Fence wraps commands in a sandbox that blocks network access by default and restricts filesystem operations based on configurable rules. It's most useful for running semi-trusted code (package installs, build scripts, CI jobs, unfamiliar repos) with controlled side effects, and it can also complement AI coding agents as defense-in-depth.
You can also think of Fence as a permission manager for your CLI agents.
```bash
# Block all network access (default)
fence curl https://example.com  # → 403 Forbidden

# Allow specific domains
fence -t code npm install  # → uses 'code' template with npm/pypi/etc allowed

# Block dangerous commands
fence -c "rm -rf /"  # → blocked by command deny rules
```

Install:

```bash
curl -fsSL https://raw.githubusercontent.com/Use-Tusk/fence/main/install.sh | sh
```

Other installation methods
Go install:

```bash
go install github.com/Use-Tusk/fence/cmd/fence@latest
```

Build from source:

```bash
git clone https://github.com/Use-Tusk/fence
cd fence
go build -o fence ./cmd/fence
```

Additional requirements for Linux:

- `bubblewrap` (for sandboxing)
- `socat` (for network bridging)
- `bpftrace` (optional, for filesystem violation visibility when monitoring with `-m`)
```bash
# Run command with all network blocked (no domains allowed by default)
fence curl https://example.com

# Run with shell expansion
fence -c "echo hello && ls"

# Enable debug logging
fence -d curl https://example.com

# Use a template
fence -t code -- claude  # Runs Claude Code using `code` template config

# Monitor mode (shows violations)
fence -m npm install

# Show all commands and options
fence --help
```

Fence reads from `~/.fence.json` by default:
```json
{
  "extends": "code",
  "network": { "allowedDomains": ["private.company.com"] },
  "filesystem": { "allowWrite": ["."] },
  "command": { "deny": ["git push", "npm publish"] }
}
```

Use `fence --settings ./custom.json` to specify a different config.
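A small linter for the configuration keys shown above, added here as an example (it is not part of Fence and does not use Fence's Go package). The review policy is an assumption: it flags entries containing `*`, write paths starting with `/`, `~` or `..`, and any caller-supplied command missing verbatim from `command.deny`; it reads only the file's own entries, not anything inherited through `extends`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Config mirrors only the keys shown in the sample ~/.fence.json.
type Config struct {
	Network    struct{ AllowedDomains []string `json:"allowedDomains"` } `json:"network"`
	Filesystem struct{ AllowWrite []string `json:"allowWrite"` }         `json:"filesystem"`
	Command    struct{ Deny []string `json:"deny"` }                     `json:"command"`
}

// Audit applies a local review policy (an assumption, not Fence's own logic)
// and returns one finding per setting a reviewer should look at.
func Audit(raw []byte, mustDeny []string) ([]string, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	var out []string
	for _, d := range c.Network.AllowedDomains {
		if strings.Contains(d, "*") { // flagged as text; wildcard semantics not assumed
			out = append(out, "network.allowedDomains: broad entry "+d)
		}
	}
	for _, p := range c.Filesystem.AllowWrite {
		if strings.HasPrefix(p, "/") || strings.HasPrefix(p, "~") || strings.HasPrefix(p, "..") {
			out = append(out, "filesystem.allowWrite: outside working directory: "+p)
		}
	}
	denied := map[string]bool{}
	for _, d := range c.Command.Deny {
		denied[d] = true
	}
	for _, m := range mustDeny {
		if !denied[m] { // exact string match only
			out = append(out, "command.deny: missing "+m)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample config, deliberately looser than the one above.
	sample := []byte(`{"network":{"allowedDomains":["*.example.com"]},"filesystem":{"allowWrite":[".","~/.ssh"]},"command":{"deny":["git push"]}}`)
	fmt.Println(Audit(sample, []string{"git push", "npm publish"}))
}
```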
```bash
fence import --claude -o ~/.fence.json
```

- Network isolation - All outbound blocked by default; allowlist domains via config
- Filesystem restrictions - Control read/write access paths
- Command blocking - Deny dangerous commands like `rm -rf /`, `git push`
- SSH Command Filtering - Control which hosts and commands are allowed over SSH
- Built-in templates - Pre-configured rulesets for common workflows
- Violation monitoring - Real-time logging of blocked requests (`-m`)
- Cross-platform - macOS (`sandbox-exec`) + Linux (`bubblewrap`)

Fence can be used as a Go package or CLI tool.
Inspired by Anthropic's sandbox-runtime.
