docs(AGENTS): correct persisted key filename to api-key.txt

[rajshah4]

HUMAN:

Docs-only change. I reviewed the rendered diff and confirmed the three corrected paths match the key file the launcher and Docker entrypoint actually write.

• A human has tested these changes.

AGENT:

---

Why

AGENTS.md documents the persisted session/backend API key file as ~/.openhands/agent-canvas/session-api-key.txt in three places, but the current code persists it to ~/.openhands/agent-canvas/api-key.txt. The filename was renamed in code but not in this doc, so anyone reading AGENTS.md to debug auth gets the wrong path.

Summary

• Update the persisted key filename from session-api-key.txt to api-key.txt in AGENTS.md (local-mode auth, the security key list, and the Docker all-in-one section).
• Flag/env names are intentionally left unchanged — --session-api-key, VITE_SESSION_API_KEY, SESSION_API_KEY are not filenames. The automation key (automation-api-key.txt) is untouched.

Issue Number

N/A

How to Test

Documentation-only; no runtime behavior changes. To confirm the corrected path is the real one:

grep -n '"api-key.txt"' scripts/dev-safe.mjs        # DEFAULT_API_KEY_PATH
grep -n 'api-key.txt' docker/entrypoint.sh          # API_KEY_FILE="${STATE_DIR}/api-key.txt"
grep -rn 'session-api-key.txt' --exclude-dir=node_modules .   # only AGENTS.md (fixed here) + test fixtures set via OH_SESSION_API_KEY_PATH

DEFAULT_SESSION_API_KEY_PATH remains only as a @deprecated alias of DEFAULT_API_KEY_PATH; no runtime code writes session-api-key.txt.

Video/Screenshots

N/A — documentation-only.

Type

• Bug fix
• Feature
• Refactor
• Breaking change
• Docs / chore

Notes

Scoped to AGENTS.md (3 lines). Found while reconciling a downstream tutorial against Agent Canvas v1.0.0.

[vercel]

@rajshah4 is attempting to deploy a commit to the openhands Team on Vercel.

A member of the Team first needs to authorize it.