feat(auth): support subscription login alongside API key

Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through
for headless token-based auth (claude setup-token). When neither is set,
Claude Code falls back to browser OAuth on port 54545. Add claude-config
named volume mounted at ~/.claude/ in both claude and webui services so
credentials persist across container runs. Pre-create ~/.claude/ in the
Dockerfile so the volume is initialised with correct ownership. Add
--service-ports to docker compose run calls to publish port 54545 during
CLI sessions.

.env.example

@@ -1,13 +1,27 @@
 # Copy this file to .env and fill in your values.
 # .env is git-ignored — never commit it.
 
-# Required: your Anthropic API key
-ANTHROPIC_API_KEY=sk-ant-...
+# ─── Authentication (choose one) ──────────────────────────────────────────────
+
+# Option 1: Anthropic API key
+# ANTHROPIC_API_KEY=sk-ant-...
+
+# Option 2: OAuth token from a Claude.ai subscription (1-year validity)
+# Generate with: claude setup-token  (run on your host, not inside the container)
+# CLAUDE_CODE_OAUTH_TOKEN=...
+
+# Option 3: No key set — Claude Code will prompt for browser login on first run.
+# Port 54545 must be reachable from your browser for the OAuth callback.
+# Run: sbx ports <sandbox-name> --publish 54545:54545/tcp
+
+# ─── Workspace (CLI mode only) ────────────────────────────────────────────────
 
 # Optional: mount a host directory as /workspace inside the Claude container.
 # If unset, a named Docker volume is used (fully isolated from the host).
 # WORKSPACE_DIR=/absolute/path/to/your/project
 
-# Web interface credentials (required for ./claude.sh web)
+# ─── Web interface ────────────────────────────────────────────────────────────
+
+# Required for ./claude.sh web
 # WEBUI_USER=claude
 # WEBUI_PASSWORD=changeme