Security & the Compiler

How rush build turns your source into a sealed, signed container — and what protects it at runtime.

The compiler

When you run rush build, Prix does not ship your source directory. It compiles your agent.yaml, prompt.yaml, and assets into a single encrypted container and writes an agent.lock that hashes every file inside.

agent.yaml + prompt.yaml + assets/
        │
        ▼   rush build  (encrypt, sign, lock)
        │
   [email protected]   →   encrypted · signed · tamper-locked

The prompt and orchestration logic live inside the encrypted container. They are never published in plaintext, so installing an agent does not expose how it works.

Integrity & signing

The container carries an Ed25519 signature. On install, the client verifies that signature and re-checks every file hash in agent.lock before the agent can run. A tampered or stale container fails the build outright.

$ rush build ./my-researcher
  Validated agent.yaml + prompt.yaml
  Prompt encrypted
  Signed with Ed25519
  Generated agent.lock (9 files hashed)

Build fails if agent.lock is missing or stale, or if any file hash no longer matches — that is the tamper check, enforced before the runtime ever loads the agent.

Runtime sandboxing

Agents declare the permissions they need. Users approve or deny them at install time, the way iOS does, and the runtime holds the agent to exactly what it asked for — no ambient access to the rest of the machine.

Build-time quality review

Before an agent reaches the registry, rush build runs an LLM review that flags rigid rules, missing sections, and prompt smells. Publishing is gated on a clean pass (disable with --skip-quality during local iteration).

The moment rush publish returns, your agent is already encrypted and signed. There is nothing extra to configure.