Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

BhumitThakkar/validate-spring-dto

Name: validate-spring-dto
Author: BhumitThakkar

.cursor/skills/validate-spring-dto/SKILL.md

npx skillsauth add BhumitThakkar/cursor-kit validate-spring-dto

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Validate Spring DTO / request models

When to Use

Backend or QA gate before merge: confirm request/response models used on REST boundaries have appropriate validation.
After adding new @PostMapping / @PutMapping endpoints or changing DTO shapes.
Pair with quality-gates.mdc Gate 1 (controller @Valid + BindingResult where applicable).

Scope (files to analyze)

Include types that cross the HTTP boundary, for example:

**/*Request.java, **/*Response.java, **/*Dto.java, **/*DTO.java
Types referenced as @RequestBody parameters (discover via controller scan in the same change or module)
Java record types used as API request bodies

Exclude unless explicitly in scope:

JPA @Entity classes (validation rules differ; use persistence-layer review)
Internal service-only POJOs never exposed on REST

Adjust globs per repo layout (e.g. api.dto, web.model).

Read-only rule

This skill only instructs analysis and reporting. The agent must not apply fixes unless the user or Zeus brief explicitly authorizes edits.

Checks

1. Request bodies on controllers

For each @RequestBody parameter:

Parameter should be annotated with @Valid (or @Validated with appropriate group) when the type contains constrained fields.
Nested DTO fields that must be validated need @Valid on the nested property inside the parent type.

2. DTO / record types

For each type in scope:

Constrained API surface: Non-primitive fields that accept user input should have appropriate Jakarta annotations where business rules require them (e.g. @NotNull, @NotBlank, @Size, @Email, @Min/@Max, @Pattern).
Defensive defaults: Optional fields may omit constraints if null is explicitly allowed and handled; document as assumption in the report.
Empty shells: Flag types used on public endpoints with no field-level constraints and no class-level @NotNull / custom validator — likely HIGH if the type maps unvalidated JSON to persistence or security-sensitive operations.

3. Response DTOs

Usually fewer constraints; flag if sensitive data could leak through unbounded collections or unvalidated maps — MEDIUM informational.

4. Groups and custom validators

If @Validated groups or @Constraint are used, note in the report whether group sequences are consistent with controller @Validated usage.

Output contract

Emit, in order:

Scope — globs and packages analyzed; list of files (or count + samples).
Findings table

| File | Line or symbol | Issue | Severity | Fix hint |

Severity: HIGH (unvalidated user input on write path), MEDIUM (missing nested @Valid, weak bounds), LOW (style / optional clarity).
Verdict — single line: PASS (no HIGH/MEDIUM) or FAIL (one or more HIGH/MEDIUM).
Assumptions — bullets for anything not verifiable without compilation or tests.

Verification (mental test)

A DTO with a String email field and no @Email / @NotBlank on a POST body → at least one MEDIUM or HIGH finding.
A correctly constrained DTO with @Valid on the controller parameter and nested @Valid where needed → PASS for that path.

Status

Registered in .cursor/rules/tool-registry.mdc as draft until Zeus verifies output on a real PR; then move row status to active.

BhumitThakkar/validate-spring-dto

.cursor/skills/validate-spring-dto/SKILL.md

Read-only checklist for Jakarta Bean Validation on Spring API models (DTOs, request bodies). Produces a markdown report with PASS/FAIL; does not modify source files.

development

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add BhumitThakkar/cursor-kit validate-spring-dto

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 3:01 PM4.4s1 file scanned

SKILL.md

name:: validate-spring-dto
description:: >-

Validate Spring DTO / request models

When to Use

Backend or QA gate before merge: confirm request/response models used on REST boundaries have appropriate validation.
After adding new @PostMapping / @PutMapping endpoints or changing DTO shapes.
Pair with quality-gates.mdc Gate 1 (controller @Valid + BindingResult where applicable).

Scope (files to analyze)

Include types that cross the HTTP boundary, for example:

**/*Request.java, **/*Response.java, **/*Dto.java, **/*DTO.java
Types referenced as @RequestBody parameters (discover via controller scan in the same change or module)
Java record types used as API request bodies

Exclude unless explicitly in scope:

JPA @Entity classes (validation rules differ; use persistence-layer review)
Internal service-only POJOs never exposed on REST

Adjust globs per repo layout (e.g. api.dto, web.model).

Read-only rule

This skill only instructs analysis and reporting. The agent must not apply fixes unless the user or Zeus brief explicitly authorizes edits.

Checks

1. Request bodies on controllers

For each @RequestBody parameter:

Parameter should be annotated with @Valid (or @Validated with appropriate group) when the type contains constrained fields.
Nested DTO fields that must be validated need @Valid on the nested property inside the parent type.

2. DTO / record types

For each type in scope:

Constrained API surface: Non-primitive fields that accept user input should have appropriate Jakarta annotations where business rules require them (e.g. @NotNull, @NotBlank, @Size, @Email, @Min/@Max, @Pattern).
Defensive defaults: Optional fields may omit constraints if null is explicitly allowed and handled; document as assumption in the report.
Empty shells: Flag types used on public endpoints with no field-level constraints and no class-level @NotNull / custom validator — likely HIGH if the type maps unvalidated JSON to persistence or security-sensitive operations.

3. Response DTOs

Usually fewer constraints; flag if sensitive data could leak through unbounded collections or unvalidated maps — MEDIUM informational.

4. Groups and custom validators

If @Validated groups or @Constraint are used, note in the report whether group sequences are consistent with controller @Validated usage.

Output contract

Emit, in order:

Scope — globs and packages analyzed; list of files (or count + samples).
Findings table

| File | Line or symbol | Issue | Severity | Fix hint |

Severity: HIGH (unvalidated user input on write path), MEDIUM (missing nested @Valid, weak bounds), LOW (style / optional clarity).
Verdict — single line: PASS (no HIGH/MEDIUM) or FAIL (one or more HIGH/MEDIUM).
Assumptions — bullets for anything not verifiable without compilation or tests.

Verification (mental test)

A DTO with a String email field and no @Email / @NotBlank on a POST body → at least one MEDIUM or HIGH finding.
A correctly constrained DTO with @Valid on the controller parameter and nested @Valid where needed → PASS for that path.

Status

Registered in .cursor/rules/tool-registry.mdc as draft until Zeus verifies output on a real PR; then move row status to active.

Related Skills

BhumitThakkar/thymeleaf-patterns

data-ai

VerifiedTrustedCommunity

Thymeleaf + Spring Boot UI conventions, fragment patterns, form handling, and accessibility standards for this project.

SKILL.mdUpdated Apr 16, 2026

BhumitThakkar/thymeleaf-patterns

BhumitThakkar/test-coverage-check

development

VerifiedTrustedCommunity

QA-oriented playbook for verifying test coverage on new or changed code (JaCoCo / Maven Gradle) against project quality gate expectations. Read-only analysis instructions unless user authorizes runs.

SKILL.mdUpdated Apr 16, 2026

BhumitThakkar/test-coverage-check

BhumitThakkar/subagents-manager

testing

VerifiedTrustedCommunity

Maintain AGENTS.md roster and disabled.txt without deleting agent files without explicit approval.

SKILL.mdUpdated Apr 16, 2026

BhumitThakkar/subagents-manager

BhumitThakkar/spring-boot-patterns

development

VerifiedTrustedCommunity

Spring Boot coding standards, patterns, and conventions for this project. Uses SLF4J API with Log4j2 as the logging implementation. Loaded dynamically when implementing Java/Spring Boot code.

SKILL.mdUpdated Apr 16, 2026

BhumitThakkar/spring-boot-patterns

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/BhumitThakkar/cursor-kit.git

# Copy into Claude Code skills folder (global)
cp -r cursor-kit/.cursor/skills/validate-spring-dto ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

BhumitThakkar/cursor-kit

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT