Cursor Rules Template: Client Onboarding Portal with Forms, Uploads, E-Sign and Admin Dashboards

Cursor Rules Template for Node.js/React/PostgreSQL onboarding portal with forms, document uploads, e-signature workflows, and admin dashboards using Cursor AI.

Target User

Full-stack developers building onboarding portals with Node.js/Express, React, and PostgreSQL.

Use Cases

  • Customer onboarding workflows
  • Document collection and verification
  • E-signature integration
  • User notifications
  • Admin dashboards and analytics

Overview

Paste this Cursor Rules Template into your project to scaffold a client onboarding portal built with Node.js/Express for the API, React for the front-end, and PostgreSQL for the database. It defines roles, security rules, architecture, testing, and anti-patterns so Cursor AI can guide implementation of forms, document uploads, e-signature workflows, notifications, and an admin dashboard.

Stack focus: Node.js/Express API, React SPA, PostgreSQL, JWT with HTTP-only cookies for auth, and object storage for uploads. Cursor AI will follow the rules to ensure maintainability, security, and testability in production.

When to Use These Cursor Rules

  • You are building a customer onboarding portal with forms, document uploads, e-signatures, and admin dashboards.
  • You want a repeatable Cursor AI instruction set for Node/React/PostgreSQL stacks.
  • You aim to enforce security, testing, and deployment discipline from the start.
  • You need clear anti-pattern guidance to avoid common architectural drift.

Copyable .cursorrules Configuration

// Cursor Rules: Client Onboarding Portal with Cursor Rules Template
FRAMEWORK: Node.js/Express + React + PostgreSQL
CONTEXT: You are a Cursor AI assistant tasked with designing a production-ready client onboarding portal. Target stack: Node.js/Express REST API, React SPA, PostgreSQL, JWT auth, and server-side validation. The goal is to generate high-quality, secure, testable code with clear file organization.
STYLE: ESLint + Prettier with Airbnb style; TypeScript preferred; strict typing; consistent import/order; no console logs in prod
ARCHITECTURE: Monorepo with server and client separation; folders below
DIRECTORIES:
  - server/
  - server/controllers/
  - server/routes/
  - server/models/
  - server/middleware/
  - server/services/
  - client/
  - client/src/
  - client/src/components/
  - client/src/pages/
  - client/src/hooks/
  - client/public/
AUTH:
  - METHOD: JWT with HTTP-only cookies
  - ACCESS_TOKEN_EXP: 15m
  - REFRESH_TOKEN_EXP: 7d
  - OAUTH: optional
DB:
  - ENGINE: PostgreSQL
  - ORM: TypeORM
  - MIGRATIONS: true
  - SEEDING: scripts/seed
  - CONSTRAINTS: robust constraints and indexes
DATA_MODEL:
  - User: { id, email, passwordHash, role, createdAt }
  - ClientProfile: { id, userId, companyName, onboardingStatus, createdAt }
  - Document: { id, clientId, type, storageKey, status, uploadedAt }
  - FormSubmission: { id, clientId, formType, data, createdAt }
  - Signature: { id, documentId, status, signedAt }
TESTING:
  - UNIT: Jest
  - INTEGRATION: supertest for API
  - E2E: Cypress
CI/CD:
  - PLATFORM: GitHub Actions
  - JOBS: lint, test, build-server, build-client, e2e
SECURITY:
  - INPUT_VALIDATION: server-side only
  - FILE_UPLOADS: size limits, virus scan, store in object storage
  - AUTHZ: RBAC by roles
  - CSRF: enabled for non-GET APIs
  - ENCRYPTION: data at rest and in transit
ANTI-PATTERNS:
  - Do not bypass validation or authorization checks
  - Do not store secrets in code or logs
  - Do not mix UI and business logic in controllers

Recommended Project Structure

my-onboarding-app/
├── server/
│   ├── src/
│   │   ├── controllers/
│   │   ├── routes/
│   │   ├── models/
│   │   ├── services/
│   │   ├── middleware/
│   │   └── index.ts
│   ├── tests/
│   └── package.json
├── client/
│   ├── src/
│   │   ├── components/
│   │   ├── pages/
│   │   ├── hooks/
│   │   └── index.tsx
│   ├── public/
│   └── package.json
├── tests/
├── scripts/
├── .env.example
└── README.md

Core Engineering Principles

  • Security-by-default: fail closed, validate input, protect auth flows.
  • Clear boundaries: separate server and client concerns; keep logic isolated in services.
  • Defensive coding: input validations, explicit types, and robust error handling.
  • Observability: structured logs, metrics, and tracing for onboarding flows.
  • Testability: unit, integration, and e2e tests with CI hooks.

Code Construction Rules

  • Do not import database models directly into routes; use services for business logic.
  • Do not bypass input validation; always validate on server side for all forms and file uploads.
  • Use TypeScript typings for API payloads and UI data models.
  • Keep forms and document upload handling modular and audited in separate services.
  • Use environment-based feature flags for onboarding experiments.
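
An added example (not part of the template) of the server-side upload check that these rules and the FILE_UPLOADS rule call for, written as a plain service function that returns a `Document` record. The 10 MiB limit, the type allowlist, integer ids, the `pending_scan` status and all function names are assumptions.

```javascript
// Added example. MAX_BYTES, ALLOWED and validateUpload are illustrative names.
const MAX_BYTES = 10 * 1024 * 1024; // assumed limit: 10 MiB

// Allowlist keyed by Document.type; each entry lists the leading "magic"
// bytes that a genuine file of that type starts with.
const ALLOWED = {
  pdf: [[0x25, 0x50, 0x44, 0x46, 0x2d]], // "%PDF-"
  png: [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  jpeg: [[0xff, 0xd8, 0xff]],
};

function startsWith(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// Returns { ok: true, document } or { ok: false, reason }. Any check that
// cannot be satisfied rejects the upload (fail closed).
function validateUpload({ clientId, documentId, claimedType, bytes }) {
  const reject = (reason) => ({ ok: false, reason });
  const isId = (v) => Number.isInteger(v) && v > 0; // assumes integer primary keys
  if (!isId(clientId) || !isId(documentId)) return reject('bad_id');
  if (!(bytes instanceof Uint8Array) || bytes.length === 0) return reject('empty');
  if (bytes.length > MAX_BYTES) return reject('too_large');
  // Own-property lookup so "constructor" or "__proto__" never match.
  const known = Object.prototype.hasOwnProperty.call(ALLOWED, claimedType);
  if (!known) return reject('type_not_allowed');
  if (!ALLOWED[claimedType].some((sig) => startsWith(bytes, sig))) {
    return reject('content_mismatch');
  }
  return {
    ok: true,
    document: {
      id: documentId,
      clientId,
      type: claimedType,
      // Key is built from server-side ids only, never from the uploaded filename.
      storageKey: `clients/${clientId}/documents/${documentId}`,
      // Assumed status value: not downloadable until the virus scan clears it.
      status: 'pending_scan',
    },
  };
}
```

The size limit should also be enforced where the request body is parsed, so an oversized upload is rejected before it is buffered in memory.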

Security and Production Rules

  • Use HTTPS, secure cookies, and HttpOnly flags for tokens.
  • Enforce RBAC: only authorized roles can access client data and admin dashboards.
  • Limit file upload sizes and scan content before storage.
  • Enable CSRF protection for non-idempotent endpoints.
  • Encrypt sensitive data at rest and in transit; redact PII in logs.
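
An added example (not part of the template) of the RBAC rule above as a deny-by-default check plus an Express-style middleware. The role names, action names, and the `req.user` and `req.resource` fields (set by earlier authentication and loader middleware) are assumptions.

```javascript
// Added example. POLICY, authorize and requirePermission are illustrative names.
// Role -> permitted actions; anything not listed is denied.
const POLICY = {
  admin: new Set(['client:read', 'client:update', 'document:read', 'dashboard:view']),
  client: new Set(['client:read', 'document:read', 'document:upload']),
};

// Returns { allowed, reason }. Every path that is not an explicit allow is a deny.
function authorize(user, action, resource) {
  const deny = (reason) => ({ allowed: false, reason });
  if (!user || user.id == null || typeof user.role !== 'string') {
    return deny('unauthenticated');
  }
  // Own-property lookup so a role such as "__proto__" is never resolved.
  if (!Object.prototype.hasOwnProperty.call(POLICY, user.role)) {
    return deny('unknown_role');
  }
  if (!POLICY[user.role].has(action)) return deny('role_lacks_permission');
  // Non-admin roles may only act on records tied to their own User.id
  // (ClientProfile.userId, or the owner of a Document's client).
  if (user.role !== 'admin') {
    if (!resource || resource.ownerUserId !== user.id) return deny('not_owner');
  }
  return { allowed: true, reason: 'ok' };
}

// Express-style middleware: responds 401 or 403 and never calls next() on a deny.
function requirePermission(action) {
  return (req, res, next) => {
    const decision = authorize(req.user, action, req.resource);
    if (decision.allowed) return next();
    const unauth = decision.reason === 'unauthenticated';
    // The detailed reason stays server-side; the client gets a generic error.
    return res.status(unauth ? 401 : 403).json({ error: unauth ? 'unauthenticated' : 'forbidden' });
  };
}
```

Mounted as `requirePermission('dashboard:view')` on admin routes, the check returns 403 for any role that lacks the permission, including roles added later and not yet listed in `POLICY`.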

Testing Checklist

  • Unit tests for all API handlers and utilities.
  • Integration tests for onboarding flows (form submission, upload, e-sign).
  • End-to-end tests covering signers, document uploads, and notifications.
  • Linting and type checks in CI; treat warnings as errors so the build fails.
  • Security tests: input validation, auth, and rate limiting checks.
  • Deployment checks: smoke tests in staging before production.

Common Mistakes to Avoid

  • Storing raw credentials in code or logs.
  • Skipping server-side validation for file uploads and forms.
  • Overloading controllers; failing to refactor into services.
  • Ignoring RBAC in admin routes and audit logs.

FAQ

What is a Cursor Rules Template?

A Cursor Rules Template is a copyable configuration block that guides Cursor AI to generate or validate code for a specific technology stack. This template targets a Node.js/Express API, React frontend, and PostgreSQL database to implement a client onboarding portal with forms, uploads, e-signature, notifications, and an admin dashboard.

Which stack does this template target?

This template targets a Node.js/Express REST API, a React frontend, and PostgreSQL as the data store, using JWT-based authentication and a modular service-oriented design.

How should I implement e-signature securely?

Integrate a compliant e-signature provider, log signing events immutably, restrict access with RBAC, and ensure document access is limited by scope and recorded in audit trails.

What tests should I add for onboarding flows?

Include unit tests for validators and services, integration tests for the API, and end-to-end tests that simulate the signer and admin flows to verify the entire process.

What is essential for production readiness?

Production readiness requires strict input validation, RBAC, secure token handling, encrypted storage, robust logging, performance monitoring, and CI/CD with automated tests and rollback plans.

Are there anti-patterns to avoid?

Avoid bypassing validation, mixing business logic into routes, and exposing internal service details through APIs. Keep concerns separated and respect the boundary between client and server code.