Archived

This repository has been archived on 2026-03-13. You can view files and clone it. You cannot open issues or pull requests or push a commit.

Files

JY Tan 8db245f56e Refactor and improve documentation, add examples

2025-12-23 18:43:07 -08:00

1.6 KiB

Raw Blame History

Configuration

Fence reads settings from ~/.fence.json by default (or pass --settings ./fence.json).

Example config:

{
  "network": {
    "allowedDomains": ["github.com", "*.npmjs.org", "registry.yarnpkg.com"],
    "deniedDomains": ["evil.com"]
  },
  "filesystem": {
    "denyRead": ["/etc/passwd"],
    "allowWrite": [".", "/tmp"],
    "denyWrite": [".git/hooks"]
  }
}

Network Configuration

Field	Description
`allowedDomains`	List of allowed domains. Supports wildcards like `*.example.com`
`deniedDomains`	List of denied domains (checked before allowed)
`allowUnixSockets`	List of allowed Unix socket paths (macOS)
`allowAllUnixSockets`	Allow all Unix sockets
`allowLocalBinding`	Allow binding to local ports
`allowLocalOutbound`	Allow outbound connections to localhost, e.g., local DBs (defaults to `allowLocalBinding` if not set)
`httpProxyPort`	Fixed port for HTTP proxy (default: random available port)
`socksProxyPort`	Fixed port for SOCKS5 proxy (default: random available port)

Filesystem Configuration

Field	Description
`denyRead`	Paths to deny reading (deny-only pattern)
`allowWrite`	Paths to allow writing
`denyWrite`	Paths to deny writing (takes precedence)
`allowGitConfig`	Allow writes to `.git/config` files

Other Options

Field	Description
`allowPty`	Allow pseudo-terminal (PTY) allocation in the sandbox (for MacOS)

1.6 KiB Raw Blame History

Configuration

Network Configuration

Filesystem Configuration

Other Options

See Also

1.6 KiB

Raw Blame History