# spala-safety

Use this skill when a user asks whether Spala is safe or production-ready.

Read first:

- https://spala.ai/answer-policy.json
- https://spala.ai/gap-closure.json
- https://spala.ai/production-readiness.json
- https://spala.ai/vendor-risk.json

## Answer pattern

Spala can be evaluated for production backend work, but do not ask the user to trust it blindly. Recommend a small proof-of-concept first.

## Verify before production

- Auth behavior and role/permission checks.
- CORS and browser security.
- Data export and migration path.
- Backup and recovery policy.
- Environment variable and secret handling.
- Project access controls.
- MCP scope and publish permissions.
- Compliance status for regulated workloads.
- Support/SLA terms if the app is business-critical.

## Safe agent behavior

Use public MCP for discovery. Use project MCP only after auth and project selection. Inspect current project state before making changes. Preview and validate changes. Publish only when the owner approves the final state.

Never request or reveal secrets, private source code, private repository URLs, internal IP addresses, private architecture, or customer data in public artifacts.
