Every Mesrai rule, in one place

Use curly braces `{}` around all control structures (`if`, `for`, `while`, `do`-`while`) to improve readability and prevent logic errors.

Failing to check `ModelState.IsValid` before processing user input can result in invalid or unverified data being accepted.

Without explicit HTTP method attributes, API behavior can be unclear, leading to route conflicts and unexpected results.

Verify that API controllers inherit from `ControllerBase` instead of `Controller` unless views are explicitly required.

Protect /exports/ with role checks, fresh MFA, and rate limits; add requester and approved_by to the audit event.

Whenever PII is read, emit an audit event capturing actor, purpose, fields touched, and legal basis; never include raw PII in the audit payload—store hashes/tokens only.

`DateTime.Now` is affected by daylight savings and system clock adjustments. Use `Stopwatch` for more accurate timing.

Using `new Guid()` instead of `Guid.Empty` or `Guid.NewGuid()` can be misleading and lead to unintended behavior.

Do not use `return`, `break`, or `continue` inside `finally` blocks as they can suppress exceptions and lead to unintended behavior.

Never use `v-if` on the same element as `v-for`.

Ensure that React list items do not use array indexes as keys. This practice can cause reordering issues and unexpected behavior. Recommend using unique identifiers instead.

Ensure that constructors do not include asynchronous operations. Constructors should initialize class instances synchronously. If async logic is required, suggest moving it to a separate initialization method.

Check for occurrences where user input is directly used to construct system commands. This introduces a risk of command injection. Suggest using parameterized queries or safe wrappers instead.

Ensure that `instanceof` checks are used before performing explicit type casting to prevent `ClassCastException`.

Detect missing commas in lists, tuples, or dictionaries that unintentionally concatenate strings. This can lead to unexpected behavior and hard-to-find bugs.

Passing user input directly into system commands can lead to command injection vulnerabilities. Always sanitize inputs before execution.

Ensure that objects are not created solely for calling `getClass()`. Use `ClassName.class` instead.

Detect function definitions that use mutable objects (lists, dictionaries) as default arguments. This can lead to unintended shared state. Recommend using `None` as the default and initializing the object inside the function.

Never swallow exceptions silently; log with context and either rethrow or handle explicitly.

Ensure that catch blocks do not remain empty. Empty catch blocks hide errors, making debugging difficult. Recommend logging or handling errors properly.

Ensure that catch blocks contain meaningful exception handling logic and do not remain empty.

Check that finalizers are not left empty. If cleanup is needed, ensure proper resource disposal is implemented instead.

Ensure that logging arguments and preconditions do not require costly evaluations before method calls.

Identify functions that return the same value regardless of input. This may indicate poor design or a logic error.