Reduce CI plan output verbosity and merge PR comments

[Alexanderamiri]

Summary

• Filter refresh noise from CI logs — run-plan.sh now strips Refreshing state..., Reading..., Read complete... lines from console output. Full output still saved to plan-output.txt for the LLM review.
• Filter refresh noise from PR comments — post-plan-comment.sh uses the clean output, reducing comment size from ~28KB to just the actual plan diff
• Single PR comment — Plan output and LLM review are now combined into one comment instead of two, halving email notifications
• Plan summary in header — The Plan: X to add, Y to change, Z to destroy line is extracted and shown prominently
• Remove post-review-comment.sh — No longer needed since review is appended to the plan comment

Test plan

• Open a PR with infra changes and verify the PR comment is a single, clean comment with plan + review
• Verify CI log output is concise (no refresh lines)
• Verify LLM review still works (receives full plan-output.txt, not the filtered version)
• Verify app repo tf-plan workflow also produces clean comments

[github-actions]

Terraform Plan

🚧 Changes detected — Plan: 4 to add, 0 to change, 0 to destroy.

Plan output

Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.lambdas.aws_lambda_permission.password_set_alb will be created
  + resource "aws_lambda_permission" "password_set_alb" {
      + action              = "lambda:InvokeFunction"
      + function_name       = "javabin-password-set"
      + id                  = (known after apply)
      + principal           = "elasticloadbalancing.amazonaws.com"
      + source_arn          = (known after apply)
      + statement_id        = "AllowALBInvoke"
      + statement_id_prefix = (known after apply)
    }

  # module.lambdas.aws_lb_listener_rule.password_set will be created
  + resource "aws_lb_listener_rule" "password_set" {
      + arn          = (known after apply)
      + id           = (known after apply)
      + listener_arn = "arn:aws:elasticloadbalancing:eu-central-1:553637109631:listener/app/javabin-platform-alb/bec1dd43ab8341b9/500c9c2b4186bf45"
      + priority     = 10
      + tags_all     = {
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "project"     = "javabin"
          + "team"        = "javabin"
        }

      + action {
          + order            = (known after apply)
          + target_group_arn = (known after apply)
          + type             = "forward"
        }

      + condition {
          + host_header {
              + values = [
                  + "password.javazone.no",
                ]
            }
        }
    }

  # module.lambdas.aws_lb_target_group.password_set will be created
  + resource "aws_lb_target_group" "password_set" {
      + arn                                = (known after apply)
      + arn_suffix                         = (known after apply)
      + connection_termination             = (known after apply)
      + deregistration_delay               = "300"
      + id                                 = (known after apply)
      + ip_address_type                    = (known after apply)
      + lambda_multi_value_headers_enabled = false
      + load_balancer_arns                 = (known after apply)
      + load_balancing_algorithm_type      = (known after apply)
      + load_balancing_anomaly_mitigation  = (known after apply)
      + load_balancing_cross_zone_enabled  = (known after apply)
      + name                               = "javabin-password-set"
      + name_prefix                        = (known after apply)
      + preserve_client_ip                 = (known after apply)
      + protocol_version                   = (known after apply)
      + proxy_protocol_v2                  = false
      + slow_start                         = 0
      + tags_all                           = {
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "project"     = "javabin"
          + "team"        = "javabin"
        }
      + target_type                        = "lambda"

      + health_check {
          + enabled             = false
          + healthy_threshold   = 3
          + interval            = 30
          + matcher             = (known after apply)
          + path                = (known after apply)
          + port                = "traffic-port"
          + protocol            = "HTTP"
          + timeout             = (known after apply)
          + unhealthy_threshold = 3
        }
    }

  # module.lambdas.aws_lb_target_group_attachment.password_set will be created
  + resource "aws_lb_target_group_attachment" "password_set" {
      + id               = (known after apply)
      + target_group_arn = (known after apply)
      + target_id        = "arn:aws:lambda:eu-central-1:553637109631:function:javabin-password-set"
    }

Plan: 4 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

---

LLM Review

Risk: 🟢 LOW

Adding ALB integration for password reset Lambda function with proper routing and permissions.

• ✅ [routine] Creating ALB listener rule for password.javazone.no with host-based routing to Lambda target group - standard application routing configuration
• ✅ [routine] Adding Lambda permission for ALB to invoke password-set function - required for ALB-to-Lambda integration
• ✅ [routine] Creating Lambda target group with health checks disabled (appropriate for Lambda) and attaching password-set function
• ✅ [routine] No security group changes, no public access modifications, and no destructive operations - purely additive infrastructure