# Phylax: prevent AI agents from reading or deleting your files

> Source: <https://phylaxx.pages.dev/>
> Published: 2026-06-04 05:45:42+00:00

Windows security layer for AI coding agents

# Phylax stops AI agents before they touch your private files.

Real OS-level protection. The kernel returns ACCESS_DENIED; the agent never sees a single byte.

100% local · No accounts · No cloud · No telemetry

Why Phylax

## The problem is real. The solution is local.

AI agents like Claude Code, Cursor, and OpenCode have **full filesystem access**. They can read, write, or delete anything.

Phylax puts a **real OS-level boundary** between them and your secrets. No proxy, no wrapper. The kernel enforces it.

### 100% Local

No account, no cloud, no telemetry. Everything stays on your machine. Audit logs in local SQLite. Works fully offline.

### Multi-Agent Detection

Recognizes Claude, Cursor, OpenCode, Copilot, Windsurf, Aider, and more. Detects agents by process name, environment variables, and child inheritance.

### OS-level Enforcement

Applies real Windows ACLs (DENY ACEs + Mandatory Integrity Control). The kernel itself returns ACCESS_DENIED - the agent never touches the file.

Phylax applies three layers of Windows security to every denied file: DENY ACEs for read/write/delete, WRITE_DAC protection for ACL modification, and Mandatory Integrity Control to stop privilege bypass.

How it works

## Three steps. Zero cloud.

No cloud proxy, no API keys, no network required. Everything runs locally on your machine.

### Detect

Identifies AI agent processes by image name, environment variables, and command-line inspection. Child processes inherit the agent label automatically.

### Decide

Checks your `phylax.toml` rules against the file path and operation. Deny always wins. Priority-ordered buckets resolve every access attempt.

### Block

Applies real Windows ACLs. The kernel returns ACCESS_DENIED before the agent touches a single byte. No userspace trick can bypass it.

Real example

## A real example.

This is what happens when an AI agent tries to access a protected file.

Policies

## Choose your protection level.

Phylax uses six permission buckets ordered by priority. **Deny always wins.** Start with a preset, then customize via `phylax.toml`.

**deny** Complete block

**ask** User approves

**full** Unrestricted

**delete** Read + Delete

**write** Read + Write

**read** Read only

**Conservative default.** When no rule matches: read = Allow, write = Ask, delete = Deny.

### Recommended

Protects secrets and critical files. Source edits are fast. Lockfile changes ask for confirmation.

Blocks .env, .pem, .key. Allows src/** and tests/**. Prompts for migrations and lockfiles.

```
[project]
name = "my-phylax-project"
default = "conservative"

[deny]
files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]

[ask]
files = ["Cargo.lock", "package-lock.json", "migrations/**"]

[write]
files = ["src/**", "tests/**", "docs/**"]

[read]
files = ["README.md", "docs/**"]
```

### Strict

Maximum security. Every source edit and lockfile change requires explicit approval.

Denies .env, .pem, .key, .p12, .pfx, secrets/**. Asks for every source edit. Read-only by default.

```
[project]
name = "phylax-strict"
default = "conservative"

[deny]
files = [".env", ".env.*", "secrets/**", "keys/**", "*.pem", "*.key", "*.p12", "*.pfx", "phylax.toml"]

[ask]
files = ["src/**", "tests/**", "Cargo.lock", "package-lock.json", "migrations/**"]

[read]
files = ["README.md", "docs/**", "src/**", "tests/**"]
```

### Fast & Flexible

Lets agents edit freely. Only secrets and the manifest are protected.

Blocks .env, .pem, .key, phylax.toml. Everything else is writable. No prompts for normal edits.

```
[project]
name = "phylax-fast"
default = "conservative"

[deny]
files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]

[write]
files = ["src/**", "tests/**", "docs/**", "examples/**", "Cargo.lock", "package-lock.json"]

[read]
files = ["README.md", "docs/**", "src/**", "tests/**", "examples/**"]
```

Install

## One command. Zero configuration.

One command. No accounts, no cloud, no telemetry. The daemon runs invisibly in the background.

`phylax init`

Creates phylax.toml and starts the daemon

`phylax run`

Daemon + live terminal dashboard (60fps)

`phylax stop`

Stops daemon and releases file locks

`phylax status`

Live view: projects, agents, events, blocks
