Every Mesrai rule, in one place

Verify that heading elements contain meaningful content. Headings are used for structure and navigation, so empty or generic headings negatively impact accessibility and usability.

Check that JSX list components have unique key properties. Missing keys can cause unnecessary re-renders and lead to state inconsistencies.

Verify that method parameters in overrides and interface implementations match the base method’s parameter titles to maintain consistency.

Check if React list keys are stable and unique. Using dynamic values like Math.random() or Date.now() can cause rendering issues. Recommend using unique IDs.

Verify that special methods (e.g., `__eq__`, `__len__`) have the correct number of parameters. Incorrect parameters can cause runtime errors or unexpected behavior.

Always escape or sanitize user‐provided content before displaying it in HTML. Use functions like htmlspecialchars() to convert special characters into HTML entities.

Check if resources such as files or database connections are properly closed in a `finally` block. This ensures resources are always released, even if an exception occurs.

Read API URLs/keys from ENV/credentials and inject where needed; do not hardcode.

Launch goroutines outside of waits, capture loop variables, and use sync.WaitGroup (and buffered channels when needed) to achieve true concurrency.

In JS/TS workspaces, imports must use workspace package names (as defined in each package.json and exports) rather than relative paths crossing package boundaries.

Enable config.force_ssl = true; add filter_parameters to redact PII and secrets; use secure_same_site for cookies.

In unit and integration tests, call a time-freeze utility and set a fixed random seed before exercising the system under test; unfreeze after assertions.

Only set analytics/marketing cookies if consent.purposes.analytics === true and consent.version matches current policy; re-check on version bump. (GDPR Art. 7, ePrivacy)

Any code path that reads, decrypts, or exchanges PAN tokens must require an explicit authorization policy (e.g., role "pci:read_token") and log access without PAN. Deny by default. (PCI DSS 4.0 Req. 7 & 10)

Produce an SBOM (e.g., SPDX/CycloneDX) during CI and block releases if SCA finds CVEs ≥ High severity or disallowed licenses.

Mark tests that don't mutate shared state with t.Parallel() and use t.TempDir() for filesystem isolation; avoid package-level globals.

Rescue RecordNotFound and return 404 (or domain-appropriate response) instead of 500.

Every awaited async operation must be guarded with error handling. Use try/catch for await and .catch for promise chains; never leave rejections unhandled.

Attach exceptionally/handle to CompletableFuture chains; never assume success.

Catch and map DB exceptions (e.g., SQLIntegrityConstraintViolationException) to domain results; always close resources with use { }.

Use transactions for multi-step writes; on Throwable, rollback and rethrow with context.

Never silently ignore an error, and avoid handling an error (e.g., logging it) and then still returning it. Either handle the error fully or propagate it upward, but not both.

Guard file IO with try/except; handle OSError and data parse errors with clear messages.

Use JSON_THROW_ON_ERROR (PHP ≥7.3) and wrap json_encode/json_decode in try/catch; validate the decoded shape.