9e5a5fb0c7
Every `tg plan/apply/destroy/refresh` now runs `scripts/check-ingress-auth-comments.py` against the current stack before invoking terragrunt. The check fails closed if any `auth = "app"` or `auth = "none"` line in the stack's .tf files lacks an immediately-preceding `# auth = "<tier>": ...` comment documenting what gates the app (for "app") or why the endpoint is intentionally public (for "none"). Why tg-level (not git pre-commit): tg is the universal entry point for all infra changes. CI runs it, headless agents run it, humans run it. A pre-commit hook only catches the human path. Wiring the check into tg means the anti-exposure guard fires regardless of who or what is invoking terragrunt. Stack-scoped: each stack documents itself the next time it's edited. The 30+ existing `auth = "none"` stacks that predate this guard are not blocked from operating today; they'll need the comment added the next time someone runs `tg plan` on them — at which point the gate forces a conscious "yes, this is intentional" moment before any state change can land. Skipped on: init, fmt, validate, output, etc. — anything that doesn't read or write infra state. |
||
|---|---|---|
| .. | ||
| agents | ||
| commands | ||
| reference | ||
| scripts | ||
| skills | ||
| calendar-query.py | ||
| CLAUDE.md | ||
| home-assistant-sofia.py | ||
| home-assistant.py | ||
| internet-mode-used_DO_NOT_REMOVE_MANUALLY_SECURITY_RISK | ||
| pfsense.py | ||
| settings.json | ||