Farled

SECURITY — FOR THE PERSON WHO HAS TO SAY YES

Everything a security review asks. Answered up front.

Farled sits close to your code, so it is built to be inspected. The entire edge — everything that runs on engineers’ machines — is Apache-2.0 open source. This page is the short version of what an auditor finds.

Data classes

Class A — metadata, the default

file paths · line ranges · branch names · symbol names · repo & worktree IDs · timestamps · counts · source-issue IDs

This is all the wire protocol can carry by default. No field in farled/v1 can hold file contents, diffs, prompts, or chat logs — verified by tests that plant a canary secret and audit every transmitted byte.
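The canary check described above, sketched as an added example (not Farled's own test suite): emit_metadata is a hypothetical stand-in for the client under test, and its event fields are assumptions, not the farled/v1 schema. The audit searches the captured bytes for the canary in raw, hex, UTF-16 and base64 forms, including inside gzip bodies, and a deliberately leaky build serves as a negative control to show the audit can fail.

```python
import base64, binascii, gzip, json, os, secrets, tempfile

def canary_forms(canary: bytes) -> dict:
    """Encodings in which a leaked canary could appear on the wire."""
    forms = {"raw": canary, "hex": binascii.hexlify(canary),
             "utf16le": canary.decode().encode("utf-16-le")}
    # base64 text depends on the canary's byte offset mod 3 inside the payload;
    # keep only the characters that are fully determined by the canary itself.
    for off, skip in ((0, 0), (1, 2), (2, 3)):
        b64 = base64.b64encode(b"\0" * off + canary).rstrip(b"=")
        if (off + len(canary)) % 3:
            b64 = b64[:-1]
        forms[f"b64+{off}"] = b64[skip:]
    return forms

def audit(wire: bytes, canary: bytes) -> list:
    """Return every place an encoding of the canary shows up in the bytes sent."""
    views = {"wire": wire}
    if wire[:2] == b"\x1f\x8b":  # also look inside gzip-compressed bodies
        views["gunzip"] = gzip.decompress(wire)
    return [f"{view}:{name}" for view, data in views.items()
            for name, form in canary_forms(canary).items() if form in data]

def emit_metadata(repo: str, leak: bool = False) -> bytes:
    """Hypothetical stand-in for the client under test; not Farled's code."""
    events = []
    for root, _, files in os.walk(repo):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                body = fh.read()
            event = {"path": os.path.relpath(path, repo),
                     "lines": [1, body.count(b"\n") + 1]}
            if leak:  # negative control: contents smuggled in an encoded field
                event["blob"] = base64.b64encode(body).decode()
            events.append(event)
    return gzip.compress(json.dumps(events).encode())

def run_check(leak: bool) -> list:
    canary = ("CANARY-" + secrets.token_hex(12)).encode()  # constructed secret
    with tempfile.TemporaryDirectory() as repo:
        with open(os.path.join(repo, "settings.py"), "wb") as fh:
            fh.write(b"# constructed sample file\nAPI_KEY = '" + canary + b"'\n")
        return audit(emit_metadata(repo, leak), canary)

if __name__ == "__main__":
    print("clean build:", run_check(False), "| leaky build:", run_check(True))
```

An auditor repeating this against a real client would replace emit_metadata with a capture of the actual outbound traffic and keep the audit and negative control unchanged.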

Class B & C — content, opt-in or never

Scoped content (issue excerpts, failure summaries) is opt-in per source and bounded. Sensitive content — source files, prompt history, agent chat logs, scratchpads, secrets — is Class C: not collected, with no configuration that enables it.

Controls

Roadmap

SOC 2 Type I is planned ahead of the first enterprise deployment; self-hosted and single-tenant options are part of the Enterprise tier. For questions, vulnerability disclosures, or to schedule a security review: [email protected].