ai-sdlc-standards/security/requirements.md
# Security Requirements
Phase: implementation
Enforcement: informational (graduating to blocking Q3 2026)
## SEC-001: Input Validation
All external input (API request bodies, query parameters, headers, file uploads) MUST be validated through a schema validator before processing.
**Rule:** No raw request body access in business logic. All endpoints must define and validate against a schema (JSON Schema, protobuf, or framework-equivalent).
**Test:** Grep for direct `request.body` / `req.body` / `getParameter()` usage outside of controller/validation layer.
```java
// Bad: raw parameter read and concatenated straight into SQL (SEC-001 and SEC-002 violation)
String name = request.getParameter("name");
db.query("SELECT * FROM users WHERE name = '" + name + "'");

// Good: input validated against a schema before it reaches business logic
ValidatedInput input = validator.validate(request, CreateUserSchema.class);
userService.create(input);
```
## SEC-002: No Raw SQL
All database queries MUST use parameterized queries or an ORM. No string concatenation in SQL statements.
**Rule:** Zero tolerance for SQL string concatenation with user-controlled values.
**Test:** Regex scan for SQL keywords adjacent to string concatenation operators (`+`, `concat`, `format`, `f"`, template literals).
## SEC-003: Authentication Annotations
All new REST endpoints MUST have an explicit auth annotation. No endpoint may be implicitly public.
**Rule:** Every `@RequestMapping`, `@GetMapping`, `@PostMapping` (or equivalent) must be accompanied by `@ReltioSecured` or `@PublicEndpoint`. Missing annotation = violation.
**Test:** AST/regex check that every endpoint method has an auth annotation.
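As an added example (not part of this standards file), a minimal Python scanner implementing the SEC-002 and SEC-003 tests described above, run over a constructed Java controller. The mapping annotation names and `@ReltioSecured` / `@PublicEndpoint` come from this page; the sample source and the exact regexes are assumptions made for the example.

```python
import re

# Constructed Java sample (not from any real code base) with one SEC-002 and one SEC-003 violation.
SAMPLE = """\
@RestController
public class UserController {
    @GetMapping("/users")
    public List<User> find(String name) {                        // SEC-003: no auth annotation
        return db.query("SELECT * FROM users WHERE name = '" + name + "'");   // SEC-002
    }
    @ReltioSecured
    @PostMapping("/users")
    public User create(@RequestBody CreateUserRequest req) {
        return jdbc.query("SELECT * FROM users WHERE id = ?", req.id());  // parameterized: OK
    }
    @PublicEndpoint
    @GetMapping("/health")
    public String health() { return "ok"; }
}
"""

# A string literal that begins with a SQL keyword, e.g. "SELECT * FROM users WHERE name = '"
SQL_LITERAL = r'"(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\b[^"]*"'
SQL_CONCAT = re.compile(
    rf'{SQL_LITERAL}\s*\+'                          # "SELECT ..." + name
    rf'|(?:concat|format)\s*\(\s*{SQL_LITERAL}'     # String.format("SELECT ...", name)
    rf'|\bf{SQL_LITERAL}',                          # Python f-string f"SELECT ... {name}"
    re.IGNORECASE)
ENDPOINT = re.compile(r'@(?:Request|Get|Post|Put|Delete|Patch)Mapping\b')
AUTH = re.compile(r'@(?:ReltioSecured|PublicEndpoint)\b')

def find_sql_concat(source: str) -> list[int]:
    """SEC-002: 1-based line numbers where a SQL literal is built by concatenation."""
    return [n for n, line in enumerate(source.splitlines(), 1) if SQL_CONCAT.search(line)]

def find_unsecured_endpoints(source: str) -> list[int]:
    """SEC-003: 1-based line numbers of mapping annotations with no auth annotation.
    The '@' lines directly above a method form one run; any auth annotation in the run counts."""
    violations, endpoint_line, has_auth = [], None, False
    for n, line in enumerate(source.splitlines(), 1):
        s = line.strip()
        if s.startswith("@"):
            endpoint_line = n if ENDPOINT.search(s) else endpoint_line
            has_auth = has_auth or bool(AUTH.search(s))
        elif s:  # first non-annotation line (the method signature) closes the run
            if endpoint_line is not None and not has_auth:
                violations.append(endpoint_line)
            endpoint_line, has_auth = None, False
    return violations
```

The SQL pattern is deliberately narrow (literals that start with a keyword); extend the alternatives to cover the template-literal and `concat` forms your code base actually uses.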
## SEC-004: Secrets in Code
No hardcoded secrets, tokens, passwords, or API keys in source code.
**Rule:** All secrets must come from environment variables, vault, or config service. String literals matching secret patterns are violations.
**Test:** Regex scan for patterns: API keys, JWT tokens, passwords in string literals, base64-encoded credentials.
## SEC-005: Dependency Vulnerability
No new dependencies with known critical/high CVEs.
**Rule:** Any new dependency added to `pom.xml`, `package.json`, `go.mod`, or equivalent must pass a vulnerability scan.
**Test:** Run `npm audit` / `mvn dependency-check:check` / `govulncheck` on changed dependency files.