# CURSOR PROMPTS FOR MVP PRODUCTION READINESS
## Copy-paste these into Cursor Chat or Agent mode
## Run them in order. Each one is self-contained.

---
---

# ════════════════════════════════════════════════
# PROMPT 1: PROJECT AUDIT & CLEANUP
# Run this FIRST on any project before going to production
# ════════════════════════════════════════════════

```
You are a senior full-stack engineer doing a production readiness audit on this project.

Scan the entire codebase and fix the following:

1. **Security sweep:**
   - Find and flag ANY hardcoded API keys, secrets, passwords, or tokens in any file
   - Ensure all secrets use environment variables
   - Check that .gitignore covers: node_modules, .env* (with a `!.env.example` exception so the template from step 3 stays committed), .next, dist, build, .DS_Store, coverage, *.log, .vercel
   - Verify no sensitive data in console.log statements

2. **Code cleanup:**
   - Remove ALL console.log / console.error statements (replace critical ones with a proper logger if needed)
   - Remove all commented-out dead code blocks
   - Remove any TODO/FIXME/HACK comments that won't be addressed before launch
   - Remove any placeholder text: "Lorem ipsum", "test", "asdf", "TODO", sample data
   - Remove unused imports and unused variables

3. **Environment setup:**
   - Create or update `.env.example` with every environment variable the app needs, with descriptions and example values (never real secrets)
   - Verify the app fails gracefully if required env vars are missing (not a cryptic crash)

4. **Package.json:**
   - Ensure `name`, `description`, and `version` fields are correct
   - Remove any unused dependencies
   - Ensure no dev dependencies are imported in production code

Report what you found and fixed. List anything that needs my manual attention.
```

---
---

# ════════════════════════════════════════════════
# PROMPT 2: SEO META TAGS + OPEN GRAPH + TWITTER CARDS
# This is the single most impactful SEO prompt
# ════════════════════════════════════════════════

```
Implement comprehensive SEO meta tags across the entire application.

**Site info (REPLACE THESE):**
- Site name: [YOUR_PRODUCT_NAME]
- Domain: [https://yourdomain.com]
- Default description: [Your 150-160 char description with value prop]
- Twitter handle: [@yourhandle]
- OG image path: /og-image.png (1200x630)
- Theme color: [#yourcolor]
- Language: en

**Requirements:**

1. **Global layout/head** — add these defaults that apply to every page:
   - `<html lang="en">`
   - `<meta charset="utf-8">`
   - `<meta name="viewport" content="width=device-width, initial-scale=1">`
   - `<meta name="theme-color" content="#yourcolor">`
   - `<link rel="icon" href="/favicon.ico">`
   - `<link rel="apple-touch-icon" href="/apple-touch-icon.png">`
   - Default robots: `index, follow`

2. **Per-page metadata** — every page/route must have unique:
   - `<title>` — 50-60 chars, format: "Page Name — Brand"
   - `<meta name="description">` — 150-160 chars, unique per page
   - `<link rel="canonical">` — full absolute URL of that page
   - Open Graph: og:title, og:description, og:image, og:url, og:type, og:site_name
   - Twitter Card: twitter:card (summary_large_image), twitter:site, twitter:title, twitter:description, twitter:image

3. **Page-specific titles and descriptions** — write real, compelling copy for each page:
   - Homepage: focus on main value proposition
   - Features: what the product does
   - Pricing: plans and value
   - About: company story
   - Blog (if exists): blog section description
   - Contact: how to reach us
   - Auth pages (login/signup): set to noindex, nofollow
   - Dashboard/app pages: set to noindex, nofollow

4. **If using Next.js App Router**, use the Metadata API:
   ~~~tsx
   // layout.tsx for defaults + template
   import type { Metadata } from 'next'

   export const metadata: Metadata = {
     metadataBase: new URL('https://yourdomain.com'),
     title: { default: '...', template: '%s | Brand' },
     // ...
   }
   // each page.tsx exports its own metadata
   ~~~

5. **If using anything else** (Vite, Astro, plain HTML), implement via `<head>` tags or the framework's head management.

Do NOT use any third-party SEO libraries. Use the framework's built-in metadata handling.

Implement this now across every route in the project.
```

---
---

# ════════════════════════════════════════════════
# PROMPT 3: ROBOTS.TXT + SITEMAP + LLMs.TXT
# Crawlability and AI discoverability
# ════════════════════════════════════════════════

```
Set up robots.txt, sitemap.xml, and llms.txt for this project.

**Domain:** [https://yourdomain.com]

**Requirements:**

1. **robots.txt** — create at the public root (or as a route that returns text/plain):
   ~~~
   User-agent: *
   Allow: /
   Disallow: /api/
   Disallow: /admin/
   Disallow: /auth/
   Disallow: /dashboard/
   Disallow: /app/

   User-agent: GPTBot
   Allow: /

   User-agent: ChatGPT-User
   Allow: /

   User-agent: Claude-Web
   Allow: /

   User-agent: Anthropic-AI
   Allow: /

   User-agent: PerplexityBot
   Allow: /

   User-agent: Google-Extended
   Allow: /

   User-agent: Applebot-Extended
   Allow: /

   Sitemap: https://yourdomain.com/sitemap.xml
   ~~~
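   Adjust the Disallow paths based on the actual routes in this project that should NOT be crawled (auth, dashboard, API, admin, internal pages). A crawler that matches a named `User-agent` group follows only that group and ignores the `*` group, so repeat the Disallow lines in every named group. robots.txt is advisory: these routes still need real authentication.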

2. **sitemap.xml** — generate dynamically from all public routes:
   - Include all public, indexable pages
   - Each entry: `<url>`, `<loc>`, `<lastmod>`, `<changefreq>`, `<priority>`
   - Homepage priority: 1.0, key pages: 0.8, others: 0.6
   - Do NOT include: auth pages, dashboard pages, API routes, admin pages
   - If using Next.js, create `app/sitemap.ts` that exports a function
   - If using another framework, generate XML directly

3. **llms.txt** — create at the public root as a plain text file:
   ~~~
   # [PRODUCT_NAME]
   > [One-line description of what this product does]

   ## Key Pages
   - [Homepage](https://yourdomain.com): [Brief description]
   - [Features](https://yourdomain.com/features): [Brief description]
   - [Pricing](https://yourdomain.com/pricing): [Brief description]
   - [Docs](https://yourdomain.com/docs): [Brief description]
   - [About](https://yourdomain.com/about): [Brief description]
   - [Contact](https://yourdomain.com/contact): [Brief description]

   Updated: [TODAY'S DATE]
   ~~~
   Adjust the pages list based on the actual routes that exist in this project.

Look at the actual routes/pages in this project and tailor all three files to match what actually exists. Don't include pages that don't exist.
```
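
The robots.txt layout in Prompt 3 gives each AI crawler its own group containing only `Allow: /`. Under RFC 9309 a crawler obeys the group that names it and ignores `*`, so those crawlers are not bound by the `Disallow` lines. The check below is an added example, not part of the original prompts; `parseRobots`, `isAllowed`, `findBypasses` and both sample files are constructed for illustration.

```javascript
// Added example. Path rules are treated as plain prefixes; '*' and '$' are not handled.
function parseRobots(text) {
  const groups = []; // [{ agents: ['gptbot'], rules: [{ allow: true, path: '/' }] }]
  let current = null;
  let inAgentRun = false; // consecutive User-agent lines share one group
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    const sep = line.indexOf(':');
    if (sep === -1) continue;
    const key = line.slice(0, sep).trim().toLowerCase();
    const value = line.slice(sep + 1).trim();
    if (key === 'user-agent') {
      if (!inAgentRun) groups.push((current = { agents: [], rules: [] }));
      current.agents.push(value.toLowerCase());
      inAgentRun = true;
    } else if (key === 'allow' || key === 'disallow') {
      inAgentRun = false;
      if (current && value !== '') current.rules.push({ allow: key === 'allow', path: value });
    } // Sitemap and unknown keys do not affect grouping.
  }
  return groups;
}

// RFC 9309: use the groups naming this crawler; fall back to '*' only if none do.
function rulesFor(groups, agent) {
  const token = agent.toLowerCase();
  const named = groups.filter((g) => g.agents.includes(token));
  const chosen = named.length > 0 ? named : groups.filter((g) => g.agents.includes('*'));
  return chosen.flatMap((g) => g.rules);
}

// Longest matching path wins; Allow wins a tie; no matching rule means allowed.
function isAllowed(groups, agent, path) {
  let best = null;
  for (const rule of rulesFor(groups, agent)) {
    if (!path.startsWith(rule.path)) continue;
    const longer = !best || rule.path.length > best.path.length;
    const tieAllow = best && rule.path.length === best.path.length && rule.allow;
    if (longer || tieAllow) best = rule;
  }
  return best ? best.allow : true;
}

// Lists named crawlers that may fetch a path the '*' group disallows.
function findBypasses(text, probePaths) {
  const groups = parseRobots(text);
  const named = [...new Set(groups.flatMap((g) => g.agents))].filter((a) => a !== '*');
  const found = [];
  for (const agent of named) {
    for (const path of probePaths) {
      const defaultOk = isAllowed(groups, 'unlisted-crawler', path);
      if (!defaultOk && isAllowed(groups, agent, path)) found.push(`${agent} ${path}`);
    }
  }
  return found;
}

// Constructed sample: the layout from Prompt 3, shortened to one named crawler.
const SEPARATE_GROUPS = `
User-agent: *
Allow: /
Disallow: /api/
Disallow: /admin/

User-agent: GPTBot
Allow: /
`;

// Constructed sample: same policy, with the named crawler sharing the '*' group.
const SHARED_GROUP = `
User-agent: *
User-agent: GPTBot
Allow: /
Disallow: /api/
Disallow: /admin/
`;

console.log(findBypasses(SEPARATE_GROUPS, ['/api/users', '/admin/']));
console.log(findBypasses(SHARED_GROUP, ['/api/users', '/admin/']));
```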

---
---

# ════════════════════════════════════════════════
# PROMPT 4: STRUCTURED DATA / JSON-LD SCHEMA
# Rich results in Google + AI-readable entity data
# ════════════════════════════════════════════════

```
Add JSON-LD structured data (schema.org) to this application.

**Company info (REPLACE THESE):**
- Company name: [YOUR_COMPANY]
- Website URL: [https://yourdomain.com]
- Logo URL: [https://yourdomain.com/logo.png]
- Description: [What you do in one sentence]
- Founded: [YEAR]
- Founder name: [YOUR_NAME]
- Location: [City, Country]
- Email: [hello@yourdomain.com]
- Twitter: [https://twitter.com/yourhandle]
- LinkedIn: [https://linkedin.com/company/yourcompany]
- GitHub: [https://github.com/yourcompany]

**Implement these schemas:**

1. **Site-wide (in layout/head):**
   - `Organization` — name, url, logo, description, founders, foundingDate, address, contactPoint, sameAs (social links)
   - `WebSite` — name, url (optionally with SearchAction if you have a search feature)

2. **Per-page (only on pages where they apply):**
   - Homepage: Organization + WebSite (already in layout)
   - Blog posts (if they exist): `Article` or `BlogPosting` — headline, author, datePublished, dateModified, image, publisher
   - FAQ page (if it exists): `FAQPage` with `Question` + `acceptedAnswer` pairs
   - Pricing page (if it exists): `Product` or `SoftwareApplication` with `offers`

3. **Implementation:**
   - Use `<script type="application/ld+json">` tags
   - Create a reusable component/function for injecting JSON-LD
   - Ensure the JSON is valid — no trailing commas, proper escaping
   - Each schema block should be a separate `<script>` tag

4. **Validation:**
   - After implementing, tell me the URLs I should test with Google Rich Results Test

Only add schemas for pages/content types that actually exist in this project. Don't create schemas for pages we don't have.
```

---
---

# ════════════════════════════════════════════════
# PROMPT 5: EMAIL CONFIGURATION CHECK
# DNS records + transactional email setup
# ════════════════════════════════════════════════

```
Audit and fix the email setup in this project.

**Email provider:** [Resend / SendGrid / Postmark / AWS SES — pick yours]
**Sending domain:** [yourdomain.com]
**From address:** [hello@yourdomain.com]

**Check and fix:**

1. **Transactional email code:**
   - Find all places where emails are sent in the codebase
   - Ensure "From" address is consistent and professional (not noreply@)
   - Ensure "Reply-To" is set to a monitored address
   - Ensure all emails have both HTML and plain text versions
   - Ensure email sending failures are caught and logged (not silent failures)
   - Ensure emails are sent asynchronously (don't block the API response)

2. **Email templates — verify these work:**
   - Welcome / signup confirmation email
   - Password reset email
   - Email verification email (if applicable)
   - Any notification emails
   - Ensure all emails have: proper subject line, branded header, clear body, footer with company name

3. **Contact form (if exists):**
   - Form submission sends email to your inbox
   - User gets a confirmation/thank-you response
   - Basic spam protection (honeypot field, rate limiting, or captcha)
   - Form validates inputs before sending
   - Error states shown to user if sending fails

4. **Environment variables for email:**
   - All email config (API keys, SMTP details) in env vars
   - Added to `.env.example` with descriptions

5. **DNS records I need to set (just tell me what to add):**
   - SPF record value
   - DKIM record (explain how to get this from the email provider)
   - DMARC record value: `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com`
   - Tell me exactly what TXT records to add to my DNS

Review the actual email code in this project and fix any issues. If there's no email setup yet, implement a basic transactional email service using [YOUR_PROVIDER].
```
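
The DMARC value in step 5 uses `p=none`, which asks receivers to send reports but still deliver mail that fails authentication, so it works as a starting point rather than an end state. The linter below is an added example, not part of the original prompts; it checks a subset of RFC 7489 and RFC 7208, and `lintDmarc`, `lintSpf` and the `_spf.example.net` include are constructed for illustration.

```javascript
// Added example. Works on record strings only; it performs no DNS queries.
function lintDmarc(record) {
  const findings = [];
  const tags = new Map();
  const parts = record.split(';').map((p) => p.trim()).filter(Boolean);
  for (const part of parts) {
    const eq = part.indexOf('=');
    if (eq === -1) {
      findings.push(`malformed tag: ${part}`);
      continue;
    }
    tags.set(part.slice(0, eq).trim().toLowerCase(), part.slice(eq + 1).trim());
  }
  if (!/^v\s*=\s*DMARC1$/.test(parts[0] || '')) findings.push('v=DMARC1 must be the first tag');
  const policy = (tags.get('p') || '').toLowerCase();
  if (!['none', 'quarantine', 'reject'].includes(policy)) findings.push('p is missing or invalid');
  if (policy === 'none') findings.push('p=none only reports; failing mail is still delivered');
  if (!tags.has('rua')) findings.push('no rua address, so no aggregate reports arrive');
  const pct = tags.has('pct') ? Number(tags.get('pct')) : 100;
  if (policy !== 'none' && pct < 100) findings.push(`pct=${pct} covers only part of the mail`);
  return findings;
}

// Terms that each cost one DNS lookup; RFC 7208 caps the total at 10.
const LOOKUP_TERMS = new Set(['include', 'a', 'mx', 'ptr', 'exists', 'redirect']);

function lintSpf(record) {
  const terms = record.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== 'v=spf1') return ['record must start with v=spf1'];
  const findings = [];
  let lookups = 0; // top-level terms only; nested includes add more at resolution time
  let allQualifier = null;
  let hasRedirect = false;
  for (const term of terms.slice(1)) {
    const m = /^([+\-~?]?)([a-z0-9]+)/i.exec(term);
    if (!m) {
      findings.push(`unparsed term: ${term}`);
      continue;
    }
    const name = m[2].toLowerCase();
    if (LOOKUP_TERMS.has(name)) lookups += 1;
    if (name === 'redirect') hasRedirect = true;
    if (name === 'all') allQualifier = m[1] || '+'; // a bare "all" means "+all"
  }
  if (allQualifier === '+') findings.push('+all authorizes every sender');
  if (allQualifier === '?') findings.push('?all gives a neutral result for unknown senders');
  if (allQualifier === null && !hasRedirect) findings.push('no all mechanism or redirect');
  if (lookups > 10) findings.push(`${lookups} DNS lookups exceeds the limit of 10`);
  return findings;
}

// Constructed inputs: the DMARC value from step 5, then a stricter variant.
console.log(lintDmarc('v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com'));
console.log(lintDmarc('v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com'));
console.log(lintSpf('v=spf1 include:_spf.example.net +all'));
console.log(lintSpf('v=spf1 include:_spf.example.net -all'));
```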

---
---

# ════════════════════════════════════════════════
# PROMPT 6: SECURITY HARDENING
# Headers, auth, input validation
# ════════════════════════════════════════════════

```
Harden this application for production security.

**Implement/verify ALL of the following:**

1. **HTTP Security Headers** — add to all responses (via middleware, next.config.js, or server config):
   - `X-Content-Type-Options: nosniff`
   - `X-Frame-Options: DENY`
   - `Strict-Transport-Security: max-age=31536000; includeSubDomains`
   - `Referrer-Policy: strict-origin-when-cross-origin`
   - `Permissions-Policy: camera=(), microphone=(), geolocation=()`
   - `X-XSS-Protection: 0`

2. **Authentication security (if auth exists):**
   - Passwords hashed with bcrypt or argon2 (verify — never plain text)
   - Login: rate limit to 5 attempts per minute per IP
   - Password reset: tokens expire after 1 hour, single use
   - Session/JWT tokens have reasonable expiration
   - Logout clears all session data
   - Error messages don't reveal if an email exists ("Invalid credentials" not "User not found")

3. **Input validation & sanitization:**
   - All user inputs validated on the server side (not just client)
   - SQL injection prevention (parameterized queries or ORM)
   - XSS prevention (escape HTML in user-generated content)
   - File uploads (if any): validate type, size, scan content
   - API endpoints validate request body shape

4. **CORS:**
   - Set to your specific domain(s) only
   - No wildcard `*` in production
   - Credentials handling set correctly

5. **Rate limiting:**
   - API endpoints: 100 req/min per IP (adjust as needed)
   - Auth endpoints (login, signup, password reset): 5 req/min per IP
   - Contact form: 3 req/min per IP

6. **Dependencies:**
   - Run `npm audit` and fix critical/high vulnerabilities
   - Remove unused dependencies

Scan the codebase for vulnerabilities and implement all of the above. Show me what was missing and what you added.
```
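
Prompt 6 sets every rate limit "per IP", which is only as reliable as the address used as the key: behind a reverse proxy the socket address is the proxy, and the left side of `X-Forwarded-For` is supplied by the client. The sketch below is an added example, not part of the original prompts; `clientIp`, `createLimiter`, the `trustedProxies` count and the sample addresses are assumptions made for illustration.

```javascript
// Added example. Limits mirror Prompt 6: api 100/min, auth 5/min, contact 3/min per IP.
const LIMITS = { api: 100, auth: 5, contact: 3 };
const WINDOW_MS = 60000;

// Assumption: `trustedProxies` reverse proxies sit in front of the app and each appends
// the peer address it saw to X-Forwarded-For. Entries further left are client-supplied.
function clientIp(xForwardedFor, socketAddr, trustedProxies) {
  if (trustedProxies === 0 || !xForwardedFor) return socketAddr;
  const hops = xForwardedFor.split(',').map((h) => h.trim()).filter(Boolean);
  const idx = hops.length - trustedProxies;
  return idx >= 0 ? hops[idx] : socketAddr;
}

// Sliding-window log limiter. `now` is injectable so the window can be tested.
// State is per process; several instances or serverless functions need a shared store.
function createLimiter(now = Date.now) {
  const hits = new Map(); // "bucket:ip" -> timestamps (ms) still inside the window
  function check(bucket, ip) {
    const limit = LIMITS[bucket];
    if (limit === undefined) throw new Error(`unknown bucket: ${bucket}`);
    const t = now();
    const key = `${bucket}:${ip}`;
    const recent = (hits.get(key) || []).filter((ts) => t - ts < WINDOW_MS);
    if (recent.length >= limit) {
      hits.set(key, recent);
      // Rejected requests are not recorded, so retries do not extend the lockout.
      return { allowed: false, retryAfterSec: Math.ceil((recent[0] + WINDOW_MS - t) / 1000) };
    }
    recent.push(t);
    hits.set(key, recent);
    return { allowed: true, retryAfterSec: 0 };
  }
  // Drop keys whose hits have all expired so idle clients do not pin memory.
  function sweep() {
    const t = now();
    for (const [key, stamps] of hits) {
      if (stamps.every((ts) => t - ts >= WINDOW_MS)) hits.delete(key);
    }
    return hits.size;
  }
  return { check, sweep };
}

// Constructed demo: six login attempts from one address within the same minute.
function demo() {
  let clock = 1000000;
  const limiter = createLimiter(() => clock);
  const ip = clientIp('198.51.100.9, 203.0.113.7', '10.0.0.2', 1); // one trusted proxy
  const results = [];
  for (let i = 0; i < 6; i += 1) results.push(limiter.check('auth', ip).allowed);
  clock += WINDOW_MS;
  results.push(limiter.check('auth', ip).allowed); // the window has passed
  return { ip, results };
}

console.log(demo());
```

Return `retryAfterSec` to the client in a `Retry-After` header together with a 429 status.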

---
---

# ════════════════════════════════════════════════
# PROMPT 7: PERFORMANCE OPTIMIZATION
# Core Web Vitals and loading speed
# ════════════════════════════════════════════════

```
Optimize this application for Core Web Vitals and page load performance.

**Targets:**
- LCP (Largest Contentful Paint) < 2.5 seconds
- CLS (Cumulative Layout Shift) < 0.1
- INP (Interaction to Next Paint) < 200ms
- Total JS bundle < 300KB gzipped
- Total page weight < 1.5MB

**Fix the following:**

1. **Images:**
   - Convert all images to WebP format (or use next/image which does it automatically)
   - Add explicit `width` and `height` attributes to ALL images (prevents CLS)
   - Add `loading="lazy"` to all images below the fold
   - Add `loading="eager"` to hero/above-the-fold images
   - Ensure no image is larger than 200KB unless it's a hero image
   - Use SVGs for icons and logos

2. **Fonts:**
   - Maximum 2 font files
   - Use `font-display: swap` on all @font-face declarations
   - Preload critical fonts: `<link rel="preload" as="font" type="font/woff2" crossorigin>`
   - If using Google Fonts, use `next/font` (Next.js) or self-host

3. **JavaScript:**
   - Dynamic import / lazy load any heavy components not needed on initial render
   - Move third-party scripts (analytics, chat widgets) to load after page is interactive
   - Use `async` or `defer` on all script tags
   - Check for and remove any unused large dependencies

4. **CSS:**
   - Remove unused CSS (check with PurgeCSS or framework's built-in tree shaking)
   - No render-blocking stylesheets — critical CSS should be inlined or loaded first

5. **Caching headers** (via middleware, server config, or hosting platform):
   - Static assets (JS, CSS, images, fonts): `Cache-Control: public, max-age=31536000, immutable`
   - HTML pages: `Cache-Control: public, max-age=0, must-revalidate`
   - API responses: `Cache-Control: no-store` (unless intentionally cached)

6. **Preconnect/prefetch:**
   - Add `<link rel="preconnect">` for any third-party origins (analytics, fonts, APIs)
   - Add `<link rel="dns-prefetch">` for secondary third-party origins

Analyze the actual bundle and assets in this project. Show me the before/after impact of each optimization.
```

---
---

# ════════════════════════════════════════════════
# PROMPT 8: ERROR HANDLING + 404 + LOADING STATES
# The stuff people forget that makes apps look broken
# ════════════════════════════════════════════════

```
Implement proper error handling, loading states, and edge cases across the application.

1. **404 Page:**
   - Create a custom 404 page that matches the site design
   - Include: friendly message, search (if applicable), navigation links, link to homepage
   - Ensure it returns actual 404 HTTP status code
   - Branded — not the default framework 404

2. **500 / Error Page:**
   - Create a custom error page for unexpected server errors
   - Include: friendly message, "try again" suggestion, support contact
   - Log the error server-side (to Sentry or your error tracker)
   - Don't expose stack traces or technical details to the user

3. **Loading states:**
   - Every async operation (API calls, form submissions, page transitions) shows a loading indicator
   - Buttons show loading state during submission (spinner + disabled)
   - Page-level loading skeleton or spinner for data-dependent pages
   - No blank white screens while data loads

4. **Empty states:**
   - Dashboard with no data: friendly message + CTA to get started
   - Search with no results: helpful message + suggestions
   - List/table with no items: illustration or message + action to create first item

5. **Error states:**
   - API call fails: show user-friendly error message with retry option
   - Form submission fails: show specific field errors + keep user's input
   - Network offline: detect and show offline indicator
   - Auth expired: redirect to login with "session expired" message

6. **Form validation:**
   - Client-side validation with clear, specific error messages
   - Server-side validation as backup
   - Errors appear next to the relevant field (not just a toast)
   - Success confirmation after form submission

7. **Global error boundary** (React):
   - Wrap the app in an ErrorBoundary component
   - Catch rendering errors gracefully
   - Show fallback UI instead of white screen of death
   - Report error to monitoring service

Scan every page, form, and data-fetching component in this project. Add missing loading, error, and empty states.
```

---
---

# ════════════════════════════════════════════════
# PROMPT 9: MONITORING & ANALYTICS SETUP
# Know what's happening after launch
# ════════════════════════════════════════════════

```
Set up monitoring and analytics for production.

1. **Error tracking — Sentry:**
   - Install `@sentry/nextjs` (or appropriate Sentry SDK for this framework)
   - Configure with DSN from environment variable: `SENTRY_DSN`
   - Set up source map uploads for readable stack traces in production
   - Add to `.env.example`
   - Capture unhandled exceptions and promise rejections
   - Add user context to errors (user ID, email — NOT password or sensitive data)
   - Set environment tag: production/staging/development

2. **Analytics — Google Analytics 4:**
   - Install gtag.js or use a lightweight wrapper
   - GA Measurement ID from env var: `NEXT_PUBLIC_GA_MEASUREMENT_ID`
   - Only load in production (not dev/staging)
   - Respect cookie consent (don't fire until user consents, if required)
   - Track page views automatically on route changes
   - Add custom events for key actions:
     - `sign_up` — user creates account
     - `login` — user logs in
     - `purchase` — user completes payment (if applicable)
     - `cta_click` — user clicks main call-to-action
   - Load script with `async` to not block rendering

3. **Health check endpoint:**
   - Create `/api/health` that returns:
     ~~~json
     { "status": "ok", "timestamp": "ISO_DATE", "version": "1.0.0" }
     ~~~
   - Optionally check database connection and return status
   - This endpoint should NOT require auth
   - Use this URL for uptime monitoring services

4. **Add to `.env.example`:**
   ~~~
   SENTRY_DSN=https://xxx@sentry.io/xxx
   NEXT_PUBLIC_GA_MEASUREMENT_ID=G-XXXXXXXXXX
   ~~~

Implement all of this. Make sure analytics and error tracking don't break the app if their services are down (fail silently).
```

---
---

# ════════════════════════════════════════════════
# PROMPT 10: LEGAL PAGES
# Privacy Policy, Terms, Cookie Consent
# ════════════════════════════════════════════════

```
Create the required legal pages for this application.

**Company info (REPLACE):**
- Company name: [YOUR_COMPANY_NAME]
- Company legal entity: [e.g., Replace Works OÜ]
- Country of incorporation: [e.g., Estonia]
- Registration number: [YOUR_REG_NUMBER]
- Contact email: [hello@yourdomain.com]
- Website: [https://yourdomain.com]
- Product name: [YOUR_PRODUCT_NAME]
- What data you collect: [e.g., email, name, usage analytics, payment info]
- Third-party services used: [e.g., Stripe, Google Analytics, Sentry, SendGrid, Vercel]

**Create these pages:**

1. **Privacy Policy** (`/privacy`):
   - What data you collect and why
   - How data is stored and protected
   - Third-party services that receive data (list each with link to their privacy policy)
   - Cookie usage
   - User rights: access, deletion, export (GDPR)
   - Data retention period
   - Contact info for privacy questions
   - "Last updated: [DATE]" at the top
   - Written in plain, readable language (not dense legalese)

2. **Terms of Service** (`/terms`):
   - Acceptance of terms
   - Description of service
   - User accounts and responsibilities
   - Acceptable use
   - Payment terms (if applicable)
   - Cancellation and refunds (if applicable)
   - Intellectual property
   - Limitation of liability
   - Termination
   - Governing law and jurisdiction
   - Changes to terms
   - Contact information
   - "Last updated: [DATE]"

3. **Cookie consent banner** (if serving EU users):
   - Simple, non-intrusive banner at bottom of page
   - "Accept" and "Decline" buttons
   - Link to Privacy Policy
   - If declined: don't load GA or any non-essential tracking
   - Store preference in localStorage so it doesn't re-appear
   - No dark patterns (accept and decline should be equally prominent)

4. **Footer links:**
   - Add Privacy Policy and Terms of Service links to the site footer
   - Add copyright: `© 2026 [COMPANY_NAME]. All rights reserved.`

Create these as actual pages/routes in the project with proper SEO meta tags (noindex is fine for legal pages). Style them to match the existing site design.

NOTE: These are templates — I will have them reviewed by a legal professional before launch. Make them comprehensive but clearly mark any sections where I need to fill in specifics.
```

---
---

# ════════════════════════════════════════════════
# PROMPT 11: MOBILE + ACCESSIBILITY QUICK PASS
# ════════════════════════════════════════════════

```
Do a mobile responsiveness and accessibility pass on this entire application.

**Mobile (test every page):**
- [ ] No horizontal scroll on any screen width from 320px to 1920px
- [ ] Text is readable without zooming (minimum 16px body text)
- [ ] Buttons and links are minimum 44x44px touch targets
- [ ] Navigation works on mobile (hamburger menu or equivalent)
- [ ] Forms are usable on mobile (proper input types: email, tel, url, number)
- [ ] Images don't overflow their containers
- [ ] Modals/popups work on mobile and can be dismissed
- [ ] Tables scroll horizontally or reflow on small screens

Fix any responsive issues you find.

**Accessibility (WCAG 2.1 AA essentials):**
- [ ] All `<img>` tags have `alt` attributes (descriptive for content images, empty `alt=""` for decorative)
- [ ] All form inputs have associated `<label>` elements (using `htmlFor`/`for`)
- [ ] All interactive elements (buttons, links, inputs) are keyboard accessible
- [ ] Focus indicators are visible on all interactive elements (don't remove outlines without replacement)
- [ ] Color contrast: text meets 4.5:1 ratio (check with browser DevTools)
- [ ] Heading hierarchy is correct: h1 → h2 → h3, no skipped levels
- [ ] Use semantic HTML: `<nav>`, `<main>`, `<section>`, `<article>`, `<header>`, `<footer>`
- [ ] `<html lang="en">` is set
- [ ] `<button>` for actions, `<a>` for navigation (don't mix them up)
- [ ] aria-label on icon-only buttons (e.g., hamburger menu, close button, social icons)

Scan every page and component. Fix all issues. List anything you couldn't auto-fix that I need to review manually.
```

---
---

# ════════════════════════════════════════════════
# PROMPT 12: FINAL PRE-LAUNCH AUDIT
# Run this LAST before going live
# ════════════════════════════════════════════════

```
Do a final pre-launch production audit of this entire project.

Go through every file and every page and verify:

**Code:**
- [ ] No console.log statements
- [ ] No hardcoded API keys or secrets
- [ ] No TODO/FIXME comments
- [ ] No placeholder text or test data
- [ ] No unused imports or dead code
- [ ] All env vars documented in .env.example
- [ ] Build succeeds with zero errors and zero warnings

**SEO:**
- [ ] Every public page has: unique title, unique description, canonical URL, OG tags, Twitter tags
- [ ] robots.txt exists and is correct
- [ ] sitemap.xml exists with all public pages
- [ ] JSON-LD schema (Organization + WebSite minimum) is present
- [ ] No pages that should be indexed are set to noindex
- [ ] No pages that should be private are set to index

**Functionality:**
- [ ] Homepage loads correctly
- [ ] All navigation links work (no 404s)
- [ ] All forms submit correctly
- [ ] Auth flow works: signup → verify → login → logout
- [ ] Core feature works end-to-end
- [ ] Payment flow works (if applicable)
- [ ] Emails send and deliver (if applicable)
- [ ] Mobile: all pages work on 375px width

**Error handling:**
- [ ] Custom 404 page exists
- [ ] Custom error page exists
- [ ] No white screen of death on any error
- [ ] Loading states on all async operations

**Performance:**
- [ ] No images over 500KB
- [ ] All images have width/height attributes
- [ ] No render-blocking scripts
- [ ] Total page weight under 2MB

**Security:**
- [ ] HTTPS enforced
- [ ] Security headers present
- [ ] No sensitive data in error messages
- [ ] Auth endpoints rate limited
- [ ] npm audit has no critical issues

Create a report with ✅ PASS or ❌ FAIL for each item. For any failures, fix them immediately or tell me exactly what I need to do manually.
```

---
---

# ════════════════════════════════════════════════
# 💡 HOW TO USE THESE PROMPTS
# ════════════════════════════════════════════════

## Order matters:
1. Prompt 1: Project Audit & Cleanup (clean slate)
2. Prompt 2: SEO Meta Tags (biggest SEO impact)
3. Prompt 3: Robots + Sitemap + llms.txt (crawlability)
4. Prompt 4: Structured Data (rich results)
5. Prompt 5: Email Configuration (deliverability)
6. Prompt 6: Security Hardening (protection)
7. Prompt 7: Performance Optimization (speed)
8. Prompt 8: Error Handling & UX Polish (quality)
9. Prompt 9: Monitoring & Analytics (visibility)
10. Prompt 10: Legal Pages (compliance)
11. Prompt 11: Mobile & Accessibility (reach)
12. Prompt 12: Final Audit (verification)

## Tips:
- Run in Cursor's AGENT mode for best results (it can edit files directly)
- Replace all [BRACKETED] placeholders before pasting
- After each prompt, review the changes before moving to the next
- Prompt 12 (final audit) will catch anything the others missed
- Total time: ~2-3 hours if you run them sequentially
- Save these prompts in a file in your project root so you can reuse them on every new project

## For your venture studio workflow:
- Keep these prompts in a shared repo or template
- Run them on every new project before the monthly launch
- Prompts 1 + 2 + 3 + 12 alone cover 80% of what matters
- The rest is the difference between "launched" and "launched properly"
