{
  "ruleId": "S054",
  "name": "Disallow Default/Built-in Accounts (admin/root/sa/...)",
  "description": "Prevent the use of default or shared accounts. Enforce per-user identities, an initial password change, and the disabling of well-known built-in accounts.",
  "category": "security",
  "severity": "error",
  "options": {
    "blockedUsernames": [
      "admin","root","sa","test","guest","operator","super","superuser","sys",
      "postgres","mysql","mssql","oracle","elastic","kibana","grafana",
      "administrator", "demo", "example", "default", "public", "anonymous",
      "user", "password", "service", "support", "backup", "monitor"
    ],
    "codeCreationPatterns": [
      "create(User|Account)\\s*\\(",
      "new\\s+User\\s*\\(",
      "user(Name|name|_name)\\s*:",
      "username\\s*=\\s*",
      "setUser(Name|name)\\s*\\(",
      "addUser\\s*\\(",
      "registerUser\\s*\\(",
      "createAccount\\s*\\("
    ],
    "sqlInsertUserPatterns": [
      "INSERT\\s+INTO\\s+\\w*user\\w*\\s*\\(",
      "UPSERT\\s+INTO\\s+\\w*user\\w*\\s*\\(",
      "CREATE\\s+USER\\s+",
      "GRANT\\s+.+\\s+TO\\s+",
      "REVOKE\\s+.+\\s+FROM\\s+"
    ],
    "infraPatterns": {
      "terraform": [
        "username\\s*=\\s*\"(admin|root|sa|test|guest)\"",
        "user\\s*=\\s*\"(admin|root|sa|test|guest)\"",
        "admin_username\\s*=\\s*\"(admin|root|sa|test|guest)\""
      ],
      "helmValues": [
        "admin(User|Password)\\s*:",
        "default(User|Pass)\\s*:",
        "root(User|Password)\\s*:",
        "service(User|Account)\\s*:"
      ],
      "docker": [
        "ENV\\s+.*(USER|USERNAME|_ROOT_USERNAME)\\s*=\\s*(admin|root|sa)",
        "POSTGRES_USER\\s*=\\s*(postgres|admin|root)",
        "MONGO_INITDB_ROOT_USERNAME\\s*=\\s*(root|admin)",
        "MYSQL_USER\\s*=\\s*(root|admin|mysql)",
        "REDIS_USER\\s*=\\s*(redis|admin|root)"
      ],
      "kubernetes": [
        "serviceAccount:\\s*default",
        "user:\\s*(admin|root|sa|test|guest)",
        "username:\\s*(admin|root|sa|test|guest)"
      ]
    },
    "docPatterns": [
      "login\\s*[:=]\\s*(admin|root|sa|test|guest)",
      "user\\s*[:=]\\s*(admin|root|sa|test|guest)",
      "username\\s*[:=]\\s*(admin|root|sa|test|guest)",
      "password\\s*[:=]\\s*(admin|root|sa|test|guest|password|123456)"
    ],
    "passwordSmells": [
      "password", "123456", "admin", "Admin@123", "Password1", "changeme", 
      "default", "qwerty", "letmein", "welcome", "secret", "pass123",
      "root", "toor", "administrator", "guest"
    ],
    "configFilePatterns": [
      "database\\.(username|user)\\s*=\\s*(admin|root|sa)",
      "db\\.(username|user)\\s*=\\s*(admin|root|sa)",
      "auth\\.(username|user)\\s*=\\s*(admin|root|sa)",
      "admin\\.(username|user)\\s*=\\s*",
      "spring\\.datasource\\.username\\s*=\\s*(admin|root|sa)"
    ],
    "policy": {
      "requirePerUserAccount": true,
      "requireInitialPasswordChange": true,
      "forbidWellKnownServiceAccountsInAppDB": true,
      "allowOnlyInEphemeralTests": true,
      "mustDisableBuiltInsOnInfra": true
    },
    "allowlist": {
      "paths": [
        "test/", "tests/", "__tests__/", "e2e/", "playground/", 
        "local-dev/", "demo/", "example/", "mock/", "fixture/",
        "spec/", ".spec.", ".test."
      ],
      "notes": "Vẫn cảnh báo nếu xuất hiện mật khẩu mặc định; cho phép username cấm chỉ khi data giả lập không public và không nối vào môi trường thật."
    },
    "thresholds": {
      "maxFindings": 0,
      "maxInAllowedPaths": 2,
      "maxPasswordSmells": 0
    },
    "exemptions": {
      "testDirectories": ["test", "tests", "__tests__", "e2e", "spec"],
      "configFiles": ["jest.config", "test.config", "local.config"],
      "allowTestData": true,
      "allowDocumentationExamples": false
    }
  }
}