Review bucket configuration
Policies, ACLs, encryption, versioning, and public-access settings — flagged when a combination is risky.
Native desktop agent
Point it at your S3-compatible storage and ask — review config, analyze access logs, or triage a failing request. Keys and evidence stay on your machine.
Which bucket, log, or error should we check?
Read-only and never destructive — I'll ask before moving any data.
Native desktop agent
Start a chat or pick a task — bucket config, access logs, inventory, errors, or cost. The agent plans read-only checks, works in DuckDB on imported evidence, and cites the log rows or config lines behind each finding.
What it investigates
Policies, ACLs, encryption, versioning, and public-access settings — flagged when a combination is risky.
Import access logs and query them in DuckDB: who read what, hot prefixes, and unusual access.
Turn an inventory into answers about object counts, sizes, storage classes, and growth.
Sort out which buckets exist across accounts, what each is for, and which look orphaned.
Bring a failing request; it checks the object with range reads and metadata to narrow the cause.
See where cost concentrates and where lifecycle or tiering would actually help.
How a session runs
Start a chat, or pick a task like review bucket config or analyze access logs.
It picks read-only tools, reads policy, metadata, and logs, and works in DuckDB.
Findings come with the log rows, object metadata, or config lines they rest on.
Read the diagnosis, approve anything that moves data, and act with the evidence in hand.
Local and read-only
Credentials live in an encrypted vault on your machine and are never written to logs, reports, or model prompts.
The agent can inspect but not write: no deletes, no overwrites, no configuration changes.
Downloads, large scans, and dataset analysis always ask first — nothing leaves without your go-ahead.
FAQ
You bring your own: configure a model provider and key. The key stays in the local vault and is never sent anywhere but your chosen provider.
No. Credentials, imported evidence, and analysis stay local; any action that moves data asks for consent first.
No. Cloud access is read-only by design — no writes, deletes, or configuration changes.
StorageOps gives an existing agent (Pi) storage skills; Storage Agent is a self-contained desktop app that runs the whole investigation itself.
A Tauri desktop app for macOS, Windows, and Linux. The project is Apache-2.0.