@fencesandbox/opencode-fence 0.1.1

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Tusk AI, Inc
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,123 @@
+# Fence Sandbox Plugin for OpenCode
+
+OpenCode plugin that routes the `bash` tool through [Fence](https://github.com/fencesandbox/fence)'s pre-tool-use hook for command-policy enforcement.
+
+Fence is a lightweight, container-free process sandbox for running commands with network, filesystem, and command policies.
+
+## What it does
+
+When OpenCode's agent calls the `bash` tool, this plugin intercepts the call and asks Fence to evaluate the command against your policy. Three outcomes:
+
+| Fence verdict | Plugin behavior |
+|---|---|
+| **Deny** | Throws an `Error` with Fence's reason. OpenCode surfaces the error in the UI and the command does not run. |
+| **Wrap** | Rewrites the command to run inside `fence -c "..."`. The command then inherits Fence's filesystem and network policy in addition to the command-policy check it just passed. |
+| **Allow** | Leaves the command unchanged. |
+
+## Why use this
+
+Fence's command policy is enforced at two points:
+
+1. **Preflight** — once, on whatever command is given to `fence` (e.g. `fence -- opencode` only preflights `opencode`).
+2. **Runtime exec** — at the kernel exec boundary, against descendant processes.
+
+Runtime exec on macOS, and Linux without `runtimeExecPolicy: "argv"`, only handles single-token denies (e.g. `sudo`). Multi-token rules like `gh repo create`, `git push`, and `npm publish` are preflight-only — so when OpenCode spawns one of those after Fence has already preflighted `opencode`, the deny rule does not fire.
+
+This plugin closes that gap by re-running preflight on every shell invocation OpenCode's agent issues, before the command runs. See Fence's [Enforcement Across Child Processes](https://github.com/fencesandbox/fence/blob/main/docs/configuration.md#enforcement-across-child-processes) for the full model.
+
+## Installation
+
+> [!NOTE]
+> This package moved from `@use-tusk/opencode-fence` to `@fencesandbox/opencode-fence`. If you installed the old package manually, remove it from your OpenCode config and use the new package name below.
+
+### Prerequisite
+
+Install [Fence](https://github.com/fencesandbox/fence) and confirm it's on your `PATH`:
+
+```bash
+fence --version
+```
+
+You need Fence v0.1.52 or later for the `--opencode-pre-tool-use` subcommand the plugin spawns.
+
+### Add the plugin to OpenCode
+
+The easiest way is to let Fence install it for you:
+
+```bash
+fence hooks install --opencode
+```
+
+This adds `@fencesandbox/opencode-fence` to your `~/.config/opencode/opencode.json` (or `opencode.jsonc` if you use that). See [`fence hooks install --opencode`](https://github.com/fencesandbox/fence/blob/main/docs/agents.md#hooks) for details and flags (e.g. `--file` to target a project-local config).
+
+If you'd rather edit the config file by hand:
+
+```jsonc
+// ~/.config/opencode/opencode.json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["@fencesandbox/opencode-fence"]
+}
+```
+
+OpenCode installs the package via Bun and loads the plugin automatically on next launch.
+
+## Configuration
+
+The package's default export is a `Plugin` configured with sensible defaults — it is what gets loaded when you list `@fencesandbox/opencode-fence` in opencode.json's `plugin` array.
+
+To customize behavior (custom fence binary, pinned settings file, or template), import the factory from the `/factory` sub-path and construct the plugin yourself in a local plugin shim:
+
+```ts
+// ~/.config/opencode/plugins/fence.ts
+import { createFencePlugin } from "@fencesandbox/opencode-fence/factory";
+
+export const Fence = createFencePlugin({
+  // Pin a specific config file (mutually exclusive with `template`).
+  settingsPath: "/Users/me/work/fence.json",
+
+  // Or pin a built-in Fence template (mutually exclusive with `settingsPath`).
+  // template: "code",
+
+  // Override the fence binary location (default: "fence" on PATH).
+  // fenceBinary: "/opt/homebrew/bin/fence",
+
+  // For local development only. In production this turns the plugin into a no-op
+  // when fence is missing or crashes; leave false.
+  // failOpenOnRunnerError: false,
+});
+```
+
+If you use the local-shim form, **remove `@fencesandbox/opencode-fence` from opencode.json's `plugin` array** to avoid registering the plugin twice. The shim file is auto-loaded by OpenCode; the array entry would also load the no-options version.
+
+The factory and the supporting types live on a sub-path so they don't appear in the main entry's exports — OpenCode's plugin loader iterates every export of a package's entry module and tries to register each one as a plugin, so anything other than the `Plugin` itself must live elsewhere.
+
+If neither `settingsPath` nor `template` is set, Fence resolves config from the working directory the same way it does for direct invocations: walking upward for `fence.jsonc`/`fence.json`, falling back to `~/.config/fence/`.
+
+### Composing with whole-agent wrapping
+
+You can (and should) run OpenCode itself under Fence:
+
+```bash
+fence -t code -- opencode
+```
+
+…and additionally enable this plugin. The plugin detects `FENCE_SANDBOX=1` (set by Fence on the wrapped process) and stops adding `fence -c` wrappers, so commands aren't double-sandboxed. The deny check still runs, which is the whole point of using both: whole-agent wrapping handles filesystem and network policy; the plugin handles multi-token command policy on platforms where Fence's runtime exec deny can't.
+
+## Limitations
+
+### User-typed `!` commands bypass this plugin
+
+OpenCode's plugin lifecycle does **not** currently fire `tool.execute.before` for commands typed directly into the TUI with the `!` prefix. Those commands still run, just outside this plugin's reach.
+
+If you need user-typed `!` commands to also be policy-checked today, run OpenCode under Fence (`fence -t code -- opencode`). That gives you Fence's whole-process sandbox for all descendants, with the documented caveat that multi-token denies (which this plugin would catch) remain preflight-only for the `!` path.
+
+### Spawn cost per bash call
+
+The plugin spawns `fence` once per `bash` tool call. Fence's preflight is fast (sub-100ms in our benchmarks), but cold OS-level process spawn cost adds up if your agent is hammering `bash`. If this becomes a problem in practice, let us know.
+
+## Contributing
+
+See [CONTRIBUTING.md](./CONTRIBUTING.md) for setup, local-development install patterns, and the release process.
+
+Bug reports, feature requests, and PRs welcome.

package/dist/errors.d.ts

@@ -0,0 +1,3 @@
+export type { FenceHookRequest, FenceHookResponse } from "./fence-runner.js";
+export { FenceRunnerError } from "./fence-runner.js";
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAQA,YAAY,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC7E,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/errors.js

@@ -0,0 +1,9 @@
+// Re-export the runner error class on a sub-path so it does not appear in the
+// main entry's exports. OpenCode's plugin loader calls every named export of
+// the entry module as `await fn(input)`; a class export there would throw
+// "cannot be invoked without 'new'" or worse, run as a malformed Plugin.
+//
+// Local plugin shims that need to catch this error type should import it
+// from `@fencesandbox/opencode-fence/errors`.
+export { FenceRunnerError } from "./fence-runner.js";
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,6EAA6E;AAC7E,0EAA0E;AAC1E,yEAAyE;AACzE,EAAE;AACF,yEAAyE;AACzE,8CAA8C;AAG9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/factory.d.ts

@@ -0,0 +1,64 @@
+import type { Plugin } from "@opencode-ai/plugin";
+export interface FencePluginOptions {
+    /**
+     * Override the path to the `fence` executable. Defaults to `fence` on PATH.
+     */
+    fenceBinary?: string;
+    /**
+     * Pass `--settings <path>` through to fence so the plugin uses a specific config
+     * file regardless of which directory OpenCode is running in. Mutually exclusive
+     * with `template`.
+     */
+    settingsPath?: string;
+    /**
+     * Pass `--template <name>` through to fence (e.g. "code", "code-relaxed"). Mutually
+     * exclusive with `settingsPath`.
+     */
+    template?: string;
+    /**
+     * If true, fail open when fence cannot be invoked (binary missing, helper crashed).
+     * Defaults to false: by default, plugin errors block tool execution.
+     *
+     * Setting this to true is **only** appropriate for development. In production, a
+     * silent fail-open turns a security policy into a no-op.
+     */
+    failOpenOnRunnerError?: boolean;
+}
+/**
+ * createFencePlugin returns an OpenCode `Plugin` that routes the `bash` tool
+ * through Fence's pre-tool-use hook, configured with the supplied options.
+ *
+ * Most users should NOT call this directly. The default export of
+ * `@fencesandbox/opencode-fence` is already a `Plugin` with sensible defaults
+ * suitable for the `plugin: [...]` array in opencode.json. Use this factory
+ * only when you need to override one of the FencePluginOptions (e.g. pinning
+ * a specific Fence settings file or template), and write a local plugin shim
+ * under .opencode/plugins/ that constructs the Plugin yourself.
+ *
+ * Why a separate file: OpenCode's plugin loader iterates every export of the
+ * package's entry point and calls each one with `(input)` to register hooks.
+ * If the entry point exported a factory, OpenCode would call it as
+ * `factory(input)` instead of `factory(options)`, silently producing a
+ * malformed Plugin instance. Keeping the factory in a sub-path
+ * (`@fencesandbox/opencode-fence/factory`) ensures it is never accidentally
+ * iterated by the loader.
+ *
+ * Behavior of the returned Plugin:
+ * - For each `tool.execute.before` invocation of the `bash` tool, the plugin
+ *   sends the command to Fence's hook helper.
+ * - If Fence denies the command, the plugin throws an Error with the Fence
+ *   reason; OpenCode surfaces this in the UI and the command does not run.
+ * - If Fence allows the command, the plugin rewrites it to run inside
+ *   `fence -c "..."`, so the command inherits filesystem and network policy
+ *   from Fence's sandbox.
+ * - If `FENCE_SANDBOX=1` is set in the environment (i.e. the agent is already
+ *   running inside `fence -- opencode`), the plugin enforces deny rules but
+ *   skips wrapping — nesting `fence` inside `fence` would double-sandbox
+ *   without benefit.
+ *
+ * Limitation: OpenCode's plugin lifecycle does not currently fire
+ * `tool.execute.before` for user-typed `!`-prefixed commands. Those bypass
+ * this plugin. See https://github.com/fencesandbox/opencode-fence#limitations.
+ */
+export declare const createFencePlugin: (options?: FencePluginOptions) => Plugin;
+//# sourceMappingURL=factory.d.ts.map

package/dist/factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../src/factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAGlD,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;;;OAMG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,eAAO,MAAM,iBAAiB,GAAI,UAAS,kBAAuB,KAAG,MAuDpE,CAAC"}

package/dist/factory.js

@@ -0,0 +1,103 @@
+import { FenceRunnerError, runFence } from "./fence-runner.js";
+/**
+ * createFencePlugin returns an OpenCode `Plugin` that routes the `bash` tool
+ * through Fence's pre-tool-use hook, configured with the supplied options.
+ *
+ * Most users should NOT call this directly. The default export of
+ * `@fencesandbox/opencode-fence` is already a `Plugin` with sensible defaults
+ * suitable for the `plugin: [...]` array in opencode.json. Use this factory
+ * only when you need to override one of the FencePluginOptions (e.g. pinning
+ * a specific Fence settings file or template), and write a local plugin shim
+ * under .opencode/plugins/ that constructs the Plugin yourself.
+ *
+ * Why a separate file: OpenCode's plugin loader iterates every export of the
+ * package's entry point and calls each one with `(input)` to register hooks.
+ * If the entry point exported a factory, OpenCode would call it as
+ * `factory(input)` instead of `factory(options)`, silently producing a
+ * malformed Plugin instance. Keeping the factory in a sub-path
+ * (`@fencesandbox/opencode-fence/factory`) ensures it is never accidentally
+ * iterated by the loader.
+ *
+ * Behavior of the returned Plugin:
+ * - For each `tool.execute.before` invocation of the `bash` tool, the plugin
+ *   sends the command to Fence's hook helper.
+ * - If Fence denies the command, the plugin throws an Error with the Fence
+ *   reason; OpenCode surfaces this in the UI and the command does not run.
+ * - If Fence allows the command, the plugin rewrites it to run inside
+ *   `fence -c "..."`, so the command inherits filesystem and network policy
+ *   from Fence's sandbox.
+ * - If `FENCE_SANDBOX=1` is set in the environment (i.e. the agent is already
+ *   running inside `fence -- opencode`), the plugin enforces deny rules but
+ *   skips wrapping — nesting `fence` inside `fence` would double-sandbox
+ *   without benefit.
+ *
+ * Limitation: OpenCode's plugin lifecycle does not currently fire
+ * `tool.execute.before` for user-typed `!`-prefixed commands. Those bypass
+ * this plugin. See https://github.com/fencesandbox/opencode-fence#limitations.
+ */
+export const createFencePlugin = (options = {}) => {
+    return async () => {
+        return {
+            "tool.execute.before": async (input, output) => {
+                if (input.tool !== "bash")
+                    return;
+                // Best-effort extraction. The "bash" tool ships `command: string` on its
+                // input; future schema changes would need a small adapter here.
+                const args = output.args;
+                const command = typeof args.command === "string" ? args.command : "";
+                if (command.trim() === "")
+                    return;
+                const cwd = typeof args.cwd === "string" ? args.cwd : undefined;
+                const runnerOpts = buildRunnerOptions(options);
+                let result;
+                try {
+                    result = runFence({
+                        hook_event_name: "PreToolUse",
+                        tool_name: "Bash",
+                        tool_input: cwd === undefined ? { command } : { command, cwd },
+                    }, runnerOpts);
+                }
+                catch (err) {
+                    if (options.failOpenOnRunnerError && err instanceof FenceRunnerError) {
+                        // Surface a warning so the user knows policy is not being applied. We
+                        // still run the command (because failOpenOnRunnerError was set), but
+                        // we want them to notice in the logs.
+                        console.warn(`[opencode-fence] ${err.message} (continuing because failOpenOnRunnerError=true)`);
+                        return;
+                    }
+                    throw err;
+                }
+                if (result.decision === "deny") {
+                    throw new Error(`Fence denied this command: ${result.reason}`);
+                }
+                if (result.decision === "wrap" && result.rewrittenCommand) {
+                    // Honor the same env contract Fence uses for nested invocations: if the
+                    // agent is already running inside fence, don't double-wrap.
+                    if ((runnerOpts.env?.FENCE_SANDBOX ?? process.env.FENCE_SANDBOX) === "1") {
+                        return;
+                    }
+                    args.command = result.rewrittenCommand;
+                }
+                // decision === "allow" or wrap was suppressed: leave args.command alone.
+            },
+        };
+    };
+};
+function buildRunnerOptions(options) {
+    if (options.settingsPath && options.template) {
+        throw new Error("opencode-fence: settingsPath and template are mutually exclusive");
+    }
+    const extraArgs = [];
+    if (options.settingsPath) {
+        extraArgs.push("--settings", options.settingsPath);
+    }
+    if (options.template) {
+        extraArgs.push("--template", options.template);
+    }
+    const runnerOpts = { extraArgs };
+    if (options.fenceBinary !== undefined) {
+        runnerOpts.fenceBinary = options.fenceBinary;
+    }
+    return runnerOpts;
+}
+//# sourceMappingURL=factory.js.map

package/dist/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../src/factory.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAA2B,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AA4BxF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,UAA8B,EAAE,EAAU,EAAE;IAC5E,OAAO,KAAK,IAAI,EAAE;QAChB,OAAO;YACL,qBAAqB,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;gBAC7C,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM;oBAAE,OAAO;gBAElC,yEAAyE;gBACzE,gEAAgE;gBAChE,MAAM,IAAI,GAAG,MAAM,CAAC,IAA+B,CAAC;gBACpD,MAAM,OAAO,GAAG,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrE,IAAI,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE;oBAAE,OAAO;gBAElC,MAAM,GAAG,GAAG,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;gBAChE,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;gBAE/C,IAAI,MAAmC,CAAC;gBACxC,IAAI,CAAC;oBACH,MAAM,GAAG,QAAQ,CACf;wBACE,eAAe,EAAE,YAAY;wBAC7B,SAAS,EAAE,MAAM;wBACjB,UAAU,EAAE,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE;qBAC/D,EACD,UAAU,CACX,CAAC;gBACJ,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,OAAO,CAAC,qBAAqB,IAAI,GAAG,YAAY,gBAAgB,EAAE,CAAC;wBACrE,sEAAsE;wBACtE,qEAAqE;wBACrE,sCAAsC;wBACtC,OAAO,CAAC,IAAI,CACV,oBAAoB,GAAG,CAAC,OAAO,kDAAkD,CAClF,CAAC;wBACF,OAAO;oBACT,CAAC;oBACD,MAAM,GAAG,CAAC;gBACZ,CAAC;gBAED,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;oBAC/B,MAAM,IAAI,KAAK,CAAC,8BAA8B,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;gBACjE,CAAC;gBAED,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;oBAC1D,wEAAwE;oBACxE,4DAA4D;oBAC5D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,KAAK,GAAG,EAAE,CAAC;wBACzE,OAAO;oBACT,CAAC;oBACD,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,gBAAgB,CAAC;gBACzC,CAAC;gBAED,yEAAyE;YAC3E,CAAC;SACF,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,kBAAkB,CAAC,OAA2B;IACrD,IAAI,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IAED,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACzB,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IACrD,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,UAAU,GAAuB,EAAE,SAAS,EAAE,CAAC;IACrD,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACtC,UAAU,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IAC/C,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC"}

package/dist/fence-runner.d.ts

@@ -0,0 +1,75 @@
+import { spawnSync } from "node:child_process";
+/**
+ * Wire format produced by `fence --opencode-pre-tool-use`. The plugin synthesizes
+ * the request, the Fence helper writes the response to stdout.
+ *
+ * Intentionally close to Claude/Cursor pre-tool-use payloads so a future Fence
+ * binary can dispatch all three through one code path.
+ */
+export interface FenceHookRequest {
+    /** Stable string identifying the calling agent. */
+    hook_event_name: "PreToolUse";
+    tool_name: "Bash";
+    /** OpenCode-flavored tool input. We always include `command`; `cwd` is best-effort. */
+    tool_input: {
+        command: string;
+        cwd?: string;
+    };
+}
+export interface FenceHookResponse {
+    /**
+     * "deny": Fence's command policy rejected the command.
+     *   - `reason` contains a human-readable explanation surfaced to the user.
+     * "wrap": Fence allows the command but rewrote it to run inside a `fence -c` shell.
+     *   - `tool_input.command` is the rewritten command.
+     * "allow": Fence allows the command unchanged.
+     */
+    decision: "deny" | "wrap" | "allow";
+    reason?: string;
+    tool_input?: {
+        command?: string;
+    };
+}
+export interface FenceRunnerOptions {
+    /**
+     * Path to the `fence` executable. Defaults to "fence" on PATH.
+     */
+    fenceBinary?: string;
+    /**
+     * Subcommand flag. Today targets a Fence subcommand we still need to add upstream.
+     * When that lands in fence we can flip the default; until then, callers can pass
+     * `"--claude-pre-tool-use"` to fall back to the existing helper.
+     *
+     * TODO(opencode-pre-tool-use): wire this up in fence/cmd/fence/hooks_*.go and remove
+     * the override path here.
+     */
+    subcommand?: string;
+    /** Extra args passed through to fence (e.g. `--settings` or `--template`). */
+    extraArgs?: readonly string[];
+    /**
+     * Environment passed to the fence subprocess. Defaults to `process.env`.
+     * Tests inject this; production callers should leave it undefined.
+     */
+    env?: NodeJS.ProcessEnv;
+    /**
+     * Timeout in ms for the Fence subprocess. Defaults to 5 seconds; preflight is in-process
+     * config evaluation so it is fast, but a hung filesystem/IO operation should not stall
+     * a tool call indefinitely.
+     */
+    timeoutMs?: number;
+    /**
+     * Injected spawnSync, for testing. Production callers should leave this undefined.
+     */
+    spawn?: typeof spawnSync;
+}
+export interface RunFenceResult {
+    decision: "deny" | "wrap" | "allow";
+    reason?: string;
+    rewrittenCommand?: string;
+}
+export declare class FenceRunnerError extends Error {
+    readonly cause?: unknown | undefined;
+    constructor(message: string, cause?: unknown | undefined);
+}
+export declare function runFence(request: FenceHookRequest, options?: FenceRunnerOptions): RunFenceResult;
+//# sourceMappingURL=fence-runner.d.ts.map

package/dist/fence-runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fence-runner.d.ts","sourceRoot":"","sources":["../src/fence-runner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAyB,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAEtE;;;;;;GAMG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mDAAmD;IACnD,eAAe,EAAE,YAAY,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,uFAAuF;IACvF,UAAU,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,MAAM,WAAW,iBAAiB;IAChC;;;;;;OAMG;IACH,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE;QACX,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;;;OAOG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8EAA8E;IAC9E,SAAS,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,KAAK,CAAC,EAAE,OAAO,SAAS,CAAC;CAC1B;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,gBAAiB,SAAQ,KAAK;aAGd,KAAK,CAAC,EAAE,OAAO;gBADxC,OAAO,EAAE,MAAM,EACU,KAAK,CAAC,EAAE,OAAO,YAAA;CAK3C;AAKD,wBAAgB,QAAQ,CACtB,OAAO,EAAE,gBAAgB,EACzB,OAAO,GAAE,kBAAuB,GAC/B,cAAc,CA2FhB"}

package/dist/fence-runner.js

@@ -0,0 +1,82 @@
+import { spawnSync } from "node:child_process";
+export class FenceRunnerError extends Error {
+    cause;
+    constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "FenceRunnerError";
+    }
+}
+const DEFAULT_TIMEOUT_MS = 5_000;
+const DEFAULT_SUBCOMMAND = "--opencode-pre-tool-use";
+export function runFence(request, options = {}) {
+    const { fenceBinary = "fence", subcommand = DEFAULT_SUBCOMMAND, extraArgs = [], env, timeoutMs = DEFAULT_TIMEOUT_MS, spawn = spawnSync, } = options;
+    const args = [subcommand, ...extraArgs];
+    const stdin = JSON.stringify(request);
+    let result;
+    try {
+        result = spawn(fenceBinary, args, {
+            input: stdin,
+            encoding: "utf8",
+            timeout: timeoutMs,
+            env: env ?? process.env,
+        });
+    }
+    catch (err) {
+        throw new FenceRunnerError(`Failed to invoke ${fenceBinary}`, err);
+    }
+    if (result.error) {
+        const code = result.error.code;
+        if (code === "ENOENT") {
+            throw new FenceRunnerError(`Could not find the \`${fenceBinary}\` executable on PATH. Install Fence (https://github.com/fencesandbox/fence) or set fenceBinary in plugin options.`, result.error);
+        }
+        throw new FenceRunnerError(`Failed to invoke ${fenceBinary}: ${result.error.message}`, result.error);
+    }
+    if (result.signal) {
+        throw new FenceRunnerError(`${fenceBinary} terminated by signal ${result.signal}`);
+    }
+    if (typeof result.status !== "number") {
+        throw new FenceRunnerError(`${fenceBinary} did not return an exit status`);
+    }
+    // Non-zero exit: treat as a Fence policy / runtime error. Fence's hook helpers
+    // exit non-zero for malformed input or internal failures; in those cases we
+    // surface the stderr text rather than silently allowing the command.
+    if (result.status !== 0) {
+        const stderr = (result.stderr || "").trim();
+        const stdout = (result.stdout || "").trim();
+        const detail = stderr || stdout || `exit ${result.status}`;
+        throw new FenceRunnerError(`Fence hook helper failed: ${detail}`);
+    }
+    const stdout = (result.stdout || "").trim();
+    if (stdout === "") {
+        // No-op response: the helper saw nothing it needed to do (e.g. pure `cd`,
+        // command already wrapped). Treat as allow-unchanged.
+        return { decision: "allow" };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+    }
+    catch (err) {
+        throw new FenceRunnerError(`Fence returned non-JSON response: ${stdout.slice(0, 200)}`, err);
+    }
+    switch (parsed.decision) {
+        case "deny":
+            return {
+                decision: "deny",
+                reason: parsed.reason ?? "Command blocked by Fence policy.",
+            };
+        case "wrap": {
+            const rewritten = parsed.tool_input?.command;
+            if (!rewritten) {
+                throw new FenceRunnerError("Fence returned decision=wrap with no tool_input.command");
+            }
+            return { decision: "wrap", rewrittenCommand: rewritten };
+        }
+        case "allow":
+            return { decision: "allow" };
+        default:
+            throw new FenceRunnerError(`Fence returned unknown decision: ${JSON.stringify(parsed.decision)}`);
+    }
+}
+//# sourceMappingURL=fence-runner.js.map

package/dist/fence-runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fence-runner.js","sourceRoot":"","sources":["../src/fence-runner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAyB,SAAS,EAAE,MAAM,oBAAoB,CAAC;AA0EtE,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAGd;IAF3B,YACE,OAAe,EACU,KAAe;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFU,UAAK,GAAL,KAAK,CAAU;QAGxC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACjC,MAAM,kBAAkB,GAAG,yBAAyB,CAAC;AAErD,MAAM,UAAU,QAAQ,CACtB,OAAyB,EACzB,UAA8B,EAAE;IAEhC,MAAM,EACJ,WAAW,GAAG,OAAO,EACrB,UAAU,GAAG,kBAAkB,EAC/B,SAAS,GAAG,EAAE,EACd,GAAG,EACH,SAAS,GAAG,kBAAkB,EAC9B,KAAK,GAAG,SAAS,GAClB,GAAG,OAAO,CAAC;IAEZ,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,GAAG,SAAS,CAAC,CAAC;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAEtC,IAAI,MAAgC,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,GAAG,KAAK,CAAC,WAAW,EAAE,IAAI,EAAE;YAChC,KAAK,EAAE,KAAK;YACZ,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,SAAS;YAClB,GAAG,EAAE,GAAG,IAAI,OAAO,CAAC,GAAG;SACxB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,gBAAgB,CAAC,oBAAoB,WAAW,EAAE,EAAE,GAAG,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,IAAI,GAAI,MAAM,CAAC,KAA+B,CAAC,IAAI,CAAC;QAC1D,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,MAAM,IAAI,gBAAgB,CACxB,wBAAwB,WAAW,oHAAoH,EACvJ,MAAM,CAAC,KAAK,CACb,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,gBAAgB,CACxB,oBAAoB,WAAW,KAAK,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,EAC1D,MAAM,CAAC,KAAK,CACb,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,MAAM,IAAI,gBAAgB,CAAC,GAAG,WAAW,yBAAyB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,gBAAgB,CAAC,GAAG,WAAW,gCAAgC,CAAC,CAAC;IAC7E,CAAC;IAED,+EAA+E;IAC/E,4EAA4E;IAC5E,qEAAqE;IACrE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,MAAM,IAAI,QAAQ,MAAM,CAAC,MAAM,EAAE,CAAC;QAC3D,MAAM,IAAI,gBAAgB,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5C,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAClB,0EAA0E;QAC1E,sDAAsD;QACtD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IAC/B,CAAC;IAED,IAAI,MAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAsB,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,gBAAgB,CAAC,qCAAqC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAC/F,CAAC;IAED,QAAQ,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxB,KAAK,MAAM;YACT,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,kCAAkC;aAC5D,CAAC;QACJ,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC;YAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,gBAAgB,CAAC,yDAAyD,CAAC,CAAC;YACxF,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC;QAC3D,CAAC;QACD,KAAK,OAAO;YACV,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QAC/B;YACE,MAAM,IAAI,gBAAgB,CACxB,oCAAoC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CACtE,CAAC;IACN,CAAC;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,28 @@
+import type { Plugin } from "@opencode-ai/plugin";
+/**
+ * The default `@fencesandbox/opencode-fence` plugin. Routes the `bash` tool
+ * through `fence --opencode-pre-tool-use` using the Fence binary on PATH and
+ * the active project / user Fence config.
+ *
+ * Wire it into opencode.json's `plugin` array:
+ *
+ *     {
+ *       "plugin": ["@fencesandbox/opencode-fence"]
+ *     }
+ *
+ * For non-default behavior (custom fence binary, pinned settings file or
+ * template, fail-open in dev), import `createFencePlugin` from
+ * `@fencesandbox/opencode-fence/factory` and construct it yourself in a local
+ * plugin shim under `.opencode/plugins/`.
+ *
+ * Why this entry point is so thin: OpenCode's plugin loader iterates *every*
+ * export of the package's entry module and calls each one with the loader's
+ * input object to register hooks. Anything else exported here (a factory, an
+ * error class, a helper) would be invoked the same way and either crash the
+ * loader or silently register a malformed Plugin. So the entry point is
+ * deliberately just one Plugin and its default-export alias; everything else
+ * lives in sub-paths.
+ */
+export declare const FencePlugin: Plugin;
+export default FencePlugin;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAGlD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,WAAW,EAAE,MAA4B,CAAC;AAEvD,eAAe,WAAW,CAAC"}

package/dist/index.js

@@ -0,0 +1,28 @@
+import { createFencePlugin } from "./factory.js";
+/**
+ * The default `@fencesandbox/opencode-fence` plugin. Routes the `bash` tool
+ * through `fence --opencode-pre-tool-use` using the Fence binary on PATH and
+ * the active project / user Fence config.
+ *
+ * Wire it into opencode.json's `plugin` array:
+ *
+ *     {
+ *       "plugin": ["@fencesandbox/opencode-fence"]
+ *     }
+ *
+ * For non-default behavior (custom fence binary, pinned settings file or
+ * template, fail-open in dev), import `createFencePlugin` from
+ * `@fencesandbox/opencode-fence/factory` and construct it yourself in a local
+ * plugin shim under `.opencode/plugins/`.
+ *
+ * Why this entry point is so thin: OpenCode's plugin loader iterates *every*
+ * export of the package's entry module and calls each one with the loader's
+ * input object to register hooks. Anything else exported here (a factory, an
+ * error class, a helper) would be invoked the same way and either crash the
+ * loader or silently register a malformed Plugin. So the entry point is
+ * deliberately just one Plugin and its default-export alias; everything else
+ * lives in sub-paths.
+ */
+export const FencePlugin = createFencePlugin();
+export default FencePlugin;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEjD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,CAAC,MAAM,WAAW,GAAW,iBAAiB,EAAE,CAAC;AAEvD,eAAe,WAAW,CAAC"}

package/package.json

@@ -0,0 +1,71 @@
+{
+  "name": "@fencesandbox/opencode-fence",
+  "version": "0.1.1",
+  "description": "OpenCode plugin that routes bash tool invocations through Fence for command-policy enforcement.",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./factory": {
+      "types": "./dist/factory.d.ts",
+      "import": "./dist/factory.js"
+    },
+    "./errors": {
+      "types": "./dist/errors.d.ts",
+      "import": "./dist/errors.js"
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "biome check src",
+    "lint:fix": "biome check --write src",
+    "format": "biome format --write src",
+    "prepublishOnly": "npm run lint && npm run typecheck && npm test && npm run build"
+  },
+  "keywords": [
+    "opencode",
+    "opencode-plugin",
+    "fence",
+    "sandbox",
+    "security"
+  ],
+  "author": "Fence Sandbox",
+  "license": "Apache-2.0",
+  "homepage": "https://github.com/fencesandbox/opencode-fence",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/fencesandbox/opencode-fence.git"
+  },
+  "bugs": {
+    "url": "https://github.com/fencesandbox/opencode-fence/issues"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "peerDependencies": {
+    "@opencode-ai/plugin": ">=1.14.0"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^2.0.0",
+    "@opencode-ai/plugin": "^1.14.28",
+    "@types/node": "^20.0.0",
+    "typescript": "^5.5.0",
+    "vitest": "^2.0.0"
+  }
+}