Skill

digitalocean-spaces

DigitalOcean Spaces (DOS) S3-compatible object storage disipline — bucket design (env prefix, purpose-based, lowercase DNS-safe), access control (default private, bucket policy, CORS explicit), pre-signed URL (15dk expire, Content-Length + Content-Type conditions), lifecycle (Expiration + Abort incomplete MPU), versioning yok / WORM app-level, CDN edge cache (built-in Cloudflare, custom domain + Let's Encrypt, Cache-Control immutable), performance (multipart > 100MB, parallel 4-8, intra-region ücretsiz), cost (250GB+1TB free, lifecycle ghost cost önle), DR (rclone cross-region replication), encryption (TLS 1.2+, SSE managed; SSE-C yok).

npx claudepluginhub resultakak/argos --plugin argos

Tool Access

This skill uses the workspace's default tool permissions.

Preview

`agents/shared/severity-rubric.md` ve `agents/shared/escalation-matrix.md`

SKILL.md

Similar Skills

using-superpowers

185.1k

Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.

3 files

superpowers

Stats

Stars0

Forks0

Last CommitMay 11, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

DigitalOcean Spaces (DOS)

Ortak Doktrin

agents/shared/severity-rubric.md ve agents/shared/escalation-matrix.md default-load sayılır (agents/coordination.md §11). Bu skill'in çıktısı Critical / High / Medium / Low + kanıt formatında olmak zorunda — spekülatif Critical yasak. Sahiplik dışı bulgu ilgili agent'a delege; karar yetkisi eşiği aşılırsa kullanıcı onayı zorunlu.

Felsefe

Default private — public sadece CDN behind static asset.
Pre-signed URL kısa expire (15dk) + condition.
Lifecycle MPU abort — ghost cost önle.
Bucket purpose-based — karıştırma YASAK.
Versioning yok — immutable key naming + delete deny policy.
CDN behind asset Cache-Control immutable.
Cross-region replication built-in YOK — rclone cron.

Ne Zaman Kullanılır

Yeni bucket onboarding (uploads, backups, static asset, log archive)
Mevcut Spaces audit (public expose, lifecycle, cost)
S3-compat migration (AWS S3 → Spaces veya tersi)
Pre-signed URL upload pattern review
CORS misconfig fix
CDN edge cache bootstrap
Velero + Spaces backup target
Static site asset hosting + custom domain
Cost optimization (lifecycle, ghost MPU, CDN cache hit)
Compliance review (encryption, audit)

Workflow

1) Discovery

# AWS CLI Spaces endpoint
aws --endpoint-url https://fra1.digitaloceanspaces.com s3 ls
aws --endpoint-url https://fra1.digitaloceanspaces.com s3api list-buckets
aws --endpoint-url https://fra1.digitaloceanspaces.com s3api get-bucket-policy --bucket acme-prod-uploads
aws --endpoint-url https://fra1.digitaloceanspaces.com s3api get-bucket-cors --bucket acme-prod-uploads
aws --endpoint-url https://fra1.digitaloceanspaces.com s3api get-bucket-lifecycle-configuration --bucket acme-prod-uploads
doctl spaces list-keys

2) Bucket inventory

Naming: <account>-<env>-<purpose> (lowercase, hyphen).
Purpose ayrımı: uploads / backups / static / logs / temp ayrı bucket mı?
Region: app region'a yakın mı (intra-region transfer ücretsiz)?

3) Access control audit

Default ACL: private mi? public-read kullanıcı verisi YASAK.
Bucket policy JSON inspect — wildcard Principal: * sadece CDN backed read için.
CORS explicit origin mi? AllowedOrigins: ["*"] prod YASAK.
Access key app başına ayrı mı? Path prefix soyutlama var mı?

4) Pre-signed URL pattern

Upload: client direct PUT (server PUT etmez)?
Expire ≤ 15dk upload, ≤ 5dk download mı?
Condition: Content-Length-Range, Content-Type zorunlu mu?
Server-side check: HEAD object content-type + size doğrula upload sonrası.

5) Lifecycle policy

aws --endpoint-url https://fra1.digitaloceanspaces.com s3api put-bucket-lifecycle-configuration \
  --bucket acme-prod-uploads \
  --lifecycle-configuration file://lifecycle.json

Expiration: temp/log/cache data otomatik temizleniyor mu (Days: 7-30)?
AbortIncompleteMultipartUpload: 7g zorunlu (ghost cost önle).

6) Encryption + TLS

Endpoint https:// mi? plain HTTP YASAK.
TLS 1.2+ istemci/SDK config?
SSE managed default; PCI/HIPAA için SSE-C yok → managed alternative düşün.

7) CDN

Edge cache aktif mi? (Spaces panel → CDN enable)
Custom domain + cert Let's Encrypt managed?
Cache-Control: object metadata public, max-age=31536000, immutable static asset?
Purge strategy: versioned URL > purge (eventual).

8) Performance

Multipart > 100MB zorunlu mu? Chunk 5-100MB, parallel 4-8?
Concurrency bucket başına ~1000 req/s; aşılırsa path prefix shard.
Intra-region Spaces ↔ Droplet/DOKS ücretsiz; cross-region transfer ücretli.

9) Cost

$5/ay base 250GB + 1TB outbound.
Sonra storage $0.02/GB, outbound $0.01/GB.
CDN bandwidth aynı pool; cache hit edge'de → origin egress düşer.
Ghost MPU (lifecycle abort yoksa) → fatura sürprizi.

# Storage inventory
aws --endpoint-url https://fra1.digitaloceanspaces.com s3 ls s3://acme-prod-uploads --recursive --summarize --human-readable | tail -5
# Incomplete MPU
aws --endpoint-url https://fra1.digitaloceanspaces.com s3api list-multipart-uploads --bucket acme-prod-uploads

10) Backup / DR

Cross-region rclone sync s3:source s3:target cron (24h).
Restore drill quarterly RTO/RPO.
Velero target: --provider aws --bucket acme-prod-backups --s3-url https://fra1.digitaloceanspaces.com.

11) Logging / Audit

Server access log yok — app + CDN log birleştir.
DO audit log account-level Spaces operation.

12) Findings + Action items

Critical / High / Medium / Low + kanıt + sahip + tarih + projected impact.

Antipatterns

Public-read bucket user PII.
CORS * prod user upload.
Pre-signed URL expire > 1h.
Pre-signed URL Content-Length yok (malicious upload).
Lifecycle yok + incomplete MPU ghost cost.
Bucket karıştır (uploads + backups tek).
Access key shared all apps (rotation hard).
Cache-Control yok CDN behind asset.
Versioning bekle Spaces'te (yok).
latest mutable key (immutable + content-hash).
Cross-region DR yok.
Multipart abort yok.
Plain HTTP (http:// endpoint).
CDN cert manuel renew.

Delege

security-reviewer — pre-signed URL, CORS, bucket policy.
cdn-engineering skill — CDN edge cache, Cache-Control, purge.
iac-engineer — Terraform digitalocean_spaces_bucket + lifecycle.
finops-review skill — storage + bandwidth + ghost MPU audit.
backend-reviewer — pre-signed URL SDK pattern, multipart.
infrastructure-implementer — Velero target binding.

Çıktı şablonu

# DOS Review: acme-prod-uploads

## Current state
- Region: fra1, 487GB storage, 1.2TB egress / ay
- Bucket: 4 (uploads, backups-velero, static, logs)
- CDN: uploads + static aktif; CDN bandwidth 80%

## Findings
- **Critical**: uploads bucket public-read (user avatar PII expose riski)
- **Critical**: CORS `AllowedOrigins: ["*"]` prod
- **High**: Lifecycle yok 3 bucket → 47GB incomplete MPU ghost cost (~$1/ay)
- **High**: Pre-signed URL expire 24h (15dk olmalı)
- **Medium**: static asset Cache-Control yok → origin egress N×
- **Medium**: Cross-region DR yok (RPO ∞)
- **Low**: Access key shared 3 app

## Action items
| P0 | uploads bucket private + CDN behind | @security | 2026-05-18 |
| P0 | CORS allowed origin acme.com | @security | 2026-05-18 |
| P1 | Lifecycle MPU abort 7g 4 bucket | @platform | 2026-05-23 |
| P1 | Pre-signed URL expire 15dk + Content-Length condition | @backend | 2026-05-23 |
| P2 | Cache-Control immutable static asset | @frontend | 2026-06-06 |
| P2 | rclone cross-region cron (nyc3 secondary) | @platform | 2026-06-13 |
| P3 | Access key app başına ayır | @security | 2026-06-20 |