feat(claude-code): add api_key_helper for short-lived credentials; mark claude_api_key sensitive by morganl-ant · Pull Request #865 · coder/registry · GitHub

Open
morganl-ant wants to merge 2 commits into coder:main from morganl-ant:anthropic/api-key-helper

Conversation


@morganl-ant morganl-ant commented Apr 22, 2026

Problem

The module currently treats the Anthropic API key as a static, long-lived secret:

  • claude_api_key is not marked sensitive, so it can appear in plain text in Terraform plan output and CI logs (only claude_code_oauth_token had the flag).
  • install.sh writes the key to ~/.claude.json as primaryApiKey. The CLI already reads the key from the ANTHROPIC_API_KEY / CLAUDE_API_KEY environment variable that this module sets via coder_env, so the disk write is redundant and leaves a credential at rest in a user-readable file.
  • There is no first-class way to use short-lived credentials. Customers who source keys from Vault, AWS Secrets Manager, or cloud IAM today have to wrap the module with a pre_install_script and still end up with a static value in TF state.

Changes

  • New api_key_helper input ({ script, ttl_ms }). The script is written to ~/.claude/coder-api-key-helper.sh (mode 0700) and registered via the Claude Code apiKeyHelper setting at /etc/claude-code/managed-settings.d/20-coder-apikeyhelper.json. Claude invokes the helper whenever it needs a key and caches the result for ttl_ms (default 5 minutes), so the credential never lands in TF state, the agent environment, or ~/.claude.json.
  • coder_env for CLAUDE_CODE_API_KEY_HELPER_TTL_MS when api_key_helper is set.
  • claude_api_key now has sensitive = true and an updated description.
  • install.sh no longer writes primaryApiKey to ~/.claude.json. Onboarding-bypass keys (hasCompletedOnboarding, hasTrustDialogAccepted, etc.) are kept so the CLI still starts non-interactively. The early-return guard is widened so onboarding bypass also runs when api_key_helper is the auth source.
  • Validation: api_key_helper is mutually exclusive with claude_api_key, claude_code_oauth_token, and enable_aibridge.
  • README: new "Short-lived credentials via api_key_helper" section with Vault and AWS Secrets Manager examples.

This is install-time configuration only, so it composes cleanly with the direction in #861.

Validation

  • terraform fmt clean
  • terraform validate clean
  • terraform test: 23/23 pass (4 new: test_api_key_helper, test_api_key_helper_default_ttl, test_api_key_helper_validation_with_api_key, test_api_key_helper_validation_with_aibridge)
  • bun test: 2 new tests pass (api-key-helper, claude-api-key-not-written-to-claude-json); existing suite untouched
  • shellcheck --severity=warning scripts/install.sh clean

Disclosure

I work at Anthropic on the Claude Code team. This change is part of a small batch of upstream contributions based on what we have seen enterprise customers ask for; happy to adjust scope or split further if that helps review.
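The install step described in the "Changes" list above (helper written with mode 0700, registered through the Claude Code apiKeyHelper setting, TTL passed as an environment variable, and nothing written to ~/.claude.json) can be reproduced and checked in a few POSIX shell functions. This is an added example, not the module's install.sh or any code from the PR: the function names are hypothetical, the directories are parameters so it runs in a scratch location, and the path and setting names are the ones the PR description gives.

```shell
#!/bin/sh
# Added example (not coder/registry code): a minimal version of the
# api_key_helper install step plus defender-side checks.
# Real locations per the PR: ~/.claude/coder-api-key-helper.sh and
# /etc/claude-code/managed-settings.d/20-coder-apikeyhelper.json.

# install_api_key_helper HOME_DIR SETTINGS_DIR TTL_MS SCRIPT_BODY
# Writes the helper script (mode 0700), registers it via the
# apiKeyHelper managed setting, and exports the cache TTL.
install_api_key_helper() {
  home_dir=$1; settings_dir=$2; ttl_ms=$3; script_body=$4
  helper="$home_dir/.claude/coder-api-key-helper.sh"
  mkdir -p "$home_dir/.claude" "$settings_dir"
  # Restrictive umask so the file is never group/world readable,
  # not even between creation and chmod.
  ( umask 077; printf '#!/bin/sh\n%s\n' "$script_body" > "$helper" )
  chmod 0700 "$helper"
  # Managed settings fragment: Claude Code reads apiKeyHelper and runs
  # that script whenever it needs a key.
  printf '{\n  "apiKeyHelper": "%s"\n}\n' "$helper" \
    > "$settings_dir/20-coder-apikeyhelper.json"
  # The PR passes the TTL via coder_env; here it is a plain export.
  export CLAUDE_CODE_API_KEY_HELPER_TTL_MS="$ttl_ms"
}

# helper_mode_ok FILE : true only if FILE is exactly mode 0700
helper_mode_ok() {
  [ "$(find "$1" -prune -perm 0700)" = "$1" ]
}

# no_key_at_rest CLAUDE_JSON : true if the file is absent or has no
# primaryApiKey entry (the field the old install.sh used to write).
no_key_at_rest() {
  [ ! -f "$1" ] || ! grep -q '"primaryApiKey"' "$1"
}

# run_helper HELPER : invoke the helper the way the CLI would and
# return the credential on stdout.
run_helper() {
  "$1"
}

# Stand-alone demo in a scratch directory with a constructed,
# obviously fake credential.
demo_dir=$(mktemp -d)
install_api_key_helper "$demo_dir/home" "$demo_dir/etc" 300000 \
  'printf "%s\n" "sk-ant-PLACEHOLDER-NOT-A-REAL-KEY"'
helper_mode_ok "$demo_dir/home/.claude/coder-api-key-helper.sh" \
  && echo "helper mode 0700: ok"
no_key_at_rest "$demo_dir/home/.claude.json" \
  && echo "no primaryApiKey at rest: ok"
echo "helper returned: $(run_helper "$demo_dir/home/.claude/coder-api-key-helper.sh")"
```

The two check functions are the ones worth keeping around after the demo: `helper_mode_ok` catches a helper that was installed with a loose mode, and `no_key_at_rest` is the assertion the PR's new bun test (claude-api-key-not-written-to-claude-json) is making in spirit, so it can run as a post-install sanity check in the workspace.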

…itive; stop writing primaryApiKey to ~/.claude.json
@morganl-ant morganl-ant marked this pull request as ready for review April 22, 2026 20:57
@matifali matifali added the version:minor Add to PRs requiring a minor version upgrade label Apr 23, 2026