Add support for config inheritance

docs/templates.md

@@ -19,6 +19,67 @@ fence --list-templates
 
 You can also copy and customize templates from [`internal/templates/`](/internal/templates/).
 
+## Extending templates
+
+Instead of copying and modifying templates, you can extend them in your config file using the `extends` field:
+
+```json
+{
+  "extends": "code",
+  "network": {
+    "allowedDomains": ["private-registry.company.com"]
+  }
+}
+```
+
+This inherits all settings from the `code` template and adds your private registry. Settings are merged:
+
+- Slice fields (domains, paths, commands): Appended and deduplicated
+- Boolean fields: OR logic (true if either enables it)
+- Integer fields (ports): Override wins (0 keeps base value)
+
+### Extending files
+
+You can also extend other config files using file paths:
+
+```json
+{
+  "extends": "./shared/base-config.json",
+  "network": {
+    "allowedDomains": ["extra-domain.com"]
+  }
+}
+```
+
+The `extends` value is treated as a file path if it contains `/` or `\`, or starts with `.`. Relative paths are resolved relative to the config file's directory. The extended file is validated before merging.
+
+Chains are supported: a file can extend a template, and another file can extend that file. Circular extends are detected and rejected.
+
+### Example: Company-specific AI agent config
+
+```json
+{
+  "extends": "code",
+  "network": {
+    "allowedDomains": [
+      "internal-npm.company.com",
+      "artifactory.company.com"
+    ],
+    "deniedDomains": ["competitor-analytics.com"]
+  },
+  "filesystem": {
+    "denyRead": ["~/.company-secrets/**"]
+  }
+}
+```
+
+This config:
+
+- Extends the battle-tested `code` template
+- Adds company-specific package registries
+- Adds additional telemetry/analytics to deny list
+- Protects company-specific secret directories
+
 ## Available Templates
 
 | Template | Description |