Cursor Rules That Actually Improve AI Code Quality

Default AI code suggestions are generic. With the right rules, Cursor generates code that matches your exact stack, patterns, and conventions.

What Are Cursor Rules?

.cursorrules (or the newer .cursor/rules/ directory) gives Cursor persistent context about your project. Every AI request gets this context appended automatically.

Project-Level Rules

# .cursorrules

## Stack
- Next.js 14 App Router (not Pages Router)
- TypeScript strict mode
- Tailwind CSS with shadcn/ui components
- Prisma ORM with PostgreSQL
- NextAuth.js v5

## Conventions
- Server Components by default; use 'use client' only when needed
- All database calls via Prisma — no raw SQL
- Error handling: return { data, error } tuples, never throw
- API routes: always validate input with Zod before processing
- File naming: kebab-case for files, PascalCase for components

## Patterns
- Use server actions for mutations, not API routes
- Loading states with React Suspense, not manual isLoading booleans
- Forms: React Hook Form + Zod schema
- Auth: always check session in server components with getServerSession()

Security Rules

## Security
- Never expose database IDs in URLs — use slugs or UUIDs
- All user input validated and sanitized before database write
- No secrets in client-side code or environment variables prefixed NEXT_PUBLIC_
- File uploads: validate MIME type server-side, not just client-side
- API routes: rate limiting on all public endpoints

Testing Rules

## Testing
- Unit tests: Vitest + Testing Library
- Integration tests: use real database, never mock Prisma
- Test file location: co-located with source files (*.test.ts)
- Test names: describe what the function does, not how it's implemented

Component-Specific Rules (.cursor/rules/)

The newer format allows per-directory rules:

# .cursor/rules/components.mdc
---
globs: ['src/components/**/*.tsx']
---

- Export default for page components, named exports for UI components
- Props interface defined above the component, never inline
- No business logic in components — extract to hooks or server actions
- All images use next/image with explicit width/height

API Rules

# .cursor/rules/api.mdc
---
globs: ['src/app/api/**/*.ts']
---

- Always return NextResponse with proper status codes
- Input validation with Zod at the top of every handler
- Authentication check before any data access
- Consistent error shape: { error: string, code?: string }

What Makes Rules Effective

1. Be specific — "use server actions" beats "follow best practices"
2. Include the why — rules with context get better application
3. Scope them — per-directory rules beat global noise
4. Keep them short — under 50 lines; long rules dilute attention

Claude Code Skills vs Cursor Rules

Cursor rules set context. Claude Code skills execute workflows. The Ship Fast Skill Pack gives you 10 pre-built Claude Code skills (/auth, /pay, /deploy, /test) that work alongside your Cursor rules — $49 one-time at whoffagents.com.