Mathieu Virbel
da3a2ac3a4
Rebrand the project from Fence to Greywall, the sandboxing layer of the GreyHaven platform. This updates: - Go module path to gitea.app.monadical.io/monadical/greywall - Binary name, CLI help text, and all usage examples - Config paths (~/.config/greywall/greywall.json), env vars (GREYWALL_*) - Log prefixes ([greywall:*]), temp file prefixes (greywall-*) - All documentation, scripts, CI workflows, and example files - README rewritten with GreyHaven branding and Fence attribution Directory/file renames: cmd/fence → cmd/greywall, pkg/fence → pkg/greywall, docs/why-fence.md → docs/why-greywall.md, example JSON files, and banner.
91 lines
2.5 KiB
Markdown
91 lines
2.5 KiB
Markdown
# Config Templates
|
|
|
|
Greywall includes built-in config templates for common use cases. Templates are embedded in the binary, so you can use them directly without copying files.
|
|
|
|
## Using templates
|
|
|
|
Use the `-t` / `--template` flag to apply a template:
|
|
|
|
```bash
|
|
# Use a built-in template
|
|
greywall -t npm-install npm install
|
|
|
|
# Wraps Claude Code
|
|
greywall -t code -- claude
|
|
|
|
# List available templates
|
|
greywall --list-templates
|
|
```
|
|
|
|
You can also copy and customize templates from [`internal/templates/`](/internal/templates/).
|
|
|
|
## Extending templates
|
|
|
|
Instead of copying and modifying templates, you can extend them in your config file using the `extends` field:
|
|
|
|
```json
|
|
{
|
|
"extends": "code",
|
|
"network": {
|
|
"allowedDomains": ["private-registry.company.com"]
|
|
}
|
|
}
|
|
```
|
|
|
|
This inherits all settings from the `code` template and adds your private registry. Settings are merged:
|
|
|
|
- Slice fields (domains, paths, commands): Appended and deduplicated
|
|
- Boolean fields: OR logic (true if either enables it)
|
|
- Integer fields (ports): Override wins (0 keeps base value)
|
|
|
|
### Extending files
|
|
|
|
You can also extend other config files using file paths:
|
|
|
|
```json
|
|
{
|
|
"extends": "./shared/base-config.json",
|
|
"network": {
|
|
"allowedDomains": ["extra-domain.com"]
|
|
}
|
|
}
|
|
```
|
|
|
|
The `extends` value is treated as a file path if it contains `/` or `\`, or starts with `.`. Relative paths are resolved relative to the config file's directory. The extended file is validated before merging.
|
|
|
|
Chains are supported: a file can extend a template, and another file can extend that file. Circular extends are detected and rejected.
|
|
|
|
### Example: Company-specific AI agent config
|
|
|
|
```json
|
|
{
|
|
"extends": "code",
|
|
"network": {
|
|
"allowedDomains": [
|
|
"internal-npm.company.com",
|
|
"artifactory.company.com"
|
|
],
|
|
"deniedDomains": ["competitor-analytics.com"]
|
|
},
|
|
"filesystem": {
|
|
"denyRead": ["~/.company-secrets/**"]
|
|
}
|
|
}
|
|
```
|
|
|
|
This config:
|
|
|
|
- Extends the battle-tested `code` template
|
|
- Adds company-specific package registries
|
|
- Adds additional telemetry/analytics to deny list
|
|
- Protects company-specific secret directories
|
|
|
|
## Available Templates
|
|
|
|
| Template | Description |
|
|
|----------|-------------|
|
|
| `code` | Production-ready config for AI coding agents (Claude Code, Codex, Copilot, etc.) |
|
|
| `code-relaxed` | Like `code` but allows direct network for apps that ignore HTTP_PROXY |
|
|
| `git-readonly` | Blocks destructive commands like `git push`, `rm -rf`, etc. |
|
|
| `local-dev-server` | Allow binding and localhost outbound; allow writes to workspace/tmp |
|