fln is a command-line tool that runs locally on your machine. It:
- Reads files from your filesystem
- Writes output files locally
- Does not contact external services during flatten or diagnostics (
why,doctor,plan,diff,mcp); the only network path is explicitfln upgrade - Does NOT execute arbitrary code from your project
Only the latest release receives security updates. Please upgrade to the latest version before reporting issues.
Standalone binaries are published on GitHub Releases:
- SHA256 checksums (
.sha256) — required;fln upgradealways verifies the archive hash before install - cosign signatures (
.sig+.pem) — keyless Sigstore signatures from release CI; verified whencosignis on PATH, otherwise skipped with a stderr notice (sha256-only install still proceeds) - SPDX SBOM (
fln-<version>.sbom.spdx.json) — software bill of materials for each release
The npm package uses npm provenance (--provenance in publish CI) — separate from binary signing.
Network access during normal fln runs is limited to fln upgrade (explicit user action). Flatten, why, doctor, plan, diff, and mcp do not contact external services.
Please do NOT open public issues for security vulnerabilities.
Instead:
- Use GitHub Security Advisories for private reporting
- Include:
- Clear description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
I aim to respond within 3-5 business days and will work with you to address confirmed vulnerabilities.
fln skips paths that match built-in security globs (for example .env, **/*.pem, credentials.json) and any extra patterns in fln.json / securityPatterns.
- Skipped files appear in the directory tree with
skipReason: "security"when they are scanned (for example via-i .envwith--include-hidden, or force-include on a dotfile). - Force
-i/includedo not bypass security — detected secrets are never embedded in output. - Detection is pattern- and entropy-based: common formats (AWS, Google, GitHub, Stripe, Slack, Azure, GitLab, JWT, PEM) and high-entropy strings in file headers. Not a guarantee — review output before sharing.
fln why .envreports whether a path would be included; use--include-hiddenor-ito see the node in the tree without content.
fln does not phone home. On flatten runs it may write small local JSON files under ~/.config/fln/ (Windows: %LOCALAPPDATA%\fln\):
usage.json—runCountandlastRunonly — used for an optional in-terminal sponsor message, not sent anywheretoken-count-cache.json— content-addressed cache for token counts (snapshot diff / tokenizer); local only, not sent anywhere- Opt out of usage writes for one run:
--no-local-state - Remove: delete those files in that directory
When using fln:
- Review exclude patterns before running on sensitive projects
- Use
--dry-runfirst to preview what will be included - Be careful when sharing generated output files (they contain your code)
- Don't commit
fln.jsonconfig if it contains sensitive paths