# Authentication Security Rules
# =============================

authentication_rules:
  - id: SEC-001
    name: No hardcoded credentials
    severity: error
    description: >
      Credentials must never be hardcoded in source code.
      Use environment variables or secret management.

  - id: SEC-002
    name: JWT expiry enforcement
    severity: error
    description: >
      All JWT tokens must have expiration claims.
      Access tokens should expire in 15-60 minutes.

  - id: SEC-003
    name: Password hashing required
    severity: error
    description: >
      Passwords must be hashed using bcrypt, argon2, or scrypt.
      Never store or compare passwords in plain text.

  - id: SEC-004
    name: Session regeneration after auth
    severity: warning
    description: >
      Session IDs should be regenerated after authentication
      to prevent session fixation attacks.

  - id: SEC-005
    name: Brute force protection
    severity: warning
    description: >
      Login endpoints should implement rate limiting or
      account lockout after failed attempts.

  - id: SEC-006
    name: Secure password reset
    severity: warning
    description: >
      Password reset tokens must be cryptographically random,
      expire within 1 hour, and be single-use.

  - id: SEC-007
    name: Authentication on sensitive endpoints
    severity: error
    description: >
      All endpoints except public ones must require authentication.

  - id: SEC-008
    name: Token in Authorization header
    severity: warning
    description: >
      JWT tokens should be sent in Authorization header,
      not in URL parameters.

  - id: SEC-009
    name: Logout invalidates tokens
    severity: warning
    description: >
      Logout should invalidate or blacklist tokens.

  - id: SEC-010
    name: Multi-factor authentication support
    severity: info
    description: >
      Consider implementing MFA for sensitive operations.