Cursor Rules Template for Vendor Management SaaS (Contracts, Compliance, Renewals, AI Risk)
Cursor Rules Template for building a vendor management SaaS with contracts, compliance docs, renewals, scoring, and AI risk analysis using Cursor AI.
Target User
Developers building vendor management SaaS with contracts, compliance, renewals, and AI risk analysis
Use Cases
- Paste into project root to enforce architecture, security, and data governance for NestJS + PostgreSQL stack
- Guide AI-assisted development with Cursor AI for contract workflows and compliance checks
Markdown Template
Cursor Rules Template for Vendor Management SaaS (Contracts, Compliance, Renewals, AI Risk)
# Framework Role & Context
framework: NestJS + PostgreSQL (TypeORM)
context: Vendor management SaaS with contracts, compliance docs, renewals, scoring, AI risk analysis
# Framework Role & Context (continued)
role:
- System: You are Cursor AI specialized for a NestJS + PostgreSQL backend for a vendor-management SaaS.
- Developer: You output concrete .cursorrules blocks ready to paste into the project root.
# Code Style and Style Guides
codeStyle:
- strict: true
- lint: eslint + prettier
- tsconfig: strict: true, noImplicitAny: true
- namingConventions: camelCase for variables, PascalCase for types/classes
# Architecture & Directory Rules
architecture:
- apps/vendor-manager-api/src
- apps/vendor-manager-api/src/modules
- apps/vendor-manager-api/src/core
- libs/persistence/src/entities
- libs/persistence/src/repositories
- libs/auth/src
- libs/contracts/src
- libs/compliance/src
- libs/ai-risk/src
directory:
- Do not place business logic in controllers; use domain services and repositories.
- Keep DTOs in src/dtos near controllers.
- Entities in libs/persistence/entities; migrations in libs/persistence/migrations.
# Authentication & Security Rules
authentication:
- type: JWT
- algorithm: RS256
- storage: HttpOnly cookies for web apps
- RBAC: roles admin, vendor_manager, reviewer
- access: enforce least privilege per endpoint
# Database and ORM patterns
database:
- database: PostgreSQL
- orm: TypeORM
- migrations: required, incremental
- patterns: repositories, aggregates, domain events
- security: parameterized queries, avoid string-concat SQL
# Testing & Linting Workflows
testing:
- unit: Jest
- integration: SuperTest
- e2e: Playwright or Cypress (if a UI exists)
- lint: ESLint
- ci: run on push, fail-fast on lint/tests
# Prohibited Actions and Anti-patterns for the AI
antiPatterns:
- Do not bypass RBAC or create broad admin shortcuts
- Do not log PII in plain text or unencrypted logs
- Do not bypass migrations; avoid schema drift
- Do not perform network requests to external services without user consent
- Do not generate raw SQL without parameterization
Overview
This Cursor rules configuration is a copyable .cursorrules block that encodes stack-specific constraints, best practices, and guardrails for AI-assisted development in Cursor AI of a vendor management SaaS with contracts, compliance documents, renewals, scoring, and AI risk analysis. The template is tailored to a NestJS (TypeScript) backend with PostgreSQL via TypeORM and a modular architecture.
When to Use These Cursor Rules
- Starting a new vendor management SaaS project with contracts, compliance, and renewals.
- Enforcing RBAC and secure authentication in NestJS APIs.
- Ensuring strict domain boundaries between vendors, contracts, compliance, and risk modules.
- Guiding AI-assisted generation of business logic around risk scoring and renewal workflows.
- Integrating with Cursor AI to maintain data governance and auditability.
Recommended Project Structure
vendor-manager/
  apps/
    vendor-manager-api/
      src/
        main.ts
        app.module.ts
        modules/
        controllers/
        services/
        dtos/
        entities/
        migrations/
    vendor-manager-admin/
      src/
        main.ts
        app.module.ts
        components/
  libs/
    core/
      src/
        lib/
    persistence/
      src/
        entities/
        repositories/
        migrations/
    auth/
      src/
        jwt.ts
        guards/
    contracts/
      src/
        entities/
        services/
    compliance/
      src/
        documents/
    ai-risk/
      src/
        scoring/
        risk_analysis/
Core Engineering Principles
- Strong typing and explicit contracts across modules
- Clear domain boundaries: vendors, contracts, compliance, renewals, risk
- Security by default: RBAC, encryption at rest, audit logs
- Test-driven focus: unit, integration, and CI checks
- Deterministic, auditable data flows with migrations
Code Construction Rules
- Place business logic in domain services; controllers should call services via DTOs
- Use repository pattern with TypeORM; avoid raw queries in services
- DTOs validate user input; use class-validator decorators
- Contracts, compliance, and renewal entities must carry audit timestamps
- All external calls should be abstracted behind services with mocks for tests
Security and Production Rules
- RBAC enforced at route handlers via guards; rotate tokens
- Encrypt sensitive fields in database; mask PII in logs
- Enable audit trails for contract actions; immutable logs for important events
- CI/CD: run migrations in production with feature flags; blue/green or canary deployments
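The RBAC rules above (three roles, least privilege per endpoint, no broad admin shortcuts) come down to one decision function that a NestJS guard calls before a handler runs. The block below is an added example, not code from the template; the action names are assumptions chosen to match the contract, renewal and compliance domain, and it deliberately goes beyond the rules by treating unknown role strings as a deny rather than an error.

```typescript
// Added example, not part of the template: a deny-by-default permission matrix
// for the template's three roles (admin, vendor_manager, reviewer), written as a
// pure function that a NestJS route guard would call. The action names are
// assumptions chosen to match the template's contract/renewal/compliance domain.
export type Role = "admin" | "vendor_manager" | "reviewer";

export type Action =
  | "vendor:read" | "vendor:create"
  | "contract:read" | "contract:create" | "contract:delete"
  | "renewal:approve" | "compliance:review" | "risk:rescore";

// Every role, admin included, lists its permissions explicitly. There is no
// wildcard, so a "broad admin shortcut" cannot slip in as a one-line change.
const PERMISSIONS: Readonly<Record<Role, ReadonlySet<Action>>> = {
  admin: new Set<Action>([
    "vendor:read", "vendor:create", "contract:read", "contract:create",
    "contract:delete", "renewal:approve", "compliance:review", "risk:rescore",
  ]),
  vendor_manager: new Set<Action>([
    "vendor:read", "vendor:create", "contract:read", "contract:create",
    "renewal:approve", "risk:rescore",
  ]),
  reviewer: new Set<Action>(["vendor:read", "contract:read", "compliance:review"]),
};

export interface Decision {
  allowed: boolean;
  action: Action;
  matchedRole: Role | null;   // the role that granted access, if any
  reason: string;             // human-readable text for the audit log
}

// Deny by default: no roles, unknown roles and unlisted actions all fail.
export function authorize(roles: readonly string[], action: Action): Decision {
  for (const r of roles) {
    // hasOwnProperty, not `in`: a role string such as "constructor" or
    // "__proto__" must not resolve to a prototype property and pass as a role.
    if (!Object.prototype.hasOwnProperty.call(PERMISSIONS, r)) continue;
    const role = r as Role;
    if (PERMISSIONS[role].has(action)) {
      return { allowed: true, action, matchedRole: role, reason: `granted to ${role}` };
    }
  }
  return { allowed: false, action, matchedRole: null, reason: "no role grants this action" };
}

// What a guard does with the decision: refuse before the handler ever runs.
export function assertAllowed(roles: readonly string[], action: Action): Decision {
  const decision = authorize(roles, action);
  if (!decision.allowed) throw new Error(`403 Forbidden: ${action} (${decision.reason})`);
  return decision;
}
```

Each role's set is the endpoint-level allowlist; adding a permission means editing the matrix, which is exactly the change a code review should see.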
Testing Checklist
- Unit tests for domain services and repositories
- Integration tests for API endpoints with real DB in CI
- End-to-end tests for common user journeys (vendor onboarding, contract creation, renewals)
- Static analysis and linting in CI
- Security checks: secret scanning and dependency auditing
Common Mistakes to Avoid
- Mixing domain logic into controllers or infrastructure code
- Skipping migrations leading to schema drift
- Overexposing endpoints or misconfiguring RBAC
- Neglecting audit logs for critical actions
- Hard-coding secrets or credentials in source
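The audit-trail rules ("audit trails for contract actions; immutable logs for important events", and the mistake of neglecting audit logs above) need more than an `INSERT`: a record that can be edited in place is not evidence. The following is an added example, not code from the template, of a hash-chained, append-only audit trail for contract actions; the event fields and the choice of SHA-256 are assumptions of this example.

```typescript
// Added example, not part of the template: an append-only, hash-chained audit
// trail for contract actions. Each entry commits to the previous entry's hash,
// so editing, reordering or deleting an earlier record breaks verification.
import { createHash } from "node:crypto";

export interface AuditEvent {
  seq: number;        // 1-based position in the chain
  at: string;         // ISO-8601 timestamp supplied by the caller
  actor: string;      // id of the principal who performed the action
  action: string;     // e.g. "contract.renewal.approved"
  contractId: string;
  prevHash: string;   // hash of the previous entry, "" for the first
  hash: string;       // SHA-256 over the other fields, in fixed order
}
type AuditBody = Omit<AuditEvent, "hash">;

// Fixed field order, so the hash does not depend on object key order.
const canonical = (b: AuditBody): string =>
  [b.seq, b.at, b.actor, b.action, b.contractId, b.prevHash].join("\n");
const sha256 = (s: string): string => createHash("sha256").update(s, "utf8").digest("hex");

export class AuditTrail {
  private readonly entries: AuditEvent[] = [];
  append(at: string, actor: string, action: string, contractId: string): AuditEvent {
    const prev = this.entries[this.entries.length - 1];
    const body: AuditBody = { seq: this.entries.length + 1, at, actor, action,
                              contractId, prevHash: prev ? prev.hash : "" };
    const entry: AuditEvent = { ...body, hash: sha256(canonical(body)) };
    this.entries.push(entry);
    return entry;
  }
  // Copies, so callers cannot mutate the stored chain through the return value.
  snapshot(): AuditEvent[] { return this.entries.map((e) => ({ ...e })); }

  // Re-derives every hash. Returns the 1-based position of the first entry that
  // fails, or 0 if the chain is intact. Tail truncation is not detectable here;
  // persist the latest hash elsewhere (e.g. with the contract) to catch that.
  static firstBrokenPosition(entries: readonly AuditEvent[]): number {
    let prevHash = "";
    for (let i = 0; i < entries.length; i++) {
      const { hash, ...body } = entries[i];
      if (body.seq !== i + 1 || body.prevHash !== prevHash || sha256(canonical(body)) !== hash) {
        return i + 1;
      }
      prevHash = hash;
    }
    return 0;
  }
}
```

In the real service the entries would live in an append-only table whose role has no UPDATE or DELETE grant, with `firstBrokenPosition` run as a periodic integrity check.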
FAQ
What is this Cursor Rules Template used for?
This Cursor Rules Template provides a copyable .cursorrules block and project structure to guide AI-assisted development for a vendor management SaaS with contracts, compliance, renewals, and AI risk analysis.
Which stack is targeted?
The template targets NestJS (TypeScript) backend with PostgreSQL using TypeORM, with RBAC-based authentication and domain-driven design boundaries.
How do I adapt to my data model?
Replace the entities and repositories to reflect your domain, preserve the domain service boundaries, adjust the migrations accordingly, and keep audit logging in place for the actions you consider critical.
What security measures are emphasized?
RBAC with RS256 JWTs, HttpOnly cookies, encryption at rest, and robust audit logging for contracts and renewals.
How does AI risk analysis integrate?
The template outlines scoring and risk analysis modules that feed risk signals into decisions, while ensuring data governance, privacy, and traceability in AI-driven flows.