Cursor app compliance checklist — what AI-IDE projects ship by default

Unlike Lovable or Bolt, Cursor doesn't generate apps from a single prompt — it edits a real codebase, file by file, on your filesystem. That means more dev control, more variation in output, and a different failure profile. Most Cursor projects look professional. Most also ship with two or three of these issues hiding in plain sight.

What Cursor projects tend to look like

Cursor's strength is its edit-mode flexibility. Compared to Lovable / Bolt, a typical Cursor codebase is:

• Next.js or Vite + React (rarely Remix, sometimes SvelteKit)
• pnpm or npm with full package.json control
• Custom auth (NextAuth, Clerk, Supabase) instead of platform-bundled defaults
• Backend routes the developer wrote, often with inconsistent auth checks
• Pushed to GitHub from the start, with normal commit history

The compliance issues are subtler than Lovable's — but for that exact reason, harder to catch in a one-time review. The patterns below show up in roughly 60% of production Cursor apps we scan.

The 7 things to check on a Cursor app

1. Inconsistent auth checks on API routes

Cursor's apply-edits behavior means some routes get auth, some don't — depending on which files were open when you prompted. The classic failure: `app/api/admin/*` has auth, but `app/api/internal/*` doesn't, because the AI thought "internal" meant trusted. Audit every API route for an auth check on entry.

2. Form labels lost in refactor

Cursor's reformat-on-edit behavior sometimes strips `<label>` elements when it converts JSX styles or extracts a component. Always re-scan after a significant refactor; what was compliant Tuesday may not be Wednesday.

3. Mixed-license dependency tree

pnpm + AI-suggested packages = a higher chance of one transitive AGPL or GPL package slipping in. Run `npx license-checker --production --summary` monthly. If anything reports AGPL-3.0 or GPL-3.0 you have a decision to make.

4. AI-suggested code with embedded copyleft snippets

Cursor's tab completions sometimes reproduce GPL-licensed snippets verbatim from training data. The completion doesn't include a license header. A dependency-tree scan won't catch this — only a bundle fingerprint scan will. This is where Doe v. GitHub is still being litigated; the safe move is to scan and remediate regardless.

5. Env vars accidentally exposed

Cursor will "helpfully" add a `NEXT_PUBLIC_` prefix when an env var is referenced client-side and the build fails. The fix it applies — make the secret public — is wrong. Grep your code for `NEXT_PUBLIC_` env names that look like secrets (`*_KEY`, `*_SECRET`, `*_TOKEN`). Move the calling code server-side.

6. AI-generated docs that overclaim

Cursor's `@docs` feature can pull auto-generated README content into your repo. If that content makes legal claims about your app ("GDPR-compliant", "HIPAA-ready", "SOC 2 Type II"), and you haven't actually verified those claims, you've created false-advertising exposure. Audit every claim in your published documentation.

7. Commit history reveals authorship pattern

`git blame` on a heavily-AI-generated repo can be useful ("look how iteratively this was developed") or harmful ("99% of this was written by Cursor in one session") depending on context. Be deliberate about commit hygiene: small commits with descriptive messages, even when most of the code came from the AI, support a stronger copyright claim at acquisition.

How to fix all of these

Cursor's strength is also its trap: the codebase has more depth than a Lovable app, so manual review takes longer. Run Comply Code on your deployed URL for the runtime checks (items 1, 2, 5). Run a local audit for the code-level items (3, 4, 6, 7). Use Cursor's own AI to apply the fixes — paste each fix prompt from the report directly into the @inline panel and let Cursor make the edits, then re-scan.