Refactor and improve documentation, add examples

docs/templates/README.md

@@ -0,0 +1,18 @@
+# Config Templates
+
+This directory contains Fence config templates. They are small and meant to be copied and customized.
+
+## Templates
+
+- `default-deny.json`: no network allowlist; no write access (most restrictive)
+- `workspace-write.json`: allow writes in the current directory
+- `npm-install.json`: allow npm registry; allow writes to workspace/node_modules/tmp
+- `pip-install.json`: allow PyPI; allow writes to workspace/tmp
+- `local-dev-server.json`: allow binding and localhost outbound; allow writes to workspace/tmp
+- `agent-api-only.json`: allow common LLM API domains; allow writes to workspace
+
+## Using a template
+
+```bash
+fence --settings ./docs/templates/npm-install.json npm install
+```

docs/templates/agent-api-only.json

@@ -0,0 +1,8 @@
+{
+  "network": {
+    "allowedDomains": ["api.openai.com", "api.anthropic.com"]
+  },
+  "filesystem": {
+    "allowWrite": ["."]
+  }
+}

docs/templates/default-deny.json

@@ -0,0 +1,8 @@
+{
+  "network": {
+    "allowedDomains": []
+  },
+  "filesystem": {
+    "allowWrite": []
+  }
+}

docs/templates/local-dev-server.json

@@ -0,0 +1,9 @@
+{
+  "network": {
+    "allowLocalBinding": true,
+    "allowLocalOutbound": true
+  },
+  "filesystem": {
+    "allowWrite": [".", "/tmp"]
+  }
+}

docs/templates/npm-install.json

@@ -0,0 +1,8 @@
+{
+  "network": {
+    "allowedDomains": ["registry.npmjs.org", "*.npmjs.org"]
+  },
+  "filesystem": {
+    "allowWrite": [".", "node_modules", "/tmp"]
+  }
+}

docs/templates/pip-install.json

@@ -0,0 +1,8 @@
+{
+  "network": {
+    "allowedDomains": ["pypi.org", "files.pythonhosted.org"]
+  },
+  "filesystem": {
+    "allowWrite": [".", "/tmp"]
+  }
+}

docs/templates/workspace-write.json

@@ -0,0 +1,5 @@
+{
+  "filesystem": {
+    "allowWrite": ["."]
+  }
+}