The Story
I trusted AI agents with my filesystem.
That was a mistake.
This is why Phylax exists - and where we're going next.
Part 1 - The Wake-Up Call
It started with vibecoding. You know the flow: describe what you want, watch the AI build it, iterate fast. It feels like magic. Until it doesn't.
I was vibecoding a new tool. The AI agent was generating modules, refactoring files, moving fast. Then I noticed something: entire directories were gone. Configuration files, API keys, database migration scripts - files containing months of work. The agent had deleted them without asking, without warning, without any prompt that said "delete." It just... did it.
While building a product integration, the AI agent read environment files and leaked API keys. A DeepSeek API key and a Cloudflare Workers token were exposed in generated documentation that got committed. The agent didn't understand these were secrets - it just saw text and used it. I had to rotate everything the same day.
The worst one. I was testing a security product prototype (similar to what Phylax would become). The AI agent, given broad filesystem access, wiped critical Windows files. The system froze. No response to keyboard, mouse, anything. Had to hard reboot. Lost hours of work, corrupted a project, and spent a day recovering. The agent didn't know what it was doing - it was just following instructions too literally, with no guardrails.
Part 2 - This Is Happening Everywhere
I thought I was alone. I wasn't. Here are real, documented incidents of AI agents causing data loss, filed by real developers:
Filed May 31, 2026. User reports the agent ignored CLAUDE.md rules and destroyed data across multiple sessions. The system designed to be safe failed silently.
Automatic cleanup deleted 6 active sessions without warning (GitHub Issues · anthropics/claude-code). Filed May 31, 2026. Six active development sessions with hours of context were silently purged. Token loss, work loss, no recovery.
Auto-update loses spaces.json, causing empty project list (GitHub Issues · anthropics/claude-code). Filed May 29, 2026. The auto-update mechanism wiped project configuration data. Users opened Claude to find all their projects gone.
Claude fabricates security findings and proposes destructive remediation (GitHub Issues · anthropics/claude-code). The agent hallucinated security vulnerabilities that didn't exist, then proposed destructive file operations as "fixes" - before tool output even returned.
These aren't edge cases. They are a handful of the thousands of open issues across Claude Code, Cursor, Copilot, and other AI coding tools. The pattern is clear: an AI agent with unrestricted filesystem access will eventually destroy something. Not because it's malicious - because it doesn't understand context, value, or consequence.
Part 3 - The Birth of Phylax
After the system crash, I asked a simple question:
"Why does my AI agent have the same filesystem permissions as me?"
It shouldn't. An AI agent is not a human developer. It doesn't understand that .env contains secrets. It doesn't know that deleting migrations/ destroys your database history. It can't tell the difference between a config file and a scratch file.
Phylax was born from that question. A security layer that sits between the AI agent and your filesystem. Not a wrapper. Not a proxy. Real Windows ACLs enforced by the OS kernel itself.
AI agents need filesystem access to be useful. But they don't need access to everything. Phylax draws a boundary: the agent can edit your source code, but it can never touch your secrets, your git history, or your policy files. Period.
I built the MVP in weeks. Not because it was easy - because it was urgent. Every day without protection is another day an agent could delete something irreplaceable.
The Road Ahead
Phylax is built in phases. Each phase adds a fundamentally stronger layer of protection.
Phase 1 - ACL Enforcement
What you're using right now. The daemon applies DENY ACEs + Mandatory Integrity Control labels to files matching your [deny] rules. The Windows kernel enforces the block.
| Feature | Status |
|---|---|
| phylax.toml parser & glob engine | Done |
| Multi-agent detection (5 signals) | Done |
| DENY ACEs + MIC labels (3-layer anti-bypass) | Done |
| SQLite audit log | Done |
| IPC protocol (20 request types) | Done |
| Terminal dashboard (ratatui, 60fps) | Done |
| Invisible daemon (survives terminal close) | Done |
| Global rules + per-project rules | Done |
| CLI (14 commands: init, run, stop, status, audit...) | Done |
Protection is active only while the daemon runs: phylax stop removes the DENY ACEs and the files become accessible again. The ACEs apply to Everyone, including you, so you must stop the daemon to edit a protected file yourself. To confirm what the daemon applied, run icacls on a protected file; it lists the DENY entries and the mandatory label.
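To make the Phase 1 rule model concrete, here is an added example of how a [deny]/[ask] policy is evaluated. It is written for this page and is not Phylax's parser or glob engine. It assumes a schema in which the global and the per-project phylax.toml each hold lists of gitignore-style globs under [deny] and [ask], the two files are merged, deny beats ask beats allow, and at start-up the daemon stamps every existing file that matches a [deny] glob. The rule sets, the file listing and the helper names are constructed for the illustration.

```python
"""Deny/ask/allow evaluation for a Phylax-style phylax.toml rule set.

Added illustration, not Phylax's parser or glob engine. The rule schema
([deny] and [ask] lists of gitignore-style globs, a global file merged with
a per-project file, precedence deny > ask > allow) is an assumption.
"""
from __future__ import annotations

import re
from functools import lru_cache

# Constructed rule sets standing in for the parsed TOML (tomllib would yield
# the same dict shapes from a real file).
GLOBAL_RULES = {
    "deny": ["**/.env", "**/.env.*", "**/.git/**", "**/phylax.toml"],
    "ask":  ["**/migrations/**"],
}
PROJECT_RULES = {
    "deny": ["secrets/**"],
    "ask":  ["**/*.sql"],
}


@lru_cache(maxsize=None)
def glob_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate a gitignore-style glob into an anchored regex over '/'-paths.
    '**/' matches zero or more whole segments, a trailing '**' matches the
    rest of the path, and '*' / '?' never cross a '/'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def normalise(path: str) -> str:
    """Project-relative path with Windows separators folded to '/' and a
    leading './' dropped, so one rule set serves Windows and POSIX agents."""
    p = path.replace("\\", "/")
    while p.startswith("./"):
        p = p[2:]
    return p


def evaluate(path: str, *rule_sets: dict[str, list[str]]) -> tuple[str, str | None]:
    """Most restrictive verdict wins: any deny beats any ask beats allow.
    Returns (verdict, matching pattern or None)."""
    rel = normalise(path)
    for verdict in ("deny", "ask"):
        for rules in rule_sets:
            for pattern in rules.get(verdict, []):
                if glob_to_regex(pattern).match(rel):
                    return verdict, pattern
    return "allow", None


def files_to_lock(listing: list[str], *rule_sets: dict[str, list[str]]) -> list[str]:
    """What the daemon would stamp with DENY ACEs and a mandatory label when
    it starts: every existing file that matches a [deny] glob."""
    return [f for f in listing if evaluate(f, *rule_sets)[0] == "deny"]


if __name__ == "__main__":
    # Constructed project listing.
    tree = [".env", "src/main.rs", ".git/HEAD", "secrets/prod.pem",
            "db/migrations/0001_init.sql", "phylax.toml", "README.md"]
    print("locked at start:", files_to_lock(tree, GLOBAL_RULES, PROJECT_RULES))
    for p in ["src\\main.rs", "config\\.env.production", "db\\migrations\\0002.sql"]:
        print(p, "->", evaluate(p, GLOBAL_RULES, PROJECT_RULES))
```

A pattern such as **/.env has to match at the project root as well as in any subdirectory, which is the case a plain fnmatch-style * gets wrong because it treats '/' like any other character; that is why the example carries its own translator.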
Phase 2 - Kernel Minifilter
A C++ Windows kernel driver (driver/phylax.sys) that intercepts I/O operations at ring 0. The driver pauses IRPs inline and evaluates them before the agent ever touches a byte. This is the real deal.
| Feature | What it means |
|---|---|
| Agent-only blocking | The driver distinguishes between human and agent processes. You can edit denied files without stopping the daemon. The agent is blocked; you are not. |
| Real-time I/O interception | IRPs are paused at kernel level and inspected inline. Zero polling delay. The agent never touches the file. |
| Protection survives daemon restart | The driver persists independently. phylax stop no longer removes protection. Kill the daemon, kill the process - the driver still enforces. |
| Ask flow enforced | When a rule says [ask], the driver pauses the IRP, notifies the daemon, displays a prompt, and waits for your response. Timeout = deny. |
| Per-agent overrides | Different rules for different agents. Claude gets write access to src/, Cursor gets read-only. The driver passes PID to daemon for per-agent evaluation. |
| Tamper-proof audit | Audit events are logged at kernel level, so no user-mode process can modify or delete them - not even the agent. As with any driver, this holds only while the agent is not running with administrator rights, which would let it unload the driver. |
| Advanced agent detection | Kernel-level process creation callbacks + ETW tracing. Zero detection window. The driver knows about new processes before they execute their first instruction. |
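The ask-flow and per-agent rows above describe a round trip between the driver and the daemon. The following is an added simulation of that exchange, not Phylax's driver or daemon code: a driver-side hook holds a request, the daemon maps the PID to an agent (an unknown PID is treated as a human process and passes, matching the agent-only blocking row), applies [deny] paths and per-agent rules, prompts the user for [ask] paths and treats a prompt that times out as deny. The IPC shape, the prefix-based rule schema, the PIDs and the agent names are assumptions made for the example.

```python
"""Simulated Phase 2 ask flow between a driver-side hook and a user-mode daemon.

Added illustration for this page, not Phylax's driver or daemon code. The IPC
shape, the prefix-based rule schema, the PIDs and the agent names are assumed.
"""
from __future__ import annotations

import itertools
import queue
import threading
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class IoRequest:
    pid: int
    op: str    # "read" | "write" | "delete"
    path: str  # project-relative, '/'-separated


# Constructed policy (assumed schema): per-agent allowed operations by path prefix.
AGENT_RULES = {
    "claude": {"src/": {"read", "write"}, "tests/": {"read", "write"}},
    "cursor": {"src/": {"read"}},
}
DENY_PREFIXES = (".env", ".git/", "phylax.toml")  # no agent may touch these at all
ASK_PREFIXES = ("migrations/",)                   # writes here need a human answer


class Daemon:
    def __init__(self, agents: dict[int, str], prompt_timeout: float = 0.5) -> None:
        self.agents = dict(agents)   # PID -> agent name, as filled in by agent detection
        self.prompt_timeout = prompt_timeout
        self.prompts: queue.Queue = queue.Queue()   # (request_id, question) shown to the user
        self.answers: queue.Queue = queue.Queue()   # (request_id, bool) typed by the user
        self._ids = itertools.count(1)
        self.audit: list[tuple] = []

    def ask_user(self, question: str) -> bool | None:
        """Post a prompt and wait for its answer. None means nobody answered in time."""
        req_id = next(self._ids)
        self.prompts.put((req_id, question))
        deadline = time.monotonic() + self.prompt_timeout
        while (remaining := deadline - time.monotonic()) > 0:
            try:
                rid, answer = self.answers.get(timeout=remaining)
            except queue.Empty:
                break
            if rid == req_id:
                return answer
            # A reply to an earlier prompt that already timed out: discard it.
        return None

    def decide(self, req: IoRequest) -> str:
        """Return "allow" or "deny" for one held I/O request and record it."""
        agent = self.agents.get(req.pid)
        if agent is None:
            verdict, why = "allow", "not an agent process"   # agent-only blocking
        elif req.path.startswith(DENY_PREFIXES):
            verdict, why = "deny", "[deny] path"
        elif req.op != "read" and req.path.startswith(ASK_PREFIXES):
            answer = self.ask_user(f"{agent} wants to {req.op} {req.path}. Allow?")
            verdict = "allow" if answer else "deny"
            why = "prompt timed out" if answer is None else f"user answered {answer}"
        else:
            allowed: set[str] = set()
            for prefix, ops in AGENT_RULES.get(agent, {}).items():
                if req.path.startswith(prefix):
                    allowed |= ops
            verdict = "allow" if req.op in allowed else "deny"
            why = f"per-agent rules for {agent}"
        self.audit.append((req.pid, agent, req.op, req.path, verdict, why))
        return verdict


def driver_pre_operation(daemon: Daemon, req: IoRequest) -> str:
    """Stand-in for the minifilter's pre-operation callback: the I/O is held
    until the daemon answers, then completed with the verdict's NTSTATUS."""
    return "STATUS_SUCCESS" if daemon.decide(req) == "allow" else "STATUS_ACCESS_DENIED"


def simulated_user(daemon: Daemon, answer: bool, delay: float) -> threading.Thread:
    """Background 'user' who answers the next prompt after `delay` seconds."""
    def run() -> None:
        req_id, _question = daemon.prompts.get()
        time.sleep(delay)
        daemon.answers.put((req_id, answer))
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def demo() -> dict[str, str]:
    """Run the scenarios from the table above; returns request -> NTSTATUS."""
    d = Daemon(agents={4242: "claude", 5151: "cursor"})   # constructed PIDs
    r = {}
    r["claude writes src/main.rs"] = driver_pre_operation(d, IoRequest(4242, "write", "src/main.rs"))
    r["cursor writes src/main.rs"] = driver_pre_operation(d, IoRequest(5151, "write", "src/main.rs"))
    r["cursor reads src/main.rs"] = driver_pre_operation(d, IoRequest(5151, "read", "src/main.rs"))
    r["claude reads .env"] = driver_pre_operation(d, IoRequest(4242, "read", ".env"))
    r["human (pid 777) writes .env"] = driver_pre_operation(d, IoRequest(777, "write", ".env"))
    simulated_user(d, answer=True, delay=0.0)   # user approves at once
    r["claude writes migration, approved"] = driver_pre_operation(d, IoRequest(4242, "write", "migrations/0002.sql"))
    simulated_user(d, answer=True, delay=2.0)   # user is away; the reply lands after the timeout
    r["claude writes migration, no answer"] = driver_pre_operation(d, IoRequest(4242, "write", "migrations/0002.sql"))
    return r
```

Answers carry the id of the prompt they belong to, so a late reply to a prompt that already timed out cannot be mistaken for approval of the next request; without that check, a "yes" arriving a second late would authorise whatever the agent asked for next.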
Phase 2.5 - Cross-Platform
Phylax was born on Windows because that's where the damage happened. But AI agents run everywhere.
Linux - Fanotify + eBPF-based filesystem interception. Kernel-level blocking via LSMs (Landlock, SELinux). systemd daemon integration. Snap/Flatpak/AppImage distribution.
macOS - Endpoint Security (ES) framework for kernel-level I/O interception. LaunchDaemon background service. Homebrew installation. Native sandbox integration via App Groups.
Same phylax.toml. Same permission model. Same audit trail. Different kernel.
Phase 3 - Project Nightfall
Some things can't be announced before they're built. But here's what we can say:
The system learns what "normal" agent behavior looks like and flags anomalies before they become incidents. An agent that suddenly tries to read 50 files in 2 seconds? Flagged. An agent that starts traversing directories it has never touched? Blocked.
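As an added illustration of the two rules described in this paragraph, here is a small behavioural monitor that baselines which directories an agent works in, flags more than 50 distinct files touched within a 2-second window, and blocks access to a directory the agent has never touched. It is example code written for this page, not Phylax's implementation; the event format, the thresholds and the sample events are constructed.

```python
"""Behavioural monitor for the two anomaly rules described above.

Added illustration for this page, not Phylax's implementation. Event format,
thresholds and sample events are constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float     # seconds on a monotonic clock
    agent: str
    op: str      # "read" | "write" | "delete"
    path: str    # project-relative, '/'-separated


BURST_WINDOW = 2.0  # seconds
BURST_LIMIT = 50    # distinct files per window ("50 files in 2 seconds")


def ancestors(path: str) -> list[str]:
    """'a/b/c.txt' -> ['a/b', 'a']. A file at the top level has none."""
    parts = path.split("/")[:-1]
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


class AgentState:
    def __init__(self) -> None:
        self.known_dirs: set[str] = set()                 # directories seen while baselining
        self.recent: deque[tuple[float, str]] = deque()   # (time, path) inside the burst window


class BehaviourMonitor:
    def __init__(self) -> None:
        self.state: dict[str, AgentState] = defaultdict(AgentState)

    def learn(self, events: list[Event]) -> None:
        """Baseline phase: remember which directories each agent normally works in."""
        for ev in events:
            self.state[ev.agent].known_dirs.update(ancestors(ev.path))

    def check(self, ev: Event) -> str:
        """Monitoring phase: 'block:new-directory', 'flag:burst' or 'ok'."""
        st = self.state[ev.agent]
        dirs = ancestors(ev.path)
        # Rule 2: a directory (and every parent of it) this agent has never touched -> block.
        if dirs and not any(d in st.known_dirs for d in dirs):
            return "block:new-directory"
        # Rule 1: distinct files in the sliding window -> flag once over the limit.
        st.recent.append((ev.t, ev.path))
        while st.recent and ev.t - st.recent[0][0] > BURST_WINDOW:
            st.recent.popleft()
        distinct = len({p for _, p in st.recent})
        st.known_dirs.update(dirs)  # an allowed access becomes part of the baseline
        return "flag:burst" if distinct > BURST_LIMIT else "ok"


def demo() -> dict[str, object]:
    mon = BehaviourMonitor()
    # Constructed baseline: claude has only ever worked under src/ and tests/.
    mon.learn([Event(0.0, "claude", "read", "src/main.rs"),
               Event(1.0, "claude", "write", "src/lib.rs"),
               Event(2.0, "claude", "read", "tests/smoke.rs")])
    results: dict[str, object] = {}
    # 60 distinct files in 1.2 s: the 51st distinct file trips the burst rule.
    burst = [mon.check(Event(100.0 + i * 0.02, "claude", "read", f"src/gen/file{i}.rs"))
             for i in range(60)]
    results["burst_first_flag_index"] = burst.index("flag:burst")
    results["burst_ok_before_flag"] = all(v == "ok" for v in burst[:50])
    # A key the agent never needed, in a directory it never used: blocked outright.
    results["ssh_key"] = mon.check(Event(101.5, "claude", "read", ".ssh/id_ed25519"))
    # Back to normal work once the window has drained.
    results["later_src_edit"] = mon.check(Event(200.0, "claude", "write", "src/main.rs"))
    # An agent with no baseline at all gets nothing until it has been profiled.
    results["unprofiled_agent"] = mon.check(Event(200.5, "cursor", "read", "notes/todo.md"))
    return results
```

The order of the two checks matters: the directory rule runs first and does not record the event, so a blocked probe never widens the agent's baseline, while every allowed access does.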
Filesystem protection is Phase 1 and 2. Phase 3 extends the boundary to the network. Agents that try to exfiltrate data over HTTP, WebSocket, or DNS tunneling are intercepted at the kernel level before packets leave the machine.
Protection policies that can be verified, signed, and shared. A team of developers can agree on a security baseline and cryptographically guarantee it hasn't been tampered with. Your phylax.toml becomes a verifiable security contract.
Phase 3 details will be published when the kernel driver ships. Some things are better shown than told.
This Project Is Personal
I built Phylax because I lost data. Real data. Hours of work. API keys. System stability. I don't want anyone else to experience that.
AI agents are the future of software development. But they need guardrails. Not because they're bad - because they're powerful. And power without boundaries is dangerous.
Phylax is that boundary.