Every Mesrai rule, in one place

Ensure that all user inputs in templates are properly validated and sanitized to prevent SSTI attacks.

Using unsanitized user input in SQL queries can lead to SQL injection attacks. Use parameterized queries to protect against malicious inputs.

Ensure that user-controlled data is not used to suspend threads, as it can lead to Denial of Service (DoS) attacks.

In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.

Ensure that `SystemExit` and `KeyboardInterrupt` are not caught without being re-raised. Preventing Python from exiting can cause unintended behavior.

For changes that affect architecture, data models, external APIs, security posture, deployment topology, or cost (>10%), create an ADR in docs/adr/ using the standard template (Context, Decision, Consequences) and link the PR and issue IDs.

Before handling sensitive personal data (e.g., health, biometric), verify a valid consent record and attach its ID to the processing context. Provide a path to revoke consent and stop further processing.

Allowing user input in connection strings can lead to injection attacks. Always validate and sanitize inputs before constructing connection strings.

Identify server-side requests that do not validate input sources. SSRF vulnerabilities allow attackers to make unauthorized requests on behalf of the server. Restrict and validate request sources.

Ensure that `String.replace()` is used when a simple string replacement is needed instead of `String.replaceAll()`.

All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.

Ensure that factory method injection is used in `@Configuration` classes instead of `@Autowired` field injection.

Verify that when extracting substrings, a start index is specified to avoid unnecessary memory allocations.

Disabling SSL/TLS certificate validation exposes applications to Man-in-the-Middle (MitM) attacks, compromising security.

Skipping certificate validation enables attackers to impersonate trusted entities and intercept secure communications.

Ensure that 'this' is not used in functional components. Functional components do not have a 'this' context. Use props and destructuring for data access instead.

Define constructors for `@immutable` classes as `const` to ensure that instances are created efficiently and cannot be modified.

Identify cases where a module imports itself. Self-imports are usually unintentional and can cause confusion or unnecessary dependencies. Suggest removing them.

Ensure close/stop/dispose is called for resources (clients, channels, scopes) using use{} or try/finally; cancel coroutines on shutdown.

Log failures with operation name, key identifiers, and exception; prefer structured logging (fields).

Validate required parameters at boundaries using require/requireNotNull or explicit validators; fail fast with actionable messages.

Validate method inputs up front with null checks or use Objects.requireNonNull and meaningful messages.

Index frequently filtered or joined columns and verify with query plans.

Index columns used in WHERE/JOIN/ORDER and enforce uniqueness where applicable.