fix: require ANTHROPIC_API_KEY for Claude Code auth in VNC container

Browser-based OAuth login does not work inside the VNC session because
the OAuth redirect callback cannot reach back into the container. The
solution is to set ANTHROPIC_API_KEY in the Kubernetes secret — when
this env var is present, Claude Code skips browser auth entirely.

Changes:
- init-repo.sh: warn clearly at startup if ANTHROPIC_API_KEY is unset
- values.yaml: document ANTHROPIC_API_KEY in the envSecretName comment
- VARIABLES.md: add ANTHROPIC_API_KEY entry and update secret template

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Dockerfile

@@ -25,19 +25,13 @@ RUN apt-get update && apt-get install -y \
     sudo \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Chrome and xdg-utils (needed for xdg-open to work in VNC)
+# Install Chrome
 RUN wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /usr/share/keyrings/google-chrome-keyring.gpg && \
     echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome-keyring.gpg] http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list && \
     apt-get update && \
-    apt-get install -y google-chrome-stable xdg-utils && \
+    apt-get install -y google-chrome-stable && \
     rm -rf /var/lib/apt/lists/*
 
-# Chrome wrapper: adds flags required for running inside a Docker container.
-# xdg-open (used by Claude Code on Linux) respects $BROWSER, so pointing it
-# here ensures the OAuth popup works without manual --no-sandbox invocations.
-RUN printf '#!/bin/bash\nexec /usr/bin/google-chrome-stable \\\n  --no-sandbox \\\n  --disable-dev-shm-usage \\\n  --disable-gpu \\\n  "$@"\n' > /usr/local/bin/google-chrome && \
-    chmod +x /usr/local/bin/google-chrome
-
 # Install Node.js (LTS version for Happy Coder)
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
     apt-get install -y nodejs && \
@@ -75,8 +69,7 @@ WORKDIR /workspace
 
 # Configure container to run as user user
 ENV HOME=/home/user \
-    USER=user \
-    BROWSER=/usr/local/bin/google-chrome
+    USER=user
 
 # Expose VNC port (baseimage-gui default)
 EXPOSE 5800

VARIABLES.md

@@ -59,9 +59,18 @@ These MUST be configured before deployment:
 - **Format:** `ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
 - **Scopes:** `repo`
 
+### Anthropic API Key
+- **Variable:** `ANTHROPIC_API_KEY`
+- **File:** Kubernetes Secret (referenced by `envSecretName`)
+- **Type:** String (Anthropic API key)
+- **Description:** API key for Claude Code / Happy Coder authentication. Browser-based OAuth login does not work inside the VNC session, so this key is **required** for Happy Coder to function.
+- **Required:** Yes (for Happy Coder / Claude Code)
+- **Format:** `sk-ant-api03-...`
+- **How to get:** https://console.anthropic.com/settings/keys
+
 ### VNC Password
 - **Variable:** `vnc-password`
-- **File:** Sealed Secret
+- **File:** Kubernetes Secret (referenced by `envSecretName`)
 - **Type:** String
 - **Description:** Password for VNC web interface
 - **Required:** Recommended for security
@@ -286,8 +295,9 @@ hostnames:
 ### With Secrets
 ```bash
 kubectl create secret generic antigravity-secrets \
-  --from-literal=github-token='CHANGE_ME' \
-  --from-literal=vnc-password='CHANGE_ME' \
+  --from-literal=GITHUB_TOKEN='CHANGE_ME' \
+  --from-literal=VNC_PASSWORD='CHANGE_ME' \
+  --from-literal=ANTHROPIC_API_KEY='sk-ant-api03-...' \
   --dry-run=client -o yaml | \
   kubeseal --format=yaml > k8s/sealedsecrets.yaml
 ```

chart/values.yaml

@@ -38,6 +38,9 @@ resources:
     memory: "8Gi"
     cpu: "4000m"
 
-# Name of existing Secret containing env vars (GITHUB_TOKEN, VNC_PASSWORD, etc.)
-# Defaults to: devcontainer-{name}-secrets-env
+# Name of existing Secret containing env vars. Defaults to: devcontainer-{name}-secrets-env
+# Recognized keys:
+#   GITHUB_TOKEN      — PAT for private repo access
+#   VNC_PASSWORD      — password for the VNC web UI
+#   ANTHROPIC_API_KEY — required for Claude Code / Happy Coder auth (browser login won't work in VNC)
 envSecretName: ""

scripts/init-repo.sh

@@ -59,11 +59,17 @@ chown -R "$RUN_UID:$RUN_GID" "$WORKSPACE_DIR"
 mkdir -p "$HOME"
 chown "$RUN_UID:$RUN_GID" "$HOME"
 
-# Start Happy Coder daemon. startapp.sh already runs as the app user (UID 1000),
-# so no sudo needed — Happy/Claude Code will find credentials in the correct home dir.
-echo "Starting Happy Coder..."
+# Warn if ANTHROPIC_API_KEY is not set — browser-based Claude login won't work in VNC
+if [ -z "$ANTHROPIC_API_KEY" ]; then
+    echo "WARNING: ANTHROPIC_API_KEY is not set."
+    echo "  Claude Code cannot authenticate via browser inside this container."
+    echo "  Add ANTHROPIC_API_KEY to your Kubernetes secret to enable Happy Coder."
+fi
 
+# Start Happy Coder daemon
+echo "Starting Happy Coder..."
 cd "$WORKSPACE_DIR"
+
 happy daemon start || echo "Happy Coder daemon failed to start, continuing anyway..."
 
 echo "Happy Coder daemon started"