Protect Claude Code or Codex before tools run.

HELM AI Kernel is a fail-closed execution firewall for local AI agents. It installs a local MCP server and PreToolUse hook, denies risky calls by default, and writes signed receipts for review.

Run it locally

brew install mindburnlabs/tap/helm-ai-kernel
helm-ai-kernel setup claude-code --yes

No cloud account: the local proof needs no model key, Docker, or production credentials.

MCP + hook: setup installs local Claude Code or Codex config and leaves approvals explicit.

Signed denial: a blocked tool call produces a receipt you can verify offline.

See one decision before it becomes a side effect.

Toggle the conditions that decide whether the request is allowed, escalated, or denied. Then run the local Claude Code or Codex setup path to produce the same kind of receipt from a real tool call.

Request: Change IAM permission
actor: admin-agent
policy: iam_permission_change.v3
target: Identity provider

HELM checks
Verdict: DENY

Fail-closed: human approval, connector scope missing for iam_permission_change.v3.

PermissionReceipt rcpt-demo-f703476e

Start with the agent you already use.

Use Claude Code or Codex first. OpenClaw and Hermes remain follow-on demos, to be added once the first local denial and receipt-verification path is clear.

What the Kernel catches, and what it does not.

Security evals are useful only when the boundary stays explicit. HELM controls effects that reach its policy path; it is not a substitute for model alignment, app sandboxing, or product review.

Network egress: blocks when the agent dispatches the request. LAN traffic drops and non-allowlisted HTTPS returns a proxy block.

Unknown tools: quarantined or escalated before dispatch. Unrecognized MCP/tool calls do not silently become trusted effects.

Prompt-only manipulation: outside the Kernel boundary until it becomes an action. A text attack that never reaches a tool needs model/app controls too.

Agent non-engagement: cannot catch an action the agent never attempts. Low-signal eval passes can mean no tool call reached the boundary.

Receipts make the decision reviewable.

After the model session ends, the record still shows what was requested, what HELM decided, and what evidence belongs with the decision.

verdict: ALLOW / DENY / ESCALATE
policy: policy snapshot
actor: request identity
receipt: recorded decision
signature: tamper check
EvidencePack: review bundle

Changed receipt - signature check fails.

See sample receipts and EvidencePacks
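An added example, not HELM's own code, showing the fail-closed decision from the demo card above and a receipt whose signature can be checked offline and fails once a field is changed. The page does not describe HELM's signing scheme or receipt fields, so HMAC-SHA256 with a locally held key, the field names and the policy condition names are assumptions.

```python
import hashlib
import hmac
import json

# Assumed: HELM's real signing scheme is not described on the page;
# HMAC-SHA256 with a local key stands in for it. Constructed demo key.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

def decide(request: dict, policy: dict) -> tuple[str, str]:
    """Fail-closed: every condition the policy requires must be present in the
    request, otherwise DENY and name what is missing (assumed condition names)."""
    missing = [c for c in policy["requires"] if not request.get(c)]
    if missing:
        return "DENY", f"Fail-closed: {', '.join(missing)} missing for {policy['id']}."
    if policy.get("escalate_on_allow"):
        return "ESCALATE", "Conditions present; routed for human approval."
    return "ALLOW", "All policy conditions present."

def canonical(receipt: dict) -> bytes:
    """Stable byte encoding of all signed fields (sorted keys, no whitespace)."""
    unsigned = {k: v for k, v in receipt.items() if k != "signature"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()

def sign_receipt(receipt: dict) -> dict:
    signed = dict(receipt)
    signed["signature"] = hmac.new(SIGNING_KEY, canonical(receipt), hashlib.sha256).hexdigest()
    return signed

def verify_receipt(signed: dict) -> bool:
    """Offline tamper check: recompute over stored fields, compare in constant time."""
    expected = hmac.new(SIGNING_KEY, canonical(signed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("signature", ""))

# Constructed sample matching the demo card: admin-agent asks to change IAM permission.
POLICY = {"id": "iam_permission_change.v3", "requires": ["human_approval", "connector_scope"]}
REQUEST = {"actor": "admin-agent", "action": "Change IAM permission", "target": "Identity provider"}

def build_receipt(request: dict = REQUEST, policy: dict = POLICY) -> dict:
    verdict, reason = decide(request, policy)
    return sign_receipt({"receipt": "rcpt-demo-f703476e", "actor": request["actor"],
                         "policy": policy["id"], "target": request["target"],
                         "verdict": verdict, "reason": reason})

def tampered(signed: dict) -> dict:
    """Flip DENY to ALLOW after the fact; the stored signature no longer matches."""
    changed = dict(signed)
    changed["verdict"] = "ALLOW"
    return changed

if __name__ == "__main__":
    r = build_receipt()
    print(r["verdict"], r["reason"], verify_receipt(r), verify_receipt(tampered(r)))
```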

Start with Claude Code or Codex.

Install the local hook, deny one risky call, and verify the receipt before expanding to framework demos.