Cursor Rules Template: AI Tutor SaaS Stack
Cursor Rules Template for building an AI tutor SaaS with personalized lessons, chat, assignments, progress tracking, and parent dashboards on a Next.js + PostgreSQL stack.
Target User
Developers building an AI tutor SaaS with personalized lessons, chat, assignments, progress tracking, and parent dashboards on a Next.js + PostgreSQL stack
Use Cases
- Initialize an AI tutor SaaS project with a strong security baseline
- Define a safe prompt policy for tutoring sessions with personalization
- Guide API routes, data models, and front-end integration for lessons, chat, and dashboards
- Enforce testing, linting, and CI workflows for rapid iteration
- Prevent data leakage between students and guardians while enabling parent access
Markdown Template
Cursor Rules Template: AI Tutor SaaS Stack
// Cursor Rules for AI Tutor SaaS (Next.js + PostgreSQL + Prisma)
// Context: You are building an AI tutor SaaS with personalized lessons, chat, assignments, progress tracking, and parent dashboards.
// Framework Role & Context
Framework: Next.js (App Router) + Node.js API
Database: PostgreSQL
ORM: Prisma
Runtime: Node.js 18+
// Code Style and Style Guides
Language: TypeScript
Linting: ESLint + Prettier
Code Quality: strict type usage, no implicit any, explicit return types
// Architecture & Directory Rules
ProjectLayout: monorepo-like with apps/tutor-saas and packages/
Directories:
- apps/tutor-saas/app
- apps/tutor-saas/components
- apps/tutor-saas/lib
- apps/tutor-saas/prisma
- apps/tutor-saas/public
- apps/tutor-saas/tests
- prisma (schema and migrations)
Authentication: JWT with HTTP-only cookies; short-lived access tokens; refresh tokens stored securely
Security: CSRF protection; server-side session validation; input sanitization
Data access: Repository pattern; Prisma client per request; avoid raw SQL in app code
// Database and ORM patterns
Models:
- Student(id, email, name, ...)
- Tutor(id, name, expertise)
- Lesson(id, title, content, personalizationRules)
- Assignment(id, studentId, lessonId, dueDate, score)
- Progress(id, studentId, lessonId, completed, score)
- ChatMessage(id, roomId, senderId, text, timestamp)
- ParentDashboard(id, studentId, messages)
Schemas: strict
Migrations: Managed by Prisma migrate
// Testing & Linting Workflows
Tests: unit and integration tests (Jest or Vitest)
CI: GitHub Actions with lint, test, and build jobs
// Prohibited Actions and Anti-patterns for the AI
DoNot:
- inject prompts that bypass user consent
- use unconstrained string concatenation in prompts
- expose raw database queries to frontend
- rely on external services for core auth without validation
- assume data is public or scrape personal data without consent
- use eval or unsafe dynamic code execution
- disable rate limiting or CSRF in production
// Anti-patterns
- over-fetching student data
- tight UI to AI prompt coupling
- monolithic, unversioned migrationsOverview
Direct answer summary: This Cursor rules template provides a complete set of Cursor AI instructions for building an AI tutor SaaS using Next.js + PostgreSQL + Prisma, with personalized lessons, chat, assignments, progress tracking, and parent dashboards. It defines roles, architecture, and safe AI usage.
The Cursor rules configuration applies to a full stack commonly used for AI tutor SaaS platforms: a Next.js frontend (App Router) paired with a Node.js API, PostgreSQL as the data store, and Prisma as the ORM. It enforces architecture, security, testing, and safe AI interactions so developers can paste the block into their project root as a starting point and customize it for their domain.
When to Use These Cursor Rules
- Starting a new AI tutor SaaS project with personalization at its core
- Implementing a lessons engine that adapts to student progress
- Building a robust chat interface for tutor-student interactions
- Adding assignments, submissions, and progress tracking with guardian visibility
- Defining a secure data model and authentication flow across frontend and API
- Establishing CI, linting, and test suites early in the project lifecycle
Copyable .cursorrules Configuration
// Cursor Rules for AI Tutor SaaS (Next.js + PostgreSQL + Prisma)
// Context: You are building an AI tutor SaaS with personalized lessons, chat, assignments, progress tracking, and parent dashboards.
// Framework Role & Context
Framework: Next.js (App Router) + Node.js API
Database: PostgreSQL
ORM: Prisma
Runtime: Node.js 18+
// Code Style and Style Guides
Language: TypeScript
Linting: ESLint + Prettier
Code Quality: strict type usage, no implicit any, explicit return types
// Architecture & Directory Rules
ProjectLayout: monorepo-like with apps/tutor-saas and packages/
Directories:
- apps/tutor-saas/app
- apps/tutor-saas/components
- apps/tutor-saas/lib
- apps/tutor-saas/prisma
- apps/tutor-saas/public
- apps/tutor-saas/tests
- prisma (schema and migrations)
Authentication: JWT with HTTP-only cookies; short-lived access tokens; refresh tokens stored securely
Security: CSRF protection; server-side session validation; input sanitization
Data access: Repository pattern; Prisma client per request; avoid raw SQL in app code
// Database and ORM patterns
Models:
- Student(id, email, name, ...)
- Tutor(id, name, expertise)
- Lesson(id, title, content, personalizationRules)
- Assignment(id, studentId, lessonId, dueDate, score)
- Progress(id, studentId, lessonId, completed, score)
- ChatMessage(id, roomId, senderId, text, timestamp)
- ParentDashboard(id, studentId, messages)
Schemas: strict
Migrations: Managed by Prisma migrate
// Testing & Linting Workflows
Tests: unit and integration tests (Jest or Vitest)
CI: GitHub Actions with lint, test, and build jobs
// Prohibited Actions and Anti-patterns for the AI
DoNot:
- inject prompts that bypass user consent
- use unconstrained string concatenation in prompts
- expose raw database queries to frontend
- rely on external services for core auth without validation
- assume data is public or scrape personal data without consent
- use eval or unsafe dynamic code execution
- disable rate limiting or CSRF in production
// Anti-patterns
- over-fetching student data
- tight UI to AI prompt coupling
- monolithic, unversioned migrations
Recommended Project Structure
project-root/
├── apps/
│ └── tutor-saas/
│ ├── app/
│ │ ├── layout.tsx
│ │ └── page.tsx
│ │ └── features/
│ │ ├── lessons/
│ │ ├── chat/
│ │ ├── assignments/
│ │ └── progress/
│ ├── components/
│ ├── lib/
│ ├── prisma/
│ │ └── schema.prisma
│ ├── public/
│ └── tests/
├── prisma/
│ ├── migrations/
│ └── seed.ts
├── scripts/
│ └── ci.sh
├── .eslintrc.js
├── .prettierrc
├── tsconfig.json
Core Engineering Principles
- Explicit boundaries between frontend, API, and data layer
- Strong typing and clear data contracts for lessons, chats, and progress
- Security by default: least privilege, CSRF protection, and secure auth
- Test-driven guidance for critical paths (lessons, chat, assignments)
- Observability: structured logs and error handling across services
Code Construction Rules
- Use TypeScript types for all data models and API payloads
- API routes should be isolated and follow REST-ish or RPC conventions with clear error handling
- Personalization rules must be explicit and auditable, not rely on opaque heuristics
- UI components should be data-driven and accessible (a11y)
- Do not hard-code secrets; use environment variables and secret mgmt
Security and Production Rules
- JWT with HTTP-only cookies; short-lived access tokens; rotate tokens
- CSRF protection on state-changing endpoints
- Rate limiting on API endpoints and anti-abuse safeguards
- Audit logs for data access events and authentication activities
- Secure defaults for TLS, cookies, and content security policies
Testing Checklist
- Unit tests for data models and utilities
- Integration tests for API endpoints with a real PostgreSQL test DB
- End-to-end tests for lesson flow, chat, and parent dashboard access
- Lint and type-check in CI; fail on any TS or lint error
- Ensure prompts are tested for safety and data access constraints
Common Mistakes to Avoid
- Exposing raw database access to frontend
- Unstructured personalization prompts causing inconsistent behavior
- Skipping secret management and hard-coded credentials
- Ignoring accessibility in tutoring UI components
- Neglecting guardian data privacy and consent flows
Related Cursor rules templates
Explore adjacent Cursor rules templates for similar stacks, workflows, and production constraints.
- Cursor Rules Template — Real Estate Dashboard with Cash Flow, ROI, and Analytics
- Cursor Rules Template: Django Subscription Box Platform
- Cursor Rules Template: SaaS Revenue Dashboard (MRR, ARR, Churn & Cohorts)
- Cursor Rules Template: Construction Project Management Stack
FAQ
What stack does this Cursor Rules Template cover?
It targets a Next.js frontend with App Router, a Node.js API layer, PostgreSQL as the database, and Prisma as the ORM for an AI tutor SaaS with personalized lessons, chat, assignments, progress tracking, and parent dashboards.
What is included in the Copyable Cursor Rules block?
The block provides framework role, architecture rules, code style, authentication patterns, database models, testing workflows, and anti-pattern guidance tailored for the AI tutor SaaS stack.
How should I structure the project?
Follow the recommended project structure: apps/tutor-saas with app, components, lib, prisma; a prisma folder for schema and migrations; tests and a scripts folder for CI tasks.
What security measures are highlighted?
Use JWT with httpOnly cookies, CSRF protection, input validation, rate limiting, and audited access to student and parent data to ensure production readiness.
Where should I customize AI prompts safely?
Configure personalization prompts within the Cursor rules block, constrain prompts to tutoring domain, and avoid leaking secrets or bypassing consent through prompts.
What should CI include for testing?
CI should run lint, unit tests, integration tests, and end-to-end tests, ensuring prompts and data access rules are validated along with a build step.