extends:
  - spectral:oas
rules:
  mercedes-me-operation-id-camel-case:
    description: Mercedes-Benz operationIds follow the lowerCamelCase pattern with a method suffix (e.g. marketsGET, modelConfigurationsGET, onlineCodePOST).
    message: "{{property}} should match Mercedes-Benz operationId convention (lowerCamelCase ending in GET/POST/PUT/DELETE/PATCH)"
    severity: warn
    given: $.paths[*][get,post,put,delete,patch].operationId
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9]+(GET|POST|PUT|DELETE|PATCH)$"

  mercedes-me-vehicleid-param:
    description: Vehicle-keyed paths must accept a `vehicleId` (VIN/FIN) path parameter.
    message: Mercedes-Benz vehicle paths must use {vehicleId} as the VIN/FIN identifier.
    severity: warn
    given: $.paths[?(@property.match(/vehicles\//))]
    then:
      function: truthy

  mercedes-me-summary-title-case:
    description: Operation summaries should use Title Case for consistency across Mercedes-Benz API products.
    severity: warn
    given: $.paths[*][get,post,put,delete,patch].summary
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z]"

  mercedes-me-host-must-be-mercedes:
    description: Mercedes-Benz APIs must be hosted at api.mercedes-benz.com.
    severity: error
    given: $.host
    then:
      function: pattern
      functionOptions:
        match: "^api\\.mercedes-benz\\.com$"

  mercedes-me-https-only:
    description: All Mercedes-Benz APIs must be served over HTTPS only.
    severity: error
    given: $.schemes
    then:
      function: schema
      functionOptions:
        schema:
          type: array
          items:
            enum: [https]

  mercedes-me-apikey-or-oauth:
    description: Mercedes-Benz APIs must declare apiKey (for sandbox/reference APIs) or oauth2 (for vehicle APIs) security definitions.
    severity: warn
    given: $.securityDefinitions
    then:
      function: truthy

  mercedes-me-error-codes-documented:
    description: Every operation should document 401, 429, and 500 in addition to its happy-path response.
    severity: warn
    given: $.paths[*][get,post,put,delete,patch].responses
    then:
      - field: "401"
        function: truthy
      - field: "429"
        function: truthy

  mercedes-me-no-trailing-slash:
    description: Mercedes-Benz API paths should not have a trailing slash.
    severity: warn
    given: $.paths[*]~
    then:
      function: pattern
      functionOptions:
        notMatch: ".+/$"