No cloud account
The local proof needs no model key, Docker, or production credentials.
HELM AI Kernel is a fail-closed execution firewall for local AI agents. It installs a local MCP server and PreToolUse hook, denies risky calls by default, and writes signed receipts for review.
Run it locally
brew install mindburnlabs/tap/helm-ai-kernel
helm-ai-kernel setup claude-code --yes 
Setup installs local Claude Code or Codex config and leaves approvals explicit.
A blocked tool call produces a receipt you can verify offline.
Toggle the conditions that decide whether the request is allowed, escalated, or denied. Then run the local Claude Code or Codex setup path to produce the same kind of receipt from a real tool call.
Fail-closed: human approval, connector scope missing for iam_permission_change.v3.
rcpt-demo-f703476e
Use Claude Code or Codex first. OpenClaw and Hermes stay as next demos after the first local denial and receipt verification path is clear.
Security evals are useful only when the boundary stays explicit. HELM controls effects that reach its policy path; it is not a substitute for model alignment, app sandboxing, or product review.
Blocks when the agent dispatches the request
LAN traffic drops and non-allowlisted HTTPS returns a proxy block.
Quarantines or escalates before dispatch
Unrecognized MCP/tool calls do not silently become trusted effects.
Outside the Kernel boundary until it becomes an action
A text attack that never reaches a tool needs model/app controls too.
Cannot catch an action the agent never attempts
Low-signal eval passes can mean no tool call reached the boundary.
After the model session ends, the record still shows what was requested, what HELM decided, and what evidence belongs with the decision.
Changed receipt - signature check fails.
See sample receipts and EvidencePacks
Install the local hook, deny one risky call, and verify the receipt before expanding to framework demos.
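The fail-closed decision and the changed-receipt check described above, as an added example that is not HELM's own code or receipt format. The policy table, the scope name `iam:write`, the verdict mapping and the receipt fields are assumptions, and HMAC-SHA256 with a constructed demo key stands in for whatever signature scheme HELM uses.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real signer would hold a private key.
DEMO_KEY = b"constructed-demo-key"
# Hypothetical policy: the scope each action needs and whether a human must approve.
POLICY = {
    "iam_permission_change.v3": {"scope": "iam:write", "approval": True},
    "read_file.v1": {"scope": "fs:read", "approval": False},
}

def decide(action, scopes, human_approved):
    """Return (verdict, missing). Only a fully satisfied rule yields ALLOW."""
    if action not in POLICY:
        return "DENY", ["unrecognized action"]  # unknown calls never become trusted
    rule = POLICY[action]
    missing = []
    if rule["approval"] and not human_approved:
        missing.append("human approval")
    if rule["scope"] not in scopes:
        missing.append("connector scope")
    if not missing:
        return "ALLOW", []
    # Assumed mapping: approval alone can be escalated, a missing scope cannot.
    return ("ESCALATE" if missing == ["human approval"] else "DENY"), missing

def _mac(body):
    # Canonical JSON so the same body always produces the same bytes to sign.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEMO_KEY, canonical, hashlib.sha256).hexdigest()

def issue_receipt(action, scopes, human_approved):
    """Record what was requested and what was decided, then sign the record."""
    verdict, missing = decide(action, scopes, human_approved)
    body = {"action": action, "verdict": verdict, "missing": missing}
    return {"body": body, "sig": _mac(body)}

def verify_receipt(receipt):
    """Offline check: recompute the MAC; malformed receipts fail closed."""
    try:
        return hmac.compare_digest(_mac(receipt["body"]), receipt["sig"])
    except (KeyError, TypeError):
        return False
```
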