AI SDLC Standards: cross-cutting requirements mono repo

- Security: input validation, SQL injection, auth annotations, secrets, CVE checks
- Architecture: API contract first, service boundaries, breaking change protocol
- DevOps: health checks, structured logging, resource limits, rollback safety
- Cost: resource tagging, auto-scaling limits, storage lifecycle
- Deterministic compliance checker (.tests/check.sh)
- Agent skill for context injection (Cursor, OpenSpec, Claude Code examples)
- Demo with intentional violations

.demo/k8s/deployment.yaml

@@ -0,0 +1,14 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: user-service
+spec:
+  replicas: 2
+  template:
+    spec:
+      containers:
+        - name: user-service
+          image: reltio/user-service:latest
+          ports:
+            - containerPort: 8080
+          # OPS-003 VIOLATION: No resource limits defined

.demo/src/main/java/com/reltio/demo/UserController.java

@@ -0,0 +1,42 @@
+// Sample service with intentional violations for demo purposes
+package com.reltio.demo;
+
+import org.springframework.web.bind.annotation.*;
+
+// SEC-003 VIOLATION: Missing @ReltioSecured annotation
+@RestController
+@RequestMapping("/api/users")
+public class UserController {
+
+    private final UserRepository repo;
+
+    public UserController(UserRepository repo) {
+        this.repo = repo;
+    }
+
+    // SEC-001 VIOLATION: Raw request parameter access
+    // SEC-002 VIOLATION: SQL string concatenation
+    @GetMapping("/search")
+    public List<User> search(HttpServletRequest request) {
+        String name = request.getParameter("name");
+        return repo.query("SELECT * FROM users WHERE name = '" + name + "'");
+    }
+
+    // COMPLIANT: Validated input, parameterized query, auth annotation
+    @ReltioSecured(resource = "users", privilege = "READ")
+    @GetMapping("/{id}")
+    public User getById(@PathVariable @Valid Long id) {
+        return repo.findById(id);
+    }
+
+    // SEC-004 VIOLATION: Hardcoded secret
+    private static final String API_SECRET = "sk-reltio-prod-a8f3b2c1d4e5f6789";
+
+    // OPS-002 VIOLATION: Raw stdout logging
+    @PostMapping
+    @ReltioSecured(resource = "users", privilege = "WRITE")
+    public User create(@RequestBody @Valid CreateUserRequest req) {
+        System.out.println("Creating user: " + req.getName());
+        return repo.save(req.toUser());
+    }
+}

.demo/src/main/resources/db/migration/V2__update_users.sql

@@ -0,0 +1,7 @@
+-- OPS-004 VIOLATION: Destructive migration
+ALTER TABLE users DROP COLUMN legacy_name;
+ALTER TABLE users RENAME COLUMN full_name TO display_name;
+
+-- COMPLIANT: Additive migration
+ALTER TABLE users ADD COLUMN email VARCHAR(255);
+CREATE INDEX idx_users_email ON users(email);