Elevate requirements to organizational/architectural policy

- Security: no IAM in service repos, no custom auth, no direct external calls
- Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config
- DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions
- Cost: resource tagging, no unbounded allocation, no per-tenant infra
- Updated checker and demo to match
- These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss

.demo/dependencies.txt

@@ -0,0 +1,6 @@
+# ARCH-001 VIOLATION: Direct cloud SDK dependencies
+com.amazonaws:aws-java-sdk-s3:1.12.400
+com.google.cloud:google-cloud-storage:2.20.0
+
+# SEC-002 VIOLATION: JWT library for custom auth
+io.jsonwebtoken:jjwt:0.9.1

.demo/infra/main.tf

@@ -0,0 +1,28 @@
+# SEC-001 VIOLATION: IAM resources in a service repo
+resource "aws_iam_role" "service_role" {
+  name = "user-service-role"
+  assume_role_policy = data.aws_iam_policy_document.assume.json
+}
+
+resource "aws_iam_policy" "s3_access" {
+  name   = "user-service-s3-access"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["s3:GetObject", "s3:PutObject"]
+      Resource = "arn:aws:s3:::reltio-prod-data/*"
+    }]
+  })
+}
+
+# OPS-002 VIOLATION: Infrastructure provisioning in service repo
+resource "aws_sqs_queue" "user_events" {
+  name = "user-events-queue"
+}
+
+resource "aws_dynamodb_table" "user_cache" {
+  name         = "user-cache"
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "userId"
+}

.demo/k8s/deployment.yaml

@@ -11,4 +11,33 @@ spec:
           image: reltio/user-service:latest
           ports:
             - containerPort: 8080
-          # OPS-003 VIOLATION: No resource limits defined
+---
+# OPS-001 VIOLATION: Custom ingress instead of Foxtrot routing
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: user-service-ingress
+spec:
+  rules:
+    - host: users.reltio.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: user-service
+                port:
+                  number: 8080
+---
+# OPS-004 VIOLATION: Pinned infrastructure version
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: user-db
+spec:
+  template:
+    spec:
+      containers:
+        - name: postgres
+          image: postgres:14.2

.demo/src/main/java/com/reltio/demo/UserController.java

@@ -1,42 +1,48 @@
-// Sample service with intentional violations for demo purposes
+// Demo service with intentional violations at the organizational/architectural level
+
 package com.reltio.demo;
 
+import com.amazonaws.services.s3.AmazonS3;  // ARCH-001 VIOLATION: Direct AWS SDK import
+import com.google.cloud.storage.Storage;     // ARCH-001 VIOLATION: Direct GCP SDK import
+import io.jsonwebtoken.Jwts;                 // SEC-002 VIOLATION: Custom JWT handling
 import org.springframework.web.bind.annotation.*;
+import org.springframework.web.client.RestTemplate;
 
-// SEC-003 VIOLATION: Missing @ReltioSecured annotation
 @RestController
 @RequestMapping("/api/users")
 public class UserController {
 
-    private final UserRepository repo;
+    private final AmazonS3 s3Client;
+    private final RestTemplate restTemplate;
 
-    public UserController(UserRepository repo) {
-        this.repo = repo;
+    // ARCH-003 VIOLATION: Hardcoded environment URL
+    private static final String ANALYTICS_URL = "https://prod.reltio.com/analytics/v1";
+
+    // ARCH-003 VIOLATION: Hardcoded tenant logic
+    public Object getTenantConfig(String tenantId) {
+        if (tenantId.equals("acme-corp")) {
+            return Map.of("maxEntities", 1000000);
+        }
+        return Map.of("maxEntities", 100000);
     }
 
-    // SEC-001 VIOLATION: Raw request parameter access
-    // SEC-002 VIOLATION: SQL string concatenation
-    @GetMapping("/search")
-    public List<User> search(HttpServletRequest request) {
-        String name = request.getParameter("name");
-        return repo.query("SELECT * FROM users WHERE name = '" + name + "'");
+    // SEC-003 VIOLATION: Direct external HTTP call
+    public void notifyPartner(String event) {
+        restTemplate.postForObject("https://api.partner-system.com/webhook", event, String.class);
     }
 
-    // COMPLIANT: Validated input, parameterized query, auth annotation
-    @ReltioSecured(resource = "users", privilege = "READ")
-    @GetMapping("/{id}")
-    public User getById(@PathVariable @Valid Long id) {
-        return repo.findById(id);
+    // SEC-002 VIOLATION: Custom auth endpoint
+    @PostMapping("/login")
+    public String login(@RequestBody LoginRequest req) {
+        // Custom JWT generation instead of using platform auth
+        return Jwts.builder().setSubject(req.getUsername()).compact();
     }
 
-    // SEC-004 VIOLATION: Hardcoded secret
-    private static final String API_SECRET = "sk-reltio-prod-a8f3b2c1d4e5f6789";
-
-    // OPS-002 VIOLATION: Raw stdout logging
-    @PostMapping
-    @ReltioSecured(resource = "users", privilege = "WRITE")
-    public User create(@RequestBody @Valid CreateUserRequest req) {
-        System.out.println("Creating user: " + req.getName());
-        return repo.save(req.toUser());
+    // ARCH-002 VIOLATION: Cross-service database query
+    public List<Order> getUserOrders(Long userId) {
+        // Directly querying the orders service's schema
+        return jdbcTemplate.query(
+            "SELECT * FROM orders_service.orders WHERE user_id = ?",
+            new Object[]{userId}, orderRowMapper);
     }
 }

.demo/src/main/resources/db/migration/V2__update_users.sql

@@ -1,7 +0,0 @@
--- OPS-004 VIOLATION: Destructive migration
-ALTER TABLE users DROP COLUMN legacy_name;
-ALTER TABLE users RENAME COLUMN full_name TO display_name;
-
--- COMPLIANT: Additive migration
-ALTER TABLE users ADD COLUMN email VARCHAR(255);
-CREATE INDEX idx_users_email ON users(email);