This repository was archived by the owner on May 14, 2026. It is now read-only.

514-1516: rotate API keys across parallel runs and warn on undersized pools (#91)

Merged: oatsandsugar merged 2 commits into main from claude/dreamy-joliot-f22600 on May 4, 2026


@oatsandsugar oatsandsugar commented Apr 30, 2026

Summary

  • Adds KeyPools — a per-provider round-robin pool of API keys — so a matrix run with --parallel > 1 does not all hit a single key.
  • Users supply multiple keys via the new plural env vars ANTHROPIC_API_KEYS, OPENAI_API_KEYS, CURSOR_API_KEYS (comma-separated).
  • When parallelism exceeds the pool size, the CLI prints a stderr warning and proceeds.
  • Each container gets exactly one provider key on the singular env var it reads; the plural list is never forwarded into containers.
  • Preflight validates every key in every relevant pool against the provider API, in parallel, before any Docker work.

Closes Linear 514-1516.

Honest scope

Anthropic rate limits apply at the organization level, not per key. Two keys from the same Anthropic org share one rate-limit pool, so multi-key rotation only adds real capacity when the keys come from different organizations. The warning text and README / AGENTS / skill docs say this explicitly so users do not get a false sense of safety from setting ANTHROPIC_API_KEYS=k1,k2 with two keys from the same account.

For more capacity within a single organization (the common case), the actual fixes are:

  • Raise the Anthropic usage tier (more deposit → higher RPM/ITPM/OTPM)
  • Lower --parallel
  • Add 429 retry/backoff in the agent harness
  • Add a token-bucket rate limiter in the CLI

Those last two are AXP follow-ups, tracked on the Linear ticket.

What this PR is good for

  • Cross-org rotation when 514 has access to keys from multiple Anthropic orgs (e.g., a team account + a sandbox account, or per-engineer keys)
  • Removing the per-key rate-limit footgun on OpenAI and Cursor where the same plumbing applies
  • Setting the foundation that AXP can build proper rate-limit handling on top of (token bucket per pool, etc.)

Test plan

  • cargo test — 72 unit + 11 e2e + 2 integration tests pass
  • cargo clippy --all-targets clean
  • Manual: dec-bench run --matrix --parallel 2 with ANTHROPIC_API_KEYS=a,b set — confirm each container env carries one key and they alternate
  • Manual: --parallel 2 with only singular ANTHROPIC_API_KEY set — see warning, run still proceeds
  • Single-run mode unchanged

Release

This changes CLI runtime behavior. Per .claude/CLAUDE.md, after merge bump apps/cli/Cargo.toml and cut a release so the install script picks up the new binary.

🤖 Generated with Claude Code

… pools

Adds KeyPools, a per-provider round-robin pool of API keys, so a matrix
run with --parallel > 1 no longer hammers a single key. Users can supply
multiple keys via the new plural env vars (ANTHROPIC_API_KEYS,
OPENAI_API_KEYS, CURSOR_API_KEYS, comma-separated); when only the
singular *_API_KEY is set and parallelism > 1, the CLI prints a warning
to stderr and proceeds.

Each container gets exactly one provider key (the one assigned by the
round-robin cursor), set on the singular env var the agent reads — the
plural list is never forwarded into containers. Preflight validates
every key in every relevant pool against the provider API in parallel
before any Docker work.

Out of scope and tracked for AXP: 429 retry/backoff in agent harnesses,
cross-process coordination for the "two terminals, one key" case, and
token-bucket rate limiting.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
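
The rotation described in the PR summary and in the commit message above, as an added sketch that is not the PR's code: `KeyPool`, `from_values`, `undersized_warning` and `container_env` are hypothetical names, the plural-over-singular precedence and the warning wording are assumptions, and the key values are constructed placeholders.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};

/// Hypothetical stand-in for the PR's KeyPools (one provider shown).
pub struct KeyPool {
    singular_var: &'static str, // variable the agent inside the container reads
    keys: Vec<String>,
    cursor: AtomicUsize,
}

/// Trim one entry and drop it if empty (tolerates "a, b," style input).
fn clean(s: &str) -> Option<String> {
    Some(s.trim()).filter(|k| !k.is_empty()).map(String::from)
}

impl KeyPool {
    /// Assumed precedence: the comma-separated plural value wins, else the singular key.
    pub fn from_values(var: &'static str, plural: Option<&str>, singular: Option<&str>) -> Option<Self> {
        let mut keys: Vec<String> = plural.unwrap_or("").split(',').filter_map(clean).collect();
        if keys.is_empty() {
            keys.extend(singular.and_then(clean));
        }
        if keys.is_empty() {
            return None;
        }
        Some(Self { singular_var: var, keys, cursor: AtomicUsize::new(0) })
    }

    /// Warning text for stderr when parallel runs outnumber keys; the run still proceeds.
    pub fn undersized_warning(&self, parallel: usize) -> Option<String> {
        let n = self.keys.len();
        (parallel > n).then(|| format!("warning: --parallel {} exceeds {} key(s) for {}", parallel, n, self.singular_var))
    }

    /// Environment for one container: exactly one key, on the singular variable only.
    pub fn container_env(&self) -> (&'static str, String) {
        let i = self.cursor.fetch_add(1, Ordering::Relaxed) % self.keys.len();
        (self.singular_var, self.keys[i].clone())
    }
}

fn main() {
    // Constructed placeholder values, not real credentials.
    let pool = KeyPool::from_values("ANTHROPIC_API_KEY", Some("key-a, key-b"), None).unwrap();
    if let Some(w) = pool.undersized_warning(3) {
        eprintln!("{}", w);
    }
    for run in 0..3 {
        let (var, key) = pool.container_env();
        println!("run {}: {}=<redacted, {} chars>", run, var, key.len());
    }
}
```
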
linear Bot commented Apr 30, 2026

vercel Bot commented Apr 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
agent-evals-web Ready Ready Preview, Comment Apr 30, 2026 6:38pm

github-actions Bot commented Apr 30, 2026

Preview CLI build for 0.2.2-preview.pr.91.59b1c9a is ready.

DEC_BENCH_INSTALL_VERSION=preview-pr-91-59b1c9a curl -fsSL https://raw.githubusercontent.com/514-labs/agent-evals/59b1c9ac4f2e7ea38e0fd2f604635f66d3792c05/install.sh | sh

Release: https://github.com/514-labs/agent-evals/releases/tag/preview-pr-91-59b1c9a

Version policy:

  • crate version: 0.2.2
  • release tag: v0.2.2
  • preview tag: preview-pr-91-59b1c9a
  • default image suffix: v0.2.2

Anthropic rate limits are per-organization, not per-key (per the docs at
docs.anthropic.com/en/api/rate-limits). Two keys from the same org share
one pool, so multi-key rotation only adds capacity when the keys come
from different organizations.

Update the warning text and README/AGENTS/skill docs to say so plainly,
including the same-org alternatives (raise tier, lower --parallel). The
plumbing in the previous commit is unchanged — it remains correct for
the cross-org case.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@oatsandsugar oatsandsugar merged commit 965d670 into main May 4, 2026
17 checks passed