e323c45cb0
- Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss
AI SDLC Standards
Cross-cutting non-functional requirements for AI-assisted software development.
Structure
security/ — InfoSec requirements (owned by Security team)
architecture/ — Software architecture standards (owned by Architecture team)
devops/ — CI/CD and deployment requirements (owned by DevOps team)
cost/ — Cost attribution and resource tagging (owned by FinOps team)
.tests/ — Deterministic compliance checks
skill/ — Agent skill for context injection
How It Works
- Each folder contains testable requirements in markdown — specific rules an AI agent (or human) must follow.
- The skill teaches your AI agent where to find these requirements and when to apply them.
- Deterministic tests in
.tests/validate compliance at CI time — fast, free, no LLM needed. - Each folder has an
OWNERSfile. That team maintains and evolves their requirements.
Philosophy
- Standardize the input, not the tool. Use OpenSpec, BMad, Cursor rules, or anything else. These requirements feed into whatever workflow you already have.
- Progressive enforcement. Start informational. Graduate to blocking as requirements mature.
- Concrete over aspirational. Every requirement must be testable. If you can't write a check for it, it's not a requirement — it's a wish.
Getting Started
Plug the skill into your AI agent's configuration. It will pull the right requirements at the right phase of development.
See skill/SKILL.md for integration instructions.