Elevate requirements to organizational/architectural policy

- Security: no IAM in service repos, no custom auth, no direct external calls
- Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config
- DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions
- Cost: resource tagging, no unbounded allocation, no per-tenant infra
- Updated checker and demo to match
- These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss

.demo/infra/main.tf

@@ -0,0 +1,28 @@
+# SEC-001 VIOLATION: IAM resources in a service repo
+resource "aws_iam_role" "service_role" {
+  name = "user-service-role"
+  assume_role_policy = data.aws_iam_policy_document.assume.json
+}
+
+resource "aws_iam_policy" "s3_access" {
+  name   = "user-service-s3-access"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["s3:GetObject", "s3:PutObject"]
+      Resource = "arn:aws:s3:::reltio-prod-data/*"
+    }]
+  })
+}
+
+# OPS-002 VIOLATION: Infrastructure provisioning in service repo
+resource "aws_sqs_queue" "user_events" {
+  name = "user-events-queue"
+}
+
+resource "aws_dynamodb_table" "user_cache" {
+  name         = "user-cache"
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "userId"
+}