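---
# Third-Party Risk Rules
# ======================
# Ensures proper management of external dependencies.
# Critical for supply chain security and license compliance.
#
# Each entry under `rules` has the same shape:
#   id          stable identifier, THIRD-<AREA>-<NNN>
#   name        short title
#   description what the rule enforces
#   severity    critical | high | medium | low
#   check       how the rule is evaluated; `type` is one of the check types used
#               in this file (file_exists, pattern_recommended, pattern_forbidden,
#               documentation) plus the `paths` / `patterns` / `invert` /
#               `case_insensitive` options the engine reads for that type
#   message     text shown when the rule fires
# Regex patterns are written in single quotes so backslashes reach the regex
# engine unchanged (YAML single-quoted scalars do no escape processing).
rules:
  # ===================
  # DEPENDENCY MANAGEMENT
  # ===================
  - id: THIRD-DEP-001
    name: "Dependency lock file required"
    description: "Dependencies must be locked to specific versions"
    severity: high
    check:
      type: file_exists
      # Any one of these lock files satisfies the rule.
      paths:
        - "uv.lock"
        - "poetry.lock"
        - "requirements.lock"
        - "Pipfile.lock"
    message: "Dependency lock file required for reproducible builds"

  - id: THIRD-DEP-002
    name: "Dependencies defined in manifest"
    description: "All dependencies must be declared"
    severity: critical
    check:
      type: file_exists
      paths:
        - "pyproject.toml"
        - "requirements.txt"
        - "Pipfile"
    message: "Dependency manifest file required"

  - id: THIRD-DEP-003
    name: "Pinned dependency versions"
    description: "Production dependencies should have pinned versions"
    severity: high
    check:
      type: pattern_recommended
      paths:
        - "pyproject.toml"
      # Matches a bounded range (>=x,<y), an exact pin (==) or a compatible
      # release (~=). An unbounded ">=x" alone does not match.
      patterns:
        - '>=.*,<|==|~='
    message: "Consider pinning dependency version ranges"

  # ===================
  # VULNERABILITY MANAGEMENT
  # ===================
  - id: THIRD-VULN-001
    name: "Dependency vulnerability scanning"
    description: "Dependencies must be scanned for vulnerabilities"
    severity: high
    check:
      type: file_exists
      paths:
        - ".github/workflows/*.yml"
        - ".gitea/workflows/*.yml"
      # NOTE(review): no other `file_exists` check in this file carries
      # `patterns`; confirm the engine applies them for this type, otherwise the
      # presence of any workflow file satisfies the rule without a scanner step.
      patterns:
        - 'safety|pip-audit|snyk|dependabot'
    message: "Dependency vulnerability scanning required"

  - id: THIRD-VULN-002
    name: "Dependabot enabled"
    description: "Automated dependency updates should be configured"
    severity: medium
    check:
      type: file_exists
      # NOTE(review): the Gitea glob matches any workflow file, not specifically
      # an update bot; this rule is therefore weaker on Gitea than on GitHub.
      paths:
        - ".github/dependabot.yml"
        - ".gitea/workflows/*.yml"
    message: "Consider enabling Dependabot for security updates"

  - id: THIRD-VULN-003
    name: "Container base image scanning"
    description: "Container base images should be scanned"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - ".github/workflows/*.yml"
        - ".gitea/workflows/*.yml"
      patterns:
        - 'trivy|grype|snyk.*container'
    message: "Consider container image vulnerability scanning"

  # ===================
  # LICENSE COMPLIANCE
  # ===================
  - id: THIRD-LIC-001
    name: "License compatibility check"
    description: "Dependency licenses must be compatible"
    severity: high
    check:
      type: documentation
    message: "Document license compliance verification process"

  - id: THIRD-LIC-002
    name: "No copyleft in proprietary code"
    description: "GPL/AGPL dependencies require careful handling"
    severity: high
    check:
      type: pattern_forbidden
      paths:
        - "pyproject.toml"
      # Substring match: also fires on "LGPL" and on the project's own
      # `license` field if it declares a GPL-family license. Treat a hit as a
      # prompt for review, not as proof of a copyleft dependency.
      patterns:
        - 'gpl|agpl'
      case_insensitive: true
    message: "Copyleft licenses require legal review"

  - id: THIRD-LIC-003
    name: "Project license declared"
    description: "Project must have explicit license"
    severity: medium
    check:
      type: file_exists
      paths:
        - "LICENSE"
        - "LICENSE.md"
        - "LICENSE.txt"
    message: "Project license file recommended"

  # ===================
  # VENDOR ASSESSMENT
  # ===================
  - id: THIRD-VEND-001
    name: "Trusted package sources"
    description: "Packages should come from trusted sources"
    severity: high
    check:
      type: pattern_forbidden
      paths:
        - "pyproject.toml"
        - "requirements.txt"
      # Plain-HTTP package sources can be tampered with in transit. The
      # original pattern only caught `--index-url`; `--extra-index-url` and
      # `--find-links` take URLs too, and `--trusted-host` tells pip to accept a
      # host without a valid TLS certificate, so all three are flagged as well.
      # NOTE(review): tool-specific index tables (e.g. a `url = "http://..."`
      # entry in pyproject.toml) are not covered here — confirm whether the
      # project's tooling needs an extra pattern for them.
      patterns:
        - 'git\+http://|--(extra-)?index-url.*http://|--find-links.*http://|--trusted-host'
    message: "Only HTTPS sources allowed for packages"

  - id: THIRD-VEND-002
    name: "No direct Git dependencies in production"
    description: "Production should use released packages"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "pyproject.toml"
      patterns:
        - 'git\+'
      # `invert` presumably negates the match so the rule fires when a Git
      # dependency IS present — verify against the rule engine.
      invert: true
    message: "Prefer released packages over Git dependencies"

  - id: THIRD-VEND-003
    name: "Minimal dependencies"
    description: "Only necessary dependencies should be included"
    severity: low
    check:
      type: documentation
    message: "Document justification for external dependencies"

  # ===================
  # SUPPLY CHAIN SECURITY
  # ===================
  - id: THIRD-CHAIN-001
    name: "Package integrity verification"
    description: "Package hashes should be verified"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "uv.lock"
        - "requirements.txt"
      # For requirements.txt this looks for `--hash=sha256:...` entries; a
      # lock file that records hashes by default will match regardless.
      patterns:
        - 'sha256|hash'
    message: "Consider hash verification for packages"

  - id: THIRD-CHAIN-002
    name: "Signed commits for dependencies"
    description: "Critical dependencies should use signed releases"
    severity: low
    check:
      type: documentation
    message: "Consider verifying signatures for critical dependencies"

  - id: THIRD-CHAIN-003
    name: "Private package registry"
    description: "Internal packages should use private registry"
    severity: low
    check:
      type: documentation
    message: "Document private package registry usage if applicable"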