Phylax
Health Warn
- License — License: Apache-2.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Pass
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions — No dangerous permissions requested
No AI report is available for this listing yet.
Phylax a security layer for AI coding agents. It enforces fine grained read, write, and delete permissions using explicit policy buckets and OS level controls, ensuring agents operate safely within defined boundaries.
⭐ Phylax | OS-level protection for AI coding agents
A Windows security layer that applies real ACLs so the kernel blocks AI agents from touching protected files.
- Blocks reads to
.env, keys, secrets via DENY ACEs - Blocks deletes to
migrations/, config, infra via MIC labels - Works with Claude Code, Cursor, Windsurf, Aider, OpenCode, Copilot
- Phase 1: user-mode ACL enforcement. Phase 2: kernel minifilter driver (in development)
- Open source (Apache 2.0). 100% local. Seeking technical review.
Technical feedback & security review appreciated.
Found a limitation? Open an issue. Want to audit the code?cargo build --workspace.
What is Phylax
Phylax is a safety boundary for AI coding agents. It ensures agents can edit your source code — but never touch your secrets, configs, or system files.
Under the hood, it applies real Windows ACLs so the OS kernel itself returns ACCESS_DENIED before the agent ever touches a protected file. Claude Code, Cursor, OpenCode, Copilot, Windsurf, Aider — it doesn't matter which agent. If the kernel says no, the agent gets nothing.
Why it exists
AI agents have unrestricted filesystem access. They can read secrets, delete migrations, or wipe config files — without asking.
Real examples from the wild:
Claude tried to delete migrations/ → BLOCKED
Cursor tried to read .env → BLOCKED
OpenCode tried to modify secrets/ → BLOCKED
Thousands of open issues across Claude Code, Cursor, Copilot, and others document agents silently destroying data. Not because they're malicious — because they don't understand context, value, or consequence.
Phylax draws a boundary. The agent can edit your source code. It can never touch your .env, your SSH keys, or your policy files.
Install
Inspect the installer first:
install.ps1
irm https://raw.githubusercontent.com/TheUser99-spec/Phylax/main/install.ps1 | iex
phylax init
phylax run
git clone https://github.com/TheUser99-spec/Phylax.git
cd Phylax
cargo build --workspace --release
Who is this for?
- Vibe coders using Claude, Cursor, Windsurf, or any AI coding tool
- Developers working with agents that hallucinate file operations
- Anyone with
.env, API keys, configs, or infrastructure files - Teams who want agent productivity without agent risk
- People who've already lost data to an AI agent and never want it to happen again
Why Phylax is different
| Not this | This |
|---|---|
| Not a linter | Kernel-level enforcement |
| Not a sandbox | Real Windows ACLs + MIC labels |
| Not a plugin | Works with all agents, no integration needed |
| Not a prompt rule | The OS blocks the I/O — the agent can't override it |
| No cloud dependency | 100% local, zero telemetry |
How it works
- Detect — Phylax identifies AI agent processes by name, environment variables, and command-line inspection
- Classify — Every file I/O is checked against your
phylax.tomlrules - Enforce — Matched files get DENY ACEs + Mandatory Integrity Control labels. The Windows kernel blocks access at ring 3
- Audit — Every blocked attempt is logged in local SQLite
🛡️ Anti-bypass (3 layers of protection)
Even if an agent tries to modify ACLs or take ownership, Phylax blocks it at the OS level.
| Layer | Mechanism | Blocks |
|---|---|---|
| 1 | DENY ACE → Everyone → GENERIC_ALL | Read, write, delete |
| 2 | DENY ACE → Everyone → WRITE_DAC, WRITE_OWNER, DELETE | ACL modification, ownership change |
| 3 | MIC label → High Integrity + NO_WRITE_UP | icacls /remove:d and privilege bypass |
Layer 3 is the kill shot: even if an agent runs icacls /remove:d to strip the DENY ACE, it fails because the agent runs at Medium integrity while the file is labeled High integrity with NO_WRITE_UP. The kernel rejects the write regardless of ownership.
Permission model
Six buckets ordered by priority. Deny always wins.
| Priority | Bucket | Meaning |
|---|---|---|
| 1 | [deny] |
Complete block |
| 2 | [ask] |
User must approve |
| 3 | [full] |
Unrestricted |
| 4 | [delete] |
Read + Delete |
| 5 | [write] |
Read + Write |
| 6 | [read] |
Read only |
When no rule matches: read allowed, write asks, delete denied.
phylax.toml
[project]
name = "my-project"
default = "conservative"
[deny]
files = [".env", ".env.*", "secrets/**", "*.pem", "*.key"]
[ask]
files = ["Cargo.lock", "migrations/**"]
[write]
files = ["src/**", "tests/**"]
[read]
files = ["README.md", "docs/**"]
Commands
| Command | What it does |
|---|---|
phylax init |
Create phylax.toml, start daemon, register project |
phylax run |
Start daemon + open dashboard (60fps) |
phylax stop |
Stop daemon (releases file locks) |
phylax status |
Live status: projects, agents, events, blocks |
phylax project validate |
Validate phylax.toml syntax |
phylax project check -f <f> -o <op> |
Dry-run file access check |
phylax project verify |
Audit protection coverage |
phylax global add deny "*.env" |
Add global deny rule |
phylax audit list |
View audit history |
phylax update |
Auto-update from GitHub |
Build from source
git clone https://github.com/TheUser99-spec/Phylax.git
cd Phylax
cargo build --workspace --release
Roadmap
- Process detection & AI agent classification
- phylax.toml parser with glob-based policy engine
- Windows ACL/ACE enforcement
- Three-layer anti-bypass (DENY ACEs + MIC labels)
- SQLite audit log
- IPC protocol (20 request types)
- Terminal dashboard (ratatui, 60fps)
- Unified CLI
- Invisible daemon
- Kernel minifilter driver (Phase 2)
- Agent-only blocking (no need to stop daemon)
- Cross-platform (macOS/Linux)
Docs
| Doc | Topic |
|---|---|
| Quickstart | Complete guide |
| Architecture | System design |
| Core types | Permission model |
| Manifest & policy | phylax.toml |
| Storage & audit | SQLite schema |
| Detection | Process classification |
| IPC & daemon/CLI | Protocol + lifecycle |
| ADR index | Architecture decisions |
| Landing page | Full product site |
| Tutorial | 5-minute setup guide |
| Tutorial Kit | Video scripts for content creators |
| Press Kit | Brand assets, logos, colors |
| Curriculum | Full course structure (35 lessons) |
Community
- ⭐ GitHub — stars, issues, contributions
- 🐦 X / Twitter — updates, announcements
- 📖 Documentation — full reference
- 🎓 Tutorial — get started in 5 minutes
- 🎬 Tutorial Kit — make a video about Phylax
License
Phylax is open-source under the Apache 2.0 License. See LICENSE.
Comes with no warranty. See DISCLAIMER.md.
If Phylax saved your .env today, you know what to do →
Built with Rust — Windows-first, agent-proof.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found