diff --git a/.gitignore b/.gitignore
index 40656fa..cb7e86d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@
 .omc
 .obsidian
 /docs/test-screenshots/
+.gstack/
diff --git a/crates/agentkeys-provisioner/src/orchestrator.rs b/crates/agentkeys-provisioner/src/orchestrator.rs
index 972c024..3dff5cc 100644
--- a/crates/agentkeys-provisioner/src/orchestrator.rs
+++ b/crates/agentkeys-provisioner/src/orchestrator.rs
@@ -1,14 +1,14 @@
 use std::collections::HashMap;
-use std::path::Path;
+use std::path::{Path, PathBuf};
 use std::sync::{Arc, Mutex};
-use std::time::Instant;
+use std::time::{Instant, SystemTime, UNIX_EPOCH};
 
 use agentkeys_core::backend::CredentialBackend;
 use agentkeys_types::{ProvisionEvent, ServiceName, Session, TripwireKind, WalletAddress};
 
 use crate::error::{ProvisionError, ProvisionResult};
 use crate::metrics::{self, ProvisionMetric, VerificationResultLabel};
-use crate::subprocess::{spawn_and_collect, SubprocessConfig};
+use crate::subprocess::{spawn_and_collect, SubprocessConfig, SubprocessOutcome};
 
 #[derive(Debug, Clone)]
 pub struct ActiveProvision {
@@ -86,6 +86,37 @@ impl Drop for ProvisionGuard {
     }
 }
 
+/// Best-effort dump of subprocess output to `~/.agentkeys/logs/provision-<service>-<ts>.log`.
+/// Returns the file path if the write succeeded. Never errors — failure to write the log
+/// must not mask the underlying provision failure.
+fn write_provision_log(service: &str, outcome: &SubprocessOutcome) -> Option<PathBuf> {
+    let home = std::env::var("HOME").ok().map(PathBuf::from)?;
+    let dir = home.join(".agentkeys").join("logs");
+    std::fs::create_dir_all(&dir).ok()?;
+    let ts = SystemTime::now().duration_since(UNIX_EPOCH).ok()?.as_secs();
+    let safe_service: String = service
+        .chars()
+        .map(|c| if c.is_ascii_alphanumeric() || c == '-' || c == '_' { c } else { '_' })
+        .collect();
+    let path = dir.join(format!("provision-{}-{}.log", safe_service, ts));
+
+    let mut body = String::new();
+    body.push_str(&format!(
+        "service: {}\nexit_code: {:?}\nevents_emitted: {}\n\n=== subprocess stdout events ===\n",
+        service,
+        outcome.exit_code,
+        outcome.events.len()
+    ));
+    for ev in &outcome.events {
+        body.push_str(&format!("{:?}\n", ev));
+    }
+    body.push_str("\n=== subprocess stderr ===\n");
+    body.push_str(&outcome.stderr);
+
+    std::fs::write(&path, body).ok()?;
+    Some(path)
+}
+
 /// Returns first 8 chars + `****...` + last 4. For keys shorter than 12 chars returns `****`.
 pub fn mask_key(key: &str) -> String {
     if key.len() < 12 {
@@ -190,7 +221,26 @@ pub async fn run_provision(
     }
 
     let raw_key = api_key.ok_or_else(|| {
-        ProvisionError::Internal("subprocess ended without terminal event".to_string())
+        let stderr_tail: String = outcome
+            .stderr
+            .lines()
+            .rev()
+            .take(20)
+            .collect::<Vec<_>>()
+            .into_iter()
+            .rev()
+            .collect::<Vec<_>>()
+            .join("\n");
+        let log_hint = match write_provision_log(service, &outcome) {
+            Some(path) => format!("full log: {}", path.display()),
+            None => "full log: (unable to write ~/.agentkeys/logs — check HOME + permissions)".to_string(),
+        };
+        ProvisionError::Internal(format!(
+            "subprocess ended without terminal event (exit {:?}). {}. stderr tail:\n{}",
+            outcome.exit_code,
+            log_hint,
+            if stderr_tail.is_empty() { "(empty)" } else { stderr_tail.as_str() }
+        ))
     })?;
 
     let masked = mask_key(&raw_key);
diff --git a/docs/manual-test-stage5.md b/docs/manual-test-stage5.md
index 47d8aca..1828615 100644
--- a/docs/manual-test-stage5.md
+++ b/docs/manual-test-stage5.md
@@ -30,70 +30,143 @@ For the demo-only purpose of Stage 5, the goal is the **shortest path to a runni
 
 > **This is a temporary demo solution.** For production (v0.1), the agent mailbox moves to SES-hosted `*@agentkeys-email.io` under the three-layer `TokenAuthority` abstraction. See the [email-system wiki page](../wiki/email-system.md) for the full architecture and why we're running demo-and-production on different backends deliberately.
 
-#### 🚀 Demo path: dedicated personal Gmail + TOTP + app password
+#### 🚀 Demo path: your existing Gmail + plus-addressing + app password
 
-Why dedicated (not your personal inbox with plus-addressing): the agent gets a clean inbox it fully controls, no personal mail pollution, cleanup is a single account-delete.
+Why plus-addressing as the primary demo path:
 
-**1. Create a fresh Gmail account for the bot.**
+- **Unique email per run.** OpenRouter's sign-up/sign-in page is a single URL — if you submit an email that already has an account, you land on a returning-user screen the scraper was not designed to traverse, and the provision fails with a `no terminal event`-style error. `you+or-<timestamp>@gmail.com` is a fresh address to OpenRouter on every run, so every run hits the pristine signup path.
+- **Zero account creation.** Uses your existing Gmail — no new Google account, no new phone verification.
+- **Single inbox to clean up.** The OpenRouter confirmation mail lands in your real inbox; delete one thread after the demo and you're done.
+- **Scales to repeat testing.** Rotate the local-part (`+or-1`, `+or-2`, …) or include a timestamp and you have DWD-equivalent disposable emails without building DWD.
 
-Sign up at [accounts.google.com](https://accounts.google.com) with a name like `wildmeta-stage5-demo@gmail.com`. Google will ask for a recovery phone — use your personal phone; you only need it once for step 2.
+**1. Generate a Gmail app password for IMAP.**
 
-**2. Enable 2-Step Verification and enroll TOTP as the second factor.**
+- Requires 2FA enabled on your Google account. If not already enabled: [myaccount.google.com](https://myaccount.google.com) → Security → turn on 2-Step Verification (TOTP or SMS is fine; enrollment is a one-time cost).
+- Visit [myaccount.google.com/apppasswords](https://myaccount.google.com/apppasswords). Create one named `agentkeys-stage5`. Google gives you a 16-character password.
+- Copy immediately — it's shown once. Revoke anytime from the same page.
 
-Gmail IMAP access chain: `app password` requires `2FA enabled` requires `second factor enrolled`. Using an authenticator app as that second factor makes the account non-interactive after this one-time enrollment.
+**2. Export the env vars.**
 
-- Open [myaccount.google.com](https://myaccount.google.com) → **Security**
-- **Turn on 2-Step Verification.** Google sends an SMS to your recovery phone to start enrollment.
-- Under 2-Step Verification settings, add **Authenticator app** as a second step. Google shows a QR code and a secret.
-- Scan into Google Authenticator / Authy / 1Password / Bitwarden / whatever TOTP client you already use. You now own the second factor.
-- (Optional) once TOTP is active, you can drop SMS as a 2FA method — Google keeps the phone for account recovery but stops using it as a live second factor.
+The scraper splits **IMAP login** from **signup email**. Set both:
 
-**3. Generate an app password for IMAP.**
+```bash
+export AGENTKEYS_EMAIL_BACKEND=gmail
 
-- Visit [myaccount.google.com/apppasswords](https://myaccount.google.com/apppasswords).
-- Create one named "agentkeys-stage5". Google gives you a 16-character password.
-- Copy it immediately — it's shown once. Revoke anytime from the same page.
+# IMAP login — must be the canonical Gmail address.
+export AGENTKEYS_EMAIL_USER="you@gmail.com"
+export AGENTKEYS_EMAIL_PASSWORD="xxxx xxxx xxxx xxxx"   # 16-char app password
 
-**4. Export the four env vars.**
+# What we type into OpenRouter's signup form.
+# Plus-addressed alias so OpenRouter sees a brand-new email per run;
+# mail is still delivered to you@gmail.com.
+export AGENTKEYS_SIGNUP_EMAIL="you+or-$(date +%s)@gmail.com"
 
-```bash
-export AGENTKEYS_EMAIL_BACKEND=gmail
-export AGENTKEYS_EMAIL_USER="wildmeta-stage5-demo@gmail.com"   # the bot account from step 1
-export AGENTKEYS_EMAIL_PASSWORD="xxxx xxxx xxxx xxxx"          # 16-char app password from step 3
 export AGENTKEYS_EMAIL_HOST="imap.gmail.com"
 export AGENTKEYS_EMAIL_PORT="993"
 ```
 
+> **Why two email vars.** `AGENTKEYS_EMAIL_USER` is the IMAP login — Gmail IMAP only accepts your canonical address (plus-addressing aliases are rejected at login). `AGENTKEYS_SIGNUP_EMAIL` is what we fill into the service's sign-up form — plus-addressing works there because SMTP delivery honors the `+alias` suffix. If `AGENTKEYS_SIGNUP_EMAIL` is unset, the scraper falls back to `AGENTKEYS_EMAIL_USER` — which is fine for a dedicated bot account (see alternative below) but guarantees a "account already exists" collision if you reuse a canonical address across runs.
+
 Once the app password is set, the demo sees **zero 2FA prompts**. App passwords bypass 2FA by design — they're Google's non-interactive credential, scoped to IMAP only, revocable anytime.
 
-**5. Daemon running and paired** — see the Stage 4 manual test guide.
+**3. Build binaries + install provisioner-script deps (one-time).**
+
+```bash
+cd ~/Projects/agentkeys
+cargo build --workspace --release
+npm install --prefix provisioner-scripts
+npx playwright install chromium --with-deps
+```
 
 <details>
-<summary>Alternative: Google Workspace DWD (for operators with an existing Workspace subscription)</summary>
+<summary>Alternative: dedicated throwaway Gmail (cleanest but more setup)</summary>
 
-See [`docs/stage5-workspace-email-setup.md`](stage5-workspace-email-setup.md). That path mints a throwaway `stage5test-<timestamp>@wildmeta.ai` per run, reads its inbox via the Gmail API (no app password, no interactive OAuth), and deletes the user at the end. One-time ~20-minute admin setup + currently 3-5 days of code work to replace the `imapflow` fetcher with a Gmail-API fetcher that uses DWD impersonation. Longer upfront cost than the dedicated-Gmail demo path, but the right choice for enterprise deployments that already run Workspace.
+Create a fresh bot Gmail (`wildmeta-stage5-demo@gmail.com`), enable 2FA + TOTP, generate an app password. Set `AGENTKEYS_EMAIL_USER` to the bot address; leave `AGENTKEYS_SIGNUP_EMAIL` unset. One-time ~10 minutes setup; gives you a fully controlled inbox with no personal-mail pollution. Re-runs need `--force` or account-delete between attempts because the bot address itself will collide.
 
 </details>
 
 <details>
-<summary>Alternative: plus-addressed personal Gmail (shared-inbox quick demo)</summary>
+<summary>Alternative: Google Workspace DWD (for operators with an existing Workspace subscription)</summary>
 
-If you don't want to create a dedicated account and are OK with one-off OpenRouter mail landing in your real inbox, plus-addressing on your existing Gmail works for a single demo run.
+See [`docs/stage5-workspace-email-setup.md`](stage5-workspace-email-setup.md). That path mints a throwaway `stage5test-<timestamp>@wildmeta.ai` per run, reads its inbox via the Gmail API (no app password, no interactive OAuth), and deletes the user at the end. One-time ~20-minute admin setup + currently 3-5 days of code work to replace the `imapflow` fetcher with a Gmail-API fetcher that uses DWD impersonation. Right choice for enterprise deployments that already run Workspace; overkill for the demo.
 
-1. **Your existing personal Gmail account** — plus-addressing is a Gmail-native feature: mail sent to `you+anything@gmail.com` is delivered to `you@gmail.com` without any configuration. A single inbox supports unlimited test aliases (`you+stage5test-20260418@gmail.com`).
-2. **Gmail app password** (not your regular password) — generate at https://myaccount.google.com/apppasswords. Scoped to IMAP access only; revoke after the demo.
-3. **Environment:**
-   ```bash
-   export AGENTKEYS_EMAIL_BACKEND=gmail
-   export AGENTKEYS_EMAIL_USER="you@gmail.com"      # your real Gmail; Stage 5a appends +alias at signup
-   export AGENTKEYS_EMAIL_PASSWORD="<app password>" # NOT your normal Google password
-   export AGENTKEYS_EMAIL_HOST="imap.gmail.com"
-   export AGENTKEYS_EMAIL_PORT="993"
-   ```
+</details>
 
-Downside: the agent doesn't fully control the inbox (shared with the human), and the OpenRouter confirmation email lingers in your personal mail until you delete it.
+### Run it
 
-</details>
+Two terminals. Everything runs from the repo root (`~/Projects/agentkeys`).
+
+**Terminal 1 — mock backend.** Stage 5a stores the provisioned key via the mock server (real Heima + TEE ships in v0.1). Leave this running.
+
+```bash
+cd ~/Projects/agentkeys
+cargo run --release -p agentkeys-mock-server -- --port 8090
+# Expected: "Mock server running on port 8090"
+```
+
+**Terminal 2 — provision.** Carry the Gmail env vars from step 2 into this shell (or re-`export` them here). Note: if you are using plus-addressing, **re-evaluate `AGENTKEYS_SIGNUP_EMAIL` for every run** so the timestamp is fresh and OpenRouter sees a new email — otherwise your second run will collide with the first run's account.
+
+```bash
+cd ~/Projects/agentkeys
+BIN=$(pwd)/target/release/agentkeys
+BACKEND=http://127.0.0.1:8090
+
+# 1. Initialize the master session (one-time per shell / mock restart).
+$BIN --backend $BACKEND init --mock-token stage5-demo
+# Expected: wallet printed; ~/.agentkeys/master/session.json created.
+
+# 2. Sanity-check the email env vars landed in this shell.
+env | grep -E 'AGENTKEYS_(EMAIL|SIGNUP)_'
+# Expected: AGENTKEYS_EMAIL_{BACKEND,USER,PASSWORD,HOST,PORT} and AGENTKEYS_SIGNUP_EMAIL.
+# If AGENTKEYS_SIGNUP_EMAIL is missing, the scraper falls back to AGENTKEYS_EMAIL_USER,
+# which will hit "account already exists" on the second run against OpenRouter.
+
+# 3. Re-seed a fresh signup alias for this run (plus-addressing path only).
+export AGENTKEYS_SIGNUP_EMAIL="you+or-$(date +%s)@gmail.com"
+
+# 4. Run the live OpenRouter provision.
+$BIN --backend $BACKEND provision openrouter
+# Expect ~30-90 s: browser opens headless, account created,
+# email verified, API key extracted + verified, stored in the mock backend.
+```
+
+**What this does under the hood:**
+
+- `init` authenticates the master CLI to the mock backend and caches the session token (OS keychain on macOS/Linux with keychain, file fallback otherwise).
+- `provision openrouter` runs `npx tsx provisioner-scripts/src/scrapers/openrouter.ts` against a real Chromium session, uses the Gmail IMAP creds from your exported env to read the confirmation email, extracts + verifies the key against `https://openrouter.ai/api/v1/models`, and stores it into the mock backend under the master session's wallet.
+- No daemon, no pairing — Stage 5a provision runs entirely as the master CLI. Daemon + pairing are Stage 4's flow for agent-side credential access, not needed for the live provision demo.
+
+**After it succeeds:**
+
+```bash
+# Read the full stored key back.
+$BIN --backend $BACKEND read openrouter
+# Expected: sk-or-v1-...
+
+# Verify it works against OpenRouter.
+curl -s -H "Authorization: Bearer $($BIN --backend $BACKEND read openrouter)" \
+  https://openrouter.ai/api/v1/models | head -c 200
+# Expected: HTTP 200 + a JSON body starting with {"data":[...
+```
+
+**Artifacts you can inspect:**
+
+- `~/.agentkeys/master/session.json` — the master session (wallet + bearer token).
+- `~/.agentkeys/logs/provision-openrouter-<unix_ts>.log` — **written automatically when a provision fails with "no terminal event."** Contains the exit code, every event the subprocess emitted, and the full captured stderr. `ls -lt ~/.agentkeys/logs/ | head` to find the most recent.
+- Stderr of `provision openrouter` — the single-shot step lines shown under "Expected behavior" below.
+
+**Debugging a failure:**
+
+1. Check the error message on stderr — if it ends with `full log: /path/to/provision-openrouter-<ts>.log`, that file has the full signal.
+2. `cat` the log file. The `=== subprocess stderr ===` section usually shows the real cause (Playwright browser-launch error, IMAP connection refused, an unhandled rejection from the pattern, etc.).
+3. For interactive debugging, run the TS scraper directly against a visible browser:
+   ```bash
+   # Temporarily flip headless:false at provisioner-scripts/src/scrapers/openrouter.ts:~116,
+   # then:
+   cd ~/Projects/agentkeys
+   npx tsx provisioner-scripts/src/scrapers/openrouter.ts
+   ```
+   You'll see the page in real time — instant diagnosis for selector drift, returning-user UI paths, or CAPTCHA challenges.
 
 ### Expected behavior
 
@@ -116,6 +189,8 @@ Downside: the agent doesn't fully control the inbox (shared with the human), and
 
 ### Failure modes to watch for
 
+- **"subprocess ended without terminal event"** — the scraper crashed before emitting any event (Playwright browser-launch failed, IMAP connection refused, unhandled rejection, etc.). The error message now ends with `full log: ~/.agentkeys/logs/provision-openrouter-<ts>.log` — open that file; the `=== subprocess stderr ===` section has the real cause. If stderr is empty, re-run the TS scraper directly with `npx tsx provisioner-scripts/src/scrapers/openrouter.ts` and watch the node-side output.
+- **"account already exists" (returning-user path)** — OpenRouter's `/auth` is signup+signin on one URL. If `AGENTKEYS_SIGNUP_EMAIL` is an address that already has an OpenRouter account, the site lands on a returning-user UI the scraper can't traverse, and you'll get a `selector_timeout` tripwire or (if the path is weirder) a "no terminal event." Re-evaluate `AGENTKEYS_SIGNUP_EMAIL` with a fresh timestamp (`you+or-$(date +%s)@gmail.com`) and retry.
 - **CAPTCHA / Cloudflare challenge** — the Tier 2 script does not solve CAPTCHAs. Expect a Tripwire event with `kind: selector_timeout`. This is the signal that Stage 5b's agentic fallback is needed. Until 5b ships, abort and retry from a different IP.
 - **Email didn't arrive within 60 s** — check spam, check plus-addressing forwarding. Tripwire `email_timeout` means the IMAP fetch exhausted its polling window.
 - **Key verification fails with `phantom`** — the scraper extracted something key-shaped that isn't a real API key. OpenRouter may have changed its DOM; inspect the page at the success-step selector and file an issue with the HAR dump.
@@ -206,17 +281,78 @@ These are slop markers. Apply the suggested `cargo clippy --fix` or hand-replace
 
 ---
 
-## 4. What to do when Stage 5b lands
+## 4. Stage 5b — CDP-connected real-Chrome scraper (partial: proven working, blocked on email duplicate)
+
+### What's landed
 
-When Stage 5b ships (agentic fallback, `/agentkeys-record-scraper` skill, script-generation loop), this document will grow:
+- **[provisioner-scripts/src/scrapers/openrouter-cdp.ts](../provisioner-scripts/src/scrapers/openrouter-cdp.ts)** — connects to a user-launched real Chrome via `chromium.connectOverCDP()`, drives the OpenRouter Clerk-hosted signup form, polls Gmail IMAP for the OTP code, mints a new key on `/keys`, prints the `sk-or-v1-*` value on stdout.
+- **Why CDP, not Playwright-launched Chromium:** Playwright's bundled Chromium ships with `--enable-automation` baked in. Cloudflare Turnstile detects this at runtime (error **600010** — "browser execution environment suspicious") and refuses to issue a token even when a human clicks the checkbox. Connecting to a user-launched *real* Chrome bypasses this because the browser process has no automation flags. Verified 2026-04-20: Turnstile passes invisibly in real Chrome, Clerk backend returns normal responses.
 
+### How to run (when you have a fresh-to-OpenRouter email)
+
+1. **Launch real Chrome with CDP enabled** (fresh profile, separate from your daily browsing):
+   ```bash
+   /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
+     --remote-debugging-port=9222 \
+     --user-data-dir=/tmp/agentkeys-chrome-profile &
+   ```
+   A blank Chrome window opens. Don't navigate it manually — the scraper drives it.
+
+2. **Export env** (Gmail IMAP creds + a signup email OpenRouter hasn't seen):
+   ```bash
+   export AGENTKEYS_EMAIL_BACKEND=gmail
+   export AGENTKEYS_EMAIL_USER="you@gmail.com"                   # canonical IMAP login
+   export AGENTKEYS_EMAIL_PASSWORD="<gmail app password>"
+   export AGENTKEYS_EMAIL_HOST="imap.gmail.com"
+   export AGENTKEYS_EMAIL_PORT="993"
+   export AGENTKEYS_SIGNUP_EMAIL="<NEW-address-OpenRouter-hasnt-seen>"
+   export AGENTKEYS_SIGNUP_PASSWORD="<strong-random>"
+   ```
+
+3. **Run the scraper:**
+   ```bash
+   cd ~/Projects/agentkeys
+   node --import tsx/esm provisioner-scripts/src/scrapers/openrouter-cdp.ts
+   ```
+   Last stdout line is the `sk-or-v1-*` key. Stderr shows `[cdp] <time> <step>` progress lines.
+
+4. **Store via the CLI:**
+   ```bash
+   $BIN --backend $BACKEND store openrouter <KEY>
+   $BIN --backend $BACKEND read openrouter
+   curl -H "Authorization: Bearer $(... read openrouter)" https://openrouter.ai/api/v1/models
+   ```
+
+### Known blocker — WHY "a fresh-to-OpenRouter email" is non-trivial today
+
+OpenRouter's Clerk integration **normalizes Gmail / Workspace plus-aliases** to the canonical address when checking for duplicates. If `agent@wildmeta.ai` already has an OpenRouter account, every plus-aliased variant (`agent+or-<ts>@wildmeta.ai`, `agent+stage5b@wildmeta.ai`, etc.) gets rejected with:
+
+> This email address is already in use. Creating multiple accounts with the same email address is not allowed.
+
+Only a **different canonical local-part** passes (e.g. `bot-42@wildmeta.ai` is fine if no one has used it; `agent+42@wildmeta.ai` is not because it normalizes to `agent@wildmeta.ai`).
+
+### Pickup plan — blocked on Stage 6
+
+This unblocks when Stage 6 ships its **throwaway inbox provisioning API** (see [`docs/spec/plans/development-stages.md`](./spec/plans/development-stages.md) §Stage 6 deliverables). Stage 6 mints distinct local-parts like `bot-<random>@agentkeys-email.io` per call, Clerk-normalization-proof because each has a unique local-part. The pickup checklist:
+
+- [ ] Stage 6 SES stack deployed (`agentkeys-email.io` verified, MX/DKIM/SPF live, S3 bucket + IAM OIDC provider + bucket policy per §Stage 6)
+- [ ] `agentkeys inbox provision` CLI mints a `<id>@agentkeys-email.io` and returns the address
+- [ ] `provisioner-scripts/src/lib/email.ts` has an SES-S3 reader variant that reads messages for the provisioned address
+- [ ] Set `AGENTKEYS_SIGNUP_EMAIL` to the provisioned address + point the IMAP fetcher at the SES-S3 reader
+- [ ] Re-run the CDP scraper per §4 step 3 above
+- [ ] Verify all four Stage 5a acceptance criteria pass with the resulting key
+- [ ] Promote the scraper from `provisioner-scripts/src/scrapers/openrouter-cdp.ts` to the default OpenRouter provisioner (delete or archive the Turnstile-blocked `openrouter.ts`)
+
+See [`docs/manual-test-stage6.md`](./manual-test-stage6.md) for the Stage 6 manual demo once that stage lands.
+
+### What's also deferred past the CDP scraper (original Stage 5b scope)
+
+Still-future pieces of the original Stage 5b agentic-fallback design:
 - A new demo path that triggers the agentic fallback via a failing Tier 2 script (expected Tripwire → Tier 3 engagement).
 - A step for inspecting the audit JSONL at `~/.agentkeys/logs/provision-<timestamp>.jsonl`.
 - A `/agentkeys-record-scraper` walkthrough for adding a new service (Brave, Jina, etc.).
 - An assertion that the fallback→PR loop does **not** auto-submit for agent-driven callers (non-TTY).
 
-For now, Stage 5a with OpenRouter as the only deterministic scraper is the full surface.
-
 ---
 
 ## Summary checklist
diff --git a/docs/manual-test-stage6.md b/docs/manual-test-stage6.md
new file mode 100644
index 0000000..03cddfd
--- /dev/null
+++ b/docs/manual-test-stage6.md
@@ -0,0 +1,177 @@
+# Stage 6 Manual Test Guide
+
+**Prerequisite:** Stage 6 SES stack deployed OR the Stage 6 mock equivalent running locally (see [`docs/spec/plans/development-stages.md`](./spec/plans/development-stages.md) §Stage 6). Rust toolchain installed, Node.js 20+.
+
+> **Scope.** This guide covers Stage 6 — **Federated Own Email on `@agentkeys-email.io`**. It does NOT cover Stage 5b's CDP-scraper retest beyond the handoff section at the end — that's done per [`docs/manual-test-stage5.md`](./manual-test-stage5.md) §3 once the Stage 6 pieces this document covers are in place.
+
+Stage 6 has two tests that matter:
+
+1. **Throwaway inbox provisioning** — `agentkeys inbox provision` mints a fresh `<id>@agentkeys-email.io`, mail sent to it lands in the right S3 prefix, fetchable by the agent with correctly-tagged creds. This is what makes Stage 5b's live-demo re-run unblockable.
+2. **Per-user isolation** — agent A cannot read agent B's mail. Enforced by `aws:PrincipalTag/agentkeys_user_wallet` on the shared `agentkeys-mail` bucket.
+
+---
+
+## 1. Preflight
+
+```bash
+# Rust + Node + provisioner deps built
+cd ~/Projects/agentkeys
+cargo build --workspace --release
+npm install --prefix provisioner-scripts
+
+# Backend (mock or real TEE endpoint)
+BACKEND="${BACKEND:-http://127.0.0.1:8090}"
+curl -sf "$BACKEND/health" >/dev/null || {
+  echo "backend not up — run: cargo run --release -p agentkeys-mock-server -- --port 8090 &"
+  exit 1
+}
+
+BIN=$(pwd)/target/release/agentkeys
+$BIN --backend $BACKEND init --mock-token stage6-demo
+```
+
+**For the real SES path (not mock):** you also need:
+- DNS for `agentkeys-email.io` published (MX, Ed25519 DKIM CNAMEs, SPF, DMARC) per `docs/spec/ses-email-architecture.md`
+- S3 bucket `agentkeys-mail` with PrincipalTag-conditioned bucket policy
+- IAM OIDC provider `oidc.agentkeys.dev` registered
+- IAM role `agentkeys-agent` with trust policy on the OIDC provider + MRSIGNER pinning
+- TEE reachable + `derive("dkim/agentkeys-email.io/v1")` and `derive("oidc/issuer/v1")` subkeys present
+
+The mock equivalent stubs all of that to SQLite + a local HTTP server; both paths honor the same CLI surface.
+
+---
+
+## 2. The demo — provision a throwaway inbox + verify mail delivery
+
+```bash
+# Provision a fresh inbox (returns { address, agent_wallet })
+$BIN --backend $BACKEND inbox provision --agent my-agent
+# → e.g.: { "address": "bot-ax7kq@agentkeys-email.io", "agent_wallet": "0x..." }
+```
+
+Save the address:
+
+```bash
+INBOX=$(<output-from-above>)
+echo "provisioned: $INBOX"
+```
+
+**Send a test message** from any external mail source (use your own Gmail, Mailgun sandbox, or a `curl` to your own SMTP test relay):
+
+```bash
+# Example via `mail` on macOS (requires a local SMTP configured)
+echo "stage-6 test body" | mail -s "stage-6-$RANDOM" "$INBOX"
+```
+
+Or send from a real service's signup form if you want to validate end-to-end (e.g. paste `$INBOX` into the signup form at a simpler service and trigger a verification email).
+
+**Read the mail** — Claude drives the daemon:
+
+```bash
+$BIN --backend $BACKEND run my-agent -- \
+  claude-mcp-client email.list 2>&1 | jq
+# → shows the test message + its body
+
+$BIN --backend $BACKEND run my-agent -- \
+  claude-mcp-client email.get --id <msg-id-from-above>
+# → full MIME + parsed body
+```
+
+### Expected behavior
+
+1. `inbox provision` exits 0 and returns a JSON object with a `.address` matching `^bot-[a-z0-9]{6}@agentkeys-email.io$` (or whatever shape §Stage 6 commits to; acceptance is "distinct local-part per call, no plus-aliases").
+2. `email.list` from the agent returns a non-empty array within ≤30s of the test message being sent. The item's `to` field matches `$INBOX`.
+3. The raw MIME in `s3://agentkeys-mail/<agent_wallet>/<inbox_address>/*.eml` is present — verify with `aws s3 ls --profile agentkeys` or whatever read mechanism your deployment uses.
+4. An on-chain audit extrinsic `CredentialMinted` was emitted for the `s3.read` mint that serviced `email.list`.
+
+### Failure modes to watch for
+
+- **`inbox provision` 400 / "domain not verified"** — SES identity for `agentkeys-email.io` is not verified in this AWS account. Run `aws sesv2 get-email-identity --email-identity agentkeys-email.io`; if the DKIM / Identity records aren't `PENDING` → `SUCCESS`, publish DNS or re-trigger verification.
+- **Mail never appears in S3** — DNS MX record not pointing at `inbound-smtp.us-east-1.amazonaws.com`, OR the SES receipt rule isn't active, OR the S3 bucket's bucket policy denies SES write. `aws logs tail /aws/ses/<rule-set>` to debug.
+- **`email.list` returns AccessDenied** — the agent's minted JWT didn't carry `agentkeys_user_wallet` as a session tag, OR bucket policy's `${aws:PrincipalTag/agentkeys_user_wallet}` condition didn't match. Inspect the temp-cred claims via `aws sts get-caller-identity --profile <temp>`.
+- **DKIM fails at recipient** — the outbound-path test. Send a message from your agent to a real Gmail inbox; if it lands in Spam with "DKIM: fail", either (a) the Ed25519 DKIM key at `derive("dkim/agentkeys-email.io/v1")` doesn't match what's published in DNS, or (b) the DKIM header isn't being added before SES hands the MIME to the outbound MTA.
+
+---
+
+## 3. Per-user isolation test
+
+```bash
+# Provision a second agent + inbox
+$BIN --backend $BACKEND inbox provision --agent other-agent
+OTHER_WALLET=$(... extract the wallet from the previous output)
+
+# First agent attempts to read second agent's inbox prefix — must fail
+$BIN --backend $BACKEND run my-agent -- \
+  claude-mcp-client email.list --agent "$OTHER_WALLET" 2>&1
+# → AccessDenied OR "DENIED session does not own agent"
+```
+
+**Expected:** the cross-agent read is refused at either our backend (ownership check) or at AWS's bucket policy (`${aws:PrincipalTag/agentkeys_user_wallet}` mismatch). Either layer is sufficient; both firing is belt-and-suspenders.
+
+---
+
+## 4. Stage 5b live-demo re-run (the payoff)
+
+With Stage 6's throwaway-inbox API in place, Stage 5b's blocker from [`docs/manual-test-stage5.md`](./manual-test-stage5.md) §4 is resolved.
+
+Procedure:
+
+```bash
+# 1. Provision a throwaway inbox for this signup
+INBOX=$($BIN --backend $BACKEND inbox provision --agent stage5b-retest --json | jq -r .address)
+echo "signup email: $INBOX"
+
+# 2. Export it as the signup target for the CDP scraper
+export AGENTKEYS_SIGNUP_EMAIL="$INBOX"
+export AGENTKEYS_SIGNUP_PASSWORD="Stage5b-$(date +%s)-xZq9!okFg"
+
+# 3. Point the OTP fetcher at Stage 6's SES-S3 reader (not Gmail IMAP)
+export AGENTKEYS_EMAIL_BACKEND=ses-s3   # new value, see provisioner-scripts/src/lib/email.ts
+# (ses-s3 backend infers wallet + address from AGENTKEYS_SIGNUP_EMAIL and reads S3 directly)
+
+# 4. Launch real Chrome with CDP (same as Stage 5b)
+/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
+  --remote-debugging-port=9222 \
+  --user-data-dir=/tmp/agentkeys-chrome-profile &
+
+# 5. Run the CDP scraper
+cd provisioner-scripts
+node --import tsx/esm src/scrapers/openrouter-cdp.ts
+
+# 6. Store + verify
+$BIN --backend $BACKEND store openrouter "<KEY-FROM-STDOUT>"
+$BIN --backend $BACKEND read openrouter
+curl -sS -H "Authorization: Bearer $($BIN --backend $BACKEND read openrouter)" \
+  https://openrouter.ai/api/v1/models | head -c 40
+# → expect "{\"data\":["
+```
+
+All four Stage 5a live-demo acceptance criteria should pass. If any step fails, check [`docs/manual-test-stage5.md`](./manual-test-stage5.md) §Failure modes first.
+
+---
+
+## 5. What this does NOT cover (post-Stage 6)
+
+- **BYO custom domain** — `bots.theircompany.com` for enterprise users. Deferred per Stage 7+.
+- **BYO Workspace DWD** — the advanced `docs/stage5-workspace-email-setup.md` runbook remains valid for Workspace customers but is never the default path.
+- **Email drafts as HITL primitive** — daemon-side, per the broker-not-proxy thesis. Not Stage 6 scope.
+- **Labels / threads / search** — implemented daemon-side (MCP); not server features. Per [`wiki/email-system.md`](../wiki/email-system.md).
+
+---
+
+## Summary checklist
+
+- [ ] §2 demo passes: throwaway inbox provisioned, inbound mail received, agent reads it
+- [ ] §3 isolation test passes: cross-agent read denied
+- [ ] §4 Stage 5b re-run passes: `sk-or-v1-*` minted end-to-end with a Stage-6-provisioned inbox
+- [ ] DKIM verified by a real recipient (Gmail / Outlook / Fastmail)
+- [ ] Audit trail on chain: `agentkeys usage <agent> --filter email` shows the expected mint events
+
+## References
+
+- [`docs/spec/plans/development-stages.md`](./spec/plans/development-stages.md) §Stage 6 — deliverables + tests
+- [`docs/spec/ses-email-architecture.md`](./spec/ses-email-architecture.md) — SES architecture spec
+- [`wiki/email-system.md`](../wiki/email-system.md) — high-level email system overview
+- [`wiki/hosted-first.md`](../wiki/hosted-first.md) — why `@agentkeys-email.io` is the default
+- [`wiki/tag-based-access.md`](../wiki/tag-based-access.md) — PrincipalTag mechanism
+- [`docs/manual-test-stage5.md`](./manual-test-stage5.md) — Stage 5a + 5b guide (live demo unblocked by this stage)
diff --git a/docs/spec/plans/development-stages.md b/docs/spec/plans/development-stages.md
index 4dae267..99f95e0 100644
--- a/docs/spec/plans/development-stages.md
+++ b/docs/spec/plans/development-stages.md
@@ -896,6 +896,8 @@ See `docs/spec/ses-email-architecture.md` for the full spec. High-level:
 - [ ] Chain extrinsic pallet for `CredentialMinted` audit events
 - [ ] Daemon MCP tools wired to real minted creds
 - [ ] Stage 5's `provisioner-scripts` updated to read OTPs from the hosted inbox
+- [ ] **Throwaway inbox provisioning API** — on-demand mint of a fresh `<id>@agentkeys-email.io` address per caller. Acceptance: `POST /inbox/provision` (or `agentkeys inbox provision`) returns `{address, agent_wallet}` where `address` is a new locally-unique local-part under our hosted domain, Clerk-normalization-proof (distinct local-part, not plus-alias suffixes). Readable via the same `fetchVerificationCode`-style API as Stage 5, backed by the SES→S3→TEE-decrypt chain. Auto-cleanup or audit-logged revocation after the inbox is done serving signups.
+- [ ] **Stage 5b live-demo re-run against throwaway inbox** — once throwaway-inbox provisioning lands, the Stage 5b CDP scraper (`provisioner-scripts/src/scrapers/openrouter-cdp.ts`) is re-tested end-to-end: provision a throwaway `bot-N@agentkeys-email.io`, run the scraper with that as `AGENTKEYS_SIGNUP_EMAIL`, get a verified `sk-or-v1-*` key back. This closes the [`docs/manual-test-stage5.md`](../../../docs/manual-test-stage5.md) §3 pickup item. (Clerk rejects the Workspace-plus-alias flow as duplicate; only distinct local-parts work.)
 
 ### Tests
 
@@ -909,6 +911,8 @@ See `docs/spec/ses-email-architecture.md` for the full spec. High-level:
 | `email::jwt_without_wallet_claim_denied` | JWT missing `agentkeys_user_wallet` → `sts:AssumeRoleWithWebIdentity` fails per role trust policy |
 | `email::audit_emitted_on_mint` | Every SES/S3 credential mint emits a chain extrinsic with `(child, scope, operation, timestamp)` |
 | `email::grant_revocation_propagates` | Revoke user's email grant → next mint attempt fails within ≤6s |
+| `email::throwaway_inbox_provisioning` | `agentkeys inbox provision` returns a unique `<id>@agentkeys-email.io` address (distinct local-part per call, not plus-alias). A message sent to that address lands in `s3://agentkeys-mail/<wallet>/<address>/*.eml` and is readable via `fetchVerificationCode`. |
+| `email::stage5b_live_demo_rerun` | After a throwaway inbox is provisioned and set as `AGENTKEYS_SIGNUP_EMAIL`, the Stage 5b CDP scraper completes end-to-end: signup → Turnstile passes → OTP fetched → key minted → `agentkeys read openrouter` returns a `sk-or-v1-*` string → `curl /api/v1/models` returns HTTP 200. |
 
 ### Reviewer E2E Checklist
 
diff --git a/harness/stage-5a-live-demo-handoff.sh b/harness/stage-5a-live-demo-handoff.sh
new file mode 100755
index 0000000..d6d0325
--- /dev/null
+++ b/harness/stage-5a-live-demo-handoff.sh
@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+# Stage 5a live-demo one-shot handoff.
+# Preconditions checked up front; failures are loud; prints SUCCESS when
+# all four acceptance criteria pass.
+#
+# Usage (with AGENTKEYS_EMAIL_{BACKEND,USER,PASSWORD,HOST,PORT} exported;
+# AGENTKEYS_SIGNUP_EMAIL is auto-minted below if unset):
+#   cd ~/Projects/agentkeys
+#   bash harness/stage-5a-live-demo-handoff.sh
+set -uo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$REPO_ROOT"
+BIN="$REPO_ROOT/target/release/agentkeys"
+BACKEND="${BACKEND:-http://127.0.0.1:8090}"
+
+say()  { printf '\n\033[1;34m==>\033[0m %s\n' "$*"; }
+fail() { printf '\033[1;31mFAIL:\033[0m %s\n' "$*" >&2; exit 1; }
+pass() { printf '\033[1;32mPASS:\033[0m %s\n' "$*"; }
+
+say "Preflight — required env"
+: "${AGENTKEYS_EMAIL_BACKEND:?AGENTKEYS_EMAIL_BACKEND must be set (e.g. gmail)}"
+: "${AGENTKEYS_EMAIL_USER:?AGENTKEYS_EMAIL_USER must be set to the CANONICAL Gmail address (NOT a plus-alias; IMAP login only accepts canonical)}"
+: "${AGENTKEYS_EMAIL_PASSWORD:?AGENTKEYS_EMAIL_PASSWORD must be set (Gmail app password; NOT your normal Google password)}"
+: "${AGENTKEYS_EMAIL_HOST:?AGENTKEYS_EMAIL_HOST must be set (imap.gmail.com)}"
+: "${AGENTKEYS_EMAIL_PORT:?AGENTKEYS_EMAIL_PORT must be set (993)}"
+
+# Auto-mint a fresh single-plus alias for THIS run so OpenRouter never sees
+# a repeat email. Strip any existing +suffix on AGENTKEYS_EMAIL_USER first:
+# some email validators (including OpenRouter's) reject double-plus addresses
+# like agent+2026042001+or-...@wildmeta.ai and silently drop the signup. The
+# inbox delivery path doesn't care, but the signup form does.
+if [ -z "${AGENTKEYS_SIGNUP_EMAIL:-}" ]; then
+  RAW_LOCAL="${AGENTKEYS_EMAIL_USER%@*}"
+  CANONICAL_LOCAL="${RAW_LOCAL%%+*}"   # strip first + and everything after
+  DOMAIN="${AGENTKEYS_EMAIL_USER#*@}"
+  export AGENTKEYS_SIGNUP_EMAIL="${CANONICAL_LOCAL}+or-$(date +%s)@${DOMAIN}"
+  say "Auto-minted AGENTKEYS_SIGNUP_EMAIL=$AGENTKEYS_SIGNUP_EMAIL (stripped existing plus-alias before appending)"
+fi
+
+say "Preflight — binary exists"
+[ -x "$BIN" ] || fail "$BIN not found. Run: cargo build --release -p agentkeys-cli"
+
+say "Preflight — mock-server at $BACKEND is up"
+curl -sf "$BACKEND/health" >/dev/null 2>&1 \
+  || curl -sf "$BACKEND" >/dev/null 2>&1 \
+  || fail "mock-server not reachable at $BACKEND. Run: cargo run --release -p agentkeys-mock-server -- --port 8090 &"
+
+say "Preflight — node + playwright deps + chromium browser"
+command -v node >/dev/null || fail "node not on PATH"
+command -v npx  >/dev/null || fail "npx not on PATH"
+[ -d provisioner-scripts/node_modules ] \
+  || fail "provisioner-scripts deps missing. Run: npm install --prefix provisioner-scripts"
+# Playwright caches browsers under \$HOME/Library/Caches/ms-playwright on macOS;
+# a run-in-unusual-HOME provision will hit "browserType.launch: Executable
+# doesn't exist" unless they are installed under THIS \$HOME.
+if ! ls "${HOME}/Library/Caches/ms-playwright/chromium_headless_shell-"* >/dev/null 2>&1 \
+  && ! ls "${HOME}/.cache/ms-playwright/chromium_headless_shell-"* >/dev/null 2>&1; then
+  fail "Playwright chromium not installed under \$HOME=$HOME. Run: npx playwright install chromium --with-deps"
+fi
+
+say "1. Initialize master session"
+$BIN --backend $BACKEND init --mock-token stage5-live-demo || fail "init"
+
+say "2. Env snapshot (masking secrets)"
+env | grep -E 'AGENTKEYS_(EMAIL|SIGNUP)_' | sed 's/\(PASSWORD=\).*/\1***REDACTED***/'
+
+say "3. agentkeys provision openrouter"
+if ! $BIN --backend $BACKEND provision openrouter; then
+  EC=$?
+  echo "---exit=$EC---"
+  LOG=$(ls -t $HOME/.agentkeys/logs/provision-openrouter-*.log 2>/dev/null | head -1)
+  if [ -n "$LOG" ]; then
+    echo "=== most recent provision log: $LOG ==="
+    cat "$LOG"
+  else
+    echo "(no provision log written — orchestrator path unreachable)"
+  fi
+  fail "provision failed; inspect log above"
+fi
+
+say "4. AC#1-#3 — read full key back (exit 0 + masked-key form already checked above)"
+KEY=$($BIN --backend $BACKEND read openrouter) || fail "read openrouter"
+case "$KEY" in
+  sk-or-v1-*) pass "read returned key of correct prefix" ;;
+  *) fail "read returned unexpected prefix: $(echo "$KEY" | head -c 12)..." ;;
+esac
+
+say "5. AC#4 — curl OpenRouter /api/v1/models"
+HTTP_CODE=$(curl -sS -o /tmp/or-models.json -w '%{http_code}' \
+  -H "Authorization: Bearer $KEY" \
+  https://openrouter.ai/api/v1/models)
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "unexpected HTTP $HTTP_CODE"
+  head -c 500 /tmp/or-models.json
+  fail "OpenRouter /api/v1/models did not return 200"
+fi
+head -c 40 /tmp/or-models.json
+echo ''
+pass "OpenRouter /api/v1/models returned 200"
+
+say "ALL FOUR ACCEPTANCE CRITERIA PASS"
+echo "SUCCESS"
diff --git a/provisioner-scripts/diag-imap.mjs b/provisioner-scripts/diag-imap.mjs
new file mode 100644
index 0000000..ec0c89e
--- /dev/null
+++ b/provisioner-scripts/diag-imap.mjs
@@ -0,0 +1,76 @@
+// Diagnostic: IMAP auth + folder scan for OpenRouter verification emails.
+// Usage (from provisioner-scripts/): node diag-imap.mjs
+// Requires AGENTKEYS_EMAIL_{USER,PASSWORD,HOST,PORT} exported.
+import { ImapFlow } from "imapflow";
+
+const user = process.env.AGENTKEYS_EMAIL_USER;
+const pass = process.env.AGENTKEYS_EMAIL_PASSWORD;
+const host = process.env.AGENTKEYS_EMAIL_HOST ?? "imap.gmail.com";
+const port = parseInt(process.env.AGENTKEYS_EMAIL_PORT ?? "993", 10);
+
+if (!user || !pass) {
+  console.error("ERROR: AGENTKEYS_EMAIL_USER and AGENTKEYS_EMAIL_PASSWORD required");
+  process.exit(2);
+}
+
+const client = new ImapFlow({
+  host, port, secure: true,
+  auth: { user, pass },
+  logger: false,
+});
+
+try {
+  console.log(`1) connecting as ${user}...`);
+  await client.connect();
+  console.log("   OK");
+
+  console.log("2) listing mailboxes...");
+  const listResult = await client.list();
+  const mailboxes = listResult.map(b => b.path);
+  console.log(`   found ${mailboxes.length} mailboxes: ${mailboxes.join(", ")}`);
+
+  // Gmail key folders
+  const candidates = ["INBOX", "[Gmail]/Spam", "[Gmail]/All Mail", "[Gmail]/Trash"];
+  for (const box of candidates) {
+    if (!mailboxes.includes(box)) continue;
+    try {
+      await client.mailboxOpen(box);
+      const uids = await client.search({
+        from: "noreply@openrouter.ai",
+        since: new Date(Date.now() - 24 * 3600 * 1000), // last 24h
+      });
+      console.log(`3) [${box}] openrouter emails (last 24h): ${uids.length}`);
+      // Show the most recent one's envelope
+      if (uids.length > 0) {
+        const msg = await client.fetchOne(uids[uids.length - 1], { envelope: true, source: false });
+        if (msg) {
+          console.log(`     most recent: from=${msg.envelope.from?.[0]?.address} subject="${msg.envelope.subject}" date=${msg.envelope.date}`);
+          console.log(`     TO: ${JSON.stringify(msg.envelope.to?.map(t => t.address))}`);
+        }
+      }
+    } catch (err) {
+      console.log(`   [${box}] error: ${err.message}`);
+    }
+  }
+
+  // Broader search: anything mentioning openrouter in subject (catches forwards, digest emails)
+  console.log("4) broader search in INBOX for 'openrouter' subject (last 24h):");
+  try {
+    await client.mailboxOpen("INBOX");
+    const uids = await client.search({
+      subject: "openrouter",
+      since: new Date(Date.now() - 24 * 3600 * 1000),
+    });
+    console.log(`   found ${uids.length}`);
+  } catch (err) {
+    console.log(`   error: ${err.message}`);
+  }
+
+} catch (err) {
+  console.error(`FATAL: ${err.message}`);
+  console.error(err.stack);
+  process.exit(1);
+} finally {
+  await client.logout().catch(() => {});
+}
+console.log("DONE");
diff --git a/provisioner-scripts/diag-openrouter.mjs b/provisioner-scripts/diag-openrouter.mjs
new file mode 100644
index 0000000..1d6b8f7
--- /dev/null
+++ b/provisioner-scripts/diag-openrouter.mjs
@@ -0,0 +1,113 @@
+// Diagnostic: step through OpenRouter signup manually, saving a screenshot +
+// HTML snapshot at each checkpoint. Captures where the real DOM diverges from
+// the scraper's selectors.
+//
+// Usage (from repo root):
+//   cd provisioner-scripts
+//   node diag-openrouter.mjs
+// Writes artifacts to /tmp/or-diag/ so we can inspect after the run.
+import { chromium } from "playwright";
+import { mkdir, writeFile } from "fs/promises";
+
+const OUT = "/tmp/or-diag";
+const EMAIL = process.env.AGENTKEYS_SIGNUP_EMAIL ?? process.env.AGENTKEYS_EMAIL_USER;
+if (!EMAIL) {
+  console.error("ERROR: set AGENTKEYS_SIGNUP_EMAIL or AGENTKEYS_EMAIL_USER");
+  process.exit(2);
+}
+
+await mkdir(OUT, { recursive: true });
+
+async function snap(page, label) {
+  try {
+    const url = page.url();
+    const title = await page.title();
+    const html = await page.content();
+    await page.screenshot({ path: `${OUT}/${label}.png`, fullPage: true });
+    await writeFile(`${OUT}/${label}.html`, html);
+    await writeFile(`${OUT}/${label}.meta.txt`,
+      `url: ${url}\ntitle: ${title}\nhtml_len: ${html.length}\n`);
+    console.log(`  snapshot ${label}: url=${url} title="${title}"`);
+  } catch (err) {
+    console.log(`  snapshot ${label} FAILED: ${err.message}`);
+  }
+}
+
+const browser = await chromium.launch({ headless: true });
+const ctx = await browser.newContext({
+  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
+});
+const page = await ctx.newPage();
+
+try {
+  console.log(`Using signup email: ${EMAIL}`);
+  console.log("1) goto https://openrouter.ai/auth");
+  await page.goto("https://openrouter.ai/auth", { waitUntil: "networkidle", timeout: 30_000 });
+  await snap(page, "01-landed");
+
+  console.log("2) looking for any email-like input");
+  // Broad probe — whatever the scraper's 'input[name="email"]' misses.
+  const candidates = await page.$$eval(
+    "input, button",
+    nodes => nodes.map(n => ({
+      tag: n.tagName.toLowerCase(),
+      type: n.getAttribute("type"),
+      name: n.getAttribute("name"),
+      id: n.id,
+      placeholder: n.getAttribute("placeholder"),
+      text: (n.innerText || n.value || "").slice(0, 80),
+      ariaLabel: n.getAttribute("aria-label"),
+    }))
+  );
+  await writeFile(`${OUT}/02-candidates.json`, JSON.stringify(candidates, null, 2));
+  console.log(`   wrote ${candidates.length} candidates to ${OUT}/02-candidates.json`);
+  const emailLikely = candidates.filter(c =>
+    c.tag === "input" && (
+      c.type === "email" ||
+      c.name?.includes("email") ||
+      c.id?.includes("email") ||
+      c.placeholder?.toLowerCase().includes("email") ||
+      c.ariaLabel?.toLowerCase().includes("email")
+    )
+  );
+  console.log(`   email-like inputs:`, emailLikely);
+
+  console.log("3) looking for sign-in / sign-up CTA buttons");
+  const buttons = candidates.filter(c =>
+    c.tag === "button" && /sign|continue|next|submit|start/i.test(c.text || "")
+  );
+  console.log(`   sign-up-likely buttons:`, buttons);
+
+  await snap(page, "02-inspected");
+
+  // If there's an obvious email input + sign-up button, try submitting
+  if (emailLikely.length > 0) {
+    const e0 = emailLikely[0];
+    const selector =
+      e0.id ? `#${e0.id}` :
+      e0.name ? `input[name="${e0.name}"]` :
+      `input[type="${e0.type}"]`;
+    console.log(`4) attempting fill on ${selector} with ${EMAIL}`);
+    await page.fill(selector, EMAIL);
+    await snap(page, "03-filled");
+
+    // `buttons` is already the sign/continue/next/submit/start-filtered set.
+    const submitBtn = buttons[0];
+    if (submitBtn) {
+      console.log(`5) clicking button: text="${submitBtn.text}"`);
+      await page.getByRole("button", { name: new RegExp(submitBtn.text?.split("\n")[0] ?? "", "i") }).first().click();
+      await page.waitForTimeout(3000);
+      await snap(page, "04-after-submit");
+    } else {
+      console.log("5) no obvious submit button — skipped click");
+    }
+  }
+
+  console.log("DONE — inspect artifacts under /tmp/or-diag/");
+} catch (err) {
+  console.error(`FATAL: ${err.message}`);
+  await snap(page, "99-error").catch(() => {});
+  process.exit(1);
+} finally {
+  await browser.close();
+}
diff --git a/provisioner-scripts/diag-or-flow.mjs b/provisioner-scripts/diag-or-flow.mjs
new file mode 100644
index 0000000..52f91ba
--- /dev/null
+++ b/provisioner-scripts/diag-or-flow.mjs
@@ -0,0 +1,111 @@
+// Full-flow Clerk signup probe for OpenRouter. Walks through every post-submit
+// DOM state, capturing screenshots + HTML + candidate inventory after each
+// user-initiated transition. Used to design the scraper's new selectors.
+//
+// Usage (from provisioner-scripts/):
+//   node diag-or-flow.mjs
+// Writes artifacts to /tmp/or-flow/.
+import { chromium } from "playwright";
+import { mkdir, writeFile } from "fs/promises";
+
+const OUT = "/tmp/or-flow";
+const EMAIL = process.env.AGENTKEYS_SIGNUP_EMAIL ?? process.env.AGENTKEYS_EMAIL_USER;
+if (!EMAIL) { console.error("ERROR: AGENTKEYS_SIGNUP_EMAIL or AGENTKEYS_EMAIL_USER required"); process.exit(2); }
+
+await mkdir(OUT, { recursive: true });
+
+async function snap(page, label) {
+  try {
+    const url = page.url();
+    const title = await page.title();
+    const html = await page.content();
+    await page.screenshot({ path: `${OUT}/${label}.png`, fullPage: true });
+    await writeFile(`${OUT}/${label}.html`, html);
+    const candidates = await page.$$eval(
+      "input, button, a[role='button']",
+      nodes => nodes.map(n => ({
+        tag: n.tagName.toLowerCase(),
+        type: n.getAttribute("type"),
+        name: n.getAttribute("name"),
+        id: n.id,
+        placeholder: n.getAttribute("placeholder"),
+        text: (n.innerText || n.value || "").slice(0, 80).replace(/\s+/g, " ").trim(),
+        ariaLabel: n.getAttribute("aria-label"),
+        dataLocalization: n.getAttribute("data-localization-key"),
+      })).filter(c => c.id || c.name || c.placeholder || c.text || c.ariaLabel)
+    );
+    await writeFile(`${OUT}/${label}.candidates.json`, JSON.stringify(candidates, null, 2));
+    console.log(`\n[${label}] url=${url} title="${title}"`);
+    console.log(`  inputs:`, candidates.filter(c => c.tag === "input").map(c => `${c.id || c.name} (type=${c.type}, placeholder="${c.placeholder}")`));
+    console.log(`  buttons:`, candidates.filter(c => c.tag === "button" || c.tag === "a").map(c => `"${c.text}" (id=${c.id}, data-loc=${c.dataLocalization})`));
+  } catch (err) {
+    console.log(`  snapshot ${label} FAILED: ${err.message}`);
+  }
+}
+
+const browser = await chromium.launch({ headless: true });
+const ctx = await browser.newContext({
+  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
+});
+const page = await ctx.newPage();
+
+try {
+  console.log(`Probe email: ${EMAIL}`);
+
+  // STATE 1: landing
+  await page.goto("https://openrouter.ai/auth", { waitUntil: "networkidle", timeout: 30_000 });
+  await snap(page, "01-landing");
+
+  // STATE 2: fill all three fields (email + password + legal checkbox)
+  await page.waitForSelector('#emailAddress-field', { timeout: 10_000 });
+  await page.fill('#emailAddress-field', EMAIL);
+  await page.fill('#password-field', `AgKe-${Date.now()}-Pw!9xZ`);
+  // legal checkbox: click the label or the input. Checkbox inputs are often
+  // display:none in Radix UI — clicking the label is the reliable path.
+  try {
+    await page.locator('label[for="legalAccepted-field"]').click();
+  } catch {
+    await page.check('#legalAccepted-field').catch(() => {});
+  }
+  await snap(page, "02-all-filled");
+
+  // Click the form's primary button.
+  await page.locator('button[data-localization-key="formButtonPrimary"]').first().click({ timeout: 5_000 });
+  console.log("\nclicked formButtonPrimary");
+  // Give Clerk time to transition. Use waitForLoadState + small fixed delay for the DOM to settle.
+  await page.waitForLoadState("networkidle", { timeout: 15_000 }).catch(() => {});
+  await page.waitForTimeout(2000);
+  await snap(page, "03-after-submit");
+
+  // STATE 3: enumerate inputs — should now be the OTP-entry step
+  const step3Candidates = await page.$$eval("input", inputs =>
+    inputs.map(i => ({
+      id: i.id, name: i.getAttribute("name"), type: i.getAttribute("type"),
+      placeholder: i.getAttribute("placeholder"), ariaLabel: i.getAttribute("aria-label"),
+      inputMode: i.getAttribute("inputmode"),
+      autocomplete: i.getAttribute("autocomplete"),
+      maxlength: i.getAttribute("maxlength"),
+    }))
+  );
+  console.log(`\nstep 3 all inputs:`, JSON.stringify(step3Candidates, null, 2));
+
+  // Save localization keys + any text blocks that identify this step
+  const headings = await page.$$eval("h1, h2, h3, p", els =>
+    els.map(e => (e.innerText || "").trim()).filter(t => t && t.length < 200)
+  );
+  console.log(`\nstep 3 headings/paras:`, headings.slice(0, 10));
+
+  // Error messages?
+  const errors = await page.$$eval('[role="alert"], .cl-formFieldError, .cl-alertText, [data-localization-key*="error"]', els =>
+    els.map(e => (e.innerText || "").trim()).filter(Boolean)
+  );
+  if (errors.length) console.log(`\nerrors visible:`, errors);
+
+  console.log("\nDONE — inspect /tmp/or-flow/");
+} catch (err) {
+  console.error(`FATAL: ${err.message}`);
+  await snap(page, "99-error").catch(() => {});
+  process.exit(1);
+} finally {
+  await browser.close();
+}
diff --git a/provisioner-scripts/diag-or-signin.mjs b/provisioner-scripts/diag-or-signin.mjs
new file mode 100644
index 0000000..eb63c82
--- /dev/null
+++ b/provisioner-scripts/diag-or-signin.mjs
@@ -0,0 +1,53 @@
+// Probe: does OpenRouter's SIGN-IN (not sign-up) page have Turnstile?
+// If sign-in is clean, we can pivot Stage 5a's strategy from "create new account"
+// to "sign in to existing account and mint a new API key" — which is what the
+// user actually wants anyway.
+import { chromium } from "playwright";
+import { mkdir, writeFile } from "fs/promises";
+
+const OUT = "/tmp/or-signin";
+await mkdir(OUT, { recursive: true });
+
+const browser = await chromium.launch({ headless: true });
+const ctx = await browser.newContext({
+  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
+  viewport: { width: 1280, height: 900 },
+});
+const page = await ctx.newPage();
+
+try {
+  // Try /sign-in directly
+  await page.goto("https://openrouter.ai/sign-in", { waitUntil: "networkidle", timeout: 30_000 });
+  await page.screenshot({ path: `${OUT}/signin.png`, fullPage: true });
+  await writeFile(`${OUT}/signin.html`, await page.content());
+
+  const inputs = await page.$$eval("input", ins => ins.map(i => ({
+    id: i.id, name: i.getAttribute("name"), type: i.getAttribute("type"),
+    placeholder: i.getAttribute("placeholder"),
+  })));
+  const buttons = await page.$$eval("button", bs => bs.map(b => ({
+    text: (b.innerText || "").trim().slice(0, 40),
+    disabled: b.disabled,
+    dataLoc: b.getAttribute("data-localization-key"),
+  })).filter(b => b.text || b.dataLoc));
+  const headings = await page.$$eval("h1, h2, h3, p", els =>
+    els.map(e => (e.innerText || "").trim()).filter(t => t && t.length < 150).slice(0, 15));
+
+  const hasTurnstile = inputs.some(i => i.name === "cf-turnstile-response");
+
+  console.log(`url: ${page.url()}`);
+  console.log(`turnstile present on sign-in: ${hasTurnstile}`);
+  console.log(`\nheadings:`);
+  headings.forEach(h => console.log(`  ${h}`));
+  console.log(`\ninputs:`);
+  inputs.forEach(i => console.log(`  id=${i.id} name=${i.name} type=${i.type} placeholder="${i.placeholder}"`));
+  console.log(`\nbuttons:`);
+  buttons.forEach(b => console.log(`  text="${b.text}" disabled=${b.disabled} data-loc=${b.dataLoc}`));
+
+  console.log("DONE");
+} catch (err) {
+  console.error(`FATAL: ${err.message}`);
+  process.exit(1);
+} finally {
+  await browser.close();
+}
diff --git a/provisioner-scripts/diag-or-turnstile.mjs b/provisioner-scripts/diag-or-turnstile.mjs
new file mode 100644
index 0000000..0aede00
--- /dev/null
+++ b/provisioner-scripts/diag-or-turnstile.mjs
@@ -0,0 +1,92 @@
+// Probe: after clicking Continue, poll for Turnstile to resolve and check if
+// Clerk advances to the email-verification step. If Turnstile never resolves
+// in headless, the scraper cannot proceed past signup without Stage 5b.
+import { chromium } from "playwright";
+import { mkdir, writeFile } from "fs/promises";
+
+const OUT = "/tmp/or-turnstile";
+const EMAIL = process.env.AGENTKEYS_SIGNUP_EMAIL ?? process.env.AGENTKEYS_EMAIL_USER;
+if (!EMAIL) { console.error("ERROR: email env required"); process.exit(2); }
+await mkdir(OUT, { recursive: true });
+
+const browser = await chromium.launch({ headless: true });
+const ctx = await browser.newContext({
+  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
+  viewport: { width: 1280, height: 900 },
+  locale: "en-US",
+  timezoneId: "America/Los_Angeles",
+});
+const page = await ctx.newPage();
+
+async function snap(label) {
+  await page.screenshot({ path: `${OUT}/${label}.png`, fullPage: true });
+  await writeFile(`${OUT}/${label}.html`, await page.content());
+}
+
+async function turnstileState() {
+  return page.$$eval(
+    'input[name="cf-turnstile-response"]',
+    inputs => inputs.map(i => ({ id: i.id, value: i.value, hasValue: i.value && i.value.length > 0 }))
+  );
+}
+
+async function formState() {
+  const headings = await page.$$eval("h1, h2, h3, p", els =>
+    els.map(e => (e.innerText || "").trim()).filter(t => t && t.length < 150).slice(0, 10));
+  const buttons = await page.$$eval("button", btns =>
+    btns.map(b => ({ text: (b.innerText || "").trim().slice(0, 40), disabled: b.disabled, dataLoc: b.getAttribute("data-localization-key") })).filter(b => b.text || b.dataLoc));
+  const inputs = await page.$$eval("input", ins =>
+    ins.map(i => ({ id: i.id, type: i.getAttribute("type"), name: i.getAttribute("name") })));
+  const errors = await page.$$eval('[role="alert"], .cl-formFieldError, .cl-alertText', els =>
+    els.map(e => (e.innerText || "").trim()).filter(Boolean));
+  return { url: page.url(), headings, buttons, inputs, errors };
+}
+
+try {
+  console.log(`email: ${EMAIL}`);
+  await page.goto("https://openrouter.ai/auth", { waitUntil: "networkidle", timeout: 30_000 });
+
+  await page.fill('#emailAddress-field', EMAIL);
+  // Use realistic password (strong, varied)
+  await page.fill('#password-field', `Stg5-${Date.now()}-xZq9!ok`);
+  await page.locator('label[for="legalAccepted-field"]').click().catch(() => page.check('#legalAccepted-field'));
+
+  await snap("01-filled");
+  console.log("state before submit:");
+  console.log(JSON.stringify(await turnstileState(), null, 2));
+
+  await page.locator('button[data-localization-key="formButtonPrimary"]').first().click({ timeout: 5_000 });
+  console.log("\nclicked Continue — polling Turnstile for 60s...");
+
+  // Poll for up to 60s: watch Turnstile response value + form advance
+  for (let s = 0; s < 60; s += 3) {
+    await page.waitForTimeout(3000);
+    const ts = await turnstileState();
+    const fs = await formState();
+    const hasTs = ts.some(t => t.hasValue);
+    const submitted = !fs.url.includes("sign-up") || fs.headings.some(h => /verify|verification|code/i.test(h));
+    console.log(`  t=${s+3}s: ts_solved=${hasTs} url=${fs.url.slice(0, 60)} headings=[${fs.headings.slice(0, 3).join(" | ")}] errors=[${fs.errors.slice(0, 2).join(" | ")}]`);
+    if (submitted) {
+      console.log("  → FORM ADVANCED");
+      await snap(`advanced-at-${s+3}s`);
+      console.log(JSON.stringify(fs, null, 2));
+      break;
+    }
+    if (fs.errors.length && fs.errors.some(e => e && !/password meets/i.test(e))) {
+      console.log("  → ERROR BRANCH");
+      await snap(`error-at-${s+3}s`);
+      console.log("errors:", fs.errors);
+      break;
+    }
+  }
+  await snap("99-final");
+  console.log("\nfinal state:", JSON.stringify(await formState(), null, 2));
+  console.log("final turnstile:", JSON.stringify(await turnstileState(), null, 2));
+  console.log("DONE");
+} catch (err) {
+  console.error(`FATAL: ${err.message}`);
+  await snap("99-error").catch(() => {});
+  process.exit(1);
+} finally {
+  await browser.close();
+}
diff --git a/provisioner-scripts/src/scrapers/openrouter-cdp.ts b/provisioner-scripts/src/scrapers/openrouter-cdp.ts
new file mode 100644
index 0000000..2581ec1
--- /dev/null
+++ b/provisioner-scripts/src/scrapers/openrouter-cdp.ts
@@ -0,0 +1,188 @@
+// Stage 5b CDP scraper — connects to a user-launched Chrome via CDP, drives
+// OpenRouter signup through Clerk + Turnstile, retrieves the OTP from Gmail
+// IMAP, mints a new API key, outputs the sk-or-v1-* value on stdout.
+//
+// Why this exists:
+// Playwright's bundled Chromium launches with --enable-automation baked in
+// by the Playwright library. Cloudflare Turnstile detects this at runtime
+// (error 600010: "browser execution environment suspicious") and refuses
+// to issue a token even when a human clicks the checkbox. Connecting via
+// CDP to a user-launched real Chrome bypasses this because the browser
+// process has no automation flags.
+//
+// How to use:
+//   # 1. User launches a fresh real Chrome with remote-debugging enabled:
+//   /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
+//     --remote-debugging-port=9222 \
+//     --user-data-dir=/tmp/agentkeys-chrome-profile &
+//   # 2. Export env — SIGNUP_EMAIL must be a local-part OpenRouter hasn't seen;
+//   #    Clerk normalizes Gmail/Workspace plus-aliases so +suffix reuse is rejected.
+//   export AGENTKEYS_SIGNUP_EMAIL="<fresh-local-part>@<your-domain>"
+//   export AGENTKEYS_SIGNUP_PASSWORD="<strong-random>"
+//   export AGENTKEYS_EMAIL_USER="you@gmail.com"            # canonical IMAP login
+//   export AGENTKEYS_EMAIL_PASSWORD="<gmail app password>"
+//   export AGENTKEYS_EMAIL_HOST="imap.gmail.com"
+//   export AGENTKEYS_EMAIL_PORT="993"
+//   # 3. Run:
+//   node --import tsx/esm provisioner-scripts/src/scrapers/openrouter-cdp.ts
+//
+// Waits up to 180s for Turnstile to resolve + form to advance. If Turnstile
+// surfaces a visible challenge, the user must click it on screen within that
+// window. Final line on stdout is the sk-or-v1-* key; progress logs go to stderr.
+
+import { chromium, type Browser, type Page } from "playwright";
+import { fetchVerificationCode } from "../lib/email.js";
+
+const CDP_URL = process.env.CDP_URL ?? "http://localhost:9222";
+const SIGNUP_EMAIL = process.env.AGENTKEYS_SIGNUP_EMAIL ?? "";
+const SIGNUP_PASSWORD = process.env.AGENTKEYS_SIGNUP_PASSWORD ?? "";
+
+const log = (msg: string) => console.error(`[cdp] ${new Date().toISOString().slice(11, 19)} ${msg}`);
+
+async function main() {
+  if (!SIGNUP_EMAIL || !SIGNUP_PASSWORD) {
+    throw new Error("AGENTKEYS_SIGNUP_EMAIL and AGENTKEYS_SIGNUP_PASSWORD env vars are required");
+  }
+  if (!process.env.AGENTKEYS_EMAIL_USER || !process.env.AGENTKEYS_EMAIL_PASSWORD) {
+    throw new Error("AGENTKEYS_EMAIL_USER + AGENTKEYS_EMAIL_PASSWORD required for OTP retrieval");
+  }
+
+  log(`connecting to CDP at ${CDP_URL}`);
+  const browser: Browser = await chromium.connectOverCDP(CDP_URL);
+  const contexts = browser.contexts();
+  const ctx = contexts[0] ?? await browser.newContext();
+  const page: Page = ctx.pages()[0] ?? await ctx.newPage();
+
+  try {
+    log("navigating to openrouter.ai/auth");
+    await page.goto("https://openrouter.ai/auth", { waitUntil: "networkidle", timeout: 30_000 });
+
+    log("waiting for email input");
+    await page.waitForSelector("#emailAddress-field", { timeout: 15_000 });
+
+    log(`filling email = ${SIGNUP_EMAIL}`);
+    await page.fill("#emailAddress-field", SIGNUP_EMAIL);
+
+    log("filling password");
+    await page.fill("#password-field", SIGNUP_PASSWORD);
+
+    log("checking TOS checkbox");
+    // DO NOT click the <label> — it wraps both the checkbox AND a "Terms of
+    // Service" link; clicking the label text often lands on the link and
+    // navigates to /terms. Click the checkbox input directly instead.
+    await page.locator('#legalAccepted-field').check({ force: true, timeout: 3000 });
+
+    log("clicking Continue");
+    await page.locator('button[data-localization-key="formButtonPrimary"]').first().click({ timeout: 5_000 });
+
+    // Watch for either (a) OTP form appears, (b) Turnstile surfaces visible challenge, or (c) redirect to dashboard
+    log("waiting for Turnstile + form to advance (up to 180s; user may need to click a visible challenge)");
+    const started = Date.now();
+    while (Date.now() - started < 180_000) {
+      const url = page.url();
+      if (!url.includes("/sign-up")) {
+        log(`URL advanced to ${url.slice(0, 60)}`);
+        break;
+      }
+      // Look for a Clerk OTP input (appears on the "verify your email" step)
+      const otpPresent = await page.locator('input[name="code"], input[inputmode="numeric"], input[autocomplete="one-time-code"]').count();
+      if (otpPresent > 0) {
+        log("OTP input appeared");
+        break;
+      }
+      // Check for an explicit error
+      const err = await page.locator('[role="alert"], .cl-formFieldError, .cl-alertText').allInnerTexts();
+      const realErr = err.find(t => t && !/password meets/i.test(t));
+      if (realErr) {
+        throw new Error(`form error: ${realErr}`);
+      }
+      await page.waitForTimeout(2500);
+    }
+
+    // If still on /sign-up and no OTP input, Turnstile never resolved.
+    const otpSel = 'input[name="code"], input[inputmode="numeric"], input[autocomplete="one-time-code"]';
+    if (page.url().includes("/sign-up")) {
+      const otpCount = await page.locator(otpSel).count();
+      if (otpCount === 0) {
+        throw new Error(
+          "form still on /sign-up after 180s AND no OTP input — Turnstile likely never resolved. " +
+          "Check the Chrome window: is the Turnstile checkbox visible and waiting? " +
+          "Or did the page navigate elsewhere (e.g. /terms if the ToS link was accidentally clicked)?"
+        );
+      }
+      log("OTP step is embedded on sign-up page (polling Gmail IMAP)");
+      await page.waitForSelector(otpSel, { timeout: 10_000 });
+
+      log("fetching code from Gmail IMAP");
+      const code = await fetchVerificationCode({
+        from: /noreply@openrouter\.ai/,
+        subject: /openrouter/i,
+        codeRegex: /(\d{6})/,
+        timeoutMs: 90_000,
+      });
+      log(`got OTP: ${code}`);
+
+      // Clerk OTP is usually split into 6 single-char inputs, but some versions are one input.
+      const otpInputs = await page.locator(otpSel).all();
+      if (otpInputs.length === 1) {
+        await otpInputs[0].fill(code);
+      } else if (otpInputs.length === 6) {
+        for (let i = 0; i < 6; i++) await otpInputs[i].fill(code[i]);
+      } else {
+        throw new Error(`unexpected OTP input count: ${otpInputs.length}`);
+      }
+
+      // Submit button on verify step
+      const verifyBtn = page.locator('button[data-localization-key="formButtonPrimary"]');
+      if (await verifyBtn.isEnabled({ timeout: 3000 })) {
+        await verifyBtn.click();
+      }
+
+      log("waiting for redirect away from /sign-up");
+      await page.waitForURL(u => !u.toString().includes("/sign-up"), { timeout: 30_000 });
+    }
+
+    log("navigating to /keys");
+    await page.goto("https://openrouter.ai/keys", { waitUntil: "networkidle", timeout: 20_000 });
+
+    log("looking for Create Key button");
+    const createBtn = page.locator('button:has-text("Create Key"), button:has-text("Create API Key"), [data-testid="create-key-btn"]').first();
+    await createBtn.waitFor({ timeout: 15_000 });
+    await createBtn.click();
+
+    log("filling key name");
+    const nameInput = page.locator('input[placeholder*="name" i], input[name="name"]').first();
+    if (await nameInput.count()) {
+      await nameInput.fill(`agentkeys-stage5b-${Date.now()}`);
+    }
+
+    log("confirming create");
+    const confirm = page.locator('button:has-text("Create"), button[type="submit"]').last();
+    await confirm.click();
+
+    log("waiting for key to appear");
+    const keyEl = page.locator('code:has-text("sk-or-v1-"), pre:has-text("sk-or-v1-"), input[value^="sk-or-v1-"]').first();
+    await keyEl.waitFor({ timeout: 15_000 });
+
+    const tag = await keyEl.evaluate(n => n.tagName.toLowerCase());
+    const raw =
+      tag === "input"
+        ? await keyEl.inputValue()
+        : (await keyEl.textContent()) ?? "";
+
+    const key = raw.trim();
+    log(`extracted key: ${key.slice(0, 12)}****...${key.slice(-4)}`);
+    if (!/^sk-or-v1-[a-zA-Z0-9]{20,}$/.test(key)) {
+      throw new Error(`extracted value doesn't match sk-or-v1-* format: ${key.slice(0, 40)}...`);
+    }
+    process.stdout.write(key + "\n");
+  } finally {
+    // Don't close the browser — user may want to keep their session.
+  }
+}
+
+main().catch(err => {
+  log(`FATAL: ${err.message}`);
+  console.error(err.stack);
+  process.exit(1);
+});
diff --git a/provisioner-scripts/src/scrapers/openrouter.ts b/provisioner-scripts/src/scrapers/openrouter.ts
index d3df2ae..ce9dab7 100644
--- a/provisioner-scripts/src/scrapers/openrouter.ts
+++ b/provisioner-scripts/src/scrapers/openrouter.ts
@@ -1,5 +1,6 @@
+import { fileURLToPath } from "url";
 import type { Browser } from "playwright";
-import { emit } from "../types.js";
+import { emit, type ProvisionEvent } from "../types.js";
 import type { VerifyResult } from "../lib/verify.js";
 import { signupEmailOtp } from "../patterns/signup_email_otp.js";
 
@@ -35,7 +36,13 @@ const EMAIL_SUBJECT_REGEX = /openrouter/i;
 const EMAIL_CODE_REGEX = /(\d{6})/;
 const EMAIL_TIMEOUT_MS = 60_000;
 
-const OPENROUTER_EMAIL = process.env["AGENTKEYS_EMAIL_USER"] ?? "user@example.com";
+// IMAP login — must be the canonical Gmail address (plus-addressing aliases
+// are not valid IMAP logins).
+const IMAP_LOGIN_EMAIL = process.env["AGENTKEYS_EMAIL_USER"] ?? "user@example.com";
+// What we type into the service's signup form. Defaults to the IMAP login but
+// can be overridden (e.g. plus-addressed `you+or-<ts>@gmail.com`) so returning
+// users can mint a fresh account per run while reusing one real inbox.
+const SIGNUP_EMAIL = process.env["AGENTKEYS_SIGNUP_EMAIL"] ?? IMAP_LOGIN_EMAIL;
 
 export async function runOpenRouterScraper(opts: OpenRouterScraperOpts): Promise<void> {
   const signupUrl =
@@ -62,7 +69,7 @@ export async function runOpenRouterScraper(opts: OpenRouterScraperOpts): Promise
         createKeyButtonSelector: CREATE_KEY_BUTTON_SELECTOR,
         keyRevealSelector: KEY_REVEAL_SELECTOR,
         emailFetcher: opts.emailFetcher,
-        emailAddress: OPENROUTER_EMAIL,
+        emailAddress: SIGNUP_EMAIL,
         emailFromRegex: EMAIL_FROM_REGEX,
         emailSubjectRegex: EMAIL_SUBJECT_REGEX,
         emailCodeRegex: EMAIL_CODE_REGEX,
@@ -108,25 +115,59 @@ export async function runOpenRouterScraper(opts: OpenRouterScraperOpts): Promise
   }
 }
 
-export default async function main(): Promise<void> {
-  const { chromium } = await import("playwright");
-  const { fetchVerificationCode } = await import("../lib/email.js");
-  const { verify } = await import("../lib/verify.js");
+// Emit a terminal event and wait for stdout to flush before exiting. Using a
+// bare `process.exit` can drop buffered writes to the parent's pipe — which is
+// exactly how the orchestrator ends up reporting "subprocess ended without
+// terminal event" when something upstream of the scraper's try/catch throws.
+function emitAndExit(event: ProvisionEvent, exitCode: number): void {
+  process.stdout.write(JSON.stringify(event) + "\n", () => process.exit(exitCode));
+}
 
-  const browser = await chromium.launch({ headless: true });
+export default async function main(): Promise<void> {
   try {
-    await runOpenRouterScraper({
-      browser,
-      emailFetcher: (from, subject, codeRegex, timeoutMs) =>
-        fetchVerificationCode({ from, subject, codeRegex, timeoutMs }),
-      verifier: verify,
-    });
+    const { chromium } = await import("playwright");
+    const { fetchVerificationCode } = await import("../lib/email.js");
+    const { verify } = await import("../lib/verify.js");
+
+    const browser = await chromium.launch({ headless: true });
+    try {
+      await runOpenRouterScraper({
+        browser,
+        emailFetcher: (from, subject, codeRegex, timeoutMs) =>
+          fetchVerificationCode({ from, subject, codeRegex, timeoutMs }),
+        verifier: verify,
+      });
+    } finally {
+      await browser.close();
+    }
   } catch (err) {
     if (err instanceof ScraperAbortError) {
-      process.exit(1);
+      // Tripwire / expected-error path: the scraper already emitted a terminal
+      // event (tripwire or error) before throwing. Just propagate the exit.
+      emitAndExit(
+        { type: "error", code: "internal", details: `abort: ${err.message}` },
+        1,
+      );
+      return;
     }
-    throw err;
-  } finally {
-    await browser.close();
+    // Unhandled path: a throw that escaped the scraper's try/catch — e.g.
+    // Playwright browser-launch failure, IMAP connection refused, dynamic
+    // import failure, unhandled rejection in the pattern. Without this
+    // catch-all the orchestrator sees a naked process exit and reports
+    // "subprocess ended without terminal event" with no cause.
+    const msg = err instanceof Error ? (err.stack ?? err.message) : String(err);
+    emitAndExit({ type: "error", code: "internal", details: `unhandled: ${msg}` }, 2);
   }
 }
+
+// Entry-point guard. Invoke main() only when this file is the direct script
+// target (e.g. `npx tsx src/scrapers/openrouter.ts`). When the module is
+// imported by test files that only use named exports like
+// `runOpenRouterScraper`, main() must NOT run — otherwise tests would launch
+// a real browser and hit real OpenRouter. Without this block, the provisioner
+// subprocess just loads the module, reaches EOF, and exits 0 with no events —
+// exactly the "exit_code: Some(0) / events_emitted: 0" failure mode.
+const isEntry = fileURLToPath(import.meta.url) === process.argv[1];
+if (isEntry) {
+  void main();
+}