Fence is a sandboxing tool that restricts network and filesystem access for arbitrary commands. It's most useful for running semi-trusted code (package installs, build scripts, CI jobs, unfamiliar repos) with controlled side effects.

Getting Started

Quickstart - Install fence and run your first sandboxed command in 5 minutes
Why Fence - What problem it solves (and what it doesn't)

Guides

Concepts - Mental model: OS sandbox + local proxies + config
Troubleshooting - Common failure modes and fixes
Using Fence with AI agents - Defense-in-depth and policy standardization
Recipes - Common workflows (npm/pip/git/CI)
Config Templates - Copy/paste templates you can start from

Reference

README - CLI + library usage
Configuration - How to configure Fence
Architecture - How fence works under the hood
Security model - Threat model, guarantees, and limitations
Linux security features - Landlock, seccomp, eBPF details and fallback behavior
Testing - How to run tests and write new ones
Benchmarking - Performance overhead and profiling

Examples

See examples/ for runnable demos.

Quick Reference

Common commands

# Block all network (default)
fence <command>

# Use custom config
fence --settings ./fence.json <command>

# Debug mode (verbose output)
fence -d <command>

# Monitor mode (show blocked requests)
fence -m <command>

# Expose port for servers
fence -p 3000 <command>

# Run shell command
fence -c "echo hello && ls"