
Harden validation and Terraform defaults#2

Merged
TerminalsandCoffee merged 1 commit into main from codex/review-repository-configuration-and-security on Mar 21, 2026

Conversation

@TerminalsandCoffee
Owner

Motivation

  • Improve repository safety and validation reliability because the project is being viewed by a larger audience.
  • Make the detection validation tool compatible with Python 3.10+ and surface clearer, stricter rule errors.
  • Prevent insecure Terraform defaults (unencrypted root volumes, permissive CIDRs, IMDSv1) and encourage a validation-first workflow to avoid accidental deployments.

Description

  • Update development/validation.py to support a fallback to tomli when tomllib is not available and add stricter checks for creation_date format, supported rule.type values, severity values, UUID-shaped rule_id, duplicate rule_ids, and risk_score bounds.
  • Add tomli to requirements.txt for Python versions earlier than 3.11 via tomli>=2.0.1; python_version < "3.11".
  • Harden setup/terraform/main.tf by adding required_version, enabling EBS encryption and delete_on_termination for root volumes, and enforcing IMDSv2 via metadata_options on EC2 instances.
  • Add input validation blocks in setup/terraform/variables.tf to validate AMI IDs and to reject globally open allowed_ip CIDRs.
  • Update setup/README.md to document a validation-first workflow and to show terraform fmt -check, terraform init -backend=false, terraform validate, and terraform plan -refresh=false for safe verification.

Testing

  • Ran python3 -m py_compile development/validation.py, which succeeded.
  • Executed python3 development/validation.py, which ran against the detections/ directory and printed Validation Passed for each TOML rule found.
  • Attempted Terraform checks (terraform fmt/init/validate) but terraform is not installed in the execution environment so those native Terraform validations could not be completed.
  • Attempted static scanners (tfsec/checkov) but those tools are not installed in the execution environment so those scans were not run.

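The stricter rule checks and the tomllib/tomli fallback described in the PR body, written out as an added example (this is not the repository's development/validation.py). The `[rule]` table layout, the accepted `type` and `severity` sets, and the 0..100 `risk_score` bounds are assumptions for the example:

```python
import re
import uuid
from datetime import date

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # backport for older interpreters (the PR's tomli requirement)

# Accepted value sets and bounds are assumptions for this example, not the repository's.
SUPPORTED_TYPES = {"query", "threshold", "correlation"}
SEVERITIES = {"low", "medium", "high", "critical"}
MIN_RISK, MAX_RISK = 0, 100


def validate_rule(text, seen_ids):
    """Return error strings for one TOML rule; empty list = passed. seen_ids is shared across files."""
    try:
        doc = tomllib.loads(text)
    except tomllib.TOMLDecodeError as exc:
        return [f"invalid TOML: {exc}"]
    rule = doc.get("rule")
    if not isinstance(rule, dict):
        return ["missing [rule] table"]
    errors = []
    rule_id = str(rule.get("rule_id", ""))
    try:
        uuid.UUID(rule_id)  # must be UUID-shaped; empty or malformed ids raise ValueError
    except ValueError:
        errors.append(f"rule_id {rule_id!r} is not a UUID")
    else:
        if rule_id in seen_ids:
            errors.append(f"duplicate rule_id {rule_id}")
        seen_ids.add(rule_id)
    if rule.get("type") not in SUPPORTED_TYPES:
        errors.append(f"unsupported rule.type {rule.get('type')!r}")
    if rule.get("severity") not in SEVERITIES:
        errors.append(f"invalid severity {rule.get('severity')!r}")
    score = rule.get("risk_score")
    if isinstance(score, bool) or not isinstance(score, int) or not MIN_RISK <= score <= MAX_RISK:
        errors.append(f"risk_score {score!r} must be an integer in {MIN_RISK}..{MAX_RISK}")
    created = rule.get("creation_date")  # a bare TOML date already parses to datetime.date
    if isinstance(created, str) and re.fullmatch(r"\d{4}-\d{2}-\d{2}", created):
        try:
            created = date.fromisoformat(created)
        except ValueError:
            pass  # e.g. 2026-02-30 is not a calendar date
    if type(created) is not date:
        errors.append(f"creation_date {created!r} is not a valid YYYY-MM-DD date")
    return errors
```

Running it over every file in detections/ with one shared `seen_ids` set reproduces the per-file "Validation Passed" behaviour while still catching a rule_id reused across files.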

@TerminalsandCoffee
Owner Author

LGTM!

@TerminalsandCoffee TerminalsandCoffee merged commit 884a533 into main Mar 21, 2026
1 check passed