Every Mesrai rule, in one place

Ensure that `assert` is not used for validating user input or critical checks. Assertions can be disabled in optimized mode (`python -O`). Recommend using explicit validation with `if` conditions and raising proper exceptions.

Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.

For fields like CPF, birth_date, and address, use AES-256-GCM with envelope encryption. Keys must come from a managed KMS; rotate data keys at least annually and store key IDs with the ciphertext.

Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.

Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.

Check if every `case` statement includes an `else` clause. If an `else` clause is missing, ensure that a comment explicitly states why it is unnecessary.

Verify that all `if...elsif` constructs include a final `else` clause. If `else` is missing, ensure there is a comment explaining why all cases are covered.

Ensure that deserialization processes validate untrusted data before processing to prevent code execution vulnerabilities.

All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.

Provide a single idempotency-keyed erasure workflow that scrubs PII in primary DB, caches, search indices, and object storage; emit an audit event with erasure_request_id. (GDPR Art. 17)

Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.

Unit tests must stub or fake external HTTP/DB calls; allow real I/O only in integration/e2e tests tagged accordingly.

Detect exception handling blocks that catch objects not derived from `BaseException`. This causes a `TypeError` and should be avoided.

Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.

Detect uses of `re.sub()` where regular expressions are not needed. For simple string replacements, `str.replace()` is more efficient and should be used instead.

Ensure that offset-based string methods are used instead of creating unnecessary substring instances.

Allowing untrusted data to be executed dynamically can lead to arbitrary code execution and security vulnerabilities. Always validate input before execution.

Deserializing untrusted data can allow attackers to execute arbitrary code. Always validate and sanitize serialized inputs before processing.

Ensure that the application does not disclose file existence based on user input to prevent filesystem oracle attacks.

Ensure that applications do not expose intent-processing components that can be manipulated by other applications.

Unsanitized user input in NoSQL queries can allow attackers to manipulate database queries, leading to data leaks or unauthorized modifications.

Ensure that user-controlled HTTP redirections are validated to prevent phishing attacks.

Ensure that URLs used in redirection are properly validated and restricted to trusted domains. Open redirects can be exploited to redirect users to malicious sites.

Ensure that all user inputs related to file paths are validated and sanitized to prevent path traversal attacks.