curiositech/file-upload-storage-expert
skills/file-upload-storage-expert/SKILL.md
S3, multipart uploads, CDN integration, and presigned URLs for file storage. Activate on: file upload, S3, presigned URL, multipart upload, CDN, blob storage, image upload, media storage. NOT for: data warehouse storage (use lakehouse-architect), database design (use dimensional-modeler).
data-ai
Updated Apr 4, 2026
$ install --global
skillsauthnpx skillsauth add curiositech/windags-skills file-upload-storage-expertInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 2:14 PM22.5s1 file scanned
SKILL.md
- license:
- Apache-2.0
- name:
- file-upload-storage-expert
- description:
- S3, multipart uploads, CDN integration, and presigned URLs for file storage. Activate on: file upload, S3, presigned URL, multipart upload, CDN, blob storage, image upload, media storage. NOT for: data warehouse storage (use lakehouse-architect), database design (use dimensional-modeler).
- allowed-tools:
- Read,Write,Edit,Bash(npm:*,npx:*,aws:*,wrangler:*)
- category:
- Backend & Infrastructure
- - skill:
- observability-apm-expert
- reason:
- Upload latency and failure rate monitoring
File Upload & Storage Expert
Design secure, scalable file upload and storage systems with presigned URLs, multipart uploads, CDN distribution, and lifecycle management.
Activation Triggers
Activate on: "file upload", "S3", "presigned URL", "multipart upload", "CDN", "blob storage", "image upload", "R2", "media storage", "upload progress"
NOT for: Data lake storage → lakehouse-architect | Database BLOB columns → dimensional-modeler | Video processing pipelines → relevant media skill
Quick Start
- Choose storage backend — S3, R2 (zero egress), GCS, or Supabase Storage
- Generate presigned URLs server-side — never expose credentials to clients
- Implement multipart upload for files >10MB with resume capability
- Process asynchronously — thumbnails, transcoding, virus scanning via queue
- Serve via CDN — CloudFront, Cloudflare, or Vercel Edge for global delivery
Core Capabilities
| Domain | Technologies | |--------|-------------| | Object Storage | AWS S3, Cloudflare R2, GCS, MinIO | | Upload Libraries | @aws-sdk/client-s3, tus-js-client, Uppy 4.x | | CDN | CloudFront, Cloudflare CDN, Fastly | | Processing | Sharp (images), FFmpeg (video), ClamAV (scanning) | | Managed | Supabase Storage, Vercel Blob, Uploadthing |
Architecture Patterns
Presigned URL Upload Flow
Client Server S3/R2
│ │ │
├─ POST /upload/init ────→│ │
│ { filename, type } │ │
│ ├─ createPresignedPost() ─→│
│ │ │
│←── { url, fields } ────┤ │
│ │ │
├─ PUT (direct to S3) ──────────────────────────────→│
│ │ │
│ │←── S3 Event Notification│
│ ├─ Process (thumbnail, │
│ │ scan, metadata) │
│←── webhook: ready ─────┤ │
Multipart Upload with Resume
import { S3Client, CreateMultipartUploadCommand,
UploadPartCommand, CompleteMultipartUploadCommand } from '@aws-sdk/client-s3';
const PART_SIZE = 10 * 1024 * 1024; // 10MB parts
async function multipartUpload(file: Buffer, key: string) {
const { UploadId } = await s3.send(
new CreateMultipartUploadCommand({ Bucket: BUCKET, Key: key })
);
const parts: { ETag: string; PartNumber: number }[] = [];
for (let i = 0; i < file.length; i += PART_SIZE) {
const partNumber = Math.floor(i / PART_SIZE) + 1;
const { ETag } = await s3.send(new UploadPartCommand({
Bucket: BUCKET, Key: key, UploadId,
PartNumber: partNumber,
Body: file.subarray(i, i + PART_SIZE),
}));
parts.push({ ETag: ETag!, PartNumber: partNumber });
}
await s3.send(new CompleteMultipartUploadCommand({
Bucket: BUCKET, Key: key, UploadId,
MultipartUpload: { Parts: parts },
}));
}
CDN-First Serving Architecture
User Request → CDN Edge (cache hit?) ──yes──→ Serve cached
│ no
↓
Origin (S3/R2)
↓
Response + Cache-Control: public, max-age=31536000, immutable
(use content-hash in filename for cache busting)
Anti-Patterns
- Proxying uploads through your server — use presigned URLs so clients upload directly to object storage; your server should never be a relay
- Synchronous processing — never resize/transcode during the upload request; push to a queue and process async
- Mutable filenames — use content-addressable keys (
sha256-{hash}.ext) for CDN cacheability - No upload size limits — enforce max file size server-side in presigned URL policy AND client-side
- Storing credentials client-side — presigned URLs expire; never send AWS keys to the browser
Quality Checklist
- [ ] Presigned URLs used for client-to-storage uploads
- [ ] Presigned URL expiry set to 5-15 minutes
- [ ] Multipart upload implemented for files >10MB
- [ ] Upload size limits enforced in presigned URL policy
- [ ] Content-Type validation on server (not just extension)
- [ ] Virus/malware scanning before making files public
- [ ] CDN configured with immutable cache headers
- [ ] Lifecycle policy deletes incomplete multipart uploads after 24h
- [ ] CORS configured on bucket for browser direct uploads
- [ ] Storage costs monitored with lifecycle transitions (Standard → IA → Glacier)
Related Skills
curiositech/circuit-breakers-and-retries
tools
VerifiedTrustedCommunity
Building resilient distributed systems with circuit breakers, retries with full-jitter exponential backoff, retry budgets (per-request 3-attempt + per-client 10% ratio per Google SRE), deadline propagation, and the cascading-failure math (4 layers × 3 retries = 64x amplification). Grounded in Resilience4j, Microsoft Cloud Patterns, AWS Architecture Blog (Marc Brooker), and Google SRE Book.
4SKILL.mdUpdated May 6, 2026
curiositech/cdn-cache-control-headers
testing
VerifiedTrustedCommunity
Designing HTTP cache headers that work correctly across browsers, CDNs, and shared proxies — `Cache-Control` directives per RFC 9111, `stale-while-revalidate` and `stale-if-error` per RFC 5861, the Vary header for varying responses, and surrogate keys for tag-based purging. Grounded in IETF RFCs and Cloudflare/Fastly docs.
4SKILL.mdUpdated May 5, 2026
curiositech/content-security-policy-headers
development
VerifiedTrustedCommunity
Use when designing or fixing a Content Security Policy on a real site, choosing between nonce-based and hash-based CSP, adding strict-dynamic, debugging "Refused to execute inline script" errors, deploying CSP in report-only mode first, configuring report-to / report-uri, or auditing an existing policy for unsafe-inline / unsafe-eval / wildcards. Triggers: "CSP blocks legitimate inline script", strict-dynamic, nonce-{RANDOM}, sha256-{HASH}, object-src none, base-uri none, frame-ancestors, Trusted Types, X-Content-Security-Policy obsolete, report-only vs enforced. NOT for general HTTP security headers (HSTS, COOP/COEP), Trusted Types deep dive, CORS configuration, or building a WAF.
3SKILL.mdUpdated May 4, 2026
curiositech/api-versioning-strategy
tools
VerifiedTrustedCommunity
Choosing and operating an HTTP API versioning strategy that doesn't break clients — Stripe's date-based pinned versions, the Deprecation/Sunset header pair (RFC 9745 + RFC 8594), URI vs header vs media-type approaches, and the version-transformer pattern. Grounded in Stripe's published architecture and IETF RFCs.
3SKILL.mdUpdated May 4, 2026