SECURITY — FOR THE PERSON WHO HAS TO SAY YES
Farled sits close to your code, so it is built to be inspected. The entire edge — everything that runs on engineers’ machines — is Apache-2.0 open source. This page is the short version of what an auditor finds.
file paths · line ranges · branch names · symbol names · repo & worktree IDs · timestamps · counts · source-issue IDs
This is all the wire protocol can carry by default. No field in farled/v1 can hold file contents, diffs, prompts, or chat logs — verified by tests that plant a canary secret and audit every transmitted byte.
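A canary audit of this kind can be sketched as follows. This is an added example, not Farled's code or test suite: the JSON message layout, the field names in `ALLOWED`, and both encoder functions are assumptions made for illustration. It checks the wire bytes for the planted secret in raw, hex, and base64 form (at all three byte alignments, since base64 output shifts with the offset of the secret) and for any field outside the allowlist.

```python
import base64, json, secrets

# Assumed allowlist, modeled on the metadata categories the page lists;
# these key names are hypothetical, not the real farled/v1 schema.
ALLOWED = {"file_path", "line_start", "line_end", "branch", "symbol",
           "repo_id", "worktree_id", "timestamp", "count", "source_issue_id"}

def encode_metadata(path, start, end, branch, symbol):
    """Hypothetical edge encoder: sends locations and names, never content."""
    msg = {"file_path": path, "line_start": start, "line_end": end,
           "branch": branch, "symbol": symbol}
    return json.dumps(msg).encode()

def encode_leaky(path, start, end, branch, symbol, content):
    """Regression the audit must catch: file content smuggled in as base64."""
    msg = json.loads(encode_metadata(path, start, end, branch, symbol))
    msg["blob"] = base64.b64encode(content).decode()
    return json.dumps(msg).encode()

def canary_needles(canary):
    """Raw, hex, and base64 forms of the canary at all three byte alignments."""
    needles = {"raw": canary, "hex": canary.hex().encode()}
    for pad in range(3):
        enc = base64.b64encode(b"\0" * pad + canary)
        first = -(-pad * 8 // 6)               # first char free of prefix bits
        last = (pad + len(canary)) * 8 // 6    # chars wholly inside the canary
        needles[f"b64+{pad}"] = enc[first:last]
    return needles

def audit_wire(wire, canary):
    """Return (canary encodings found, fields outside the allowlist)."""
    found = [name for name, n in canary_needles(canary).items() if n in wire]
    extra = sorted(set(json.loads(wire)) - ALLOWED)
    return found, extra

# Constructed sample: a source file with a planted canary secret.
CANARY = b"CANARY-" + secrets.token_hex(16).encode()
SOURCE = b"def pay():\n    api_key = '" + CANARY + b"'\n"

if __name__ == "__main__":
    print(audit_wire(encode_metadata("src/pay.py", 1, 2, "main", "pay"), CANARY))
    print(audit_wire(encode_leaky("src/pay.py", 1, 2, "main", "pay", SOURCE), CANARY))
```

The byte scan and the allowlist check are complementary: content stuffed into an allowed field such as `file_path` passes the allowlist but is caught by the scan.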
Scoped content (issue excerpts, failure summaries) is opt-in per source and bounded. Sensitive content — source files, prompt history, agent chat logs, scratchpads, secrets — is Class C: not collected, with no configuration that enables it.
SOC 2 Type I is planned ahead of the first enterprise deployment; self-hosted and single-tenant options are part of the Enterprise tier. For questions, vulnerability disclosures, or to schedule a security review: [email protected].