Getting started
fend is in alpha and macOS Apple Silicon only. The Linux and Windows ports share the same CLI surface but aren’t shipped yet — see the roadmap on GitHub.
Install
Section titled “Install”npm install -g @fendsh/cliThis pulls the macOS Apple Silicon binary as an optionalDependency. On any
other platform the package fails to install with a clear message.
Verify:
fend --version# fend 0.1.0-alpha.1The first fend <anything> invocation downloads the Linux kernel and prepares a
rootfs image (~1.5 GB, one-time, cached in ~/.fend/runtime/). It takes a few
minutes; subsequent invocations boot the VM in under a second.
First run
Section titled “First run”In any project with a package.json:
cd ~/repos/my-appfend npm installWhat you’ll see:
fend: auditing 412 package(s) against OSV.dev…fend: ready (0.8s)
added 412 packages in 28s
312 packages are looking for funding run `npm fund` for detailsThree things just happened:
- Audit — fend queried OSV.dev for known advisories
against your
package-lock.json. If anythingcriticalormalwarehad surfaced, the install would have been blocked before any script ran. - VM boot — a per-project Linux micro-VM started, mounted your project
directory via VirtioFS, and dispatched
npm installinside it. - Install —
node_modules/was written by the VM but appears on your host filesystem (so VS Code, TypeScript, ESLint all work natively).
The VM stays warm. The next fend <command> in this project starts in ~5ms.
Two ways to use it
Section titled “Two ways to use it”As a prefix
Section titled “As a prefix”The simplest mental model. Run fend before any command you want sandboxed:
fend npm installfend npm run dev # port 3000 forwards back to your hostfend npm testfend node scripts/seed.jsfend bun installfend pnpm run buildAs a shell hook
Section titled “As a shell hook”If you’d rather not type fend every time, install the shell hook once:
# zshecho 'eval "$(fend hook zsh)"' >> ~/.zshrc
# bashecho 'eval "$(fend hook bash)"' >> ~/.bashrcThen in any project:
cd my-projectfend on # npm/bun/pnpm/yarn/node/python now route through fendnpm install # sandboxednpm run dev # sandboxedfend off # back to normal — npm runs natively againThe hook only shims package managers and runtime entry points
(npm, npx, bun, bunx, yarn, pnpm, pnpx, node, python,
python3, uv, uvx, deno). Everything else (git, ls, cat, your
editor) runs natively.
Configuration
Section titled “Configuration”Generate a .fend.toml for the current project:
fend initThis auto-detects the project type (Node, Bun, pnpm, yarn, Python, generic) and writes a sensible default. Every field is optional. See the command reference for the full schema.
Common workflows
Section titled “Common workflows”Run Claude Code sandboxed:
fend claude # claude with your Anthropic OAuth token injected # nothing else from your machine reachableThe Anthropic credentials are injected only on this opt-in command, never on
the default fend <cmd> path.
Audit only, no install:
fend audit # report against OSV.devfend audit --fix # apply safe in-range upgrades + write overridesfend audit --json # structured output for CIInspect a running VM:
fend status # all VMs across all projectsfend stop # stop the VM for the current projectfend clean # destroy VM + per-project statefend doctor # check kernel, runtime, Docker, configWhere to go next
Section titled “Where to go next”- Command reference — every subcommand and flag
- Sandbox boundary — exactly what is and isn’t reachable
- Security policy — threat model, disclosure, what we collect