a7728c6266
- Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations
AI SDLC Standards
Cross-cutting non-functional requirements for AI-assisted software development.
Structure
security/ — InfoSec requirements (owned by Security team)
architecture/ — Software architecture standards (owned by Architecture team)
devops/ — CI/CD and deployment requirements (owned by DevOps team)
cost/ — Cost attribution and resource tagging (owned by FinOps team)
.tests/ — Deterministic compliance checks
skill/ — Agent skill for context injection
How It Works
- Each folder contains testable requirements in markdown — specific rules an AI agent (or human) must follow.
- The skill teaches your AI agent where to find these requirements and when to apply them.
- Deterministic tests in
.tests/validate compliance at CI time — fast, free, no LLM needed. - Each folder has an
OWNERSfile. That team maintains and evolves their requirements.
Philosophy
- Standardize the input, not the tool. Use OpenSpec, BMad, Cursor rules, or anything else. These requirements feed into whatever workflow you already have.
- Progressive enforcement. Start informational. Graduate to blocking as requirements mature.
- Concrete over aspirational. Every requirement must be testable. If you can't write a check for it, it's not a requirement — it's a wish.
Getting Started
Plug the skill into your AI agent's configuration. It will pull the right requirements at the right phase of development.
See skill/SKILL.md for integration instructions.