docs: add auth credentials guidance to main group CLAUDE.md

Clarify that only long-lived OAuth tokens (claude setup-token) or API keys
should be used — short-lived tokens from the keychain expire within hours
and cause recurring 401s. Also update native credential proxy skill to
swap the OneCLI reference when applied.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.claude/skills/use-native-credential-proxy/SKILL.md

@@ -64,6 +64,16 @@ This merges in:
 
 If the merge reports conflicts beyond `package-lock.json`, resolve them by reading the conflicted files and understanding the intent of both sides.
 
+### Update main group CLAUDE.md
+
+Replace the OneCLI auth reference with the native proxy:
+
+In `groups/main/CLAUDE.md`, replace:
+> OneCLI manages credentials (including Anthropic auth) — run `onecli --help`.
+
+with:
+> The native credential proxy manages credentials (including Anthropic auth) via `.env` — see `src/credential-proxy.ts`.
+
 ### Validate code changes
 
 ```bash

groups/main/CLAUDE.md

@@ -77,6 +77,10 @@ Standard Markdown: `**bold**`, `*italic*`, `[links](url)`, `# headings`.
 
 This is the **main channel**, which has elevated privileges.
 
+## Authentication
+
+Anthropic credentials must be either an API key from console.anthropic.com (`ANTHROPIC_API_KEY`) or a long-lived OAuth token from `claude setup-token` (`CLAUDE_CODE_OAUTH_TOKEN`). Short-lived tokens from the system keychain or `~/.claude/.credentials.json` expire within hours and can cause recurring container 401s. The `/setup` skill walks through this. OneCLI manages credentials (including Anthropic auth) — run `onecli --help`.
+
 ## Container Mounts
 
 Main has read-only access to the project and read-write access to its group folder: