HELM

HELM is a fail-closed execution firewall for AI agent tool calls.

HELM sits between agents and the tools they want to use. It checks actions before execution, returns allow, deny, or escalate verdicts, and records a receipt for the decision. It is not an agent framework, copilot, or generic orchestration dashboard.

Start inside HELM

Choose the surface by the action risk you need to control.

Mindburn Labs stays the company wrapper. HELM owns the product-local paths for developers, operating teams, enterprise evaluators, and standards readers.

Developers / OSS

Secure agent tool calls now.

Start with the Apache-2.0 kernel, CLI/API, proxy, receipts, demo, and GitHub repo.

Teams / operators

Ship agentic features without losing control.

Use HELM as the boundary for approvals, policies, evidence handling, and operator workflow around the same kernel.

Enterprise evaluators

Evaluate execution authority and auditability.

Review PEP/CPI, ProofGraph, EvidencePacks, fail-closed connectors, deployment isolation, and evidence retention.

Research / standards

Inspect the protocol and proof model.

Use research, public artifacts, and HELM proof surfaces to separate current implementation from long-horizon thesis.

Mechanism

Agent action → policy check → verdict → execution or block → receipt.

The model proposes an action. HELM evaluates authority at the boundary. Allowed actions can proceed. Denied actions stop. Ambiguous actions wait for human approval. Every verdict creates evidence.

Agent action: Refund $42
Policy check: support-refund-boundary.v1
Verdict: Allow
Receipt: demo.refund-trap.03

Agent action: Export customer list
Policy check: data scope
Verdict: Deny
Receipt: demo.refund-trap.05
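
The flow above, sketched as an added example that is not HELM's code or API: a fail-closed gate that returns allow, deny, or escalate, writes a receipt bound to the action hash before anything runs, and lets the receipt be checked afterwards. The policy table, the $50 refund threshold, the function names, and the use of an HMAC in place of a real signature are all assumptions made for illustration.

```python
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a real signature

def refund_rule(args):
    amount = args["amount"]  # missing field raises, which decide() turns into deny
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        raise ValueError("malformed amount")
    return "allow" if amount <= 50 else "escalate"  # assumed threshold

# Hypothetical policy table: tool name -> rule returning a verdict.
POLICY = {"refund": refund_rule, "export_customer_list": lambda args: "deny"}

def decide(action):
    """Unknown tools, rule errors and unexpected rule output all deny (fail closed)."""
    try:
        verdict = POLICY[action["tool"]](action["args"])
    except Exception:
        return "deny"
    return verdict if verdict in ("allow", "deny", "escalate") else "deny"

def _canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _mac(body):
    return hmac.new(SIGNING_KEY, _canon(body), hashlib.sha256).hexdigest()

def gate(action, execute):
    """Decide, write the receipt, and only then run the tool if the verdict is allow."""
    verdict = decide(action)
    body = {"action_sha256": hashlib.sha256(_canon(action)).hexdigest(), "verdict": verdict}
    receipt = dict(body, mac=_mac(body))
    result = execute(action) if verdict == "allow" else None
    return receipt, result

def verify(receipt, action):
    """Check the receipt offline: MAC is intact and it is bound to this exact action."""
    body = {"action_sha256": receipt.get("action_sha256"), "verdict": receipt.get("verdict")}
    bound = body["action_sha256"] == hashlib.sha256(_canon(action)).hexdigest()
    return bound and hmac.compare_digest(_mac(body), str(receipt.get("mac", "")))
```

An escalate verdict here simply withholds execution; the human approval step that would release it is outside this sketch.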

Use cases

HELM governs actions that need authority.

The common pattern is not a chat interface. It is a proposed side effect that must be checked before it touches the world.

Action class

Tool calls

Evaluate tool intent before a connector runs.

Action class

Code deployment

Require policy and approval before changes reach infrastructure.

Action class

Data access

Keep reads and exports inside scoped authority.

Action class

Refunds / payments

Allow small actions, escalate larger ones, deny out-of-scope requests.

Action class

External communications

Hold outbound messages when review is required.

Action class

Infrastructure changes

Block side effects when the boundary cannot verify the action.

Architecture

Simple surface first. Technical depth one layer down.

HELM exposes a plain boundary: action, policy, verdict, receipt. The technical model underneath uses a policy enforcement point, deterministic validation, ProofGraph records, EvidencePacks, signed receipts, and fail-closed connector behavior.

Policy Enforcement Point

The side-effect boundary where authority is checked before dispatch.

Constraint and Proof Interface

The deterministic validator for policy and proof constraints.

ProofGraph

The causal record of intents, verdicts, receipts, and effects.

EvidencePack

A signed evidence bundle that lets a decision be checked outside the live system.

Product-local surfaces

One kernel. Different operating contexts.

The OSS kernel is public. Team workflow and enterprise evaluation language must stay additive and source-backed.

Implemented / public

Developers and OSS

Apache-2.0 execution kernel, CLI/API, proxy, evidence export, verifier path, and public SDK surfaces.

Commercial workflow

Teams and operators

Organizational workflow around the kernel: policies, approvals, evidence services, retention, and operator surfaces. Treat this as the Teams bridge unless stronger SKU docs say more.

Evaluation / target state

Enterprise evaluators

Institutional deployment patterns belong here only when source evidence supports the public wording: architecture, isolation, auditability, evidence, and retention.

Anti-claim

Not a generic orchestration product.

HELM does not try to be the agent. It governs whether proposed execution is allowed.

HELM proof

Inspect the artifacts behind the claim.

HELM should never ask for trust first. This section points to the repo, versioned artifact, protocol notes, demo receipt, and verifier path.

Public Apache-2.0 OSS kernel repository for HELM's execution boundary.

public-proof

HELM OSS v0.4.0

Current public HELM OSS line used by this site for versioned proof references.

Public protocol note for receipt shape, hash binding, signer metadata, and replay requirements.

Scripted support-agent scenario with real receipt tamper verification against static signed fixtures.

preview

Verifier

Public verifier note for checking HELM evidence outside the runtime that produced it.

Models propose. HELM decides. Evidence proves.

Start with the OSS kernel, run the demo, or contact Mindburn Labs about an execution boundary.
