Documentation

Everything you need to protect your code from AI agents.

Phylax sits between your filesystem and any AI agent. This guide covers every command, concept, and configuration option.

Getting Started

Install Phylax with a single PowerShell command. No accounts, no cloud, no telemetry.

PowerShell
irm https://raw.githubusercontent.com/TheUser99-spec/Phylax/main/install.ps1 | iex

Once installed, two commands get you protected:

Terminal
phylax init       # Creates phylax.toml, starts daemon, registers your project
phylax run        # Opens the live terminal dashboard (60fps)

That's it. Phylax is now running. Any AI agent that tries to touch a denied file gets ACCESS_DENIED from the Windows kernel.

Daemon Lifecycle

The daemon runs invisibly in the background - no console window, survives terminal close. It applies and removes Windows ACLs as protections change.

| Command | What it does |
| --- | --- |
| phylax daemon start | Start daemon invisibly in the background |
| phylax stop | Stop daemon - releases all Windows file locks |
| phylax run | Daemon + TUI dashboard together |
| phylax ui | TUI only (daemon must already be running) |
| phylax status | Live view: projects, agents, events, blocks |
| phylax update | Auto-update from GitHub |

Understanding file locks

While the daemon runs, files matching [deny] rules are locked by Windows ACLs. You cannot edit them either. To modify .env, phylax.toml, or any denied file:

phylax stop
# edit your files safely...
phylax daemon start

You can also press Q in the TUI dashboard to stop the daemon, or use phylax project off to temporarily disable protection without stopping the daemon.

All Commands

Every command available. Use phylax --help for the full CLI reference.

Project

| Command | Description |
| --- | --- |
| phylax init | Create phylax.toml, start daemon, register project |
| phylax project validate | Validate phylax.toml syntax and rules |
| phylax project check -f <file> -o <op> | Dry-run: what would happen if an agent tried <op> on <file> |
| phylax project verify | Audit: counts effective deny coverage vs expected |
| phylax project on | Turn protection ON for current project |
| phylax project off | Turn protection OFF (files become accessible) |

Global Rules

| Command | Description |
| --- | --- |
| phylax global add deny "*.env" | Add a global deny rule (applies to all projects) |
| phylax global add ask "Cargo.lock" | Add a global ask rule |
| phylax global list | List all active global rules |
| phylax global remove <id> | Remove a global rule by ID |

Audit & Monitoring

| Command | Description |
| --- | --- |
| phylax status | Live overview: running projects, active agents, blocked events, rules loaded |
| phylax audit list | View recent audit history (blocked/allowed events) |
| phylax audit tail | Follow audit events in real time (like tail -f) |

Permission Model

Phylax uses a priority-ordered bucket system. Deny always wins - even if a file matches multiple buckets, the highest priority takes effect.

Priority, from high to low:

1. deny: No access
2. ask: User approves
3. full: All allowed
4. delete: Read + Delete
5. write: Read + Write
6. read: Read only

| Bucket | Read | Write | Delete | When to use |
| --- | --- | --- | --- | --- |
| [deny] | No | No | No | Secrets, keys, policy files |
| [ask] | Prompt | Prompt | Prompt | Sensitive but legitimate operations |
| [full] | Yes | Yes | Yes | Trusted project directories |
| [delete] | Yes | No | Yes | Files safe to read and delete, not modify |
| [write] | Yes | Yes | No | Source code and docs |
| [read] | Yes | No | No | Reference files, README |

Conservative default

When no rule matches a file: read is allowed, write asks the user, and delete is denied.

phylax.toml

The configuration file lives at the root of your project. It defines what each bucket protects using glob patterns.

phylax.toml
[project]
name = "my-project"
default = "conservative"

[deny]
files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]

[ask]
files = ["Cargo.lock", "package-lock.json", "migrations/**"]

[write]
files = ["src/**", "tests/**", "docs/**"]

[read]
files = ["README.md", "docs/**"]

Mandatory deny patterns

The daemon always denies these paths, even if they're missing from your config:

phylax.toml · .env · .env.* · .git/** · **/*.key · **/*.pem · **/*.p12 · **/*.pfx
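
The permission model, the sample phylax.toml and the mandatory deny list above can be combined into one policy check. The following is an added example, not Phylax's own code: it models the decision that a dry run such as phylax project check reports, assuming that patterns are matched against the project-relative path, that `**` crosses directory separators while `*` does not, and that a matched bucket with "No" for an operation means deny. The names check and glob_to_regex are hypothetical.

```python
import re

PRIORITY = ["deny", "ask", "full", "delete", "write", "read"]  # highest first
# Operations each permissive bucket grants (the page's Read/Write/Delete table).
GRANTS = {"full": {"read", "write", "delete"}, "delete": {"read", "delete"},
          "write": {"read", "write"}, "read": {"read"}}
# Paths the page says the daemon denies even when the config omits them.
MANDATORY_DENY = ["phylax.toml", ".env", ".env.*", ".git/**",
                  "**/*.key", "**/*.pem", "**/*.p12", "**/*.pfx"]
CONSERVATIVE = {"read": "allow", "write": "ask", "delete": "deny"}

# The page's sample phylax.toml, as the dict a TOML parser would produce.
CONFIG = {
    "deny": {"files": [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]},
    "ask": {"files": ["Cargo.lock", "package-lock.json", "migrations/**"]},
    "write": {"files": ["src/**", "tests/**", "docs/**"]},
    "read": {"files": ["README.md", "docs/**"]},
}

def glob_to_regex(pattern):
    """Assumed glob semantics: '**' crosses '/', '*' and '?' stay in one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out)

def check(config, path, op):
    """Return (decision, bucket) for op in {'read', 'write', 'delete'} on path."""
    path = path.replace("\\", "/")  # normalise Windows separators before matching
    rules = {b: list(config.get(b, {}).get("files", [])) for b in PRIORITY}
    rules["deny"] += MANDATORY_DENY
    for bucket in PRIORITY:  # the highest-priority matching bucket decides
        if any(glob_to_regex(p).fullmatch(path) for p in rules[bucket]):
            if bucket in ("deny", "ask"):
                return bucket, bucket
            return ("allow" if op in GRANTS[bucket] else "deny"), bucket
    return CONSERVATIVE[op], "default"
```

Under these assumptions, src\keys\signing.key is denied by the mandatory `**/*.key` pattern even though `src/**` is in [write], and the `docs/**` entry in [read] never takes effect because [write] outranks it.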

Anti-Bypass Protection

Phylax applies three independent layers of Windows security to each denied file. Even if one layer is bypassed, the others still hold.

Layer 1
Mechanism: DENY ACE → Everyone → GENERIC_ALL
Blocks: Read, write, delete
Bypass attempt: None - kernel enforces

Layer 2
Mechanism: DENY ACE → Everyone → WRITE_DAC | WRITE_OWNER | DELETE
Blocks: ACL modification, ownership change, file deletion
Bypass attempt: Agent tries to remove ACLs

Layer 3
Mechanism: MIC label → High Integrity + NO_WRITE_UP
Blocks: Writes from Medium-integrity processes
Bypass attempt: icacls /remove:d (blocked)

Layer 3 is critical: even if an agent runs icacls /remove:d to strip the DENY ACE, it fails because the agent runs at Medium integrity and the file is labeled High integrity with NO_WRITE_UP. The kernel rejects the write regardless of ownership.
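
To confirm that a denied file actually carries all three layers, its security descriptor can be audited in SDDL form. The following is an added example, not part of Phylax: it parses an SDDL string and reports each layer separately, using the standard SDDL codes (D = deny ACE, WD = Everyone, GA = GENERIC_ALL, ML/NW/HI = mandatory label, no-write-up, high integrity). The sample descriptor is constructed, and the exact descriptor Phylax writes is an assumption.

```python
import re

# Access-mask bits for the SDDL rights codes this check needs.
RIGHTS = {"GA": 0x10000000, "FA": 0x1F01FF, "SD": 0x10000,
          "RC": 0x20000, "WD": 0x40000, "WO": 0x80000, "NW": 0x1}
FILE_ALL_ACCESS = RIGHTS["FA"]
ACL_CONTROL = RIGHTS["WD"] | RIGHTS["WO"] | RIGHTS["SD"]  # layer 2 rights
EVERYONE = {"WD", "S-1-1-0"}
HIGH_INTEGRITY = {"HI", "S-1-16-12288"}

# Constructed sample: a descriptor showing all three layers from the page.
SAMPLE = "O:BAG:SYD:(D;;GA;;;WD)(D;;WDWOSD;;;WD)(A;;FA;;;BA)S:(ML;;NW;;;HI)"

def parse_mask(rights):
    """Turn an SDDL rights field ('WDWOSD' or '0xd0000') into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    # Two-letter codes; codes not listed in RIGHTS contribute no bits here.
    return sum(RIGHTS.get(rights[i:i + 2], 0) for i in range(0, len(rights), 2))

def parse_aces(sddl):
    """Yield (acl, ace_type, mask, sid) for each ACE in the DACL and SACL."""
    for part in re.finditer(r"([DS]):[A-Z]*((?:\([^)]*\))+)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", part.group(2)):
            fields = ace.split(";")  # type;flags;rights;object;inherit;sid
            yield part.group(1), fields[0], parse_mask(fields[2]), fields[5]

def audit_layers(sddl):
    """Report which of the three layers the descriptor shows."""
    deny_everyone, label_ok = 0, False
    for acl, ace_type, mask, sid in parse_aces(sddl):
        if acl == "D" and ace_type == "D" and sid in EVERYONE:
            deny_everyone |= mask  # combine all deny ACEs for Everyone
        if acl == "S" and ace_type == "ML" and sid in HIGH_INTEGRITY:
            label_ok = bool(mask & RIGHTS["NW"])
    deny_all = bool(deny_everyone & RIGHTS["GA"]) or \
        (deny_everyone & FILE_ALL_ACCESS) == FILE_ALL_ACCESS
    return {"layer1_deny_all": deny_all,
            "layer2_deny_acl_control":
                (deny_everyone & ACL_CONTROL) == ACL_CONTROL,
            "layer3_high_label_no_write_up": label_ok}
```

A result with any layer reported as False on a file that should be denied indicates drift between the policy and what is enforced on disk.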

Phase 1 vs Phase 2

Phase 1 (Current)

Protection is active while the daemon runs. phylax stop removes DENY ACEs and files become accessible. ACEs apply to Everyone (including you). There is a ~750ms polling window between agent detection and ACE application. Audit logs in SQLite are user-writable.

Phase 2 (In Development - driver/)

A C++ kernel minifilter driver pauses I/O IRPs inline at the kernel level. Protection survives daemon restart. Per-agent overrides and ask flow enforce in real time. Audit logs are tamper-proof at kernel level. phylax stop no longer removes protection - the driver persists independently.

| | Phase 1 | Phase 2 |
| --- | --- | --- |
| Enforcement | Windows ACLs | Kernel I/O interception |
| Protection on daemon stop | Removed | Persists (driver stays loaded) |
| Per-operation control | ACL-based | IRP-level pause & inspect |
| Ask flow | Not enforceable | IRP paused, waits for user |
| Per-agent rules | Stored, not evaluated | PID passed to daemon |
| Audit integrity | User-writable SQLite | Kernel-level, tamper-proof |
| Bypass via killing daemon | Possible | Blocked |

The kernel driver lives in driver/phylax.sys. It communicates with the Rust daemon via IOCTLs on a device interface. It is optional - Phase 1 works entirely in user mode.