts/rrr-team-mode.js CHANGED Viewed

@@ -189,7 +189,9 @@ function main() {
     if (command === 'provision-sprites') {
       const options = {
         teams: args.teams,
-        team: args.team
+        team: args.team,
+        infisicalProjectId: args['infisical-project-id'],
+        infisicalEnv: args['infisical-env']
       };
       if (args.apply === true || args.apply === 'true') {
         const result = applySpriteProvisionPlan(projectRoot, options);
@@ -226,6 +228,10 @@ function main() {
         provider: args.provider,
         name: args.name,
         authMode: args['auth-mode'] || args.authMode,
+        infisicalProjectId: args['infisical-project-id'],
+        infisicalEnv: args['infisical-env'],
+        infisicalDomain: args['infisical-domain'],
+        infisicalSecrets: splitCsv(args['infisical-secrets']),
         aiGatewayAccountId: args['ai-gateway-account-id'] || args['cf-account-id'],
         aiGatewayId: args['ai-gateway-id'],
         aiGatewayAuthenticated: args['ai-gateway-authenticated'] === true || args['ai-gateway-authenticated'] === 'true'
@@ -233,6 +239,9 @@ function main() {
       console.log(`Wrote ${path.relative(projectRoot, path.join(result.dir, 'COORDINATOR.json'))}`);
       console.log(`Wrote ${path.relative(projectRoot, path.join(result.dir, 'README.md'))}`);
       console.log(`Auth mode: ${result.config.auth.mode}`);
+      if (result.config.auth && result.config.auth.infisical) {
+        console.log(`Infisical: ${result.config.auth.infisical.project_id || '(unset)'}@${result.config.auth.infisical.env}`);
+      }
       if (result.config.ai_gateway) {
         console.log(`AI Gateway: ${result.config.ai_gateway.anthropic_base_url}`);
       }