pekral/cursor-rules

PHP and Laravel Cursor rules — coding standards, testing, and conventions for Cursor editor

Package info

github.com/pekral/cursor-rules

Type: composer-plugin

pkg:composer/pekral/cursor-rules

Statistics

Installs: 176 839

Dependents: 5

Suggesters: 0

Stars: 3

Open Issues: 0


README

Cursor Rules for PHP and Laravel

Cursor rules for PHP and Laravel — a complete set of .mdc rule files and Agent skills for Cursor, Claude Code, and Codex. One package for PHP and Laravel cursor rules: coding standards, testing, and conventions. The installer discovers the project root (via composer.json lookup from the current directory), mirrors the rules/ directory into the editor's rules path and the skills/ directory into the editor's skills path, and copies or symlinks every file into the target project. Use cursor rules for PHP and Laravel to keep every edit aligned with enforced standards, plus comprehensive Agent skills for issue resolution, bug fixing, code review, security analysis, refactoring, testing, and package review.

Why This Package

  • cursor rules for PHP and Laravel in one Composer-installable package
  • unified PHP coding guidelines for PHP 8.4 projects
  • Pest-based testing with mandatory code analysis and 100% coverage
  • strong focus on clean code: typed properties, SRP, no redundant comments
  • 31 comprehensive Agent skills for automated workflows (v0.8.3)
  • fast onboarding inside development repositories

Installation

composer require pekral/cursor-rules --dev
vendor/bin/cursor-rules install --editor=cursor

The --editor flag is required. Use it to choose the target agent:

  • cursor: .cursor/rules, .cursor/skills
  • claude: .claude/rules, .claude/skills, and when HOME/USERPROFILE is set also ~/.claude/skills
  • codex: .codex/rules, .codex/skills, and when HOME/USERPROFILE is set also ~/.codex/skills
  • all: all of the above (Cursor, Claude, Codex in project + home)

When the package is required via Composer, sources are read from vendor/pekral/cursor-rules/rules and vendor/pekral/cursor-rules/skills.

Important: By default, the installer only copies missing files and keeps existing content untouched. Use the --force flag to overwrite existing files: vendor/bin/cursor-rules install --editor=cursor --force. This is particularly useful when you want to update rules to their latest versions or when you've made local changes that should be replaced. The files .cursor/rules/project.mdc and CLAUDE.md are never overwritten once they exist in the target project, so you can safely customize them.

Automatic Installation via Composer Plugin

By default, the Composer plugin does not auto-install rules on composer install or composer update. To enable automatic installation, add the following to your project's composer.json:

{
  "extra": {
    "cursor-rules": {
      "auto-install": true,
      "editor": "claude"
    }
  }
}

Option | Description | Default
auto-install | Enable automatic install on composer install/update. | false
editor | Target editor for auto-install (cursor, claude, codex, all). | cursor

If you prefer manual control, simply call vendor/bin/cursor-rules install in your Composer post-update-cmd scripts with the desired flags.

Installing rules from GitHub (Cursor only)

You can use this repository as a Remote Rule in Cursor without installing the package via Composer:

  1. Open Cursor Settings → Rules.
  2. In the Project Rules section, click Add Rule.
  3. Select Remote Rule (Github).
  4. Enter the repository URL: https://github.com/pekral/cursor-rules.

Cursor will fetch and apply the rules from the repository. Note: this method provides rules only; Agent skills are installed into your project when you use the Composer-based installation above.

Available Commands

vendor/bin/cursor-rules help                                  # print help
vendor/bin/cursor-rules install --editor=cursor               # install for Cursor
vendor/bin/cursor-rules install --editor=claude               # install for Claude
vendor/bin/cursor-rules install --editor=codex                # install for Codex
vendor/bin/cursor-rules install --editor=all                  # install for Cursor, Claude, and Codex
vendor/bin/cursor-rules install --editor=cursor --force       # overwrite existing files
vendor/bin/cursor-rules install --editor=cursor --symlink     # prefer symlinks (fallback to copy)
vendor/bin/cursor-rules install --editor=claude --allow-bundled-scripts   # whitelist this package's bundled scripts in ~/.claude/settings.json

Installer Flow

  1. Determine the project root by walking up from the current directory until composer.json is found.
  2. Resolve the rules source (local rules/ or vendor/pekral/cursor-rules/rules).
  3. Install rules into the target directory(ies) for the chosen editor (see --editor).
  4. If present, resolve the skills source and install into the corresponding skill directory(ies).
  5. For --editor=claude or --editor=all: copy CLAUDE.md to the project root (never overwrites existing).
  6. Optionally overwrite existing files with --force; use --symlink to prefer symlinks (fallback to copy on Windows).
  7. Surface explicit errors for missing directories, removal failures, and copy/symlink failures.
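
Because the default install copies only missing files and --symlink can leave links in place of copies, the rule files an agent actually loads can drift from the package source. The script below is an added example, not part of the package: it compares an installed rules directory against the source, and its function names (scan_rules, audit_rules) and its treatment of a top-level project.mdc as an intentional customization are assumptions.

```shell
#!/bin/sh
# Added example, not shipped with pekral/cursor-rules.
# Finding types printed by scan_rules, one per line:
#   MISSING  rel  in source, absent from target
#   MODIFIED rel  content differs from source (stale copy or local edit)
#   SYMLINK  rel  target is a symlink that does not resolve to the source file
#   EXTRA    rel  only in target (what --prune would remove)

scan_rules() {
    src=$1; dst=$2
    # Pass 1: walk the package source and check each installed counterpart.
    (cd "$src" && find . -type f) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        if [ -L "$dst/$rel" ]; then
            # -ef follows links and compares device/inode of both paths.
            [ "$dst/$rel" -ef "$src/$rel" ] || echo "SYMLINK $rel"
        elif [ ! -e "$dst/$rel" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "$src/$rel" "$dst/$rel"; then
            # Assumption: project.mdc is the file users are meant to customize.
            [ "$rel" = "project.mdc" ] || echo "MODIFIED $rel"
        fi
    done
    # Pass 2: anything in the target with no source counterpart.
    (cd "$dst" && find . \( -type f -o -type l \)) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        [ -e "$src/$rel" ] || [ "$rel" = "project.mdc" ] || echo "EXTRA $rel"
    done
}

# audit_rules SRC DST: returns 0 when clean, 1 with findings, 2 on bad input.
audit_rules() {
    [ -d "$1" ] && [ -d "$2" ] || { echo "ERROR: missing directory" >&2; return 2; }
    findings=$(scan_rules "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical call from the project root:
#   audit_rules vendor/pekral/cursor-rules/rules .cursor/rules
if [ "$#" -eq 2 ]; then
    audit_rules "$1" "$2"
fi
```

The non-zero exit status on findings lets the check run as a CI step after composer install.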

CLI Switches

Option | Description
--editor=EDITOR | Target editor (required): cursor, claude, codex, all.
--force | Overwrite files that already exist in the target directory.
--symlink | Create symlinks when the OS permits; automatically falls back to copy.
--prune | Remove files in target that no longer exist in source.
--allow-bundled-scripts | Opt-in. With --editor=claude or --editor=all, idempotently appends a narrow allow-list for this package's bundled scripts (load-issue.sh for GitHub and JIRA) to ~/.claude/settings.json, so Claude Code stops prompting on every run. Other entries in settings.json are preserved. No effect when the editor target is cursor / codex or when HOME / USERPROFILE is not set.
(default) | Only copy missing files and keep existing content untouched.

🎯 Skills Overview — v0.8.3

Current release includes 31 skills for issue resolution, code review, refactoring, testing, security, SQL performance, and delivery workflows.

Agent skills are installed into the chosen editor’s skill directory (see --editor). Use --editor=all to install for Cursor, Claude, and Codex at once. They can be invoked when relevant. Each skill follows project conventions, ensures code quality, and maintains 100% test coverage where applicable.

Note: Skill files use relative paths (e.g. @rules/…, @skills/…) without any editor-specific prefix, so they work with any supported editor (--editor=cursor, --editor=claude, --editor=codex, --editor=all).

Issue Resolution & Delivery

Skill | Description
analyze-problem | Structured problem analysis for debugging, root cause identification, and breaking down complex issues.
resolve-issue | Unified issue resolution for GitHub, JIRA, and Bugsnag. Detects the tracker from the provided link, runs analyze-problem before implementation, validates with tests, and creates a PR.
autoresolve-oldest-github-issue | Picks the oldest open GitHub issue (optionally filtered by label, default Resolve_by_AI) and chains resolve-issue → code-review-github → process-code-review → merge-github-pr against the resulting PR. Stops on any documented blocker (merge conflict, failing CI, residual Critical/Moderate findings).
merge-github-pr | Safely merge GitHub pull requests that are ready for deployment.
create-issue | Create a tracker issue from provided task text while preserving original meaning and structure.
create-issues-from-text | Batch-create issues from provided text with automatic structure detection.
pr-summary | Summarize current PR changes for development and product teams as a short two-section comment (Summary of changes + How to test), rendered as GitHub Markdown for PR comments or JIRA Wiki Markup for JIRA issue comments.
skill-creator | Scaffold a new Agent skill that follows project conventions and passes skill-check validation.
cleanup-local-branches | Prune dead local Git branches — those whose upstream was deleted on origin (gone) and those with no origin counterpart inactive for more than six months — while protecting the current and default branches and previewing every deletion.

Code Review, Security & Architecture

Skill | Description
assignment-compliance-check | Plain-language check that the PR implementation fulfills the linked issue's business requirements; reports only Critical functional gaps as a dedicated comment on the originating issue tracker — no local file written and never embedded in the PR comment.
prepare-issue-context | Pre-flight data + codebase prep before /resolve-issue, TDD, or CR. Extracts every assignment scenario, maps each to a code path, seeds the dev DB with the records the scenario depends on, and surfaces gaps so the implementing agent never has to guess.
code-review | Senior PHP code review focused on architecture, risk, and behavior (read-only).
code-review-github | Review GitHub pull requests; posts technical findings on the PR and a non-technical pr-summary comment on every linked GitHub issue (read-only on the codebase; publishes only comments via gh).
code-review-jira | Review changes linked to a JIRA ticket; posts technical findings on the GitHub PR and a non-technical pr-summary comment on the JIRA ticket (read-only on the codebase; publishes only comments via gh and acli).
process-code-review | Process existing review feedback, resolve comments, and prepare next review cycle.
security-review | OWASP-focused security review (injection, auth, SSRF, exposure, misconfigurations) — read-only.
api-review | API design contract review (@rules/api/general.mdc) — resource-oriented REST, HTTP method/idempotence, idempotency keys, precise status codes, validation at the trust boundary. Self-scopes to API-surface diffs and runs on every CR — read-only.
security-threat-analysis | Analyze a specific security threat from a referenced source (CVE, GHSA, advisory, blog post). Produces a human-readable remediation report with ordered, agent-actionable steps and a verification check.
class-refactoring | Refactor PHP classes using SOLID and Laravel best practices with testability focus.
refactor-entry-point-to-action | Refactor controller/job/command/listener entry-point logic into Action classes.
smartest-project-addition | Propose one high-impact, low-risk project improvement.
understand-propose-implement-verify | Enforce a strict 4-step loop: understand, propose, implement, verify.

Testing & Quality Automation

Skill | Description
create-test | Add tests following project rules with deterministic behavior and high coverage.
create-missing-tests-in-pr | Validate review recommendations and add missing tests for current PR changes.
rewrite-tests-pest | Rewrite tests to PEST style while preserving behavior and conventions.
test-like-human | Validate PR behavior from user perspective using scenario-driven testing.
test-driven-development | Enforce strict red-green-refactor flow for bugfixes and features.
tester-cookbook | Turn a JIRA task and its linked PRs into a concise QA report for a non-technical tester — focused on what to report back to the dev team, optionally with brief steps to reach the result — delivered as a JIRA Wiki Markup comment.

Platform & Data

Skill | Description
composer-update | Analyze composer updates, conflicts, and changelog impact.
mysql-problem-solver | Diagnose and optimize MySQL queries, indexes, and execution plans.
laravel-telescope | Analyze Laravel Telescope request data from URL, match entries in DB, and propose concrete optimizations.

Claude Code Subagents

The package ships Claude Code subagents for common PHP and Laravel workflows. Agents are a thin orchestration layer over the existing skills — they do not replace them and they do not duplicate their prompts.

Rules  = long-lived project standards
Skills = reusable workflows
Agents = specialised orchestration roles over multiple skills

Install for Claude Code or for every supported editor:

composer require pekral/cursor-rules --dev
vendor/bin/cursor-rules install --editor=claude
# or
vendor/bin/cursor-rules install --editor=all

Agents are installed to:

.claude/agents/

They are not installed for --editor=cursor or --editor=codex.

Available subagents

Agent | Role | Orchestrated skills
php-code-reviewer | Senior PHP/Laravel review of the current diff. Read-only by default. | code-review, security-review, create-missing-tests-in-pr
issue-resolver | End-to-end issue resolution from GitHub, JIRA, or Bugsnag. | prepare-issue-context, analyze-problem, test-driven-development, resolve-issue, code-review
test-engineer | Author, repair, and complete Pest / feature tests, including missing-coverage fills on open PRs. | create-test, create-missing-tests-in-pr, test-driven-development, rewrite-tests-pest
security-reviewer | OWASP-focused review of the current diff or a referenced advisory. Read-only by default. | security-review, security-threat-analysis
laravel-architect | Design and restructuring of Laravel architecture (Actions, services, jobs, Livewire, domain boundaries). | analyze-problem, refactor-entry-point-to-action, understand-propose-implement-verify
mysql-performance-reviewer | MySQL and Eloquent performance analysis; every index recommendation justified by a query pattern. | mysql-problem-solver, laravel-telescope
refactoring-specialist | Behaviour-preserving PHP/Laravel refactors in small, test-backed steps. | class-refactoring, refactor-entry-point-to-action, understand-propose-implement-verify, create-test

Example invocations in Claude Code

@agent-php-code-reviewer review the current diff
@agent-issue-resolver resolve GitHub issue #123
@agent-test-engineer add missing tests for this PR
@agent-security-reviewer review the authentication changes
@agent-mysql-performance-reviewer analyze this slow query
@agent-refactoring-specialist refactor this service without changing behavior
@agent-laravel-architect propose a cleaner architecture for this feature

Workflow continuity — agents do not change the slash-command pipeline

The skill-based pipeline still works exactly as before:

/resolve-issue <link>
/code-review-github <link>
/process-code-review <link>
/merge-github-pr <link>

Agents are entry-points to the same skills, so quality and output stay identical. Pick whichever entry feels natural for the task:

Slash command (skill) | Equivalent subagent entry-point
/analyze-problem <link> → /resolve-issue <link> → /code-review-github or /code-review-jira <link> → /process-code-review <link> → (on explicit request) /merge-github-pr <link> | @agent-issue-resolver resolve <link> (chains every step — picks code-review-github for GitHub / Bugsnag sources and code-review-jira for JIRA, converges the post-PR loop, and only merges when you say so)
/code-review-github <link> | @agent-php-code-reviewer review <link>
/security-review | @agent-security-reviewer review the current diff
/create-test / /create-missing-tests-in-pr | @agent-test-engineer add missing tests for <link>

When in doubt, prefer the slash command — it invokes the underlying skill directly, with no extra layer. Use the agent when you want Claude Code to select the right skill for you, or when you want to chain several skills under a single specialist role.

Rules Overview

Rules included in this package:

File | Description | Scope
php/core-standards.mdc | Project context, AI behavior, and unified PHP/Laravel coding standards | Always
git/general.mdc | Unified git workflow, commits, and pull request rules | Always
code-review/general.mdc | Code review conventions and output rules | Always
code-testing/general.mdc | Testing conventions and quality standards | Always
refactoring/general.mdc | Shared refactoring definition (legacy → modern, incremental migration) | Refactor
jira/general.mdc | JIRA CLI usage and formatting rules | JIRA
reports/general.mdc | Language rule for reports published to issue trackers (assignment language) | Always
laravel/architecture.mdc | Laravel architecture and conventions | Laravel
laravel/laravel.mdc | Laravel-specific rules and patterns | Laravel
laravel/filament.mdc | Filament v4 specific rules | Filament
laravel/livewire.mdc | Livewire component rules and conventions | Livewire
laravel/queue-debouncing.mdc | Safe Laravel queue debouncing, urgency separation, and replaceable work | Laravel
laravel/dynamodb.mdc | DynamoDB query safety: scan prevention, key-targeted reads, Tinker debug | Laravel
sql/optimalize.mdc | SQL query optimization, index design, schema standards | Always
security/backend.md | Backend security rules and OWASP Top 10 checks | Always
security/frontend.md | Frontend security rules (XSS, CSRF, CSP) | Frontend
security/mobile.md | Mobile-specific security rules and WebView checks | Mobile

All .mdc and .md files are ready for automatic injection by Cursor so every PHP and Laravel edit stays aligned with the enforced standards.

Development & Testing

Composer Scripts

composer check              # run full quality check (skill-check, normalize, phpcs, pint, rector, phpstan, audit, tests)
composer fix                # run all automatic fixes (skill-check-fix, normalize, rector, pint, phpcs)
composer build              # install (cursor-rules install --force) then fix then check
composer analyse            # run PHPStan static analysis
composer test:coverage      # run tests with 100% coverage
composer coverage           # alias for test:coverage
composer security-audit     # run security audit of dependencies

Individual Commands

composer skill-check                # SKILL.md linter (validation + scoring across every skill)
composer skill-check-fix            # SKILL.md linter with auto-fix
composer composer-normalize-check   # validate composer.json normalization (dry-run)
composer composer-normalize-fix     # apply composer.json normalization
composer phpcs-check                # PHP CodeSniffer check
composer phpcs-fix                  # PHP CodeSniffer fix
composer pint-check                 # Laravel Pint check
composer pint-fix                   # Laravel Pint fix
composer rector-check               # Rector check (dry-run)
composer rector-fix                 # Rector fix

Testing

./vendor/bin/pest           # run all tests
composer test:coverage      # run tests with coverage (min. 100%)

Remove coverage.xml before committing if it was produced locally.

Author

Petr Král — PHP Developer & Laravel programmer, open source contributor (pekral.cz).

License

MIT — free to use, modify, and distribute.