Skill

digitalocean-app-platform

DigitalOcean App Platform (DOAP) PaaS disipline — App Spec YAML (Git-tracked, no UI drift), build (buildpack vs Dockerfile multi-stage), instance sizing (shared vs dedicated, autoscale), networking (HTTPS redirect, custom domain + Let's Encrypt + CAA, WebSocket 60s idle), managed DB binding (trusted source, connection pool), env/secret (SECRET type, BUILD vs RUN scope), observability (DO Monitoring + alert + log forward), deploy strategy (rolling default, blue/green via dual-app DNS swap), cost (instance + bandwidth + build minutes), limits (12 svc/app, no exec, no persistent disk).

npx claudepluginhub resultakak/argos --plugin argos

Tool Access

This skill uses the workspace's default tool permissions.

Preview

`agents/shared/severity-rubric.md` ve `agents/shared/escalation-matrix.md`

SKILL.md

Similar Skills

using-superpowers

185.1k

Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.

3 files

superpowers

Stats

Stars0

Forks0

Last CommitMay 11, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

DigitalOcean App Platform (DOAP)

Ortak Doktrin

agents/shared/severity-rubric.md ve agents/shared/escalation-matrix.md default-load sayılır (agents/coordination.md §11). Bu skill'in çıktısı Critical / High / Medium / Low + kanıt formatında olmak zorunda — spekülatif Critical yasak. Sahiplik dışı bulgu ilgili agent'a delege; karar yetkisi eşiği aşılırsa kullanıcı onayı zorunlu.

Felsefe

App Spec Git-tracked — UI değişiklik drift yaratır.
Multi-stage Dockerfile — buildpack hızlı ama esnek değil.
Min instance ≥ 2 prod — rolling deploy + HA.
SECRET type — plain env YASAK.
DB trusted source — public expose YASAK.
No persistent disk — state Spaces/managed DB'ye.
Blue/green = dual app + DNS swap — built-in canary yok.

Ne Zaman Kullanılır

Yeni service DOAP onboarding (greenfield)
Mevcut DOAP app audit (sizing, security, cost)
Monorepo birden çok service tek DOAP'te mi yoksa multi-app mı kararı
Heroku/Vercel/Netlify → DOAP migration
Managed DB binding doğru mu (trusted source, connection pool)
Custom domain + cert lifecycle
WebSocket service DOAP'te idle timeout 60s sorunu
Rolling deploy → blue/green strategy çıkış
Long-running worker job (5dk üstü → Functions/queue)
Build performance (cache, Docker multi-stage)
Cost optimization (instance size, bandwidth, build minutes)

Workflow

1) Discovery

doctl apps list
doctl apps spec get <app-id> > current-spec.yaml
doctl apps get <app-id> --format Spec.Name,DefaultIngress,LiveDomain,Region,Tier
doctl apps logs <app-id> --type BUILD --tail 200
doctl apps logs <app-id> --type RUN --follow

2) App Spec audit

Git-tracked mi? UI'dan değişiklik var mı? (spec get ile diff repo'ya karşı)
region doğru mu (kullanıcı tabanına yakın)?
services/workers/static_sites/jobs/functions/databases explicit ayrılmış mı?
auto_deploy prod main'de açık mı? CI gate var mı?

3) Build

Buildpack vs Dockerfile seçim doğru mu?
Dockerfile multi-stage (cache + boyut)?
environment_slug lock mı (auto-detect değil)?
source_dir monorepo için doğru mu?
Build cache çalışıyor mu (build log inspect)?

4) Sizing

Instance size: prod professional-xs+ mi? Shared (basic-xxs) staging only.
instance_count min ≥ 2 prod mu? Single = deploy downtime.
Autoscale: CPU threshold mantıklı mı (%80 default)?
Worker queue-length aware mı (app-level metric + manual scale)?

5) Networking

HTTPS redirect built-in aç mı?
Custom domain + CAA record var mı?
Routes precedence doğru mu (/api önce / sonra)?
WebSocket idle 60s; long-lived için Sec-WebSocket-Pong heartbeat ≤ 30s.
Internal service *.ondigitalocean.app private hostname kullanılıyor mu?

6) Database / Cache

Managed binding ENV inject doğru mu (${db.DATABASE_URL})?
Trusted source sadece app mi? Public KAPALI mı?
Connection pool: app-side pool size managed DB connection limit'e uymuş mu?
Backup PITR aktif mi?

7) Env / Secrets

SECRET type sensitive env'ler için mi?
scope doğru mu (BUILD_TIME vs RUN_TIME)?
Rotation 90g policy var mı?
.env repo'da YASAK — App Spec veya doctl apps update.

8) Observability

DO Monitoring: CPU/Memory/HTTP metric dashboard?
App logs: Loki/Papertrail forward var mı? Retention ≥ 30g?
Alert policy App Spec'te:

alerts:
  - rule: CPU_UTILIZATION
    value: 80
    operator: GREATER_THAN
    window: FIVE_MINUTES
    disabled: false
  - rule: DEPLOYMENT_FAILED
    disabled: false
  - rule: DOMAIN_FAILED
    disabled: false

APM/tracing (Sentry/Datadog) ENV doğru mu?

9) Deploy

Health check: HTTP path zorunlu, threshold gerçekçi (initialDelay 30s)?
Rolling deploy instance_count ≥ 2 olmalı.
Blue/green kritik service için: app-blue + app-green + DNS swap (Cloudflare/DO Domains).
Rollback: doctl apps create-deployment --force-rebuild veya önceki deployment ID; restore drill'lı mı?

10) Cost

doctl apps tier list
doctl apps tier get <tier-id>
doctl apps list-deployments <app-id> --format ID,Phase,Cause,CreatedAt

Instance × hourly rate (pro-xs $12/ay).
Bandwidth 100GB free → CDN ile düşür.
Build dakikası 400/ay free → cache + multi-stage Dockerfile.
Worker ayrı pricing → idempotent + short-running.

11) Findings + Action items

Critical / High / Medium / Low + kanıt + sahip + tarih + projected impact.

Antipatterns

UI'dan App Spec değiştir (drift).
auto_deploy: true prod + CI gate yok.
SECRET plain env.
DB public source (0.0.0.0/0).
Single instance prod (deploy = downtime).
HTTP allowed (HTTPS redirect kapalı).
Buildpack monorepo + 4 service tek app — multi-app daha temiz.
latest Docker tag prod.
Persistent state container — ephemeral FS.
Worker 5dk+ job → Functions/queue.
Custom domain CAA yok.
Health check yok.
App Spec versioning yok repo'da.
Connection pool yok managed DB → pool exhaustion.

Delege

iac-engineer — App Spec Terraform module veya doctl CI.
backend-reviewer — connection pool, health check, idempotency.
frontend-reviewer — static_site build, asset optimization.
security-reviewer — SECRET, trusted source, HTTPS.
observability-engineer — alert policy, log forward.
finops-review skill — instance + bandwidth + build cost.
deployment-strategist — blue/green dual-app + DNS swap.

Çıktı şablonu

# DOAP Review: api-svc

## Current state
- Region: fra1, Tier: Professional
- 1 service (api), 1 worker (job-runner), 1 static_site (admin), managed pg
- Instance: pro-xs × 1 (api), basic-xxs × 1 (worker)
- Auto-deploy: on (main), no CI gate

## Findings
- **Critical**: API single instance prod → deploy = 30s downtime
- **Critical**: DB public source (`0.0.0.0/0`)
- **Critical**: `DATABASE_URL` plain env (SECRET type değil)
- **High**: Auto-deploy main + CI gate yok → red main = prod incident
- **High**: Health check threshold yok (default failure cycle long)
- **Medium**: WS service heartbeat yok → 60s idle disconnect
- **Medium**: Sentry ENV yok (APM görünür değil)
- **Low**: Build cache miss (Dockerfile cache layer yanlış)

## Action items
| P0 | API instance_count 2 + autoscale 2-4 | @platform | 2026-05-18 |
| P0 | DB trusted source app-only | @security | 2026-05-18 |
| P0 | DATABASE_URL SECRET type | @security | 2026-05-18 |
| P1 | CI gate (test+lint) main auto-deploy önce | @platform | 2026-05-23 |
| P1 | Health check initialDelay 30s + period 10s | @platform | 2026-05-23 |
| P2 | WS heartbeat ≤ 30s | @backend | 2026-06-06 |
| P2 | Sentry SDK + DSN SECRET ENV | @backend | 2026-06-06 |
| P3 | Dockerfile multi-stage rewrite cache | @platform | 2026-06-13 |