Comprehensive coding standards for building a secure, automated, and personalized employee-onboarding web platform.
Stop building onboarding platforms from scratch. These comprehensive TypeScript rules eliminate the guesswork and accelerate your development timeline while ensuring enterprise-grade security and compliance.
You're building employee onboarding automation, which means you're dealing with:
Most developers spend weeks researching security patterns, data handling best practices, and integration approaches. These rules eliminate that research phase entirely.
These rules provide a battle-tested architecture for building automated onboarding platforms with TypeScript, React, and modern cloud infrastructure. You get:
Secure-by-Default Data Handling: Pre-configured AWS KMS encryption, PII redaction patterns, and GDPR-compliant data models that handle everything from SSNs to I-9 documents.
Workflow Automation Framework: Ready-to-use patterns for the 6 C's of Employee Onboarding (Compliance, Clarification, Confidence, Connection, Culture, Checkback) with reusable playbook abstractions.
Enterprise Integration Patterns: TypeScript interfaces and service layers designed for BambooHR, Rippling, Synthesia, and other major HR platforms.
Instead of researching encryption patterns, you get production-ready security configurations:
// Pre-built validation with automatic PII redaction
export const createOnboardingTask = async (input: TaskInput, ctx: Ctx): Promise<Task> => {
const parsed = TaskSchema.safeParse(input);
if (!parsed.success) {
throw new ValidationError('ONB_4001', parsed.error);
}
// Built-in duplicate detection and secure data handling
return ctx.db.task.create({ data: parsed.data });
};
Before: Spend days researching secure file upload patterns, encryption at rest, and S3 configurations.
With These Rules: Get production-ready document handling:
// Built-in encrypted storage with audit trail
const uploadI9Document = async (file: File, employeeId: string) => {
// Automatic encryption, virus scanning, and compliance logging
return await secureDocumentService.upload(file, {
category: 'I9_VERIFICATION',
employeeId,
retentionPolicy: '7_YEARS'
});
};
Before: Build custom adapters for each HR system, handle rate limiting, and manage webhook reliability.
With These Rules: Use pre-built integration patterns:
// Standardized HR system integration with error handling
const syncEmployeeData = async (employeeId: string) => {
const bambooData = await hrIntegrations.bamboo.getEmployee(employeeId);
const ripplingTasks = await hrIntegrations.rippling.getOnboardingTasks(employeeId);
// Built-in conflict resolution and data normalization
return await onboardingService.syncMultiSource([bambooData, ripplingTasks]);
};
Before: Design complex state machines for onboarding progress, handle async operations, and manage notifications.
With These Rules: Use the proven workflow framework:
// Pre-built workflow engine with progress tracking
const executeOnboardingPlaybook = async (employeeId: string, role: string) => {
const playbook = await getPlaybookForRole(role);
// Automatic progress tracking, notification scheduling, and escalation
return await workflowEngine.execute(playbook, {
employeeId,
checkpoints: ['30_day', '60_day', '90_day'],
automateDocuments: true,
assignBuddy: true
});
};
# Set up the recommended project structure
mkdir onboarding-platform && cd onboarding-platform
npm init -y
npm install typescript @types/node --save-dev
# Apply the strict TypeScript configuration
echo '{
"compilerOptions": {
"strict": true,
"noUncheckedIndexedAccess": true,
"exactOptionalPropertyTypes": true
}
}' > tsconfig.json
src/
├─ modules/
│ ├─ onboarding/
│ │ ├─ api/ # GraphQL resolvers
│ │ ├─ ui/ # React components
│ │ ├─ model.ts # Zod schemas + DB models
│ │ └─ service.ts # Business logic
│ ├─ documents/
│ └─ workflows/
└─ shared/
├─ security/ # Encryption utilities
├─ integrations/ # HR system adapters
└─ validation/ # Zod schemas
// Configure AWS KMS encryption for PII
import { KMSClient, EncryptCommand } from "@aws-sdk/client-kms";
export const encryptPII = async (data: string): Promise<string> => {
const kms = new KMSClient({ region: process.env.AWS_REGION });
const command = new EncryptCommand({
KeyId: process.env.KMS_KEY_ID,
Plaintext: Buffer.from(data)
});
const response = await kms.send(command);
return Buffer.from(response.CiphertextBlob!).toString('base64');
};
// Build your first onboarding workflow
export const createEmployeeOnboarding = async (
employee: NewEmployee
): Promise<OnboardingPlan> => {
// Validate with Zod schema
const validated = NewEmployeeSchema.parse(employee);
// Generate role-specific playbook
const playbook = await generatePlaybook(validated.role, validated.department);
// Schedule automated tasks
return await scheduleOnboardingTasks(playbook, validated);
};
Ready to transform your onboarding platform development? Copy these rules into your Cursor IDE and start building with enterprise-grade patterns from day one.
You are an expert in TypeScript, Node.js, React, GraphQL, PostgreSQL, AWS (Lambda, S3, KMS), Terraform, and Cypress.
Key Principles
- Prioritise automation of repetitive onboarding tasks while preserving a human touch via scheduled check-ins APIs and notification hooks.
- Treat sensitive employee data as PII: encrypt at rest (AES-256 via AWS KMS) and in transit (TLS ≥1.2).
- Align every feature with the 6 C’s of Employee Onboarding (Compliance, Clarification, Confidence, Connection, Culture, Checkback).
- Strive for consistency across teams by abstracting workflows into reusable “playbooks”.
- Build declaratively, prefer pure functions and immutability; avoid large classes.
- Keep components small (≤150 LOC) and single-responsibility; aim for 100 % TypeScript coverage.
- Enforce CI gates (lint, type-check, unit + e2e tests, security scan) before merge.
TypeScript
- Use `--strict`, `noUncheckedIndexedAccess`, and `exactOptionalPropertyTypes`.
- Default to `interface` for contracts; use `type` for unions/aliases.
- Name boolean vars with auxiliary verbs: `isSigned`, `hasBuddy`. Exclude negations (`isNot…`).
- Prefer readonly data models; mutate only via pure reducers or ORM transactions.
- Project layout:
src/
├─ modules/{domain}/
│ ├─ api/ (GraphQL resolvers, route handlers)
│ ├─ ui/ (React components)
│ ├─ model.ts (Zod schema + DB model)
│ └─ service.ts (domain logic)
└─ shared/
- Export order inside files: types → constants → pure funcs → side-effect funcs → default export.
Node.js / GraphQL API
- Use Apollo Server with `@graphql-codegen/typescript-resolvers` to enforce strong types.
- Segregate queries, mutations, and subscriptions; keep resolvers ≤30 LOC.
- Never return raw DB errors; map to domain-level errors with unique codes (`ONB_XXXX`).
- Max request time = 5 s; longer flows off-load to async queues (AWS SQS + Lambda workers).
React (Next.js)
- Functional components only; adopt React 18 hooks.
- Co-locate tests (`*.spec.tsx`) and stories (`*.stories.tsx`) next to components.
- Use React Query for data-sync; keep cache TTL short for onboarding status (≤15 s).
- Theming via Chakra UI; respect WCAG AA contrast.
- Directory kebab-case: `components/task-card`, `pages/onboarding/[employeeId].tsx`.
PostgreSQL
- One schema per environment; use Liquibase for migrations, never `ALTER` manually.
- Store encrypted columns via `pgcrypto` for SSN, banking info.
- Use nullable columns only when business rule allows opt-out (e.g., `middle_name`).
Error Handling & Validation
- Validate all external input with Zod at module boundaries.
- Use early returns for error branches; happy path last.
- Map technical errors → HR-friendly messages (`Employee record not found. Ask HR for help.`).
- Log with pino; redact PII fields automatically (`pino-redact`).
- 100 % coverage for critical validators (SSN, I-9 document uploads).
Security Rules
- Default CSP: `default-src 'self'; img-src 'self' data: https:`.
- Use CSRF double-submit cookies for web forms.
- Rotate KMS CMKs annually; enforce AWS IAM least-privilege (`terraform-policy-lint`).
- Deny-by-default firewall rules; allowlist office IPs for admin portal.
Testing
- Unit: Jest + ts-jest; target ≥90 % statement coverage.
- Contract: GraphQL schema changes gated by `graphql-test` snapshot.
- E2E: Cypress, run on prod-mirror; seed DB with Faker HR data.
- Accessibility: `@axe-core/react` integration in CI.
Performance
- Lazy-load heavy modules (Synthesia video player) with dynamic imports.
- Server-side render first dashboard; hydrate client diff.
- Monitor Core Web Vitals; LCP ≤2.5 s on 4G.
Observability
- Trace every onboarding workflow via OpenTelemetry; set `traceparent` header between services.
- Define KPIs: time-to-signature, first-week task completion, 30-60-90 day goal hit-rate.
DevOps
- Infrastructure as Code with Terraform; PRs produce plan comments.
- Blue/Green deploys via AWS Elastic Beanstalk.
- Feature flags (LaunchDarkly) for iterative rollout of new onboarding steps.
Documentation & Naming Conventions
- Public GraphQL schema is canonical source of truth; auto-publish docs to `/graphql` playground.
- Use `verb-noun` for mutation names (`signDocument`, `assignBuddy`).
- Onboarding workflow files: `workflow-<role>-<version>.yml` (e.g., `workflow-sales-1.3.yml`).
Common Pitfalls & Guards
- DO NOT embed PII in logs or analytics events.
- DO NOT hard-code role-based logic; configure via DB-backed templates.
- DO NOT assume single timezone; store dates in UTC, display in local.
Useful Snippet – Early-Exit Validation Pattern
```ts
export const createOnboardingTask = async (input: TaskInput, ctx: Ctx): Promise<Task> => {
const parsed = TaskSchema.safeParse(input);
if (!parsed.success) {
throw new ValidationError('ONB_4001', parsed.error);
}
const duplicate = await ctx.db.task.findUnique({ where: { externalId: input.externalId } });
if (duplicate) {
throw new DomainError('ONB_4002', 'Task already exists');
}
// happy path
return ctx.db.task.create({ data: parsed.data });
};
```
Further Reading
- SHRM Onboarding Guide 2023
- NIST SP 800-122 (PII security)
- AWS Well-Architected – Security & Operational Excellence Pillars