Every Mesrai rule, in one place

Use a KMS client to derive DEKs and encrypt sensitive blobs; rotate CMKs annually and re-encrypt on rotation.

If PAN must be handled transiently, encrypt in memory with AES-256-GCM using a KMS/HSM-provided key, store only ciphertext or tokens, and zeroize plaintext buffers immediately. Rotate keys per policy. (PCI DSS 4.0 Req. 3)

When reading from PHI tables, project only authorized fields and avoid SELECT *. Implement whitelists per role and document them. Reject requests lacking a Purpose-Of-Use justification.

Root package.json must define the packageManager field (e.g., "pnpm@9.x") and the repo must not contain other lockfiles or tool config (e.g., yarn.lock, package-lock.json) conflicting with that choice.

Do not violate the project's architecture boundaries. Examples of violations: Controllers/Views directly querying the database; UI importing infrastructure modules; domain modules importing unrelated domains. If the repo defines boundaries (lint rules, Nx tags, dependency-cruiser, ARCHITECTURE.md), enforce them. When in doubt, route all I/O through the intended service/repository layer and keep domain logic isolated.

Allowing anonymous LDAP connections exposes directory data to unauthorized users. Always require authentication.

Use helmet to set HSTS and configure cookies with Secure, HttpOnly, and SameSite. Reject HTTP by redirecting to HTTPS.

Install HSTS in Ktor, require HTTPS redirects, and emit structured audit events for role changes with callId/traceId.

Force HTTPS via middleware, set HSTS, and configure session cookies with secure=true, http_only=true, same_site=lax or strict in config/session.php.

Use Spring Security to require HTTPS, enable HSTS, set session fixation protection, and configure SameSite, Secure, HttpOnly cookies.

Grant production access just-in-time via approved requests with scoped durations; break-glass access must trigger alerts and expanded audit logging.

CI must fail the build when line coverage drops below the project threshold (e.g., 80%); publish coverage reports as artifacts.

PII tables must include an expires_at (or retention_policy) column and a scheduled deletion/archival job aligned to data category. No indefinite retention. (GDPR Art. 5(1)(e))

Applications serving ePHI must require HTTPS, disable insecure ciphers, and enable HSTS with preload and includeSubDomains. Reject cleartext HTTP requests.

All outbound connections that may carry CHD/PAN tokens must enforce TLS >= 1.2, validate hostname/chain, and optionally pin gateway SPKI. Disable insecure ciphers/versions. (PCI DSS 4.0 Req. 4)

Check if the `__all__` list in a module contains titles that are not defined. Listing undefined titles can cause `ImportError` when performing wildcard imports.

Verify that `__init__` methods always return `None`. Returning any other value causes a `TypeError` and prevents correct object instantiation.

Ensure that `@PathVariable` is used correctly in Spring applications to bind URI path variables to method parameters.

Ensure that `StringBuilder` instances are converted to strings using `ToString()` before use to prevent memory wastage.

Ensure that `ThreadLocal` variables are cleaned using `.remove()` to avoid memory leaks.

Controllers handling multiple concerns become harder to maintain and test. Split responsibilities into separate controllers.

Identify function calls where the number of arguments passed does not match the expected parameters. This often results in a `TypeError`. Suggest reviewing function signatures.

Detect functions that mix `return` statements with values and those without. Inconsistent return usage can lead to unpredictable behavior.

Copy-pasting code can lead to errors where getters or setters access the wrong fields. Always verify that properties interact with the expected fields.