Every Mesrai rule, in one place

Wrap multi-step writes in a transaction; on failure, roll back and rethrow with context.

Use the 'comma, ok' idiom for type assertions to safely handle cases when the assertion fails. Only use a single-value type assertion (which panics on failure) if you are absolutely sure (by prior checks or program logic) that the interface holds the correct type.

Set session idle timeout ≤ 15 minutes and absolute timeout ≤ 12 hours; cookies must be Secure, HttpOnly, and SameSite=Lax or Strict; revoke sessions on password change.

Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.

In Express, use serve-static with setHeaders to apply "Cache-Control: public, max-age=31536000, immutable" for files matching /\.[0-9a-f]{8,}\./ and "Cache-Control: no-cache" for HTML. Also set correct Content-Type.

Use a builder stage for toolchains/dev deps and a minimal runtime stage that contains only runtime artifacts.

Detect transient vs non-transient DB errors; add context and apply retry policies only where safe (idempotent reads/operations).

Authorize every request by role and resource scope. Policies must default-deny and require explicit allow; privileged roles (admin, auditor) must be rare and reviewed quarterly.

Log errors with operation name and identifiers (e.g., userId, orderId) using structured context.

Error logs must include the operation name and relevant identifiers as structured fields, not just a message string.

Provide explicit verification steps (manual or automated), expected vs actual outcomes, and attach any logs or screenshots relevant to the changes.

Ensure that interactive DOM elements have appropriate ARIA roles. Incorrect roles can mislead assistive technologies, affecting accessibility.

Before sending PII to processors, verify the destination region is approved (e.g., BR/EEA with SCC/DPA). Block requests that include personal data and target non-approved regions.

Emergency access to ePHI must go through a dedicated break_glass path that requires reason, approver, limited time window, and automatic post-incident review. The PR must include changes to the audit log schema and runbook.

All public classes, interfaces, and methods must include Javadoc with a summary sentence, @param for each parameter, @return when not void, and @throws where applicable.

For Promises, return/await the expectation and prefer await expect(p).resolves|rejects...; do not use the callback done().

All exported JS/TS functions, classes, and public members must include JSDoc with a summary and @param/@returns; include @throws when applicable.

Prefer Server Components for pages/layouts and move interactivity to small leaf Client Components. Only add 'use client' where browser APIs or event handlers are strictly necessary.

Permit exactly one lockfile at the monorepo root (pnpm-lock.yaml, yarn.lock, or package-lock.json). Forbid lockfiles inside workspace packages. Validate against PR changes and existing tree.

If a PR changes an API route/controller signature (path, method, params, request/response schema), update the API specification in the same PR. To enable this check, reference the spec file path in the PR (e.g., `openapi.yaml`, `swagger.json`). If multiple specs exist, update the relevant one. Warn when code and spec drift (new params not documented, status codes changed, response shape changed).

Docstrings must match parameter names, optional defaults, return type, and raised exceptions; update the docstring in the same PR as any signature change.

Ensure that lambda expressions remain short and simple. If a lambda grows too complex, refactor it into a titled method.

Test suspend code with kotlinx-coroutines-test runTest {} and virtual time (advanceUntilIdle()); do not block with Thread.sleep.

Verify that LINQ queries are not excessively long. Break complex queries into smaller, more understandable expressions.