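---
# Compliance Rules
# =================
# Ensures adherence to regulatory and internal policy requirements.
# Covers SOX, GDPR, CCPA, and internal governance policies.
#
# Every rule carries: id, name, description, severity, check, message.
# Check types that appear in this file: pattern_forbidden, pattern_required,
# pattern_recommended, pattern_check, documentation, file_exists.
# NOTE(review): the engine that evaluates `check` is not part of this file.
# The `patterns` / `exclude_patterns` / `requires` values are written as
# regular expressions and are presumably matched against the contents of
# the files selected by `paths` — confirm against the rule loader. Whether
# `message` belongs at rule level or inside `check` could not be recovered
# from the flattened source either; it is nested under `check` here.

rules:
  # ===================
  # REGULATORY COMPLIANCE
  # ===================
  - id: COMP-REG-001
    name: "Error messages must not expose internals"
    description: "Error responses must not reveal system internals (SOX, security)"
    severity: high
    check:
      type: pattern_forbidden
      paths:
        - "app/exceptions/*.py"
      patterns:
        - "traceback|stack.*trace|sys\\.exc_info"
      # Matches that sit under a debug/development guard are tolerated.
      exclude_patterns:
        - "if.*debug|if.*development"
      message: "Production errors must not expose stack traces"

  - id: COMP-REG-002
    name: "HTTPS enforcement"
    description: "All communications must use HTTPS in production"
    severity: critical
    check:
      type: pattern_required
      paths:
        - "app/core/config.py"
        - "main.py"
      # Presence-only heuristic: a match shows TLS is mentioned in config,
      # not that plain HTTP is actually refused at runtime.
      patterns:
        - "https|SSL|TLS|SECURE"
      message: "HTTPS configuration required"

  - id: COMP-REG-003
    name: "Security headers"
    description: "Security headers must be configured"
    severity: high
    check:
      type: pattern_recommended
      paths:
        - "main.py"
        - "middleware/*.py"
      patterns:
        - "X-Frame-Options|X-Content-Type|Strict-Transport|CSP|Content-Security-Policy"
      message: "Consider security headers middleware"

  # ===================
  # CONSENT MANAGEMENT
  # ===================
  - id: COMP-CONS-001
    name: "Terms acceptance tracking"
    description: "User acceptance of terms must be recorded"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "models/database/user.py"
      patterns:
        - "terms_accepted|consent|accepted_at"
      message: "Consider tracking terms/consent acceptance"

  - id: COMP-CONS-002
    name: "Cookie consent"
    description: "Cookie usage must comply with consent requirements"
    severity: medium
    check:
      # No automated check; this rule only asks for written documentation.
      type: documentation
      message: "Document cookie consent mechanism"

  # ===================
  # FINANCIAL CONTROLS (SOX)
  # ===================
  - id: COMP-SOX-001
    name: "Financial transaction logging"
    description: "Financial transactions must have complete audit trail"
    severity: critical
    check:
      type: pattern_check
      paths:
        - "app/**/*.py"
      # Files that match `patterns` are expected to also match `requires`.
      patterns:
        - "payment|transaction|invoice|billing"
      requires:
        - "logger\\."
      message: "Financial operations require audit logging"

  - id: COMP-SOX-002
    name: "Dual approval for critical operations"
    description: "Critical financial operations should require dual approval"
    severity: medium
    check:
      type: documentation
      message: "Document approval workflow for critical operations"

  - id: COMP-SOX-003
    name: "Immutable transaction records"
    description: "Financial records must not be modifiable"
    severity: high
    check:
      type: pattern_forbidden
      paths:
        - "app/**/*.py"
      patterns:
        - "update.*transaction|delete.*payment|modify.*invoice"
      message: "Financial records should be immutable"

  # ===================
  # INTERNAL POLICIES
  # ===================
  - id: COMP-POL-001
    name: "Code review requirement"
    description: "Code changes must go through review process"
    severity: high
    check:
      type: file_exists
      paths:
        - ".github/PULL_REQUEST_TEMPLATE.md"
        - "CONTRIBUTING.md"
        - ".github/workflows/*.yml"
        - ".gitea/workflows/*.yml"
      message: "Code review process must be documented/enforced"

  - id: COMP-POL-002
    name: "Change approval documentation"
    description: "Changes must have documented approval"
    severity: medium
    check:
      type: file_exists
      paths:
        - ".github/CODEOWNERS"
        - "CODEOWNERS"
        - ".github/workflows/*.yml"
        - ".gitea/workflows/*.yml"
      message: "Document change approval requirements"

  - id: COMP-POL-003
    name: "Incident response documentation"
    description: "Incident response procedures must be documented"
    severity: medium
    check:
      type: file_exists
      paths:
        - "docs/**/incident*.md"
        - "docs/**/security*.md"
        - "SECURITY.md"
      message: "Document incident response procedures"

  # ===================
  # EVIDENCE COLLECTION
  # ===================
  - id: COMP-EVID-001
    name: "Automated testing evidence"
    description: "Test results must be captured for audit evidence"
    severity: medium
    check:
      type: file_exists
      paths:
        - ".github/workflows/ci.yml"
        - ".gitea/workflows/*.yml"
        - "pytest.ini"
        - "pyproject.toml"
      # NOTE(review): `patterns` on a file_exists check — presumably the
      # located files must also contain one of these; confirm with the loader.
      patterns:
        - "pytest|test|coverage"
      message: "Automated testing must be configured"

  - id: COMP-EVID-002
    name: "Deployment audit trail"
    description: "Deployments must be logged and traceable"
    severity: high
    check:
      type: file_exists
      paths:
        - ".github/workflows/*.yml"
        - ".gitea/workflows/*.yml"
      patterns:
        - "deploy|release"
      message: "Deployment process must be automated and logged"

  - id: COMP-EVID-003
    name: "Version control usage"
    description: "All code must be version controlled"
    severity: critical
    check:
      type: file_exists
      # NOTE(review): ".git" is normally a directory (or a file in worktrees);
      # verify the file_exists check accepts directories.
      paths:
        - ".git"
        - ".gitignore"
      message: "Version control is required"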