Skillshub cursor-prod-checklist
install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/jeremylongshore/claude-code-plugins-plus-skills/cursor-prod-checklist" ~/.claude/skills/comeonoliver-skillshub-cursor-prod-checklist && rm -rf "$T"
manifest:
skills/jeremylongshore/claude-code-plugins-plus-skills/cursor-prod-checklist/SKILL.md
source content
Cursor Production Checklist
Comprehensive checklist for configuring Cursor IDE for production use. Covers security hardening, project rules, indexing optimization, privacy settings, and team standardization.
Pre-Flight Checklist
Authentication & Licensing
- [ ] All team members authenticated with correct plan (Pro/Business/Enterprise)
- [ ] SSO configured (Business/Enterprise) -- see cursor-sso-integration skill
- [ ] Privacy Mode enabled (enforced at team level for Business+)
- [ ] Verify plan at cursor.com/settings
Project Rules
- [ ] .cursor/rules/ directory created and committed to git
- [ ] Core project rule with alwaysApply: true (stack, conventions, standards)
- [ ] Language-specific rules with glob patterns (*.ts, *.py, etc.)
- [ ] Security rule: "Never suggest hardcoded credentials or secrets"
- [ ] No sensitive data (API keys, passwords) in any rule file
Minimum viable rule set:
```
# .cursor/rules/project.mdc
---
description: "Core project context"
globs: ""
alwaysApply: true
---
# Project: [Name]
Stack: [framework, language, database, etc.]
Package manager: [npm/pnpm/yarn]

## Conventions
- [your team conventions here]
- Never commit console.log statements
- All functions require TypeScript return types
- Use Conventional Commits format
```

```
# .cursor/rules/security.mdc
---
description: "Security constraints for AI-generated code"
globs: ""
alwaysApply: true
---
# Security Rules
- NEVER hardcode API keys, passwords, or secrets in code
- NEVER disable HTTPS/TLS verification
- ALWAYS use parameterized queries (no string concatenation for SQL)
- ALWAYS validate and sanitize user input
- Use environment variables for all configuration values
```
Indexing Configuration
- [ ] .cursorignore created at project root
- [ ] Excluded: node_modules/, dist/, build/, .next/, vendor/
- [ ] Excluded: *.min.js, *.map, *.lock, *.sqlite
- [ ] Excluded: .env*, secrets/, credentials/
- [ ] .cursorindexingignore created for large-but-useful files
- [ ] Verified indexing completes (status bar shows "Indexed")
- [ ] Tested @Codebase queries return relevant results
Privacy & Security
- [ ] Privacy Mode: ON (Cursor Settings > General > Privacy Mode)
- [ ] Verified: cursor.com/settings shows "Privacy Mode: Enabled"
- [ ] .cursorignore covers all files with PII or regulated data
- [ ] API keys (if BYOK) stored in Cursor settings, NOT in project files
- [ ] Team members briefed: AI output is a draft, not production-ready code
AI Configuration
- [ ] Default model set (Cursor Settings > Models)
- [ ] BYOK configured if required by team (see cursor-api-key-management skill)
- [ ] Auto mode evaluated vs fixed model selection
- [ ] Tab completion enabled and tested
- [ ] Conflicting extensions disabled (Copilot, TabNine, Codeium)
Version Control Integration
- [ ] .cursor/rules/ committed to git (team shares rules)
- [ ] .cursorignore committed to git
- [ ] .cursorindexingignore committed to git
- [ ] AI-generated commit messages reviewed before pushing
- [ ] Pre-commit hooks run (linting, tests) regardless of AI-generated code
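The Project Rules and Indexing Configuration items above can be checked mechanically from a pre-commit hook or CI job. The following is an added example, not part of the skill itself; the function names, the literal comparison of ignore patterns, and the secret-matching regex are assumptions, and the sample repository is constructed.

```python
import re
import tempfile
from pathlib import Path

# Exclusions the checklist requires; compared literally (assumption).
REQUIRED_IGNORES = [".env*", "secrets/", "credentials/", "node_modules/"]

# Assumed heuristics for secret-like strings, not an exhaustive scanner.
SECRET_RE = re.compile(
    r"AKIA[0-9A-Z]{16}"
    r"|-----BEGIN [A-Z ]*PRIVATE KEY-----"
    r"|(?i:api[_-]?key|password|secret|token)\s*[:=]\s*['\"]?[\w/+-]{16,}"
)

def audit(repo):
    """Return a list of findings; an empty list means the repo passes."""
    repo, findings = Path(repo), []
    ignore = repo / ".cursorignore"
    if not ignore.is_file():
        findings.append("missing .cursorignore")
    else:
        have = {l.strip() for l in ignore.read_text().splitlines()}
        findings += [f".cursorignore lacks {p}"
                     for p in REQUIRED_IGNORES if p not in have]
    rules = sorted((repo / ".cursor" / "rules").glob("*.mdc"))
    always = False
    for rule in rules:
        text = rule.read_text()
        # Frontmatter is whatever sits between the first two '---' markers.
        parts = text.split("---", 2)
        front = parts[1] if text.startswith("---") and len(parts) == 3 else ""
        always |= bool(re.search(r"^alwaysApply:\s*true\s*$", front, re.M))
        findings += [f"{rule.name}:{n} secret-like string"
                     for n, line in enumerate(text.splitlines(), 1)
                     if SECRET_RE.search(line)]
    if not always:
        findings.append("no rule file with alwaysApply: true")
    return findings

def demo():
    """Audit a constructed repo that breaks three checklist items."""
    with tempfile.TemporaryDirectory() as tmp:
        rules = Path(tmp, ".cursor", "rules")
        rules.mkdir(parents=True)
        Path(tmp, ".cursorignore").write_text("node_modules/\n.env*\nsecrets/\n")
        (rules / "db.mdc").write_text(  # constructed sample, fake value
            '---\ndescription: "DB"\nglobs: "*.py"\nalwaysApply: false\n---\n'
            'Connect with password = "Zx9Constructed0Value1234"\n')
        return audit(tmp)
```

Calling `audit(".")` from a hook and failing when the list is non-empty blocks commits that drop a required exclusion or put a credential into a rule file.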
Team Onboarding Template
```
# Cursor IDE Onboarding

## Setup (15 minutes)
1. Download Cursor from cursor.com/download
2. Sign in with your @company.com email (SSO will redirect)
3. Open our project repository in Cursor
4. Wait for indexing to complete (status bar)

## Daily Workflow
- Cmd+L (Chat): Ask questions, plan features
- Cmd+K (Inline Edit): Fix/refactor selected code
- Cmd+I (Composer): Multi-file changes
- Tab: Accept AI completions while typing

## Our Rules
- Project rules are in .cursor/rules/ -- read them
- Always review AI-generated code before committing
- Start new chats for new tasks (don't continue stale conversations)
- Use @Files for specific context, @Codebase for discovery

## Prohibited
- Do NOT paste credentials into Chat/Composer
- Do NOT disable Privacy Mode
- Do NOT commit AI-generated code without review and testing
```
Maintenance Schedule
| Task | Frequency | How |
|---|---|---|
| Review and update project rules | Monthly | Audit for stale info |
| Verify Privacy Mode enforcement | Quarterly | Admin dashboard or Cursor Settings |
| Rotate API keys (BYOK) | Quarterly | Provider console + Cursor Settings |
| Update .cursorignore | When project structure changes | Add new build/data directories |
| Review extension list | Monthly | Disable unused, check for conflicts |
| Cursor version update | As released | Help > Check for Updates |
| Team onboarding doc update | When workflow changes | Keep setup steps current |
Production Anti-Patterns
| Anti-Pattern | Risk | Fix |
|---|---|---|
| No .cursor/rules/ | AI generates inconsistent code | Create rules with team conventions |
| No .cursorignore | Secrets indexed, large files slow indexing | Add comprehensive ignore patterns |
| Privacy Mode off | Code stored by model providers | Enable at team level (admin dashboard) |
| One giant conversation | Context overflow, bad suggestions | Start new chat per task |
| Blind "Apply All" | Bugs, wrong patterns committed | Review every diff before applying |
| No pre-commit hooks | AI-generated bugs reach main branch | Enforce lint + test hooks |
Enterprise Considerations
- Compliance documentation: Maintain records of Cursor configuration for SOC 2 / ISO 27001 audits
- Change management: Treat .cursor/rules/ changes like infrastructure changes -- PR and review
- Access reviews: Quarterly review of team membership and seat assignments
- Data classification: Map .cursorignore to your data classification policy