fix: make Chrome work inside Docker for Claude OAuth browser login

Chrome requires --no-sandbox and --disable-dev-shm-usage when running
inside a Docker container, otherwise it crashes silently and the OAuth
popup never completes.

- Add a /usr/local/bin/google-chrome wrapper that injects these flags
- Install xdg-utils so xdg-open can resolve browser handlers in VNC
- Set BROWSER env var to the wrapper so Claude Code and xdg-open both
  use it when opening the Claude Max login URL

The OAuth callback (to localhost) works fine inside VNC because both
the browser and the Claude Code local auth server share the same
container network namespace.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Dockerfile

@@ -25,13 +25,19 @@ RUN apt-get update && apt-get install -y \
     sudo \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Chrome
+# Install Chrome and xdg-utils (needed for xdg-open to work in VNC)
 RUN wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /usr/share/keyrings/google-chrome-keyring.gpg && \
     echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome-keyring.gpg] http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list && \
     apt-get update && \
-    apt-get install -y google-chrome-stable && \
+    apt-get install -y google-chrome-stable xdg-utils && \
     rm -rf /var/lib/apt/lists/*
 
+# Chrome wrapper: adds flags required for running inside a Docker container.
+# xdg-open (used by Claude Code on Linux) respects $BROWSER, so pointing it
+# here ensures the OAuth popup works without manual --no-sandbox invocations.
+RUN printf '#!/bin/bash\nexec /usr/bin/google-chrome-stable \\\n  --no-sandbox \\\n  --disable-dev-shm-usage \\\n  --disable-gpu \\\n  "$@"\n' > /usr/local/bin/google-chrome && \
+    chmod +x /usr/local/bin/google-chrome
+
 # Install Node.js (LTS version for Happy Coder)
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
     apt-get install -y nodejs && \
@@ -69,7 +75,8 @@ WORKDIR /workspace
 
 # Configure container to run as user user
 ENV HOME=/home/user \
-    USER=user
+    USER=user \
+    BROWSER=/usr/local/bin/google-chrome
 
 # Expose VNC port (baseimage-gui default)
 EXPOSE 5800

VARIABLES.md

@@ -59,18 +59,9 @@ These MUST be configured before deployment:
 - **Format:** `ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
 - **Scopes:** `repo`
 
-### Anthropic API Key
-- **Variable:** `ANTHROPIC_API_KEY`
-- **File:** Kubernetes Secret (referenced by `envSecretName`)
-- **Type:** String (Anthropic API key)
-- **Description:** API key for Claude Code / Happy Coder authentication. Browser-based OAuth login does not work inside the VNC session, so this key is **required** for Happy Coder to function.
-- **Required:** Yes (for Happy Coder / Claude Code)
-- **Format:** `sk-ant-api03-...`
-- **How to get:** https://console.anthropic.com/settings/keys
-
 ### VNC Password
 - **Variable:** `vnc-password`
-- **File:** Kubernetes Secret (referenced by `envSecretName`)
+- **File:** Sealed Secret
 - **Type:** String
 - **Description:** Password for VNC web interface
 - **Required:** Recommended for security
@@ -295,9 +286,8 @@ hostnames:
 ### With Secrets
 ```bash
 kubectl create secret generic antigravity-secrets \
-  --from-literal=GITHUB_TOKEN='CHANGE_ME' \
+  --from-literal=github-token='CHANGE_ME' \
-  --from-literal=VNC_PASSWORD='CHANGE_ME' \
+  --from-literal=vnc-password='CHANGE_ME' \
-  --from-literal=ANTHROPIC_API_KEY='sk-ant-api03-...' \
   --dry-run=client -o yaml | \
   kubeseal --format=yaml > k8s/sealedsecrets.yaml
 ```

chart/values.yaml

@@ -38,9 +38,6 @@ resources:
     memory: "8Gi"
     cpu: "4000m"
 
-# Name of existing Secret containing env vars. Defaults to: devcontainer-{name}-secrets-env
+# Name of existing Secret containing env vars (GITHUB_TOKEN, VNC_PASSWORD, etc.)
-# Recognized keys:
+# Defaults to: devcontainer-{name}-secrets-env
-#   GITHUB_TOKEN      — PAT for private repo access
-#   VNC_PASSWORD      — password for the VNC web UI
-#   ANTHROPIC_API_KEY — required for Claude Code / Happy Coder auth (browser login won't work in VNC)
 envSecretName: ""

scripts/init-repo.sh

@@ -59,13 +59,6 @@ chown -R "$RUN_UID:$RUN_GID" "$WORKSPACE_DIR"
 mkdir -p "$HOME"
 chown "$RUN_UID:$RUN_GID" "$HOME"
 
-# Warn if ANTHROPIC_API_KEY is not set — browser-based Claude login won't work in VNC
-if [ -z "$ANTHROPIC_API_KEY" ]; then
-    echo "WARNING: ANTHROPIC_API_KEY is not set."
-    echo "  Claude Code cannot authenticate via browser inside this container."
-    echo "  Add ANTHROPIC_API_KEY to your Kubernetes secret to enable Happy Coder."
-fi
-
 # Start Happy Coder daemon
 echo "Starting Happy Coder..."
 cd "$WORKSPACE_DIR"