Skip to content
/ fence Public

Lightweight, container-free sandbox for running commands with network and filesystem restrictions

License

Apache-2.0 license
316 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Use-Tusk/fence

BranchesTags

Repository files navigation

Fence Banner

GitHub Release

Fence wraps commands in a sandbox that blocks network access by default and restricts filesystem operations based on configurable rules. It's most useful for running semi-trusted code (package installs, build scripts, CI jobs, unfamiliar repos) with controlled side effects, and it can also complement AI coding agents as defense-in-depth.

You can also think of Fence as a permission manager for your CLI agents.

# Block all network access (default)
fence curl https://example.com  # → 403 Forbidden

# Allow specific domains
fence -t code npm install  # → uses 'code' template with npm/pypi/etc allowed

# Block dangerous commands
fence -c "rm -rf /"  # → blocked by command deny rules

Install

macOS / Linux:

curl -fsSL https://raw.githubusercontent.com/Use-Tusk/fence/main/install.sh | sh
Other installation methods

Go install:

go install github.com/Use-Tusk/fence/cmd/fence@latest

Build from source:

git clone https://github.com/Use-Tusk/fence
cd fence
go build -o fence ./cmd/fence

Additional requirements for Linux:

  • bubblewrap (for sandboxing)
  • socat (for network bridging)
  • bpftrace (optional, for filesystem violation visibility when monitoring with -m)

Usage

Basic

# Run command with all network blocked (no domains allowed by default)
fence curl https://example.com

# Run with shell expansion
fence -c "echo hello && ls"

# Enable debug logging
fence -d curl https://example.com

# Use a template
fence -t code -- claude  # Runs Claude Code using `code` template config

# Monitor mode (shows violations)
fence -m npm install

# Show all commands and options
fence --help

Configuration

Fence reads from ~/.fence.json by default:

{
  "extends": "code",
  "network": { "allowedDomains": ["private.company.com"] },
  "filesystem": { "allowWrite": ["."] },
  "command": { "deny": ["git push", "npm publish"] }
}

Use fence --settings ./custom.json to specify a different config.

Import from Claude Code

fence import --claude -o ~/.fence.json

Features

  • Network isolation - All outbound blocked by default; allowlist domains via config
  • Filesystem restrictions - Control read/write access paths
  • Command blocking - Deny dangerous commands like rm -rf /, git push
  • SSH Command Filtering - Control which hosts and commands are allowed over SSH
  • Built-in templates - Pre-configured rulesets for common workflows
  • Violation monitoring - Real-time logging of blocked requests (-m)
  • Cross-platform - macOS (sandbox-exec) + Linux (bubblewrap)

Fence can be used as a Go package or CLI tool.

Documentation

Attribution

Inspired by Anthropic's sandbox-runtime.

About

Lightweight, container-free sandbox for running commands with network and filesystem restrictions

Topics

sandbox seccomp socat seatbelt bubblewrap code-security landlock coding-agent

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

316 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases 17

v0.1.16 Latest
Jan 26, 2026
+ 16 releases

Contributors 3

Languages