53 lines
1.6 KiB
Markdown
53 lines
1.6 KiB
Markdown
# Configuration
|
|
|
|
Fence reads settings from `~/.fence.json` by default (or pass `--settings ./fence.json`).
|
|
|
|
Example config:
|
|
|
|
```json
|
|
{
|
|
"network": {
|
|
"allowedDomains": ["github.com", "*.npmjs.org", "registry.yarnpkg.com"],
|
|
"deniedDomains": ["evil.com"]
|
|
},
|
|
"filesystem": {
|
|
"denyRead": ["/etc/passwd"],
|
|
"allowWrite": [".", "/tmp"],
|
|
"denyWrite": [".git/hooks"]
|
|
}
|
|
}
|
|
```
|
|
|
|
## Network Configuration
|
|
|
|
| Field | Description |
|
|
|-------|-------------|
|
|
| `allowedDomains` | List of allowed domains. Supports wildcards like `*.example.com` |
|
|
| `deniedDomains` | List of denied domains (checked before allowed) |
|
|
| `allowUnixSockets` | List of allowed Unix socket paths (macOS) |
|
|
| `allowAllUnixSockets` | Allow all Unix sockets |
|
|
| `allowLocalBinding` | Allow binding to local ports |
|
|
| `allowLocalOutbound` | Allow outbound connections to localhost, e.g., local DBs (defaults to `allowLocalBinding` if not set) |
|
|
| `httpProxyPort` | Fixed port for HTTP proxy (default: random available port) |
|
|
| `socksProxyPort` | Fixed port for SOCKS5 proxy (default: random available port) |
|
|
|
|
## Filesystem Configuration
|
|
|
|
| Field | Description |
|
|
|-------|-------------|
|
|
| `denyRead` | Paths to deny reading (deny-only pattern) |
|
|
| `allowWrite` | Paths to allow writing |
|
|
| `denyWrite` | Paths to deny writing (takes precedence) |
|
|
| `allowGitConfig` | Allow writes to `.git/config` files |
|
|
|
|
## Other Options
|
|
|
|
| Field | Description |
|
|
|-------|-------------|
|
|
| `allowPty` | Allow pseudo-terminal (PTY) allocation in the sandbox (for MacOS) |
|
|
|
|
## See Also
|
|
|
|
- Config templates: [`docs/templates/`](docs/templates/)
|
|
- Workflow guides: [`docs/recipes/`](docs/recipes/)
|