Cursor Production Checklist

[ ] All team members authenticated with correct plan (Pro/Business/Enterprise)
[ ] SSO configured (Business/Enterprise) -- see cursor-sso-integration skill
[ ] Privacy Mode enabled (enforced at team level for Business+)
[ ] Verify plan at cursor.com/settings

[ ] .cursor/rules/ directory created and committed to git
[ ] Core project rule with alwaysApply: true (stack, conventions, standards)
[ ] Language-specific rules with glob patterns (*.ts, *.py, etc.)
[ ] Security rule: "Never suggest hardcoded credentials or secrets"
[ ] No sensitive data (API keys, passwords) in any rule file

# .cursor/rules/project.mdc
---
description: "Core project context"
globs: ""
alwaysApply: true
---
# Project: [Name]
Stack: [framework, language, database, etc.]
Package manager: [npm/pnpm/yarn]

## Conventions
- [your team conventions here]
- Never commit console.log statements
- All functions require TypeScript return types
- Use Conventional Commits format

# .cursor/rules/security.mdc
---
description: "Security constraints for AI-generated code"
globs: ""
alwaysApply: true
---
# Security Rules
- NEVER hardcode API keys, passwords, or secrets in code
- NEVER disable HTTPS/TLS verification
- ALWAYS use parameterized queries (no string concatenation for SQL)
- ALWAYS validate and sanitize user input
- Use environment variables for all configuration values

[ ] .cursorignore created at project root
[ ] Excluded: node_modules/, dist/, build/, .next/, vendor/
[ ] Excluded: *.min.js, *.map, *.lock, *.sqlite
[ ] Excluded: .env*, secrets/, credentials/
[ ] .cursorindexingignore created for large-but-useful files
[ ] Verified indexing completes (status bar shows "Indexed")
[ ] Tested @Codebase queries return relevant results

[ ] Privacy Mode: ON (Cursor Settings > General > Privacy Mode)
[ ] Verified: cursor.com/settings shows "Privacy Mode: Enabled"
[ ] .cursorignore covers all files with PII or regulated data
[ ] API keys (if BYOK) stored in Cursor settings, NOT in project files
[ ] Team members briefed: AI output is a draft, not production-ready code

[ ] Default model set (Cursor Settings > Models)
[ ] BYOK configured if required by team (see cursor-api-key-management skill)
[ ] Auto mode evaluated vs fixed model selection
[ ] Tab completion enabled and tested
[ ] Conflicting extensions disabled (Copilot, TabNine, Codeium)

[ ] .cursor/rules/ committed to git (team shares rules)
[ ] .cursorignore committed to git
[ ] .cursorindexingignore committed to git
[ ] AI-generated commit messages reviewed before pushing
[ ] Pre-commit hooks run (linting, tests) regardless of AI-generated code

# Cursor IDE Onboarding

## Setup (15 minutes)
1. Download Cursor from cursor.com/download
2. Sign in with your @company.com email (SSO will redirect)
3. Open our project repository in Cursor
4. Wait for indexing to complete (status bar)

## Daily Workflow
- Cmd+L (Chat): Ask questions, plan features
- Cmd+K (Inline Edit): Fix/refactor selected code
- Cmd+I (Composer): Multi-file changes
- Tab: Accept AI completions while typing

## Our Rules
- Project rules are in .cursor/rules/ -- read them
- Always review AI-generated code before committing
- Start new chats for new tasks (don't continue stale conversations)
- Use @Files for specific context, @Codebase for discovery

## Prohibited
- Do NOT paste credentials into Chat/Composer
- Do NOT disable Privacy Mode
- Do NOT commit AI-generated code without review and testing