extends: spectral:oas
rules:
  sage-operation-summary-title-case:
    description: All operation summaries must use Title Case
    message: "Operation summary '{{value}}' must use Title Case"
    given: "$.paths[*][*].summary"
    severity: warn
    then:
      function: pattern
      functionOptions:
        match: "^([A-Z][a-z]*)( [A-Z][a-z0-9]*)*$"

  sage-oauth2-security-required:
    description: All endpoints must use OAuth2 authentication
    message: "Endpoint must declare OAuth2 security"
    given: "$.paths[*][*]"
    severity: error
    then:
      field: security
      function: defined

  sage-operation-ids-camel-case:
    description: Operation IDs must use camelCase
    message: "Operation ID '{{value}}' must use camelCase"
    given: "$.paths[*][*].operationId"
    severity: warn
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9]*$"

  sage-tags-required:
    description: All operations must have at least one tag
    message: "Operation must have at least one tag"
    given: "$.paths[*][*]"
    severity: warn
    then:
      field: tags
      function: truthy

  sage-resource-paths-snake-case:
    description: Sage API resource paths use snake_case
    message: "Sage API resource paths use snake_case (e.g., sales_invoices)"
    given: "$.paths"
    severity: info
    then:
      function: pattern
      functionOptions:
        match: "^\\/[a-z_/{}]+$"

  sage-list-pagination-items-per-page:
    description: List endpoints should support items_per_page parameter
    message: "List endpoints should define items_per_page query parameter"
    given: "$.paths[*][get]"
    severity: info
    then:
      function: defined

  sage-response-list-format:
    description: List responses should use $items array format
    message: "List response schemas should have $items array"
    given: "$.components.schemas[*List]*"
    severity: info
    then:
      field: properties
      function: defined

  sage-rate-limit-documented:
    description: API documentation should reference rate limiting
    message: "API info description should mention rate limits"
    given: "$.info.description"
    severity: info
    then:
      function: pattern
      functionOptions:
        match: "(?i)(rate.limit|429)"

  sage-oauth-authorization-code-flow:
    description: OAuth2 security scheme must use authorizationCode flow
    message: "OAuth2 must use authorizationCode flow for Sage APIs"
    given: "$.components.securitySchemes[*].flows"
    severity: warn
    then:
      field: authorizationCode
      function: defined

  sage-response-delete-204:
    description: DELETE operations should return 204 No Content
    message: "DELETE operations should return 204 status code"
    given: "$.paths[*][delete].responses"
    severity: info
    then:
      field: "204"
      function: defined