What Are AI Conventions
Every ShipUI theme ships with a set of battle-tested rules files and an architecture guide for AI coding tools. These give Cursor and Claude Code specific, opinionated instructions about how to structure your code, which patterns to use, and what to never do.
Free cursor rules are generic. They tell AI to "use TypeScript" or "follow best practices." The conventions included with ShipUI themes tell AI exactly how to organize files, exactly how to handle errors, and exactly what architectural boundaries must never be crossed. Every rule explains why it exists and what breaks without it.
The result: AI that makes implementation decisions but stays within the architectural constraints you define.
Getting Started
Setup takes about two minutes. The conventions work with any existing project or a new one.
-
1
Locate the conventions
Every ShipUI theme includes .cursorrules and CLAUDE.md in the project root, along with the architecture guide. These are ready to use out of the box.
-
2
Copy your stack folder into your project root
Pick the folder that matches your stack (for example, nextjs-typescript). Copy .cursorrules and CLAUDE.md into the root of your repository.
-
3
Customize for your project
Open both files and fill in your project-specific details: the stack section, your dev and build commands, and any project-specific conventions. The architecture rules come pre-filled and should not need changes for most projects.
-
4
Start coding
Cursor reads .cursorrules automatically. Claude Code reads CLAUDE.md automatically. Both tools will follow the guardrails from this point forward without any additional setup.
File placement
your-project/
├── .cursorrules
├── CLAUDE.md
├── src/
└── ...
Using the Universal config
If your stack is not one of the three named stacks, or if you want a language-agnostic baseline, start with the universal folder. It contains the architecture principles and the "Don't" rules that apply to any project. You can layer stack-specific rules on top.
A Note on Rule Compliance
These conventions reduce the frequency and severity of rule violations, but they cannot eliminate them entirely. AI models can drift during long conversations, complex tasks, or ambiguous prompts.
Treat the rules as strong architectural guidance rather than guarantees.
Recommended complementary tools
For the best results, pair these conventions with at least one automated code review layer that catches what the AI misses:
Claude Code
Use a separate Claude Code session to review code after generation. With your CLAUDE.md in place, it applies the same rules as a reviewer rather than a generator.
CodeRabbit
AI-powered pull request reviewer that catches architectural issues, security problems, and style violations before code merges. Integrates directly with GitHub.
Greptile
Codebase-aware AI that understands your entire repository. Useful for catching violations that require knowledge of how multiple files relate to each other.
Manual review
No tool replaces reading the code. Use the pre-shipment checklist below as a structured walkthrough before any significant feature ships.
Included Stacks
Each stack includes a .cursorrules file for Cursor, a CLAUDE.md file for Claude Code, and all rules tailored to that framework's conventions.
Next.js + TypeScript
.cursorrules + CLAUDE.md
App Router architecture, Server Components, Zod validation, Prisma or Drizzle repository patterns, and Next.js-specific do-not rules.
Python + FastAPI
.cursorrules + CLAUDE.md
FastAPI route organization, PostgreSQL access patterns, Pydantic schemas, async handling, and Python-specific conventions.
React + Node + Express
.cursorrules + CLAUDE.md
Full-stack JavaScript structure, Express middleware patterns, React component boundaries, and separation of client and server concerns.
Universal
.cursorrules + CLAUDE.md
Language-agnostic architecture rules that apply to any project. A good starting point before adding stack-specific rules on top.
Rule Categories
The rules are organized into four categories. Each stack covers all four.
🏗
Architecture Guardrails
Rules that prevent AI from making structural decisions that become expensive to change later.
File organization and separation of concerns
Database access layer boundaries
API design consistency
State management conventions
🔒
Security Rules
Rules that prevent AI from writing vulnerable code that passes code review but fails in production.
No hardcoded secrets or API keys
Input validation enforcement
Auth pattern requirements
CORS and headers configuration
⚡
Scalability Patterns
Rules that prevent code that works with 10 users but fails with 10,000.
N+1 query prevention
Pagination enforcement on list endpoints
Caching strategy requirements
Connection pooling rules
🧪
Quality Standards
Rules that keep the codebase maintainable when you return to it six months later.
Error handling requirements
Type safety enforcement
Logging conventions
Testing expectations
Architecture Guide
Every ShipUI theme includes a plain-English architecture guide covering the five structural mistakes that AI makes most often. It is designed for developers who learned to code with AI assistance and want to understand the reasoning behind the rules.
What the guide covers
-
1
The God File problem
Why AI puts everything in one file, how it breaks, and how to structure by responsibility instead.
-
2
Database calls in the wrong place
Why direct database imports in route handlers and components cause maintenance debt, and how a service layer fixes it.
-
3
Silent error handling
Why empty catch blocks and generic error messages make debugging impossible, and the pattern that gives you context when things break.
-
4
Missing pagination
Why unbounded list queries work fine in development and fail in production, with the minimum implementation required on every list endpoint.
-
5
Secrets in source code
Why hardcoded credentials are a production risk regardless of repository visibility, and the environment variable pattern that prevents it.
Pre-Shipment Checklist
Each theme includes a checklist that maps directly to the rules. Before marking any task complete, verify each item. The checklist is embedded in the CLAUDE.md and .cursorrules files so AI tools can reference it during code review.
Security
- No secrets or credentials in source code
- All user input validated on the server before use
- Auth checked on every protected endpoint
.env files in .gitignore- CORS configured with specific origins, not wildcard
Structure
- Business logic separated from route handlers and components
- Database access goes through a service or repository layer
- One responsibility per file
- Consistent naming conventions throughout
Data
- All list endpoints paginated with limit and offset
- No database calls inside loops
- Transactions used for multi-step operations
- Schema changes handled through migrations
Error Handling
- No empty catch blocks
- Structured error responses returned to clients
- Errors logged with enough context to debug
- No stack traces exposed to end users
Included with every ShipUI theme
AI conventions come standard. No add-on, no extra cost. Pick a theme and start building.