Fence blocks the catastrophic command before your agent runs it, and stays silent for everything else. It parses what a command actually does, so there is no denylist to evade.
Prebuilt, no compile step. macOS and Linux.Then hook it into Claude Code: fence init --globalOpen source: github.com/hoophq/fence
How it works
One command adds the hook to Claude Code. The recommended rule pack ships in the binary and is always on.
Fence parses every tool call into semantic facts. rm -rf ~, rm -fr ~, and sudo rm -rf $HOME are one dangerous intent, all caught.
Unambiguous catastrophe is blocked, the plausibly-legit gets a confirm prompt, and everyday work passes in silence.
Configuration file-driven
# Layer your own rules on the built-in pack (auto-discovered)
rules:
- id: no-terraform-destroy
effect: deny
match:
shell: { command_in: [terraform] }
regex: '\bterraform\b.*\bdestroy\b'
# Retune a built-in rule in one line
overrides:
git-force-push: deny # ask -> deny
pipe-to-shell-from-network: allow # silence itBuilt for control
The hook runs before the permission system, so a deny blocks even in auto-accept or skip-permissions sessions.
If Fence cannot parse a command, the command runs. A guardrail must never brick the agent it protects.
One portable rulepack. Claude Code today; Codex, Cursor, and Gemini next.
Want guardrails your developers can’t turn off?
Fence is local self-protection: it lives in your config and you can edit or remove it. hoop.dev enforces the same idea fleet-wide, with centrally managed rules, approval workflows, and audit the developer cannot override.