feat(auth): force subscription-only mode for Claude provider #166

Open
Maury1329 wants to merge 1 commit into AutoForgeAI:master from Maury1329:feature/use-cli-instead-of-api

Maury1329 commented Feb 6, 2026

Summary

Prevents accidental API credit consumption by explicitly enforcing subscription-only mode when using the default Claude provider. This ensures users with Claude Code subscriptions don't inadvertently incur API charges.

Changes

client.py

  • Added safety check to reject API credentials for Claude provider before SDK client creation
  • Added user-facing confirmation messages for subscription mode
  • Raises RuntimeError if ANTHROPIC_API_KEY or ANTHROPIC_AUTH_TOKEN are detected in Claude mode

registry.py

  • Modified get_effective_sdk_env() to explicitly clear API authentication env vars
  • Forces empty strings for ANTHROPIC_API_KEY and ANTHROPIC_AUTH_TOKEN in Claude mode
  • Added logging to confirm subscription-only mode activation

Motivation

Previously, the system would forward existing environment variables which could lead to:

  • Unexpected API billing when users have OAuth tokens
  • Confusion between subscription vs API usage
  • Potential accidental charges for users with Claude Code subscriptions

Testing

  • Verify agent runs successfully in subscription mode
  • Confirm no API credentials are passed to SDK
  • Check that safety error is raised if API key is detected
  • [ ] Validate console messages show subscription mode confirmation

Breaking Changes

None - This is a safety enhancement that only affects Claude provider configuration.

Labels:

  • enhancement
  • security
  • authentication

Prevent accidental API credit consumption by explicitly disabling API
authentication when using the default Claude provider. This ensures
users with Claude Code subscriptions don't inadvertently incur API charges.

Changes:
- Add safety check in client.py to reject API credentials for Claude provider
- Modify registry.py to explicitly clear API auth env vars in Claude mode
- Add user-facing confirmation messages for subscription mode
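
An added example, not code from this pull request or the project: one way to implement the two checks the description names, forcing the credential variables to empty strings in the environment handed to the SDK and refusing to start if either is still set. The function names `build_subscription_env` and `assert_no_api_credentials` and the sample environment are assumptions; only the two variable names come from the description.

```python
"""Subscription-only environment handling (illustrative, names are hypothetical)."""
import logging
from typing import Mapping

logger = logging.getLogger("subscription_mode")

# Variable names taken from the pull request description.
API_CREDENTIAL_VARS = ("ANTHROPIC_API_KEY", "ANTHROPIC_AUTH_TOKEN")


def build_subscription_env(parent_env: Mapping[str, str]) -> dict[str, str]:
    """Return a copy of parent_env with API credentials forced to ""."""
    env = dict(parent_env)
    for name in API_CREDENTIAL_VARS:
        if env.get(name):
            # Log the variable name only, never the secret value.
            logger.warning("Clearing %s for subscription-only mode", name)
        # Set to "" instead of deleting the key: if this mapping is later
        # merged over the parent environment, "" overrides an inherited value,
        # whereas a missing key would let the inherited value through.
        env[name] = ""
    return env


def assert_no_api_credentials(env: Mapping[str, str]) -> None:
    """Raise RuntimeError if any API credential is non-empty in env."""
    present = [n for n in API_CREDENTIAL_VARS if env.get(n, "").strip()]
    if present:
        # Report which variables are set, not what they contain.
        raise RuntimeError(
            "API credentials set in subscription-only mode: " + ", ".join(present)
        )


# Constructed sample environment; the key value is a placeholder.
SAMPLE_ENV = {"PATH": "/usr/bin", "ANTHROPIC_API_KEY": "sk-placeholder-not-real"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    sdk_env = build_subscription_env(SAMPLE_ENV)
    assert_no_api_credentials(sdk_env)  # passes: both variables are now ""
    print(sorted(sdk_env.items()))
```

Running the guard on the unscrubbed environment raises `RuntimeError`, which is the ordering question a reviewer would ask of the change: the check has to see the same mapping that is actually passed to the SDK.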