fix: require ANTHROPIC_API_KEY for Claude Code auth in VNC container

Browser-based OAuth login does not work inside the VNC session because
the OAuth redirect callback cannot reach back into the container. The
solution is to set ANTHROPIC_API_KEY in the Kubernetes secret — when
this env var is present, Claude Code skips browser auth entirely.

Changes:
- init-repo.sh: warn clearly at startup if ANTHROPIC_API_KEY is unset
- values.yaml: document ANTHROPIC_API_KEY in the envSecretName comment
- VARIABLES.md: add ANTHROPIC_API_KEY entry and update secret template

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/dependabot.yml

@@ -1,19 +0,0 @@
-version: 2
-updates:
-  # Maintain dependencies for GitHub Actions
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    labels:
-      - "dependencies"
-      - "github-actions"
-
-  # Maintain dependencies for Docker
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    labels:
-      - "dependencies"
-      - "docker"

.github/workflows/build-and-push.yaml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -53,7 +53,7 @@ jobs:
             type=raw,value=latest,enable={{is_default_branch}}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}

.github/workflows/helm-release.yaml

@@ -9,7 +9,7 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: read
+  contents: write
   packages: write
 
 jobs:
@@ -18,10 +18,31 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Helm
         uses: azure/setup-helm@v4
 
+      - name: Bump patch version
+        id: bump
+        run: |
+          CURRENT=$(grep '^version:' chart/Chart.yaml | awk '{print $2}')
+          MAJOR=$(echo $CURRENT | cut -d. -f1)
+          MINOR=$(echo $CURRENT | cut -d. -f2)
+          PATCH=$(echo $CURRENT | cut -d. -f3)
+          NEW_VERSION="${MAJOR}.${MINOR}.$((PATCH + 1))"
+          sed -i "s/^version: .*/version: ${NEW_VERSION}/" chart/Chart.yaml
+          echo "version=${NEW_VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Commit version bump
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add chart/Chart.yaml
+          git commit -m "chore: bump chart version to ${{ steps.bump.outputs.version }} [skip ci]"
+          git push
+
       - name: Log in to GHCR
         run: |
           helm registry login ghcr.io \
@@ -33,5 +54,4 @@ jobs:
 
       - name: Push chart to GHCR
         run: |
-          CHART_VERSION=$(helm show chart chart/ | grep '^version:' | awk '{print $2}')
-          helm push antigravity-${CHART_VERSION}.tgz oci://ghcr.io/cpfarhood/charts
+          helm push devcontainer-${{ steps.bump.outputs.version }}.tgz oci://ghcr.io/cpfarhood/charts

.github/workflows/release.yaml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

Dockerfile

@@ -37,8 +37,8 @@ RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
     apt-get install -y nodejs && \
     rm -rf /var/lib/apt/lists/*
 
-# Install Happy Coder globally
-RUN npm install -g happy-coder
+# Install Happy Coder and Claude Code globally
+RUN npm install -g happy-coder @anthropic-ai/claude-code
 
 # Install Antigravity (Google's Project IDX / Cloud Code alternative)
 # Note: Antigravity might be packaged differently - adjust as needed
@@ -58,9 +58,11 @@ RUN groupadd -g 1000 user && \
 RUN mkdir -p /workspace && \
     chown -R user:user /workspace
 
-# Copy startup script
+# Copy startup scripts
 COPY --chmod=755 scripts/startapp.sh /startapp.sh
 COPY --chmod=755 scripts/init-repo.sh /usr/local/bin/init-repo
+# Fix app user shell after baseimage-gui creates it at runtime
+COPY --chmod=755 scripts/cont-init-user.sh /etc/cont-init.d/20-fix-user-shell.sh
 
 # Set working directory
 WORKDIR /workspace

VARIABLES.md

@@ -59,9 +59,18 @@ These MUST be configured before deployment:
 - **Format:** `ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
 - **Scopes:** `repo`
 
+### Anthropic API Key
+- **Variable:** `ANTHROPIC_API_KEY`
+- **File:** Kubernetes Secret (referenced by `envSecretName`)
+- **Type:** String (Anthropic API key)
+- **Description:** API key for Claude Code / Happy Coder authentication. Browser-based OAuth login does not work inside the VNC session, so this key is **required** for Happy Coder to function.
+- **Required:** Yes (for Happy Coder / Claude Code)
+- **Format:** `sk-ant-api03-...`
+- **How to get:** https://console.anthropic.com/settings/keys
+
 ### VNC Password
 - **Variable:** `vnc-password`
-- **File:** Sealed Secret
+- **File:** Kubernetes Secret (referenced by `envSecretName`)
 - **Type:** String
 - **Description:** Password for VNC web interface
 - **Required:** Recommended for security
@@ -286,8 +295,9 @@ hostnames:
 ### With Secrets
 ```bash
 kubectl create secret generic antigravity-secrets \
-  --from-literal=github-token='CHANGE_ME' \
-  --from-literal=vnc-password='CHANGE_ME' \
+  --from-literal=GITHUB_TOKEN='CHANGE_ME' \
+  --from-literal=VNC_PASSWORD='CHANGE_ME' \
+  --from-literal=ANTHROPIC_API_KEY='sk-ant-api03-...' \
   --dry-run=client -o yaml | \
   kubeseal --format=yaml > k8s/sealedsecrets.yaml
 ```

chart/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-name: antigravity
+name: devcontainer
 description: Antigravity Dev Container with Happy Coder AI assistant
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: "latest"

chart/values.yaml

@@ -38,6 +38,9 @@ resources:
     memory: "8Gi"
     cpu: "4000m"
 
-# Name of existing Secret containing env vars (GITHUB_TOKEN, VNC_PASSWORD, etc.)
-# Defaults to: devcontainer-{name}-secrets-env
+# Name of existing Secret containing env vars. Defaults to: devcontainer-{name}-secrets-env
+# Recognized keys:
+#   GITHUB_TOKEN      — PAT for private repo access
+#   VNC_PASSWORD      — password for the VNC web UI
+#   ANTHROPIC_API_KEY — required for Claude Code / Happy Coder auth (browser login won't work in VNC)
 envSecretName: ""

renovate.json

@@ -0,0 +1,72 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":gitSignOff"
+  ],
+  "semanticCommits": "enabled",
+  "dependencyDashboard": true,
+  "suppressNotifications": [
+    "prEditedNotification"
+  ],
+  "rebaseWhen": "conflicted",
+  "commitMessagePrefix": "chore(deps):",
+  "commitMessageAction": "update",
+  "commitMessageTopic": "{{depName}}",
+  "prConcurrentLimit": 5,
+  "prHourlyLimit": 2,
+  "schedule": [
+    "before 6am on monday"
+  ],
+  "packageRules": [
+    {
+      "description": "GitHub Actions",
+      "matchManagers": [
+        "github-actions"
+      ],
+      "groupName": "github-actions",
+      "additionalBranchPrefix": "github-actions-",
+      "semanticCommitScope": "github-actions",
+      "pinDigests": true
+    },
+    {
+      "description": "Docker base image",
+      "matchManagers": [
+        "dockerfile"
+      ],
+      "groupName": "docker",
+      "additionalBranchPrefix": "docker-",
+      "semanticCommitScope": "docker"
+    },
+    {
+      "description": "Automerge patch updates",
+      "matchUpdateTypes": [
+        "patch"
+      ],
+      "automerge": true,
+      "automergeType": "pr",
+      "platformAutomerge": true
+    },
+    {
+      "description": "Automerge minor updates for stable packages",
+      "matchUpdateTypes": [
+        "minor"
+      ],
+      "matchCurrentVersion": "!/^0/",
+      "automerge": true,
+      "automergeType": "pr",
+      "platformAutomerge": true
+    },
+    {
+      "description": "Separate major updates - require manual review",
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "automerge": false,
+      "additionalBranchPrefix": "major-"
+    }
+  ],
+  "ignorePaths": [
+    "**/node_modules/**"
+  ]
+}

scripts/cont-init-user.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+# Fix the app user (UID 1000) created by baseimage-gui at runtime.
+# baseimage-gui sets shell=/sbin/nologin and home=/dev/null, which
+# prevents VSCode from opening terminals.
+usermod -s /bin/bash app
+usermod -d /home/user app

scripts/init-repo.sh

@@ -55,23 +55,24 @@ RUN_UID="${USER_ID:-1000}"
 RUN_GID="${GROUP_ID:-1000}"
 chown -R "$RUN_UID:$RUN_GID" "$WORKSPACE_DIR"
 
-# Start Happy Coder in background as the app user
+# Ensure home directory exists on the PVC (may be absent on a fresh volume)
+mkdir -p "$HOME"
+chown "$RUN_UID:$RUN_GID" "$HOME"
+
+# Warn if ANTHROPIC_API_KEY is not set — browser-based Claude login won't work in VNC
+if [ -z "$ANTHROPIC_API_KEY" ]; then
+    echo "WARNING: ANTHROPIC_API_KEY is not set."
+    echo "  Claude Code cannot authenticate via browser inside this container."
+    echo "  Add ANTHROPIC_API_KEY to your Kubernetes secret to enable Happy Coder."
+fi
+
+# Start Happy Coder daemon
 echo "Starting Happy Coder..."
 cd "$WORKSPACE_DIR"
 
-# Create Happy Coder log file
-HAPPY_LOG="/tmp/happy-coder.log"
-touch "$HAPPY_LOG"
-chown "$RUN_UID:$RUN_GID" "$HAPPY_LOG"
+happy daemon start || echo "Happy Coder daemon failed to start, continuing anyway..."
 
-# Start Happy Coder (already running as the correct user via baseimage-gui)
-bash -c "cd '$WORKSPACE_DIR' && happy-coder > '$HAPPY_LOG' 2>&1 &"
-
-# Save PID for monitoring
-echo $! > /tmp/happy-coder.pid
-
-echo "Happy Coder started (PID: $(cat /tmp/happy-coder.pid))"
-echo "Logs available at: $HAPPY_LOG"
+echo "Happy Coder daemon started"
 
 # Export workspace directory for startapp.sh
 echo "$WORKSPACE_DIR" > /tmp/workspace-dir