Case study / TerraGate
Review infrastructure change before it becomes infrastructure risk.
A constrained Terraform review demo that turns plan JSON into explainable findings, while keeping execution and external writes outside the public boundary.
- Role
- Independent builder
- System
- TerraGate
Demo boundary
Live constrained demo
Deterministic Python checks / external writes mocked
Live constrained demo. Deterministic Python checks run against sample plans; external writes are mocked and Terraform execution is disabled.
01 / Frame
Problem
- Terraform plans are dense review objects, and high-impact changes can be easy to miss in an unstructured diff.
- A useful review gate must explain findings without gaining permission to execute the plan it examines.
Constraints
- The public demo accepts bounded sample inputs rather than arbitrary infrastructure execution.
- External comments, checks, and approval writes remain mocked.
- Findings shown publicly come from deterministic Python checks.
02 / System
Real architecture, retained as review evidence.

03 / Decisions
Three decisions and the cost of each.
01
Make deterministic checks the public source of findings
Repeatable Python rules make the same plan produce the same result and keep the evaluation inspectable.
Tradeoff
The demo covers encoded checks rather than every organization-specific policy.
02
Disable Terraform execution
Separating review from apply keeps the public surface from holding infrastructure-changing authority.
Tradeoff
The demo proves review flow, not end-to-end deployment.
03
Mock external write integrations
Reviewers can inspect the intended handoff without exposing repository or approval credentials.
Tradeoff
Live GitHub comments and checks require a separately controlled installation path.
04 / Evidence
What the record supports—and how far it goes.
Live
Constrained public review flow
Sample inputs only; Terraform execution is disabled.
Inspect evidenceDeterministic
Python findings
No active external policy-engine execution is claimed.
Inspect evidenceMocked
External writes
Repository checks, comments, and approvals are outside the public boundary.
Inspect evidence
05 / Reliability & security
Deterministic review inside a constrained boundary.
Repeatable Python checks evaluate bounded inputs while Terraform execution stays disabled and external writes remain mocked. The threat model documents what the public surface cannot do.
Threat modelA stalled review recovers without gaining write authority.
If a review remains queued because the worker and execution mode disagree, the runbook checks REVIEW_EXECUTION_MODE, starts the worker or restores the intended safe mode, and keeps external writes mocked throughout the recovery.
Operator runbook06 / Limits
Known limits
- Terraform execution is disabled in the public demo.
- External repository writes are mocked.
- The public path does not execute an external policy engine.
Path to sustained operation
- Run evaluation inside an isolated worker with bounded time, memory, and input size.
- Use a narrowly scoped repository installation for checks and comments, with approval required for writes.
- Version rule packs and retain the rule version with every decision record.
07 / Artifact index
Follow the work into the repository.
- architectureReview-flow architecture
- iacAWS public-demo Terraform
- ciRepository CI workflow
- testsTesting strategy and commands
- runbookOperator runbook
- securityThreat model
- limitationsPublic-demo boundary