Case Study Maker — Portfolio Case Study

Role & Scope

Solo product builder responsible for end-to-end delivery: concept, UX design, architecture, security hardening, implementation, and Cursor marketplace submission. The project spanned 10 days from planning through a complete architectural pivot to production-ready plugin.

The core insight driving the project: the best case studies come from real-time capture, not post-hoc reconstruction. Developers do impressive reasoning work — architecture tradeoffs, security decisions, iteration pivots — but none of it survives into their portfolios because they write case studies from memory weeks later.

Constraints

Marketplace-only distribution

Cursor Marketplace accepts only free, open-source plugins. No in-app payments, no paid tiers inside the plugin. Monetization must happen through external channels.

No compiled code

The plugin architecture limits you to markdown, plain JavaScript, and Cursor's component system (rules, skills, hooks, commands, agents). No TypeScript compilation, no bundler, no npm dependencies. Node.js must be installed on the user's machine for the hooks to run; all other features work without it.

Zero external costs

The tool uses Cursor's built-in AI. No additional API keys, no third-party services, no cost to the developer beyond their existing Cursor subscription.

Project-scoped data only

All data must stay within the project folder. No home directory access, no cloud storage, no network calls. The plugin never reads or writes outside the workspace root.

Tradeoffs

Pivot decision: Web app vs. plugin

Reflection capture broken?

↓ Yes

Where does developer think?

→ In chat

Plugin: embed prompts in Cursor

↓

Kill web app, ship plugin

Killed a working web app to go native

The biggest tradeoff was scrapping a functional Express + React UI with path browsing, screenshot upload, and AI-powered generation. The reflection questions lived in a separate browser tab — disconnected from the developer's actual workflow. The plugin approach sacrificed that visual dashboard for something more valuable: embedding prompts directly in the chat where the developer is already thinking.

AI-generated HTML over a cinematic renderer

The original concept doc described animated architecture diagrams, scroll-based interactivity, and decision tree visuals. We traded that for AI-generated static HTML — less visually ambitious, but eliminates the need for any custom backend, API keys, or build infrastructure.

Per-project output over central directory

Chose OUTPUTS/ within each project instead of a central ~/CASE_STUDIES/ directory. Enforces the security boundary at the cost of convenience when managing multiple case studies across projects.

Monetization outside the plugin

Accepted the Cursor marketplace constraint that plugins must be free and open source. Monetization lives in adjacent products (premium templates, PDF/Notion export, LinkedIn kit) sold externally — no in-plugin paywall, but distribution friction is near zero and viral adoption can come from marketplace discovery.

Risks & Mitigations

Each risk was identified during development and patched before shipping.

Command injection → `execFileSync`

Hook scripts originally used execSync with string interpolation — vulnerable to shell injection via crafted commit messages. Patched by switching to execFileSync with array arguments, preventing shell metacharacter execution.

XSS in generated HTML → CSP headers

User-authored reflection text flows into generated HTML. Added Content-Security-Policy meta tags (default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline') to all generated output, preventing inline script injection.

Supply chain (5 high CVEs) → zero dependencies

The web app's package.json had 5 high and 1 moderate Dependabot vulnerabilities. Eliminated the entire dependency tree — the plugin runs on plain markdown and vanilla JavaScript with zero npm packages.

Security Design

Security was a primary design constraint, not an afterthought.

Activation gate

The always-on AI partner rule only fires when .case-study/ exists in the project. No ambient tracking across unrelated projects.

Scope boundary

Every plugin component includes an explicit statement confining reads and writes to the project root. No home directory, no symlinks, no .. paths.

No secrets stored

The original web app stored API keys as plain JSON. The plugin eliminates key storage entirely — uses Cursor's built-in AI.

Auditable code

All plugin code is plain markdown and vanilla JavaScript. No compiled artifacts, no obfuscation. .case-study/ added to .gitignore automatically.

Technical Highlights

Architecture

The plugin maps directly to Cursor's component model. Each concern has a dedicated layer.

Event flow: capture → structure → output

Chat / Commit / Session → Rule / Hooks → Prompt reflection → Append events.json → Generate HTML

Developer in Cursor IDE

↓ chat + code ↓ commits ↓ slash commands

Always-On Layer

case-study-partner.mdc

check-commit.js (hook)

session-capture.js (hook)

Chat Commands

/case-study (hub)

/capture-reflection

/review-timeline

/generate-portfolio

/generate-marketing

Skills (AI-Executed)

capture-reflection

auto-capture

review-timeline

generate-portfolio

generate-marketing

integrate-figma

integrate-assets

↓ append ↓ read ↓ generate

Project Folder (Scoped)

.case-study/events.json

.case-study/media/

OUTPUTS/ → portfolio | marketing | portfolio-card

Git history (read-only)

An always-on rule watches for decision moments. Hooks fire after commits and at session end. Skills execute AI-powered capture and generation. A read-only agent provides analysis. All data flows through a single append-only events.json log.

Iteration

Iteration Timeline

Planning, building, pivoting, and hardening — from concept to production-ready plugin.

Click an event to expand details.

Commit History

Visual Evidence

Screenshots captured during development — from the original web app through the plugin pivot.