rules:
  # Skips paths whose name contains "token" or "oauth" (the auth endpoints themselves).
  # The selector ends at `.security`, so it only evaluates operations that declare
  # a `security` key; an operation with no `security` key at all is not matched.
  bbva-bearer-auth-required:
    description: BBVA API operations must use OAuth 2.0 Bearer token authentication.
    message: Operation must include BearerAuth or OAuth2 security requirement.
    severity: error
    given: $.paths[?(!@property.match('(token|oauth)'))].*.security
    then:
      function: schema
      functionOptions:
        schema:
          type: array
          minItems: 1

  # `$.paths.*.*` matches every key under a path item, including non-operation
  # keys such as `parameters`.
  bbva-operation-id-required:
    description: All BBVA API operations must have an operationId.
    message: Operation is missing operationId.
    severity: error
    given: $.paths.*.*
    then:
      field: operationId
      function: truthy

  bbva-response-200-required:
    description: All GET operations should define a 200 success response.
    message: GET operation is missing a 200 response.
    severity: warn
    given: $.paths.*.get.responses
    then:
      field: '200'
      function: truthy

  bbva-error-response-400:
    description: Operations should define a 400 error response for bad requests.
    message: Operation is missing a 400 Bad Request response definition.
    severity: warn
    given: $.paths.*.*.responses
    then:
      field: '400'
      function: truthy

  # Only checks that `info.description` is present; it does not inspect its content.
  bbva-country-header-documented:
    description: BBVA multi-country APIs should document country selection mechanism.
    message: Consider documenting the country or region selection header/parameter.
    severity: info
    given: $.info
    then:
      field: description
      function: truthy

  # Only checks that the `iban` property declares a `type`; `format` and `pattern`
  # are not inspected by this rule.
  bbva-iban-format:
    description: IBAN fields should use string format with pattern constraint.
    message: IBAN property should specify format or pattern.
    severity: warn
    given: $.components.schemas..[?(@property === 'iban')]
    then:
      field: type
      function: truthy