rules:
  # Route literals for debug/diagnostic surfaces that should not ship in production API code.
  - id: payment-debug-route
    message: Debug- oder Diagnosepfad im produktiven API-Code pruefen.
    severity: WARNING
    languages: [python, javascript, typescript, java, go]
    pattern-regex: '(?i)(/debug|/internal|/test|/actuator|/swagger|/openapi)'

  # Flask-style decorated route whose path looks administrative; the finding asks the reviewer
  # to confirm an authentication/authorization guard is present.
  - id: payment-admin-route-without-auth
    message: Administrative Route ohne offensichtlichen Auth-Schutz pruefen.
    severity: WARNING
    languages: [python]
    patterns:
      - pattern: |
          @app.$METHOD($ROUTE)
          def $FUNC(...):
            ...
      - metavariable-pattern:
          metavariable: $ROUTE
          pattern-regex: '(?i).*(admin|config|terminal|maintenance|device|key).*'

  # Exception text returned verbatim to the client (internal hostnames, SQL, stack details).
  - id: payment-raw-exception-response
    message: Roh-Exceptions duerfen nicht direkt an Clients zurueckgegeben werden.
    severity: ERROR
    languages: [python, javascript, typescript]
    pattern-regex: '(?i)(return .*str\(e\)|res\.status\(500\)\.send\(e|json\(.*error.*e)'

  # Payment-relevant field names; INFO only, since this merely locates code to review by hand.
  - id: payment-missing-input-validation
    message: Zahlungsrelevanter Endpunkt ohne offensichtliche Validierung pruefen.
    severity: INFO
    languages: [python, javascript, typescript]
    pattern-regex: '(?i)(amount|currency|terminalId|transactionId)'

  # Lookups keyed directly on a client-supplied identifier (IDOR candidate).
  - id: payment-idor-risk
    message: Direkter Zugriff ueber terminalId/transactionId ohne Pruefung.
    severity: WARNING
    languages: [python, javascript, typescript, java, go]
    pattern-regex: '(?i)(get.*terminalId|find.*terminalId|get.*transactionId|find.*transactionId)'
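What the raw-exception, input-validation and IDOR rules above are hunting for, shown as an added Python example that is not part of the ruleset. The "before" handler has exactly the shapes the regexes match (it returns `str(e)` to the caller and looks up a client-supplied `terminalId` with no ownership check); `charge_terminal` is the form a reviewer would expect instead. Note that the hardened version still trips `payment-idor-risk` (it also calls `get` on `terminalId`): these regex rules locate candidates for review, they do not decide the finding. Function names, the `MERCHANT_TERMINALS` table, the backend stub and the request dicts are all constructed for this illustration.

```python
# Added illustration for the payment ruleset; not part of it. All names and data are constructed.
import logging
import uuid
from decimal import Decimal, InvalidOperation

log = logging.getLogger("payments")

# Constructed ownership table: which terminals each merchant may charge (stands in for a DB).
MERCHANT_TERMINALS = {
    "merchant-A": {"term-001", "term-002"},
    "merchant-B": {"term-009"},
}
ALLOWED_CURRENCIES = {"EUR", "USD", "GBP"}


class TerminalBackendError(Exception):
    """Stands in for an internal failure whose text must never reach the client."""


def charge_terminal_unsafe(req, caller_merchant):
    """'Before' shape: trusts terminalId, skips validation, echoes the exception to the client."""
    try:
        terminal = req.get("terminalId")        # IDOR: no ownership check (payment-idor-risk)
        amount = Decimal(req.get("amount"))     # no range/format check (payment-missing-input-validation)
        return {"status": 200, "body": {"terminal": terminal, "amount": str(amount)}}
    except Exception as e:
        return {"status": 500, "body": {"error": str(e)}}   # leaks internals (payment-raw-exception-response)


def charge_terminal(req, caller_merchant):
    """Hardened form: validate input, authorize the object, map errors to a generic response."""
    # 1. Input validation: positive, finite decimal with at most two places; currency whitelisted.
    try:
        amount = Decimal(str(req.get("amount", "")))
    except InvalidOperation:
        return {"status": 400, "body": {"error": "invalid amount"}}
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        return {"status": 400, "body": {"error": "invalid amount"}}
    currency = req.get("currency")
    if currency not in ALLOWED_CURRENCIES:
        return {"status": 400, "body": {"error": "unsupported currency"}}

    # 2. Authorization: the terminal must belong to the authenticated merchant, not merely exist.
    terminal = req.get("terminalId")
    if terminal not in MERCHANT_TERMINALS.get(caller_merchant, set()):
        # 404 rather than 403 so the response does not confirm that a foreign terminal exists.
        return {"status": 404, "body": {"error": "terminal not found"}}

    # 3. Error handling: full detail goes to the server log, the client gets a correlation id only.
    try:
        receipt = _submit_to_backend(terminal, amount, currency)
    except TerminalBackendError:
        incident = str(uuid.uuid4())
        log.exception("charge failed incident=%s terminal=%s", incident, terminal)
        return {"status": 502, "body": {"error": "payment backend unavailable", "incident": incident}}
    return {"status": 200, "body": receipt}


def _submit_to_backend(terminal, amount, currency):
    """Constructed backend stub; fails for one terminal so the error path can be exercised."""
    if terminal == "term-002":
        raise TerminalBackendError("gateway 10.0.3.7 refused connection: auth key rotated")
    return {"terminal": terminal, "amount": f"{amount:.2f}", "currency": currency}


if __name__ == "__main__":
    # merchant-A charging merchant-B's terminal: unsafe handler allows it, hardened one refuses.
    print(charge_terminal_unsafe({"terminalId": "term-009", "amount": "10.00"}, "merchant-A"))
    print(charge_terminal({"terminalId": "term-009", "amount": "10.00", "currency": "EUR"}, "merchant-A"))
```

Running the file side by side shows the difference the rules are meant to surface: the unsafe handler happily charges a terminal the caller does not own and, on any failure, hands the raw exception text to the client, while the hardened handler refuses the foreign terminal, rejects malformed amounts and currencies before touching the backend, and logs the backend error under a correlation id instead of returning it.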