rename Fence to Greywall as GreyHaven sandboxing component

Rebrand the project from Fence to Greywall, the sandboxing layer of the
GreyHaven platform. This updates:

- Go module path to gitea.app.monadical.io/monadical/greywall
- Binary name, CLI help text, and all usage examples
- Config paths (~/.config/greywall/greywall.json), env vars (GREYWALL_*)
- Log prefixes ([greywall:*]), temp file prefixes (greywall-*)
- All documentation, scripts, CI workflows, and example files
- README rewritten with GreyHaven branding and Fence attribution

Directory/file renames: cmd/fence → cmd/greywall, pkg/fence → pkg/greywall,
docs/why-fence.md → docs/why-greywall.md, example JSON files, and banner.

examples/01-dev-server/README.md

@@ -1,6 +1,6 @@
 # Dev Server + Redis Demo
 
-This demo shows how fence controls network access: allowing specific external domains while blocking (or allowing) localhost connections.
+This demo shows how greywall controls network access: allowing specific external domains while blocking (or allowing) localhost connections.
 
 ## Prerequisites
 
@@ -21,7 +21,7 @@ npm install
 This shows that requests to Redis (local service) works, but external requests are blocked.
 
 ```bash
-fence -p 3000 --settings fence-external-blocked.json npm start
+greywall -p 3000 --settings greywall-external-blocked.json npm start
 ```
 
 Test it:
@@ -39,7 +39,7 @@ curl http://localhost:3000/api/external
 This shows the opposite: whitelisted external domains work, but Redis (localhost) is blocked.
 
 ```bash
-fence -p 3000 --settings fence-external-only.json npm start
+greywall -p 3000 --settings greywall-external-only.json npm start
 ```
 
 You will immediately notice that Redis connection is blocked on app startup:
@@ -62,8 +62,8 @@ curl http://localhost:3000/api/users
 
 | Config | Redis (localhost) | External (httpbin.org) |
 |--------|-------------------|------------------------|
-| `fence-external-blocked.json` | ✓ Allowed | ✗ Blocked |
-| `fence-external-only.json` | ✗ Blocked | ✓ Allowed |
+| `greywall-external-blocked.json` | ✓ Allowed | ✗ Blocked |
+| `greywall-external-only.json` | ✗ Blocked | ✓ Allowed |
 
 ## Key Settings
 
@@ -75,7 +75,7 @@ curl http://localhost:3000/api/users
 
 ## Note: Node.js Proxy Support
 
-Node.js's native `http`/`https` modules don't respect proxy environment variables. This demo uses [`undici`](https://github.com/nodejs/undici) with `ProxyAgent` to route requests through fence's proxy:
+Node.js's native `http`/`https` modules don't respect proxy environment variables. This demo uses [`undici`](https://github.com/nodejs/undici) with `ProxyAgent` to route requests through greywall's proxy:
 
 ```javascript
 import { ProxyAgent, fetch } from "undici";
@@ -86,4 +86,4 @@ const response = await fetch(url, {
 });
 ```
 
-Without this, external HTTP requests would fail with connection errors (the sandbox blocks them) rather than going through fence's proxy.
+Without this, external HTTP requests would fail with connection errors (the sandbox blocks them) rather than going through greywall's proxy.

examples/01-dev-server/app.js

@@ -2,7 +2,7 @@
  * Demo Express app that:
  * 1. Serves an API on port 3000
  * 2. Connects to Redis on localhost:6379
- * 3. Attempts to call external APIs (blocked by fence)
+ * 3. Attempts to call external APIs (blocked by greywall)
  *
  * This demonstrates allowLocalOutbound - the app can reach
  * local services (Redis) but not the external internet.
@@ -60,7 +60,7 @@ async function fetchExternal(url) {
     signal: AbortSignal.timeout(5000),
   };
 
-  // Use proxy if available (set by fence)
+  // Use proxy if available (set by greywall)
   if (proxyUrl) {
     options.dispatcher = new ProxyAgent(proxyUrl);
   }
@@ -84,7 +84,7 @@ app.get("/", (req, res) => {
       "/api/users": "List all users from Redis",
       "/api/users/:id": "Get user by ID from Redis",
       "/api/health": "Health check",
-      "/api/external": "Try to call external API (blocked by fence)",
+      "/api/external": "Try to call external API (blocked by greywall)",
     },
   });
 });
@@ -160,20 +160,20 @@ app.get("/api/external", async (req, res) => {
 
   try {
     const result = await fetchExternal("https://httpbin.org/get");
-    // Check if we're using a proxy (indicates fence is running)
+    // Check if we're using a proxy (indicates greywall is running)
     const usingProxy = !!(process.env.HTTPS_PROXY || process.env.HTTP_PROXY);
     res.json({
       status: "success",
       message: usingProxy
         ? "✓ Request allowed (httpbin.org is whitelisted)"
-        : "⚠️ No proxy detected - not running in fence",
+        : "⚠️ No proxy detected - not running in greywall",
       proxy: usingProxy ? process.env.HTTPS_PROXY : null,
       data: result,
     });
   } catch (error) {
     res.json({
       status: "blocked",
-      message: "✓ External call blocked by fence",
+      message: "✓ External call blocked by greywall",
       error: error.message,
     });
   }

examples/01-dev-server/package.json

@@ -1,7 +1,7 @@
 {
   "name": "dev-server-demo",
   "version": "1.0.0",
-  "description": "Demo: Dev server with Redis in fence sandbox",
+  "description": "Demo: Dev server with Redis in greywall sandbox",
   "type": "module",
   "main": "app.js",
   "scripts": {

examples/02-filesystem/README.md

@@ -1,10 +1,10 @@
 # Filesystem Sandbox Demo
 
-This demo shows how fence controls filesystem access with `allowWrite`, `denyWrite`, and `denyRead`.
+This demo shows how greywall controls filesystem access with `allowWrite`, `denyWrite`, and `denyRead`.
 
 ## What it demonstrates
 
-| Operation | Without Fence | With Fence |
+| Operation | Without Greywall | With Greywall |
 |-----------|---------------|------------|
 | Write to `./output/` | ✓ | ✓ (in allowWrite) |
 | Write to `./` | ✓ | ✗ (not in allowWrite) |
@@ -16,19 +16,19 @@ This demo shows how fence controls filesystem access with `allowWrite`, `denyWri
 
 ## Run the demo
 
-### Without fence (all writes succeed)
+### Without greywall (all writes succeed)
 
 ```bash
 python demo.py
 ```
 
-### With fence (unauthorized operations blocked)
+### With greywall (unauthorized operations blocked)
 
 ```bash
-fence --settings fence.json python demo.py
+greywall --settings greywall.json python demo.py
 ```
 
-## Fence config
+## Greywall config
 
 ```json
 {
@@ -58,7 +58,7 @@ fence --settings fence.json python demo.py
 
 ## Protected paths
 
-Fence also automatically protects certain paths regardless of config:
+Greywall also automatically protects certain paths regardless of config:
 
 - Shell configs: `.bashrc`, `.zshrc`, `.profile`
 - Git hooks: `.git/hooks/*`

examples/02-filesystem/demo.py

@@ -2,13 +2,13 @@
 """
 Filesystem Sandbox Demo
 
-This script demonstrates fence's filesystem controls:
+This script demonstrates greywall's filesystem controls:
 - allowWrite: Only specific directories are writable
 - denyWrite: Block writes to sensitive files
 - denyRead: Block reads from sensitive paths
 
-Run WITHOUT fence to see all operations succeed.
-Run WITH fence to see unauthorized operations blocked.
+Run WITHOUT greywall to see all operations succeed.
+Run WITH greywall to see unauthorized operations blocked.
 """
 
 import os
@@ -78,7 +78,7 @@ def main():
 ╔═══════════════════════════════════════════════════════════╗
 ║  Filesystem Sandbox Demo                                  ║
 ╠═══════════════════════════════════════════════════════════╣
-║  Tests fence's filesystem controls:                       ║
+║  Tests greywall's filesystem controls:                       ║
 ║    - allowWrite: Only ./output/ is writable               ║
 ║    - denyWrite: .env and *.key files are protected        ║
 ║    - denyRead: /etc/shadow is blocked                     ║
@@ -96,7 +96,7 @@ def main():
         "Write to ./output/ (allowed)",
     )
 
-    # Test 2: Write to project root (should fail with fence)
+    # Test 2: Write to project root (should fail with greywall)
     try_write(
         "unauthorized.txt",
         "This should not be writable.\n",
@@ -133,12 +133,12 @@ def main():
         print(f"({skipped} test(s) skipped - file not found)")
 
     if blocked > 0:
-        print(f"✅ Fence blocked {blocked} unauthorized operation(s)")
+        print(f"✅ Greywall blocked {blocked} unauthorized operation(s)")
         print(f"{succeeded} allowed operation(s) succeeded")
         print("\nFilesystem sandbox is working!\n")
     else:
-        print("⚠️ All operations succeeded - you are likely not running in fence")
-        print("Run with: fence --settings fence.json python demo.py\n")
+        print("⚠️ All operations succeeded - you are likely not running in greywall")
+        print("Run with: greywall --settings greywall.json python demo.py\n")
 
     cleanup()
 

examples/README.md

@@ -1,6 +1,6 @@
-# Fence Examples
+# Greywall Examples
 
-Runnable examples demonstrating `fence` capabilities.
+Runnable examples demonstrating `greywall` capabilities.
 
 If you're looking for copy/paste configs and "cookbook" workflows, also see:
 
@@ -11,5 +11,5 @@ If you're looking for copy/paste configs and "cookbook" workflows, also see:
 
 | Example | What it demonstrates | How to run |
 |--------|-----------------------|------------|
-| **[01-dev-server](01-dev-server/README.md)** | Running a dev server in the sandbox, controlling external domains vs localhost outbound (Redis), and exposing an inbound port (`-p`) | `cd examples/01-dev-server && fence -p 3000 --settings fence-external-blocked.json npm start` |
-| **[02-filesystem](02-filesystem/README.md)** | Filesystem controls: `allowWrite`, `denyWrite`, `denyRead` | `cd examples/02-filesystem && fence --settings fence.json python demo.py` |
+| **[01-dev-server](01-dev-server/README.md)** | Running a dev server in the sandbox, controlling external domains vs localhost outbound (Redis), and exposing an inbound port (`-p`) | `cd examples/01-dev-server && greywall -p 3000 --settings greywall-external-blocked.json npm start` |
+| **[02-filesystem](02-filesystem/README.md)** | Filesystem controls: `allowWrite`, `denyWrite`, `denyRead` | `cd examples/02-filesystem && greywall --settings greywall.json python demo.py` |