Agentic skills and rules: orchestration repo pattern for org-wide Cursor

The problem: skills drift across 40 repos

Every team now ships .cursor/rules, AGENTS.md, and ad-hoc slash commands inside individual services. Within a quarter, security rules diverge, Plaid integration skills exist in one FinTech repo but not another, and new hires paste outdated prompts from Notion. Cursor’s 2026 answer is Agent Skills—portable SKILL.md packages with YAML frontmatter that agents load when task context matches the skill description.

Skills are not a replacement for rules (always-on or path-scoped .mdc enforcement) or agents (multi-step orchestration files). The mature pattern: one orchestration repository sitting above nested project clones, symlinked or opened as a multi-root workspace, so skills/rules update once and apply everywhere—similar to JuroOravec/agents and catalog-style setups like KS-Cursor-Orchestrator.

Directory layout that scales

org-ai-orchestration/          ← open THIS in Cursor
├── .cursor/
│   ├── skills/                # repo-wide skills (SKILL.md)
│   │   ├── plaid-link/SKILL.md
│   │   ├── contentful-cms/SKILL.md
│   │   └── pre-push-validate/SKILL.md
│   ├── rules/                 # always-on + path-scoped .mdc
│   │   ├── security-baseline.mdc
│   │   └── fintech-plaid.mdc
│   └── agents/                # multi-step workflows
│       └── code-review.md
├── docs/                      # runbooks agents reference
├── portfolio/                 # nested git clone
├── commerce-platform/         # nested git clone
└── .gitignore                 # ignore clone folders at root

Cursor discovers .cursor/skills/ recursively—monorepos can colocate package-scoped skills under apps/web/.cursor/skills/ (Cursor skills docs). Nested skills auto-scope to their subtree without explicit paths globs.

Skills vs rules vs agents

Best practice from practitioner writeups (sbstjn skills collection): keep each SKILL.md under ~500 lines; move deep references to references/ subfolders. Use /migrate-to-skills in Cursor 2.4+ to convert legacy dynamic rules.

SKILL.md frontmatter that triggers correctly

---
description: >
  Implement Plaid Link token exchange, webhook JWT verification,
  and ITEM_LOGIN_REQUIRED update mode for FinTech apply portals.
disable-model-invocation: false
---

The description field is the routing signal—write it like search copy, not internal jargon. Set disable-model-invocation: true for skills that should behave like explicit slash commands only.

Nested clones vs monorepo migration

Orchestration repo + nested clones wins when:

• Repos have independent release cadences and credentials
• You need one AI config without merging git histories
• Teams want full cross-repo context in one Cursor index (multi-root workspaces in Cursor 3.2+)

Monorepo migration wins when the same engineers touch the same files daily and CI already spans packages.

For 5–50 repos, orchestration root with .gitignore’d clone folders keeps day-to-day git simple: each project retains its own remote; the root repo tracks only shared .cursor/ + docs.

Operating model for platform teams

1. Own the catalog — capabilities-catalog.mdc indexes every skill/agent (pattern from KS-Cursor-Orchestrator)
2. Version skills — treat breaking skill changes like API semver; announce in #eng-ai
3. CI smoke — optional script verifying SKILL.md frontmatter + required sections
4. Onboarding — new repo = run “add project” skill to clone + register paths
5. No secrets in skills — reference env var names, never tokens

Illustrative org KPIs: <7 days skill propagation after security patch, 0 repos with orphan .cursorrules files, >80% engineers on latest catalog tag.

FinTech example stack

Pair orchestration skills with portfolio evidence:

• plaid-link skill → links to Auth guide
• pre-push-validate skill → runs lint/build/SEO scripts before push
• contentful-cms skill → documents webhook + ISR patterns

Nitin Rachabathuni ships MVPs in days using this orchestration pattern across client repos—contact for setup workshops.

Anti-patterns

• Duplicating the same SKILL.md into every repo “for convenience”
• 2,000-line skills that blow context windows
• Agents that re-encode skill content instead of referencing paths
• User-global skills (~/.cursor/skills) overriding org security rules without review

Authoritative references

Consult LangGraph.js, MDN Web Docs, web.dev, Next.js documentation, OWASP Cheat Sheets alongside the official references block below. Cross-check guidance with your compliance, security, and SRE stakeholders before setting SLOs.

Metrics snapshot

Illustrative consulting KPI ranges observed on programs like “Agentic skills and rules: orchestration repo pattern …” — validate against your own telemetry before setting SLOs. Methodology: production-like staging traces + weekly review with product and ops.

Architecture flow

Code sketches

/* Integration sketch */
// Agentic skills and rules: orchestration repo pattern …
export async function rolloutCursorAgentSkillsRulesOrchestrationRepoGuide() {
  const checks = ["telemetry", "auth", "rollback"];
  return { ok: true, checks };
}

Official references

• LangGraph.js
• MDN Web Docs
• web.dev
• Next.js documentation
• OWASP Cheat Sheets

Related on this site

• Juiceit.ai
• Related engineering article
• Implementation help

Related case study

Juiceit.ai — AI platform — document intelligence, agent workflows, enterprise automation.

Article slug: cursor-agent-skills-rules-orchestration-repo-guide · Engineering notes by Nitin Rachabathuni — MVP in 2 days specialist.