Elevate requirements to organizational/architectural policy

- Security: no IAM in service repos, no custom auth, no direct external calls
- Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config
- DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions
- Cost: resource tagging, no unbounded allocation, no per-tenant infra
- Updated checker and demo to match
- These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss

.demo/src/main/java/com/reltio/demo/UserController.java

@@ -1,42 +1,48 @@
-// Sample service with intentional violations for demo purposes
+// Demo service with intentional violations at the organizational/architectural level
+
 package com.reltio.demo;
 
+import com.amazonaws.services.s3.AmazonS3;  // ARCH-001 VIOLATION: Direct AWS SDK import
+import com.google.cloud.storage.Storage;     // ARCH-001 VIOLATION: Direct GCP SDK import
+import io.jsonwebtoken.Jwts;                 // SEC-002 VIOLATION: Custom JWT handling
 import org.springframework.web.bind.annotation.*;
+import org.springframework.web.client.RestTemplate;
 
-// SEC-003 VIOLATION: Missing @ReltioSecured annotation
 @RestController
 @RequestMapping("/api/users")
 public class UserController {
 
-    private final UserRepository repo;
+    private final AmazonS3 s3Client;
+    private final RestTemplate restTemplate;
 
-    public UserController(UserRepository repo) {
-        this.repo = repo;
+    // ARCH-003 VIOLATION: Hardcoded environment URL
+    private static final String ANALYTICS_URL = "https://prod.reltio.com/analytics/v1";
+
+    // ARCH-003 VIOLATION: Hardcoded tenant logic
+    public Object getTenantConfig(String tenantId) {
+        if (tenantId.equals("acme-corp")) {
+            return Map.of("maxEntities", 1000000);
+        }
+        return Map.of("maxEntities", 100000);
     }
 
-    // SEC-001 VIOLATION: Raw request parameter access
-    // SEC-002 VIOLATION: SQL string concatenation
-    @GetMapping("/search")
-    public List<User> search(HttpServletRequest request) {
-        String name = request.getParameter("name");
-        return repo.query("SELECT * FROM users WHERE name = '" + name + "'");
+    // SEC-003 VIOLATION: Direct external HTTP call
+    public void notifyPartner(String event) {
+        restTemplate.postForObject("https://api.partner-system.com/webhook", event, String.class);
     }
 
-    // COMPLIANT: Validated input, parameterized query, auth annotation
-    @ReltioSecured(resource = "users", privilege = "READ")
-    @GetMapping("/{id}")
-    public User getById(@PathVariable @Valid Long id) {
-        return repo.findById(id);
+    // SEC-002 VIOLATION: Custom auth endpoint
+    @PostMapping("/login")
+    public String login(@RequestBody LoginRequest req) {
+        // Custom JWT generation instead of using platform auth
+        return Jwts.builder().setSubject(req.getUsername()).compact();
     }
 
-    // SEC-004 VIOLATION: Hardcoded secret
-    private static final String API_SECRET = "sk-reltio-prod-a8f3b2c1d4e5f6789";
-
-    // OPS-002 VIOLATION: Raw stdout logging
-    @PostMapping
-    @ReltioSecured(resource = "users", privilege = "WRITE")
-    public User create(@RequestBody @Valid CreateUserRequest req) {
-        System.out.println("Creating user: " + req.getName());
-        return repo.save(req.toUser());
+    // ARCH-002 VIOLATION: Cross-service database query
+    public List<Order> getUserOrders(Long userId) {
+        // Directly querying the orders service's schema
+        return jdbcTemplate.query(
+            "SELECT * FROM orders_service.orders WHERE user_id = ?",
+            new Object[]{userId}, orderRowMapper);
     }
 }