# Security Requirements

Phase: implementation

Enforcement: informational (graduating to blocking Q3 2026)

## SEC-001: Input Validation

All external input (API request bodies, query parameters, headers, file uploads) MUST be validated through a schema validator before processing.

**Rule:** No raw request body access in business logic. All endpoints must define and validate against a schema (JSON Schema, protobuf, or framework-equivalent).

**Test:** Grep for direct `request.body` / `req.body` / `getParameter()` usage outside of the controller/validation layer.

```java
// Bad: raw parameter read and concatenated straight into SQL
String name = request.getParameter("name");
db.query("SELECT * FROM users WHERE name = '" + name + "'");

// Good: request validated against a schema before the service sees it
ValidatedInput input = validator.validate(request, CreateUserSchema.class);
userService.create(input);
```

## SEC-002: No Raw SQL

All database queries MUST use parameterized queries or an ORM. No string concatenation in SQL statements.

**Rule:** Zero tolerance for SQL string concatenation with user-controlled values.

**Test:** Regex scan for SQL keywords adjacent to string concatenation operators (`+`, `concat`, `format`, `f"`, template literals).

## SEC-003: Authentication Annotations

All new REST endpoints MUST have an explicit auth annotation. No endpoint may be implicitly public.

**Rule:** Every `@RequestMapping`, `@GetMapping`, `@PostMapping` (or equivalent) must be accompanied by `@ReltioSecured` or `@PublicEndpoint`. Missing annotation = violation.

**Test:** AST/regex check that every endpoint method has an auth annotation.

## SEC-004: Secrets in Code

No hardcoded secrets, tokens, passwords, or API keys in source code.

**Rule:** All secrets must come from environment variables, vault, or config service. String literals matching secret patterns are violations.

**Test:** Regex scan for patterns: API keys, JWT tokens, passwords in string literals, base64-encoded credentials.

## SEC-005: Dependency Vulnerability

No new dependencies with known critical/high CVEs.

**Rule:** Any new dependency added to `pom.xml`, `package.json`, `go.mod`, or equivalent must pass a vulnerability scan.

**Test:** Run `npm audit` / `mvn dependency-check:check` / `govulncheck` on changed dependency files.
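As an added example (not code from this requirements document or from the project it governs), the following Python script implements line-level versions of the SEC-001 through SEC-004 tests and runs them over a constructed Java sample that violates each rule once. The regular expressions, the `allow_raw_input` switch and the `scan_source` / `report` names are assumptions made for this demo; the `@ReltioSecured` and `@PublicEndpoint` annotation names come from SEC-003 above.

```python
"""Added example, not part of the requirements document: a line-oriented
linter for the SEC-001..SEC-004 checks. The regexes are illustrative
assumptions, not the team's official patterns; a real SEC-003 check
should walk an AST rather than rely on this annotation-run heuristic."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # requirement id, e.g. "SEC-002"
    line: int   # 1-based line number in the scanned text
    text: str   # offending source line, whitespace-stripped


# SEC-001: direct request access (a violation only outside the controller/validation layer)
RAW_INPUT_RE = re.compile(r"\b(request|req)\.body\b|\bgetParameter\s*\(")

# SEC-002: a SQL keyword on the same line as string concatenation/formatting
SQL_KEYWORD_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|WHERE)\b", re.I)
CONCAT_RE = re.compile(
    r'"\s*\+|\+\s*"'           # Java/JS  "..." + x  /  x + "..."
    r'|\.concat\(|\.format\('  # .concat(...) / String.format(...) / "...".format(...)
    r'|\bf"'                   # Python f-string
    r'|`[^`]*\$\{'             # JS template literal with interpolation
)

# SEC-003: endpoint mapping annotations and the auth annotations that must accompany them
ENDPOINT_RE = re.compile(r"@(RequestMapping|GetMapping|PostMapping|PutMapping|DeleteMapping)\b")
AUTH_RE = re.compile(r"@(ReltioSecured|PublicEndpoint)\b")

# SEC-004: secret-looking string literals (keyword = "literal", or a JWT literal)
SECRET_RE = re.compile(
    r'\b(api[_-]?key|password|passwd|secret|token)\b\s*[:=]\s*"[^"]{8,}"'
    r'|"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"',
    re.I,
)


def scan_source(text: str, allow_raw_input: bool = False) -> list[Finding]:
    """Scan one file's contents. Pass allow_raw_input=True for files in the
    controller/validation layer, where SEC-001 permits direct request access."""
    findings: list[Finding] = []
    lines = text.splitlines()
    pending_endpoint = None  # line no. of a mapping annotation whose method we have not reached
    has_auth = False         # an auth annotation was seen in the current annotation run
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not allow_raw_input and RAW_INPUT_RE.search(line):
            findings.append(Finding("SEC-001", no, stripped))
        if SQL_KEYWORD_RE.search(line) and CONCAT_RE.search(line):
            findings.append(Finding("SEC-002", no, stripped))
        if SECRET_RE.search(line):
            findings.append(Finding("SEC-004", no, stripped))
        # SEC-003: annotations sit on the lines directly above the method signature, so the
        # first non-annotation line closes the run and tells us whether auth was declared.
        if AUTH_RE.search(stripped):
            has_auth = True
        if ENDPOINT_RE.search(stripped):
            pending_endpoint = no
        elif stripped and not stripped.startswith("@"):
            if pending_endpoint is not None and not has_auth:
                findings.append(Finding("SEC-003", pending_endpoint,
                                        lines[pending_endpoint - 1].strip()))
            pending_endpoint = None
            has_auth = False
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding, in scan order."""
    return [f"{f.rule} line {f.line}: {f.text}" for f in findings]


# Constructed sample source (not real project code) that violates each rule once.
SAMPLE = """\
@RestController
public class UserController {
    private static final String API_KEY = "sk-live-0123456789abcdef";

    @GetMapping("/users")
    @ReltioSecured
    public List<User> list() { return userService.list(); }

    @PostMapping("/users")
    public User create(HttpServletRequest request) {
        String name = request.getParameter("name");
        return db.query("SELECT * FROM users WHERE name = '" + name + "'");
    }

    @PublicEndpoint
    @GetMapping("/health")
    public String health() { return "ok"; }
}
"""

if __name__ == "__main__":
    for entry in report(scan_source(SAMPLE)):
        print(entry)
```

Running the script reports the hardcoded key on line 3, the unannotated `@PostMapping` on line 9, the `getParameter()` read on line 11 and the concatenated `SELECT` on line 12. The SEC-003 heuristic assumes annotations are one per line immediately above the method; mapping annotations whose arguments span several lines need the AST-based check the requirement itself calls for.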