Every Mesrai rule, in one place

Ensure the PR title/description honestly reflects what the diff actually changes. Flag out-of-scope changes (behavioral changes hidden as refactors, unrelated dependency bumps, config/security changes) and require either: - splitting into separate PRs, or - an explicit 'Additional changes' section with rationale and risk/rollout notes.

Use `for` elements inside map literals instead of `Map.fromIterable` to improve readability and allow better compiler optimizations.

Use `is!` instead of `!is` for type checking to prevent confusion and ensure consistent behavior.

Use `SizedBox` instead of `Container` when adding spacing in layouts to improve performance and avoid unnecessary rendering overhead.

Ensure that constructor injection is used instead of field injection (`@Autowired` on fields) in Spring components for better testability.

Obtain collaborators via constructor injection (or a DI container) instead of new/service locators in business code.

Detect deeply nested conditionals and suggest using guard clauses (`return unless condition`) instead to improve readability.

Replace any/unknown with inferred generics, unions, or precise interfaces when the shape is known.

Preload render-blocking WOFF2 fonts using <link rel="preload" as="font" type="font/woff2" crossorigin> and define @font-face with "font-display: swap". Only preload fonts used above the fold.

Check if memory allocation sizes are derived from untrusted input. Attackers may exploit this to crash the program or consume excessive resources. Recommend validating and limiting allocation sizes.

Numeric overflows occur when values exceed the data type limits, leading to incorrect calculations. Use checked arithmetic where necessary.

Reflection methods that process untrusted input can be exploited for remote code execution. Always validate and sanitize external input before using reflection.

Ensure that server-side requests are properly validated to prevent SSRF attacks.

Never swallow exceptions silently; wrap with context and rethrow or translate to a domain exception.

Ensure that `HashMap` and `HashSet` are initialized with appropriate capacity settings to optimize performance.

Guard early or use safe navigation when dereferencing possibly-nil data.

Write ePHI backups to storage with server-side encryption (SSE-KMS) and least-privilege access; disallow public ACLs and cross-account access without a BAA. Record the KMS key id in metadata.

Implement anti‐CSRF tokens in forms performing sensitive actions (like state changes or deletions). Generate a unique token per session or request and validate it on the server before processing the form action.

Include Motivation, Approach, Considered Alternatives, Risk & Rollout, and Testing Evidence. Use bullet points; avoid single-line descriptions.

When subscribing to streams/listeners, always provide an error handler and a deterministic unsubscribe/cleanup path.

When a PR introduces new PII fields or processing, the PR body must include legal_basis: (e.g., consent, contract) and dpia: (yes/no with link). CI should fail if missing.

For stateful/critical infra (state buckets, databases), create resources with pulumi.Protect(true) to block accidental destroy.

Do not send direct identifiers (email, CPF) to analytics. Use an HMAC-based pseudonymous ID derived from user ID and a rotating key; never reversible without server secret.

Do not swallow errors; log with context and re-raise using `raise` (no args) or `raise new_error, cause: e`.