fix(validation): spectral r4.x ruleset stabilization fixes

[hdamker]

What type of PR is this?

bug, correction

What this PR does / why we need it:

Follow-up fixes after OWASP rule integration (#145), based on ReleaseTest validation runs (dispatch, PR):

• Changelog entry: Add missing OWASP changelog line to .spectral-r4.yaml header
• Phantom findings filter: Drop sourceless string-restricted findings produced by Spectral's internal $ref dereferencing (44 phantom warnings observed on ReleaseTest dispatch run)
• Proposed rule changes: Track three rule adjustments needing Commonalities discussion in rule-inventory.yaml:
  • oas3-unused-component → hint (false positives from discriminator mappings)
  • owasp:api4:2023-string-restricted → hint (free-text strings can't have format/pattern without backward-compatibility risk; resource consumption already covered by string-limit)
  • camara-schema-casing-convention → overrides for CloudEvents abbreviation prefixes (HTTP, JWT)

Which issue(s) this PR fixes:

Related: #145 (OWASP rules integration)
Related: ReleaseManagement#448 (validation framework umbrella)

Special notes for reviewers:

This PR also serves as a place to collect feedback on the OWASP rule configuration from #145. The severity levels follow Commonalities Linting-rules.md section 5 — proposed deviations are tracked in rule-inventory.yaml for upstream discussion.

The phantom findings issue affects only unbundled specs with $ref to code/common/ files. On snapshot branches (bundled specs), no phantoms occur.

Changelog input

fix: drop phantom string-restricted findings from Spectral $ref dereferencing

Additional documentation

This section can be blank.

docs

[hdamker]

Updated with additional rule changes

Beyond the original phantom findings fix, this PR now includes three rule adjustments based on ReleaseTest validation analysis:

Post-filter severity changes (Spectral config unchanged, Linting-rules.md preserved):

• S-211 (oas3-unused-component): downgraded to hint via post-filter metadata — Spectral does not follow discriminator mappings, producing false positives on subscription event schemas
• S-313 (owasp:api4:2023-string-restricted): downgraded to hint via post-filter metadata — free-text fields (e.g. ErrorInfo.message, SubscriptionId) cannot have format/pattern without backward-compatibility risk; resource consumption is already covered by string-limit (maxLength)

Spectral rule change (r4.x ruleset only):

• S-015 (camara-schema-casing-convention): replaced built-in casing: pascal with custom JS function that allows exactly the 4 CloudEvents schema names (HTTPSettings, HTTPSubscriptionRequest, HTTPSubscriptionResponse, PrivateKeyJWTCredential) while keeping PascalCase enforced for all other schemas. CloudEvents convention uses uppercase protocol prefixes — renaming would deviate from the upstream spec. r3.4 and fallback rulesets are unchanged.

Also tracked S-016 (camara-schema-type-check) as needing a rewrite — current rule only checks top-level schemas, misses nested properties and combiners.

All decisions are tracked in rule-inventory.yaml proposed_changes section and marked as preliminary (tbc in PR discussion).

[hdamker]

S-016 (camara-schema-type-check) rewritten as recursive function

The original inline rule only checked top-level $.components.schemas.* for a type field. The new custom JS function:

• Recursively traverses properties, items, and additionalProperties
• Validates type value (must be one of the 6 OAS types), not just presence
• Accepts allOf/anyOf/oneOf as valid alternatives to type
• Marks combiner children as partial (no type required — e.g. an allOf member adding properties)
• Skips $ref nodes (validated at their definition site)

Applied to .spectral-r4.yaml only — original inline rule preserved in r3.4 and fallback rulesets.

[Kevsy]

LGTM

[hdamker]

Merging the fixes now to avoid merge conflicts with the upcoming next bunch of Spectral rules; and to be able to test the changes.