- Security: input validation, SQL injection, auth annotations, secrets, CVE checks
- Architecture: API contract first, service boundaries, breaking change protocol
- DevOps: health checks, structured logging, resource limits, rollback safety
- Cost: resource tagging, auto-scaling limits, storage lifecycle
- Deterministic compliance checker (.tests/check.sh)
- Agent skill for context injection (Cursor, OpenSpec, Claude Code examples)
- Demo with intentional violations
Cost & Tagging Requirements
Phase: deployment
Enforcement: informational
COST-001: Resource Tagging
All cloud resources (AWS, GCP, Azure) MUST include the following tags:
- team: owning team name
- service: service identifier
- environment: dev/staging/prod
- cost-center: finance cost center code
Rule: Infrastructure-as-code (Terraform, CloudFormation, Pulumi) must include these tags on every resource that supports tagging.
Test: Parse IaC files, verify tag block contains all four required keys.
COST-002: No Open-Ended Auto-Scaling
Auto-scaling configurations MUST define a maxReplicas / maxCapacity ceiling.
Rule: Unbounded scaling is a cost incident waiting to happen. Every autoscaler must have an explicit maximum.
Test: Parse HPA/scaling configs, verify maxReplicas is set and is not unreasonably high (>50 requires justification).
COST-003: Storage Lifecycle
All S3 buckets / GCS buckets / Blob containers MUST have a lifecycle policy defined.
Rule: No indefinite storage retention. Every bucket must transition to cheaper tiers or expire objects after a defined period.
Test: Check IaC for lifecycle configuration on storage resources.
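The three tests above (required tag keys, a bounded auto-scaling ceiling, a lifecycle policy on every bucket), as an added example checker written for this page; it is not the repository's .tests/check.sh. It assumes a CloudFormation-style JSON template and treats a `Metadata.CostJustification` key on a resource as the "justification" COST-002 asks for; both the template and that convention are constructed for the example.

```python
import json

REQUIRED_TAGS = {"team", "service", "environment", "cost-center"}  # COST-001
MAX_REPLICAS_THRESHOLD = 50  # COST-002: above this a written justification is required

# Constructed sample template (not from the repo) with deliberate violations:
# the ASG scales to 120 with no justification, the bucket lacks two tags and a lifecycle policy.
TEMPLATE = json.loads("""{
  "Resources": {
    "ApiAsg": {"Type": "AWS::AutoScaling::AutoScalingGroup",
      "Properties": {"MinSize": "2", "MaxSize": "120",
        "Tags": [{"Key": "team", "Value": "payments"}, {"Key": "service", "Value": "api"},
                 {"Key": "environment", "Value": "prod"}, {"Key": "cost-center", "Value": "CC-1234"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket",
      "Properties": {"Tags": [{"Key": "team", "Value": "payments"}, {"Key": "service", "Value": "api"}]}}
  }
}""")

def check_cost_rules(template):
    """Return (rule_id, logical_id, message) findings; an empty list means compliant."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        # COST-001: every resource in the template carries all four required tag keys
        present = {t.get("Key") for t in props.get("Tags", [])}
        missing = REQUIRED_TAGS - present
        if missing:
            findings.append(("COST-001", name, f"missing tags: {sorted(missing)}"))
        # COST-002: autoscaling must declare a ceiling; a large ceiling needs justification
        if rtype == "AWS::AutoScaling::AutoScalingGroup":
            max_size = props.get("MaxSize")
            if max_size is None:
                findings.append(("COST-002", name, "no MaxSize ceiling"))
            elif int(max_size) > MAX_REPLICAS_THRESHOLD and \
                    "CostJustification" not in res.get("Metadata", {}):  # assumed convention
                findings.append(("COST-002", name,
                                 f"MaxSize {max_size} > {MAX_REPLICAS_THRESHOLD} without justification"))
        # COST-003: every bucket must define a lifecycle policy
        if rtype == "AWS::S3::Bucket" and "LifecycleConfiguration" not in props:
            findings.append(("COST-003", name, "no LifecycleConfiguration"))
    return findings

if __name__ == "__main__":
    for rule, res, msg in check_cost_rules(TEMPLATE):
        print(f"{rule} {res}: {msg}")
```

Since the enforcement level for this phase is informational, the findings are reported rather than turned into a non-zero exit; flip that in a wrapper if a stricter gate is wanted.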