Fix type inference error for api_key after removing ApiKey auth mode

Both match arms now return None, so Rust needs an explicit type
annotation for the Option<String>.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Triple-C.md

@@ -47,8 +47,7 @@ Triple-C is a cross-platform desktop application that sandboxes Claude Code insi
 
 Each project can independently use one of:
 
-- **`/login`** (OAuth): User runs `claude login` inside the terminal. Token persisted in the config volume.
-- **API Key**: Stored in the OS keychain, injected as `ANTHROPIC_API_KEY` env var.
+- **Anthropic** (OAuth): User runs `claude login` inside the terminal on first use. Token persisted in the config volume across restarts and resets.
 - **AWS Bedrock**: Per-project AWS credentials (static keys, profile, or bearer token).
 
 ### Container Spawning (Sibling Containers)

app/src-tauri/Cargo.lock

@@ -41,56 +41,6 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "anstream"
-version = "0.6.21"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43d5b281e737544384e969a5ccad3f1cdd24b48086a0fc1b2a5262a26b8f4f4a"
-dependencies = [
- "anstyle",
- "anstyle-parse",
- "anstyle-query",
- "anstyle-wincon",
- "colorchoice",
- "is_terminal_polyfill",
- "utf8parse",
-]
-
-[[package]]
-name = "anstyle"
-version = "1.0.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"
-
-[[package]]
-name = "anstyle-parse"
-version = "0.2.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2"
-dependencies = [
- "utf8parse",
-]
-
-[[package]]
-name = "anstyle-query"
-version = "1.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
-dependencies = [
- "windows-sys 0.61.2",
-]
-
-[[package]]
-name = "anstyle-wincon"
-version = "3.0.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
-dependencies = [
- "anstyle",
- "once_cell_polyfill",
- "windows-sys 0.61.2",
-]
-
 [[package]]
 name = "anyhow"
 version = "1.0.102"
@@ -549,12 +499,6 @@ dependencies = [
  "windows-link 0.2.1",
 ]
 
-[[package]]
-name = "colorchoice"
-version = "1.0.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
-
 [[package]]
 name = "combine"
 version = "4.6.7"
@@ -944,29 +888,6 @@ dependencies = [
  "syn 2.0.117",
 ]
 
-[[package]]
-name = "env_filter"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a1c3cc8e57274ec99de65301228b537f1e4eedc1b8e0f9411c6caac8ae7308f"
-dependencies = [
- "log",
- "regex",
-]
-
-[[package]]
-name = "env_logger"
-version = "0.11.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b2daee4ea451f429a58296525ddf28b45a3b64f1acf6587e2067437bb11e218d"
-dependencies = [
- "anstream",
- "anstyle",
- "env_filter",
- "jiff",
- "log",
-]
-
 [[package]]
 name = "equivalent"
 version = "1.0.2"
@@ -1030,6 +951,16 @@ dependencies = [
  "simd-adler32",
 ]
 
+[[package]]
+name = "fern"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4316185f709b23713e41e3195f90edef7fb00c3ed4adc79769cf09cc762a3b29"
+dependencies = [
+ "chrono",
+ "log",
+]
+
 [[package]]
 name = "field-offset"
 version = "0.3.6"
@@ -1948,12 +1879,6 @@ dependencies = [
  "once_cell",
 ]
 
-[[package]]
-name = "is_terminal_polyfill"
-version = "1.70.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
-
 [[package]]
 name = "itoa"
 version = "1.0.17"
@@ -1983,30 +1908,6 @@ dependencies = [
  "system-deps",
 ]
 
-[[package]]
-name = "jiff"
-version = "0.2.21"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b3e3d65f018c6ae946ab16e80944b97096ed73c35b221d1c478a6c81d8f57940"
-dependencies = [
- "jiff-static",
- "log",
- "portable-atomic",
- "portable-atomic-util",
- "serde_core",
-]
-
-[[package]]
-name = "jiff-static"
-version = "0.2.21"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a17c2b211d863c7fde02cbea8a3c1a439b98e109286554f2860bdded7ff83818"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.117",
-]
-
 [[package]]
 name = "jni"
 version = "0.21.1"
@@ -2612,12 +2513,6 @@ version = "1.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
 
-[[package]]
-name = "once_cell_polyfill"
-version = "1.70.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
-
 [[package]]
 name = "open"
 version = "5.3.3"
@@ -2928,21 +2823,6 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "portable-atomic"
-version = "1.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
-
-[[package]]
-name = "portable-atomic-util"
-version = "0.2.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a9db96d7fa8782dd8c15ce32ffe8680bbd1e978a43bf51a34d39483540495f5"
-dependencies = [
- "portable-atomic",
-]
-
 [[package]]
 name = "potential_utf"
 version = "0.1.4"
@@ -4793,7 +4673,7 @@ dependencies = [
  "bollard",
  "chrono",
  "dirs",
- "env_logger",
+ "fern",
  "futures-util",
  "keyring",
  "log",
@@ -4941,12 +4821,6 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
-[[package]]
-name = "utf8parse"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
-
 [[package]]
 name = "uuid"
 version = "1.21.0"

app/src-tauri/src/commands/project_commands.rs

@@ -125,13 +125,8 @@ pub async fn start_project_container(
     let image_name = container_config::resolve_image_name(&settings.image_source, &settings.custom_image_name);
 
     // Get API key only if auth mode requires it
-    let api_key = match project.auth_mode {
-        AuthMode::ApiKey => {
-            let key = secure::get_api_key()?
-                .ok_or_else(|| "No API key configured. Please set your Anthropic API key in Settings.".to_string())?;
-            Some(key)
-        }
-        AuthMode::Login => {
+    let api_key: Option<String> = match project.auth_mode {
+        AuthMode::Anthropic => {
             None
         }
         AuthMode::Bedrock => {
@@ -169,6 +164,7 @@ pub async fn start_project_container(
             let needs_recreation = docker::container_needs_recreation(
                     &existing_id,
                     &project,
+                    api_key.as_deref(),
                     settings.global_claude_instructions.as_deref(),
                     &settings.global_custom_env_vars,
                 )

app/src-tauri/src/docker/container.rs

@@ -10,6 +10,19 @@ use std::hash::{Hash, Hasher};
 use super::client::get_docker;
 use crate::models::{AuthMode, BedrockAuthMethod, ContainerInfo, EnvVar, GlobalAwsSettings, Project, ProjectPath};
 
+/// Compute a fingerprint for the API key so we can detect when it changes
+/// without storing the actual key in Docker labels.
+fn compute_api_key_fingerprint(api_key: Option<&str>) -> String {
+    match api_key {
+        Some(key) => {
+            let mut hasher = DefaultHasher::new();
+            key.hash(&mut hasher);
+            format!("{:x}", hasher.finish())
+        }
+        None => String::new(),
+    }
+}
+
 /// Compute a fingerprint string for the custom environment variables.
 /// Sorted alphabetically so order changes do not cause spurious recreation.
 fn compute_env_fingerprint(custom_env_vars: &[EnvVar]) -> String {
@@ -356,6 +369,7 @@ pub async fn create_container(
     labels.insert("triple-c.project-id".to_string(), project.id.clone());
     labels.insert("triple-c.project-name".to_string(), project.name.clone());
     labels.insert("triple-c.auth-mode".to_string(), format!("{:?}", project.auth_mode));
+    labels.insert("triple-c.api-key-fingerprint".to_string(), compute_api_key_fingerprint(api_key));
     labels.insert("triple-c.paths-fingerprint".to_string(), compute_paths_fingerprint(&project.paths));
     labels.insert("triple-c.bedrock-fingerprint".to_string(), compute_bedrock_fingerprint(project));
     labels.insert("triple-c.image".to_string(), image_name.to_string());
@@ -439,6 +453,7 @@ pub async fn remove_container(container_id: &str) -> Result<(), String> {
 pub async fn container_needs_recreation(
     container_id: &str,
     project: &Project,
+    api_key: Option<&str>,
     global_claude_instructions: Option<&str>,
     global_custom_env_vars: &[EnvVar],
 ) -> Result<bool, String> {
@@ -477,6 +492,14 @@ pub async fn container_needs_recreation(
         }
     }
 
+    // ── API key fingerprint ─────────────────────────────────────────────
+    let expected_api_key_fp = compute_api_key_fingerprint(api_key);
+    let container_api_key_fp = get_label("triple-c.api-key-fingerprint").unwrap_or_default();
+    if container_api_key_fp != expected_api_key_fp {
+        log::info!("API key fingerprint mismatch, triggering recreation");
+        return Ok(true);
+    }
+
     // ── Project paths fingerprint ──────────────────────────────────────────
     let expected_paths_fp = compute_paths_fingerprint(&project.paths);
     match get_label("triple-c.paths-fingerprint") {

app/src-tauri/src/lib.rs

@@ -43,7 +43,7 @@ pub fn run() {
             exec_manager: ExecSessionManager::new(),
         })
         .setup(|app| {
-            match tauri::image::Image::from_bytes(include_bytes!("../icons/icon.ico")) {
+            match tauri::image::Image::from_bytes(include_bytes!("../icons/icon.png")) {
                 Ok(icon) => {
                     if let Some(window) = app.get_webview_window("main") {
                         let _ = window.set_icon(icon);

app/src-tauri/src/models/project.rs

@@ -46,20 +46,21 @@ pub enum ProjectStatus {
 }
 
 /// How the project authenticates with Claude.
-/// - `Login`: User runs `claude login` inside the container (OAuth, persisted via config volume)
-/// - `ApiKey`: Uses the API key stored in the OS keychain
+/// - `Anthropic`: User runs `claude login` inside the container (OAuth via Anthropic Console,
+///   persisted in the config volume)
 /// - `Bedrock`: Uses AWS Bedrock with per-project AWS credentials
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename_all = "snake_case")]
 pub enum AuthMode {
-    Login,
-    ApiKey,
+    /// Backward compat: old projects stored as "login" or "api_key" map to Anthropic.
+    #[serde(alias = "login", alias = "api_key")]
+    Anthropic,
     Bedrock,
 }
 
 impl Default for AuthMode {
     fn default() -> Self {
-        Self::Login
+        Self::Anthropic
     }
 }
 

app/src/components/projects/ProjectCard.test.tsx

@@ -47,7 +47,7 @@ const mockProject: Project = {
   paths: [{ host_path: "/home/user/project", mount_name: "project" }],
   container_id: null,
   status: "stopped",
-  auth_mode: "login",
+  auth_mode: "anthropic",
   bedrock_config: null,
   allow_docker_access: false,
   ssh_key_path: null,

app/src/components/projects/ProjectCard.tsx

@@ -267,26 +267,15 @@ export default function ProjectCard({ project }: Props) {
           <div className="flex items-center gap-1 text-xs">
             <span className="text-[var(--text-secondary)] mr-1">Auth:</span>
             <button
-              onClick={(e) => { e.stopPropagation(); handleAuthModeChange("login"); }}
+              onClick={(e) => { e.stopPropagation(); handleAuthModeChange("anthropic"); }}
               disabled={!isStopped}
               className={`px-2 py-0.5 rounded transition-colors ${
-                project.auth_mode === "login"
+                project.auth_mode === "anthropic"
                   ? "bg-[var(--accent)] text-white"
                   : "text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-[var(--bg-primary)]"
               } disabled:opacity-50`}
             >
-              /login
-            </button>
-            <button
-              onClick={(e) => { e.stopPropagation(); handleAuthModeChange("api_key"); }}
-              disabled={!isStopped}
-              className={`px-2 py-0.5 rounded transition-colors ${
-                project.auth_mode === "api_key"
-                  ? "bg-[var(--accent)] text-white"
-                  : "text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-[var(--bg-primary)]"
-              } disabled:opacity-50`}
-            >
-              API key
+              Anthropic
             </button>
             <button
               onClick={(e) => { e.stopPropagation(); handleAuthModeChange("bedrock"); }}

app/src/components/settings/AwsSettings.tsx

@@ -51,6 +51,7 @@ export default function AwsSettings() {
       <div className="space-y-3 text-sm">
         <p className="text-xs text-[var(--text-secondary)]">
           Global AWS defaults for Bedrock projects. Per-project settings override these.
+          Changes here require a container rebuild to take effect.
         </p>
 
         {/* AWS Config Path */}

app/src/lib/types.ts

@@ -34,7 +34,7 @@ export type ProjectStatus =
   | "stopping"
   | "error";
 
-export type AuthMode = "login" | "api_key" | "bedrock";
+export type AuthMode = "anthropic" | "bedrock";
 
 export type BedrockAuthMethod = "static_credentials" | "profile" | "bearer_token";