Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

sahib-sawhney-wh/dapr-middleware-validator

Name: dapr-middleware-validator
Author: sahib-sawhney-wh

plugins/dapr/skills/middleware-validator/SKILL.md

npx skillsauth add sahib-sawhney-wh/sahibs-claude-plugin-marketplace dapr-middleware-validator

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

DAPR Middleware Configuration Validator

This skill validates DAPR HTTP middleware components for security and correctness.

When to Use

Claude automatically uses this skill when:

A middleware YAML file is created or modified
User configures OAuth2, Bearer, OPA, or rate limiting
Pipeline configuration is being set up
Before deploying middleware-protected APIs

Middleware Types

Authentication Middleware

| Type | Component Type | Purpose | |------|---------------|---------| | OAuth2 | middleware.http.oauth2 | Authorization Code flow | | OAuth2 CC | middleware.http.oauth2clientcredentials | Service-to-service auth | | Bearer | middleware.http.bearer | JWT/OIDC token validation |

Authorization Middleware

| Type | Component Type | Purpose | |------|---------------|---------| | OPA | middleware.http.opa | Policy-based authorization |

Traffic Control Middleware

| Type | Component Type | Purpose | |------|---------------|---------| | Rate Limit | middleware.http.ratelimit | Request throttling | | Sentinel | middleware.http.sentinel | Circuit breaker/flow control |

Request Processing Middleware

| Type | Component Type | Purpose | |------|---------------|---------| | Router Alias | middleware.http.routeralias | Route rewriting | | Router Checker | middleware.http.routerchecker | Route validation | | WASM | middleware.http.wasm | Custom WebAssembly logic | | Uppercase | middleware.http.uppercase | Testing only |

Validation Rules

OAuth2 Middleware Validation

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2
spec:
  type: middleware.http.oauth2
  version: v1
  metadata:
  - name: clientId
    secretKeyRef:           # REQUIRED: Use secretKeyRef
      name: oauth-secrets
      key: client-id
  - name: clientSecret
    secretKeyRef:           # REQUIRED: Use secretKeyRef
      name: oauth-secrets
      key: client-secret
  - name: scopes
    value: "openid profile" # REQUIRED
  - name: authURL
    value: "https://..."    # REQUIRED: Must be HTTPS
  - name: tokenURL
    value: "https://..."    # REQUIRED: Must be HTTPS
  - name: redirectURL
    value: "..."            # REQUIRED
  - name: forceHTTPS
    value: "true"           # RECOMMENDED for production

Checks performed:

[ ] clientId uses secretKeyRef (not plain value)
[ ] clientSecret uses secretKeyRef (not plain value)
[ ] authURL uses HTTPS protocol
[ ] tokenURL uses HTTPS protocol
[ ] forceHTTPS is "true" for production

Bearer Token Validation

spec:
  type: middleware.http.bearer
  metadata:
  - name: audience
    value: "api://..."      # REQUIRED
  - name: issuer
    value: "https://..."    # REQUIRED: Must be HTTPS

Checks performed:

[ ] audience is specified
[ ] issuer uses HTTPS protocol
[ ] Issuer matches known providers or is valid URL

OPA Middleware Validation

spec:
  type: middleware.http.opa
  metadata:
  - name: defaultStatus
    value: "403"            # RECOMMENDED: 403 for authz failures
  - name: rego
    value: |
      package http
      default allow = false  # REQUIRED: Default deny

Checks performed:

[ ] Rego policy has default allow = false
[ ] Policy uses package http
[ ] includedHeaders contains Authorization if JWT checking
[ ] No hardcoded secrets in policy

Rate Limit Validation

spec:
  type: middleware.http.ratelimit
  metadata:
  - name: maxRequestsPerSecond
    value: "100"            # REQUIRED: Reasonable limit

Checks performed:

[ ] maxRequestsPerSecond is specified
[ ] Value is reasonable (not 0, not extremely high)

Sentinel Validation

spec:
  type: middleware.http.sentinel
  metadata:
  - name: appName
    value: "my-service"     # REQUIRED
  - name: flowRules
    value: |                # At least one rule type required
      [...]

Checks performed:

[ ] appName is specified
[ ] At least one rule type is defined (flowRules, circuitBreakerRules, etc.)
[ ] Resource paths in rules are valid format
[ ] Threshold values are reasonable

WASM Validation

spec:
  type: middleware.http.wasm
  metadata:
  - name: url
    value: "file://..."     # REQUIRED

Checks performed:

[ ] url is specified with valid scheme (file://, http://, https://)
[ ] HTTPS used for remote WASM binaries
[ ] Path exists for file:// URLs (if verifiable)

Router Alias Validation

spec:
  type: middleware.http.routeralias
  metadata:
  - name: routes
    value: |                # REQUIRED
      {"/api": "/v1.0/invoke/..."}

Checks performed:

[ ] routes is valid JSON or YAML
[ ] Target paths are valid Dapr API paths

Router Checker Validation

spec:
  type: middleware.http.routerchecker
  metadata:
  - name: rule
    value: "^[A-Za-z0-9/._-]+$"  # REQUIRED: Valid regex

Checks performed:

[ ] rule is valid regex pattern
[ ] Pattern is security-appropriate (blocks common attacks)

Pipeline Order Validation

Correct middleware ordering:

spec:
  httpPipeline:
    handlers:
    - name: routerchecker     # 1. Block invalid requests first
      type: middleware.http.routerchecker
    - name: ratelimit         # 2. Rate limit before auth
      type: middleware.http.ratelimit
    - name: bearer-auth       # 3. Authenticate
      type: middleware.http.bearer
    - name: opa-authz         # 4. Authorize (after auth)
      type: middleware.http.opa
    - name: routeralias       # 5. Transform routes last
      type: middleware.http.routeralias

Order checks:

[ ] Rate limiting comes before authentication
[ ] Authorization comes after authentication
[ ] Route validation comes before other middleware
[ ] Route aliasing comes after security middleware

Security Checks

Critical Security Issues

Plain-text credentials - clientId/clientSecret not in secretKeyRef
HTTP URLs - Auth/token URLs using HTTP instead of HTTPS
Default allow - OPA policy without explicit default deny
No rate limiting - APIs without request throttling

Warnings

Missing forceHTTPS - OAuth2 without HTTPS enforcement
High rate limits - Very permissive request limits
Overly permissive OPA - Policies with broad allow rules
Missing headers - OPA not checking Authorization header

Output Format

DAPR Middleware Validation Report
==================================

✓ components/oauth2-auth.yaml - Valid
  - Type: middleware.http.oauth2
  - Credentials use secretKeyRef: Yes
  - HTTPS enforced: Yes

⚠ components/ratelimit.yaml - Warning
  - Type: middleware.http.ratelimit
  - Warning: Rate limit of 10000 RPS is very high
  - Recommendation: Consider lower limit for public APIs

✗ components/bearer-auth.yaml - Invalid
  - Type: middleware.http.bearer
  - Error: Missing required field 'audience'
  - Error: 'issuer' uses HTTP instead of HTTPS

Pipeline Analysis:
✗ Rate limiting should come BEFORE authentication middleware
  Current order: [bearer-auth, ratelimit]
  Recommended:   [ratelimit, bearer-auth]

Security Summary:
- Critical: 1 (plain-text credentials)
- Warnings: 2
- Valid: 3

Common Issues and Fixes

Plain-Text Credentials

# BAD (security risk)
- name: clientSecret
  value: "my-secret-key"

# GOOD (use secret reference)
- name: clientSecret
  secretKeyRef:
    name: oauth-secrets
    key: client-secret

HTTP Instead of HTTPS

# BAD (insecure)
- name: tokenURL
  value: "http://auth.example.com/token"

# GOOD
- name: tokenURL
  value: "https://auth.example.com/token"

Default Allow in OPA

# BAD (insecure - allows everything by default)
package http
default allow = true

# GOOD (secure - denies by default)
package http
default allow = false
allow { ... specific conditions ... }

Wrong Pipeline Order

# BAD (auth before rate limit allows DoS via auth endpoints)
handlers:
- name: oauth2
  type: middleware.http.oauth2
- name: ratelimit
  type: middleware.http.ratelimit

# GOOD (rate limit protects auth endpoints)
handlers:
- name: ratelimit
  type: middleware.http.ratelimit
- name: oauth2
  type: middleware.http.oauth2

Integration Points

This skill integrates with:

middleware-expert agent for detailed configuration help
security-scanner skill for broader security analysis
/dapr:middleware command to generate valid configs
/dapr:security command for pre-deployment checks

sahib-sawhney-wh/dapr-middleware-validator

plugins/dapr/skills/middleware-validator/SKILL.md

Automatically validate DAPR HTTP middleware configuration files. Checks for correct middleware types, proper secret references, pipeline ordering, and security best practices. Use when configuring OAuth2, Bearer tokens, OPA policies, rate limiting, or other middleware.

3 stars

testing

Updated Apr 13, 2026

$ install --global

skillsauth

npx skillsauth add sahib-sawhney-wh/sahibs-claude-plugin-marketplace dapr-middleware-validator

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 8:44 PM1.7s1 file scanned

SKILL.md

name:: dapr-middleware-validator
description:: Automatically validate DAPR HTTP middleware configuration files. Checks for correct middleware types, proper secret references, pipeline ordering, and security best practices. Use when configuring OAuth2, Bearer tokens, OPA policies, rate limiting, or other middleware.
allowed-tools:: Read, Grep, Glob

DAPR Middleware Configuration Validator

This skill validates DAPR HTTP middleware components for security and correctness.

When to Use

Claude automatically uses this skill when:

A middleware YAML file is created or modified
User configures OAuth2, Bearer, OPA, or rate limiting
Pipeline configuration is being set up
Before deploying middleware-protected APIs

Middleware Types

Authentication Middleware

Authorization Middleware

| Type | Component Type | Purpose | |------|---------------|---------| | OPA | middleware.http.opa | Policy-based authorization |

Traffic Control Middleware

Request Processing Middleware

Validation Rules

OAuth2 Middleware Validation

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2
spec:
  type: middleware.http.oauth2
  version: v1
  metadata:
  - name: clientId
    secretKeyRef:           # REQUIRED: Use secretKeyRef
      name: oauth-secrets
      key: client-id
  - name: clientSecret
    secretKeyRef:           # REQUIRED: Use secretKeyRef
      name: oauth-secrets
      key: client-secret
  - name: scopes
    value: "openid profile" # REQUIRED
  - name: authURL
    value: "https://..."    # REQUIRED: Must be HTTPS
  - name: tokenURL
    value: "https://..."    # REQUIRED: Must be HTTPS
  - name: redirectURL
    value: "..."            # REQUIRED
  - name: forceHTTPS
    value: "true"           # RECOMMENDED for production

Checks performed:

[ ] clientId uses secretKeyRef (not plain value)
[ ] clientSecret uses secretKeyRef (not plain value)
[ ] authURL uses HTTPS protocol
[ ] tokenURL uses HTTPS protocol
[ ] forceHTTPS is "true" for production

Bearer Token Validation

spec:
  type: middleware.http.bearer
  metadata:
  - name: audience
    value: "api://..."      # REQUIRED
  - name: issuer
    value: "https://..."    # REQUIRED: Must be HTTPS

Checks performed:

[ ] audience is specified
[ ] issuer uses HTTPS protocol
[ ] Issuer matches known providers or is valid URL

OPA Middleware Validation

spec:
  type: middleware.http.opa
  metadata:
  - name: defaultStatus
    value: "403"            # RECOMMENDED: 403 for authz failures
  - name: rego
    value: |
      package http
      default allow = false  # REQUIRED: Default deny

Checks performed:

[ ] Rego policy has default allow = false
[ ] Policy uses package http
[ ] includedHeaders contains Authorization if JWT checking
[ ] No hardcoded secrets in policy

Rate Limit Validation

spec:
  type: middleware.http.ratelimit
  metadata:
  - name: maxRequestsPerSecond
    value: "100"            # REQUIRED: Reasonable limit

Checks performed:

[ ] maxRequestsPerSecond is specified
[ ] Value is reasonable (not 0, not extremely high)

Sentinel Validation

spec:
  type: middleware.http.sentinel
  metadata:
  - name: appName
    value: "my-service"     # REQUIRED
  - name: flowRules
    value: |                # At least one rule type required
      [...]

Checks performed:

[ ] appName is specified
[ ] At least one rule type is defined (flowRules, circuitBreakerRules, etc.)
[ ] Resource paths in rules are valid format
[ ] Threshold values are reasonable

WASM Validation

spec:
  type: middleware.http.wasm
  metadata:
  - name: url
    value: "file://..."     # REQUIRED

Checks performed:

[ ] url is specified with valid scheme (file://, http://, https://)
[ ] HTTPS used for remote WASM binaries
[ ] Path exists for file:// URLs (if verifiable)

Router Alias Validation

spec:
  type: middleware.http.routeralias
  metadata:
  - name: routes
    value: |                # REQUIRED
      {"/api": "/v1.0/invoke/..."}

Checks performed:

[ ] routes is valid JSON or YAML
[ ] Target paths are valid Dapr API paths

Router Checker Validation

spec:
  type: middleware.http.routerchecker
  metadata:
  - name: rule
    value: "^[A-Za-z0-9/._-]+$"  # REQUIRED: Valid regex

Checks performed:

[ ] rule is valid regex pattern
[ ] Pattern is security-appropriate (blocks common attacks)

Pipeline Order Validation

Correct middleware ordering:

spec:
  httpPipeline:
    handlers:
    - name: routerchecker     # 1. Block invalid requests first
      type: middleware.http.routerchecker
    - name: ratelimit         # 2. Rate limit before auth
      type: middleware.http.ratelimit
    - name: bearer-auth       # 3. Authenticate
      type: middleware.http.bearer
    - name: opa-authz         # 4. Authorize (after auth)
      type: middleware.http.opa
    - name: routeralias       # 5. Transform routes last
      type: middleware.http.routeralias

Order checks:

[ ] Rate limiting comes before authentication
[ ] Authorization comes after authentication
[ ] Route validation comes before other middleware
[ ] Route aliasing comes after security middleware

Security Checks

Critical Security Issues

Plain-text credentials - clientId/clientSecret not in secretKeyRef
HTTP URLs - Auth/token URLs using HTTP instead of HTTPS
Default allow - OPA policy without explicit default deny
No rate limiting - APIs without request throttling

Warnings

Missing forceHTTPS - OAuth2 without HTTPS enforcement
High rate limits - Very permissive request limits
Overly permissive OPA - Policies with broad allow rules
Missing headers - OPA not checking Authorization header

Output Format

DAPR Middleware Validation Report
==================================

✓ components/oauth2-auth.yaml - Valid
  - Type: middleware.http.oauth2
  - Credentials use secretKeyRef: Yes
  - HTTPS enforced: Yes

⚠ components/ratelimit.yaml - Warning
  - Type: middleware.http.ratelimit
  - Warning: Rate limit of 10000 RPS is very high
  - Recommendation: Consider lower limit for public APIs

✗ components/bearer-auth.yaml - Invalid
  - Type: middleware.http.bearer
  - Error: Missing required field 'audience'
  - Error: 'issuer' uses HTTP instead of HTTPS

Pipeline Analysis:
✗ Rate limiting should come BEFORE authentication middleware
  Current order: [bearer-auth, ratelimit]
  Recommended:   [ratelimit, bearer-auth]

Security Summary:
- Critical: 1 (plain-text credentials)
- Warnings: 2
- Valid: 3

Common Issues and Fixes

Plain-Text Credentials

# BAD (security risk)
- name: clientSecret
  value: "my-secret-key"

# GOOD (use secret reference)
- name: clientSecret
  secretKeyRef:
    name: oauth-secrets
    key: client-secret

HTTP Instead of HTTPS

# BAD (insecure)
- name: tokenURL
  value: "http://auth.example.com/token"

# GOOD
- name: tokenURL
  value: "https://auth.example.com/token"

Default Allow in OPA

# BAD (insecure - allows everything by default)
package http
default allow = true

# GOOD (secure - denies by default)
package http
default allow = false
allow { ... specific conditions ... }

Wrong Pipeline Order

# BAD (auth before rate limit allows DoS via auth endpoints)
handlers:
- name: oauth2
  type: middleware.http.oauth2
- name: ratelimit
  type: middleware.http.ratelimit

# GOOD (rate limit protects auth endpoints)
handlers:
- name: ratelimit
  type: middleware.http.ratelimit
- name: oauth2
  type: middleware.http.oauth2

Integration Points

This skill integrates with:

middleware-expert agent for detailed configuration help
security-scanner skill for broader security analysis
/dapr:middleware command to generate valid configs
/dapr:security command for pre-deployment checks

Related Skills

sahib-sawhney-wh/plugins/dataverse/skills/dataverse-web-apps

tools

VerifiedTrustedCommunity

# dataverse-web-apps This skill provides guidance on building web applications (any language) that connect to Microsoft Dataverse. Use when users ask about ".NET Dataverse", "Node.js Dataverse", "JavaScript Dataverse", "REST API Dataverse", "web app Dataverse", "OAuth Dataverse", or need help with web application integration. ## Dataverse Web API All languages can access Dataverse via the OData Web API. **Base URL:** `https://yourorg.api.crm.dynamics.com/api/data/v9.2/` ### Authentication

3SKILL.mdUpdated Apr 13, 2026

sahib-sawhney-wh/plugins/dataverse/skills/dataverse-web-apps

sahib-sawhney-wh/plugins/dataverse/skills/dataverse-sdk

tools

VerifiedTrustedCommunity

# dataverse-sdk This skill provides guidance on using the PowerPlatform Dataverse Client SDK for Python. Use when users ask about "Dataverse SDK", "Dataverse Python", "DataverseClient", "Dataverse authentication", "Dataverse CRUD operations", "create Dataverse records", "query Dataverse", "Dataverse connection", or need help with the Microsoft Dataverse Python SDK. ## Quick Start Install the SDK: ```bash pip install PowerPlatform-Dataverse-Client azure-identity ``` Basic setup: ```python fro

3SKILL.mdUpdated Apr 13, 2026

sahib-sawhney-wh/plugins/dataverse/skills/dataverse-sdk

sahib-sawhney-wh/plugins/dataverse/skills/dataverse-schema-design

tools

VerifiedTrustedCommunity

# dataverse-schema-design This skill provides guidance on designing Dataverse table schemas and data models. Use when users ask about "Dataverse table design", "Dataverse schema", "Dataverse relationships", "Dataverse columns", "data modeling Dataverse", "Dataverse best practices", or need help designing their data structure. ## Table Design Fundamentals ### Naming Conventions - **Table prefix**: Use publisher prefix (e.g., `new_`, `cr123_`) - **Table names**: PascalCase, singular (e.g., `new

3SKILL.mdUpdated Apr 13, 2026

sahib-sawhney-wh/plugins/dataverse/skills/dataverse-schema-design

sahib-sawhney-wh/plugins/dataverse/skills/dataverse-queries

tools

VerifiedTrustedCommunity

# dataverse-queries This skill provides guidance on querying data from Microsoft Dataverse. Use when users ask about "Dataverse query", "OData filter", "Dataverse SQL", "FetchXML", "query Dataverse records", "Dataverse filter syntax", "search Dataverse", or need help constructing queries. ## Query Methods The Dataverse SDK supports two query methods: 1. **OData queries** - Standard Web API query syntax 2. **SQL queries** - T-SQL-like syntax (read-only) ## OData Query Basics ```python # Basi

3SKILL.mdUpdated Apr 13, 2026

sahib-sawhney-wh/plugins/dataverse/skills/dataverse-queries

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/sahib-sawhney-wh/sahibs-claude-plugin-marketplace.git

# Copy into Claude Code skills folder (global)
cp -r sahibs-claude-plugin-marketplace/plugins/dapr/skills/middleware-validator ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

sahib-sawhney-wh/sahibs-claude-plugin-marketplace

3 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT