Rules

Cursor rules are .mdc files in .cursor/rules/ that inject context into every conversation (or pattern-matched conversations). They define what the agent knows about the project and what standards it must follow.

Always-Applied Rules

These five rules are injected into every conversation regardless of which files are being edited.

Agent Behavior (agent-rules.mdc)

Defines when to invoke sub-agents and what constraints the agent operates under.

Key directives:

• Run Code Marshal after any code changes
• Run Security Sentinel after changes to auth, user input, cookies, APIs, or sensitive data
• Run both concurrently when changes touch security-sensitive code
• Do not start/stop servers — they are already running
• Do not restart Docker containers unless explicitly asked
• Do not run database migrations without explicit approval

Coding Standards (coding-standards.mdc)

The comprehensive coding standards that Code Marshal enforces.

Standards covered:

• SOLID — Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, Dependency Inversion
• DDD — Domain organization, ubiquitous language, encapsulated business logic, infrastructure separation
• Code Splitting — Functions ≤30 lines (hard limit 50), one concern per file, max 3 nesting levels, early returns
• DRY — Extracted shared logic, composition over inheritance, centralized constants/types
• TypeScript — Strict mode, no any, explicit return types, discriminated unions, generics, readonly/as const
• Clean Code — Descriptive names, no abbreviations, no magic numbers, pure functions, no dead code
• Error Handling — No swallowed exceptions, typed errors, appropriate boundaries, actionable logs
• Testing — 80% minimum coverage, small focused unit tests, behavior-driven, integration tests for combined flows
• E2E Relaxations — Higher function length (75+), complexity (12), nesting (4+), inline fixtures, .catch(() => false) for visibility checks

Project Overview (project-rules.mdc)

High-level project architecture and conventions.

Key knowledge:

• NX monorepo with PNPM, React/Vite/Radix (frontend), NestJS (API Gateway)
• Carrier/State/LOB agnostic platform — no hardcoding carrier logic
• CDM configuration system (the "One True Way") — all enum fields use cdmPath, never hardcode options
• Carrier flow locations: apps/fastlane-portal/src/app/pages/carriers/<carrier>/<lob>/
• API libs: libs/apis/carriers/<carrier>/ with @goosehead-fastlane/carriers/<carrier> imports
• Session store via Zustand — no PII, API-first, Redis-backed with CRN rehydration
• Component library at libs/ui/components — must be carrier/state/LOB agnostic, requires Storybook stories
• legacy/ is reference only — do not modify

Carrier Integration (carrier-rules.mdc)

Progressive Home portal bot architecture and conventions.

Key knowledge:

• Architecture: Frontend → API Gateway → Application Service → Playwright Page Objects → Progressive Portal
• DDD layers: Domain types, Application services/DTOs, Infrastructure pages/browser
• 8-step quote flow: NamedInsured → Products → HouseholdMembers → AdditionalDetails → CoveragesBillPlans → Portfolio → PointOfSale → FinalSale
• Page object pattern: constructor(page) → fillForm(data) → submitToNextStep()
• Browser pool: single Chromium instance, multiple isolated contexts (max 3)
• Modification rules: new step requires page object + domain type + mapper + service wiring; new field requires DTO + domain type + mapper + page object

Prisma/Database (prisma-rules.mdc)

Database operation constraints.

Key directives:

• Use fastlane schema — never public
• All operations via Prisma migrations and seeding
• Local Docker Postgres only (localhost:5432/goosehead)
• The postgres-legacy-crn-mcp connects to a remote CRN database — do not use for local development

Pattern-Matched Rules

These rules activate only when editing files that match their glob patterns.

Security (security-rules.mdc)

Applies to: **/*.ts, **/*.tsx

Defines the security standards that Security Sentinel enforces.

Standards covered:

• JWT in httpOnly cookies, not localStorage; short expiration; validation on every request; refresh rotation; server-side invalidation on logout
• Cookie flags: httpOnly: true, secure: true, sameSite: 'strict'
• Injection prevention: Prisma parameterized queries, no string interpolation in SQL, sanitized input, allowlisted dynamic identifiers
• Input validation: server-side, strict schemas, type/length/format checks, allowlists over denylists
• XSS prevention: escaped user content, no raw dangerouslySetInnerHTML, CSP headers, HTML sanitization
• Secrets: no hardcoded keys, env vars only, .env gitignored, no secrets in error messages
• API security: rate limiting, specific CORS origins, request size limits, auth on sensitive endpoints

Test Standards (test-standards.mdc)

Applies to: **/*.spec.ts, **/*.test.ts

Defines testing conventions.

Key directives:

• Co-locate specs with source files
• Use test-helpers/ for shared logic
• Prefer builders for fixtures
• Behavior-focused it blocks
• Mock dependencies in unit tests

Agents Loader (agents-loader.mdc)

Applies to: Not always applied (manually triggered)

Instructs the agent to load the root AGENTS.md file at conversation start for additional AI workflow patterns.

How Rules Interact with Sub-Agents

The rules and sub-agents form a closed loop: rules define the standards, sub-agents read those rules at invocation time, and the hooks system ensures the loop runs automatically.