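---
# Spectral ruleset for the ENGAGE Credentialing OpenAPI description.
# It builds on the stock `spectral:oas` rules and adds API-specific checks.
# Each rule selects nodes with a JSONPath in `given`.
# A rule whose path matches nothing reports nothing.
extends:
  - spectral:oas

rules:
  # ENGAGE Credentialing summaries use Title Case.
  # NOTE(review): the pattern only enforces a leading uppercase letter, as
  # the message says; it does not verify Title Case for the remaining words.
  engage-summary-title-case:
    description: Operation summaries must use Title Case.
    message: "Summary '{{value}}' should start with an uppercase letter"
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete].summary"
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z]"

  # Subscription key header is alle-subscription-key.
  # NOTE(review): if the SubscriptionKey scheme is absent from
  # components.securitySchemes, `given` matches nothing and this rule (and
  # the next one) passes silently.
  engage-subscription-key-name:
    description: API key security scheme name must be `alle-subscription-key` per Allegion documentation.
    severity: error
    given: "$.components.securitySchemes.SubscriptionKey"
    then:
      field: name
      function: pattern
      functionOptions:
        match: "^alle-subscription-key$"

  # Subscription key must be in the header, which keeps it out of the URL.
  engage-subscription-key-in-header:
    description: Subscription key must be transmitted in the request header.
    severity: error
    given: "$.components.securitySchemes.SubscriptionKey"
    then:
      field: in
      function: pattern
      functionOptions:
        match: "^header$"

  # Every operation must require both schemes.
  # Both keys are checked so the rule matches its description; the original
  # checked SubscriptionKey only.
  # NOTE(review): `BasicAuth` is taken from the description; confirm it is
  # the key used under components.securitySchemes.
  # NOTE(review): only the first top-level security requirement is
  # inspected. A document with no top-level `security`, or an operation that
  # overrides it (for example `security: []`), is not flagged by this rule.
  engage-dual-auth:
    description: Operations must require both SubscriptionKey and BasicAuth per Allegion documentation.
    severity: warn
    given: "$.security[0]"
    then:
      - field: SubscriptionKey
        function: truthy
      - field: BasicAuth
        function: truthy

  # Server base URL.
  # The pattern pins the https scheme and the host; anything may follow the
  # `/engage` prefix.
  engage-server-host:
    description: Servers must point at api.allegion.com/engage.
    severity: warn
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: "^https://api\\.allegion\\.com/engage"

  # Credential status enum is fixed.
  # NOTE(review): this only checks that an `enum` is present on the
  # property; the listed values (Active, Revoked, Expired) are not compared.
  engage-credential-status-enum:
    description: MobileCredential.status must be one of Active, Revoked, Expired.
    severity: warn
    given: "$.components.schemas.MobileCredential.properties.status"
    then:
      field: enum
      function: truthy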