fix: move HAPPY_HOME_DIR to /workspace so lock never persists across restarts

The daemon.state.json.lock lives on the home PVC and survives pod
restarts, causing happy daemon start to fail on every reboot. Moving
HAPPY_HOME_DIR to /workspace (emptyDir) means the entire happy state
directory is ephemeral and always clean on startup.

The rm -f in init-repo.sh is kept as a safety net for the within-run
case but is now a no-op on fresh starts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Dockerfile

@@ -25,13 +25,19 @@ RUN apt-get update && apt-get install -y \
     sudo \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Chrome
+# Install Chrome and xdg-utils (needed for xdg-open to work in VNC)
 RUN wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /usr/share/keyrings/google-chrome-keyring.gpg && \
     echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome-keyring.gpg] http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list && \
     apt-get update && \
-    apt-get install -y google-chrome-stable && \
+    apt-get install -y google-chrome-stable xdg-utils && \
     rm -rf /var/lib/apt/lists/*
 
+# Chrome wrapper: adds flags required for running inside a Docker container.
+# xdg-open (used by Claude Code on Linux) respects $BROWSER, so pointing it
+# here ensures the OAuth popup works without manual --no-sandbox invocations.
+RUN printf '#!/bin/bash\nexec /usr/bin/google-chrome-stable \\\n  --no-sandbox \\\n  --disable-dev-shm-usage \\\n  --disable-gpu \\\n  "$@"\n' > /usr/local/bin/google-chrome && \
+    chmod +x /usr/local/bin/google-chrome
+
 # Install Node.js (LTS version for Happy Coder)
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
     apt-get install -y nodejs && \
@@ -69,7 +75,8 @@ WORKDIR /workspace
 
 # Configure container to run as user user
 ENV HOME=/home/user \
-    USER=user
+    USER=user \
+    BROWSER=/usr/local/bin/google-chrome
 
 # Expose VNC port (baseimage-gui default)
 EXPOSE 5800

VARIABLES.md

@@ -59,18 +59,9 @@ These MUST be configured before deployment:
 - **Format:** `ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
 - **Scopes:** `repo`
 
-### Anthropic API Key
-- **Variable:** `ANTHROPIC_API_KEY`
-- **File:** Kubernetes Secret (referenced by `envSecretName`)
-- **Type:** String (Anthropic API key)
-- **Description:** API key for Claude Code / Happy Coder authentication. Browser-based OAuth login does not work inside the VNC session, so this key is **required** for Happy Coder to function.
-- **Required:** Yes (for Happy Coder / Claude Code)
-- **Format:** `sk-ant-api03-...`
-- **How to get:** https://console.anthropic.com/settings/keys
-
 ### VNC Password
 - **Variable:** `vnc-password`
-- **File:** Kubernetes Secret (referenced by `envSecretName`)
+- **File:** Sealed Secret
 - **Type:** String
 - **Description:** Password for VNC web interface
 - **Required:** Recommended for security
@@ -295,9 +286,8 @@ hostnames:
 ### With Secrets
 ```bash
 kubectl create secret generic antigravity-secrets \
-  --from-literal=GITHUB_TOKEN='CHANGE_ME' \
-  --from-literal=VNC_PASSWORD='CHANGE_ME' \
-  --from-literal=ANTHROPIC_API_KEY='sk-ant-api03-...' \
+  --from-literal=github-token='CHANGE_ME' \
+  --from-literal=vnc-password='CHANGE_ME' \
   --dry-run=client -o yaml | \
   kubeseal --format=yaml > k8s/sealedsecrets.yaml
 ```

chart/values.yaml

@@ -12,7 +12,7 @@ githubRepo: ""
 # Happy Coder endpoints
 happyServerUrl: "https://happy.farh.net"
 happyWebappUrl: "https://happy-coder.farh.net"
-happyHomeDir: "/home/user/.happy"
+happyHomeDir: "/workspace/.happy"
 happyExperimental: "true"
 
 # VNC display
@@ -38,9 +38,6 @@ resources:
     memory: "8Gi"
     cpu: "4000m"
 
-# Name of existing Secret containing env vars. Defaults to: devcontainer-{name}-secrets-env
-# Recognized keys:
-#   GITHUB_TOKEN      — PAT for private repo access
-#   VNC_PASSWORD      — password for the VNC web UI
-#   ANTHROPIC_API_KEY — required for Claude Code / Happy Coder auth (browser login won't work in VNC)
+# Name of existing Secret containing env vars (GITHUB_TOKEN, VNC_PASSWORD, etc.)
+# Defaults to: devcontainer-{name}-secrets-env
 envSecretName: ""

scripts/init-repo.sh

@@ -59,17 +59,16 @@ chown -R "$RUN_UID:$RUN_GID" "$WORKSPACE_DIR"
 mkdir -p "$HOME"
 chown "$RUN_UID:$RUN_GID" "$HOME"
 
-# Warn if ANTHROPIC_API_KEY is not set — browser-based Claude login won't work in VNC
-if [ -z "$ANTHROPIC_API_KEY" ]; then
-    echo "WARNING: ANTHROPIC_API_KEY is not set."
-    echo "  Claude Code cannot authenticate via browser inside this container."
-    echo "  Add ANTHROPIC_API_KEY to your Kubernetes secret to enable Happy Coder."
-fi
-
-# Start Happy Coder daemon
+# Start Happy Coder daemon. startapp.sh already runs as the app user (UID 1000),
+# so no sudo needed — Happy/Claude Code will find credentials in the correct home dir.
 echo "Starting Happy Coder..."
-cd "$WORKSPACE_DIR"
 
+# HAPPY_HOME_DIR is in /workspace (emptyDir), so it is always fresh on pod start.
+# Remove the lock file as a safety net in case daemon start is called more than
+# once within the same container lifetime.
+rm -f "${HAPPY_HOME_DIR:-/workspace/.happy}/daemon.state.json.lock"
+
+cd "$WORKSPACE_DIR"
 happy daemon start || echo "Happy Coder daemon failed to start, continuing anyway..."
 
 echo "Happy Coder daemon started"