Construction Safety Cursor Rules Template for Cursor AI
Cursor Rules Template for a construction safety compliance app (checklists, incidents, audits, photos, reports) using Node.js/Express, PostgreSQL, TypeORM, and Cursor AI.
Target User
Developers building a construction safety compliance app with checklists, incidents, audits, photos, and reports
Use Cases
- Define a Cursor AI workflow for safety data validation
- Enforce stack-specific architecture and security patterns
- Generate structured safety reports and incident analyses
Markdown Template
.cursorrules
Framework Role & Context:
- Role: 'SafetyOps AI Assistant'
- Context: 'Construction safety compliance app: checklists, incidents, audits, photos, reports; stack: Node.js/Express, React, PostgreSQL, TypeORM, JWT, TLS'
Code Style and Style Guides:
- ESLint + Prettier
- TypeScript preferred
- Commit message conventions: conventionalcommits
Architecture & Directory Rules:
- src/api/controllers
- src/api/routes
- src/client/components
- src/client/pages
- src/models
- src/services
- migrations
- config
Authentication & Security Rules:
- JWT auth with short lifetimes; refresh tokens stored securely
- OAuth2 for admin onboarding
- CSRF protection enabled for browser clients
- TLS 1.3 in transit; rotate certificates
Database and ORM patterns:
- PostgreSQL as primary database
- TypeORM entities in src/models
- Migrations tracked in migrations/
- Soft deletes with deletedAt timestamp
Testing & Linting Workflows:
- Unit tests with Vitest
- Integration tests with supertest for API endpoints
- E2E tests with Cypress
- GitHub Actions CI for lint, test, build
- Pre-commit hooks for type checks
Prohibited Actions and Anti-patterns for the AI:
- Do not output real secrets or credentials
- Do not bypass server-side validation
- Do not perform privileged actions without explicit authorization
- Do not assume client-side validation suffices for security
Overview
The Cursor rules configuration is a declarative, copyable set of AI-driven rules to guide Cursor AI when building a construction safety compliance app. It covers the stack used to manage checklists, incidents, audits, photos, and reports: Node.js/Express backend, PostgreSQL database with TypeORM, and a React frontend. This Cursor Rules Template provides deterministic roles, security constraints, and directory patterns to ensure safe AI-assisted development.
When to Use These Cursor Rules
- Model field checklists and incident logs with photo attachments for construction sites.
- Apply a copyable rule set to drive AI-assisted validation and report generation.
- Enforce architecture and security patterns across backend, data layer, and UI.
Recommended Project Structure
construction-safety-app/
├── src/
│   ├── api/
│   │   ├── controllers/
│   │   └── routes/
│   ├── client/
│   │   ├── components/
│   │   └── pages/
│   ├── models/
│   ├── services/
│   ├── config/
│   └── index.ts
├── migrations/
├── tests/
└── scripts/
Core Engineering Principles
- Strong typing across server and client.
- Explicit data validation and sanitization at boundaries.
- Secure by default; least privilege for services.
- Clear separation of concerns between API, data layer, and UI.
- Test-driven guidance with measurable coverage and fast feedback.
Code Construction Rules
- Use TypeORM for PostgreSQL models; define entities in src/models with proper relations.
- Use DTOs and class-validator for input validation.
- Endpoints under src/api/routes must be exported from a central router.
- Frontend components in React with TypeScript; CSS-in-JS or Tailwind depending on project.
- Track all schema changes through migrations; never alter the production schema without a migration.
- Do not embed secrets in code; use environment variables and secret managers.
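The server-side boundary check that the DTO and input-validation rules above call for, written dependency-free as an added example (it is not part of the template; in the template's stack the same constraints would be class-validator decorators on a DTO). The field names, size and length limits, and the MIME allow-list are assumptions chosen for illustration.

```typescript
// Added example: server-side validation of an incident payload before it
// reaches a service or TypeORM. Field names and limits are assumptions.
type Severity = "low" | "medium" | "high" | "critical";
interface PhotoMeta { fileName: string; mimeType: string; sizeBytes: number }
interface IncidentDto { siteId: string; severity: Severity; description: string; photos: PhotoMeta[] }
type Result = { ok: true; value: IncidentDto } | { ok: false; errors: string[] };

const ALLOWED_KEYS = ["siteId", "severity", "description", "photos"];
const SEVERITIES = ["low", "medium", "high", "critical"];
const PHOTO_MIME = ["image/jpeg", "image/png"];
const MAX_PHOTO_BYTES = 10 * 1024 * 1024;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
// No slashes, dots or spaces in the stem, so the name cannot traverse directories.
const SAFE_NAME_RE = /^[A-Za-z0-9_-]{1,64}\.(jpe?g|png)$/i;

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

function validateIncident(body: unknown): Result {
  if (!isRecord(body)) return { ok: false, errors: ["body must be a JSON object"] };
  const errors: string[] = [];
  // Unknown keys are rejected, not ignored: a client must not be able to set
  // server-owned columns such as reporterId or deletedAt.
  for (const key of Object.keys(body)) {
    if (ALLOWED_KEYS.indexOf(key) === -1) errors.push("unexpected field: " + key);
  }
  const { siteId, severity, description, photos } = body;
  if (typeof siteId !== "string" || !UUID_RE.test(siteId)) errors.push("siteId must be a UUID");
  if (typeof severity !== "string" || SEVERITIES.indexOf(severity) === -1) errors.push("severity is not a known level");
  const text = typeof description === "string" ? description.trim() : "";
  if (text.length < 10 || text.length > 2000) errors.push("description must be 10-2000 characters");
  const list: unknown[] = Array.isArray(photos) ? photos : [];
  if (!Array.isArray(photos) || list.length > 10) errors.push("photos must be an array of at most 10 items");
  const clean: PhotoMeta[] = [];
  list.forEach((p, i) => {
    const at = "photos[" + i + "]";
    if (!isRecord(p)) { errors.push(at + " must be an object"); return; }
    const { fileName, mimeType, sizeBytes } = p;
    if (typeof fileName !== "string" || !SAFE_NAME_RE.test(fileName)) errors.push(at + ".fileName is not a safe name");
    else if (typeof mimeType !== "string" || PHOTO_MIME.indexOf(mimeType) === -1) errors.push(at + ".mimeType is not allowed");
    else if (typeof sizeBytes !== "number" || sizeBytes % 1 !== 0 || sizeBytes < 1 || sizeBytes > MAX_PHOTO_BYTES) errors.push(at + ".sizeBytes is out of range");
    else clean.push({ fileName, mimeType, sizeBytes });
  });
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { siteId: siteId as string, severity: severity as Severity, description: text, photos: clean } };
}
```

A controller would call `validateIncident(req.body)` and answer with HTTP 400 and the error list when `ok` is false, passing only `value` (never the raw body) on to the service layer.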
Security and Production Rules
- Enforce TLS 1.3; enable HSTS in production.
- JWTs with short-lived access tokens; rotate refresh tokens securely.
- Input validation and output encoding to prevent injection.
- Audit logs for actions that affect safety-critical features (checklists, incidents, audits).
Testing Checklist
- Unit tests for all services and utilities.
- Integration tests for API endpoints and database interactions.
- End-to-end tests for critical flows: create checklist, log incident, attach photo, generate report.
- CI checks: lint, typecheck, test, build, and security audit step.
Common Mistakes to Avoid
- Skipping server-side validation and relying on client validation.
- Storing sensitive data in client memory or logs.
- Over-sharing database credentials in code or logs.
- Ignoring migrations for schema changes in production.
FAQ
What is a Cursor Rules Template for construction safety?
A Cursor Rules Template defines a deterministic set of AI-guided rules to structure development for a construction safety compliance app. It codifies roles, architecture, and security expectations so that Cursor AI can reason about safety-critical features like checklists, incidents, audits, photos, and reports.
Which stack does this template target?
The template targets a Node.js/Express backend with PostgreSQL using TypeORM, a React frontend, and Cursor AI for rule-based guidance and data validation in a construction-safety context.
How do I paste this into a .cursorrules file?
Copy the entire block including the starting .cursorrules header and paste into your project root as .cursorrules, then run Cursor AI tools to validate and apply the rules to your codebase.
What security rules are enforced?
Tokens are short-lived, secrets are never committed, TLS is required in production, and API endpoints validate input, sanitize output, and log sensitive actions for incident auditing.
What should I include in the recommended project structure?
The structure separates API, client, models, services, migrations, and tests to maintain clear boundaries, ease migration, and support robust CI/CD pipelines for Cursor AI-assisted development.