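---
# Spectral linting rules for commercetools Composable Commerce APIs.
# Tuned to commercetools.com conventions: regional
# api.{region}.commercetools.com servers, OAuth 2.0 client-credentials
# authentication, project-key path scoping, and strongly typed JSON resources.
extends:
  - "spectral:oas"

rules:
  commercetools-info-contact:
    description: API info must include a contact block.
    severity: error
    given: "$.info"
    then:
      field: contact
      function: truthy

  # Rejects any server URL that does not start with https://, so a spec
  # cannot advertise a cleartext endpoint for token-bearing requests.
  commercetools-server-https:
    description: Server URLs must use HTTPS.
    severity: error
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  # The host check is anchored to the authority part of the URL. A bare
  # substring match on "commercetools.com" would also accept look-alike
  # hosts (the name used as a prefix or inside a path), and its unescaped
  # dot matches any character.
  commercetools-server-host:
    description: 'Public server URL should point to *.commercetools.com.'
    severity: warn
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: '^https://[A-Za-z0-9.{}-]+\.commercetools\.com(:[0-9]+)?(/|$)'

  # Braces are escaped so the template variable is matched literally rather
  # than depending on how the regex engine treats an invalid quantifier.
  commercetools-regional-server:
    description: 'Production server URLs should be regional (use {region}).'
    severity: info
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: '\{region\}'

  # Checks each declared security scheme; `type` is required so a scheme
  # without one cannot pass the enum by omission.
  # NOTE(review): `http` also admits Basic authentication unless `scheme`
  # is constrained; drop it from the enum if only OAuth 2.0 is acceptable.
  # NOTE(review): this rule yields nothing when components.securitySchemes
  # is absent, so a spec with no security declared is not flagged here.
  commercetools-oauth-security:
    description: Security schemes must be of type oauth2 or http.
    severity: error
    given: "$.components.securitySchemes[*]"
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: ["type"]
          properties:
            type:
              enum: ["oauth2", "http"]

  # Only presence is checked here; uniqueness is not enforced by this rule.
  commercetools-operation-id:
    description: Every operation must declare a unique operationId.
    severity: error
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      field: operationId
      function: truthy

  commercetools-operation-tags:
    description: Operations must declare at least one tag.
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      field: tags
      function: schema
      functionOptions:
        schema:
          type: array
          minItems: 1

  # NOTE(review): the filter selects only path items whose key already
  # contains {projectKey} and then asserts the path item is truthy, so as
  # written it appears unable to flag a path that lacks the parameter.
  # Confirm the intended check before relying on it for tenant scoping.
  commercetools-project-key-path:
    description: 'Project-scoped paths must include a {projectKey} parameter.'
    severity: warn
    given: "$.paths[?(@property.indexOf('{projectKey}') > -1)]"
    then:
      function: truthy

  # The schema passes when any one of the listed status codes is declared;
  # the description states that, rather than implying 400 and 409 are both
  # required. Tighten to `required: ["400", "409"]` if both are mandatory.
  commercetools-error-responses:
    description: >-
      Mutating operations should declare at least one of the 400, 401, 404
      or 409 error responses.
    severity: warn
    given: "$.paths[*][post,put,patch,delete].responses"
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          anyOf:
            - required: ["400"]
            - required: ["401"]
            - required: ["404"]
            - required: ["409"]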