Phylax - OS-level Protection for AI Coding Agents
Windows security layer for AI coding agents
Phylax stops AI agents before they touch your private files.
Real OS-level protection. The kernel returns ACCESS_DENIED, the agent never sees a single byte.
100% local · No accounts · No cloud · No telemetry
phylax daemon
08:16:08 AGENT opencode.exe detected
08:16:08 TRY opencode.exe → .env
08:16:08 MATCH deny bucket → .env
08:16:08 BLOCK ACCESS_DENIED
08:16:09 AUDIT stored in local SQLite
01 Why Phylax
The problem is real. The solution is local.

The problem: AI agents like Claude Code, Cursor, and OpenCode have full filesystem access. They can read, write, or delete anything.
The solution: Phylax puts a real OS-level boundary between them and your secrets. No proxy, no wrapper. The kernel enforces it.

100% Local
No account, no cloud, no telemetry. Everything stays on your machine. Audit logs in local SQLite. Works fully offline.

Multi-Agent Detection
Recognizes Claude, Cursor, OpenCode, Copilot, Windsurf, Aider, and more. Detects agents by process name, environment variables, and child inheritance.

OS-level Enforcement
Applies real Windows ACLs (DENY ACEs + Mandatory Integrity Control). The kernel itself returns ACCESS_DENIED - the agent never touches the file.

Anti-bypass protection
Phylax applies three layers of Windows security to every denied file: DENY ACEs for read/write/delete, WRITE_DAC protection for ACL modification, and Mandatory Integrity Control to stop privilege bypass.
02 How it works
Three steps. Zero cloud.
No cloud proxy, no API keys, no network required. Everything runs locally on your machine.

01 Detect
Identifies AI agent processes by image name, environment variables, and command-line inspection. Child processes inherit the agent label automatically.

02 Decide
Checks your phylax.toml rules against the file path and operation. Deny always wins. Priority-ordered buckets resolve every access attempt.

03 Block
Applies real Windows ACLs. The kernel returns ACCESS_DENIED before the agent touches a single byte. No userspace trick can bypass it.
03 Real example
A real example.
This is what happens when an AI agent tries to access a protected file.

phylax audit tail
08:16:08 AGENT opencode.exe detected (env: OPENAICLIENT)
08:16:08 TRY opencode.exe → read .env.local
08:16:08 MATCH deny bucket → .env.*
08:16:08 BLOCK DENY ACE applied → ACCESS_DENIED
08:16:08 MIC High Integrity label applied
08:16:09 AUDIT event stored in local SQLite
Three layers of Windows security: DENY ACEs block file access, WRITE_DAC prevents ACL modification, and Mandatory Integrity Control stops privilege bypass. The kernel returns ACCESS_DENIED, the agent never sees a single byte.
04 Policies
Choose your protection level.
Phylax uses six permission buckets ordered by priority. Deny always wins. Start with a preset, then customize via phylax.toml.

Priority: deny › ask › full › delete › write › read
deny: Complete block
ask: User approves
full: Unrestricted
delete: Read + Delete
write: Read + Write
read: Read only

Conservative default
When no rule matches: read = Allow, write = Ask, delete = Deny.
Recommended (Best first run)
Protects secrets and critical files. Source edits are fast. Lockfile changes ask for confirmation.
Blocks .env, .pem, .key. Allows src/** and tests/**. Prompts for migrations and lockfiles.

[project]
name = "my-phylax-project"
default = "conservative"

[deny]
files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]

[ask]
files = ["Cargo.lock", "package-lock.json", "migrations/**"]

[write]
files = ["src/**", "tests/**", "docs/**"]

[read]
files = ["README.md", "docs/**"]

Strict (Maximum control)
Maximum security. Every source edit and lockfile change requires explicit approval.
Denies .env, .pem, .key, .p12, .pfx, secrets/**. Asks for every source edit. Read-only by default.
[project]
name = "phylax-strict"
default = "conservative"

[deny]
files = [".env", ".env.*", "secrets/**", "keys/**", "*.pem", "*.key", "*.p12", "phylax.toml"]

[ask]
files = ["src/**", "tests/**", "Cargo.lock", "package-lock.json", "migrations/**"]

[read]
files = ["README.md", "docs/**", "src/**", "tests/**"]

Fast & Flexible (Low friction)
Lets agents edit freely. Only secrets and the manifest are protected.
Blocks .env, .pem, .key, phylax.toml. Everything else is writable. No prompts for normal edits.
[project]
name = "phylax-fast"
default = "conservative"

[deny]
files = [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"]

[write]
files = ["src/**", "tests/**", "docs/**", "examples/**", "Cargo.lock", "package-lock.json"]

[read]
files = ["README.md", "docs/**", "src/**", "tests/**", "examples/**"]
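The priority-ordered bucket resolution and conservative default described in this section, as an added example that is not Phylax's own code: a Python resolver run against the tables of the Recommended preset. The function names are hypothetical, and three behaviours are assumptions the page does not specify: a pattern without a slash is matched against the file name at any depth, paths are normalized and case-folded before matching, and an operation the matched bucket does not grant is denied.

```python
# Added example, not Phylax source; the matching rules below are assumptions.
import posixpath
from fnmatch import fnmatchcase

# Buckets in the page's priority order, and the operations each one grants.
PRIORITY = ["deny", "ask", "full", "delete", "write", "read"]
GRANTS = {
    "full": {"read", "write", "delete"},
    "delete": {"read", "delete"},
    "write": {"read", "write"},
    "read": {"read"},
}
# "Conservative default" from the page, applied when no rule matches.
CONSERVATIVE = {"read": "allow", "write": "ask", "delete": "deny"}

# The "Recommended" preset from the page, as parsed phylax.toml tables.
RECOMMENDED = {
    "deny": [".env", ".env.*", "secrets/**", "*.pem", "*.key", "phylax.toml"],
    "ask": ["Cargo.lock", "package-lock.json", "migrations/**"],
    "write": ["src/**", "tests/**", "docs/**"],
    "read": ["README.md", "docs/**"],
}


def normalize(path):
    """Project-relative path: forward slashes, '..' resolved, case-folded."""
    return posixpath.normpath(path.replace("\\", "/")).casefold()


def matches(path, pattern):
    """Assumed glob rule: a pattern without '/' is tested on the file name."""
    pattern = pattern.casefold()
    target = path if "/" in pattern else posixpath.basename(path)
    return fnmatchcase(target, pattern)


def decide(policy, path, op):
    """Return (decision, bucket) for one access attempt."""
    path = normalize(path)
    for bucket in PRIORITY:
        if any(matches(path, p) for p in policy.get(bucket, [])):
            if bucket in ("deny", "ask"):
                return bucket, bucket
            # Assumption: an operation the bucket does not grant is denied.
            return ("allow" if op in GRANTS[bucket] else "deny"), bucket
    return CONSERVATIVE[op], "default"
```

Normalizing before matching is what makes a spelling such as `src\..\.ENV` resolve to the same deny rule as `.env` on a case-insensitive Windows filesystem.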
05 Install
One command. Zero configuration.
One command. No...