monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

Add code-relaxed template, handle wildcard network allow

Browse Source
This commit is contained in:
JY Tan
2025-12-29 01:39:41 -08:00
parent d8e55d9515
commit 90cd0a0a4b
10 changed files with 535 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
docs/agents.md
View File

@@ -36,17 +36,23 @@ Run:
fence --settings ./fence.json <agent-command>
```
## Real-world usage
## Popular CLI coding agents
Currently, we provide the `code.json` template. You can use it by running `fence -t code -- claude`.
We provide these template for guardrailing CLI coding agents:
However, not all coding agent CLIs work with Fence yet. We're actively investigating these issues.
- [`code`](/internal/templates/code.json) - Strict deny-by-default network filtering via proxy. Works with agents that respect `HTTP_PROXY`. Blocks cloud metadata APIs, protects secrets, restricts dangerous commands.
- [`code-relaxed`](/internal/templates/code-relaxed.json) - Allows direct network connections for agents that ignore `HTTP_PROXY`. Same filesystem/command protections as `code`, but `deniedDomains` only enforced for proxy-respecting apps.
| Agent | Works? | Notes |
You can use it like `fence -t code -- claude`.
However, not all coding agent CLIs work with Fence at the moment.
| Agent | Works with template | Notes |
|-------|--------| ----- |
| Claude Code | ✅ | Fully working with `code` template |
| Codex | ❌ | Missing unidentified sandbox permission for interactive mode |
| OpenCode | ❌ | Ignores proxy env vars; makes direct network connections |
| Claude Code | `code` | - |
| Codex | `code` | |
| Cursor Agent | `code-relaxed` | Node.js/undici doesn't respect HTTP_PROXY |
| OpenCode | - | TUI hangs. Bun runtime doesn't respect HTTP_PROXY; architectural limitation |
## Protecting your environment

13
docs/configuration.md
View File

@@ -34,6 +34,19 @@ Example config:
| `httpProxyPort` | Fixed port for HTTP proxy (default: random available port) |
| `socksProxyPort` | Fixed port for SOCKS5 proxy (default: random available port) |
### Wildcard Domain Access
Setting `allowedDomains: ["*"]` enables **relaxed network mode**:
- Direct network connections are allowed (sandbox doesn't block outbound)
- Proxy still runs for apps that respect `HTTP_PROXY`
- `deniedDomains` is only enforced for apps using the proxy
> [!WARNING]
> **Security tradeoff**: Apps that ignore `HTTP_PROXY` will bypass `deniedDomains` filtering entirely.
Use this when you need to support apps that don't respect proxy environment variables.
## Filesystem Configuration
| Field | Description |

1
docs/templates.md
View File

@@ -24,5 +24,6 @@ You can also copy and customize templates from [`internal/templates/`](/internal
| Template | Description |
|----------|-------------|
| `code` | Production-ready config for AI coding agents (Claude Code, Codex, Copilot, etc.) |
| `code-relaxed` | Like `code` but allows direct network for apps that ignore HTTP_PROXY |
| `git-readonly` | Blocks destructive commands like `git push`, `rm -rf`, etc. |
| `local-dev-server` | Allow binding and localhost outbound; allow writes to workspace/tmp |