natureco-cli 5.18.3 → 5.20.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +32 -0
- package/package.json +1 -1
- package/skills/a-b-testing/SKILL.md +34 -0
- package/skills/accessibility-audit/SKILL.md +34 -0
- package/skills/agent-memory/SKILL.md +34 -0
- package/skills/agent-orchestration/SKILL.md +34 -0
- package/skills/airunway-aks-setup/SKILL.md +73 -0
- package/skills/algorithmic-art/SKILL.md +405 -0
- package/skills/analytics-setup/SKILL.md +34 -0
- package/skills/api-design/SKILL.md +34 -0
- package/skills/api-versioning/SKILL.md +34 -0
- package/skills/appinsights-instrumentation/SKILL.md +76 -0
- package/skills/audio-transcription/SKILL.md +34 -0
- package/skills/authentication-patterns/SKILL.md +34 -0
- package/skills/authorization-rbac/SKILL.md +34 -0
- package/skills/azure-ai/SKILL.md +71 -0
- package/skills/azure-aigateway/SKILL.md +129 -0
- package/skills/azure-cloud-migrate/SKILL.md +52 -0
- package/skills/azure-compliance/SKILL.md +108 -0
- package/skills/azure-compute/SKILL.md +46 -0
- package/skills/azure-cost/SKILL.md +45 -0
- package/skills/azure-deploy/SKILL.md +97 -0
- package/skills/azure-diagnostics/SKILL.md +151 -0
- package/skills/azure-enterprise-infra-planner/SKILL.md +54 -0
- package/skills/azure-hosted-copilot-sdk/SKILL.md +89 -0
- package/skills/azure-kubernetes/SKILL.md +153 -0
- package/skills/azure-kusto/SKILL.md +231 -0
- package/skills/azure-messaging/SKILL.md +57 -0
- package/skills/azure-prepare/SKILL.md +165 -0
- package/skills/azure-quotas/SKILL.md +276 -0
- package/skills/azure-rbac/SKILL.md +17 -0
- package/skills/azure-reliability/SKILL.md +387 -0
- package/skills/azure-resource-lookup/SKILL.md +108 -0
- package/skills/azure-resource-visualizer/SKILL.md +183 -0
- package/skills/azure-storage/SKILL.md +100 -0
- package/skills/azure-upgrade/SKILL.md +91 -0
- package/skills/azure-validate/SKILL.md +72 -0
- package/skills/backup-strategy/SKILL.md +34 -0
- package/skills/bash-scripting/SKILL.md +34 -0
- package/skills/batch-api-calls/SKILL.md +34 -0
- package/skills/batch-processing/SKILL.md +34 -0
- package/skills/brainstorming/SKILL.md +159 -0
- package/skills/brand-guidelines/SKILL.md +73 -0
- package/skills/brandkit/SKILL.md +798 -0
- package/skills/brutalist-skill/SKILL.md +92 -0
- package/skills/bulk-file-operations/SKILL.md +34 -0
- package/skills/cache-responses/SKILL.md +34 -0
- package/skills/caching-strategy/SKILL.md +34 -0
- package/skills/calendar-optimization/SKILL.md +34 -0
- package/skills/canvas-design/SKILL.md +130 -0
- package/skills/cavecrew/SKILL.md +82 -0
- package/skills/caveman-commit/SKILL.md +65 -0
- package/skills/caveman-help/SKILL.md +63 -0
- package/skills/caveman-review/SKILL.md +55 -0
- package/skills/caveman-stats/SKILL.md +10 -0
- package/skills/changelog-generation/SKILL.md +34 -0
- package/skills/chat-bot-design/SKILL.md +34 -0
- package/skills/chunking-strategy/SKILL.md +34 -0
- package/skills/ci-cd-pipeline/SKILL.md +34 -0
- package/skills/classification-pipeline/SKILL.md +34 -0
- package/skills/claude-api/SKILL.md +356 -0
- package/skills/clipboard-master/SKILL.md +34 -0
- package/skills/code-explanation/SKILL.md +34 -0
- package/skills/code-generation/SKILL.md +34 -0
- package/skills/code-migration/SKILL.md +34 -0
- package/skills/code-review-checklist/SKILL.md +34 -0
- package/skills/composition-patterns/SKILL.md +89 -0
- package/skills/contact-management/SKILL.md +34 -0
- package/skills/content-generation/SKILL.md +34 -0
- package/skills/context-pruning/SKILL.md +34 -0
- package/skills/context-window-management/SKILL.md +34 -0
- package/skills/continuous-improvement/SKILL.md +34 -0
- package/skills/cron-scheduling/SKILL.md +34 -0
- package/skills/cross-platform-compat/SKILL.md +34 -0
- package/skills/csv-processing/SKILL.md +34 -0
- package/skills/daily-journal/SKILL.md +34 -0
- package/skills/data-analysis/SKILL.md +34 -0
- package/skills/data-backup/SKILL.md +34 -0
- package/skills/data-cleaning/SKILL.md +34 -0
- package/skills/data-extraction/SKILL.md +34 -0
- package/skills/data-validation/SKILL.md +34 -0
- package/skills/database-migrations/SKILL.md +34 -0
- package/skills/database-schema-design/SKILL.md +34 -0
- package/skills/decision-mapping/SKILL.md +84 -0
- package/skills/decision-matrix/SKILL.md +34 -0
- package/skills/dependency-management/SKILL.md +34 -0
- package/skills/deploy-to-vercel/SKILL.md +296 -0
- package/skills/design-an-interface/SKILL.md +94 -0
- package/skills/design-doc-mermaid/SKILL.md +498 -0
- package/skills/dev-environment-setup/SKILL.md +34 -0
- package/skills/develop-userscripts/SKILL.md +84 -0
- package/skills/distraction-blocker/SKILL.md +34 -0
- package/skills/doc-coauthoring/SKILL.md +375 -0
- package/skills/docker-optimization/SKILL.md +34 -0
- package/skills/document-template/SKILL.md +34 -0
- package/skills/documentation/SKILL.md +109 -0
- package/skills/documentation-gen/SKILL.md +34 -0
- package/skills/docx/SKILL.md +590 -0
- package/skills/edit-article/SKILL.md +15 -0
- package/skills/efficient-formatting/SKILL.md +34 -0
- package/skills/email-management/SKILL.md +34 -0
- package/skills/email-service/SKILL.md +34 -0
- package/skills/embedding-generation/SKILL.md +34 -0
- package/skills/entity-extraction/SKILL.md +34 -0
- package/skills/entra-agent-id/SKILL.md +356 -0
- package/skills/entra-app-registration/SKILL.md +191 -0
- package/skills/environment-config/SKILL.md +34 -0
- package/skills/error-handling/SKILL.md +34 -0
- package/skills/estimation-techniques/SKILL.md +34 -0
- package/skills/event-driven-architecture/SKILL.md +34 -0
- package/skills/excel-automation/SKILL.md +34 -0
- package/skills/execution-monitoring/SKILL.md +34 -0
- package/skills/expense-tracking/SKILL.md +34 -0
- package/skills/faceless-explainer/SKILL.md +202 -0
- package/skills/fastify/SKILL.md +75 -0
- package/skills/feature-engineering/SKILL.md +34 -0
- package/skills/feature-flags/SKILL.md +34 -0
- package/skills/file-conversion/SKILL.md +34 -0
- package/skills/file-upload-handling/SKILL.md +34 -0
- package/skills/fine-tuning-prep/SKILL.md +34 -0
- package/skills/focus-mode/SKILL.md +34 -0
- package/skills/form-validation/SKILL.md +34 -0
- package/skills/function-calling/SKILL.md +34 -0
- package/skills/general-video/SKILL.md +143 -0
- package/skills/git-guardrails-claude-code/SKILL.md +95 -0
- package/skills/git-workflow/SKILL.md +34 -0
- package/skills/github-actions-docs/SKILL.md +98 -0
- package/skills/goal-setting/SKILL.md +34 -0
- package/skills/gpt-tasteskill/SKILL.md +74 -0
- package/skills/graphql-design/SKILL.md +34 -0
- package/skills/grill-me/SKILL.md +7 -0
- package/skills/grilling/SKILL.md +10 -0
- package/skills/habit-tracker/SKILL.md +34 -0
- package/skills/hallucination-detection/SKILL.md +34 -0
- package/skills/handoff/SKILL.md +16 -0
- package/skills/hyperframes/SKILL.md +152 -0
- package/skills/hyperframes-animation/SKILL.md +82 -0
- package/skills/hyperframes-cli/SKILL.md +109 -0
- package/skills/hyperframes-core/SKILL.md +78 -0
- package/skills/hyperframes-creative/SKILL.md +68 -0
- package/skills/hyperframes-media/SKILL.md +97 -0
- package/skills/image-processing/SKILL.md +34 -0
- package/skills/image-to-code-skill/SKILL.md +1228 -0
- package/skills/imagegen-frontend-mobile/SKILL.md +1465 -0
- package/skills/imagegen-frontend-web/SKILL.md +987 -0
- package/skills/implement/SKILL.md +15 -0
- package/skills/init/SKILL.md +91 -0
- package/skills/internal-comms/SKILL.md +32 -0
- package/skills/json-transformation/SKILL.md +34 -0
- package/skills/keyboard-shortcuts/SKILL.md +34 -0
- package/skills/knowledge-base/SKILL.md +34 -0
- package/skills/knowledge-graph/SKILL.md +34 -0
- package/skills/kubernetes-deployment/SKILL.md +34 -0
- package/skills/language-translation/SKILL.md +34 -0
- package/skills/lark-approval/SKILL.md +56 -0
- package/skills/lark-base/SKILL.md +157 -0
- package/skills/lark-doc/SKILL.md +81 -0
- package/skills/lark-shared/SKILL.md +168 -0
- package/skills/lark-workflow-meeting-summary/SKILL.md +122 -0
- package/skills/linting-neostandard-eslint9/SKILL.md +64 -0
- package/skills/llm-chaining/SKILL.md +34 -0
- package/skills/localization-i18n/SKILL.md +34 -0
- package/skills/logging-best-practices/SKILL.md +34 -0
- package/skills/loop-me/SKILL.md +32 -0
- package/skills/machine-learning-pipeline/SKILL.md +34 -0
- package/skills/meeting-notes/SKILL.md +34 -0
- package/skills/meeting-scheduler/SKILL.md +34 -0
- package/skills/message-queues/SKILL.md +34 -0
- package/skills/message-summarization/SKILL.md +34 -0
- package/skills/microservices-architecture/SKILL.md +34 -0
- package/skills/microsoft-foundry/SKILL.md +262 -0
- package/skills/migrate-to-shoehorn/SKILL.md +118 -0
- package/skills/milestone-tracking/SKILL.md +34 -0
- package/skills/minimalist-skill/SKILL.md +85 -0
- package/skills/model-deployment/SKILL.md +34 -0
- package/skills/model-evaluation/SKILL.md +34 -0
- package/skills/monitoring-setup/SKILL.md +34 -0
- package/skills/monorepo-setup/SKILL.md +34 -0
- package/skills/motion-graphics/SKILL.md +170 -0
- package/skills/multi-agent-systems/SKILL.md +34 -0
- package/skills/music-to-video/SKILL.md +197 -0
- package/skills/network-troubleshooting/SKILL.md +34 -0
- package/skills/node/SKILL.md +94 -0
- package/skills/nodejs-core/SKILL.md +156 -0
- package/skills/note-organization/SKILL.md +34 -0
- package/skills/oauth/SKILL.md +186 -0
- package/skills/obsidian-vault/SKILL.md +59 -0
- package/skills/octocat/SKILL.md +93 -0
- package/skills/openclaw-secure-linux-cloud/SKILL.md +157 -0
- package/skills/opensource-guide-coach/SKILL.md +218 -0
- package/skills/output-skill/SKILL.md +49 -0
- package/skills/package-publishing/SKILL.md +34 -0
- package/skills/password-generator/SKILL.md +34 -0
- package/skills/pdf/SKILL.md +314 -0
- package/skills/pdf-processing/SKILL.md +34 -0
- package/skills/performance-optimization/SKILL.md +34 -0
- package/skills/pomodoro-timer/SKILL.md +34 -0
- package/skills/powershell-automation/SKILL.md +34 -0
- package/skills/pptx/SKILL.md +232 -0
- package/skills/pr-to-video/SKILL.md +235 -0
- package/skills/priority-filtering/SKILL.md +34 -0
- package/skills/product-launch-video/SKILL.md +205 -0
- package/skills/project-tracking/SKILL.md +34 -0
- package/skills/prompt-compression/SKILL.md +34 -0
- package/skills/prompt-engineering/SKILL.md +34 -0
- package/skills/push-notifications/SKILL.md +34 -0
- package/skills/python-appservice-deploy/SKILL.md +36 -0
- package/skills/qa/SKILL.md +130 -0
- package/skills/rag-implementation/SKILL.md +34 -0
- package/skills/rate-limiting/SKILL.md +34 -0
- package/skills/react-best-practices/SKILL.md +149 -0
- package/skills/react-native-skills/SKILL.md +121 -0
- package/skills/react-view-transitions/SKILL.md +320 -0
- package/skills/readme-i18n/SKILL.md +176 -0
- package/skills/real-time-communication/SKILL.md +34 -0
- package/skills/redesign-skill/SKILL.md +178 -0
- package/skills/refactoring-strategy/SKILL.md +34 -0
- package/skills/regex-mastery/SKILL.md +34 -0
- package/skills/remotion/SKILL.md +364 -0
- package/skills/report-generation/SKILL.md +34 -0
- package/skills/request-refactor-plan/SKILL.md +68 -0
- package/skills/research-compiler/SKILL.md +34 -0
- package/skills/resolving-merge-conflicts/SKILL.md +14 -0
- package/skills/responsive-design/SKILL.md +34 -0
- package/skills/rest-api-patterns/SKILL.md +34 -0
- package/skills/retrospectives/SKILL.md +34 -0
- package/skills/risk-assessment/SKILL.md +34 -0
- package/skills/roadmap-creation/SKILL.md +34 -0
- package/skills/running-claude-code-via-litellm-copilot/SKILL.md +263 -0
- package/skills/scaffold-exercises/SKILL.md +106 -0
- package/skills/search-implementation/SKILL.md +34 -0
- package/skills/secrets-management/SKILL.md +34 -0
- package/skills/secure-linux-web-hosting/SKILL.md +162 -0
- package/skills/security-audit/SKILL.md +34 -0
- package/skills/selective-memory/SKILL.md +34 -0
- package/skills/semantic-search/SKILL.md +34 -0
- package/skills/semantic-versioning/SKILL.md +34 -0
- package/skills/sentiment-analysis/SKILL.md +34 -0
- package/skills/seo-optimization/SKILL.md +34 -0
- package/skills/setup-pre-commit/SKILL.md +91 -0
- package/skills/shadcn/SKILL.md +267 -0
- package/skills/simple/SKILL.md +52 -0
- package/skills/skill-creator/SKILL.md +485 -0
- package/skills/skill-optimizer/SKILL.md +47 -0
- package/skills/skills-cli/SKILL.md +281 -0
- package/skills/slack-gif-creator/SKILL.md +254 -0
- package/skills/snipgrapher/SKILL.md +58 -0
- package/skills/snippet-manager/SKILL.md +34 -0
- package/skills/soft-skill/SKILL.md +98 -0
- package/skills/sprint-planning/SKILL.md +34 -0
- package/skills/sql-query-optimization/SKILL.md +34 -0
- package/skills/stakeholder-communication/SKILL.md +34 -0
- package/skills/state-management/SKILL.md +34 -0
- package/skills/statistical-analysis/SKILL.md +34 -0
- package/skills/stitch-skill/SKILL.md +184 -0
- package/skills/streaming-responses/SKILL.md +34 -0
- package/skills/structured-output/SKILL.md +34 -0
- package/skills/summarization-techniques/SKILL.md +34 -0
- package/skills/supabase/SKILL.md +135 -0
- package/skills/supabase-postgres-best-practices/SKILL.md +64 -0
- package/skills/system-diagnostics/SKILL.md +34 -0
- package/skills/systematic-debugging/SKILL.md +296 -0
- package/skills/talking-head-recut/SKILL.md +1191 -0
- package/skills/task-decomposition/SKILL.md +34 -0
- package/skills/task-prioritization/SKILL.md +34 -0
- package/skills/taste-skill/SKILL.md +1206 -0
- package/skills/taste-skill-v1/SKILL.md +226 -0
- package/skills/tdd/SKILL.md +108 -0
- package/skills/teach/SKILL.md +140 -0
- package/skills/template-library/SKILL.md +34 -0
- package/skills/test-driven-development/SKILL.md +371 -0
- package/skills/test-generation/SKILL.md +34 -0
- package/skills/testing-strategy/SKILL.md +34 -0
- package/skills/text-expansion/SKILL.md +34 -0
- package/skills/theme-factory/SKILL.md +59 -0
- package/skills/time-blocking/SKILL.md +34 -0
- package/skills/to-prd/SKILL.md +75 -0
- package/skills/token-budgeting/SKILL.md +34 -0
- package/skills/token-optimization/SKILL.md +34 -0
- package/skills/tool-calling-patterns/SKILL.md +34 -0
- package/skills/typescript-magician/SKILL.md +117 -0
- package/skills/tzst/SKILL.md +68 -0
- package/skills/ubiquitous-language/SKILL.md +93 -0
- package/skills/use-my-browser/SKILL.md +110 -0
- package/skills/using-superpowers/SKILL.md +121 -0
- package/skills/vector-database-setup/SKILL.md +34 -0
- package/skills/vercel-cli-with-tokens/SKILL.md +353 -0
- package/skills/vercel-optimize/SKILL.md +322 -0
- package/skills/video-editing/SKILL.md +34 -0
- package/skills/viral-instagram-reels/SKILL.md +180 -0
- package/skills/viral-short-form/SKILL.md +147 -0
- package/skills/viral-short-form-ideas/SKILL.md +184 -0
- package/skills/viral-tiktok-content/SKILL.md +180 -0
- package/skills/visualization-creation/SKILL.md +34 -0
- package/skills/web-artifacts-builder/SKILL.md +74 -0
- package/skills/web-design-guidelines/SKILL.md +39 -0
- package/skills/web-scraping/SKILL.md +34 -0
- package/skills/webapp-testing/SKILL.md +96 -0
- package/skills/webhook-handling/SKILL.md +34 -0
- package/skills/website-to-video/SKILL.md +145 -0
- package/skills/weekly-review/SKILL.md +34 -0
- package/skills/workflow-automation/SKILL.md +34 -0
- package/skills/writing-beats/SKILL.md +67 -0
- package/skills/writing-fragments/SKILL.md +79 -0
- package/skills/writing-great-skills/SKILL.md +82 -0
- package/skills/writing-guidelines/SKILL.md +39 -0
- package/skills/writing-plans/SKILL.md +174 -0
- package/skills/writing-shape/SKILL.md +79 -0
- package/skills/xdrop/SKILL.md +78 -0
- package/skills/xget/SKILL.md +87 -0
- package/skills/xlsx/SKILL.md +292 -0
- package/src/commands/code_v5.js +377 -73
- package/src/commands/repl.js +505 -86
- package/src/providers/model/anthropic.js +84 -0
- package/src/providers/model/gemini.js +49 -0
- package/src/providers/model/minimax.js +48 -0
- package/src/providers/model/ollama.js +42 -0
- package/src/providers/model/openai.js +49 -0
- package/src/providers/search/duckduckgo.js +45 -0
- package/src/providers/search/exa.js +52 -0
- package/src/providers/search/searxng.js +51 -0
- package/src/providers/search/tavily.js +47 -0
- package/src/tools/model_provider.js +71 -0
- package/src/tools/parallel_search.js +40 -49
- package/src/tools/search_provider.js +79 -0
- package/src/tools/skills_download.js +217 -0
- package/src/tools/web_search.js +42 -62
- package/src/tools/workflow.js +21 -9
- package/src/utils/cron.js +82 -126
- package/src/utils/effort-levels.js +42 -0
- package/src/utils/fallback-chain.js +72 -0
- package/src/utils/file-history.js +78 -0
- package/src/utils/model-provider.js +113 -0
- package/src/utils/permissions.js +147 -0
- package/src/utils/plan-mode.js +164 -0
- package/src/utils/provider-detect.js +7 -32
- package/src/utils/sandbox.js +60 -0
- package/src/utils/search-provider.js +62 -0
- package/src/utils/session-search.js +66 -0
- package/src/utils/structured-output.js +20 -0
- package/src/utils/system-prompt.js +28 -2
- package/src/utils/tasks.js +132 -0
- package/src/utils/tool-hooks.js +154 -0
- package/src/utils/tools.js +18 -2
- package/src/utils/ultra-review.js +59 -0
- package/src/utils/worktree.js +192 -0
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: email-service
|
|
3
|
+
description: Build email services with templates, sending, tracking, and bounce handling
|
|
4
|
+
category: Software Development
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Email Service
|
|
8
|
+
|
|
9
|
+
## Overview
|
|
10
|
+
Build email services with templates, sending, tracking, and bounce handling. This skill helps you apply structured, repeatable methods for consistent results.
|
|
11
|
+
|
|
12
|
+
## When to Use
|
|
13
|
+
- When you need to apply email service best practices
|
|
14
|
+
- When establishing processes or standards for your workflow
|
|
15
|
+
- When training team members on email service
|
|
16
|
+
- When automating or optimizing email service tasks
|
|
17
|
+
|
|
18
|
+
## Instructions
|
|
19
|
+
1. **Assess**: Evaluate the current state, requirements, and constraints
|
|
20
|
+
2. **Plan**: Define the approach, steps, and success criteria
|
|
21
|
+
3. **Execute**: Follow the established patterns and best practices
|
|
22
|
+
4. **Verify**: Check results against expected outcomes and quality standards
|
|
23
|
+
5. **Iterate**: Refine based on feedback and lessons learned
|
|
24
|
+
|
|
25
|
+
## Examples
|
|
26
|
+
```
|
|
27
|
+
User: Help me apply email service for my current project
|
|
28
|
+
Assistant: I'll help you apply email service step by step...
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
## Related Skills
|
|
32
|
+
- Use with `workflow` tool for orchestrated execution
|
|
33
|
+
- Combine with `task` tool for delegated processing
|
|
34
|
+
- Reference `system-prompt` for system-level integration
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: embedding-generation
|
|
3
|
+
description: Generate and optimize embeddings for text, images, and multimodal content
|
|
4
|
+
category: AI Agents
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Embedding Generation
|
|
8
|
+
|
|
9
|
+
## Overview
|
|
10
|
+
Generate and optimize embeddings for text, images, and multimodal content. This skill helps you apply structured, repeatable methods for consistent results.
|
|
11
|
+
|
|
12
|
+
## When to Use
|
|
13
|
+
- When you need to apply embedding generation best practices
|
|
14
|
+
- When establishing processes or standards for your workflow
|
|
15
|
+
- When training team members on embedding generation
|
|
16
|
+
- When automating or optimizing embedding generation tasks
|
|
17
|
+
|
|
18
|
+
## Instructions
|
|
19
|
+
1. **Assess**: Evaluate the current state, requirements, and constraints
|
|
20
|
+
2. **Plan**: Define the approach, steps, and success criteria
|
|
21
|
+
3. **Execute**: Follow the established patterns and best practices
|
|
22
|
+
4. **Verify**: Check results against expected outcomes and quality standards
|
|
23
|
+
5. **Iterate**: Refine based on feedback and lessons learned
|
|
24
|
+
|
|
25
|
+
## Examples
|
|
26
|
+
```
|
|
27
|
+
User: Help me apply embedding generation for my current project
|
|
28
|
+
Assistant: I'll help you apply embedding generation step by step...
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
## Related Skills
|
|
32
|
+
- Use with `workflow` tool for orchestrated execution
|
|
33
|
+
- Combine with `task` tool for delegated processing
|
|
34
|
+
- Reference `system-prompt` for system-level integration
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: entity-extraction
|
|
3
|
+
description: Extract entities from text with NER, regex patterns, and LLM-based extraction
|
|
4
|
+
category: AI Agents
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Entity Extraction
|
|
8
|
+
|
|
9
|
+
## Overview
|
|
10
|
+
Extract entities from text with NER, regex patterns, and LLM-based extraction. This skill helps you apply structured, repeatable methods for consistent results.
|
|
11
|
+
|
|
12
|
+
## When to Use
|
|
13
|
+
- When you need to apply entity extraction best practices
|
|
14
|
+
- When establishing processes or standards for your workflow
|
|
15
|
+
- When training team members on entity extraction
|
|
16
|
+
- When automating or optimizing entity extraction tasks
|
|
17
|
+
|
|
18
|
+
## Instructions
|
|
19
|
+
1. **Assess**: Evaluate the current state, requirements, and constraints
|
|
20
|
+
2. **Plan**: Define the approach, steps, and success criteria
|
|
21
|
+
3. **Execute**: Follow the established patterns and best practices
|
|
22
|
+
4. **Verify**: Check results against expected outcomes and quality standards
|
|
23
|
+
5. **Iterate**: Refine based on feedback and lessons learned
|
|
24
|
+
|
|
25
|
+
## Examples
|
|
26
|
+
```
|
|
27
|
+
User: Help me apply entity extraction for my current project
|
|
28
|
+
Assistant: I'll help you apply entity extraction step by step...
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
## Related Skills
|
|
32
|
+
- Use with `workflow` tool for orchestrated execution
|
|
33
|
+
- Combine with `task` tool for delegated processing
|
|
34
|
+
- Reference `system-prompt` for system-level integration
|
|
@@ -0,0 +1,356 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: entra-agent-id
|
|
3
|
+
description: "Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token exchange (fmi_path, OBO, cross-tenant) including the Microsoft Entra SDK for AgentID sidecar. USE FOR: Agent Identity Blueprint, BlueprintPrincipal, agent OAuth, fmi_path token exchange, agent OBO, Workload Identity Federation for agents, polyglot agent auth, Microsoft.Identity.Web.AgentIdentities. DO NOT USE FOR: standard Entra app registration (use entra-app-registration), Azure RBAC (use azure-rbac), Microsoft Foundry agent authoring (use microsoft-foundry)."
|
|
4
|
+
license: MIT
|
|
5
|
+
metadata:
|
|
6
|
+
author: Microsoft
|
|
7
|
+
version: "1.0.1"
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
# Microsoft Entra Agent ID
|
|
11
|
+
|
|
12
|
+
Create and manage OAuth 2.0-capable identities for AI agents using Microsoft Graph. Every agent instance gets a distinct identity, audit trail, and independently-scoped permission grants.
|
|
13
|
+
|
|
14
|
+
## Quick Reference
|
|
15
|
+
|
|
16
|
+
| Property | Value |
|
|
17
|
+
|----------|-------|
|
|
18
|
+
| Service | Microsoft Entra Agent ID |
|
|
19
|
+
| API | Microsoft Graph (`https://graph.microsoft.com/v1.0`) |
|
|
20
|
+
| Required role | Agent Identity Developer, Agent Identity Administrator, or Application Administrator |
|
|
21
|
+
| Object model | Blueprint (application) → BlueprintPrincipal (SP) → Agent Identity (SP) |
|
|
22
|
+
| Runtime exchange | Two-step `fmi_path` exchange (autonomous and OBO) |
|
|
23
|
+
| .NET helper | `Microsoft.Identity.Web.AgentIdentities` |
|
|
24
|
+
| Polyglot helper | Microsoft Entra SDK for AgentID (sidecar container) |
|
|
25
|
+
|
|
26
|
+
## When to Use This Skill
|
|
27
|
+
|
|
28
|
+
- Provisioning a new Agent Identity Blueprint and BlueprintPrincipal
|
|
29
|
+
- Creating per-instance Agent Identities under a Blueprint
|
|
30
|
+
- Configuring credentials (FIC, Managed Identity, or client secret) on the Blueprint
|
|
31
|
+
- Implementing the two-step `fmi_path` runtime token exchange (autonomous or OBO)
|
|
32
|
+
- Cross-tenant agent token flows
|
|
33
|
+
- Deploying the Microsoft Entra SDK for AgentID sidecar for polyglot agents (Python, Node, Go, Java)
|
|
34
|
+
- Granting per-Agent-Identity application (`appRoleAssignments`) or delegated (`oauth2PermissionGrants`) permissions
|
|
35
|
+
- Diagnosing Agent ID errors such as `AADSTS82001`, `AADSTS700211`, or `PropertyNotCompatibleWithAgentIdentity`
|
|
36
|
+
|
|
37
|
+
## MCP Tools
|
|
38
|
+
|
|
39
|
+
| Tool | Use |
|
|
40
|
+
|------|-----|
|
|
41
|
+
| `mcp_azure_mcp_documentation` | Search Microsoft Learn for current Agent ID setup, Graph API shapes, and SDK configuration |
|
|
42
|
+
|
|
43
|
+
There is no dedicated Agent Identity MCP server today. This skill guides direct Microsoft Graph API calls (PowerShell or Python `requests`). Use `mcp_azure_mcp_documentation` to verify request bodies and endpoints against current docs before running.
|
|
44
|
+
|
|
45
|
+
## Before You Start
|
|
46
|
+
|
|
47
|
+
Use the `mcp_azure_mcp_documentation` tool to search Microsoft Learn for current Agent ID documentation:
|
|
48
|
+
- "Microsoft Entra Agent ID setup instructions"
|
|
49
|
+
- "Microsoft Entra SDK for AgentID"
|
|
50
|
+
|
|
51
|
+
Verify request bodies and endpoints against the installed SDK version — Graph API shapes evolve.
|
|
52
|
+
|
|
53
|
+
## Conceptual Model
|
|
54
|
+
|
|
55
|
+
```
|
|
56
|
+
Agent Identity Blueprint (application) ← one per agent type/project
|
|
57
|
+
└── BlueprintPrincipal (service principal) ← MUST be created explicitly
|
|
58
|
+
├── Agent Identity (SP): agent-1 ← one per agent instance
|
|
59
|
+
├── Agent Identity (SP): agent-2
|
|
60
|
+
└── Agent Identity (SP): agent-3
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
| Concept | Description |
|
|
64
|
+
|---------|-------------|
|
|
65
|
+
| **Blueprint** | Application object that defines a type/class of agent. Holds credentials (secret, certificate, federated identity). |
|
|
66
|
+
| **BlueprintPrincipal** | Service principal for the Blueprint in the tenant. Not auto-created. |
|
|
67
|
+
| **Agent Identity** | Service-principal-only identity for a single agent instance. Cannot hold its own credentials. |
|
|
68
|
+
| **Sponsor** | A User (or Group, for Agent Identity) who is responsible for the identity. Required on creation. |
|
|
69
|
+
|
|
70
|
+
## Prerequisites
|
|
71
|
+
|
|
72
|
+
### Required Entra Roles
|
|
73
|
+
|
|
74
|
+
One of: **Agent Identity Developer**, **Agent Identity Administrator**, or **Application Administrator**.
|
|
75
|
+
|
|
76
|
+
### PowerShell (interactive setup)
|
|
77
|
+
|
|
78
|
+
```powershell
|
|
79
|
+
# PowerShell 7+
|
|
80
|
+
Install-Module Microsoft.Graph.Applications -Scope CurrentUser -Force
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
### Python (programmatic provisioning)
|
|
84
|
+
|
|
85
|
+
```bash
|
|
86
|
+
pip install azure-identity requests
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
## Authentication
|
|
90
|
+
|
|
91
|
+
> **`DefaultAzureCredential` is not supported.** Azure CLI tokens carry `Directory.AccessAsUser.All`, which Agent Identity APIs hard-reject (403). Use a dedicated app registration with `client_credentials`, or `Connect-MgGraph` with explicit delegated scopes.
|
|
92
|
+
|
|
93
|
+
### PowerShell (delegated)
|
|
94
|
+
|
|
95
|
+
```powershell
|
|
96
|
+
Connect-MgGraph -Scopes @(
|
|
97
|
+
"AgentIdentityBlueprint.Create",
|
|
98
|
+
"AgentIdentityBlueprint.ReadWrite.All",
|
|
99
|
+
"AgentIdentityBlueprintPrincipal.Create",
|
|
100
|
+
"AgentIdentity.Create.All",
|
|
101
|
+
"User.Read"
|
|
102
|
+
)
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
### Python (application)
|
|
106
|
+
|
|
107
|
+
```python
|
|
108
|
+
import os, requests
|
|
109
|
+
from azure.identity import ClientSecretCredential
|
|
110
|
+
|
|
111
|
+
credential = ClientSecretCredential(
|
|
112
|
+
tenant_id=os.environ["AZURE_TENANT_ID"],
|
|
113
|
+
client_id=os.environ["AZURE_CLIENT_ID"],
|
|
114
|
+
client_secret=os.environ["AZURE_CLIENT_SECRET"],
|
|
115
|
+
)
|
|
116
|
+
token = credential.get_token("https://graph.microsoft.com/.default")
|
|
117
|
+
|
|
118
|
+
GRAPH = "https://graph.microsoft.com/v1.0"
|
|
119
|
+
headers = {
|
|
120
|
+
"Authorization": f"Bearer {token.token}",
|
|
121
|
+
"Content-Type": "application/json",
|
|
122
|
+
"OData-Version": "4.0",
|
|
123
|
+
}
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
## Core Workflow
|
|
127
|
+
|
|
128
|
+
### Step 1: Create Agent Identity Blueprint
|
|
129
|
+
|
|
130
|
+
Use the typed endpoint. Sponsors must be **Users** at Blueprint creation. This snippet assumes the `requests` client and `headers` dict from the Python authentication block above.
|
|
131
|
+
|
|
132
|
+
```python
|
|
133
|
+
import subprocess
|
|
134
|
+
import requests
|
|
135
|
+
|
|
136
|
+
user_id = subprocess.run(
|
|
137
|
+
["az", "ad", "signed-in-user", "show", "--query", "id", "-o", "tsv"],
|
|
138
|
+
capture_output=True, text=True, check=True,
|
|
139
|
+
).stdout.strip()
|
|
140
|
+
|
|
141
|
+
blueprint_body = {
|
|
142
|
+
"displayName": "My Agent Blueprint",
|
|
143
|
+
"sponsors@odata.bind": [
|
|
144
|
+
f"https://graph.microsoft.com/v1.0/users/{user_id}"
|
|
145
|
+
],
|
|
146
|
+
}
|
|
147
|
+
resp = requests.post(
|
|
148
|
+
f"{GRAPH}/applications/microsoft.graph.agentIdentityBlueprint",
|
|
149
|
+
headers=headers, json=blueprint_body,
|
|
150
|
+
)
|
|
151
|
+
resp.raise_for_status()
|
|
152
|
+
|
|
153
|
+
blueprint = resp.json()
|
|
154
|
+
app_id = blueprint["appId"]
|
|
155
|
+
blueprint_obj_id = blueprint["id"]
|
|
156
|
+
```
|
|
157
|
+
|
|
158
|
+
### Step 2: Create BlueprintPrincipal
|
|
159
|
+
|
|
160
|
+
> Mandatory. Creating a Blueprint does NOT auto-create its service principal. Skipping this step produces:
|
|
161
|
+
> `400: The Agent Blueprint Principal for the Agent Blueprint does not exist.`
|
|
162
|
+
|
|
163
|
+
```python
|
|
164
|
+
sp_body = {"appId": app_id}
|
|
165
|
+
resp = requests.post(
|
|
166
|
+
f"{GRAPH}/servicePrincipals/microsoft.graph.agentIdentityBlueprintPrincipal",
|
|
167
|
+
headers=headers, json=sp_body,
|
|
168
|
+
)
|
|
169
|
+
resp.raise_for_status()
|
|
170
|
+
```
|
|
171
|
+
|
|
172
|
+
Make your provisioning scripts idempotent — always check for the BlueprintPrincipal even when the Blueprint already exists.
|
|
173
|
+
|
|
174
|
+
### Step 3: Create Agent Identities
|
|
175
|
+
|
|
176
|
+
Sponsors for an Agent Identity may be **Users or Groups**.
|
|
177
|
+
|
|
178
|
+
```python
|
|
179
|
+
agent_body = {
|
|
180
|
+
"displayName": "my-agent-instance-1",
|
|
181
|
+
"agentIdentityBlueprintId": app_id,
|
|
182
|
+
"sponsors@odata.bind": [
|
|
183
|
+
f"https://graph.microsoft.com/v1.0/users/{user_id}"
|
|
184
|
+
],
|
|
185
|
+
}
|
|
186
|
+
resp = requests.post(
|
|
187
|
+
f"{GRAPH}/servicePrincipals/microsoft.graph.agentIdentity",
|
|
188
|
+
headers=headers, json=agent_body,
|
|
189
|
+
)
|
|
190
|
+
resp.raise_for_status()
|
|
191
|
+
agent = resp.json()
|
|
192
|
+
agent_sp_id = agent["id"]
|
|
193
|
+
```
|
|
194
|
+
|
|
195
|
+
## Runtime Authentication
|
|
196
|
+
|
|
197
|
+
Agents authenticate at runtime using credentials configured on the **Blueprint** (not on the Agent Identity — Agent Identities can't hold credentials).
|
|
198
|
+
|
|
199
|
+
| Option | Use case | Credential on Blueprint |
|
|
200
|
+
|--------|----------|------------------------|
|
|
201
|
+
| **Managed Identity + WIF** | Production (Azure-hosted) | Federated Identity Credential |
|
|
202
|
+
| **Client secret** | Local dev / testing | Password credential |
|
|
203
|
+
| **Microsoft Entra SDK for AgentID** | Polyglot / 3P agents | Sidecar container acquires tokens over HTTP |
|
|
204
|
+
|
|
205
|
+
For the two-step `fmi_path` exchange (parent token → per-Agent-Identity Graph token) that gives each agent instance a distinct `sub` claim and audit trail, see [references/runtime-token-exchange.md](references/runtime-token-exchange.md).
|
|
206
|
+
|
|
207
|
+
For OBO (agent acting on behalf of a user), see [references/obo-blueprint-setup.md](references/obo-blueprint-setup.md).
|
|
208
|
+
|
|
209
|
+
For the containerized polyglot auth sidecar (Python, Node, Go, Java — no SDK embedding), see [references/sdk-sidecar.md](references/sdk-sidecar.md).
|
|
210
|
+
|
|
211
|
+
For MI+WIF and client-secret setup details, see [references/oauth2-token-flow.md](references/oauth2-token-flow.md).
|
|
212
|
+
|
|
213
|
+
### .NET quick path
|
|
214
|
+
|
|
215
|
+
For .NET services, use **`Microsoft.Identity.Web.AgentIdentities`** — it handles Federated Identity Credential management and the two-step exchange for you. See the package README at `github.com/AzureAD/microsoft-identity-web` under `src/Microsoft.Identity.Web.AgentIdentities/`.
|
|
216
|
+
|
|
217
|
+
## Granting Permissions (Per Agent Identity)
|
|
218
|
+
|
|
219
|
+
Agent Identities support both application permissions (autonomous) and delegated permissions (OBO). Grants are scoped **per Agent Identity**, not to the BlueprintPrincipal.
|
|
220
|
+
|
|
221
|
+
### Application permissions (autonomous)
|
|
222
|
+
|
|
223
|
+
```python
|
|
224
|
+
graph_sp = requests.get(
|
|
225
|
+
f"{GRAPH}/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'",
|
|
226
|
+
headers=headers,
|
|
227
|
+
).json()["value"][0]
|
|
228
|
+
|
|
229
|
+
user_read_all = next(r for r in graph_sp["appRoles"] if r["value"] == "User.Read.All")
|
|
230
|
+
|
|
231
|
+
requests.post(
|
|
232
|
+
f"{GRAPH}/servicePrincipals/{agent_sp_id}/appRoleAssignments",
|
|
233
|
+
headers=headers,
|
|
234
|
+
json={
|
|
235
|
+
"principalId": agent_sp_id,
|
|
236
|
+
"resourceId": graph_sp["id"],
|
|
237
|
+
"appRoleId": user_read_all["id"],
|
|
238
|
+
},
|
|
239
|
+
).raise_for_status()
|
|
240
|
+
```
|
|
241
|
+
|
|
242
|
+
### Delegated permissions (OBO)
|
|
243
|
+
|
|
244
|
+
```python
|
|
245
|
+
from datetime import datetime, timedelta, timezone
|
|
246
|
+
|
|
247
|
+
expiry = (datetime.now(timezone.utc) + timedelta(days=3650)).strftime("%Y-%m-%dT%H:%M:%SZ")
|
|
248
|
+
|
|
249
|
+
requests.post(
|
|
250
|
+
f"{GRAPH}/oauth2PermissionGrants",
|
|
251
|
+
headers=headers,
|
|
252
|
+
json={
|
|
253
|
+
"clientId": agent_sp_id,
|
|
254
|
+
"consentType": "AllPrincipals",
|
|
255
|
+
"resourceId": graph_sp["id"],
|
|
256
|
+
"scope": "User.Read Tasks.ReadWrite Mail.Send",
|
|
257
|
+
"expiryTime": expiry,
|
|
258
|
+
},
|
|
259
|
+
).raise_for_status()
|
|
260
|
+
```
|
|
261
|
+
|
|
262
|
+
Browser-based admin consent URLs do not work for Agent Identities — use `oauth2PermissionGrants` for programmatic delegated consent.
|
|
263
|
+
|
|
264
|
+
## Cross-Tenant Agent Identities
|
|
265
|
+
|
|
266
|
+
Blueprints can be multi-tenant (`signInAudience: AzureADMultipleOrgs`). When exchanging tokens cross-tenant:
|
|
267
|
+
|
|
268
|
+
> **Step 1 of the parent token exchange MUST target the Agent Identity's home tenant**, not the Blueprint's. Wrong tenant → `AADSTS700211: No matching federated identity record found`.
|
|
269
|
+
|
|
270
|
+
See [references/runtime-token-exchange.md](references/runtime-token-exchange.md) for full cross-tenant examples.
|
|
271
|
+
|
|
272
|
+
## API Reference
|
|
273
|
+
|
|
274
|
+
| Operation | Method | Endpoint |
|
|
275
|
+
|-----------|--------|----------|
|
|
276
|
+
| Create Blueprint | `POST` | `/applications/microsoft.graph.agentIdentityBlueprint` |
|
|
277
|
+
| Create BlueprintPrincipal | `POST` | `/servicePrincipals/microsoft.graph.agentIdentityBlueprintPrincipal` |
|
|
278
|
+
| Create Agent Identity | `POST` | `/servicePrincipals/microsoft.graph.agentIdentity` |
|
|
279
|
+
| Add FIC to Blueprint | `POST` | `/applications/{id}/microsoft.graph.agentIdentityBlueprint/federatedIdentityCredentials` |
|
|
280
|
+
| List Agent Identities | `GET` | `/servicePrincipals/microsoft.graph.agentIdentity` |
|
|
281
|
+
| Grant app permission | `POST` | `/servicePrincipals/{id}/appRoleAssignments` |
|
|
282
|
+
| Grant delegated permission | `POST` | `/oauth2PermissionGrants` |
|
|
283
|
+
| Delete Agent Identity | `DELETE` | `/servicePrincipals/{id}` |
|
|
284
|
+
| Delete Blueprint | `DELETE` | `/applications/{id}` |
|
|
285
|
+
|
|
286
|
+
Base URL: `https://graph.microsoft.com/v1.0`.
|
|
287
|
+
|
|
288
|
+
## Required Graph Permissions
|
|
289
|
+
|
|
290
|
+
| Permission | Purpose |
|
|
291
|
+
|-----------|---------|
|
|
292
|
+
| `AgentIdentityBlueprint.Create` | Create Blueprints |
|
|
293
|
+
| `AgentIdentityBlueprint.ReadWrite.All` | Read/update Blueprints |
|
|
294
|
+
| `AgentIdentityBlueprintPrincipal.Create` | Create BlueprintPrincipals |
|
|
295
|
+
| `AgentIdentity.Create.All` | Create Agent Identities |
|
|
296
|
+
| `AgentIdentity.ReadWrite.All` | Read/update Agent Identities |
|
|
297
|
+
| `Application.ReadWrite.All` | Blueprint CRUD on application objects |
|
|
298
|
+
| `AppRoleAssignment.ReadWrite.All` | Grant application permissions |
|
|
299
|
+
| `DelegatedPermissionGrant.ReadWrite.All` | Grant delegated permissions |
|
|
300
|
+
|
|
301
|
+
Grant admin consent (required for application permissions):
|
|
302
|
+
|
|
303
|
+
```bash
|
|
304
|
+
az ad app permission admin-consent --id <client-id>
|
|
305
|
+
```
|
|
306
|
+
|
|
307
|
+
After admin consent, tokens may not include new claims for 30–120 seconds — retry with exponential backoff.
|
|
308
|
+
|
|
309
|
+
## Best Practices
|
|
310
|
+
|
|
311
|
+
1. **Always create BlueprintPrincipal after Blueprint** — not auto-created.
|
|
312
|
+
2. **Use typed endpoints** (`/applications/microsoft.graph.agentIdentityBlueprint`) instead of raw `/applications` with `@odata.type`.
|
|
313
|
+
3. **Credentials live on the Blueprint** — Agent Identities can't hold secrets/certs (`PropertyNotCompatibleWithAgentIdentity`).
|
|
314
|
+
4. **Include `OData-Version: 4.0`** on every Graph request.
|
|
315
|
+
5. **Use Workload Identity Federation for production** — client secrets only for local dev.
|
|
316
|
+
6. **Set `identifierUris: ["api://{appId}"]` on the Blueprint** before OAuth2 scope resolution.
|
|
317
|
+
7. **Never use Azure CLI tokens** for Agent Identity APIs — `Directory.AccessAsUser.All` causes hard 403.
|
|
318
|
+
8. **Use `fmi_path`** with `client_credentials` — NOT RFC 8693 `urn:ietf:params:oauth:grant-type:token-exchange` (returns `AADSTS82001`).
|
|
319
|
+
9. **Always use `/.default` scope** in both steps of the exchange — individual scopes fail.
|
|
320
|
+
10. **Step 1 targets the Agent Identity's home tenant** in cross-tenant flows.
|
|
321
|
+
11. **Grant permissions per Agent Identity**, not to the BlueprintPrincipal.
|
|
322
|
+
12. **Handle permission-propagation delays** — retry 403s with 30–120s backoff after admin consent.
|
|
323
|
+
13. **Keep the Entra SDK for AgentID on localhost** — never expose via LoadBalancer or Ingress.
|
|
324
|
+
|
|
325
|
+
## Troubleshooting
|
|
326
|
+
|
|
327
|
+
| Error | Cause | Fix |
|
|
328
|
+
|-------|-------|-----|
|
|
329
|
+
| `AADSTS82001` | Used RFC 8693 token-exchange grant | Use `client_credentials` with `fmi_path` |
|
|
330
|
+
| `AADSTS700211` | Step 1 parent token targeted wrong tenant | Target Agent Identity's home tenant |
|
|
331
|
+
| `AADSTS50013` | OBO user token targets Graph, not Blueprint | Use `api://{blueprint_app_id}/access_as_user` |
|
|
332
|
+
| `AADSTS65001` | Missing grant or used individual scopes | Use `/.default` and verify `oauth2PermissionGrants` |
|
|
333
|
+
| `403 Authorization_RequestDenied` | No grant on this Agent Identity | Add via `appRoleAssignments` or `oauth2PermissionGrants` |
|
|
334
|
+
| `PropertyNotCompatibleWithAgentIdentity` | Tried to add credential to Agent Identity SP | Put credentials on the Blueprint |
|
|
335
|
+
| `Agent Blueprint Principal does not exist` | BlueprintPrincipal not created | Step 2 of the Core Workflow |
|
|
336
|
+
| `AADSTS650051` on admin consent | SP already exists from partial consent | Grant directly via `appRoleAssignments` |
|
|
337
|
+
|
|
338
|
+
## References
|
|
339
|
+
|
|
340
|
+
| File | Contents |
|
|
341
|
+
|------|----------|
|
|
342
|
+
| [references/runtime-token-exchange.md](references/runtime-token-exchange.md) | Two-step `fmi_path` exchange: autonomous + OBO, cross-tenant |
|
|
343
|
+
| [references/oauth2-token-flow.md](references/oauth2-token-flow.md) | MI + WIF (production) and client secret (local dev) |
|
|
344
|
+
| [references/obo-blueprint-setup.md](references/obo-blueprint-setup.md) | Configuring the Blueprint as an OAuth2 API for OBO |
|
|
345
|
+
| [references/sdk-sidecar.md](references/sdk-sidecar.md) | Microsoft Entra SDK for AgentID — architecture, configuration, endpoints |
|
|
346
|
+
| [references/sdk-sidecar-deployment.md](references/sdk-sidecar-deployment.md) | SDK code patterns (Python/TypeScript), Docker/Kubernetes manifests, security, troubleshooting |
|
|
347
|
+
| [references/known-limitations.md](references/known-limitations.md) | Documented gaps organized by category |
|
|
348
|
+
|
|
349
|
+
### External Links
|
|
350
|
+
|
|
351
|
+
| Resource | URL |
|
|
352
|
+
|----------|-----|
|
|
353
|
+
| Agent ID Setup Guide | https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/agent-id-setup-instructions |
|
|
354
|
+
| AI-Guided Setup | https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/agent-id-ai-guided-setup |
|
|
355
|
+
| Microsoft Entra SDK for AgentID | https://learn.microsoft.com/en-us/entra/msidweb/agent-id-sdk/overview |
|
|
356
|
+
| Microsoft.Identity.Web.AgentIdentities (.NET) | https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.AgentIdentities/README.AgentIdentities.md |
|
|
@@ -0,0 +1,191 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: entra-app-registration
|
|
3
|
+
description: "Guides Microsoft Entra ID app registration, OAuth 2.0 authentication, and MSAL integration. USE FOR: create app registration, register Azure AD app, configure OAuth, set up authentication, add API permissions, generate service principal, MSAL example, console app auth, Entra ID setup, Azure AD authentication. DO NOT USE FOR: Azure RBAC or role assignments (use azure-rbac), Key Vault secrets (use azure-keyvault-expiration-audit), general Azure resource security guidance."
|
|
4
|
+
license: MIT
|
|
5
|
+
metadata:
|
|
6
|
+
author: Microsoft
|
|
7
|
+
version: "1.1.1"
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## Overview
|
|
11
|
+
|
|
12
|
+
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. App registrations allow applications to authenticate users and access Azure resources securely.
|
|
13
|
+
|
|
14
|
+
### Key Concepts
|
|
15
|
+
|
|
16
|
+
| Concept | Description |
|
|
17
|
+
|---------|-------------|
|
|
18
|
+
| **App Registration** | Configuration that allows an app to use Microsoft identity platform |
|
|
19
|
+
| **Application (Client) ID** | Unique identifier for your application |
|
|
20
|
+
| **Tenant ID** | Unique identifier for your Azure AD tenant/directory |
|
|
21
|
+
| **Client Secret** | Password for the application (confidential clients only) |
|
|
22
|
+
| **Redirect URI** | URL where authentication responses are sent |
|
|
23
|
+
| **API Permissions** | Access scopes your app requests |
|
|
24
|
+
| **Service Principal** | Identity created in your tenant when you register an app |
|
|
25
|
+
|
|
26
|
+
### Application Types
|
|
27
|
+
|
|
28
|
+
| Type | Use Case |
|
|
29
|
+
|------|----------|
|
|
30
|
+
| **Web Application** | Server-side apps, APIs |
|
|
31
|
+
| **Single Page App (SPA)** | JavaScript/React/Angular apps |
|
|
32
|
+
| **Mobile/Native App** | Desktop, mobile apps |
|
|
33
|
+
| **Daemon/Service** | Background services, APIs |
|
|
34
|
+
|
|
35
|
+
## Core Workflow
|
|
36
|
+
|
|
37
|
+
### Step 1: Register the Application
|
|
38
|
+
|
|
39
|
+
Create an app registration in the Azure portal or using Azure CLI.
|
|
40
|
+
|
|
41
|
+
**Portal Method:**
|
|
42
|
+
1. Navigate to Azure Portal → Microsoft Entra ID → App registrations
|
|
43
|
+
2. Click "New registration"
|
|
44
|
+
3. Provide name, supported account types, and redirect URI
|
|
45
|
+
4. Click "Register"
|
|
46
|
+
|
|
47
|
+
**CLI Method:** See [references/cli-commands.md](references/cli-commands.md)
|
|
48
|
+
**IaC Method:** See [references/BICEP-EXAMPLE.bicep](references/BICEP-EXAMPLE.bicep)
|
|
49
|
+
|
|
50
|
+
It's highly recommended to use the IaC to manage Entra app registration if you already use IaC in your project, need a scalable solution for managing lots of app registrations or need fine-grained audit history of the configuration changes.
|
|
51
|
+
|
|
52
|
+
### Step 2: Configure Authentication
|
|
53
|
+
|
|
54
|
+
Set up authentication settings based on your application type.
|
|
55
|
+
|
|
56
|
+
- **Web Apps**: Add redirect URIs, enable ID tokens if needed
|
|
57
|
+
- **SPAs**: Add redirect URIs, enable implicit grant flow if necessary
|
|
58
|
+
- **Mobile/Desktop**: Use `http://localhost` or custom URI scheme
|
|
59
|
+
- **Services**: No redirect URI needed for client credentials flow
|
|
60
|
+
|
|
61
|
+
### Step 3: Configure API Permissions
|
|
62
|
+
|
|
63
|
+
Grant your application permission to access Microsoft APIs or your own APIs.
|
|
64
|
+
|
|
65
|
+
**Common Microsoft Graph Permissions:**
|
|
66
|
+
- `User.Read` - Read user profile
|
|
67
|
+
- `User.ReadWrite.All` - Read and write all users
|
|
68
|
+
- `Directory.Read.All` - Read directory data
|
|
69
|
+
- `Mail.Send` - Send mail as a user
|
|
70
|
+
|
|
71
|
+
**Details:** See [references/api-permissions.md](references/api-permissions.md)
|
|
72
|
+
|
|
73
|
+
### Step 4: Create Client Credentials (if needed)
|
|
74
|
+
|
|
75
|
+
For confidential client applications (web apps, services), create a client secret, certificate or federated identity credential.
|
|
76
|
+
|
|
77
|
+
**Client Secret:**
|
|
78
|
+
- Navigate to "Certificates & secrets"
|
|
79
|
+
- Create new client secret
|
|
80
|
+
- Copy the value immediately (only shown once)
|
|
81
|
+
- Store securely (Key Vault recommended)
|
|
82
|
+
|
|
83
|
+
**Certificate:** For production environments, use certificates instead of secrets for enhanced security. Upload certificate via "Certificates & secrets" section.
|
|
84
|
+
|
|
85
|
+
**Federated Identity Credential:** For dynamically authenticating the confidential client to Entra platform.
|
|
86
|
+
|
|
87
|
+
### Step 5: Implement OAuth Flow
|
|
88
|
+
|
|
89
|
+
Integrate the OAuth flow into your application code.
|
|
90
|
+
|
|
91
|
+
**See:**
|
|
92
|
+
- [references/oauth-flows.md](references/oauth-flows.md) - OAuth 2.0 flow details
|
|
93
|
+
- [references/console-app-example.md](references/console-app-example.md) - Console app implementation
|
|
94
|
+
|
|
95
|
+
## Common Patterns
|
|
96
|
+
|
|
97
|
+
### Pattern 1: First-Time App Registration
|
|
98
|
+
|
|
99
|
+
Walk user through their first app registration step-by-step.
|
|
100
|
+
|
|
101
|
+
**Required Information:**
|
|
102
|
+
- Application name
|
|
103
|
+
- Application type (web, SPA, mobile, service)
|
|
104
|
+
- Redirect URIs (if applicable)
|
|
105
|
+
- Required permissions
|
|
106
|
+
|
|
107
|
+
**Script:** See [references/first-app-registration.md](references/first-app-registration.md)
|
|
108
|
+
|
|
109
|
+
### Pattern 2: Console Application with User Authentication
|
|
110
|
+
|
|
111
|
+
Create a .NET/Python/Node.js console app that authenticates users.
|
|
112
|
+
|
|
113
|
+
**Required Information:**
|
|
114
|
+
- Programming language (C#, Python, JavaScript, etc.)
|
|
115
|
+
- Authentication library (MSAL recommended)
|
|
116
|
+
- Required permissions
|
|
117
|
+
|
|
118
|
+
**Example:** See [references/console-app-example.md](references/console-app-example.md)
|
|
119
|
+
|
|
120
|
+
### Pattern 3: Service-to-Service Authentication
|
|
121
|
+
|
|
122
|
+
Set up daemon/service authentication without user interaction.
|
|
123
|
+
|
|
124
|
+
**Required Information:**
|
|
125
|
+
- Service/app name
|
|
126
|
+
- Target API/resource
|
|
127
|
+
- Whether to use secret or certificate
|
|
128
|
+
|
|
129
|
+
**Implementation:** Use Client Credentials flow (see [references/oauth-flows.md#client-credentials-flow](references/oauth-flows.md#client-credentials-flow))
|
|
130
|
+
|
|
131
|
+
## MCP Tools and CLI
|
|
132
|
+
|
|
133
|
+
### Azure CLI Commands
|
|
134
|
+
|
|
135
|
+
| Command | Purpose |
|
|
136
|
+
|---------|---------|
|
|
137
|
+
| `az ad app create` | Create new app registration |
|
|
138
|
+
| `az ad app list` | List app registrations |
|
|
139
|
+
| `az ad app show` | Show app details |
|
|
140
|
+
| `az ad app permission add` | Add API permission |
|
|
141
|
+
| `az ad app credential reset` | Generate new client secret |
|
|
142
|
+
| `az ad sp create` | Create service principal |
|
|
143
|
+
|
|
144
|
+
**Complete reference:** See [references/cli-commands.md](references/cli-commands.md)
|
|
145
|
+
|
|
146
|
+
### Microsoft Authentication Library (MSAL)
|
|
147
|
+
|
|
148
|
+
MSAL is the recommended library for integrating Microsoft identity platform.
|
|
149
|
+
|
|
150
|
+
**Supported Languages:**
|
|
151
|
+
- .NET/C# - `Microsoft.Identity.Client`
|
|
152
|
+
- JavaScript/TypeScript - `@azure/msal-browser`, `@azure/msal-node`
|
|
153
|
+
- Python - `msal`
|
|
154
|
+
|
|
155
|
+
**Examples:** See [references/console-app-example.md](references/console-app-example.md)
|
|
156
|
+
|
|
157
|
+
## Security Best Practices
|
|
158
|
+
|
|
159
|
+
| Practice | Recommendation |
|
|
160
|
+
|----------|---------------|
|
|
161
|
+
| **Never hardcode secrets** | Use environment variables, Azure Key Vault, or managed identity |
|
|
162
|
+
| **Rotate secrets regularly** | Set expiration, automate rotation |
|
|
163
|
+
| **Use certificates over secrets** | More secure for production |
|
|
164
|
+
| **Least privilege permissions** | Request only required API permissions |
|
|
165
|
+
| **Enable MFA** | Require multi-factor authentication for users |
|
|
166
|
+
| **Use managed identity** | For Azure-hosted apps, avoid secrets entirely |
|
|
167
|
+
| **Validate tokens** | Always validate issuer, audience, expiration |
|
|
168
|
+
| **Use HTTPS only** | All redirect URIs must use HTTPS (except localhost) |
|
|
169
|
+
| **Monitor sign-ins** | Use Entra ID sign-in logs for anomaly detection |
|
|
170
|
+
|
|
171
|
+
## SDK Quick References
|
|
172
|
+
|
|
173
|
+
- **Azure Identity**: [Python](references/sdk/azure-identity-py.md) | [.NET](references/sdk/azure-identity-dotnet.md) | [TypeScript](references/sdk/azure-identity-ts.md) | [Java](references/sdk/azure-identity-java.md) | [Rust](references/sdk/azure-identity-rust.md)
|
|
174
|
+
- **Key Vault (secrets)**: [Python](references/sdk/azure-keyvault-py.md) | [TypeScript](references/sdk/azure-keyvault-secrets-ts.md)
|
|
175
|
+
- **Auth Events**: [.NET](references/sdk/microsoft-azure-webjobs-extensions-authentication-events-dotnet.md)
|
|
176
|
+
|
|
177
|
+
## References
|
|
178
|
+
|
|
179
|
+
- [OAuth Flows](references/oauth-flows.md) - Detailed OAuth 2.0 flow explanations
|
|
180
|
+
- [CLI Commands](references/cli-commands.md) - Azure CLI reference for app registrations
|
|
181
|
+
- [Console App Example](references/console-app-example.md) - Complete working examples
|
|
182
|
+
- [First App Registration](references/first-app-registration.md) - Step-by-step guide for beginners
|
|
183
|
+
- [API Permissions](references/api-permissions.md) - Understanding and configuring permissions
|
|
184
|
+
- [Troubleshooting](references/troubleshooting.md) - Common issues and solutions
|
|
185
|
+
|
|
186
|
+
## External Resources
|
|
187
|
+
|
|
188
|
+
- [Microsoft Identity Platform Documentation](https://learn.microsoft.com/entra/identity-platform/)
|
|
189
|
+
- [OAuth 2.0 and OpenID Connect protocols](https://learn.microsoft.com/entra/identity-platform/v2-protocols)
|
|
190
|
+
- [MSAL Documentation](https://learn.microsoft.com/entra/msal/)
|
|
191
|
+
- [Microsoft Graph API](https://learn.microsoft.com/graph/)
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: environment-config
|
|
3
|
+
description: Manage environment configurations with validation, defaults, and secret injection
|
|
4
|
+
category: Software Development
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Environment Config
|
|
8
|
+
|
|
9
|
+
## Overview
|
|
10
|
+
Manage environment configurations with validation, defaults, and secret injection. This skill helps you apply structured, repeatable methods for consistent results.
|
|
11
|
+
|
|
12
|
+
## When to Use
|
|
13
|
+
- When you need to apply environment config best practices
|
|
14
|
+
- When establishing processes or standards for your workflow
|
|
15
|
+
- When training team members on environment config
|
|
16
|
+
- When automating or optimizing environment config tasks
|
|
17
|
+
|
|
18
|
+
## Instructions
|
|
19
|
+
1. **Assess**: Evaluate the current state, requirements, and constraints
|
|
20
|
+
2. **Plan**: Define the approach, steps, and success criteria
|
|
21
|
+
3. **Execute**: Follow the established patterns and best practices
|
|
22
|
+
4. **Verify**: Check results against expected outcomes and quality standards
|
|
23
|
+
5. **Iterate**: Refine based on feedback and lessons learned
|
|
24
|
+
|
|
25
|
+
## Examples
|
|
26
|
+
```
|
|
27
|
+
User: Help me apply environment config for my current project
|
|
28
|
+
Assistant: I'll help you apply environment config step by step...
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
## Related Skills
|
|
32
|
+
- Use with `workflow` tool for orchestrated execution
|
|
33
|
+
- Combine with `task` tool for delegated processing
|
|
34
|
+
- Reference `system-prompt` for system-level integration
|