docs: bless local terragrunt apply, but require committing every applied change

Viktor asked to change the infra apply guidance: instead of 'never apply locally, always rely on CI', the policy is now 'you MAY apply locally, but always commit the change to the infra repo'. - .claude/CLAUDE.md (Critical Rule: Terraform Only): new bullet making local apply explicit (scripts/tg apply / homelab tf apply) from the MAIN checkout (not a worktree — git-crypt'd tfvars read as ciphertext there), with a hard requirement that every applied change is committed + pushed to master the same session so the repo stays the source of truth and CI drift-detection doesn't revert it. Spells out the apply<->commit ordering both ways. - AGENTS.md (non-admin workstation land steps): step 5 now notes local apply as an option alongside CI auto-apply, with the same 'always committed, never applied uncommitted' rule. Note: the org-managed settings block also frames CI auto-apply but is not editable from a workstation clone. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 08:10:20 +00:00 · 2026-06-27 08:10:20 +00:00 · 006f97ef58
commit 006f97ef58
parent 7b4a8ba867
2 changed files with 6 additions and 2 deletions
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@ -16,6 +16,7 @@
 **ALL infrastructure changes MUST go through Terraform/Terragrunt.** Never use `kubectl apply/edit/patch/set`, `helm install/upgrade`, or any manual cluster mutation as the final state.
 - **No exceptions for "quick fixes"** — even one-line changes must be in `.tf` files and applied via `scripts/tg apply`
 - **Apply locally OR let CI do it — but ALWAYS commit.** You don't have to wait for CI: with apply access you MAY run the apply yourself (`scripts/tg apply <stack>` / `homelab tf apply <stack>`), but **from the main checkout, never a worktree** (git-crypt'd `*.tfvars` come through as ciphertext under the worktree filter-bypass, so a worktree apply reads garbage). **Every applied change MUST be committed and pushed to `master` the same session** — the repo is the source of truth, so applied-but-uncommitted HCL is drift that the next CI apply / daily drift-detection will try to revert. Order either way: apply locally then commit + push (CI's changed-stack apply then no-ops), or commit + push and let CI apply. Never apply an uncommitted edit; never leave a committed change unapplied.
 - **kubectl is for read-only operations and temporary debugging only** (get, describe, logs, exec, port-forward)
 - **If a resource isn't in Terraform yet**, evaluate whether it can be added before making manual changes. If manual change is unavoidable (e.g., emergency), document it immediately and create the Terraform resource in the same session
 - **kubectl scale/patch during migrations is acceptable** as a transient step, but the final state must be in Terraform and applied via `scripts/tg apply`
--- a/AGENTS.md
+++ b/AGENTS.md
@ -273,8 +273,11 @@ To land a finished change from such a clone:
   Slack audit feed; a no-op CI apply on a docs-only commit is harmless.
 4. Leave the clone on clean `master` so auto-refresh keeps working.
 5. Tell the user in plain language what happened. Stack changes are
-   auto-applied by CI — verify the live result with the user's read-only
+   auto-applied by CI on push — or, with apply access, applied locally yourself
-   kubectl before saying "it's live".
+   (`scripts/tg apply`, from the main checkout, not a worktree); either path is
   fine, but the change must always be committed here, never applied
   uncommitted. Verify the live result with the user's read-only kubectl before
   saying "it's live".
 If a push to `master` is rejected by branch protection (user not on the
 whitelist — e.g. new users before Viktor grants it), fall back to a