Every Mesrai rule, in one place

Add a CI step that fails builds if secret patterns (JWT, AWS keys) or high-entropy strings are detected in diffs.

Reject PRs adding real PAN/CVV in fixtures, seeds, or mocks. Only use Luhn-valid test PANs from the gateway or opaque tokens (e.g., tok_) and never include CVV. Add a check to fail if a PAN regex is matched. (PCI DSS data minimization)

If the PR claims to fix a specific issue (e.g., 'Fixes #123' / 'Fix PAY-123'), validate it against the real production error. - If an observability MCP is available (Sentry/Datadog/Bugsnag): fetch the event/stack trace and confirm the change addresses the root cause. - Require a regression test (or a clearly documented reason why a test cannot be added). Call out fixes that only hide symptoms (catch-and-ignore, broader retries, defaulting values) without removing the underlying failure mode.

Verify that after loading a PyTorch model, either `model.eval()` or `model.train()` is called. Failing to do so can result in incorrect behavior, especially for layers like dropout and batch normalization.

If an API/contract or behavior is breaking, add a 'BREAKING CHANGE' section detailing what breaks, migration steps, and affected consumers.

Add a 'Security & Privacy' section in ADRs addressing threat model impacts, secrets handling, data retention, and PII processing; link to relevant runbooks and DPA if applicable.

Verify if a widget is still mounted before using `BuildContext` inside an asynchronous operation to prevent accessing invalid states.

Before approving/merging risky changes, check whether there is an active critical production incident. - If an incident/monitoring MCP is available (PagerDuty, Datadog Monitors): query for active Sev1/Sev2 incidents. - If there is an active incident: warn the author and suggest delaying merges/deploys or using an explicit emergency override process.

Tag records by data_class (PII, telemetry, auth) and enforce retention (e.g., PII ≤ 365 days unless legal hold). Provide scheduled deletion jobs and audit log entries.

Whenever you start an interval/timeout, also define a deterministic cleanup path that clears it.

Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).

Provide a single permission check API (e.g., can(user, action, resource)) and reuse it across layers.

When accepting a slice or map from external snippet or returning one, consider copying it. This prevents unintentional modifications to the original data. For example, don't store a slice argument directly if the caller might modify it later; instead, make a copy for internal use.

Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.

Apply debounce/throttle to handlers that trigger network calls or heavy computation on rapid input.

Include a 'Rollout Plan' section with phases, feature flags, backout plan, and data migration steps; reference migration scripts and flag names.

If a PR introduces workloads in a namespace that lacks a default-deny NetworkPolicy, add one plus explicit allow rules.

All bulk exports of PII require approval, step-up MFA, rate limits, and watermarking of files with requestor and timestamp; record export_id in the audit log.

Flag patterns that issue network/database calls inside loops; recommend batching (Promise.all), joins, or aggregate endpoints.

Require TOTP or WebAuthn MFA for admin areas; verify mfa_verified_at timestamp before sensitive routes.

Avoid using directives or features that bypass Vue's built-in HTML escaping mechanisms, such as the `v-html` directive, unless the content is known to be safe or has been properly sanitized.

Registry configuration (e.g., .npmrc, .yarnrc.yml) must live at the monorepo root. Forbid .npmrc files inside workspace packages overriding registry auth or URL.

Avoid assigning values to `void` variables as `void` is not a compatible type and doing so results in runtime errors.

Check if modules export mutable variables. Mutable exports can be modified by other modules, leading to unpredictable behavior. Recommend exporting immutable values instead.