Security & the Compiler
How rush build turns your source into a sealed, signed container — and what protects it at runtime.
The compiler
When you run rush build, Prix does not ship your source directory. It compiles your agent.yaml, prompt.yaml, and assets into a single encrypted container and writes an agent.lock that hashes every file inside.
agent.yaml + prompt.yaml + assets/
│
▼ rush build (encrypt, sign, lock)
│
[email protected] → encrypted · signed · tamper-locked
The prompt and orchestration logic live inside the encrypted container. They are never published in plaintext, so installing an agent does not expose how it works.
Integrity & signing
The container carries an Ed25519 signature. On install, the client verifies that signature and re-checks every file hash in agent.lock before the agent can run. A tampered or stale container fails the build outright.
$ rush build ./my-researcher
Validated agent.yaml + prompt.yaml
Prompt encrypted
Signed with Ed25519
Generated agent.lock (9 files hashed)
The check fails if agent.lock is missing or stale, or if any file hash no longer matches; that is the tamper check, enforced before the runtime ever loads the agent.
Runtime sandboxing
Agents declare the permissions they need. Users approve or deny them at install time, the way iOS does, and the runtime holds the agent to exactly what it asked for — no ambient access to the rest of the machine.
Build-time quality review
Before an agent reaches the registry, rush build runs an LLM review that flags rigid rules, missing sections, and prompt smells. Publishing is gated on a clean pass (disable with --skip-quality during local iteration).
By the time rush publish returns, your agent is already encrypted and signed. There is nothing extra to configure.