Phylax prevents AI agents from reading or deleting your files
Phylax is a Windows security layer that uses OS-level ACL enforcement to prevent AI coding agents from accessing your private files. It runs 100% locally with no accounts, cloud, or telemetry, supports multi-agent detection, and offers anti-bypass protection.
Windows security layer for AI coding agents
Phylax stops AI agents before they touch your private files.
Real OS-level protection. The kernel returns ACCESS_DENIED, the agent never sees a single byte.
100% local · No accounts · No cloud · No telemetry
Install now View on GitHub
phylax daemon
08:16:08 AGENT opencode.exe detected
08:16:08 TRY opencode.exe → .env
08:16:08 MATCH deny bucket → .env
08:16:08 BLOCK ACCESS_DENIED
08:16:09 AUDIT stored in local SQLite
Phylax ● LIVE
See how it works
The solution
Phylax puts a real OS-level boundary between them and your secrets. No proxy, no wrapper. The kernel enforces it.
100% Local
No account, no cloud, no telemetry. Everything stays on your machine. Audit logs in local SQLite. Works fully offline.
Multi-Agent Detection
Recognizes Claude, Cursor, OpenCode, Copilot, Windsurf, Aider, and more. Detects agents by process name, environment variables, and child inheritance.
OS-level Enforcement
Applies real Windows ACLs (DENY ACEs + Mandatory Integrity Control). The kernel itself returns ACCESS_DENIED - the agent never touches the file.
Anti-bypass protection
Phylax applies three layers of Windows security to every denied file: DENY ACEs for read/write/delete, WRITE_DAC protection for ACL modification, and Mandatory Integrity Control to stop privilege bypass.
01
Detect
Identifies AI agent processes by image name, environment variables, and command-line inspection. Child processes inherit the agent label automatically.
02
Decide
Checks your phylax.toml rules against the file path and operation. Deny always wins. Priority-ordered buckets resolve every access attempt.
03
Block
Applies real Windows ACLs. The kernel returns ACCESS_DENIED before the agent touches a single byte. No userspace trick can bypass it.
target="_blank" rel="noreferrer"> See full architecture → Docs
phylax audit tail ● LIVE
08:16:08AGENTopencode.exe detected (env: OPENAICLIENT)
08:16:08TRYopencode.exe → read .env.local
08:16:08MATCHdeny bucket → .env.*
08:16:08BLOCKDENY ACE applied → ACCESS_DENIED
08:16:08MICHigh Integrity label applied
08:16:09AUDITevent stored in local SQLite
Three layers of Windows security: DENY ACEs block file access, WRITE_DAC prevents ACL modification, and Mandatory Integrity Control stops privilege bypass. The kernel returns ACCESS_DENIED, the agent never sees a single byte.
Priority
deny Complete block
›
ask User approves
›
full Unrestricted
›
delete Read + Delete
›
write Read + Write
›
read Read only
Conservative default When no rule matches: read = Allow, write = Ask, delete = Deny.
Recommended Best first run
Recommended
Protects secrets and critical files. Source edits are fast. Lockfile changes ask for confirmation.
Blocks .env, .pem, .key. Allows src/ and tests/. Prompts for migrations and lockfiles.
[project] name = "my-phylax-project" default = "conservative"
[deny] files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]
[ask] files = ["Cargo.lock", "package-lock.json", "migrations/**"]
[write] files = ["src/", "tests/", "docs/**"]
[read] files = ["README.md", "docs/**"]
Maximum control
Strict
Maximum security. Every source edit and lockfile change requires explicit approval.
Denies .env, .pem, .key, .p12, .pfx, secrets/**. Asks for every source edit. Read-only by default.
[project] name = "phylax-strict" default = "conservative"
[deny] files = [".env", ".env.*", "secrets/", "keys/", "*.pem", "*.key", "*.p12", "phylax.toml"]
[ask] files = ["src/", "tests/", "Cargo.lock", "package-lock.json", "migrations/**"]
[read] files = ["README.md", "docs/", "src/", "tests/**"]
Low friction
Fast & Flexible
Lets agents edit freely. Only secrets and the manifest are protected.
Blocks .env, .pem, .key, phylax.toml. Everything else is writable. No prompts for normal edits.
[project] name = "phylax-fast" default = "conservative"
[deny] files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]
[write] files = ["src/", "tests/", "docs/", "examples/", "Cargo.lock", "package-lock.json"]
[read] files = ["README.md", "docs/", "src/", "tests/", "examples/"]
PowerShell
PS> irm https://raw.githubusercontent.com/TheUser99-spec/Phylax/main/install.ps1 | iex
No admin required. The daemon runs gracefully in the background.
Copied
phylax init Creates phylax.toml and starts the daemon
phylax run Daemon + live terminal dashboard (60fps)
phylax stop Stops daemon and releases file locks
phylax status Live view: projects, agents, events, blocks
Runs locally No login No cloud No telemetry