Feature: Pre-merge infra validation hook for pal-e-services and pal-e-deployments PRs #187

Open
Opened 2026-03-28 02:05:46 +00:00 by forgejo_admin (Contributor) · 0 comments

Type

Feature

Lineage

Standalone -- migrated from todo-pre-merge-infra-validation in pal-e-docs. The pal-e-deployments CI piece (Woodpecker kustomize validation) was already completed (pal-e-deployments #14/#15). What remains is the PreToolUse hook in claude-custom.

Repo

forgejo_admin/claude-custom

User Story

As a platform engineer merging infra PRs,
I want merge attempts on infra repos to be blocked unless validation evidence exists in the PR,
So that Change Failure Rate is reduced by catching bad infra changes before merge.

Context

There is currently no pre-merge validation enforcement for infrastructure changes. Kustomize overlays and terraform changes are only tested after merge, which creates Change Failure Rate risk. The sop-platform-tf-changes SOP documents the desired validation patterns, but enforcement is manual.

The hook should trigger on PreToolUse / mcp__forgejo__merge_approved_pr and check per-repo evidence patterns:

  • pal-e-platform: CI green (plan step passed) via Woodpecker API
  • pal-e-services: tofu plan output in PR body or comments via Forgejo API
  • pal-e-deployments: kubectl kustomize output in PR body or comments via Forgejo API

For non-infra repos, the hook passes silently (exit 0).

File Targets

Files the agent should modify or create:

  • hooks/check-infra-validation.sh -- new hook script implementing the validation gate
  • settings.json -- add PreToolUse hook entry for mcp__forgejo__merge_approved_pr

Files the agent should NOT touch:

  • hooks/block-mcp-merge.sh -- existing merge gate, separate concern

Acceptance Criteria

  • Hook blocks merge on infra repos (pal-e-platform, pal-e-services, pal-e-deployments) when validation evidence is missing
  • Hook passes silently for non-infra repos
  • Evidence patterns match per-repo requirements (CI status, plan output, kustomize output)
  • Hook registered in hook-catalog with Layer 1 (Block) classification

Test Expectations

  • Manual test: attempt merge on pal-e-services PR without plan output -- hook blocks
  • Manual test: attempt merge on non-infra repo -- hook allows
  • Manual test: attempt merge on pal-e-platform PR with green CI -- hook allows

Constraints

  • Must be a separate hook from block-mcp-merge.sh (same event, different check)
  • Must fail-open on network errors (match existing hook patterns)
  • Use curl for Forgejo/Woodpecker API calls (match existing hook patterns)
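The per-repo evidence check described under Context, with the fail-open and curl constraints above, as an added example of what hooks/check-infra-validation.sh could look like (not the project's own hook). Assumptions are marked in the comments: the stdin payload field names, exit code 2 as the block signal, the exported token/URL variables, the Woodpecker lookup/pipelines endpoints, and that settings.json invokes the script with a `run` argument so the functions can be sourced for testing.

```shell
#!/bin/sh
# Added example, not the project's hook: the shape of hooks/check-infra-validation.sh
# as this issue describes it. Assumed: stdin carries tool_input.owner/.repo/.index,
# a block is exit 2 with the reason on stderr, FORGEJO_URL/FORGEJO_TOKEN and
# WOODPECKER_URL/WOODPECKER_TOKEN are exported, settings.json calls it with "run".

# Evidence pattern a repo must show; empty means "not an infra repo".
required_evidence() {
  case "$1" in
    pal-e-platform)    echo '"status":"success"' ;;  # Woodpecker pipeline JSON (assumed)
    pal-e-services)    echo 'tofu plan' ;;
    pal-e-deployments) echo 'kubectl kustomize' ;;
    *)                 echo '' ;;
  esac
}

# Returns 0 when text $2 satisfies repo $1's pattern; non-infra always passes.
has_evidence() {
  pat=$(required_evidence "$1")
  [ -z "$pat" ] && return 0
  printf '%s' "$2" | grep -qiF -- "$pat"
}

# Text to inspect: latest Woodpecker pipeline for pal-e-platform, PR body plus
# comments from Forgejo otherwise. Prints nothing and fails on any curl error.
fetch_evidence_text() {
  if [ "$2" = pal-e-platform ]; then
    auth="Authorization: Bearer $WOODPECKER_TOKEN"
    rid=$(curl -fsS -H "$auth" "$WOODPECKER_URL/api/repos/lookup/$1/$2" | jq -r .id) &&
      curl -fsS -H "$auth" "$WOODPECKER_URL/api/repos/$rid/pipelines?perPage=1"
  else
    auth="Authorization: token $FORGEJO_TOKEN"; base="$FORGEJO_URL/api/v1/repos/$1/$2"
    curl -fsS -H "$auth" "$base/pulls/$3" && curl -fsS -H "$auth" "$base/issues/$3/comments"
  fi
}

run_hook() {
  input=$(cat)
  owner=$(printf '%s' "$input" | jq -r '.tool_input.owner // empty')
  repo=$(printf '%s' "$input" | jq -r '.tool_input.repo // empty')
  idx=$(printf '%s' "$input" | jq -r '.tool_input.index // empty')
  [ -z "$(required_evidence "$repo")" ] && exit 0              # non-infra: silent pass
  text=$(fetch_evidence_text "$owner" "$repo" "$idx") || exit 0  # fail open on network error
  has_evidence "$repo" "$text" && exit 0
  echo "check-infra-validation: PR #$idx in $repo lacks '$(required_evidence "$repo")' evidence" >&2
  exit 2
}

[ "${1:-}" = run ] && run_hook   # plain "sh check-infra-validation.sh" only defines functions
```

The patterns are deliberately loose fixed strings; tightening them (for example requiring the plan summary line) is where the per-repo evidence rules in the acceptance criteria would be refined.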

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • pal-e-agency -- project
  • sop-platform-tf-changes -- SOP documenting validation patterns
  • hook-catalog -- coverage gaps table identifies this gap
Reference: ldraney/claude-custom#187