Add Cloudflare Workers + Hono + Angular SaaS rules #266

Open
ProfessorManhattan wants to merge 1 commit into PatrickJS:main from ProfessorManhattan:add-cf-workers-hono-angular-saas

@ProfessorManhattan ProfessorManhattan commented Apr 24, 2026

## Summary

Adds comprehensive .cursorrules for building full-stack SaaS applications on Cloudflare Workers with:

- Hono v4.12+ — inline handlers for RPC type inference, method chaining, @hono/zod-validator, factory pattern
- Angular 21 — zoneless, signals, standalone components, PrimeNG
- D1 + Drizzle v1 — batch API, prepared statements, type-safe schemas
- Inngest v4 — durable background jobs with step.ai.infer() and realtime
- Clerk Core 3 — JWT auth, webhook sync, RBAC
- Stripe — versioned releases, webhook dedup via KV
- Security — OWASP Top 10:2025, CSP with Trusted Types, Turnstile
- Testing — TDD with Playwright (6 breakpoints) + Vitest, axe-core
- Quality — Lighthouse a11y ≥95, WCAG 2.2 AA, perf budgets

Includes a complete Hono Worker starter template and deploy commands.

## Category

Backend and Full-Stack

## Source

Extracted from megabytespace/claude-skills — a 14-category skill system with 94 reference docs for autonomous SaaS building.

Summary by CodeRabbit

  • Documentation
    • Added comprehensive development guidelines and best practices for full-stack SaaS application architecture, covering API structure, frontend conventions, database schemas, background job handling, security protocols, and testing standards.
    • Included starter code examples and configuration references.


coderabbitai Bot commented Apr 24, 2026

Walkthrough

A new .cursorrules configuration file is added to establish development standards and best practices for a full-stack SaaS architecture built on Cloudflare Workers, Hono, Angular, with supporting tools like Drizzle, Zod, Clerk, Stripe, and Inngest.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Cursor Rules Configuration: `rules/cloudflare-workers-hono-angular-saas-cursorrules-prompt-file/.cursorrules` | New ruleset file defining coding standards, architecture patterns, and development conventions for Hono API structure, Angular frontend setup, TypeScript requirements, database schemas with Drizzle, Workers runtime behaviors, Inngest background jobs, security/auth checklists, and a minimal Hono starter snippet. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

  • PatrickJS

Poem

🐰 Hops excitedly through the new ruleset...

A compass for builders, so clear and so keen,
With Hono and Angular, a dream to convene,
From Drizzle to Stripe, from Zod to Inngest,
Your full-stack SaaS rules—now put to the test! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and accurately summarizes the main change: adding a comprehensive Cursor ruleset file for Cloudflare Workers, Hono, and Angular SaaS development. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
rules/cloudflare-workers-hono-angular-saas-cursorrules-prompt-file/.cursorrules (1)

87-91: Avoid recommending full-zone cache purge on every deploy.

"purge_everything": true can cause avoidable cache stampedes, latency regressions, and higher origin load. Prefer purge-by-tag or targeted URL purges in the default deploy recipe.

Safer deploy snippet pattern
-npx wrangler deploy && curl -sX POST \
+npx wrangler deploy && curl -sX POST \
   "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/purge_cache" \
   -H "Authorization: Bearer ${CF_API_TOKEN}" \
   -H "Content-Type: application/json" \
-  -d '{"purge_everything":true}'
+  -d '{"tags":["app-shell","api-schema-v1"]}'
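Review bot: The replacement payload on the last `+` line hard-codes the tags `app-shell` and `api-schema-v1`, but nothing in this hunk shows responses being served with matching `Cache-Tag` headers, so the purge call can succeed while evicting nothing and the deploy keeps serving stale assets; confirm the Worker or origin sets those tags before making this the default recipe. The first `-`/`+` pair is identical and can be dropped from the suggestion. Separately, `curl -s` hides a rejected request, so add `--fail` or check the `success` field of the JSON response, otherwise a failed purge does not fail the deploy step.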
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@rules/cloudflare-workers-hono-angular-saas-cursorrules-prompt-file/.cursorrules`
around lines 87 - 91, The deploy script currently calls Cloudflare’s API with
"purge_everything": true which causes full-zone cache purges; change it to a
targeted purge approach instead: stop sending purge_everything, and use
purge-by-tag or specific URL purges (e.g., send {"tags":["<DEPLOY_TAG>"]} or
{"files":["/path/to/file"]}) and ensure your build/upload step (the npx wrangler
deploy stage) sets that tag or records the URLs; update the curl payload and any
deployment step that sets CF cache tags so subsequent deploys send the tag-based
or URL-based purge rather than a full-zone purge.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 15aa1406-c522-483b-b487-a934e9ed1698

📥 Commits

Reviewing files that changed from the base of the PR and between fc2ce04 and b210653.

📒 Files selected for processing (1)
  • rules/cloudflare-workers-hono-angular-saas-cursorrules-prompt-file/.cursorrules

- Split large apps: `app.route('/path', subApp)`
- Error envelope: `{ error: string, code?: string, details?: unknown }`
- `createFactory<{ Bindings: Env }>()` for reusable middleware chains
- `GET /health` returns `{ status, version, timestamp }`

⚠️ Potential issue | 🟡 Minor

Health contract is inconsistent with the starter implementation.

Line 23 mandates { status, version, timestamp }, but Line 110 omits version. Please align the starter response with the stated API contract.

Proposed fix
-app.get('/health', (c) => c.json({ status: 'ok', timestamp: new Date().toISOString() }));
+app.get('/health', (c) =>
+  c.json({
+    status: 'ok',
+    version: c.env.WORKER_VERSION ?? 'unknown',
+    timestamp: new Date().toISOString(),
+  })
+);
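Review bot: The added `version: c.env.WORKER_VERSION ?? 'unknown'` line reads a binding that none of the visible lines declare, so unless `WORKER_VERSION` is added to the `Env` type and the Worker's configuration in the same change, the endpoint will keep reporting `unknown` while still looking healthy; declare the binding alongside this fix, or drop the fallback so a missing value is noticed. The route as written takes no middleware, so also decide whether the exact build version should be readable by unauthenticated callers.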

Also applies to: 110-110

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@rules/cloudflare-workers-hono-angular-saas-cursorrules-prompt-file/.cursorrules`
at line 23, The health endpoint implementation for GET /health does not match
the documented contract `{ status, version, timestamp }`; update the GET /health
handler to return an object including a status string (e.g., "ok"), a version
field (sourced from the app/package version or an env var), and a timestamp (ISO
string or epoch) so the runtime response matches the contract; ensure the
handler that constructs the response (the GET /health route) is changed to
include the version property.

Comment on lines +66 to +69
- Must: HSTS, CSP (nonce-based strict), X-Content-Type-Options, X-Frame-Options
- Must: Referrer-Policy, Permissions-Policy, COOP, COEP, CORP
- Remove: X-XSS-Protection, Expect-CT, Server, X-Powered-By
- Turnstile on all forms, Zod validation on all inputs

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In Hono (v4.12+), does secureHeaders() default configuration provide a strict nonce-based Content-Security-Policy suitable for Trusted Types enforcement, or must CSP nonce directives be configured explicitly?

💡 Result:

In Hono (v4.12+), the default configuration of secureHeaders does not provide any Content-Security-Policy (CSP) header, let alone a strict nonce-based one suitable for Trusted Types enforcement. CSP must be configured explicitly via the contentSecurityPolicy option. While the middleware supports nonce-based CSP (using the NONCE helper in directives like scriptSrc) and Trusted Types directives (trustedTypes and requireTrustedTypesFor), these require explicit configuration. The default SecureHeadersOptions sets other headers like Strict-Transport-Security, X-Frame-Options, etc., but CSP is "No Setting" by default.


🏁 Script executed:

cat -n "rules/cloudflare-workers-hono-angular-saas-cursorrules-prompt-file/.cursorrules" | sed -n '60,120p'

Repository: PatrickJS/awesome-cursorrules

Length of output: 2104


🏁 Script executed:

# Search for CSP or Content-Security-Policy configuration in the codebase
rg -i "content-security-policy|csp|nonce" --type-list

Repository: PatrickJS/awesome-cursorrules

Length of output: 462


🏁 Script executed:

# Look for secureHeaders usage and any CSP configuration
rg -i "secureHeaders|contentSecurityPolicy" -A 5 -B 2

Repository: PatrickJS/awesome-cursorrules

Length of output: 55


The starter code must include explicit CSP configuration to match the documented security requirements.

The rules require nonce-based strict CSP as mandatory (line 66), but the starter code (lines 108–110) uses only secureHeaders(), which provides no Content-Security-Policy by default. Per Hono's documentation, CSP headers must be configured explicitly via the contentSecurityPolicy option. Add an explicit CSP configuration with nonce-based directives and Trusted Types enforcement to the middleware setup.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@rules/cloudflare-workers-hono-angular-saas-cursorrules-prompt-file/.cursorrules`
around lines 66 - 69, The secureHeaders() middleware is being used without an
explicit Content-Security-Policy; update the middleware setup that calls
secureHeaders() to pass the contentSecurityPolicy option and configure a
nonce-based strict CSP with Trusted Types enforcement and required directives
(e.g., default-src 'none'; script-src 'nonce-<generated-nonce>'
'strict-dynamic'; style-src 'nonce-<generated-nonce>'; connect-src, img-src,
font-src as needed), ensuring the nonce is generated per request and injected
into responses and into any inline scripts/styles; modify the code that
generates responses to expose the per-request nonce to templates or inline
script insertion so the CSP nonce and Trusted Types policy are consistently
applied.
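
The gap raised in this review (a header set that looks hardened but carries no CSP) can be caught with a check over response headers. This is an added example, not code from the PR or from Hono; `auditHeaders`, `parseCsp` and both sample header sets are constructed for illustration, and the required and forbidden lists come from the ruleset lines quoted above.

```javascript
// Checklist from the quoted ruleset lines: headers that must be present or removed.
const REQUIRED = ['strict-transport-security', 'content-security-policy',
  'x-content-type-options', 'x-frame-options', 'referrer-policy',
  'permissions-policy', 'cross-origin-opener-policy',
  'cross-origin-embedder-policy', 'cross-origin-resource-policy'];
const FORBIDDEN = ['x-xss-protection', 'expect-ct', 'server', 'x-powered-by'];

// Parse a CSP value into { directive: [sources] }. As in browsers, the first
// occurrence of a directive wins and later duplicates are ignored.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in out)) out[key] = sources;
  }
  return out;
}

// Return a list of findings; an empty list means the checklist is satisfied.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  for (const n of REQUIRED) if (!(n in h)) findings.push(`missing ${n}`);
  for (const n of FORBIDDEN) if (n in h) findings.push(`remove ${n}`);
  if ('content-security-policy' in h) {
    const csp = parseCsp(h['content-security-policy']);
    // script-src falls back to default-src when it is absent.
    const script = csp['script-src'] ?? csp['default-src'] ?? [];
    if (!script.some((s) => /^'nonce-[\w+\/=-]+'$/.test(s)))
      findings.push('csp: script-src has no nonce');
    if (!(csp['require-trusted-types-for'] ?? []).includes("'script'"))
      findings.push('csp: trusted types not enforced');
  }
  return findings;
}

// Constructed sample: several hardening headers set, but no CSP at all.
const NO_CSP = {
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff', 'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'no-referrer', 'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin', 'X-Powered-By': 'Hono' };
// Constructed sample: the same set completed with a nonce-based strict CSP.
const { 'X-Powered-By': _removed, ...base } = NO_CSP;
const STRICT = { ...base, 'Permissions-Policy': 'geolocation=()',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Content-Security-Policy': "default-src 'none'; script-src 'nonce-cjR0ZXN0bm9uY2U=' 'strict-dynamic'; require-trusted-types-for 'script'" };
console.log(auditHeaders(NO_CSP), auditHeaders(STRICT));
```

Run against a captured response from a staging deploy, the same function works as a CI gate: fail the build when the returned list is not empty.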
