DLPX-97162 Add internal-claude variant for Claude Code developer environments

[prakashsurya]

Problem

Developers working with Claude Code need a pre-configured appliance image that
is ready to use on first boot — with the Claude CLI installed, product repos
pre-cloned, and standard tooling wired up. Today there is no such image; each
developer must manually install and configure everything on a stock internal VM.

Solution

Add a new internal-claude appliance variant (AWS-only) that layers a
claude-internal Ansible role on top of minimal-common + minimal-internal + minimal-development. On first boot the VM provides:

• Claude CLI installed via npm (/usr/local/bin/claude)
• Six product repos pre-cloned under ~delphix/src/ at their configured
  branches, with remote URLs rewritten to SSH form (no build-time token on disk):
  • delphix/dlpx-app-gate @ develop
  • delphix/dlpx-qa-gate @ develop
  • delphix/dms-core-gate @ develop
  • delphix/zfs @ develop
  • delphix/cd-aidlc @ main
  • delphix/git-utils @ main
• support-tools group (gid 4000) with delphix as a member
• NAS mount at /nas via a systemd nas.mount unit
  (After/Wants=network-online.target); uses a unit file rather than
  /etc/fstab because 90-raw-disk-image.binary overwrites fstab after the
  ansible chroot stage
• apt sources modifiable post-boot (cloud-init override in
  /etc/cloud/cloud.cfg.d/99-delphix-claude.cfg)
• git-utils/bin in the login shell PATH via /etc/profile.d/

Also fixes 80-build-configuration.binary to use trap cleanup EXIT so
/proc, /sys, and /dev bind mounts are always torn down even when the
ansible playbook fails mid-run.

The build requires GITHUB_TOKEN to be set (asserted at the top of the role);
without it the build fails fast with a clear message.

Testing Done

• ./gradlew buildInternalClaudeAws succeeds with GITHUB_TOKEN set —
  produces internal-claude-aws.{vmdk,debs.tar.gz,packages.list}
• ./gradlew buildInternalClaudeAws without GITHUB_TOKEN fails fast at the
  assertion task with the expected fail_msg
• git-ab-pre-push -v internal-claude --no-tests passed CI
  (appliance-build pre-push #13984, stage1 #62229)
• Boot-verify checks 4.1–4.10 all passed on a VM cloned from the produced AMI:
  • claude --version → 2.1.132 (Claude Code)
  • All 6 repos present at correct branches with SSH remote URLs
  • support-tools gid 4000, delphix in group
  • nas.mount enabled, unit file correct
  • 99-delphix-claude.cfg present with correct content
  • 61 GB free (> 50 GB)
  • git-utils/bin in PATH
  • No embedded credentials
  • No ~/.claude/settings.json

Future Work

• Ship ~/.claude/settings.json with "Generated with Claude" attribution
  defaults (deferred to a follow-on spec)
• Preload common build dependencies to speed up first use (out of scope)

JIRA: https://perforce.atlassian.net/browse/DLPX-97162

[david-mendez1]

Do we want the .claude/settings.json to include the Generated with Claude stamp if developers will be submitting PRs from these VMs?
"attribution": {
"commit": "Co-Authored-By: Claude xxxx noreply@anthropic.com",
"pr": "🤖 Generated with Claude Code"

[david-mendez1]

This may be a v2 thing, but include dlpx-qa-gate for E-2-E testing.

[lyriclake]

2018 -> 2026

[prakashsurya]

Do we want the .claude/settings.json to include the Generated with Claude stamp if developers will be submitting PRs from these VMs?

Yea, that would make sense. I'll defer to another spec for that, though.

but include dlpx-qa-gate for E-2-E testing.

Good idea, let me pull that in for v1.

[prakashsurya]

Closing in favour of #865 — the branch was not under the projects/ namespace required by this repo's conventions. All changes (including review feedback) are squashed into a single commit on projects/internal-claude.