Cursor Rules Template for Fitness Trainer SaaS
Cursor Rules Template for building a fitness trainer SaaS with client plans, workouts, check-ins, progress photos, and subscription billing. Includes a copyable .cursorrules block and stack-specific guidance.
Target User
Developers building a fitness trainer SaaS
Use Cases
- Backend API for plans, workouts, check-ins, and progress photos
- Subscription billing and plan management
- Admin dashboards for trainers
- Client-facing schedules and progress tracking
Overview
Cursor rules configuration for building a complete fitness trainer SaaS stack. This Cursor rules template targets a backend in TypeScript with a React frontend, PostgreSQL database, and subscription billing. It defines how Cursor AI should assist in architecture, coding standards, security, testing, and deployment for modules that manage client plans, workouts, check-ins, progress photos, and billing.
Direct answer: use this template to paste a copyable .cursorrules block and follow stack-specific guidelines that keep AI-assisted development safe, predictable, and maintainable.
When to Use These Cursor Rules
- Starting a new fitness trainer SaaS project with client plans, workouts, check-ins, and progress photos.
- Onboarding a Stripe-like subscription billing workflow and ensuring RBAC governance for admins, trainers, and clients.
- Enforcing architecture boundaries between backend services and frontend components while preserving data integrity.
- Preparing CI/CD pipelines that lint, type-check, and test backend and frontend code with predictable results.
Copyable .cursorrules Configuration
// Cursor Rules Template for Fitness Trainer SaaS
// Framework Role & Context
Role: Cursor AI assistant for a full stack fitness trainer SaaS using TypeScript backend and React frontend.
Context: You help implement modular domain driven design, robust security, and reliable tests while keeping the stack approachable and maintainable.
// Code Style and Style Guides
- Use strict TypeScript with explicit types and well named interfaces
- Enforce ESLint, Prettier, and a consistent commit style
- Prefer readable, annotated code with clear error handling
// Architecture & Directory Rules
- Backend: modules for auth, plans, workouts, checkins, progress, billing
- Frontend: component-driven, feature folder structure, TS across codebase
- Data layer: clear boundaries between services and repositories, define DTOs
// Authentication & Security Rules
- Use OAuth 2.0 / OIDC where possible; store tokens securely; rotate refresh tokens
- Implement RBAC with roles: admin, trainer, client; enforce in API layer
- Validate all inputs server-side; sanitize outputs; enforce CORS and CSP
// Database and ORM patterns
- PostgreSQL as primary datastore; migrations for schema changes
- Use parameterized queries; avoid dynamic SQL; index critical queries
- Store progress photos as URLs with metadata rather than binary blobs
// Testing & Linting Workflows
- Unit tests for domain logic; integration tests for API endpoints
- E2E tests for critical user journeys (plans, workouts, check-ins, billing)
- Pre-commit hooks for linting; CI checks for tests and type safety
// Prohibited Actions and Anti-patterns for the AI
- Do not bypass authentication checks; do not depend on client side for authorization decisions
- Do not hardcode secrets or credentials in code or prompts
- Do not assume the presence of non-deterministic data; guard against race conditions
Recommended Project Structure
fitness-trainer-saas/
├── backend/
│   ├── src/
│   │   ├── api/              # API layer scaffolding
│   │   │   └── v1/           # versioned routes
│   │   │       └── index.ts
│   │   ├── modules/          # domain modules
│   │   │   ├── auth/
│   │   │   ├── plans/
│   │   │   ├── workouts/
│   │   │   ├── checkins/
│   │   │   ├── progress/
│   │   │   └── billing/
│   │   ├── config/
│   │   ├── database/
│   │   └── tests/
│   └── migrations/
├── frontend/
│   ├── src/
│   │   ├── components/
│   │   ├── pages/
│   │   └── hooks/
│   └── public/
└── shared/
    ├── lib/
    └── utilities/
Core Engineering Principles
- Explicit, typed APIs and data contracts across backend and frontend
- Security by default with RBAC, proper token handling, and input validation
- Deterministic builds, strong CI checks, and test-driven development for critical paths
- Modular domain boundaries and clearly defined data models for plans, workouts, check-ins, and billing
- Safe AI-assisted development with Cursor rules guiding generation and validation
Code Construction Rules
- Endpoints for plans, workouts, check-ins, and billing must follow RESTful conventions under /api/v1
- Models must map to database tables with explicit migrations and seeding scripts
- All business rules validated server-side; avoid duplicating logic in UI
- Images for progress photos stored as accessible URLs with validation and size checks
- Tests cover core domain logic and integration points; mocks for external services
- Do not bypass auth or expose sensitive routes without proper authorization
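The RBAC and authorization rules above, sketched as an added example that is not part of the template itself: a deny-by-default check that combines role with record ownership, so a valid role alone never grants access to another user's data. The permission matrix and the names Principal, Target, can and guard are assumptions made for illustration.

```typescript
// Added example (not from the template): deny-by-default authorization for the
// admin / trainer / client roles. The permission matrix is an assumed policy.
type Role = "admin" | "trainer" | "client";
type Action = "read" | "write";
type Resource = "plan" | "workout" | "checkin" | "photo" | "subscription";

// Built from the verified session or token, never from request parameters.
interface Principal { userId: string; role: Role }
// Ownership facts loaded server-side for the record being accessed.
interface Target { resource: Resource; clientId: string; trainerId: string }

const WRITABLE: Record<Role, Resource[]> = {
  admin: ["plan", "workout", "checkin", "photo", "subscription"],
  trainer: ["plan", "workout"],
  client: ["checkin", "photo", "subscription"],
};

function ownsTarget(p: Principal, t: Target): boolean {
  if (p.role === "admin") return true;
  // A trainer is scoped to assigned clients, a client to their own records.
  return p.role === "trainer" ? t.trainerId === p.userId : t.clientId === p.userId;
}

function can(p: Principal, action: Action, t: Target): boolean {
  const writable = WRITABLE[p.role];
  if (!writable) return false; // role value outside the known set: deny
  if (!ownsTarget(p, t)) return false;
  // Assumed policy: trainers never see billing data for their clients.
  if (p.role === "trainer" && t.resource === "subscription") return false;
  return action === "read" || writable.indexOf(t.resource) !== -1;
}

// HTTP status an API-layer guard would return before calling the service.
function guard(p: Principal | null, action: Action, t: Target): 200 | 401 | 403 {
  if (p === null) return 401;
  return can(p, action, t) ? 200 : 403;
}
```
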
Security and Production Rules
- Use TLS in production and secure cookies; enforce secure headers
- JWTs signed with RS256; rotate keys; implement token revocation
- Implement rate limiting and input sanitization to prevent abuse
- Store secrets in environment variables and secret managers; avoid hardcoding
- Audit logs for subscription events, admin actions, and data changes
Testing Checklist
- Unit tests for all domain modules (auth, plans, workouts, checkins, progress, billing)
- Integration tests for API endpoints and data layer interactions
- End-to-end tests for user journeys: sign up, plan purchase, schedule workouts, record check-ins
- Lint, type checks, and CI/CD pipeline checks on push and PRs
Common Mistakes to Avoid
- Skipping server-side validation or trusting client-side checks alone
- Mixing business logic into route handlers rather than services or domain modules
- Ignoring image storage security and hotlink protection for progress photos
- Weak RBAC or overly permissive access controls
- Hardcoding secrets or credentials in code or prompts
Related Cursor rules templates
Explore adjacent Cursor rules templates for similar stacks, workflows, and production constraints.
- Cursor Rules Template: Django Subscription Box Platform
- Cursor Rules Template: Django Payroll Dashboard with Timesheets, Deductions, Approvals and Exportable Reports
- Cursor Rules Template: Waste Management Operations Dashboard
- Cursor Rules Template: Python FastAPI API Monitoring
FAQ
What is a Cursor rules template in this context?
A Cursor rules template provides a ready-to-paste .cursorrules block plus stack-specific guidance for a fitness trainer SaaS. It defines roles, architecture, security, testing, and anti-patterns to help developers implement a reliable, AI-assisted workflow with Cursor AI.
Which stack does this template target?
This template targets a full stack with a TypeScript backend, React frontend, PostgreSQL database, and a subscription billing workflow. It emphasizes RBAC, secure authentication, and maintainable module boundaries for plans, workouts, check-ins, and progress photos.
How do I customize the rules for billing and subscriptions?
Customize the Cursor rules to enforce validation of plan IDs, pricing tiers, and subscription state changes. Ensure billing events update user plans, trigger webhook handlers, and propagate status to the frontend. Guard sensitive billing operations behind strict authorization checks.
Can this template support multi-tenant usage?
Yes. The rules template can be extended to support multi-tenant data isolation by scoping data to tenant IDs, enforcing row level security, and partitioning critical tables. Document tenant resolution in the config and ensure auditability of cross-tenant actions.
How should progress photos be stored and accessed?
Store progress photos as externally hosted URLs with accessible metadata. Validate image dimensions and MIME types at upload, apply access controls, and avoid exposing raw binaries. Use a CDN for efficient delivery and caching.
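An added example of the upload checks described for progress photos (not part of the template): it identifies PNG or JPEG from magic bytes instead of trusting the declared MIME type, then reads the dimensions from the file header and rejects anything it cannot parse. The size limits and function names are assumptions.

```typescript
// Added example (not from the template): decide a progress photo's type and
// size from its bytes. Limits and names below are assumptions.
type PhotoCheck =
  | { ok: true; mime: "image/png" | "image/jpeg"; width: number; height: number }
  | { ok: false; reason: string };

const MAX_BYTES = 5 * 1024 * 1024; // assumed upload cap
const MAX_SIDE = 4096; // assumed per-side pixel cap
const PNG_SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];

function hasPrefix(buf: Uint8Array, sig: number[], at = 0): boolean {
  return buf.length >= at + sig.length && sig.every((b, i) => buf[at + i] === b);
}

function pngSize(buf: Uint8Array, v: DataView): [number, number] | null {
  // First chunk must be IHDR: length(4) "IHDR"(4) width(4) height(4).
  if (buf.length < 24 || !hasPrefix(buf, [0x49, 0x48, 0x44, 0x52], 12)) return null;
  return [v.getUint32(16), v.getUint32(20)];
}

function jpegSize(buf: Uint8Array, v: DataView): [number, number] | null {
  let off = 2; // skip SOI (FF D8)
  while (off + 9 <= buf.length && v.getUint8(off) === 0xff) {
    const marker = v.getUint8(off + 1);
    const len = v.getUint16(off + 2);
    // SOF0..SOF15 hold the frame size; C4, C8 and CC are not frame headers.
    const sof = marker >= 0xc0 && marker <= 0xcf &&
      marker !== 0xc4 && marker !== 0xc8 && marker !== 0xcc;
    if (sof) return [v.getUint16(off + 7), v.getUint16(off + 5)]; // [w, h]
    if (len < 2) return null; // malformed segment length
    off += 2 + len;
  }
  return null; // no frame header found: fail closed
}

function checkPhoto(buf: Uint8Array, declaredMime: string): PhotoCheck {
  if (buf.length === 0 || buf.length > MAX_BYTES) return { ok: false, reason: "size" };
  const isPng = hasPrefix(buf, PNG_SIG);
  if (!isPng && !hasPrefix(buf, [0xff, 0xd8, 0xff])) return { ok: false, reason: "unsupported-type" };
  const mime = isPng ? "image/png" : "image/jpeg";
  // The client-declared Content-Type must agree with what the bytes say.
  if (mime !== declaredMime) return { ok: false, reason: "mime-mismatch" };
  const v = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const dims = isPng ? pngSize(buf, v) : jpegSize(buf, v);
  if (!dims) return { ok: false, reason: "corrupt-header" };
  const [width, height] = dims;
  if (width < 1 || height < 1 || width > MAX_SIDE || height > MAX_SIDE) return { ok: false, reason: "dimensions" };
  return { ok: true, mime, width, height };
}
```
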