Cursor Rules TemplatesCursor Rules TemplateMay 27, 2026

Cursor Rules Template: Physiotherapy Treatment Progress Summary App

Cursor Rules Template for building physiotherapy treatment progress summary apps with Cursor AI integration.

cursor-rules-templatephysiotherapytreatment-progresscursor-aiclinicspostgresqlnextjstypescriptdata-privacyaudit-logs

Target User

Developers building physiotherapy clinic treatment progress summary apps using Cursor AI

Use Cases

Building patient progress dashboards
Auto-generated progress notes
Clinician-friendly summaries from structured data
Data validation and privacy controls

Markdown Template

Cursor Rules Template: Physiotherapy Treatment Progress Summary App

Overview


Cursor rules configuration for building a physiotherapy treatment progress summary app with Cursor AI. This template targets a Next.js + TypeScript frontend, a Node.js API, and a PostgreSQL database, providing policy-driven guidance for data models, privacy, authentication, and clinician-focused summaries in a clinical workflow.


Direct summary: This Cursor Rules Template encodes stack-specific rules for architecture, security, and data handling so AI-assisted development remains safe and auditable in a physiotherapy clinic context.



When to Use These Cursor Rules



  - When building patient progress dashboards that clinicians can read during sessions.

  - When auto-generating progress notes from structured session data with enforced privacy constraints.

  - When you need RBAC checks to restrict access to PII and clinical data.

  - When aiming for auditable data flows and reproducible builds in healthcare software.



Copyable .cursorrules Configuration


Framework: Next.js + TypeScript
Context: You are a software engineer building a physiotherapy treatment progress summary app. The app stores patient data in PostgreSQL with tables patients, sessions, progress_entries. You must ensure privacy, audit logs, and clinician workflows. Cursor AI should enforce stack-specific rules while assisting engineering tasks.
Role: Developer Assistant for Cursor AI in a physiotherapy clinic stack
CodeStyle: TypeScript strict, ESLint + Prettier, commit message guidelines
Architecture: Monorepo with apps/web (Next.js UI), apps/api (Node.js API), libs/db (PostgreSQL access), libs/auth (OAuth/JWT utilities), libs/ui (shared components)
Authentication: JWT-based sessions; OAuth2 for clinicians or clinic staff
Database & ORM patterns: PostgreSQL with normalized schema; use foreign keys; avoid storing PII in logs; use prepared statements
Testing & Linting Workflows: Jest for unit tests, Playwright for end-to-end tests; GitHub Actions CI with lint/test steps
Prohibited Actions and Anti-patterns: Do not bypass auth; Do not log PII; Do not call external APIs with patient data without consent; Do not store raw patient data in production logs; Do not use client-side data as the sole source of truth
Anti-patterns: Avoid client-only data fetching for protected data; Avoid dynamic SQL without parameterization
Notes: Cursor tokens should not generate or reveal clinical diagnoses without clinician confirmation.

Recommended Project Structure


apps/
  web/       # Next.js frontend for physiotherapy clinics
  api/       # Node.js API backend for clinical data and auth
libs/
  db/        # PostgreSQL data access and query helpers
  auth/      # JWT/OAuth utilities and middleware
  ui/        # Shared UI components and forms
scripts/
tests/

Core Engineering Principles



  - Data privacy by design: restrict access to PII and audit data.

  - Strong typing and explicit contracts across API surfaces and data models.

  - Defense in depth: layered authentication, authorization, and input validation.

  - Observability: structured logging with redaction and end-to-end testing.

  - Deterministic builds and reproducible deployments via a monorepo structure.

  - Safe AI-assisted development: guardrails, validation, and audit trails for AI outputs.



Code Construction Rules



  - Use TypeScript types for all request/response shapes and DTOs.

  - All database writes must occur inside a transaction with error handling.

  - Use parameterized queries to prevent SQL injection and enforce schema boundaries.

  - Model patient progress with clear tables: patients, sessions, progress_entries, with proper FK relationships.

  - Endpoints enforce RBAC by role (clinician, admin, support) before data access.

  - Logs must redact PII and rely on IDs, not raw patient data, for traceability.

  - Environment-specific configuration via secrets manager; never hard-code credentials.

  - Testing: unit tests for domain logic, integration tests for DB access, and E2E tests for clinician workflows.

  - Do not embed private keys, tokens, or credentials in code or the .cursorrules block.



Security and Production Rules



  - Transport: TLS everywhere; enforce secure cookies and CSRF protection where applicable.

  - Auth: short-lived access tokens, refresh tokens, and periodic rotation; protect API routes with RBAC.

  - Data protection: encrypt sensitive data at rest; minimize exposure of PII in logs and UI.

  - Observability: centralized logging with redaction and audit trails for data access events.

  - Deployment: feature flags for safe rollout, immutable builds, and blue/green deployments.

  - Secrets: store in a dedicated secrets manager; never commit secrets to VCS.



Testing Checklist



  - Unit tests for domain rules and data validation.

  - Integration tests for API endpoints and DB transactions.

  - End-to-end tests simulating clinician workflows with Playwright.

  - Static analysis and type checks in CI; linting with Prettier.

  - Security tests for auth, RBAC, and data redaction in logs.

  - Performance checks on common queries for patient progress data.



Common Mistakes to Avoid



  - Assuming client-side code is enough for protecting patient data.

  - Storing raw PII in logs or analysis outputs.

  - Skipping authorization checks on API endpoints.

  - Hard-coding secrets or connecting to external services without consent.

  - Over-fetching patient data or bypassing pagination and filtering.



Related implementation resources: AI Use Case for Medical Practices Using Outlook To Prioritize Urgent Patient Emails Over Routine Inquiries and Why authorization checks belong in AI coding instructions for production-grade systems.





FAQ


What is a Cursor Rules Template for physiotherapy apps?


A Cursor Rules Template is a copyable .cursorrules configuration that instructs Cursor AI on how to operate within a physiotherapy treatment progress summary app, including data models, privacy constraints, and integration patterns.


Which stack does this template cover?


It targets a Next.js + TypeScript frontend, a Node.js API, PostgreSQL database, and Cursor AI integration, with clear authentication, data models, and testing workflows.


How do I use the .cursorrules block?


Copy the provided block into a file named .cursorrules at your project root. Cursor AI reads the block to enforce stack-specific rules during content generation and coding tasks.


How does this template handle patient data privacy?


Rules enforce role-based access, data minimization, audit trails, and redaction patterns. The configuration prohibits exposing PII in logs or outputs and requires secure data handling.


Can I customize for other stacks?


Yes. Modify the Framework Context, Architecture rules, and database patterns in the header of the .cursorrules file to fit your stack while maintaining Cursor safety guidelines.

Overview

Cursor rules configuration for building a physiotherapy treatment progress summary app with Cursor AI. This template targets a Next.js + TypeScript frontend, a Node.js API, and a PostgreSQL database, providing policy-driven guidance for data models, privacy, authentication, and clinician-focused summaries in a clinical workflow.

Direct summary: This Cursor Rules Template encodes stack-specific rules for architecture, security, and data handling so AI-assisted development remains safe and auditable in a physiotherapy clinic context.

When to Use These Cursor Rules

When building patient progress dashboards that clinicians can read during sessions.
When auto-generating progress notes from structured session data with enforced privacy constraints.
When you need RBAC checks to restrict access to PII and clinical data.
When aiming for auditable data flows and reproducible builds in healthcare software.

Copyable .cursorrules Configuration

Framework: Next.js + TypeScript
Context: You are a software engineer building a physiotherapy treatment progress summary app. The app stores patient data in PostgreSQL with tables patients, sessions, progress_entries. You must ensure privacy, audit logs, and clinician workflows. Cursor AI should enforce stack-specific rules while assisting engineering tasks.
Role: Developer Assistant for Cursor AI in a physiotherapy clinic stack
CodeStyle: TypeScript strict, ESLint + Prettier, commit message guidelines
Architecture: Monorepo with apps/web (Next.js UI), apps/api (Node.js API), libs/db (PostgreSQL access), libs/auth (OAuth/JWT utilities), libs/ui (shared components)
Authentication: JWT-based sessions; OAuth2 for clinicians or clinic staff
Database & ORM patterns: PostgreSQL with normalized schema; use foreign keys; avoid storing PII in logs; use prepared statements
Testing & Linting Workflows: Jest for unit tests, Playwright for end-to-end tests; GitHub Actions CI with lint/test steps
Prohibited Actions and Anti-patterns: Do not bypass auth; Do not log PII; Do not call external APIs with patient data without consent; Do not store raw patient data in production logs; Do not use client-side data as the sole source of truth
Anti-patterns: Avoid client-only data fetching for protected data; Avoid dynamic SQL without parameterization
Notes: Cursor tokens should not generate or reveal clinical diagnoses without clinician confirmation.

Recommended Project Structure

apps/
  web/       # Next.js frontend for physiotherapy clinics
  api/       # Node.js API backend for clinical data and auth
libs/
  db/        # PostgreSQL data access and query helpers
  auth/      # JWT/OAuth utilities and middleware
  ui/        # Shared UI components and forms
scripts/
tests/

Core Engineering Principles

Data privacy by design: restrict access to PII and audit data.
Strong typing and explicit contracts across API surfaces and data models.
Defense in depth: layered authentication, authorization, and input validation.
Observability: structured logging with redaction and end-to-end testing.
Deterministic builds and reproducible deployments via a monorepo structure.
Safe AI-assisted development: guardrails, validation, and audit trails for AI outputs.

Code Construction Rules

Use TypeScript types for all request/response shapes and DTOs.
All database writes must occur inside a transaction with error handling.
Use parameterized queries to prevent SQL injection and enforce schema boundaries.
Model patient progress with clear tables: patients, sessions, progress_entries, with proper FK relationships.
Endpoints enforce RBAC by role (clinician, admin, support) before data access.
Logs must redact PII and rely on IDs, not raw patient data, for traceability.
Environment-specific configuration via secrets manager; never hard-code credentials.
Testing: unit tests for domain logic, integration tests for DB access, and E2E tests for clinician workflows.
Do not embed private keys, tokens, or credentials in code or the .cursorrules block.

Security and Production Rules

Transport: TLS everywhere; enforce secure cookies and CSRF protection where applicable.
Auth: short-lived access tokens, refresh tokens, and periodic rotation; protect API routes with RBAC.
Data protection: encrypt sensitive data at rest; minimize exposure of PII in logs and UI.
Observability: centralized logging with redaction and audit trails for data access events.
Deployment: feature flags for safe rollout, immutable builds, and blue/green deployments.
Secrets: store in a dedicated secrets manager; never commit secrets to VCS.

Testing Checklist

Unit tests for domain rules and data validation.
Integration tests for API endpoints and DB transactions.
End-to-end tests simulating clinician workflows with Playwright.
Static analysis and type checks in CI; linting with Prettier.
Security tests for auth, RBAC, and data redaction in logs.
Performance checks on common queries for patient progress data.

Common Mistakes to Avoid

Assuming client-side code is enough for protecting patient data.
Storing raw PII in logs or analysis outputs.
Skipping authorization checks on API endpoints.
Hard-coding secrets or connecting to external services without consent.
Over-fetching patient data or bypassing pagination and filtering.

FAQ

What is a Cursor Rules Template for physiotherapy apps?

A Cursor Rules Template is a copyable .cursorrules configuration that instructs Cursor AI on how to operate within a physiotherapy treatment progress summary app, including data models, privacy constraints, and integration patterns.

Which stack does this template cover?

It targets a Next.js + TypeScript frontend, a Node.js API, PostgreSQL database, and Cursor AI integration, with clear authentication, data models, and testing workflows.

How do I use the .cursorrules block?

Copy the provided block into a file named .cursorrules at your project root. Cursor AI reads the block to enforce stack-specific rules during content generation and coding tasks.

How does this template handle patient data privacy?

Rules enforce role-based access, data minimization, audit trails, and redaction patterns. The configuration prohibits exposing PII in logs or outputs and requires secure data handling.

Can I customize for other stacks?

Yes. Modify the Framework Context, Architecture rules, and database patterns in the header of the .cursorrules file to fit your stack while maintaining Cursor safety guidelines.