15 Automation Prompts for Cursor — Copy-Paste Ready for Enterprise Deployments

[IMAGE_PLACEHOLDER_HEADER]

Why Cursor Automation Prompts Became a Production Concern in 2026

Cursor’s rapid adoption across engineering teams turned prompt design into a governance problem. By 2026 many organizations had stopped debating whether to use AI-assisted coding and started asking how to make it safe, auditable, and repeatable. When models like GPT-5.2-Codex can author large, working diffs in minutes, a single poorly constructed prompt can cause cascading incidents — or, conversely, unlock huge productivity gains when designed correctly.

Three technical shifts accelerated this transition:

• Model capability and reliability: GPT-5.2-Codex and Claude family models reached performance that makes them useful for real engineering work at scale. Benchmarks like SWE-bench Verified provide objective baselines for model selection.
• Ultra-long context windows and caching: Models with million-token contexts and prompt caching make whole-repo grounding cost-effective, enabling “read-before-write” patterns that dramatically reduce hallucination.
• Agent controls in tooling: Cursor 1.7 introduced Background Agents and deterministic tool budgets, letting organizations constrain file reads/writes, execution time, and network access for reproducible runs.

These changes reframed prompts from ephemeral chat messages into governance artifacts. Prompts should be stored, reviewed, tested, and versioned like any other configuration or IaC. They require operational patterns: model pinning, tool budget declarations, and validation harnesses. Later sections explain how to do this at scale and include templates and checklists for validation and measurement.

Before diving into the prompts, two quick operational principles to keep in mind:

1. Force grounding: Always require the model to grep/read relevant parts of the repo before producing code. This prevents API hallucinations and enforces local conventions.
2. Split planning from execution: For high-risk operations produce a plan-first prompt that outputs a PR-style checklist and a conservative remediation plan; execute only after human approval.

For practical adoption patterns and an operational primer, see our internal playbook and further reading: [INTERNAL_LINK], [INTERNAL_LINK].

Code Generation Prompts That Don’t Hallucinate APIs

[IMAGE_PLACEHOLDER_SECTION_1]

API hallucination—where an LLM invents function names, method signatures, or library behavior that doesn’t exist in the target codebase—is the most common and most dangerous failure mode. The prompts in this section implement deterministic “read before write” workflows that require the model to collect evidence from the repository, list the specific APIs found, and only then scaffold code constrained by that evidence.

Best practices for safe code generation prompts:

• Tool budget declarations: Declare max file reads and writes. Example: max_reads=12, max_writes=4.
• Evidence-first responses: Require the model to output a short evidence list (file paths and code snippets) it found before any code generation.
• Fail-fast on ambiguity: Stop and ask a targeted clarifying question if required evidence is missing.
• Automated test execution: Mandate generation of tests and run them; refuse to write code that cannot pass initial tests without human review.

Prompt 1: Schema-First API Endpoint Generator

This prompt enforces Zod and Prisma schema alignment, production-friendly error envelopes, and a required failing test so reviewers and CI can catch regressions early.

You are generating a new REST endpoint for our Express + Zod + Prisma stack.

Before writing any code:
1. Use grep to find 2 existing endpoints in src/routes/ that match the resource pattern
2. Read the corresponding Prisma model in prisma/schema.prisma
3. Read the matching Zod schema in src/schemas/

Then output, in this order:
- A short evidence block listing the exact methods found (file path + one-line snippet)
- A Zod input schema (strict mode, no passthrough)
- A Zod output schema
- The route handler with explicit error envelope { error: { code, message, requestId } }
- A failing integration test in tests/integration/ using our existing test harness

Constraints:
- Do not invent Prisma methods. Only use methods that appear in existing routes.
- All async ops wrapped in our withTracing() helper (find it via grep).
- Return early on validation failure with 400.
- No console.log. Use the logger from src/lib/logger.ts.

After writing, run the test and report pass/fail.

Why it works: the explicit evidence block prevents fabrication, the restriction to existing Prisma methods blocks invented ORM helpers, and the mandated test ensures the generated contract is verified in CI-like conditions. Use Cursor tool budgets to cap reads and writes when running this prompt in production repositories.

Prompt 2: Typed Client SDK Generator

Generate a typed TypeScript client for the OpenAPI spec at openapi/internal.yaml.

Use openapi-typescript v7 conventions. The generated client must:
- Export one function per operationId
- Use fetch with AbortController support
- Type all responses as discriminated unions on status code
- Throw a typed ApiError class (define it inline) on non-2xx
- Include JSDoc with the operation's summary and parameter descriptions

Output location: packages/client/src/generated/
Do not modify the OpenAPI spec. If the spec has ambiguities, list them at the end and stop.

Tip: add a frontmatter block to pin the prompt to a model and tool budget. Example frontmatter: model: gpt-5.2-codex, tools: [read,write,grep], max_reads: 10.

Prompt 3: Database Migration Drafter

Migrations require conservative behavior. This prompt sources schema and migration history, enforces Postgres best practices, and halts on ambiguity.

Draft a Prisma migration that {DESCRIBE CHANGE}.

Required workflow:
1. Read prisma/schema.prisma and the last 3 migrations in prisma/migrations/
2. Identify any tables exceeding 10M rows (check our docs/db-size.md)
3. For tables in that list, the migration MUST be backward-compatible across one deploy:
   - No DROP COLUMN in the same migration as code changes that stop reading it
   - No NOT NULL added without a default
   - Index creation must use CONCURRENTLY (Postgres)
4. Output the migration SQL, the schema.prisma diff, and a deployment runbook with rollback steps.

Halt and ask if the change requires a multi-stage migration plan.

Operational note: pair this prompt with a staged rollout policy—generate the migration SQL with a multi-stage plan when the table exceeds a volume threshold, and require DBA sign-off in the PR before applying.

Prompt 4: Feature Flag Wrap-Around

Wrap the implementation I'm about to describe in our LaunchDarkly flag pattern.

Steps:
1. grep for existing flag usage in src/ to learn our wrapper conventions
2. Generate a flag key in snake_case following the pattern {team}_{feature}_{date_yyyymm}
3. Wrap new code paths with our useFlag() hook (frontend) or flags.isEnabled() (backend)
4. Add a fallback that matches the current behavior exactly
5. Add a TODO comment with a 90-day expiry date for flag cleanup

The flag must default to OFF in production and ON in dev/staging.

Governance tip: require a flag cleanup action item in the associated PR and add a reminder in the issue tracker for 90 days. This prevents permanent technical debt from feature flags.

Refactoring and Migration Prompts for Large Codebases

[IMAGE_PLACEHOLDER_SECTION_2]

Refactoring across a monorepo is where agent-driven changes can introduce significant regressions. The prompts in this section prioritize small, incremental diffs, clear impact reporting, and human-in-the-loop approval gates.

General safeguarding strategies for refactors:

• Change size caps: Stop automatically editing if LOC delta > 400 or changed files > X. Force split PRs for large changes.
• Call graph analysis: For public type changes, enumerate callers and patch them proactively or produce a separate compatibility PR.
• Plan-only first: Always generate a plan PR that lists files, diffs, and test coverage impact; execute only after manual approval.

Prompt 5: Incremental TypeScript Strict Mode Migration

Migrate exactly ONE file from loose to strict TypeScript: {FILE_PATH}

Procedure:
1. Read the file and tsconfig.strict.json
2. Identify every implicit any, unsafe assertion, and null/undefined gap
3. For each issue, propose the minimal fix (prefer narrowing over assertion)
4. Read every file that imports from {FILE_PATH} (use grep)
5. If your fix changes a public type signature, list all callers and patch them
6. Run: pnpm tsc -p tsconfig.strict.json --noEmit
7. Report errors remaining. Do NOT use `as unknown as` to silence errors.

Hard rule: if total LOC changed exceeds 400, stop and request the work be split.

Engineering trade-off: prefer explicit types over aggressive refactors. A single-file strict migration often reveals cascading issues; opt for tiny, reviewable changes.

Prompt 6: Framework Version Upgrade Bot

You are migrating one component tree at a time from React 18 to React 19.

Target: {COMPONENT_PATH}

Reference the React 19 upgrade guide at react.dev/blog/2024/04/25/react-19-upgrade-guide
Reference our internal migration notes at docs/react-19-migration.md

For this component subtree:
1. Replace forwardRef with the new ref-as-prop pattern where applicable
2. Migrate useEffect calls that depended on legacy strict-mode timing
3. Replace renderToString with renderToPipeableStream where used
4. Update prop types: remove defaultProps on function components
5. Run the component's test file. Report coverage delta.

Output a diff per file, not bulk rewrites. Each diff under 60 lines.

Practically, run on a per-package or per-feature-flag basis. Add a safety switch to revert individual file changes without touching other parts of the application.

Prompt 7: Dead Code Elimination With Safety Net

Identify and remove dead code in {DIRECTORY}.

Definition of dead: not imported anywhere in src/, tests/, scripts/, or referenced by string literal in config/.

Procedure:
1. Build an export inventory of {DIRECTORY}
2. For each export, run: grep -r "exportName" --include="*.ts" --include="*.tsx" --include="*.json"
3. Filter results to exclude the file itself
4. Mark zero-reference exports as candidates
5. CRITICAL: also check for dynamic imports and string-based requires
6. Output the candidate list FIRST as a markdown table. Wait for approval before deleting.

Do not delete:
- Anything under src/api/public/ (external SDK surface)
- Anything matching *.handler.ts (Lambda entry points)
- Exports referenced in package.json "exports" field

Operationally, many dead-code candidates are false positives due to dynamic resolution or reflection. The human review step is essential; do not automate deletion without approval.

Prompt 8: Monorepo Dependency Deduplication

Analyze our pnpm workspace for dependency drift.

1. Read pnpm-workspace.yaml and every package.json
2. For each dependency appearing in 3+ packages, list the versions in use
3. Identify dependencies where major versions differ across packages
4. For each conflict, propose a target version based on:
   - Most-used version (count packages)
   - Latest stable release (check npm registry via fetch tool if available)
   - Known breaking changes (note them)
5. Output a remediation plan as a PR checklist, one package at a time.

Do not modify package.json files in this pass. Plan only.

Separation of planning and execution reduces blast radius and makes dependency upgrades auditable. Follow the plan with lockfile regeneration and CI concurrency controls to avoid cascading rebuild churn.

Testing, CI, and Quality Automation Prompts

Testing automation is the highest ROI area. These prompts target comprehensive unit tests, mutation testing, CI diagnostics, and security triage. The pattern is consistent: produce tests, run them, iterate until passing, and then present a concise summary with metrics (coverage, mutation score, flaky-failure rate).

Prompt 9: Comprehensive Unit Test Generator

Generate a complete unit test suite for {FILE_PATH} using Vitest.

Process:
1. Read the file and any types it imports
2. List every public function and its observable behaviors
3. For each behavior, write tests covering:
   - Happy path with realistic inputs (use our test fixtures from tests/fixtures/)
   - All branch boundaries (off-by-one, empty, null, undefined, NaN)
   - Error paths — verify exact error type and message
   - Concurrency (if async): cancellation, rejection, ordering

Required structure: describe() per function, nested describe() per behavior, test() per case.
Use vi.mock() only for external IO. Do not mock internal pure functions.
Target: branch coverage > 90% on the file.

After writing: run `pnpm vitest run {FILE_PATH}` and iterate up to 3 times on failures.

Performance tip: avoid overly synthetic fixtures; reuse representative fixtures that exist in the repository to produce realistic tests that reflect real runtime shapes and edge cases.

Prompt 10: Mutation Testing Triage

I have Stryker mutation testing results at .stryker-tmp/reports/mutation-report.json

Analyze the report and:
1. List surviving mutants grouped by source file
2. For each surviving mutant, classify as:
   A) Missing test case (write one)
   B) Equivalent mutant (justify and add to stryker.config exclusions)
   C) Weak assertion (strengthen the existing assertion)
3. Generate the new/modified tests
4. Re-run Stryker on affected files and report new mutation score

Target: raise overall mutation score by at least 5 percentage points.

Mutation testing surfaces test quality problems that coverage alone misses. Use the model to triage survivors and produce targeted tests to address real gaps.

Prompt 11: CI Pipeline Diagnostic and Repair

A GitHub Actions workflow is failing. Workflow file: {PATH}, run ID: {ID}.

1. Fetch the run logs via `gh run view {ID} --log`
2. Identify the failing step and the root cause (parse stderr carefully)
3. Cross-reference against:
   - Recent commits to .github/workflows/
   - Recent changes to package.json or lockfiles
   - The action's documented breaking changes (if version pinned)
4. Propose a minimal fix as a diff
5. If the failure is flaky (intermittent, network, race), add the appropriate retry config but DO NOT mask real failures with retries.

Output: root cause, evidence, proposed fix, confidence level (low/medium/high).

When using this prompt in Agent mode, require the model to attach log excerpts and a one-paragraph rationale for the proposed fix to make human review quick and evidence-based.

Prompt 12: Security Scan Triage Automator

Process the Snyk/Semgrep findings in {REPORT_PATH}.

For each finding:
1. Read the flagged code
2. Classify: true positive | false positive | accepted risk
3. For true positives, generate the fix as a patch
4. For false positives, generate the suppression comment with justification
5. For accepted risk, generate a docs/security-exceptions.md entry with expiry date

Severity priority: critical > high > medium. Ignore low/info this pass.
Do not commit fixes. Output as a review-ready PR description with the diffs inline.

Security triage benefits from a human-in-the-loop. The model streamlines classification and remediation drafts; security engineers verify and merge.

Operational Readiness and Deployment Prompts

Operational prompts bridge the gap between “code compiles” and “code runs reliably in production.” They focus on observability, manifests, runbooks, and postmortems. These artifacts are often read by non-engineers — on-call, product, legal — so style and structure matter.

Prompt 13: Observability Instrumentation Pass

Add OpenTelemetry instrumentation to {SERVICE_PATH}.

Reference our observability standards in docs/observability.md before starting.

For every public function and HTTP route:
1. Add a span using our tracer wrapper from src/lib/otel.ts
2. Record relevant attributes (no PII — check the PII allowlist in src/lib/pii-rules.ts)
3. Set span status correctly on errors
4. Add structured log entries at INFO for state transitions, ERROR for failures
5. Add a counter metric for {service}_{operation}_total with labels: status, route

Do not add span.recordException for expected errors (4xx). Only for 5xx.
Do not log request bodies. Log a hash of the request ID for correlation only.

After implementation, generate a Grafana dashboard JSON for the new metrics.

Observability is not just instrumentation — it’s a contract. Use the model to generate both code and the corresponding dashboard; include metric names and expected cardinality to avoid high-cardinality pitfalls.

Prompt 14: Deployment Manifest Generator

Generate Kubernetes manifests for a new service: {SERVICE_NAME}

Read our base templates in k8s/templates/ and our cluster constraints in k8s/CLUSTER_RULES.md.

Output, using Kustomize overlays:
- base/deployment.yaml with resource requests AND limits (no requests-only)
- base/service.yaml
- base/hpa.yaml (CPU + memory + custom metric from app)
- base/pdb.yaml (minAvailable: 1 for single-replica, else maxUnavailable: 25%)
- base/networkpolicy.yaml (default-deny + explicit allows)
- overlays/staging/ and overlays/production/ with environment-specific patches

Constraints from CLUSTER_RULES:
- All images must be from our internal registry (verify the image path)
- securityContext: runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities
- No hostNetwork, hostPID, hostIPC
- Liveness probe must differ from readiness probe (separate endpoints)

Validate with: kubectl --dry-run=server apply -k overlays/staging/

Include a checklist in the generated PR: image provenance, secret handling, RBAC review, and performance benchmark plan for load testing. Use Cursor’s Background Agents to run validations over an hour-long period for cluster-level checks.

Prompt 15: Incident Response Postmortem Drafter

Draft an incident postmortem for incident {ID}.

Inputs to read:
1. Slack channel export at {CHANNEL_EXPORT_PATH}
2. PagerDuty incident JSON at {PD_EXPORT_PATH}
3. Relevant Grafana panels (URLs in the PD export)
4. The deploy/commit log for the affected service across the incident window

Follow our blameless postmortem template at docs/postmortem-template.md.

Required sections:
- Summary (3 sentences max, user-impact framing)
- Timeline (UTC, every state transition, source-cited)
- Root cause (5-whys, separate triggering cause from underlying cause)
- Detection (how did we find out, was monitoring sufficient)
- Mitigation (what stopped the bleeding, time-to-mitigate)
- Action items (each with owner, due date, type: prevent/detect/respond)

Tone: factual, no blame language. Do not name individuals; name roles or teams.
Mark any speculation explicitly as "Hypothesis:" — never present as fact.

Postmortems should be readable by executives and actionable by engineers. The model can synthesize and structure raw logs; reviewers must verify the timeline and owners before publishing.

Model Selection: Which Prompt Runs Best on Which Model

Not every prompt performs the same across models. Below is a pragmatic pairing based on internal benchmarking and cost sensitivity. Use it as a starting point and run your own validation suite against representative tasks and code samples.

Prompt Category	Best Model	Budget Alternative	SWE-bench Verified	Approx. Cost per Task
Schema-first generation (1, 2)	GPT-5.2-Codex	Claude Haiku 4.5	74.9% / 41.2%	$0.18 / $0.02
Migration drafting (3, 6)	Claude Opus 4.7	GPT-5.2	79.4% / 72.1%	$1.20 / $0.40
Large refactors (5, 7, 8)	Claude Sonnet 4.6	GPT-5.2-Codex	76.8% / 74.9%	$0.30 / $0.25
Test generation (9, 10)	GPT-5.2-Codex	Claude Sonnet 4.6	74.9% / 76.8%	$0.15 / $0.20
CI/security triage (11, 12)	Claude Sonnet 4.6	GPT-5.2-mini equivalents	76.8% / —	$0.22 / $0.04
Infra + manifests (13, 14)	Claude Opus 4.7	GPT-5.3-Codex	79.4% / 76.3%	$0.90 / $0.55
Postmortems (15)	GPT-5.5	Claude Sonnet 4.6	N/A (writing)	$0.45 / $0.20

Key takeaways:

• Reasoning vs. code synthesis: Claude Opus shines at multi-step reasoning and policy-heavy tasks; Codex-like models tend to be strongest for raw code synthesis and test generation.
• Context and caching matter: For long-running agent loops with repeated, identical context, enable prompt caching to reduce per-call cost by an order of magnitude.
• Writing quality counts: For artifacts consumed by humans (postmortems, runbooks), prioritize models with higher prose quality even if they are slightly more expensive.

For model governance, pin prompts to validated model versions using frontmatter (example below) and maintain a matrix of prompt→model→validation date in your prompt library. See the Appendix templates for examples and a validation checklist. Also see [INTERNAL_LINK] for a deeper dive into model selection strategies.

How to Operationalize These Prompts Across an Engineering Org

Operationalizing prompts means treating them like software: store, review, test, and measure. The pattern below reflects what mature platform teams have converged on.

1. Store prompts in version control

Create /.cursor/prompts/ in each repository. Each prompt file should be markdown with YAML frontmatter that declares the target model, validated model version, required tool budgets, and last validation date. Example frontmatter fields: model, model_hash, max_reads, max_writes, validated_by, validation_date. Use CODEOWNERS to require review by platform and security teams for prompts that grant write permissions.

2. Use plan-only workflows for high-risk actions

For actions with high blast radius (migrations, refactors, dependency upgrades), implement a two-stage workflow: “plan” and “execute.” The plan stage produces a PR with evidence and a safe remediation checklist. The execute stage is gated on explicit human approval and CI checks.

3. Automate prompt validation in CI

Validation should be part of the PR pipeline. Add a validation job that runs the prompt against a canonical dataset or a fakerepo fixture, asserts on expected output shape, and verifies tests pass. Include a reproducibility test that pins the model version and prompt input and checks for consistent, auditable outputs.

4. Enforce tool budgets and capability gating

Use Cursor Background Agent budgets to cap reads/writes/time. Tie the ability to run “write” prompts to team permissions and require additional approvers for cross-team changes. Audit runs server-side and log inputs/outputs for post-hoc review.

5. Measure outcomes and iterate

Define KPIs: PR throughput, time-to-merge, post-deploy defect rate, test coverage delta, and mutation score improvements. Track prompt-specific metrics: runs-per-prompt, failure rate, average iteration count, and human approval time. Tie change in defect rate to prompt usage to justify expansion or rollback of a prompt.

Finally, invest in training and “prompt literacy.” Encourage engineers to annotate prompts with rationale and trade-offs. Host periodic reviews to retire stale prompts and update model pinning.

For a practical implementation checklist and prompt frontmatter templates, see the Appendix and this operational checklist: [INTERNAL_LINK].

Governance, Validation, and Metrics for Prompt Configuration

Because prompts are now configuration, governance and validation are essential. This section provides a concrete validation checklist, recommended metrics, and a lifecycle for prompt changes.

Prompt Validation Checklist

• Frontmatter present: model, model_hash, validated_by, validation_date, tools, max_reads, max_writes
• Reproducible test fixture exists in /.cursor/test-fixtures/
• Plan-only mode implemented for high-risk changes
• CI validation job passes against canonical fixtures
• Security review completed for any prompt requesting network or write access
• Performance-cost estimate provided (expected token usage, cost per run)
• Open-source licenses and third-party code usage authorized
• Audit logging enabled for production runs

Recommended Metrics

• Prompts created / deprecated per quarter
• Average runs per prompt per week
• Approval latency (plan→execute)
• Post-deploy defects traced to prompt outputs (per 100 runs)
• Test coverage delta for generated code
• Mutation testing score changes after prompt-driven tests
• Cost per prompt run (token + compute)

Prompt Lifecycle

1. Author creates prompt with frontmatter and tests — PR required.
2. Platform & security review: validate permissions and tool budgets.
3. CI validation: run prompt against fixture, verify outputs and tests.
4. Deployment: make prompt available as slash command; monitor runs.
5. Periodic re-validation: re-run validation suite monthly or when models update.
6. Deprecation: mark prompt deprecated in frontmatter, notify CODEOWNERS, remove after 90 days.

These controls make prompt usage auditable, traceable, and reversible — critical for regulated environments. For more governance templates and a sample policy doc, see [INTERNAL_LINK].

Appendix — Copy-Paste Ready Prompts (1–15)

The full set of prompts (1–15) is included above in context. For quick import into Cursor, use these patterns:

• Save as markdown in /.cursor/prompts/ with frontmatter.
• Pin model and model_hash to avoid silent model drift.
• Include a short usage note and an examples section to make it easier for engineers to choose the right prompt.

Example frontmatter template (copy into each prompt file):

---
title: "Schema-First API Endpoint Generator"
model: "gpt-5.2-codex"
model_hash: "gpt-5.2-codex-2026-04-01"
validated_by: "platform-team"
validation_date: "2026-05-10"
tools: ["read","grep","write","test"]
max_reads: 12
max_writes: 4
risk_level: "medium"
description: "Generates a REST endpoint for Express + Zod + Prisma using repo-grounded evidence-first steps. Requires test generation and execution."
---

Use this frontmatter pattern as a policy instrument. Prompt updates should be small, documented changes merged via PR with CODEOWNERS sign-off.

Conclusion — Treat Prompts as First-Class Configuration

By 2026, prompts are no longer ephemeral chat inputs — they are operational artifacts. The 15 prompts in this guide provide a repeatable, auditable baseline for enterprise Cursor usage: they enforce evidence-first patterns, minimize hallucinations, and embed guardrails that scale across monorepos and regulated environments.

The real work is organizational: version-control, CI validation, tool budgets, model pinning, and continuous measurement. When platform teams treat prompts like other configuration — with validation, code review, and metrics — the productivity gains from frontier coding models are real and sustainable.

To get started:

1. Pick 2 high-value prompts (e.g., endpoint generator, unit test generator).
2. Implement frontmatter and a CI validation job for them in a single repo.
3. Measure outcomes for 4 weeks and iterate on prompt wording, budgets, and model selection.

For templates, governance docs, and deeper case studies, see these resources: [INTERNAL_LINK], [INTERNAL_LINK], and our curated prompt library (free access): [INTERNAL_LINK].