Phylax prevents AI agents from reading or deleting your files

Phylax, a new OS-level security tool, prevents AI coding agents like Claude Code and Cursor from reading, writing, or deleting private files by enforcing Windows kernel-level access controls. The tool applies Windows ACLs and Mandatory Integrity Control to return ACCESS_DENIED before an agent can touch a single byte, operating entirely locally with no cloud, accounts, or telemetry. Phylax protects against the full filesystem access that AI agents currently have, allowing users to define granular permissions for specific files and directories.

Windows security layer for AI coding agents

Phylax stops AI agents before they touch your private files. Real OS-level protection. The kernel returns ACCESS_DENIED, the agent never sees a single byte.

100% local · No accounts · No cloud · No telemetry

Why Phylax

The problem is real. The solution is local.

AI agents like Claude Code, Cursor, and OpenCode have full filesystem access. They can read, write, or delete anything. Phylax puts a real OS-level boundary between them and your secrets. No proxy, no wrapper. The kernel enforces it.

100% Local
No account, no cloud, no telemetry. Everything stays on your machine. Audit logs in local SQLite. Works fully offline.

Multi-Agent Detection
Recognizes Claude, Cursor, OpenCode, Copilot, Windsurf, Aider, and more. Detects agents by process name, environment variables, and child inheritance.

OS-level Enforcement
Applies real Windows ACLs (DENY ACEs) plus Mandatory Integrity Control. The kernel itself returns ACCESS_DENIED; the agent never touches the file.

Phylax applies three layers of Windows security to every denied file: DENY ACEs for read/write/delete, WRITE_DAC protection for ACL modification, and Mandatory Integrity Control to stop privilege bypass.

How it works

Three steps. Zero cloud. No cloud proxy, no API keys, no network required. Everything runs locally on your machine.

Detect
Identifies AI agent processes by image name, environment variables, and command-line inspection. Child processes inherit the agent label automatically.

Decide
Checks your phylax.toml rules against the file path and operation. Deny always wins. Priority-ordered buckets resolve every access attempt.

Block
Applies real Windows ACLs. The kernel returns ACCESS_DENIED before the agent touches a single byte. No userspace trick can bypass it.

Real example

A real example. This is what happens when an AI agent tries to access a protected file.

Policies

Choose your protection level. Phylax uses six permission buckets ordered by priority. Deny always wins. Start with a preset, then customize via phylax.toml.

deny: Complete block
ask: User approves
full: Unrestricted
delete: Read + Delete
write: Read + Write
read: Read only

Conservative default
When no rule matches: read = Allow, write = Ask, delete = Deny.

Recommended
Protects secrets and critical files. Source edits are fast. Lockfile changes ask for confirmation. Blocks .env, .pem, .key. Allows src/ and tests/. Prompts for migrations and lockfiles.

    [project]
    name = "my-phylax-project"
    default = "conservative"

    [deny]
    files = [".env", ".env. ", "secrets/ ", " .pem", " .key", "phylax.toml"]

    [ask]
    files = ["Cargo.lock", "package-lock.json", "migrations/ "]

    [write]
    files = ["src/ ", "tests/ ", "docs/ "]

    [read]
    files = ["README.md", "docs/ "]

Strict
Maximum security. Every source edit and lockfile change requires explicit approval. Denies .env, .pem, .key, .p12, .pfx, secrets/. Asks for every source edit. Read-only by default.

    [project]
    name = "phylax-strict"
    default = "conservative"

    [deny]
    files = [".env", ".env. ", "secrets/ ", "keys/ ", " .pem", " .key", " .p12", "phylax.toml"]

    [ask]
    files = ["src/ ", "tests/ ", "Cargo.lock", "package-lock.json", "migrations/ "]

    [read]
    files = ["README.md", "docs/ ", "src/ ", "tests/ "]

Fast & Flexible
Lets agents edit freely. Only secrets and the manifest are protected. Blocks .env, .pem, .key, phylax.toml.
Everything else is writable. No prompts for normal edits.

    [project]
    name = "phylax-fast"
    default = "conservative"

    [deny]
    files = [".env", ".env. ", "secrets/ ", " .pem", " .key", "phylax.toml"]

    [write]
    files = ["src/ ", "tests/ ", "docs/ ", "examples/ ", "Cargo.lock", "package-lock.json"]

    [read]
    files = ["README.md", "docs/ ", "src/ ", "tests/ ", "examples/ "]

Install

One command. Zero configuration. No accounts, no cloud, no telemetry. The daemon runs invisibly in the background.

phylax init      Creates phylax.toml and starts the daemon
phylax run       Daemon + live terminal dashboard (60fps)
phylax stop      Stops daemon and releases file locks
phylax status    Live view: projects, agents, events, blocks
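
To check on your own machine that the enforcement described under "OS-level Enforcement" is in place, you can inspect a protected file's DACL for the Deny ACEs. The PowerShell function below is an added example and not part of Phylax; the name Get-DenyCoverage, the sample paths, and the mapping of the page's read/write/delete/WRITE_DAC wording onto FileSystemRights flags are assumptions, and it does not inspect the Mandatory Integrity Control label.

```powershell
# Added example (not Phylax code): report which Deny ACEs sit on protected files.
# Assumption: the page's read / write / delete / WRITE_DAC wording corresponds to
# these .NET FileSystemRights flags (ChangePermissions is the WRITE_DAC bit).
function Get-DenyCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    begin {
        $rights = [System.Security.AccessControl.FileSystemRights]
        $wanted = [ordered]@{
            Read     = [int]$rights::ReadData
            Write    = [int]$rights::WriteData
            Delete   = [int]$rights::Delete
            WriteDac = [int]$rights::ChangePermissions
        }
    }
    process {
        foreach ($p in $Path) {
            $acl  = Get-Acl -LiteralPath $p
            $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
            if ($deny.Count -eq 0) {
                Write-Warning "No Deny ACE found on $p"
                continue
            }
            # Several ACEs may name the same trustee, so OR their masks together.
            foreach ($group in ($deny | Group-Object { $_.IdentityReference.Value })) {
                $mask = 0
                foreach ($ace in $group.Group) {
                    $mask = $mask -bor [int]$ace.FileSystemRights
                }
                $row = [ordered]@{ Path = $p; Trustee = $group.Name }
                foreach ($name in $wanted.Keys) {
                    $row[$name] = ($mask -band $wanted[$name]) -ne 0
                }
                # Inherited ACEs come from a parent folder, explicit ones sit on the file.
                $row['AllExplicit'] = -not ($group.Group | Where-Object IsInherited)
                [pscustomobject]$row
            }
        }
    }
}

# Constructed sample paths; replace with files your phylax.toml denies.
# Get-DenyCoverage -Path .\.env, .\secrets\api.key | Format-Table -AutoSize
```

A row with False in any of the Read, Write, Delete or WriteDac columns means that right is not covered by a Deny ACE for that trustee, and a warning means the file carries no Deny ACE at all.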