.demo/src/main/java/com/reltio/demo/UserController.java

// Demo service with intentional violations at the organizational/architectural level

package com.reltio.demo;

import com.amazonaws.services.s3.AmazonS3;  // ARCH-001 VIOLATION: Direct AWS SDK import
import com.google.cloud.storage.Storage;     // ARCH-001 VIOLATION: Direct GCP SDK import
import io.jsonwebtoken.Jwts;                 // SEC-002 VIOLATION: Custom JWT handling
import org.springframework.web.bind.annotation.*;
import org.springframework.web.client.RestTemplate;

@RestController
@RequestMapping("/api/users")
public class UserController {

    private final AmazonS3 s3Client;
    private final RestTemplate restTemplate;

    // ARCH-003 VIOLATION: Hardcoded environment URL
    private static final String ANALYTICS_URL = "https://prod.reltio.com/analytics/v1";

    // ARCH-003 VIOLATION: Hardcoded tenant logic
    public Object getTenantConfig(String tenantId) {
        if (tenantId.equals("acme-corp")) {
            return Map.of("maxEntities", 1000000);
        }
        return Map.of("maxEntities", 100000);
    }

    // SEC-003 VIOLATION: Direct external HTTP call
    public void notifyPartner(String event) {
        restTemplate.postForObject("https://api.partner-system.com/webhook", event, String.class);
    }

    // SEC-002 VIOLATION: Custom auth endpoint
    @PostMapping("/login")
    public String login(@RequestBody LoginRequest req) {
        // Custom JWT generation instead of using platform auth
        return Jwts.builder().setSubject(req.getUsername()).compact();
    }

    // ARCH-002 VIOLATION: Cross-service database query
    public List<Order> getUserOrders(Long userId) {
        // Directly querying the orders service's schema
        return jdbcTemplate.query(
            "SELECT * FROM orders_service.orders WHERE user_id = ?",
            new Object[]{userId}, orderRowMapper);
    }
}
Elevate requirements to organizational/architectural policy - Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss 2026-03-07 07:41:27 +00:00			`// Demo service with intentional violations at the organizational/architectural level`

AI SDLC Standards: cross-cutting requirements mono repo - Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations 2026-03-07 07:31:16 +00:00			`package com.reltio.demo;`

Elevate requirements to organizational/architectural policy - Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss 2026-03-07 07:41:27 +00:00			`import com.amazonaws.services.s3.AmazonS3; // ARCH-001 VIOLATION: Direct AWS SDK import`
			`import com.google.cloud.storage.Storage; // ARCH-001 VIOLATION: Direct GCP SDK import`
			`import io.jsonwebtoken.Jwts; // SEC-002 VIOLATION: Custom JWT handling`
AI SDLC Standards: cross-cutting requirements mono repo - Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations 2026-03-07 07:31:16 +00:00			`import org.springframework.web.bind.annotation.*;`
Elevate requirements to organizational/architectural policy - Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss 2026-03-07 07:41:27 +00:00			`import org.springframework.web.client.RestTemplate;`
AI SDLC Standards: cross-cutting requirements mono repo - Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations 2026-03-07 07:31:16 +00:00
			`@RestController`
			`@RequestMapping("/api/users")`
			`public class UserController {`

Elevate requirements to organizational/architectural policy - Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss 2026-03-07 07:41:27 +00:00			`private final AmazonS3 s3Client;`
			`private final RestTemplate restTemplate;`
AI SDLC Standards: cross-cutting requirements mono repo - Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations 2026-03-07 07:31:16 +00:00
Elevate requirements to organizational/architectural policy - Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss 2026-03-07 07:41:27 +00:00			`// ARCH-003 VIOLATION: Hardcoded environment URL`
			`private static final String ANALYTICS_URL = "https://prod.reltio.com/analytics/v1";`
AI SDLC Standards: cross-cutting requirements mono repo - Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations 2026-03-07 07:31:16 +00:00
Elevate requirements to organizational/architectural policy - Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss 2026-03-07 07:41:27 +00:00			`// ARCH-003 VIOLATION: Hardcoded tenant logic`
			`public Object getTenantConfig(String tenantId) {`
			`if (tenantId.equals("acme-corp")) {`
			`return Map.of("maxEntities", 1000000);`
			`}`
			`return Map.of("maxEntities", 100000);`
AI SDLC Standards: cross-cutting requirements mono repo - Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations 2026-03-07 07:31:16 +00:00			`}`

Elevate requirements to organizational/architectural policy - Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss 2026-03-07 07:41:27 +00:00			`// SEC-003 VIOLATION: Direct external HTTP call`
			`public void notifyPartner(String event) {`
			`restTemplate.postForObject("https://api.partner-system.com/webhook", event, String.class);`
AI SDLC Standards: cross-cutting requirements mono repo - Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations 2026-03-07 07:31:16 +00:00			`}`

Elevate requirements to organizational/architectural policy - Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss 2026-03-07 07:41:27 +00:00			`// SEC-002 VIOLATION: Custom auth endpoint`
			`@PostMapping("/login")`
			`public String login(@RequestBody LoginRequest req) {`
			`// Custom JWT generation instead of using platform auth`
			`return Jwts.builder().setSubject(req.getUsername()).compact();`
			`}`
AI SDLC Standards: cross-cutting requirements mono repo - Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations 2026-03-07 07:31:16 +00:00
Elevate requirements to organizational/architectural policy - Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss 2026-03-07 07:41:27 +00:00			`// ARCH-002 VIOLATION: Cross-service database query`
			`public List<Order> getUserOrders(Long userId) {`
			`// Directly querying the orders service's schema`
			`return jdbcTemplate.query(`
			`"SELECT * FROM orders_service.orders WHERE user_id = ?",`
			`new Object[]{userId}, orderRowMapper);`
AI SDLC Standards: cross-cutting requirements mono repo - Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations 2026-03-07 07:31:16 +00:00			`}`
			`}`