Working on security with the agent looks a lot like any other part of the conversation. The Macaly agent applies sensible defaults, and what you bring is context: what kind of project this is, what data it handles, and what matters to you. The clearer you are about your project, the better the result.
Set the context early
The most useful thing you can do is tell the agent early what kind of project you’re building. A few words of context at the start lead to a stronger result than asking for security adjustments after everything is built.
When you describe your project, mention if it involves user accounts, personal data, or anything sensitive. The agent takes that into account across the whole project, from how the database is structured to how API endpoints are protected.
Adding “make sure each user only sees their own data” after the app is built often means refactoring what’s already there. Mentioning it up front means the agent designs the app that way from the start.
Examples of useful context:
I'm building a SaaS app with user accounts. Each user should
only see their own projects and data. Treat this as a production
app where security and data protection matter.

This is an internal tool for our team to manage customer
support tickets. We'll have admin and member roles. Customer
emails and conversation history are sensitive, so handle them
carefully.

I'm building a public marketing site for my consultancy. No
user accounts, no payments, just content and a contact form.
The third example is just as useful as the first two. It tells the agent that elaborate access controls aren’t needed, which keeps the project simple.
When to give the agent more context
For a simple site without accounts or external integrations, the platform’s defaults usually cover what you need. A short prompt is enough.
A more detailed initial prompt helps when your project will involve any of the following:
- User accounts and personal data
- Different permission levels (such as admin and member)
- Sensitive business data in internal tools
- Public APIs or open submission forms
In these cases, a few extra sentences in your first prompt save iteration later.
What counts as personal data? Anything that could identify someone: name, email, phone number, address, IP address, photo. Sensitive data is a step up: health information, financial details, private messages, or anything related to children. If your project will store either, mentioning it in your first prompt helps the agent set things up appropriately.
Refining behaviors during the build
As your project grows, you may want to adjust specific things. The agent can refine input validation, rate limiting, role-based access, what data is sent to the page, and similar behaviors. You don’t need technical terms; just describe what you want in plain language.
A few examples:
The contact form is getting spam. Limit submissions to 3 per
visitor per hour.

On the public leaderboard, only show display names and scores.
Don't expose any other user information.

Add an admin area where only I can moderate posts. Make sure
nobody else can access it, even by guessing the URL.
The agent will pick up the intent and apply it where it matters.
If you didn’t set the context early
If you’ve already built something and want to take a closer look at it before sharing it with real users, that’s perfectly fine. The agent can review what’s there and suggest improvements without you having to start over.
A few prompts that work well for this kind of review:
I want to take this project to production. Review what's there
and suggest anything I should tighten before publishing.

I'm about to share this app with real users. Walk me through
how user data is handled and let me know if anything looks
off.
The agent will look at how access, data handling, and integrations are set up, and explain what would benefit from adjustment. You can then decide what to apply.
Checking specific areas with the agent
You can ask the agent at any point to explain how something in your project works. A few prompts that tend to give clear answers:
Walk me through how user data is protected in this app.
What does the public leaderboard endpoint return to visitors?
Show me where login attempts are rate limited.
Who has access to the admin area, and how is it enforced?
If you’re not sure whether something in your project is right, just describe your concern to the agent in plain words. It will look at the relevant parts and either explain what’s there or suggest what to change. There are no wrong questions, and asking is faster than guessing.
For background on what Macaly handles at the platform level, see the Security overview. For specific use cases, contact support@macaly.com.