fix(claude-code): drop ANTHROPIC_API_KEY to avoid CLI auth conflict

[BjoernSchotte]

Summary

The claude-code harness sets both ANTHROPIC_AUTH_TOKEN and ANTHROPIC_API_KEY to the same LITELLM_API_KEY value when proxying through a LiteLLM gateway. Current claude CLI versions print this on every boot:

Auth conflict: Both a token (ANTHROPIC_AUTH_TOKEN) and an API key
(ANTHROPIC_API_KEY) are set. This may lead to unexpected behavior.
  · Trying to use ANTHROPIC_AUTH_TOKEN? Unset the ANTHROPIC_API_KEY
    environment variable, or claude /logout then say "No" to the API
    key approval before login.
  · Trying to use ANTHROPIC_API_KEY? Unset the ANTHROPIC_AUTH_TOKEN
    environment variable.

Behavior beyond the warning is version-dependent (CLI picks one of the two).

Why AUTH_TOKEN is correct here

LiteLLM expects Authorization: Bearer <key>, which is what ANTHROPIC_AUTH_TOKEN produces. ANTHROPIC_API_KEY produces the legacy X-API-Key header, which LiteLLM does not consume for auth. So AUTH_TOKEN is unambiguously the right contract for a proxy setup.

Change

In harnesses/claude-code/server.js, keep ANTHROPIC_AUTH_TOKEN = LITELLM_API_KEY and delete process.env.ANTHROPIC_API_KEY — even if the operator passes one in via CONTAINER_ENV_ANTHROPIC_API_KEY the harness env stays clean.

harnesses/claude-agent-sdk/src/server.ts (referenced by the existing code comment) already uses only AUTH_TOKEN, so this aligns the two harnesses.

Test plan

• Built claude-code-sandbox:dev locally on arm64 and spawned a session via kind
• Confirmed harness env now has only ANTHROPIC_AUTH_TOKEN set, no ANTHROPIC_API_KEY
• Claude CLI starts in the TUI without the warning

[greptile-apps]

Greptile Summary

This fix resolves a Claude CLI startup warning caused by setting both ANTHROPIC_AUTH_TOKEN and ANTHROPIC_API_KEY to the same LiteLLM key. When LITELLM_API_KEY is present the harness now sets only ANTHROPIC_AUTH_TOKEN and explicitly deletes ANTHROPIC_API_KEY, including any value the container operator may have injected.

• The delete process.env.ANTHROPIC_API_KEY is correctly scoped inside the if (process.env.LITELLM_API_KEY) block, so containers running without LiteLLM are unaffected.
• The approach aligns this harness with harnesses/claude-agent-sdk/src/server.ts, which already used only AUTH_TOKEN.

Confidence Score: 5/5

Safe to merge — the change is a targeted two-line fix with a clear, well-documented rationale and no behavioral side-effects for non-LiteLLM deployments.

The change removes a redundant env-var assignment and adds a delete call that only runs when LITELLM_API_KEY is present. Containers not using LiteLLM are completely unaffected. The fix brings the harness in line with the claude-agent-sdk harness and eliminates a real CLI startup warning. No auth logic, PTY management, or platform-compat routing is touched.

No files require special attention.

Important Files Changed

Filename	Overview
harnesses/claude-code/server.js	Removes the duplicate ANTHROPIC_API_KEY assignment and adds an explicit delete so only ANTHROPIC_AUTH_TOKEN is set when routing through LiteLLM, eliminating the Claude CLI auth-conflict warning.

_{Reviews (1): Last reviewed commit: "fix(claude-code): drop ANTHROPIC_API_KEY..." | Re-trigger Greptile}