Execute production readiness checklist for Cursor IDE setup. Triggers on "cursor production", "cursor ready", "cursor checklist", "optimize cursor setup"...
Comprehensive checklist for configuring Cursor IDE for production use. Covers security hardening, project rules, indexing optimization, privacy settings, and team standardization.
[ ] All team members authenticated with correct plan (Pro/Business/Enterprise)
[ ] SSO configured (Business/Enterprise) -- see cursor-sso-integration skill
[ ] Privacy Mode enabled (enforced at team level for Business+)
[ ] Verify plan at cursor.com/settings
[ ] .cursor/rules/ directory created and committed to git
[ ] Core project rule with alwaysApply: true (stack, conventions, standards)
[ ] Language-specific rules with glob patterns (*.ts, *.py, etc.)
[ ] Security rule: "Never suggest hardcoded credentials or secrets"
[ ] No sensitive data (API keys, passwords) in any rule file
Minimum viable rule set:
# .cursor/rules/project.mdc
---
description: "Core project context"
globs: ""
alwaysApply: true
---
# Project: [Name]
Stack: [framework, language, database, etc.]
Package manager: [npm/pnpm/yarn]
## Conventions
- [your team conventions here]
- Never commit console.log statements
- All functions require TypeScript return types
- Use Conventional Commits format
# .cursor/rules/security.mdc
---
description: "Security constraints for AI-generated code"
globs: ""
alwaysApply: true
---
# Security Rules
- NEVER hardcode API keys, passwords, or secrets in code
- NEVER disable HTTPS/TLS verification
- ALWAYS use parameterized queries (no string concatenation for SQL)
- ALWAYS validate and sanitize user input
- Use environment variables for all configuration values
[ ] .cursorignore created at project root
[ ] Excluded: node_modules/, dist/, build/, .next/, vendor/
[ ] Excluded: *.min.js, *.map, *.lock, *.sqlite
[ ] Excluded: .env*, secrets/, credentials/
[ ] .cursorindexingignore created for large-but-useful files
[ ] Verified indexing completes (status bar shows "Indexed")
[ ] Tested @Codebase queries return relevant results
[ ] Privacy Mode: ON (Cursor Settings > General > Privacy Mode)
[ ] Verified: cursor.com/settings shows "Privacy Mode: Enabled"
[ ] .cursorignore covers all files with PII or regulated data
[ ] API keys (if BYOK) stored in Cursor settings, NOT in project files
[ ] Team members briefed: AI output is a draft, not production-ready code
[ ] Default model set (Cursor Settings > Models)
[ ] BYOK configured if required by team (see cursor-api-key-management skill)
[ ] Auto mode evaluated vs fixed model selection
[ ] Tab completion enabled and tested
[ ] Conflicting extensions disabled (Copilot, TabNine, Codeium)
[ ] .cursor/rules/ committed to git (team shares rules)
[ ] .cursorignore committed to git
[ ] .cursorindexingignore committed to git
[ ] AI-generated commit messages reviewed before pushing
[ ] Pre-commit hooks run (linting, tests) regardless of AI-generated code
# Cursor IDE Onboarding
## Setup (15 minutes)
1. Download Cursor from cursor.com/download
2. Sign in with your @company.com email (SSO will redirect)
3. Open our project repository in Cursor
4. Wait for indexing to complete (status bar)
## Daily Workflow
- Cmd+L (Chat): Ask questions, plan features
- Cmd+K (Inline Edit): Fix/refactor selected code
- Cmd+I (Composer): Multi-file changes
- Tab: Accept AI completions while typing
## Our Rules
- Project rules are in .cursor/rules/ -- read them
- Always review AI-generated code before committing
- Start new chats for new tasks (don't continue stale conversations)
- Use @Files for specific context, @Codebase for discovery
## Prohibited
- Do NOT paste credentials into Chat/Composer
- Do NOT disable Privacy Mode
- Do NOT commit AI-generated code without review and testing
| Task | Frequency | How |
|---|---|---|
| Review and update project rules | Monthly | Audit .cursor/rules/ for stale info |
| Verify Privacy Mode enforcement | Quarterly | Admin dashboard or Cursor Settings |
| Rotate API keys (BYOK) | Quarterly | Provider console + Cursor Settings |
| Update .cursorignore | When project structure changes | Add new build/data directories |
| Review extension list | Monthly | Disable unused, check for conflicts |
| Cursor version update | As released | Help > Check for Updates |
| Team onboarding doc update | When workflow changes | Keep setup steps current |
| Anti-Pattern | Risk | Fix |
|---|---|---|
| No .cursor/rules/ | AI generates inconsistent code | Create rules with team conventions |
| No .cursorignore | Secrets indexed, large files slow indexing | Add comprehensive ignore patterns |
| Privacy Mode off | Code stored by model providers | Enable at team level (admin dashboard) |
| One giant conversation | Context overflow, bad suggestions | Start new chat per task |
| Blind "Apply All" | Bugs, wrong patterns committed | Review every diff before applying |
| No pre-commit hooks | AI-generated bugs reach main branch | Enforce lint + test hooks |
.cursor/rules/ changes like infrastructure changes -- PR and review