{"slug": "phylax-prevent-ai-agents-from-reading-or-deleting-your-files", "title": "Phylax prevent AI agents from reading or deleting your files", "summary": "Phylax, a new OS-level security tool, prevents AI coding agents like Claude Code and Cursor from reading, writing, or deleting private files by enforcing Windows kernel-level access controls. The tool applies Windows ACLs and Mandatory Integrity Control to return ACCESS_DENIED before an agent can touch a single byte, operating entirely locally with no cloud, accounts, or telemetry. Phylax protects against the full filesystem access that AI agents currently have, allowing users to define granular permissions for specific files and directories.", "body_md": "Windows security layer for AI coding agents\n\n# Phylax stops AI agents before they touch your private files.\n\nReal OS-level protection. The kernel returns ACCESS_DENIED, the agent never sees a single byte.\n\n100% local · No accounts · No cloud · No telemetry\n\nWhy Phylax\n\n## The problem is real. The solution is local.\n\nAI agents like Claude Code, Cursor, and OpenCode have **full filesystem access**. They can read, write, or delete anything.\n\nPhylax puts a **real OS-level boundary** between them and your secrets. No proxy, no wrapper. The kernel enforces it.\n\n### 100% Local\n\nNo account, no cloud, no telemetry. Everything stays on your machine. Audit logs in local SQLite. Works fully offline.\n\n### Multi-Agent Detection\n\nRecognizes Claude, Cursor, OpenCode, Copilot, Windsurf, Aider, and more. Detects agents by process name, environment variables, and child inheritance.\n\n### OS-level Enforcement\n\nApplies real Windows ACLs (DENY ACEs + Mandatory Integrity Control). 
The kernel itself returns ACCESS_DENIED - the agent never touches the file.\n\nPhylax applies three layers of Windows security to every denied file: DENY ACEs for read/write/delete, WRITE_DAC protection for ACL modification, and Mandatory Integrity Control to stop privilege bypass.\n\nHow it works\n\n## Three steps. Zero cloud.\n\nNo cloud proxy, no API keys, no network required. Everything runs locally on your machine.\n\n### Detect\n\nIdentifies AI agent processes by image name, environment variables, and command-line inspection. Child processes inherit the agent label automatically.\n\n### Decide\n\nChecks your `phylax.toml` rules against the file path and operation. Deny always wins. Priority-ordered buckets resolve every access attempt.\n\n### Block\n\nApplies real Windows ACLs. The kernel returns ACCESS_DENIED before the agent touches a single byte. No userspace trick can bypass it.\n\nReal example\n\n## A real example.\n\nThis is what happens when an AI agent tries to access a protected file.\n\nPolicies\n\n## Choose your protection level.\n\nPhylax uses six permission buckets ordered by priority. **Deny always wins.** Start with a preset, then customize via `phylax.toml`.\n\n**deny** Complete block\n\n**ask** User approves\n\n**full** Unrestricted\n\n**delete** Read + Delete\n\n**write** Read + Write\n\n**read** Read only\n\nConservative default: when no rule matches, read = Allow, write = Ask, delete = Deny.\n\n### Recommended\n\nProtects secrets and critical files. Source edits are fast. Lockfile changes ask for confirmation.\n\nBlocks .env, .pem, .key. Allows src/** and tests/**. 
Prompts for migrations and lockfiles.\n\n```\n[project]\nname = \"my-phylax-project\"\ndefault = \"conservative\"\n\n[deny]\nfiles = [\".env\", \".env.*\", \"secrets/**\", \"*.pem\", \"*.key\", \"phylax.toml\"]\n\n[ask]\nfiles = [\"Cargo.lock\", \"package-lock.json\", \"migrations/**\"]\n\n[write]\nfiles = [\"src/**\", \"tests/**\", \"docs/**\"]\n\n[read]\nfiles = [\"README.md\", \"docs/**\"]\n```\n\n### Strict\n\nMaximum security. Every source edit and lockfile change requires explicit approval.\n\nDenies .env, .pem, .key, .p12, .pfx, secrets/**. Asks for every source edit. Read-only by default.\n\n```\n[project]\nname = \"phylax-strict\"\ndefault = \"conservative\"\n\n[deny]\nfiles = [\".env\", \".env.*\", \"secrets/**\", \"keys/**\", \"*.pem\", \"*.key\", \"*.p12\", \"phylax.toml\"]\n\n[ask]\nfiles = [\"src/**\", \"tests/**\", \"Cargo.lock\", \"package-lock.json\", \"migrations/**\"]\n\n[read]\nfiles = [\"README.md\", \"docs/**\", \"src/**\", \"tests/**\"]\n```\n\n### Fast & Flexible\n\nLets agents edit freely. Only secrets and the manifest are protected.\n\nBlocks .env, .pem, .key, phylax.toml. Everything else is writable. No prompts for normal edits.\n\n```\n[project]\nname = \"phylax-fast\"\ndefault = \"conservative\"\n\n[deny]\nfiles = [\".env\", \".env.*\", \"secrets/**\", \"*.pem\", \"*.key\", \"phylax.toml\"]\n\n[write]\nfiles = [\"src/**\", \"tests/**\", \"docs/**\", \"examples/**\", \"Cargo.lock\", \"package-lock.json\"]\n\n[read]\nfiles = [\"README.md\", \"docs/**\", \"src/**\", \"tests/**\", \"examples/**\"]\n```\n\nInstall\n\n## One command. Zero configuration.\n\nOne command. No accounts, no cloud, no telemetry. 
The daemon runs invisibly in the background.\n\n`phylax init` Creates phylax.toml and starts the daemon\n\n`phylax run` Daemon + live terminal dashboard (60fps)\n\n`phylax stop` Stops daemon and releases file locks\n\n`phylax status` Live view: projects, agents, events, blocks", "url": "https://wpnews.pro/news/phylax-prevent-ai-agents-from-reading-or-deleting-your-files", "canonical_source": "https://phylaxx.pages.dev/", "published_at": "2026-06-04 05:45:42+00:00", "updated_at": "2026-06-04 06:18:13.932649+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-tools", "ai-products", "ai-startups"], "entities": ["Phylax", "Claude Code", "Cursor", "OpenCode", "Copilot", "Windsurf", "Aider", "Microsoft"], "alternates": {"html": "https://wpnews.pro/news/phylax-prevent-ai-agents-from-reading-or-deleting-your-files", "markdown": "https://wpnews.pro/news/phylax-prevent-ai-agents-from-reading-or-deleting-your-files.md", "text": "https://wpnews.pro/news/phylax-prevent-ai-agents-from-reading-or-deleting-your-files.txt", "jsonld": "https://wpnews.pro/news/phylax-prevent-ai-agents-from-reading-or-deleting-your-files.jsonld"}}