Steps to Reproduce
- Install fence to /usr/bin/
- Create ~/.config/fence/fence.json:

```json
{
  "filesystem": {
    "defaultDenyRead": true,
    "allowRead": ["."],
    "denyRead": ["**/.env"]
  }
}
```
- Run from a large project directory:
Expected Behavior
Command runs quickly with .env files blocked.
Actual Behavior
Command hangs during glob expansion. The ** patterns cause fence to walk the entire directory tree at sandbox startup.
Cause
Fence expands ** glob patterns at startup via ExpandGlobPatterns(), walking all matching files before the sandbox starts. For large projects or patterns like **/.env, this causes significant delays.
Suggestion
Consider evaluating glob patterns at runtime rather than pre-expanding them. This would:
- Avoid startup delays
- Handle patterns that match many files
- Match files created after sandbox start
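To make the two approaches concrete, here is an added Go example (not fence's own code; expandAtStartup is an assumed stand-in for ExpandGlobPatterns(), and the ** matcher is my own implementation): a startup walk whose cost grows with the size of the tree, beside a per-path matcher that evaluates ** patterns only when a path is actually checked, and so also covers files created after the sandbox starts.

```go
package main

import (
	"io/fs"
	"path/filepath"
	"strings"
)

// Assumed stand-in for fence's startup pre-expansion: walks the whole tree
// under root and collects every file matching pattern, however few match.
func expandAtStartup(root, pattern string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		if !d.IsDir() && matchAtRuntime(filepath.ToSlash(rel), pattern) {
			hits = append(hits, filepath.ToSlash(rel))
		}
		return nil
	})
	return hits, err
}

// matchAtRuntime checks one slash-separated relative path against a pattern
// that may contain "**" segments, without touching the filesystem. This is
// the per-access check a runtime evaluator would run instead of pre-expanding.
func matchAtRuntime(path, pattern string) bool {
	return matchSegs(strings.Split(path, "/"), strings.Split(pattern, "/"))
}

func matchSegs(path, pat []string) bool {
	if len(pat) == 0 {
		return len(path) == 0
	}
	if pat[0] == "**" { // "**" matches zero or more leading directories
		for i := 0; i <= len(path); i++ {
			if matchSegs(path[i:], pat[1:]) {
				return true
			}
		}
		return false
	}
	if len(path) == 0 {
		return false
	}
	ok, err := filepath.Match(pat[0], path[0])
	return err == nil && ok && matchSegs(path[1:], pat[1:])
}
```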
Workaround
Use non-recursive patterns like .env or *.env for the root directory only, or use defaultDenyRead: true with explicit allowRead paths.