Every Mesrai rule, in one place

Run a scheduled job that deletes telemetry after 30 days and anonymizes PII after the retention window; log deletions with data_class and count.

Ensure that variables are declared as close as possible to their first use to improve readability.

Ensure that each variable is declared separately instead of using multiple declarations in one statement.

Always specify access levels (public, private, protected) when declaring class properties and methods. Don’t use the old `var` keyword for properties. Explicit visibility clarifies intent and prevents unintended access.

Establish maintenance windows and freeze periods; emergency overrides require incident_id, approver, and post-facto review logged in the audit trail.

Hoist constant Regex/Formatters/Collections into top-level vals or companion objects; avoid recreating in hot paths.

For confirm/cancel flows, define common callbacks (confirm/cancel) once and reuse across dialogs.

Replace magic strings with constants or enums sealed classes; keep them in a single source of truth.

Create theme-like constants (radii, gaps, durations) and reuse across widgets.

Set HTTP headers for payment entry points and CHD-adjacent responses to prevent storage: Cache-Control: no-store, Pragma: no-cache, and appropriate privacy headers. Ensure intermediaries cannot cache PAN-related flows.

Implement a tracing layer that scans fields and redacts patterns (JWT, API keys, emails) before output.

If the PR introduces or expands usage of deprecated libraries/patterns the team is migrating away from (e.g., Moment.js, React Class Components), block and suggest the modern replacement. If the repo includes a migration guide (e.g., `docs/migration.md`, `CONTRIBUTING.md`, `docs/adr/*`), follow it and propose the equivalent snippet. If no guide exists, use an available web/search MCP to propose a safe, modern alternative and ask for confirmation of project standards.

Avoid duplicating runtime schemas and TypeScript types; derive types from constants/functions or declare as const tuples.

Directive shorthands (`:` for `v-bind:`, `@` for `v-on:` and `#` for `v-slot`) should be used always or never.

Set APP_DEBUG=false and hide stack traces; send errors to a centralized logger with trace_id instead.

Render PAN only in truncated form (first 6 and last 4) and never expose full PAN, CVV, or expiration data together. Apply the masking helper at all presentation points including emails and PDFs. (PCI DSS 4.0 Req. 3.3)

Always handle or log caught exceptions instead of silently ignoring them to improve debugging and maintain application stability.

Avoid empty catch blocks. When you catch an exception, implement meaningful handling: log the error, perform a fallback action, or rethrow after processing. Do not catch exceptions generically just to suppress them.

Ensure that imported variables are not reassigned. This can cause runtime errors, especially in TypeScript. Modify object properties instead of reassigning variables.

Use `///` for documentation instead of block comments to improve tooling support and ensure better formatting in generated docs.

Avoid functions or extensions deprecated in recent PHP versions (e.g., mysql_* or preg_replace without proper delimiters). Use modern supported alternatives like PDO/MySQLi for DB or PCRE functions (preg_match, preg_replace with correct syntax).

Avoid using the `goto` statement for flow control. Instead, refactor code using loops (for, while) and conditional structures (if/else, switch) for clear and maintainable logic.

Detect occurrences of the Array constructor. It behaves inconsistently depending on arguments. Recommend using array literals [] instead for clarity and predictability.

Ensure that the Object constructor is not used. Object literals are clearer, more predictable, and improve readability.