Never swallow exceptions in catch blocks; either rethrow or return an explicit error result.
error-handling
High
React "render" functions should return a value
Ensure that React class components' render functions return a value. Forgetting a return statement results in missing UI elements and potential bugs.
error-handling, stack-react, +1
High
React children should not be passed as props
Check if React children are passed as regular props instead of being nested inside components. Passing them incorrectly can cause conflicts and reduce clarity.
readability-refactor, stack-react, +1
High
React Context values should have stable identities
Identify cases where React Context values are being reassigned dynamically. Unstable context values trigger unnecessary re-renders. Use memoization to stabilize them.
performance-efficiency, stack-react, +1
High
Read headers/cookies only on the server
Use headers() and cookies() in Server Components, Route Handlers, or server actions; never in Client Components.
stack-nextjs, stack-react, +2
High
Redact CHD in CI and fail builds on PAN patterns
CI logs must redact secrets and CHD; disable shell xtrace, and add a job that fails if PAN regex (e.g., [0-9]{13,19} with Luhn) appears in logs/artifacts. (PCI DSS 4.0 Req. 10 & CI hygiene)
compliance-pci-dss, ci-cd-build-hygiene, +1
High
Redact PII in logs and metrics by default
Logging/metrics must redact or hash personal data; attach lawful_basis and purpose to diagnostic context; forbid raw PII in logs. (GDPR Art. 5(1)(c) data minimization)
compliance-gdpr, observability-logging, +1
High
Remove Items Safely During Iteration
Verify that collections are not modified directly while being iterated. Instead, use a safe removal technique such as iterating over a copy or materializing the sequence first with `ToList()`.
error-handling
High
Remove Unused Function Parameters
Identify function parameters that are declared but never used within the function body. Remove them to improve clarity and maintainability.
maintainability, readability-refactor
High
Replace null assertions with explicit null handling
Avoid the !! operator. Prefer safe calls, Elvis (?:), early returns, or explicit exceptions with a clear message.
error-handling, readability-refactor
High
Replace printStackTrace with proper logging
Do not use printStackTrace/System.err; log via a structured logger with context and level.
observability-logging
High
Require a plan artifact and policy checks in CI
CI must run fmt/validate, produce and upload a plan artifact (e.g., terraform plan -out plan.bin), run policy-as-code (e.g., tfsec/checkov/conftest), and gate apply on manual approval for prod.
infra-as-code, ci-cd-build-hygiene, +1
High
Require Changeset for publishable package changes
If a PR modifies a workspace with "private": false in its package.json, enforce a .changeset/*.md entry describing semver impact for each affected package.
monorepo-hygiene, api-contracts-versioning, +1
High
Require HTTPS and HSTS with Data Protection keys
Use app.UseHsts(); app.UseHttpsRedirection(); store DataProtection keys in Azure Key Vault or KMS with rotation.
compliance-soc2-essentials, security-hardening, +1
High
Require MFA for admin actions touching ePHI
Endpoints under /admin or privileged routes that can view or export ePHI must enforce multi-factor authentication and recent re-auth (e.g., within 15 minutes).
compliance-hipaa, security-hardening, +1
High
Require step-up MFA for privileged operations
Actions like role changes, key rotations, and exports of PII require MFA re-authentication within the last 5 minutes; record mfa_verified_at in the audit log.
compliance-soc2-essentials, security-hardening
High
Require TLSv1.2+ and secure cookies
Configure http.Server with tls.Config{MinVersion: tls.VersionTLS12} and set cookies with Secure, HttpOnly, SameSite.
compliance-soc2-essentials, security-hardening
High
Retention: set TTLs for caches and temp stores with PII
All cache entries containing PII must set an explicit TTL aligned to the retention policy (e.g., 24h). No indefinite storage of personal data in Redis or in-memory caches.
compliance-lgpd, caching-strategy, +1
High
Retrieve Only Necessary Fields in SQL Queries
Ensure that SQL queries specify only the necessary fields instead of using `SELECT *` to optimize database performance.
database-query-performance
High
Return explicit HTTP responses from API methods
API endpoints should return an explicit status code and a minimal error body on failure; avoid returning 200 with an error payload.
api-conventions
High
Return proper HTTP status codes
Return 2xx only on success; use 4xx for client errors and 5xx for server errors, with a minimal JSON error body.
api-conventions, stack-php
High
Return proper HTTP status codes for errors
Handlers must return non-2xx status codes for error outcomes and include a minimal error body that does not leak sensitive details.
api-conventions, error-handling, +2
High
Revalidate after mutations to keep UI cache coherent
After server-side mutations, call revalidatePath or revalidateTag to refresh cached RSC data.
stack-nextjs, stack-react, +2
High
Right-size the PR or justify size
If the PR is large (many files/lines), split it into logical chunks or provide a clear justification and review guide listing file groups and what to focus on.