cursor-prod-checklist

# Cursor Production Checklist

Comprehensive checklist for configuring Cursor IDE for production use. Covers security hardening, project rules, indexing optimization, privacy settings, and team standardization.

## Pre-Flight Checklist

### Authentication & Licensing

```
[ ] All team members authenticated with correct plan (Pro/Business/Enterprise)
[ ] SSO configured (Business/Enterprise) -- see cursor-sso-integration skill
[ ] Privacy Mode enabled (enforced at team level for Business+)
[ ] Verify plan at cursor.com/settings
```

### Project Rules

```
[ ] .cursor/rules/ directory created and committed to git
[ ] Core project rule with alwaysApply: true (stack, conventions, standards)
[ ] Language-specific rules with glob patterns (*.ts, *.py, etc.)
[ ] Security rule: "Never suggest hardcoded credentials or secrets"
[ ] No sensitive data (API keys, passwords) in any rule file
```

**Minimum viable rule set:**

```yaml
# .cursor/rules/project.mdc
---
description: "Core project context"
globs: ""
alwaysApply: true
---
# Project: [Name]
Stack: [framework, language, database, etc.]
Package manager: [npm/pnpm/yarn]

## Conventions
- [your team conventions here]
- Never commit console.log statements
- All functions require TypeScript return types
- Use Conventional Commits format
```

```yaml
# .cursor/rules/security.mdc
---
description: "Security constraints for AI-generated code"
globs: ""
alwaysApply: true
---
# Security Rules
- NEVER hardcode API keys, passwords, or secrets in code
- NEVER disable HTTPS/TLS verification
- ALWAYS use parameterized queries (no string concatenation for SQL)
- ALWAYS validate and sanitize user input
- Use environment variables for all configuration values
```

### Indexing Configuration

```
[ ] .cursorignore created at project root
[ ] Excluded: node_modules/, dist/, build/, .next/, vendor/
[ ] Excluded: *.min.js, *.map, *.lock, *.sqlite
[ ] Excluded: .env*, secrets/, credentials/
[ ] .cursorindexingignore created for large-but-useful files
[ ] Verified indexing completes (status bar shows "Indexed")
[ ] Tested @Codebase queries return relevant results
```

### Privacy & Security

```
[ ] Privacy Mode: ON (Cursor Settings > General > Privacy Mode)
[ ] Verified: cursor.com/settings shows "Privacy Mode: Enabled"
[ ] .cursorignore covers all files with PII or regulated data
[ ] API keys (if BYOK) stored in Cursor settings, NOT in project files
[ ] Team members briefed: AI output is a draft, not production-ready code
```

### AI Configuration

```
[ ] Default model set (Cursor Settings > Models)
[ ] BYOK configured if required by team (see cursor-api-key-management skill)
[ ] Auto mode evaluated vs fixed model selection
[ ] Tab completion enabled and tested
[ ] Conflicting extensions disabled (Copilot, TabNine, Codeium)
```

### Version Control Integration

```
[ ] .cursor/rules/ committed to git (team shares rules)
[ ] .cursorignore committed to git
[ ] .cursorindexingignore committed to git
[ ] AI-generated commit messages reviewed before pushing
[ ] Pre-commit hooks run (linting, tests) regardless of AI-generated code
```

## Team Onboarding Template

```markdown
# Cursor IDE Onboarding

## Setup (15 minutes)
1. Download Cursor from cursor.com/download
2. Sign in with your @company.com email (SSO will redirect)
3. Open our project repository in Cursor
4. Wait for indexing to complete (status bar)

## Daily Workflow
- Cmd+L (Chat): Ask questions, plan features
- Cmd+K (Inline Edit): Fix/refactor selected code
- Cmd+I (Composer): Multi-file changes
- Tab: Accept AI completions while typing

## Our Rules
- Project rules are in .cursor/rules/ -- read them
- Always review AI-generated code before committing
- Start new chats for new tasks (don't continue stale conversations)
- Use @Files for specific context, @Codebase for discovery

## Prohibited
- Do NOT paste credentials into Chat/Composer
- Do NOT disable Privacy Mode
- Do NOT commit AI-generated code without review and testing
```

## Maintenance Schedule

| Task | Frequency | How |
|------|-----------|-----|
| Review and update project rules | Monthly | Audit `.cursor/rules/` for stale info |
| Verify Privacy Mode enforcement | Quarterly | Admin dashboard or Cursor Settings |
| Rotate API keys (BYOK) | Quarterly | Provider console + Cursor Settings |
| Update .cursorignore | When project structure changes | Add new build/data directories |
| Review extension list | Monthly | Disable unused, check for conflicts |
| Cursor version update | As released | Help > Check for Updates |
| Team onboarding doc update | When workflow changes | Keep setup steps current |

## Production Anti-Patterns

| Anti-Pattern | Risk | Fix |
|-------------|------|-----|
| No .cursor/rules/ | AI generates inconsistent code | Create rules with team conventions |
| No .cursorignore | Secrets indexed, large files slow indexing | Add comprehensive ignore patterns |
| Privacy Mode off | Code stored by model providers | Enable at team level (admin dashboard) |
| One giant conversation | Context overflow, bad suggestions | Start new chat per task |
| Blind "Apply All" | Bugs, wrong patterns committed | Review every diff before applying |
| No pre-commit hooks | AI-generated bugs reach main branch | Enforce lint + test hooks |

## Enterprise Considerations

- **Compliance documentation**: Maintain records of Cursor configuration for SOC 2 / ISO 27001 audits
- **Change management**: Treat `.cursor/rules/` changes like infrastructure changes -- PR and review
- **Access reviews**: Quarterly review of team membership and seat assignments
- **Data classification**: Map .cursorignore to your data classification policy

## Resources

- [Cursor Enterprise](https://cursor.com/enterprise)
- [Privacy and Data Governance](https://docs.cursor.com/enterprise/privacy-and-data-governance)
- [Security Page](https://cursor.com/security)