A prompt injection can win the argument with your agent's model. It can't win against the gate.
Here's why. When an injected README or a poisoned web page convinces your agent to do something harmful, the model's compromised decision still has to leave the harness as a tool call: install this, write that file, run this command. That call hits Dryx at the action boundary. Dryx checks the action against a verdict it already computed, with zero attention to the persuasive text that produced it.
The injection talked its way past the model. Then it ran into a wall that doesn't read.
That's the whole idea, made physical. Your agent anchors to Dryx before it acts. Offline. No model in the loop. The same verdict for the same action, every time.
Most security tools hand you a report and walk away. You read it, you triage it, you forget it. The risk it found is still sitting there the next time your agent acts.
Dryx started as a scanner — it maps what every AI agent on your Mac can reach. But a map you read once isn't where the danger lives. The danger lives at the moment your agent acts: installs the MCP server, writes the config, runs the command, reaches for the secret.
So Dryx moved to that moment. It compiles what it knows about your workspace into a fixed reference your agent takes its bearings from before every action, and stays silent on everything that's fine.
No dashboard to read. No alert to triage. Your agent already has the answer.
See the exposure graph Dryx maps, or why a scan-only or cloud-gateway tool isn't this.
Deterministic and instant sound like opposites. They aren't. You only have to separate the thinking from the checking.
On every inspection, Dryx walks your exposure graph across all seven risk layers and writes down a verdict for what each agent can reach. That becomes a signed WorkspacePolicy — a fixed picture of your workspace, stamped with when it was built and sealed with an offline signature so a forged “allow” can't slip in.
This is where the time goes. Seconds, if your workspace is rich. It happens off to the side, never while your agent is waiting.
When your agent goes to act, a tiny gate reads the action, looks up the answer in that signed policy, and comes back with a verdict. No network. No model. No re-thinking. Just a lookup against work already done.
Hot-path budget · under 10ms
That's how a verdict that took deep analysis to compute comes back fast enough to sit in front of every tool call. Covers more, never thinks more. See signing and verify-before-honor on /security.
Action Guard is the switch that puts Dryx at your agent's action boundary. It has three states, and you move through them at your pace.
The gate isn't armed. Dryx still maps your workspace and answers when your agent asks — it just isn't standing at the boundary.
The gate evaluates every action against the full policy and writes down what it would have stopped, without interrupting anything. You get a quiet record of the calls Dryx would have caught, so you can see how it'll behave before you let it act. One thing still holds the line even here: the destructive floor (think rm -rf /, dd to a disk) blocks in Observe too.
The gate is live. The safe majority pass through untouched. On a precomputed-dangerous action, your agent gets a verdict back — in its own voice, as its own careful reasoning — and the harmful call doesn't run.
Dryx will suggest moving to Enforce after a clean Observe window. It asks once. It never arms itself behind your back. See turning Action Guard on, or which build carries Enforce.
The honest answer most security tools won't give: the vast majority of what your agent does is fine, and a tool that interrupts you on the safe stuff trains you to turn it off.
So Dryx stays out of it. On an action that's authorized and in-bounds, the gate returns a silent allow: no prompt, no banner, no log line in your face. Your agent keeps working. You don't hear from Dryx at all.
It speaks only on a precomputed-dangerous action: a live secret heading for an endpoint that isn't on the allowlist, an install that resolves to a typosquat, a write to a protected config. Known truth, surfaced at the one moment it matters, in your agent's own words.
Silent on the safe majority · speaks once on real risk.
We think the right way to judge a tool like this is by how rarely you hear from it. A gate that's silent on the safe majority is one you leave armed, and a tool you leave armed is the only kind that ever catches anything. That's how this is supposed to work — verifiable, not taken on our word.
The verdict can't be fooled. The agent it protects still can.
That distinction is the whole design. Prompt injection works by talking the model into something. Dryx's verdict isn't a model — it's a lookup against a signed policy. There's no prompt to inject into a lookup. You can convince the agent; you cannot convince the answer.
So the realistic attack isn't “trick Dryx into allowing.” It's “get Dryx out of the way.” We treat the gate itself as something worth attacking, and we say so plainly.
Here's the honest ceiling. This is a defense that runs in your user space, against attacks that run in the same user space. A determined process that races us can take the gate down; what Dryx guarantees against that is to be loudly visible about it, not to stay armed. We'd rather tell you that than sell you a tool that hides its own edges.
Read the full hook-integrity, verify-before-honor, and disclosure policy.
Is there any reasoning on the hot path? No. And that's a feature, not a shortcut.
The gate doesn't weigh, infer, or interpret. It reads the action, looks up the verdict that was already computed, and returns it. Same action, same workspace, same answer — every single time. Nothing to talk it out of, nothing that drifts between runs, nothing that phones home to decide.
The reasoning happened earlier, on the slow path, when Dryx compiled the policy from your exposure graph. The hot path inherits that reasoning frozen. That split is what lets a deterministic verdict be instant, and what lets you treat “allow” as a fact you can build on, not a probability that might flip tomorrow.
It also gives you something no model-based gate can. When you override a verdict once, Dryx remembers exactly — and only — what you allowed. That permission is tied to the precise action and the exact state of your workspace. Change the workspace and the permission stops matching, so Dryx asks again, once, and tells you what changed.
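The slow-path/hot-path split, the signed policy with verify-before-honor, the three Action Guard states with their destructive floor, and the override pinned to the exact workspace state described above, as an added illustration that is not Dryx's own code. It assumes an HMAC stand-in for the offline signature, a constructed (kind, target) action form, and fail-closed behaviour on a tampered or unknown action.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: the signing key, policy layout and (kind, target) action form
# are this example's assumptions; Dryx's real format and hook API are not on the page.
POLICY_KEY = b"constructed-offline-signing-key"
# Destructive floor: holds in Observe as well as Enforce (the page's rm -rf /, dd to a disk).
DESTRUCTIVE_FLOOR = {("run", "rm -rf /"), ("run", "dd if=/dev/zero of=/dev/disk0")}

def canon(action):
    """Canonical key for a tool call, so the same action always looks up the same."""
    return f"{action[0]}:{action[1]}"

def sign(body):
    """Offline-signature stand-in: HMAC-SHA256 over the canonical JSON of the policy body."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(POLICY_KEY, msg, hashlib.sha256).hexdigest()

def compile_policy(verdicts, built_at):
    """Slow path: freeze precomputed verdicts into a stamped, signed WorkspacePolicy."""
    body = {"built_at": built_at, "verdicts": {canon(a): v for a, v in verdicts.items()}}
    return {"body": body, "sig": sign(body)}

def fingerprint(workspace):
    """Hash of the exact workspace state an override is pinned to."""
    return hashlib.sha256(json.dumps(workspace, sort_keys=True).encode()).hexdigest()

def override(overrides, action, workspace):
    """Remember exactly, and only, this action as allowed in this workspace state."""
    overrides.add((canon(action), fingerprint(workspace)))

def gate(policy, action, mode, workspace, overrides=frozenset()):
    """Hot path: verify before honor, then a pure lookup. No model, no network."""
    if mode == "off":
        return "allow"  # not armed: nothing stands at the boundary
    if not hmac.compare_digest(sign(policy["body"]), policy["sig"]):
        return "deny"  # a tampered or forged policy is never honored (fail closed: assumption)
    if action in DESTRUCTIVE_FLOOR:
        return "deny"  # the floor blocks even in Observe
    verdict = policy["body"]["verdicts"].get(canon(action), "deny")  # default deny: assumption
    if verdict == "deny":
        key = (canon(action), fingerprint(workspace))
        if key in overrides:
            return "allow"  # matches the exact action in the exact workspace state
        if any(a == key[0] for a, _ in overrides):
            return "ask"  # same action, workspace changed: the permission no longer matches
        if mode == "observe":
            return "would_deny"  # written down, not blocked
    return verdict
```

The same action against the same signed policy and workspace returns the same string every call; a policy whose body is edited after signing is refused before any verdict is read.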
Compare a deterministic lookup against an LLM-guardrail or cloud-gateway tool.
We'll state the scope as plainly as we'd want a tool to state it to us.
What that means in practice:
Dryx takes real risk off the table at the action boundary. It does not take all risk away. A tool that claimed otherwise would be selling you false confidence, which, for an authority, is worse than nothing. See the structurally-empty seat.
One honest detail about how this ships, because it changes what you can do. Arming Enforce means letting a small, notarized helper stand at your agent's action boundary. The Mac App Store sandbox doesn't allow that helper. So the two builds differ on purpose.
Same inspection. Same exposure graph. Same signed policy underneath. The difference is whether Dryx can stand at the boundary or watch it from beside. See the Founding Member Lifetime or App Store vs direct download.
Dryx compiles one signed policy and stands it in front of every agent that exposes an action boundary, and watches the ones that don't.
Claude Code · Claude Desktop · Cursor · Codex CLI · Cline · GitHub Copilot · Windsurf · Gemini · Ollama — plus any MCP-capable agent, every agent on your machine.
Where a harness gives Dryx a hook, the gate enforces — live now on Claude Code, rolling out per agent through launch, with the goal of Enforce across all major supported agents by launch. Where a harness doesn't, Dryx keeps the voluntary reflex and passive monitoring — it still sees what landed. We tell you exactly which is live and which is next, in the app, rather than implying a coverage we haven't shipped.
One exposure graph behind all of them. That's the part nobody else built, and it's why the verdict can be cross-vendor instead of locked to one tool's idea of safe. See why cross-vendor + exposure-graph-aware is the empty seat.
Everything on this page is meant to be checkable, not taken on our word.
An authority that asks you to trust it isn't one. Verify, then anchor to it.
The action boundary is where the runtime authority lives. The frame around it is the Triad: you, your agent, and the Authority Anchor it consults.
You set the bearing and keep the override. Dryx asks once before it arms; it never arms itself behind your back.
Your agent acts — and relays Dryx's verdict back to you in its own voice, as its own careful reasoning.
The fixed, offline source of truth your agent takes its bearings from before it acts. It stays put. The action moves toward it.