monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
This repository has been archived on 2026-03-13. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
89301f8c8a53c6141969e3f17a0c72a78167f4e4
greywall/docs/agents.md

2.4 KiB
Raw Blame History

Using Fence with AI Agents

Many popular coding agents already include sandboxing. Fence can still be useful when you want a tool-agnostic policy layer that works the same way across:

  • local developer machines
  • CI jobs
  • custom/internal agents or automation scripts
  • different agent products (as defense-in-depth)

Recommended approach

Treat an agent as "semi-trusted automation":

  • Restrict writes to the workspace (and maybe /tmp)
  • Allowlist only the network destinations you actually need
  • Use -m (monitor mode) to audit blocked attempts and tighten policy

Fence can also reduce the risk of running agents with fewer interactive permission prompts (e.g. "skip permissions"), as long as your Fence config tightly scopes writes and outbound destinations. It's defense-in-depth, not a substitute for the agent's own safeguards.

Example: API-only agent

{
  "network": {
    "allowedDomains": ["api.openai.com", "api.anthropic.com"]
  },
  "filesystem": {
    "allowWrite": ["."]
  }
}

Run:

fence --settings ./fence.json <agent-command>

Popular CLI coding agents

We provide these template for guardrailing CLI coding agents:

  • code - Strict deny-by-default network filtering via proxy. Works with agents that respect HTTP_PROXY. Blocks cloud metadata APIs, protects secrets, restricts dangerous commands.
  • code-relaxed - Allows direct network connections for agents that ignore HTTP_PROXY. Same filesystem/command protections as code, but deniedDomains only enforced for proxy-respecting apps.

You can use it like fence -t code -- claude.

However, not all coding agent CLIs work with Fence at the moment.

Agent Works with template Notes
Claude Code code -
Codex code
Cursor Agent code-relaxed Node.js/undici doesn't respect HTTP_PROXY
OpenCode - TUI hangs. Bun runtime doesn't respect HTTP_PROXY; architectural limitation

Protecting your environment

Fence includes additional "dangerous file protection (writes blocked regardless of config) to reduce persistence and environment-tampering vectors like:

  • .git/hooks/*
  • shell startup files (.zshrc, .bashrc, etc.)
  • some editor/tool config directories

See ARCHITECTURE.md for the full list and rationale.

Reference in New Issue View Git Blame Copy Permalink