Refactor and improve documentation, add examples

docs/configuration.md

@@ -0,0 +1,52 @@
+# Configuration
+
+Fence reads settings from `~/.fence.json` by default (or pass `--settings ./fence.json`).
+
+Example config:
+
+```json
+{
+  "network": {
+    "allowedDomains": ["github.com", "*.npmjs.org", "registry.yarnpkg.com"],
+    "deniedDomains": ["evil.com"]
+  },
+  "filesystem": {
+    "denyRead": ["/etc/passwd"],
+    "allowWrite": [".", "/tmp"],
+    "denyWrite": [".git/hooks"]
+  }
+}
+```
+
+## Network Configuration
+
+| Field | Description |
+|-------|-------------|
+| `allowedDomains` | List of allowed domains. Supports wildcards like `*.example.com` |
+| `deniedDomains` | List of denied domains (checked before allowed) |
+| `allowUnixSockets` | List of allowed Unix socket paths (macOS) |
+| `allowAllUnixSockets` | Allow all Unix sockets |
+| `allowLocalBinding` | Allow binding to local ports |
+| `allowLocalOutbound` | Allow outbound connections to localhost, e.g., local DBs (defaults to `allowLocalBinding` if not set) |
+| `httpProxyPort` | Fixed port for HTTP proxy (default: random available port) |
+| `socksProxyPort` | Fixed port for SOCKS5 proxy (default: random available port) |
+
+## Filesystem Configuration
+
+| Field | Description |
+|-------|-------------|
+| `denyRead` | Paths to deny reading (deny-only pattern) |
+| `allowWrite` | Paths to allow writing |
+| `denyWrite` | Paths to deny writing (takes precedence) |
+| `allowGitConfig` | Allow writes to `.git/config` files |
+
+## Other Options
+
+| Field | Description |
+|-------|-------------|
+| `allowPty` | Allow pseudo-terminal (PTY) allocation in the sandbox (for MacOS) |
+
+## See Also
+
+- Config templates: [`docs/templates/`](docs/templates/)
+- Workflow guides: [`docs/recipes/`](docs/recipes/)