
Cursor Rules Template: Policy Management with Versioning (Node.js, Express, PostgreSQL)

Copyable Cursor rules template for building a versioned policy management system with employee acknowledgements, training tracking, and compliance reports on a Node.js + Express + PostgreSQL stack using Cursor AI.

Tags: cursor-rules-template, cursor-rules, policy-management, versioning, employee-acknowledgement, training, compliance, nodejs, express, typescript, postgresql, typeorm, cursor ai

Target User

Backend engineers and platform teams building policy management systems

Use Cases

  • Versioned policy documents
  • Employee acknowledgements tied to policy versions
  • Training module delivery and tracking
  • Compliance reporting and auditing

Markdown Template

Cursor Rules Template: Policy Management with Versioning (Node.js, Express, PostgreSQL)

Framework: Node.js + Express + TypeScript
Runtime: Node.js 18.x or 20.x
Database: PostgreSQL with TypeORM
Authentication: JWT (RS256) with short-lived access tokens & refresh tokens; private signing key and public verification key loaded from configuration (process.env locally, secret manager in production), never committed
Role: PolicyPlatformBackend
Context: Build a policy management system with versioning, employee acknowledgements, training, and compliance reporting; ensure safe AI-assisted development with Cursor AI

Code Style & Style Guides
Style: ESLint + Prettier; TypeScript strict mode; noImplicitAny; prefer interfaces; conventional naming

Architecture & Directory Rules
Layers: controllers -> services -> repositories; Entities in persistence; DTOs in dto
Directories:
src/
  api/controllers
  api/routes
  api/dto
  services
  persistence/entities
  persistence/repositories
  persistence/migrations
  config
  middlewares
  tests
  logs

Authentication & Security Rules
Auth: JWT validated by middleware on every protected route (algorithm pinned to RS256, expiry enforced); bcrypt for password hashing where local passwords exist; cookies HttpOnly + Secure + SameSite; TLS in production; CSRF protection whenever tokens are carried in cookies
Authorization: role-based access to policies, versions, acknowledgements, training, and reports
Secrets: read from process.env; do not commit; rotate keys; use secret manager in prod

Database & ORM Patterns
ORM: TypeORM; schema changes only via migrations; versioning through a PolicyVersion entity (one Policy, many versions, a published version is never edited); soft delete for retired policies; content_hash for change detection
Projections: select only needed fields for endpoints; avoid N+1 patterns
Migrations: explicit, reviewed; test migrations in CI

Testing & Linting Workflows
Testing: Jest + Supertest; coverage > 80%
Linting: ESLint + Prettier; run on CI & pre-commit hooks
Migrations: run migrations in CI; verify rollback

Prohibited Actions & Anti-patterns for AI
Do not bypass authentication or authorization; do not build SQL by string concatenation (use parameterized queries or the ORM); do not store or log plaintext secrets; do not perform privileged actions without verifying the caller's role; do not change the schema outside migrations; never paste keys or other secrets into prompts

Overview

This Cursor rules configuration provides a ready-to-use pattern for building a policy management system with versioning, employee acknowledgements, training tracking, and compliance reporting, tailored for a Node.js + Express + TypeScript + PostgreSQL stack using Cursor AI. To use it, paste the rules block from the Markdown Template section above into a .cursorrules file in your project root.

On the Node/Express stack, these rules enable versioned policies, auditable acknowledgements, training progress, and automated compliance reporting. Use them as a starting point for rapid iteration while enforcing strong typing, ORM usage, and secure-by-default patterns.

When to Use These Cursor Rules

  • Rapid bootstrap of a versioned policy repository with public-facing API endpoints and admin tooling.
  • Enforcing employee acknowledgements tied to policy versions and training completion before access grants.
  • Generating and exporting compliance reports for audits with deterministic data hashes.
  • Maintaining a strict separation between domain logic and data persistence via TypeORM entities.

Recommended Project Structure

src/
  api/
    controllers/
    routes/
    dto/
  services/
  persistence/
    entities/
    repositories/
    migrations/
  config/
  middlewares/
  tests/
  utils/

Core Engineering Principles

  • Strong typing and explicit DTOs for all data transfer.
  • Strict separation of concerns across controllers, services, and repositories.
  • Deterministic policy versioning with content hashes and publish dates.
  • Auditable employee acknowledgements linked to policy versions.
  • Automated training tracking and clear compliance reporting.
  • Security first: proper auth, secrets management, and secure defaults.

Code Construction Rules

  • Use TypeORM entities for Policy, PolicyVersion, Employee, Acknowledgement, TrainingModule, EmployeeTraining, and ComplianceReport.
  • Enforce versioning on policies; never overwrite an active version without creating a new PolicyVersion row.
  • Store policy content as text with a content_hash field (SHA-256 of the content, computed server-side, never taken from the client); recompute and compare the hash on read and before publish to detect tampering or drift.
  • Endpoints must be protected by JWT middleware; implement RBAC for policy, training, and reports domains.
  • Use parameterized queries through TypeORM; avoid raw string concatenation for security.
  • Include migrations for every schema change and verify by CI in tests.
  • Write unit tests for services and integration tests for controllers; ensure deterministic tests for versioning behavior.
  • Keep API payloads lean; paginate large results; implement filtering by policy_version, status, and training completion.
  • Do not bypass environment-based config; never hard-code secrets in code or prompts.
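
The versioning and content-hash rules above, as an added example that is not part of the template or of any project's code. It uses an in-memory array in place of the TypeORM PolicyVersion repository so it runs offline; the entity fields, method names and the choice of SHA-256 for content_hash are assumptions for this example:

```typescript
import { createHash } from "crypto";

// Hypothetical in-memory stand-in for the PolicyVersion entity and its
// repository; the real service would use TypeORM repositories instead.
export interface PolicyVersion {
  policyId: string;
  versionNumber: number;
  content: string;
  contentHash: string;       // hex SHA-256 of content, always computed server-side
  publishedAt: Date | null;  // null while draft; a published row is never edited
}

export function contentHash(content: string): string {
  return createHash("sha256").update(content, "utf8").digest("hex");
}

export class PolicyVersionService {
  private readonly versions: PolicyVersion[] = [];

  private byPolicy(policyId: string, publishedOnly = false): PolicyVersion[] {
    return this.versions
      .filter((v) => v.policyId === policyId && (!publishedOnly || v.publishedAt !== null))
      .sort((a, b) => b.versionNumber - a.versionNumber);
  }

  /** Newest version, draft or published. */
  latest(policyId: string): PolicyVersion | undefined {
    return this.byPolicy(policyId)[0];
  }

  /** The version employees currently have to acknowledge. */
  currentPublished(policyId: string): PolicyVersion | undefined {
    return this.byPolicy(policyId, true)[0];
  }

  /**
   * Persist new content. A published version is never overwritten: if the
   * newest version is published, a new draft row is created. Saving content
   * whose hash equals the newest version's is a no-op, so the history is not
   * padded with identical versions.
   */
  saveContent(policyId: string, content: string): PolicyVersion {
    const hash = contentHash(content);
    const latest = this.latest(policyId);
    if (latest && latest.contentHash === hash) return latest;
    if (latest && latest.publishedAt === null) {
      latest.content = content;          // still a draft: editing in place is allowed
      latest.contentHash = hash;
      return latest;
    }
    const next: PolicyVersion = {
      policyId,
      versionNumber: latest ? latest.versionNumber + 1 : 1,
      content,
      contentHash: hash,
      publishedAt: null,
    };
    this.versions.push(next);
    return next;
  }

  /** Publishing freezes a version; re-publishing or publishing drifted content is refused. */
  publish(policyId: string, versionNumber: number, now: Date = new Date()): PolicyVersion {
    const v = this.versions.find((x) => x.policyId === policyId && x.versionNumber === versionNumber);
    if (!v) throw new Error("version not found");
    if (v.publishedAt !== null) throw new Error("version already published");
    if (!this.verify(v)) throw new Error("content hash mismatch");
    v.publishedAt = now;
    return v;
  }

  /** Read-side integrity check: catches out-of-band edits to stored content. */
  verify(v: PolicyVersion): boolean {
    return contentHash(v.content) === v.contentHash;
  }
}
```

With a real repository the same shape holds: `saveContent` becomes a transaction that reads the newest row `FOR UPDATE` before deciding between update and insert, and `publish` is the only place `publishedAt` is ever written.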

Security and Production Rules

  • Use HTTPS in production; set HSTS; disable verbose error details in prod.
  • JWTs: short-lived access tokens (minutes, not days) rotated via refresh tokens; carry them in the Authorization header or in HttpOnly, Secure, SameSite cookies with CSRF protection; never in localStorage or URLs.
  • Input validation: validate all inputs with schema validators; prevent injection attacks.
  • Audit logging: record policy version changes, acknowledgements, and training completions with timestamps and user IDs.
  • Secret management: centralize in vault/secrets manager; rotate keys periodically.
  • Backups: schedule regular backups of PostgreSQL; test restore procedures regularly.
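
An added example, not from the original template, of the JWT and RBAC rules in this section and in Code Construction Rules: RS256 issue/verify with Node's crypto module, algorithm pinning, expiry enforcement, and Express-style requireAuth/requireRole middleware. The Role names, the claim shape, the minimal Req/Res types used in place of Express's own, and the 15-minute default TTL are assumptions for this example:

```typescript
import { KeyObject, generateKeyPairSync, sign, verify } from "crypto";

// Role names and claim shape are assumptions for this example.
export type Role = "admin" | "policy_author" | "employee";
export interface Claims { sub: string; role: Role; iat: number; exp: number; }

const b64u = (b: Buffer): string => b.toString("base64url");
const fromB64u = (s: string): Buffer => Buffer.from(s, "base64url");
const nowSeconds = (): number => Math.floor(Date.now() / 1000);

/** Issue a short-lived RS256 access token (RSASSA-PKCS1-v1_5 with SHA-256). */
export function issueAccessToken(
  claims: Pick<Claims, "sub" | "role">,
  privateKey: KeyObject,
  ttlSeconds = 900,
  now = nowSeconds(),
): string {
  const header = b64u(Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })));
  const payload = b64u(Buffer.from(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds })));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${b64u(sign("sha256", Buffer.from(signingInput), privateKey))}`;
}

/** Verify signature, pinned algorithm and expiry; returns null on any failure. */
export function verifyAccessToken(token: string, publicKey: KeyObject, now = nowSeconds()): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    // Pin alg to RS256: never let the token choose the algorithm, otherwise
    // "none" or HS256-with-the-public-key confusion attacks apply.
    const header = JSON.parse(fromB64u(h).toString("utf8"));
    if (header.alg !== "RS256") return null;
    if (!verify("sha256", Buffer.from(`${h}.${p}`), publicKey, fromB64u(s))) return null;
    const claims = JSON.parse(fromB64u(p).toString("utf8")) as Claims;
    if (typeof claims.sub !== "string" || typeof claims.exp !== "number") return null;
    if (claims.exp <= now) return null;  // expired
    return claims;
  } catch {
    return null;  // malformed base64/JSON or a signature of the wrong length
  }
}

// Minimal request/response shapes so the middleware runs without Express;
// in the project these are Express's Request, Response and NextFunction.
export interface Req { headers: Record<string, string | undefined>; user?: Claims; }
export interface Res { statusCode: number; }
export type Next = () => void;

export function requireAuth(publicKey: KeyObject) {
  return (req: Req, res: Res, next: Next): void => {
    const [scheme, token] = (req.headers["authorization"] ?? "").split(" ");
    const claims = scheme === "Bearer" && token ? verifyAccessToken(token, publicKey) : null;
    if (!claims) { res.statusCode = 401; return; }
    req.user = claims;
    next();
  };
}

/** RBAC: runs after requireAuth; 403 when the caller's role is not allow-listed. */
export function requireRole(...allowed: Role[]) {
  return (req: Req, res: Res, next: Next): void => {
    if (!req.user || !allowed.includes(req.user.role)) { res.statusCode = 403; return; }
    next();
  };
}

/** Runs a middleware chain the way Express would, stopping at the first one that does not call next(). */
export function run(middlewares: Array<(req: Req, res: Res, next: Next) => void>, req: Req): Res {
  const res: Res = { statusCode: 200 };
  let i = 0;
  const next = (): void => { if (i < middlewares.length) middlewares[i++](req, res, next); };
  next();
  return res;
}

/** Keys for local development and tests only; production loads the signing key from the secret manager. */
export function devKeyPair(): { publicKey: KeyObject; privateKey: KeyObject } {
  return generateKeyPairSync("rsa", { modulusLength: 2048 });
}
```

Mount it as `router.get("/reports", requireAuth(publicKey), requireRole("admin"), handler)`; only the public key is needed on the verifying side, so API instances never hold the signing key.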

Testing Checklist

  • Unit tests for policy versioning logic and acknowledgement rules.
  • Integration tests for policy CRUD, versioning workflow, and acknowledgement events.
  • End-to-end-ish tests for common flows: publish policy, acknowledge, assign training, generate report.
  • CI checks for linting, type-checking, test coverage, and migrations.
  • Security tests: token validation, RBAC paths, input validation edge cases.

Common Mistakes to Avoid

  • Assuming a single policyVersion is sufficient; always create a new version instead of editing past versions.
  • Storing policy content without a hash/checksum, which forfeits change detection and integrity checks.
  • Omitting training progress tracking; failing to link training to policy versions.
  • Neglecting audit logs for version changes and acknowledgements.
  • Hard-coding secrets or endpoints in code, or failing to override them for the production deployment.

FAQ

What is the purpose of this Cursor Rules Template?

This template provides a structured, copyable Cursor rules block and stack-specific guidance to implement a versioned policy management system with employee acknowledgements, training modules, and compliance reporting using Node.js + Express + PostgreSQL with Cursor AI.

Which stack does this template target?

The instructions are tailored for a Node.js + Express + TypeScript backend with PostgreSQL using TypeORM, focusing on policy versioning, acknowledgements, and training reporting. Cursor AI helps enforce architectural decisions and security constraints.

How do I version policies and track employee acknowledgements?

Policies have a one-to-many relationship with PolicyVersion entries. Each version is immutable once published. Acknowledgements reference a PolicyVersion and include employee_id and acknowledged_at. Training progress links to a PolicyVersion and TrainingModule.

How can I extend this for compliance reports?

Design a ComplianceReport entity that aggregates policy versions, acknowledgement statuses, and training completion across employees. Expose endpoints to generate aggregated metrics, exportable PDFs/CSV, and scheduled report generation.
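
An added example, not part of the page's template, of the acknowledgement rule from the previous answer (only an acknowledgement of the current published version counts) and the aggregation this answer describes, with a deterministic report hash suitable for audit export. The record shapes, status names and sample data are constructed assumptions for this example; PDF/CSV rendering and scheduling are out of scope:

```typescript
import { createHash } from "crypto";

// Record shapes are assumptions for this example; in the project they map to the
// PolicyVersion, Acknowledgement and EmployeeTraining entities.
export interface CurrentVersion { policyId: string; versionNumber: number; requiredTraining: string[]; }
export interface Acknowledgement { employeeId: string; policyId: string; versionNumber: number; acknowledgedAt: string; }
export interface TrainingCompletion { employeeId: string; moduleId: string; completedAt: string; }

export type Status = "compliant" | "not_acknowledged" | "acknowledged_outdated_version" | "training_incomplete";
export interface Row { employeeId: string; policyId: string; versionNumber: number; status: Status; }

/** Compliance is judged per (employee, current published version); acknowledgements of older versions never carry over. */
export function statusFor(employeeId: string, cur: CurrentVersion, acks: Acknowledgement[], done: TrainingCompletion[]): Status {
  const mine = acks.filter((a) => a.employeeId === employeeId && a.policyId === cur.policyId);
  if (mine.length === 0) return "not_acknowledged";
  if (!mine.some((a) => a.versionNumber === cur.versionNumber)) return "acknowledged_outdated_version";
  const completed = new Set(done.filter((t) => t.employeeId === employeeId).map((t) => t.moduleId));
  if (!cur.requiredTraining.every((m) => completed.has(m))) return "training_incomplete";
  return "compliant";
}

export interface Report { rows: Row[]; summary: Record<Status, number>; reportHash: string; }

/** Rows are emitted in a fixed order so the report hash is reproducible for auditors. */
export function buildReport(employeeIds: string[], current: CurrentVersion[], acks: Acknowledgement[], done: TrainingCompletion[]): Report {
  const rows: Row[] = [];
  for (const employeeId of [...employeeIds].sort()) {
    for (const cur of [...current].sort((a, b) => a.policyId.localeCompare(b.policyId))) {
      rows.push({ employeeId, policyId: cur.policyId, versionNumber: cur.versionNumber, status: statusFor(employeeId, cur, acks, done) });
    }
  }
  const summary: Record<Status, number> = { compliant: 0, not_acknowledged: 0, acknowledged_outdated_version: 0, training_incomplete: 0 };
  for (const r of rows) summary[r.status] += 1;
  const reportHash = createHash("sha256").update(JSON.stringify(rows)).digest("hex");
  return { rows, summary, reportHash };
}

/** Constructed sample data: two policies, three employees. */
export function sampleReport(): Report {
  const current: CurrentVersion[] = [
    { policyId: "acceptable-use", versionNumber: 3, requiredTraining: ["sec-awareness-2024"] },
    { policyId: "data-handling", versionNumber: 1, requiredTraining: [] },
  ];
  const acks: Acknowledgement[] = [
    { employeeId: "e1", policyId: "acceptable-use", versionNumber: 3, acknowledgedAt: "2024-05-02T09:00:00Z" },
    { employeeId: "e1", policyId: "data-handling", versionNumber: 1, acknowledgedAt: "2024-05-02T09:01:00Z" },
    { employeeId: "e2", policyId: "acceptable-use", versionNumber: 2, acknowledgedAt: "2024-01-15T10:00:00Z" }, // stale: v3 is current
    { employeeId: "e3", policyId: "acceptable-use", versionNumber: 3, acknowledgedAt: "2024-05-03T08:00:00Z" },
  ];
  const done: TrainingCompletion[] = [
    { employeeId: "e1", moduleId: "sec-awareness-2024", completedAt: "2024-04-20T12:00:00Z" },
  ];
  return buildReport(["e3", "e1", "e2"], current, acks, done);
}
```

Store `reportHash` alongside the exported file so an auditor can regenerate the report from the same snapshot and confirm nothing was altered after export.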

How should I run and verify tests?

Run unit tests for services, integration tests for controllers, and migrations in CI. Enforce coverage thresholds, run type checks, and ensure migrations apply cleanly in a disposable test database.