# Access Control Rules
# ====================
# Ensures proper authentication, authorization, and least privilege.
# Critical for preventing unauthorized access.
#
# Layout of each rule as used in this file: id, name, description,
# severity, check (type, paths, patterns, exclude_patterns) and message.
# Check types appearing here: pattern_required, pattern_recommended,
# pattern_forbidden, documentation. Their exact semantics are defined by
# the tool that consumes this file, which is not shown here.
#
# NOTE(review): the line breaks and indentation of this file were
# reconstructed; in particular `message` is placed at rule level (a sibling
# of `check`), not inside `check` — confirm against the consumer's schema.
#
# Reviewer caveat that applies to every pattern_* rule below: these are
# textual presence/absence checks on source files. A match shows that a
# token appears somewhere in the file, not that the control is enforced on
# every code path, so a passing rule is a prompt for review, not evidence.

rules:
  # ===================
  # AUTHENTICATION
  # ===================
  - id: ACCESS-AUTH-001
    name: "Protected endpoints must require authentication"
    description: "API endpoints handling sensitive data must enforce authentication"
    severity: critical
    check:
      type: pattern_required
      paths:
        - "app/api/v1/*.py"
      # Presumably evaluated per file: a module where one route uses the
      # dependency passes even if other routes in the same module do not.
      patterns:
        - "CurrentUser|Depends.*get_current_user|AdminUser"
      # Files listed here are skipped entirely, so any route in auth.py that
      # does need authentication is not covered by this rule.
      exclude_patterns:
        - "health.py"
        - "auth.py"  # Auth endpoints handle their own logic
    message: "API endpoints must require authentication"

  - id: ACCESS-AUTH-002
    name: "Admin endpoints must verify admin role"
    description: "Administrative functions must check for admin privileges"
    severity: critical
    check:
      type: pattern_required
      paths:
        - "app/routes/admin.py"
      # Any one of these names anywhere in the file satisfies the check.
      patterns:
        - "is_admin|AdminUser|require_admin|admin_required"
    message: "Admin routes must verify admin privileges"

  - id: ACCESS-AUTH-003
    name: "Session management must be secure"
    description: "Sessions must have proper timeout and security settings"
    severity: high
    check:
      type: pattern_required
      paths:
        - "app/core/config.py"
        - "app/core/security.py"
      # Checks that an expiry setting exists, not its value; an overly long
      # lifetime still passes.
      patterns:
        - "ACCESS_TOKEN_EXPIRE|SESSION_TIMEOUT|token.*expire"
    message: "Session/token expiration must be configured"

  # ===================
  # AUTHORIZATION (RBAC)
  # ===================
  - id: ACCESS-RBAC-001
    name: "Role-based access control implementation"
    description: "System must implement role-based access control"
    severity: high
    check:
      type: pattern_required
      paths:
        - "models/database/user.py"
      # `role` and `permission` are broad substrings (they also match inside
      # comments or unrelated identifiers), so this is a weak signal.
      patterns:
        - "is_admin|role|permission"
    message: "User model must support role-based access"

  - id: ACCESS-RBAC-002
    name: "Authorization checks before data access"
    description: "Data access must verify user permissions"
    severity: high
    check:
      type: pattern_recommended
      paths:
        - "app/api/v1/*.py"
      # In a double-quoted YAML scalar `\\` becomes `\`, so the regex reads
      # `user\.id` (literal dot).
      patterns:
        - "user\\.id|current_user|owner|created_by"
    message: "Consider ownership checks for data access"

  - id: ACCESS-RBAC-003
    name: "Separation of duties"
    description: "Critical operations should require different roles"
    severity: medium
    # No paths/patterns: presumably a documentation-only (manual) check.
    check:
      type: documentation
    message: "Document separation of duties in critical workflows"

  # ===================
  # LEAST PRIVILEGE
  # ===================
  - id: ACCESS-PRIV-001
    name: "Database connections use least privilege"
    description: "Database user should have minimal required permissions"
    severity: high
    # Unlike ACCESS-RBAC-003, this documentation check carries paths and
    # patterns — confirm the consumer scans them for this check type.
    check:
      type: documentation
      paths:
        - "docs/**/*.md"
        - "README.md"
      patterns:
        - "database.*permission|db.*role|least.*privilege"
    message: "Document database user permissions"

  - id: ACCESS-PRIV-002
    name: "API endpoints return minimal data"
    description: "Responses should not include unnecessary sensitive fields"
    severity: medium
    check:
      type: pattern_forbidden
      paths:
        - "models/schema/*.py"
      # `password.*Field` also matches request schemas that legitimately
      # declare a password input (the same files ACCESS-ACCT-002 expects a
      # min_length Field in), so expect false positives unless the exclusion
      # below covers them.
      patterns:
        - "password_hash|password.*Field"
      # NOTE(review): here exclude_patterns looks like a content regex, while
      # in ACCESS-AUTH-001 it holds file names — confirm which the consumer
      # implements.
      exclude_patterns:
        - "password.*exclude.*True"
    message: "Password hashes must not be included in API responses"

  - id: ACCESS-PRIV-003
    name: "Environment-specific access"
    description: "Debug/admin features disabled in production"
    severity: high
    check:
      type: pattern_required
      paths:
        - "main.py"
        - "app/core/environment.py"
      # Matches the names regardless of value: a file that sets DEBUG to true
      # satisfies this rule just as well as one that disables it.
      patterns:
        - "is_production|ENVIRONMENT|DEBUG"
    message: "Environment-based feature flags required"

  # ===================
  # ACCOUNT SECURITY
  # ===================
  - id: ACCESS-ACCT-001
    name: "Account lockout mechanism"
    description: "Failed login attempts should trigger account lockout"
    severity: high
    check:
      type: pattern_recommended
      paths:
        - "app/api/v1/auth.py"
        - "app/services/user_service.py"
      patterns:
        - "failed.*attempt|lockout|rate.*limit|throttle"
    message: "Consider implementing account lockout after failed attempts"

  - id: ACCESS-ACCT-002
    name: "Password complexity requirements"
    description: "Passwords must meet minimum complexity requirements"
    severity: high
    check:
      type: pattern_required
      paths:
        - "models/schema/auth.py"
        - "models/schema/user.py"
      # Not tied to the password field: any min_length/MinLen in these files
      # satisfies the rule, and the 8 is not enforced as the actual minimum.
      patterns:
        - "min_length|MinLen|Field.*ge.*8"
    message: "Password minimum length must be enforced"

  - id: ACCESS-ACCT-003
    name: "Secure password storage"
    description: "Passwords must be hashed with strong algorithm"
    severity: critical
    check:
      type: pattern_required
      paths:
        - "app/core/security.py"
      # Presence of an algorithm name only; does not verify that it is the
      # one used on the password path or that its cost parameters are set.
      patterns:
        - "bcrypt|argon2|scrypt|pbkdf2"
    message: "Passwords must use approved hashing algorithms"