Every Mesrai rule, in one place

Use WebMock or equivalent to stub external requests in specs and prefer effect-based matchers (e.g., change(Model, :count)) over brittle value guesses.

Keep UI/controllers thin; move domain logic to services or domain objects.

Provide AVIF/WebP fallbacks via <img srcset> with width/height attributes, meaningful sizes, and "loading=lazy" plus "decoding=async". Avoid shipping oversized PNG/JPEG when AVIF/WebP is supported.

Every container must specify resources.requests and resources.limits for cpu and memory.

Avoid bare `rescue`; rescue StandardError (or a narrower class) and log with context.

Without a timeout, regex processing on untrusted input can be exploited for Denial-of-Service (DoS) attacks. Always define a timeout when using regex.

Attach a trace_id (e.g., from request header or generated UUID) and emit structured JSON logs for login, role change, and data export routes.

Do not rewrite accepted ADRs. When reversing or replacing a decision, create a new ADR with Status: accepted and add 'Supersedes: NNNN' while marking the old ADR as 'Status: superseded by NNNN'.

All Terraform/Kubernetes resources must include standard tags/labels: owner, env, cost-center (and application if available).

Every ADR must contain the sections: Context, Decision, Consequences, Status. Allowed Status values: proposed, accepted, deprecated, superseded.

Configure a remote backend with state locking (e.g., S3 + DynamoDB table or AzureRM blob with leases). Do not use local backend for shared environments.

Background jobs must throw on irrecoverable failures (after logging) so the runner/queue can retry or dead-letter appropriately.

For changes affecting public APIs or modules, include 'Versioning & Deprecation' with semantic version impact and deprecation timeline; link to CHANGELOG and deprecation notices.

Wrap PII scrubbing and session invalidation in a single DB transaction; publish a gdpr.erased event with subject ID and timestamp after commit.

Never hardcode credentials (API keys, tokens, private keys) in source code, configs, or tests. If a string looks like a credential based on context (variable name, header usage, auth flows), treat it as a secret even if it is not high-entropy. Move it to env/secret manager, rotate the credential if it may have leaked, and remove it from git history if necessary.

Ensure that `Arrays.stream(array)` is used instead of `Arrays.asList(T... a).stream()` for primitive arrays.

Ensure that all literal values passed to constructors of `@immutable` classes are marked as `const` to prevent unnecessary object creation.

Ensure that `entrySet()` is used instead of iterating over `keySet()` and calling `get(key)`, to optimize performance.

Ensure that constants are declared with the `final` keyword to prevent modification.

Detect code where resources (files, sockets, etc.) are not closed in a `finally` block. Using `finally` ensures that resources are released, even if an exception is raised.

Ensure `First()` or `Single()` is used instead of `FirstOrDefault()` or `SingleOrDefault()` when collections are guaranteed to have elements.

Ensure that immutable instance fields are marked as `readonly`, and compile-time constants are marked as `const`.

Return 2xx on success, 4xx for client errors, and 5xx for server errors with minimal, non-sensitive bodies.

Ensure that HTTP handlers return the appropriate status codes based on request success or failure.