Windows security layer for AI coding agents
Real OS-level protection. The kernel returns ACCESS_DENIED; the agent never sees a single byte.
100% local · No accounts · No cloud · No telemetry
Why Phylax
The problem is real. The solution is local.
AI agents like Claude Code, Cursor, and OpenCode have full filesystem access. They can read, write, or delete anything.
Phylax puts a real OS-level boundary between them and your secrets. No proxy, no wrapper. The kernel enforces it.
100% Local
No account, no cloud, no telemetry. Everything stays on your machine. Audit logs in local SQLite. Works fully offline.
Multi-Agent Detection
Recognizes Claude, Cursor, OpenCode, Copilot, Windsurf, Aider, and more. Detects agents by process name, environment variables, and child inheritance.
OS-level Enforcement
Applies real Windows ACLs (DENY ACEs + Mandatory Integrity Control). The kernel itself returns ACCESS_DENIED - the agent never touches the file.
Phylax applies three layers of Windows security to every denied file: DENY ACEs for read/write/delete, WRITE_DAC protection for ACL modification, and Mandatory Integrity Control to stop privilege bypass.
How it works
Three steps. Zero cloud.
No cloud proxy, no API keys, no network required. Everything runs locally on your machine.
Detect
Identifies AI agent processes by image name, environment variables, and command-line inspection. Child processes inherit the agent label automatically.
Decide
Checks your phylax.toml rules against the file path and operation. Deny always wins. Priority-ordered buckets resolve every access attempt.
Block
Applies real Windows ACLs. The kernel returns ACCESS_DENIED before the agent touches a single byte. No userspace trick can bypass it.
Real example
A real example.
This is what happens when an AI agent tries to access a protected file.
Policies
Choose your protection level.
Phylax uses six permission buckets ordered by priority. Deny always wins. Start with a preset, then customize via phylax.toml.
deny Complete block
ask User approves
full Unrestricted
delete Read + Delete
write Read + Write
read Read only
Conservative default: when no rule matches, read = Allow, write = Ask, delete = Deny.
Recommended
Protects secrets and critical files. Source edits are fast. Lockfile changes ask for confirmation.
Blocks .env, .pem, .key. Allows src/** and tests/**. Prompts for migrations and lockfiles.
[project]
name = "my-phylax-project"
default = "conservative"
[deny]
files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]
[ask]
files = ["Cargo.lock", "package-lock.json", "migrations/**"]
[write]
files = ["src/**", "tests/**", "docs/**"]
[read]
files = ["README.md", "docs/**"]
Strict
Maximum security. Every source edit and lockfile change requires explicit approval.
Denies .env, .pem, .key, .p12, .pfx, secrets/**. Asks for every source edit. Read-only by default.
[project]
name = "phylax-strict"
default = "conservative"
[deny]
files = [".env", ".env.*", "secrets/**", "keys/**", "*.pem", "*.key", "*.p12", "*.pfx", "phylax.toml"]
[ask]
files = ["src/**", "tests/**", "Cargo.lock", "package-lock.json", "migrations/**"]
[read]
files = ["README.md", "docs/**", "src/**", "tests/**"]
Fast & Flexible
Lets agents edit freely. Only secrets and the manifest are protected.
Blocks .env, .pem, .key, phylax.toml. Everything else is writable. No prompts for normal edits.
[project]
name = "phylax-fast"
default = "conservative"
[deny]
files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]
[write]
files = ["src/**", "tests/**", "docs/**", "examples/**", "Cargo.lock", "package-lock.json"]
[read]
files = ["README.md", "docs/**", "src/**", "tests/**", "examples/**"]
Install
One command. Zero configuration.
One command. No accounts, no cloud, no telemetry. The daemon runs invisibly in the background.
phylax init      Creates phylax.toml and starts the daemon
phylax run       Daemon + live terminal dashboard (60fps)
phylax stop      Stops daemon and releases file locks
phylax status    Live view: projects, agents, events, blocks