Cursor Rules Template: FastAPI Procurement with Vendor Management
Cursor rules template for building a FastAPI-based procurement system with vendor management, budgets, purchase requests, and audit logs.
Target User
Backend engineers and platform teams building procurement systems
Use Cases
- Vendor onboarding and management
- Purchase requests workflow
- Budget planning and approvals
- Audit trails and compliance reporting
- Vendor payment integration
Overview
This Cursor rules template is crafted for a production-grade procurement workspace using the FastAPI stack with vendor management, purchase requests, budgets, and audit logs. It leverages Cursor AI to ensure consistent patterns, security, and maintainability in a backend focused on procurement workflows.
Cursor AI assists in enforcing architecture, coding standards, and governance as you build out procurement features such as vendor catalogs, approval routing, budget checks, and immutable audit trails.
When to Use These Cursor Rules
- When implementing a full procurement workflow with vendor data, purchase requests, and budget approvals.
- When you need auditable changes and immutable logs for regulatory compliance.
- When adopting a FastAPI + PostgreSQL + SQLAlchemy backend with a clean project structure.
- When you require a copyable .cursorrules configuration to drop into your project root and kick off development.
- When aiming for clear separation of concerns: models, services, controllers, and tests with proper authentication.
Copyable .cursorrules Configuration
Framework: FastAPI + PostgreSQL + SQLAlchemy
Language: Python 3.11
Stack: PostgreSQL, SQLAlchemy, Alembic, PyTest
Cursor AI role: Backend engineer for procurement platform
Context: Vendor management, purchase requests, budgets, audit logs
CodeStyle: PEP8, Black, isort, type hints
Architecture: src/app, models, api, services, repositories, tests
DirectoryRules:
- app/
- core/
- api/
- models/
- repositories/
- services/
- tests/
Migrations: migrations/
Authentication: OAuth2PasswordBearer with JWT, bcrypt for hashing
Security: TLS, httpOnly cookies for refresh tokens, CSRF protection
DatabaseORM: PostgreSQL, SQLAlchemy, declarative models, relationships, indexes
Testing: pytest, pytest-asyncio, coverage, pre-commit hooks
Prohibited: Do not use inline SQL without parameterization; Do not embed secrets in code
Recommended Project Structure
project/
  app/
    main.py
    api/
      v1/
        endpoints/
        dependencies/
    core/
      config.py
      security.py
    models/
      vendor.py
      procurement.py
    repositories/
    services/
  tests/
  migrations/
  alembic/
Core Engineering Principles
- Explicit contracts between services using typed models and clear interfaces.
- Single source of truth for vendors, purchases, budgets, and audit logs.
- Secure by default: authenticated access, least privilege roles, and encrypted tokens.
- Idempotent operations for approvals and status transitions in the workflow.
- Auditability with immutable histories and traceable changes.
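The idempotent-approval and immutable-audit principles above, shown as an added example that is not part of the template itself. It uses the standard-library sqlite3 module in place of PostgreSQL and SQLAlchemy so it runs offline; the table, column, and function names are assumptions.

```python
import sqlite3

# SQLite stands in for PostgreSQL so the example runs offline; names are assumptions.
SCHEMA = """
CREATE TABLE purchase_request (id INTEGER PRIMARY KEY, amount_cents INTEGER NOT NULL,
                               status TEXT NOT NULL DEFAULT 'pending');
CREATE TABLE audit_log (id INTEGER PRIMARY KEY AUTOINCREMENT, request_id INTEGER NOT NULL,
                        actor TEXT NOT NULL, action TEXT NOT NULL);
-- Append-only audit trail: UPDATE and DELETE are rejected by the database itself.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def approve(conn, request_id, actor):
    """Idempotent approval; True only for the call that changed state."""
    with conn:  # status change and audit row commit (or roll back) together
        cur = conn.execute(
            "UPDATE purchase_request SET status = 'approved' "
            "WHERE id = ? AND status = 'pending'", (request_id,))
        if cur.rowcount == 0:
            return False  # replayed or unknown request: no change, no extra audit row
        conn.execute(
            "INSERT INTO audit_log (request_id, actor, action) "
            "VALUES (?, ?, 'approved')", (request_id, actor))
        return True

def demo():
    conn = open_db()
    conn.execute("INSERT INTO purchase_request (id, amount_cents) VALUES (?, ?)",
                 (1, 500000))  # constructed sample request
    first, replay = approve(conn, 1, "alice"), approve(conn, 1, "alice")
    audit_rows = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    try:
        conn.execute("UPDATE audit_log SET actor = ?", ("someone-else",))
        edit_blocked = False
    except sqlite3.DatabaseError:
        edit_blocked = True
    return first, replay, audit_rows, edit_blocked

if __name__ == "__main__":
    print(demo())
```

The conditional `WHERE ... AND status = 'pending'` is what makes a replayed approval a no-op, and every value reaches the database as a bound parameter.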
Code Construction Rules
- Use SQLAlchemy ORM models with relationships for vendors, procurement requests, budgets, and audit logs.
- Route handlers must delegate to services; controllers stay thin and stateless.
- Validate all inputs with Pydantic models and enforce strict typing.
- Use Alembic for migrations; include seed data via migrations or fixtures.
- Follow a consistent naming scheme for modules and models; avoid circular imports.
- Do not bypass authentication or authorization checks on endpoints and service calls.
- Keep business logic out of routes and in dedicated service layers.
Security and Production Rules
- Use OAuth2 with JWT access tokens and short lifetimes; rotate keys securely.
- Hash passwords with a strong algorithm and never log sensitive credentials.
- Store secrets in environment variables or a dedicated vault; never in code.
- Enforce TLS, CSRF protection for browser-based clients, and secure cookie flags.
- Validate inputs at every boundary; implement rate limiting and IP allowlists as needed.
Testing Checklist
- Unit tests for services and models with deterministic fixtures.
- Integration tests for API endpoints using a TestClient with a test database.
- Database migrations tested against a fresh schema.
- Linting and type checking in CI (ruff/flake8, mypy if used).
- Security checks for input validation and authentication flows.
Common Mistakes to Avoid
- Mixing business logic into routes instead of services.
- Hard-coding secrets or credentials in code or migrations.
- Skipping migrations or relying on in-code schema changes.
- Neglecting audit logging or leaving it disabled in production.
- Using raw SQL without parameterization or proper ORM usage where possible.
FAQ
What is this Cursor rules template for the FastAPI procurement stack?
This template provides a ready-to-paste .cursorrules configuration and a detailed guide to implement a procurement system with vendor management, budget tracking, and audit logs using FastAPI, PostgreSQL, and SQLAlchemy. It helps you enforce architecture, security, testing, and governance with Cursor AI guidance.
Which stack is covered by this template?
The stack centers on FastAPI for the API layer, PostgreSQL for the database, and SQLAlchemy for ORM, complemented by Alembic for migrations and PyTest for testing. Cursor AI is used to shape architecture and coding standards for maintainability.
How do I customize vendors, budgets, and approvals?
Modify the SQLAlchemy models for Vendor, Budget, and PurchaseRequest in models/; adjust relationships and constraints; update service logic in services/ to reflect your business rules; regenerate routes in api/ with updated validation schemas.
What security considerations are essential?
Implement OAuth2 with JWT access tokens, enforce role-based access control, hash passwords, use TLS in production, keep refresh tokens in httpOnly cookies, and validate all inputs to prevent injection and misconfiguration.
How do I validate and test the workflow?
Write unit tests for services, integration tests for endpoints, and end-to-end tests for approval flows. Ensure migrations run cleanly and audit logs capture essential events like approvals, rejections, and budget changes.