fix: require ANTHROPIC_API_KEY for Claude Code auth in VNC container

Browser-based OAuth login does not work inside the VNC session because
the OAuth redirect callback cannot reach back into the container. The
solution is to set ANTHROPIC_API_KEY in the Kubernetes secret — when
this env var is present, Claude Code skips browser auth entirely.

Changes:
- init-repo.sh: warn clearly at startup if ANTHROPIC_API_KEY is unset
- values.yaml: document ANTHROPIC_API_KEY in the envSecretName comment
- VARIABLES.md: add ANTHROPIC_API_KEY entry and update secret template

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

VARIABLES.md

@@ -59,9 +59,18 @@ These MUST be configured before deployment:
 - **Format:** `ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
 - **Scopes:** `repo`
 
+### Anthropic API Key
+- **Variable:** `ANTHROPIC_API_KEY`
+- **File:** Kubernetes Secret (referenced by `envSecretName`)
+- **Type:** String (Anthropic API key)
+- **Description:** API key for Claude Code / Happy Coder authentication. Browser-based OAuth login does not work inside the VNC session, so this key is **required** for Happy Coder to function.
+- **Required:** Yes (for Happy Coder / Claude Code)
+- **Format:** `sk-ant-api03-...`
+- **How to get:** https://console.anthropic.com/settings/keys
+
 ### VNC Password
 - **Variable:** `vnc-password`
-- **File:** Sealed Secret
+- **File:** Kubernetes Secret (referenced by `envSecretName`)
 - **Type:** String
 - **Description:** Password for VNC web interface
 - **Required:** Recommended for security
@@ -286,8 +295,9 @@ hostnames:
 ### With Secrets
 ```bash
 kubectl create secret generic antigravity-secrets \
-  --from-literal=github-token='CHANGE_ME' \
+  --from-literal=GITHUB_TOKEN='CHANGE_ME' \
-  --from-literal=vnc-password='CHANGE_ME' \
+  --from-literal=VNC_PASSWORD='CHANGE_ME' \
+  --from-literal=ANTHROPIC_API_KEY='sk-ant-api03-...' \
   --dry-run=client -o yaml | \
   kubeseal --format=yaml > k8s/sealedsecrets.yaml
 ```

chart/values.yaml

@@ -38,6 +38,9 @@ resources:
     memory: "8Gi"
     cpu: "4000m"
 
-# Name of existing Secret containing env vars (GITHUB_TOKEN, VNC_PASSWORD, etc.)
+# Name of existing Secret containing env vars. Defaults to: devcontainer-{name}-secrets-env
-# Defaults to: devcontainer-{name}-secrets-env
+# Recognized keys:
+#   GITHUB_TOKEN      — PAT for private repo access
+#   VNC_PASSWORD      — password for the VNC web UI
+#   ANTHROPIC_API_KEY — required for Claude Code / Happy Coder auth (browser login won't work in VNC)
 envSecretName: ""

scripts/init-repo.sh

@@ -59,13 +59,18 @@ chown -R "$RUN_UID:$RUN_GID" "$WORKSPACE_DIR"
 mkdir -p "$HOME"
 chown "$RUN_UID:$RUN_GID" "$HOME"
 
-# Start Happy Coder daemon as the app user so it can access user credentials
+# Warn if ANTHROPIC_API_KEY is not set — browser-based Claude login won't work in VNC
-# (running as root means HOME=/root, Claude Code and Happy config would be missing)
+if [ -z "$ANTHROPIC_API_KEY" ]; then
-echo "Starting Happy Coder..."
+    echo "WARNING: ANTHROPIC_API_KEY is not set."
+    echo "  Claude Code cannot authenticate via browser inside this container."
+    echo "  Add ANTHROPIC_API_KEY to your Kubernetes secret to enable Happy Coder."
+fi
 
-RUN_USER=$(id -nu "$RUN_UID" 2>/dev/null || echo "user")
+# Start Happy Coder daemon
-sudo -u "$RUN_USER" -E sh -c "cd '$WORKSPACE_DIR' && happy daemon start" \
+echo "Starting Happy Coder..."
-    || echo "Happy Coder daemon failed to start, continuing anyway..."
+cd "$WORKSPACE_DIR"
+
+happy daemon start || echo "Happy Coder daemon failed to start, continuing anyway..."
 
 echo "Happy Coder daemon started"