rules:
  - id: payment-prod-config-test-endpoint
    message: Test or sandbox endpoint detected in a production-like configuration.
    severity: ERROR
    languages: [yaml, json]
    pattern-regex: '(?i)(sandbox|test-endpoint|mock-terminal|dummy-acquirer)'
  - id: payment-prod-debug-flag
    message: Insecure debug flag detected in configuration.
    severity: WARNING
    languages: [yaml, json]
    pattern-regex: '(?i)(debug:\s*true|"debug"\s*:\s*true)'
  - id: payment-open-cors
    message: Review wide-open CORS allow-origin setting.
    severity: WARNING
    languages: [yaml, json, javascript, typescript]
    pattern-regex: '(?i)(Access-Control-Allow-Origin.*\*|origin:\s*["'']\*["''])'
  - id: payment-insecure-session-cookie
    message: Review insecurely configured session cookies.
    severity: ERROR
    languages: [javascript, typescript, python]
    pattern-regex: '(?i)(httpOnly\s*:\s*false|secure\s*:\s*false|sameSite\s*:\s*["'']none["''])'
  - id: payment-unbounded-retry
    message: Retry configuration appears unbounded or excessively high.
    severity: WARNING
    languages: [yaml, json]
    pattern-regex: '(?i)(retry.*(9999|infinite|unbounded))'
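To see what these five rules actually flag before wiring them into a pipeline, the following added example (not part of the rule file above, and not a Semgrep component) mirrors each rule's id, severity, language list and regex in plain Python and runs them line by line over constructed sample files. The file names, contents and the extension-to-language map are assumptions made for the demonstration; the regexes are copied unchanged from the rules. It also illustrates a caveat worth knowing when tuning `payment-unbounded-retry`: the `.*` in `retry.*(9999|...)` does not cross a line break, so a `retry:` key whose limit sits on the following line is not reported.

```python
import re
from collections import Counter

# Rules transcribed from the Semgrep YAML above (same ids, severities,
# language scopes and regexes).
RULES = [
    {"id": "payment-prod-config-test-endpoint", "severity": "ERROR",
     "languages": {"yaml", "json"},
     "regex": r"(?i)(sandbox|test-endpoint|mock-terminal|dummy-acquirer)"},
    {"id": "payment-prod-debug-flag", "severity": "WARNING",
     "languages": {"yaml", "json"},
     "regex": r'(?i)(debug:\s*true|"debug"\s*:\s*true)'},
    {"id": "payment-open-cors", "severity": "WARNING",
     "languages": {"yaml", "json", "javascript", "typescript"},
     "regex": r"""(?i)(Access-Control-Allow-Origin.*\*|origin:\s*["']\*["'])"""},
    {"id": "payment-insecure-session-cookie", "severity": "ERROR",
     "languages": {"javascript", "typescript", "python"},
     "regex": r"""(?i)(httpOnly\s*:\s*false|secure\s*:\s*false|sameSite\s*:\s*["']none["'])"""},
    {"id": "payment-unbounded-retry", "severity": "WARNING",
     "languages": {"yaml", "json"},
     "regex": r"(?i)(retry.*(9999|infinite|unbounded))"},
]

# Assumed mapping from file extension to Semgrep language name.
EXT_TO_LANG = {"yaml": "yaml", "yml": "yaml", "json": "json",
               "js": "javascript", "ts": "typescript", "py": "python"}

# Constructed sample files; none of these are real configuration.
SAMPLE_FILES = {
    "payment.prod.yaml": """\
acquirer:
  endpoint: https://sandbox.example.invalid/v1
  retry: { max_attempts: 9999 }
debug: true
""",
    "server.ts": """\
app.use(cors({ origin: '*' }));
res.cookie('sid', token, { httpOnly: false, secure: true });
""",
    "clean.prod.yaml": """\
acquirer:
  endpoint: https://api.example.invalid/v1
  retry: { max_attempts: 5 }
debug: false
""",
}


def language_of(filename):
    """Return the Semgrep language for a file name, or None if unknown."""
    return EXT_TO_LANG.get(filename.rsplit(".", 1)[-1].lower())


def scan_text(text, language, rules=RULES):
    """Apply every rule scoped to `language` to each line of `text`.

    Returns (rule_id, severity, line_number, matched_text) tuples in
    line order, then rule order within a line.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule in rules:
            if language not in rule["languages"]:
                continue  # Semgrep only runs a rule on its listed languages
            m = re.search(rule["regex"], line)
            if m:
                findings.append((rule["id"], rule["severity"], lineno, m.group(0)))
    return findings


def scan_files(files, rules=RULES):
    """Scan a {name: content} mapping, skipping files of unknown language."""
    results = {}
    for name, text in files.items():
        lang = language_of(name)
        results[name] = scan_text(text, lang, rules) if lang else []
    return results


def severity_counts(findings):
    """Count findings per severity, e.g. {'ERROR': 1, 'WARNING': 2}."""
    return dict(Counter(sev for _, sev, _, _ in findings))


if __name__ == "__main__":
    for name, findings in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {severity_counts(findings)}")
        for rule_id, sev, lineno, text in findings:
            print(f"  {sev:7} {name}:{lineno} {rule_id} -> {text!r}")
```

Running it reports the sandbox endpoint, the one-line retry limit and `debug: true` in `payment.prod.yaml`, the wildcard origin and `httpOnly: false` in `server.ts`, and nothing in `clean.prod.yaml`. Because `payment-prod-config-test-endpoint` matches the bare substring `sandbox`, any comment or hostname containing that word will be reported too; that is the expected behaviour of a pattern-regex rule and the reason it is scoped to configuration languages only.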