AI SDLC Standards: cross-cutting requirements mono repo

- Security: input validation, SQL injection, auth annotations, secrets, CVE checks
- Architecture: API contract first, service boundaries, breaking change protocol
- DevOps: health checks, structured logging, resource limits, rollback safety
- Cost: resource tagging, auto-scaling limits, storage lifecycle
- Deterministic compliance checker (.tests/check.sh)
- Agent skill for context injection (Cursor, OpenSpec, Claude Code examples)
- Demo with intentional violations

cost/OWNERS

@@ -0,0 +1 @@
+@finops-team

cost/requirements.md

@@ -0,0 +1,32 @@
+# Cost & Tagging Requirements
+
+Phase: deployment
+Enforcement: informational
+
+## COST-001: Resource Tagging
+
+All cloud resources (AWS, GCP, Azure) MUST include the following tags:
+- `team` — owning team name
+- `service` — service identifier
+- `environment` — dev/staging/prod
+- `cost-center` — finance cost center code
+
+**Rule:** Infrastructure-as-code (Terraform, CloudFormation, Pulumi) must include these tags on every resource that supports tagging.
+
+**Test:** Parse IaC files, verify tag block contains all four required keys.
+
+## COST-002: No Open-Ended Auto-Scaling
+
+Auto-scaling configurations MUST define a `maxReplicas` / `maxCapacity` ceiling.
+
+**Rule:** Unbounded scaling is a cost incident waiting to happen. Every autoscaler must have an explicit maximum.
+
+**Test:** Parse HPA/scaling configs, verify `maxReplicas` is set and is not unreasonably high (>50 requires justification).
+
+## COST-003: Storage Lifecycle
+
+All S3 buckets / GCS buckets / Blob containers MUST have a lifecycle policy defined.
+
+**Rule:** No indefinite storage retention. Every bucket must transition to cheaper tiers or expire objects after a defined period.
+
+**Test:** Check IaC for lifecycle configuration on storage resources.