Fixes #1108

Describe the changes you have made in this PR -

Adds Anthropic Claude Code as a non-interactive CLI-backed LLM provider, selectable via LLM_PROVIDER=claude-code. The integration mirrors the existing OpenAI Codex CLI adapter shape end-to-end (adapter, registry, wizard option, env forwarding, fallback binary paths) so users can run opensre investigate against an alert using their local claude binary instead of an HTTP API key.

Highlights:

• New ClaudeCodeAdapter in app/integrations/llm_cli/claude_code.py that runs claude -p --output-format text with the prompt on stdin — strictly non-interactive, no TTY, no approval loops.
• Three-state auth probe (True / False / None) that checks ANTHROPIC_API_KEY env, then ~/.claude/.credentials.json. On macOS, when neither is present, returns None instead of False because claude login stores OAuth tokens in Keychain on darwin — a strict file-only check would falsely block Keychain-authenticated users.
• Binary resolution via the shared resolve_cli_binary helper — CLAUDE_CODE_BIN override → PATH → npm/Homebrew/volta/pnpm/XDG fallbacks.
• Provider registered in CLI_PROVIDER_REGISTRY and selectable through the onboarding wizard under "Local CLI providers".
• 29 unit tests covering detect / build / parse / explain_failure, the CLAUDE_CODE_BIN override and PATH fallback, fallback paths on macOS / Linux / Windows (mocked sys.platform), registry registration, and env-forwarding security guarantees (specifically: ANTHROPIC_API_KEY is forwarded ONLY by the Claude Code invocation, not via the global allowlist, so credentials don't leak into Codex subprocesses).
• .env.example documents CLAUDE_CODE_BIN and CLAUDE_CODE_MODEL.
• runner.py: added CLAUDE_ to _SAFE_SUBPROCESS_ENV_PREFIXES so CLAUDE_CODE_* settings reach the subprocess; added USER and LOGNAME to safe keys (macOS Keychain item lookup needs USER).

Demo/Screenshot for feature changes and bug fixes -

Code Understanding and AI Usage

Did you use AI assistance (ChatGPT, Claude, Copilot, etc.) to write any part of this code?

• No, I wrote all the code myself
• Yes, I used AI assistance (continue below)

If you used AI assistance:

• I have reviewed every single line of the AI-generated code
• I can explain the purpose and logic of each function/component I added
• I have tested edge cases and understand how the code handles them
• I have modified the AI output to follow this project's coding standards and conventions

Explain your implementation approach:

Problem: OpenSRE supported Codex CLI as a non-interactive LLM provider but had no equivalent for Claude Code. Issue #1108 asks for the same shape: a one-shot, scriptable CLI invocation that runs to completion under subprocess.run with no TTY, no approval prompts, and no REPL.

Alternatives considered:

1. Interactive mode (just claude with stdin) — rejected because the issue explicitly excludes interactive flows; the agent runtime can't sit in a REPL waiting for prompts.
2. HTTP via Anthropic SDK — that path already exists as LLM_PROVIDER=anthropic. The point of this issue is to support users whose only auth is claude login (no API key on file), via subprocess to their local CLI.
3. A subprocess auth probe (e.g. claude doctor) — rejected because Claude Code has no clean machine-readable auth-status command, so I went with a fast file-and-env check that doesn't fork a process for the probe at all.

Why this implementation:
The repo already has a clean LLMCLIAdapter Protocol and CLIBackedLLMClient runner that drive Codex. Implementing Claude Code as another adapter (instead of carving a new pathway) means I get caching of probes, ANSI stripping, env allowlisting, structured output, and timeout handling for free, and the change stays tightly scoped. Following the same shape is also explicitly requested by app/integrations/llm_cli/AGENTS.md.

Key components:

• ClaudeCodeAdapter._resolve_binary() — defers to the shared resolve_cli_binary so CLAUDE_CODE_BIN override behaviour matches Codex (blank/invalid env value falls back instead of erroring).
• ClaudeCodeAdapter._probe_binary() — runs claude --version with a generous 8s timeout (Codex's 3s was too tight: Claude Code does config/cache init at startup and times out when another claude process holds shared state). On version success, defers to _classify_claude_code_auth().
• _classify_claude_code_auth() — env-var check first, then OAuth credentials file. The macOS branch deliberately returns None (not False) when both are absent, because Claude Code on darwin stores tokens in Keychain and the runner only blocks invocation on False; None lets the actual claude -p call surface the real auth state via explain_failure.
• ClaudeCodeAdapter.build() — produces argv = (claude, -p, --output-format, text [, --model …]) with the prompt on stdin and NO_COLOR=1 in env. It explicitly forwards ANTHROPIC_API_KEY / ANTHROPIC_BASE_URL / ANTHROPIC_AUTH_TOKEN here rather than via the global subprocess allowlist — this prevents Anthropic credentials from leaking into other CLI adapters' subprocesses (e.g. Codex).
• parse() / explain_failure() — minimal, mirroring Codex; parse returns trimmed stdout, explain_failure includes the return code and a clipped stderr/stdout for the runner to surface.

Edge cases tested:

• Binary missing entirely → clear install hint
• CLAUDE_CODE_BIN points at a non-existent path → falls back to PATH
• claude --version fails → installed=False with diagnostic detail
• Missing creds on Linux → False (definitive); on macOS → None (Keychain may hold tokens)
• Empty / None model → --model flag omitted (CLI default applies)
• parse() with whitespace-only stdout
• explain_failure() falls back to stdout when stderr is empty
• Cross-OS fallback paths verified for macOS / Linux / Windows via patched sys.platform
• Env-forwarding: CLAUDE_* reaches the subprocess; ANTHROPIC_API_KEY reaches Claude Code's subprocess only, not the global allowlist (so it isn't forwarded to Codex runs)