rules:
  # Python: flag any argument of a logging/logger call whose source text looks
  # like cardholder data (PAN, CVV/CVC, track data, PIN, expiry).
  - id: payment-no-sensitive-logging-python
    message: Sensitive payment data must not be logged.
    severity: ERROR
    languages: [python]
    patterns:
      - pattern-either:
          - pattern: logging.$METHOD(..., $X, ...)
          - pattern: logger.$METHOD(..., $X, ...)
      # Substring match on the bound argument, kept unanchored by the .* wrappers.
      # "karten" (Karte = card) and "ablauf" (= expiry) cover German identifiers.
      # Caveat: short tokens such as "pan" and "pin" also match "expand", "span"
      # or "shipping", so expect some false positives to triage.
      - metavariable-regex:
          metavariable: $X
          regex: (?i).*(pan|cvv|cvc|track2|track_2|cardnumber|card_number|karten|pin|expiry|ablauf).*

  # JavaScript/TypeScript counterpart; console.* and logger.* calls.
  - id: payment-no-sensitive-logging-js
    message: Sensitive payment data must not be logged.
    severity: ERROR
    languages: [javascript, typescript]
    patterns:
      - pattern-either:
          - pattern: console.$METHOD(..., $X, ...)
          - pattern: logger.$METHOD(..., $X, ...)
      - metavariable-regex:
          metavariable: $X
          regex: (?i).*(pan|cvv|cvc|track2|cardnumber|pin|expiry).*

  # Plain regex over the source text: a log call and a credential-looking
  # identifier on the same line. Language-agnostic, so it also catches
  # format strings and string concatenation the AST patterns above skip.
  - id: payment-no-token-logging
    message: Tokens and session IDs must not be logged.
    severity: ERROR
    languages: [python, javascript, typescript, java, go]
    pattern-regex: (?i)(log|logger|logging|console)\.(debug|info|warn|error).*?(token|sessionid|session_id|authheader|authorization)

  # Hard-coded debug level. A level computed from configuration and passed
  # as a variable is not matched; only the literal DEBUG inside setLevel(...)
  # or a debug=true assignment is.
  - id: payment-no-debug-logging-prod-flag
    message: Debug logging must not be hard-enabled in production code paths.
    severity: WARNING
    languages: [python, javascript, typescript, java, go]
    pattern-regex: (?i)(DEBUG\s*=\s*true|debug\s*:\s*true|setLevel\(.*DEBUG.*\))

  # Review aid, not a defect: surfaces call sites of security-relevant admin
  # operations so a reviewer can confirm each one writes an audit log entry.
  - id: payment-audit-log-admin-action
    message: Security-relevant administrative action; check that it is covered by an audit log entry.
    severity: INFO
    languages: [python, javascript, typescript]
    pattern-regex: (?i)(deleteTerminal|rotateKey|updateConfig|disableDevice|enableMaintenance)
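A Semgrep test fixture for the Python-facing rules above (sensitive-data logging, token logging and the hard-coded debug level), added here as an example; it is not part of the original rule file. Each `# ruleid:` or `# ok:` comment marks the line after it as one the named rule must or must not flag, and `# todook:` marks a line the rule currently flags but should not (a known false positive). The `mask_pan` helper, the `payments` logger name, the `PAYMENT_LOG_DEBUG` environment variable and the file names mentioned in the docstring are assumptions made for this illustration.

```python
"""Semgrep test fixture for the payment logging rules (constructed example).

`semgrep --test` pairs a rule file with a test file of the same basename,
e.g. payment-logging.yaml next to payment-logging.py (assumed names), and
checks that every `# ruleid:` line is reported and every `# ok:` line is not.
Each vulnerable function is shown beside a form that keeps the secret out
of the log entirely, which is what the rules are meant to enforce.
"""
import hashlib
import logging
from typing import Mapping

# Assumed logger name; the rules key on the call target, not the name.
logger = logging.getLogger("payments")


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep at most the last four digits, hide the rest."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def authorize_vulnerable(card_number: str, cvv: str, amount_cents: int) -> str:
    """Raw cardholder data reaches the log; both calls must be flagged."""
    # ruleid: payment-no-sensitive-logging-python
    logger.info("authorizing %s for %d", card_number, amount_cents)
    # ruleid: payment-no-sensitive-logging-python
    logging.debug("cvv=%s", cvv)
    return "authorized"


def authorize_safe(card_number: str, cvv: str, amount_cents: int) -> str:
    """Same flow: only the masked PAN is logged and the CVV is never logged."""
    masked = mask_pan(card_number)
    # ok: payment-no-sensitive-logging-python
    logger.info("authorizing %s for %d", masked, amount_cents)
    return masked


def ship_order(shipping_address: str) -> str:
    """Known false positive: 'shipping' contains 'pin', so the substring rule fires."""
    # todook: payment-no-sensitive-logging-python
    logger.info("shipping to %s", shipping_address)
    return shipping_address


def refresh_session_vulnerable(session_id: str, token: str) -> None:
    """Session identifier and bearer token written to the log."""
    # ruleid: payment-no-token-logging
    logger.info("session %s refreshed", session_id)
    # ruleid: payment-no-token-logging
    logger.debug("new token %s", token)


def refresh_session_safe(session_id: str) -> str:
    """Log a short hash as a correlation handle instead of the secret itself."""
    ref = hashlib.sha256(session_id.encode("utf-8")).hexdigest()[:12]
    # ok: payment-no-token-logging
    logger.info("session refreshed, ref=%s", ref)
    return ref


def configure_logging_vulnerable() -> int:
    """Debug level hard-wired into the production path."""
    # ruleid: payment-no-debug-logging-prod-flag
    logger.setLevel(logging.DEBUG)
    return logger.level


def configure_logging_safe(env: Mapping[str, str]) -> int:
    """Default to INFO; DEBUG only when the operator opts in via the environment.

    The level is computed into a variable first, so the literal DEBUG never
    appears inside setLevel(...) and the regex rule stays quiet.
    """
    level = logging.DEBUG if env.get("PAYMENT_LOG_DEBUG") == "1" else logging.INFO
    # ok: payment-no-debug-logging-prod-flag
    logger.setLevel(level)
    return level
```

Run it with `semgrep --test --config <rule file> <directory containing both files>`; the fixture must share its basename with the rule file or Semgrep will not pair them. The `todook` line is the caveat in code: the substring regex cannot tell `shipping` from `pin`, so any rollout of these rules should budget for triage or tighten the regex with word boundaries where the codebase's naming allows it.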