Windows security layer for AI coding agents

Phylax stops AI agents before they touch your private files.

Real OS-level protection. The kernel returns ACCESS_DENIED, so the agent never sees a single byte.

100% local  ·  No accounts  ·  No cloud  ·  No telemetry

phylax daemon
08:16:08 AGENT opencode.exe detected
08:16:08 TRY opencode.exe → .env
08:16:08 MATCH deny bucket → .env
08:16:08 BLOCK ACCESS_DENIED
08:16:09 AUDIT stored in local SQLite
Phylax ● LIVE
01

Why Phylax

The problem is real. The solution is local.

The problem

AI agents like Claude Code, Cursor, and OpenCode have full filesystem access. They can read, write, or delete anything.

The solution

Phylax puts a real OS-level boundary between them and your secrets. No proxy, no wrapper. The kernel enforces it.

100% Local

No account, no cloud, no telemetry. Everything stays on your machine. Audit logs in local SQLite. Works fully offline.

Multi-Agent Detection

Recognizes Claude, Cursor, OpenCode, Copilot, Windsurf, Aider, and more. Detects agents by process name, environment variables, and child inheritance.

OS-level Enforcement

Applies real Windows ACLs (DENY ACEs + Mandatory Integrity Control). The kernel itself returns ACCESS_DENIED - the agent never touches the file.

Anti-bypass protection

Phylax applies three layers of Windows security to every denied file: DENY ACEs for read/write/delete, WRITE_DAC protection for ACL modification, and Mandatory Integrity Control to stop privilege bypass.

02

How it works

Three steps. Zero cloud.

No cloud proxy, no API keys, no network required. Everything runs locally on your machine.

01

Detect

Identifies AI agent processes by image name, environment variables, and command-line inspection. Child processes inherit the agent label automatically.

02

Decide

Checks your phylax.toml rules against the file path and operation. Deny always wins. Priority-ordered buckets resolve every access attempt.

03

Block

Applies real Windows ACLs. The kernel returns ACCESS_DENIED before the agent touches a single byte. No userspace trick can bypass it.

See full architecture → Docs
03

Real example

A real example.

This is what happens when an AI agent tries to access a protected file.

phylax audit tail ● LIVE
08:16:08 AGENT opencode.exe detected (env: OPENAICLIENT)
08:16:08 TRY opencode.exe → read .env.local
08:16:08 MATCH deny bucket → .env.*
08:16:08 BLOCK DENY ACE applied → ACCESS_DENIED
08:16:08 MIC High Integrity label applied
08:16:09 AUDIT event stored in local SQLite

Three layers of Windows security: DENY ACEs block file access, WRITE_DAC protection prevents ACL modification, and Mandatory Integrity Control stops privilege bypass. The kernel returns ACCESS_DENIED, so the agent never sees a single byte.

04

Policies

Choose your protection level.

Phylax uses six permission buckets ordered by priority. Deny always wins. Start with a preset, then customize via phylax.toml.

Priority
deny Complete block
ask User approves
full Unrestricted
delete Read + Delete
write Read + Write
read Read only

Conservative default: when no rule matches, read = Allow, write = Ask, delete = Deny.

Maximum control

Strict

Maximum security. Every source edit and lockfile change requires explicit approval.

Denies .env, .pem, .key, .p12, .pfx, secrets/**. Asks for every source edit. Read-only by default.

[project]
name = "phylax-strict"
default = "conservative"

[deny]
files = [".env", ".env.*", "secrets/**", "keys/**", "*.pem", "*.key", "*.p12", "phylax.toml"]

[ask]
files = ["src/**", "tests/**", "Cargo.lock", "package-lock.json", "migrations/**"]

[read]
files = ["README.md", "docs/**", "src/**", "tests/**"]
Low friction

Fast & Flexible

Lets agents edit freely. Only secrets and the manifest are protected.

Blocks .env, .pem, .key, phylax.toml. Everything else is writable. No prompts for normal edits.

[project]
name = "phylax-fast"
default = "conservative"

[deny]
files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]

[write]
files = ["src/**", "tests/**", "docs/**", "examples/**", "Cargo.lock", "package-lock.json"]

[read]
files = ["README.md", "docs/**", "src/**", "tests/**", "examples/**"]
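An added example, not Phylax's own code: a deny-coverage check that runs the [deny] lists of both presets above against a constructed list of secret-looking paths and returns the ones no pattern matches, which the conservative default (read = Allow) would then leave readable. The glob semantics and the sample paths are assumptions, not taken from Phylax.

```python
import re

# [deny] lists copied from the Strict and Fast & Flexible presets on this page.
STRICT_DENY = [".env", ".env.*", "secrets/**", "keys/**", "*.pem", "*.key",
               "*.p12", "phylax.toml"]
FAST_DENY = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]

# Constructed sample paths (not from the page), relative to the project root.
SAMPLE_PATHS = [".env", "api\\.env.local", "secrets/db.json", "keys/id_ed25519",
                "tls/server.pem", "certs/client.p12", "certs/site.pfx",
                "phylax.toml"]


def glob_to_regex(pattern):
    """Translate one deny pattern into a compiled regex.

    ASSUMED semantics (not Phylax's documented matcher): "**" crosses
    directories, "*" stays inside one path segment, a pattern without "/"
    matches the file name at any depth, and matching ignores case as on NTFS.
    """
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    prefix = "" if "/" in pattern else "(?:.*/)?"
    return re.compile("^" + prefix + "".join(parts) + "$", re.IGNORECASE)


def uncovered(deny_patterns, paths):
    """Return the paths that no deny pattern matches, in input order."""
    rules = [glob_to_regex(p) for p in deny_patterns]
    return [p for p in paths
            if not any(r.match(p.replace("\\", "/")) for r in rules)]


if __name__ == "__main__":
    for name, deny in (("strict", STRICT_DENY), ("fast", FAST_DENY)):
        print(name, "not denied:", uncovered(deny, SAMPLE_PATHS))
```

Under these assumptions the check shows that no pattern in either [deny] list matches a .pfx file, and that the Fast preset also leaves .p12 files and the keys/ directory outside the deny bucket.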
05

Install

One command. Zero configuration.

One command. No accounts, no cloud, no telemetry. The daemon runs invisibly in the background.

PowerShell
PS> irm https://raw.githubusercontent.com/TheUser99-spec/Phylax/main/install.ps1 | iex
No admin required. The daemon runs gracefully in the background.
phylax init      Creates phylax.toml and starts the daemon
phylax run       Daemon + live terminal dashboard (60fps)
phylax stop      Stops daemon and releases file locks
phylax status    Live view: projects, agents, events, blocks
Runs locally  ·  No login  ·  No cloud  ·  No telemetry