# NOTE(review): this file was reconstructed from a whitespace-collapsed copy.
# Key nesting follows the order of keys in that copy; confirm it against the
# rule schema before shipping (in particular where `min_entropy` and
# `extract` sit).
rules:
  - name: Harness Personal Access Token (PAT)
    id: kingfisher.harness.pat.1
    # Token shape matched below: the literal prefix `pat.` followed by three
    # dot-separated segments (22 URL-safe chars, 24 hex chars, 20 alphanumerics).
    # Presumably these are account ID / token ID / secret; verify against the
    # Harness references listed further down.
    pattern: |
      (?x)
      \b
      (
        pat\.
        [A-Za-z0-9_-]{22}
        \.
        [0-9a-fA-F]{24}
        \.
        [A-Za-z0-9]{20}
      )
      \b
    # Digit and entropy floors filter out placeholder-looking matches.
    pattern_requirements:
      min_digits: 4
    min_entropy: 3.4
    confidence: medium
    examples:
      - 'HARNESS_TOKEN="pat.AbCdEfGhIjKlMnOpQrStUv.0123abcd4567ef890123abcd.ZyXwVuTsRqPoNmLkJiHg"'
    references:
      - https://developer.harness.io/docs/platform/automation/api/api-quickstart/
      - https://apidocs.harness.io/

    # Live check: a read-only GET carrying the candidate token in x-api-key.
    # The host is fixed to app.harness.io, so a token issued by any other
    # Harness deployment would presumably come back as inactive here; an
    # "inactive" result is therefore not proof that the credential is dead.
    validation:
      type: Http
      content:
        request:
          method: GET
          # This endpoint needs no extra query parameters (no account ID).
          url: 'https://app.harness.io/v1/orgs?limit=1&page=1'
          headers:
            Accept: application/json
            x-api-key: '{{ TOKEN }}'
          response_matcher:
            # report_response presumably surfaces the response body in scan
            # output; on a 200 that body is an organization listing, so treat
            # reports from this rule as sensitive.
            - report_response: true
            # A 403 is accepted as well: the token can be live but restricted
            # in scope. Triage such hits as live with unknown privileges.
            - type: StatusMatch
              status:
                - 200
                - 403
            # An explicit 401 is never treated as a live credential.
            - type: StatusMatch
              status:
                - 401
              negative: true
            - type: JsonValid

    # Self-revocation: removes the API key that backs the token.
    #
    # Harness offers DELETE /ng/api/apikey/{identifier}; the call is
    # authenticated with x-api-key and needs the accountIdentifier, apiKeyType
    # and parentIdentifier query parameters.
    #
    # Runtime variable the revoke command must be given:
    #   - ACCOUNTIDENTIFIER: Harness account ID
    #
    # The remaining API key metadata comes from the token validation in step 1.
    #
    # NOTE(review): this is destructive and acts on the whole API key, not on
    # the single token. Any other token issued under the same key presumably
    # stops working too; confirm ownership and impact before running it.
    revocation:
      type: HttpMultiStep
      content:
        steps:
          # Step 1: proceeds only on HTTP 200 with a valid JSON body, then
          # captures the identifiers used to address the key in step 2.
          - name: validate_token_and_extract_api_key
            request:
              method: POST
              url: 'https://app.harness.io/ng/api/token/validate?accountIdentifier={{ ACCOUNTIDENTIFIER }}'
              headers:
                Accept: application/json
                x-api-key: '{{ TOKEN }}'
              response_matcher:
                - type: StatusMatch
                  status:
                    - 200
                - type: JsonValid
            extract:
              APIKEYIDENTIFIER:
                type: JsonPath
                path: '$.data.apiKeyIdentifier'
              PARENTIDENTIFIER:
                type: JsonPath
                path: '$.data.parentIdentifier'
              APIKEYTYPE:
                type: JsonPath
                path: '$.data.apiKeyType'
          # Step 2: the token authorizes deletion of its own backing key.
          # The extracted values are placed into the URL as-is.
          - name: delete_api_key
            request:
              method: DELETE
              url: 'https://app.harness.io/ng/api/apikey/{{ APIKEYIDENTIFIER }}?accountIdentifier={{ ACCOUNTIDENTIFIER }}&apiKeyType={{ APIKEYTYPE }}&parentIdentifier={{ PARENTIDENTIFIER }}'
              headers:
                Accept: application/json
                x-api-key: '{{ TOKEN }}'
              response_matcher:
                - report_response: true
                - type: StatusMatch
                  status:
                    - 200
                    - 204