Every Mesrai rule, in one place

Ensure tabIndex values are either 0 or -1. Positive tabIndex values disrupt the natural tab order and can create accessibility issues.

Calling synchronous methods inside async code can block execution and reduce performance. Use awaitable methods to ensure proper async execution.

Process large tables with find_in_batches and avoid loading entire datasets.

Ensure that batch processing is used instead of executing individual SQL statements inside loops for better database efficiency.

Store decision records under docs/adr/ with zero-padded incremental numbering and a kebab-case title: docs/adr/NNNN-title.md (e.g., docs/adr/0001-choose-postgresql.md).

For web/mobile payment forms, send PAN and CVV directly to the PCI-compliant gateway to obtain a single-use token; submit only the token to your backend. Validate that backend APIs reject requests containing PAN/SAD. (PCI DSS scoping & SAQ A)

For applications, styles in a top-level `App` component and in layout components may be global, but all other components should always be scoped. This can be achieved through CSS modules, class-based strategies like BEM, or the `scoped` attribute in Single-File Components.

For security tokens (session IDs, CSRF tokens, password‐reset links), use cryptographically secure random functions like random_bytes() or openssl_random_pseudo_bytes(), instead of predictable functions like rand() or mt_rand().

Always use `defer` to release resources like files or locks when a function has multiple exit points. Open or lock resources and immediately defer their close/unlock to ensure they get released on every code path.

Request dependencies via constructors and register them with the DI container; avoid new-ing services in code.

In committed code, prop definitions should always be as detailed as possible, specifying at least type(s).

Iterate large ActiveRecord sets with find_each/find_in_batches to stream records in batches.

Maintain a single go.work at the monorepo root listing all local modules via use directives. Forbid go.mod replace directives that point to sibling modules (e.g., ../pkg) in workspace modules.

Ensure that Java records are used for immutable data structures instead of manually implementing immutable classes.

`key` with `v-for` is *always* required on components to maintain internal component state down the subtree. Even for elements, it's good practice for predictable behavior like object constancy in animations.

Always use the Next.js Image component for images with width/height (or fill) and meaningful alt text. Avoid plain <img> for app assets.

Prefer thenCompose/thenCombine over blocking get/join; propagate async results end-to-end.

Ensure that optional REST parameters use object types or `Optional<T>` instead of primitive types to avoid runtime errors.

Do not build SQL queries by directly concatenating untrusted data. Instead, use prepared statements with parameters (for example, using PDO or MySQLi) to prevent SQL Injection.

Without ProducesResponseTypeAttribute, Swagger cannot infer the response type of an action returning IActionResult, making API documentation unclear and unreliable.

When re-emitting a caught exception, use `rethrow` instead of `throw e` to keep the original stack trace.

Prefer app/api route handlers over legacy pages/api. Return NextResponse.json, validate input, and handle allowed HTTP methods explicitly.

Use `&.` and presence/|| to safely traverse possibly-nil chains and provide defaults.

Do not use weak or generic hash algorithms (like MD5 or SHA1) for storing passwords. Use built‐in functions like password_hash() (with BCRYPT or Argon2) and password_verify(), which handle salting and secure algorithms automatically.