Cursor Rules Template: Salon Booking System with Staff Calendars, Services, Packages, Memberships, and Payments
Copyable .cursorrules configuration page for Cursor AI to configure a salon and spa booking system with staff calendars, services, packages, memberships, and payments.
Target User
Developers building a salon and spa booking system
Use Cases
- Staff scheduling
- Service catalog management
- Package and membership handling
- Payment processing
- Customer portal flows
- Reporting and analytics
Overview
This Cursor rules configuration provides a complete, copyable .cursorrules template for building a salon and spa booking system with staff calendars, services, packages, memberships, and payments. It targets a Node.js/Express backend with PostgreSQL, Stripe payments, and JWT-based authentication, designed for Cursor AI-assisted development.
When to Use These Cursor Rules
- Kick off a production-ready salon booking API with calendars per staff member.
- Model services, service bundles, and membership plans for streamlined bookings.
- Integrate payments (Stripe) and webhooks with secure handling.
- Ensure testable, auditable flows from booking to payment capture.
- Define clear directory structure and safety rules for AI-assisted code generation.
Copyable .cursorrules Configuration
Framework Role & Context:
- You are a backend Node.js/Express API for a salon and spa booking system with staff calendars, services catalog, packages, memberships, and Stripe payments. Multi-tenant and role-based access are considered.
Code Style and Style Guides:
- Use ES2020+ syntax, ESLint with the Airbnb style, Prettier for formatting, and JSDoc annotations for public APIs.
Architecture & Directory Rules:
- Project root: /src; API routes under /src/routes; controllers under /src/controllers; services under /src/services; models under /src/models; db migrations under /db/migrations; config under /config; tests under /tests.
Authentication & Security Rules:
- JWTs in HttpOnly cookies, rotating refresh tokens, TLS in production, input validation, parameterized queries, and Stripe webhook signature validation.
Database and ORM patterns:
- PostgreSQL with Knex.js for queries; use transactions for multi-step writes; define FK constraints and indexes for frequent lookups; prevent N+1 queries with eager loading patterns.
Testing & Linting Workflows:
- Jest for unit tests; Supertest for integration tests; ESLint + Prettier; GitHub Actions CI with tests, lint, and type checks; require 80%+ test coverage.
Prohibited Actions and Anti-patterns for the AI:
- Do not generate unsafe SQL or bypass authentication; do not modify secrets; do not perform privileged operations; avoid hardcoding credentials; do not rely on client-side logic for security.
Recommended Project Structure
/src
  /controllers
  /routes
  /services
  /models
  /middlewares
  /utils
/config
/db
  /migrations
/tests
Core Engineering Principles
- Principle of least privilege for authentication and authorization
- Idempotent booking operations with idempotency keys
- Auditability: comprehensive logs for bookings, payments, and user actions
- Data integrity via transactions and strong constraints
- Clear separation of concerns among API, domain logic, and persistence
Code Construction Rules
- RESTful endpoints: /appointments, /services, /packages, /memberships, /payments
- Validate input with Joi/Yup; return 400 for invalid input
- Parameterized database queries; avoid string concatenation to prevent SQL injection
- Use migrations for schema changes; track changes in /db/migrations
- Encapsulate business rules in a service layer; controllers should be thin
- Authenticate with JWTs; implement refresh token rotation
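The refresh token rotation rule above, as an added example that is not part of the template: each refresh token is single-use, and replaying an already-rotated token revokes every token descended from the same login. Hashed storage, the token-family reuse check, the seven-day lifetime, and the in-memory store (a stand-in for a PostgreSQL table) go beyond what the rules state and are assumptions; all names are hypothetical.

```javascript
const crypto = require('crypto');

const WEEK_MS = 7 * 24 * 3600 * 1000; // assumption: seven-day refresh lifetime
const sha256 = (token) => crypto.createHash('sha256').update(token).digest('hex');

// Hypothetical in-memory store; only token hashes are kept, never raw tokens.
function createRefreshStore() {
  const rows = new Map(); // tokenHash -> { userId, familyId, used, revoked, expiresAt }

  function insert(userId, familyId, now, ttlMs) {
    const token = crypto.randomBytes(32).toString('base64url');
    rows.set(sha256(token), {
      userId, familyId, used: false, revoked: false, expiresAt: now + ttlMs,
    });
    return token;
  }

  return {
    // Called at login: starts a new token family.
    issue(userId, now = Date.now(), ttlMs = WEEK_MS) {
      return insert(userId, crypto.randomUUID(), now, ttlMs);
    },
    // Called at /refresh: consumes the presented token and returns its successor.
    rotate(presented, now = Date.now(), ttlMs = WEEK_MS) {
      const row = rows.get(sha256(String(presented)));
      if (!row) return { ok: false, reason: 'unknown_token' };
      if (row.revoked) return { ok: false, reason: 'family_revoked' };
      if (row.used) {
        // A rotated token came back: treat the whole family as compromised.
        for (const r of rows.values()) {
          if (r.familyId === row.familyId) r.revoked = true;
        }
        return { ok: false, reason: 'reuse_detected' };
      }
      if (now >= row.expiresAt) return { ok: false, reason: 'expired' };
      row.used = true;
      const refreshToken = insert(row.userId, row.familyId, now, ttlMs);
      return { ok: true, userId: row.userId, refreshToken };
    },
  };
}
```

With PostgreSQL, the read of `used` and the write that sets it belong in one transaction with the row locked, so two concurrent refresh requests cannot both succeed.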
Security and Production Rules
- Enforce TLS/HTTPS; store secrets in environment variables or a vault
- Rate limiting and IP blocking for abuse; implement auditing and anomaly detection
- Secure payment webhooks; verify Stripe signatures; protect webhook endpoints
- Validate all inputs; escape outputs to prevent XSS/SQLi
Testing Checklist
- Unit tests for services and validators
- Integration tests for bookings, calendars, and payments
- End-to-end testing for the booking flow with payment simulation
- CI pipeline: lint, tests, type checks, and deployment validations
- Load/stress tests for concurrent bookings and high-traffic scenarios
Common Mistakes to Avoid
- Hardcoding business rules or calendar data in controllers
- Ignoring time zones and daylight saving transitions for staff calendars
- Under- or over-fetching data; missing pagination and projections
- Unreliable webhook handling or not validating event signatures
FAQ
What is the Cursor Rules Template for a salon booking system?
The template encodes Cursor AI instructions for a Node.js/Express API with PostgreSQL, staff calendars, services, packages, memberships, and Stripe payments. It emphasizes modular design, secure patterns, and testable flows for production-grade booking software.
Which stack does this template target?
Node.js with Express, PostgreSQL, Knex.js for queries, Stripe for payments, and JWT-based auth. It includes CI, linting, and testing workflows suitable for a salon booking system.
How do I extend staff calendars and booking rules?
Add staff entities, per-staff calendars, availability rules, and conflict detection. Use transactions for bookings, and implement time-slot locking to prevent double bookings.
What security considerations are included?
JWTs in HttpOnly cookies, TLS, input validation, parameterized queries, and secure webhooks. Do not expose secrets in code; use environment variables or a vault.
How do I paste this into my project?
Copy the .cursorrules block, place it in your project root as .cursorrules, and load it before generation. Adapt paths to match your repository structure and ensure the backend aligns with PostgreSQL and Stripe integrations.