BY HOOP.DEV / OPEN SOURCE

Block what your AI agents
shouldn’t do

Fence blocks the catastrophic command before your agent runs it, and stays silent for everything else. It parses what a command actually does, so there is no denylist to evade.

Prebuilt, no compile step. macOS and Linux.Then hook it into Claude Code: fence init --globalOpen source: github.com/hoophq/fence

Open SourceRuns LocallyNear-zero false positives
01

Hook into your agent

One command adds the hook to Claude Code. The recommended rule pack ships in the binary and is always on.

fence init --global
02

Judge the intent

Fence parses every tool call into semantic facts. rm -rf ~, rm -fr ~, and sudo rm -rf $HOME are one dangerous intent, all caught.

→ intent: recursive delete of $HOME
03

Block, ask, or allow

Unambiguous catastrophe is blocked, the plausibly-legit gets a confirm prompt, and everyday work passes in silence.

✕ deny · ⚠ ask · ✓ allow

Configuration file-driven

.fence.yaml
# Layer your own rules on the built-in pack (auto-discovered)
rules:
  - id: no-terraform-destroy
    effect: deny
    match:
      shell: { command_in: [terraform] }
      regex: '\bterraform\b.*\bdestroy\b'

# Retune a built-in rule in one line
overrides:
  git-force-push: deny                # ask  -> deny
  pipe-to-shell-from-network: allow   # silence it

Holds in auto-accept

The hook runs before the permission system, so a deny blocks even in auto-accept or skip-permissions sessions.

Fails open

If Fence cannot parse a command, the command runs. A guardrail must never brick the agent it protects.

Agent-neutral

One portable rulepack. Claude Code today; Codex, Cursor, and Gemini next.

Want guardrails your developers can’t turn off?

Fence is local self-protection: it lives in your config and you can edit or remove it. hoop.dev enforces the same idea fleet-wide, with centrally managed rules, approval workflows, and audit the developer cannot override.