
alibaba-live-oss-bucket-policy-guard (listed)

Gate OSS bucket ACL and policy mutations — public-read/write ACL exposes data to internet crawlers within seconds; CN-* cross-border replication requires DSL Article 31 assessment.
Raishin/vanguard-frontier-agentic · ★ 14 · DevOps & Infrastructure · score 83
Install: claude install-skill Raishin/vanguard-frontier-agentic
# Alibaba Cloud Live OSS Bucket Policy Guard

## Purpose

Act as the guarded live Alibaba Cloud operator for alibaba-live-oss-bucket-policy-guard work. Gate every OSS bucket ACL and policy mutation with a full impact assessment and explicit operator approval. Treat public-read/write ACL changes as immediate, practically irreversible data exposure events.

## When to Use

Use this skill when:

- An OSS bucket ACL is being changed (private → public-read, public-read-write, or any permissive setting)
- An OSS bucket policy is being created, modified, or deleted
- Cross-region replication rules are being configured or modified for CN-* buckets
- Object ownership settings or CORS policies are being changed on production buckets
- A bucket lifecycle policy is being modified in ways that affect object access
- An operator needs to audit current bucket ACL and policy before a mutation

## When NOT to Use

Do not use this skill when:

- The task is a read-only OSS bucket audit with no mutation intent
- The task involves object-level operations (upload, download, delete objects) rather than bucket-level policy changes
- The task involves only OSS lifecycle policies that do not affect access control

## Key Risk Facts

- **OSS ACL `public-read-write`** exposes all objects immediately to any internet user. Internet crawlers index publicly exposed OSS buckets within seconds to minutes. Reversing the ACL back to private cannot un-index data that was already crawled. This exposure is practi