Cursor Rules Template: Construction Project Management Stack
Cursor Rules Template for a construction project management platform with budgets, schedules, contractors, documents, and site reports. Tailored for Cursor AI, Node.js/Express backend, PostgreSQL data layer, and React frontend.
Target User
Developers building a construction project management platform
Use Cases
- Generate backend services for budgets, schedules and contractors
- Define data models for documents and site reports
- Enforce access control and audit trails for construction data
- Provide safe AI-assisted code generation with validation and tests
Markdown Template
Cursor Rules Template: Construction Project Management Stack
framework: Node.js + PostgreSQL + React
role: Cursor AI Assistant for Construction PM
context: Develop a secure, auditable, scalable Cursor Rules configuration to guide AI-generated code, queries, data models, and workflows for budgets, schedules, contractors, documents, and site reports.
# Code Style and Style Guides
codeStyle: ES2024, TypeScript, ESLint+Prettier, JSDoc annotations, consistent naming, no eval
linting: CI npm test, lint on pull requests, enforce 80%+ test coverage
# Architecture & Directory Rules
directories:
- src/
- src/api/
- src/models/
- src/controllers/
- src/routes/
- src/services/
- migrations/
- tests/
# Authentication & Security Rules
auth: JWT with RS256, RBAC with per-project scopes, OAuth2 where applicable
security: Strict input validation, parameterized queries, CSRF protection for state-changing endpoints
# Database and ORM patterns
db: PostgreSQL, use parameterized queries, migrations, strict constraints
orm: plain SQL with a thin data layer; avoid dynamic SQL, ensure transactional integrity
# Testing & Linting Workflows
testing: unit & integration tests with Jest, CI coverage > 80%
lint: run lint before every commit; automated formatting with Prettier
# Prohibited Actions and Anti-patterns
doNot: [
"Store secrets in source code",
"Trust client-side validation for security",
"Accept unvalidated file uploads without virus scanning",
"Build dynamic SQL without sanitization",
"Skip access control on APIs"
]
# Cursor constraints
guidelines:
- "All operations must be scoped to a project to enforce data isolation"
- "Audit trails recorded for budgets, schedules, contractors, documents, and site reports"
- "Document uploads are stored as references; do not insert file binaries into DB unless necessary"
- "Scheduling computations must be deterministic and testable"
Overview
Direct answer: This Cursor rules template configures Cursor AI to produce, validate, and audit code for a construction project management platform with budgets, schedules, contractors, documents, and site reports. It targets a Node.js/Express backend, PostgreSQL data layer, and a React frontend with secure APIs.
Scope: A production-ready Cursor Rules Template that covers budgeting workflows, scheduling calculations, contractor management, document handling, and site reporting, with auditable actions and role-based access controls baked into the AI guidance.
When to Use These Cursor Rules
- Starting a new construction PM application with integrated budgets and schedules.
- Guiding AI-generated data models for budgets, tasks, approvals, and site reports.
- Enforcing security, audit trails, and RBAC across API layers and UI components.
- Automating validation, testing, and deployment workflows for a multi-module project.
Recommended Project Structure
project-root/
  src/
    api/
      budgets/
        controllers/
        services/
        models/
      schedules/
        controllers/
        services/
        models/
      contractors/
        controllers/
        services/
        models/
      documents/
        controllers/
        services/
        models/
      siteReports/
        controllers/
        services/
        models/
    middleware/
    config/
  migrations/
  tests/
  public/
  scripts/
  docs/
Core Engineering Principles
- Clear domain boundaries: budgets, schedules, contractors, documents, and site reports have explicit models and services.
- Security by design: RBAC, least privilege, and audited actions for every API path.
- Deterministic business logic: scheduling and budgeting calculations are deterministic and fully testable.
- Test-driven, CI-friendly: unit and integration tests run in CI for every change.
- Auditable AI: Cursor AI outputs include traceable reasoning samples and validation checks.
Code Construction Rules
- Use TypeScript with strictNullChecks; define domain types for budgets, schedules, contracts, documents, and site reports.
- All API responses must be validated against schema definitions; never return raw database rows to clients.
- Encapsulate data access behind repository/services layers; avoid leaking ORM/DB specifics to higher layers.
- Implement per-project scoping for all queries; enforce access controls at the service layer.
- Files and documents stored as references; store metadata in DB and keep binaries in secure storage.
- Respect idempotency for upserts on budgets, schedules, and contracts to support retries.
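A sketch of the per-project scoping, parameterized-query and "no raw rows" rules above, added here as an illustration and not part of the template itself. The role names, the `projects` claim shape, and the `budget_items` table and its columns are assumptions made for the example; the returned `{ text, values }` pair is what node-postgres `query(text, values)` accepts.

```javascript
// Constructed role model for this example: role -> permitted actions.
const PERMISSIONS = {
  viewer: ['budget:read'],
  manager: ['budget:read', 'budget:write'],
};

// Identifiers cannot be bound as $n parameters, so sortable columns are allowlisted.
const SORTABLE = { name: 'name', amount: 'amount_cents', updated: 'updated_at' };

/**
 * Deny unless the verified token claims grant `action` on `projectId`.
 * @param {{sub: string, projects?: Record<string, string>}} claims (assumed shape)
 */
function authorize(claims, projectId, action) {
  const projects = claims.projects ?? {};
  const role = Object.hasOwn(projects, projectId) ? projects[projectId] : undefined;
  const allowed = Object.hasOwn(PERMISSIONS, role ?? '') ? PERMISSIONS[role] : [];
  if (!allowed.includes(action)) {
    throw Object.assign(new Error('forbidden'), { status: 403 });
  }
}

/**
 * Build the { text, values } pair for a project-scoped listing.
 * The project_id predicate is added here, not by the caller, so it cannot be omitted.
 */
function listBudgetItemsQuery(claims, projectId, opts = {}) {
  authorize(claims, projectId, 'budget:read');
  const values = [projectId];
  let text = 'SELECT id, name, amount_cents FROM budget_items WHERE project_id = $1';
  if (opts.minAmountCents !== undefined) {
    if (!Number.isSafeInteger(opts.minAmountCents)) throw new TypeError('minAmountCents');
    values.push(opts.minAmountCents);
    text += ` AND amount_cents >= $${values.length}`;
  }
  const sort = opts.sort ?? 'name';
  if (!Object.hasOwn(SORTABLE, sort)) throw new TypeError('sort');
  text += ` ORDER BY ${SORTABLE[sort]} ${opts.desc === true ? 'DESC' : 'ASC'}`;
  // Clamp the page size to 1..200 (default 50) and bind it as a parameter.
  values.push(Math.min(Math.max(Number.parseInt(opts.limit, 10) || 50, 1), 200));
  text += ` LIMIT $${values.length}`;
  return { text, values };
}

/** Map a row to the response shape so raw rows never leave the service. */
const toBudgetItemDto = (row) => ({ id: row.id, name: row.name, amountCents: Number(row.amount_cents) });
```

The only string interpolated into the SQL text comes from the `SORTABLE` allowlist or the fixed `ASC`/`DESC` pair; every caller-supplied value travels in `values`.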
Security and Production Rules
- Rotate JWT signing keys regularly; implement short-lived tokens with refresh tokens.
- Enable TLS for all endpoints; enforce HSTS and secure headers.
- Validate all user inputs; use parameterized queries; avoid concatenated SQL.
- Audit log every create/update/delete action on critical domain entities.
- Limit file uploads by type, size, and scan for malware before storage.
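The RS256, key-rotation and short-lived-token rules above, shown as an added example using only Node's built-in `crypto` module (not code from the template). The `kid` values, the 900-second lifetime cap and the `mintToken` helper are assumptions for the illustration; a production service would normally delegate this to a maintained JWT library.

```javascript
const crypto = require('node:crypto');

// Constructed key set: RSA pairs keyed by `kid`, standing in for a rotating JWKS.
const KEYS = new Map(['2024-q1', '2024-q2'].map((kid) =>
  [kid, crypto.generateKeyPairSync('rsa', { modulusLength: 2048 })]));

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

/** Helper for this example only: mint a token as the auth service would. */
function mintToken(kid, claims, header = { alg: 'RS256', typ: 'JWT', kid }) {
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), KEYS.get(kid).privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

/**
 * Verify a token: RS256 only, known kid, valid signature, unexpired, short-lived.
 * @param {string} token
 * @param {number} now seconds since epoch
 * @param {number} maxTtl longest accepted exp - iat, in seconds (assumed 15 minutes)
 */
function verifyToken(token, now = Math.floor(Date.now() / 1000), maxTtl = 900) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = dec(h);
  // Pin the algorithm: never let the token's own header choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('algorithm not allowed');
  // Rotation: a key removed from the set immediately invalidates its tokens.
  const key = KEYS.get(header.kid);
  if (!key) throw new Error('unknown or retired kid');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key.publicKey,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = dec(p);
  if (!Number.isInteger(claims.exp) || !Number.isInteger(claims.iat)) throw new Error('missing iat/exp');
  if (claims.exp <= now) throw new Error('token expired');
  if (claims.exp - claims.iat > maxTtl) throw new Error('lifetime too long');
  return claims;
}
```

Claims are parsed only after the signature check passes, so nothing in an unverified payload influences the decision.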
Testing Checklist
- Unit tests for all domain services (budgets, schedules, contractors, documents, siteReports).
- Integration tests validating API endpoints, auth, and RBAC rules.
- End-to-end tests covering common user journeys (create budget, schedule milestones, attach documents, generate site reports).
- CI checks include type-checking, linting, tests, and security lint.
- Performance tests for basic CRUD workflows under typical project sizes.
Common Mistakes to Avoid
- Assuming client-side validation is sufficient for security.
- Baking business logic into the UI layer instead of services.
- Overloading endpoints with large payloads; prefer streaming or pagination for documents.
- Skipping audit trails for updates to budgets or site reports.
- Using global state for project-critical data without proper isolation.
FAQ
What is the purpose of this Cursor Rules Template for a construction PM platform?
This Cursor Rules Template provides a concrete, stack-specific set of AI guidance rules to help Cursor AI generate, validate, and audit code for budgets, schedules, contractors, documents, and site reports. It is tailored for a Node.js/Express backend, PostgreSQL data layer, and a React frontend, with strong security and audit requirements.
How do I adapt the project structure to my repository?
Use the recommended project structure as a starting point and adjust module folders to fit your team's domain boundaries. Maintain consistent naming, ensure services are isolated per domain, and keep migrations and tests aligned with those domains to preserve modularity.
What security practices are enforced by these rules?
RBAC-based access, JWT with short-lived tokens, TLS, input validation, parameterized queries, and audit logging for all critical actions. File uploads are restricted by type and size, with malware scanning before storage.
How should I test AI-generated code against this template?
Write unit tests for domain services, integration tests for API endpoints, and end-to-end tests for typical user journeys. Ensure Cursor AI outputs are validated against the schema, and that generated code includes test coverage and audit logs.
Where can I extend this template for future modules?
Extend the stack by adding new domain modules under src/api (e.g., budgetsPlus, riskAssessment) and corresponding tests. Update the Cursor Rules Configuration with new constraints, data models, and validation rules while preserving existing audit trails and RBAC behavior.