terragrunt: add topology/style validator for leaves and env_helpers

[afreidah]

Context

The Terragrunt tree has a strong documented architecture:

• leaves are exactly include "root" plus one env_helper include
• env_helpers own dependencies, locals, inputs, and generated provider blocks
• path-keyed config in root.hcl is selected from the leaf directory name

That model is good, but it is currently enforced mostly by convention. A small repo-specific validator would catch accidental drift before terragrunt plan or apply.

Proposed checks

Add a script, for example under infrastructure/terragrunt/tools/ or scripts/, that walks infrastructure/terragrunt/**/terragrunt.hcl and validates:

• each leaf has a header
• each leaf has exactly two includes
• one include is root
• the second include points to an existing _env_helpers/*.hcl
• leaves do not contain locals, inputs, dependency, or generate blocks
• env_helpers contain a terraform.source pointing to an existing module
• dependency mocks include init, plan, and validate
• path-keyed leaf names exist in the relevant root/config maps where practical

Acceptance criteria

• A validator can be run locally from infrastructure/terragrunt/
• The validator exits non-zero on architecture drift
• Existing valid leaves pass without requiring Terraform provider initialization
• README or STYLE_GUIDE documents the new command

Notes

This should be a static check. It should not call terraform, terragrunt, providers, Vault, Consul, Cloudflare, Proxmox, OCI, etc.