Überprüfen und exportieren

Verify any HELM release or execution session — offline, with zero trust assumptions. Every verification check is deterministic and reproducible.

Verify the latest release

npx @mindburn/helm-cli

Output:

✓ HELM v0.1.1 — verified
  sha256  c4d5e6f7a8b9...
  chain   12 receipts · 0 gaps
  level   L2 (receipt-backed + chained)

Verify a specific EvidencePack

# Export from a running HELM instance
helm export --evidence ./data/evidence --out evidence.tar

# Verify offline — zero network
helm verify --bundle evidence.tar

Expected: verification: PASS

What gets verified

CI integration

GitHub Actions

- name: Verify HELM
  run: |
    RESULT=$(npx @mindburn/helm-cli --ci)
    VERDICT=$(echo "$RESULT" | jq -r '.verdict')
    if [ "$VERDICT" != "PASS" ]; then
      echo "::error::HELM verification failed"
      exit 1
    fi

GitLab CI

verify:
  script:
    - npx @mindburn/helm-cli
  allow_failure: false

CI JSON output

npx @mindburn/helm-cli --ci | jq .

{
  "verdict": "PASS",
  "sha256": "c4d5e6f7...",
  "chain": { "receipts": 12, "gaps": 0 },
  "level": "L2",
  "timestamp": "2026-02-21T10:00:00Z"
}

Exit codes

Advanced options

# Full chain replay (slower, exhaustive — for audits)
npx @mindburn/helm-cli --depth 2

# Specific conformance level
npx @mindburn/helm-cli --level L2

# Generate HTML proof report
npx @mindburn/helm-cli --report ./helm-report.html

# Combine flags
npx @mindburn/helm-cli --ci --bundle ./evidence --depth 2 --level L2

Release attestation flow

Every HELM release follows this chain:

Build → Test → Evidence Pack → Attestation → Publish
                                    │
                              Bundle Root Hash

Attestation keys are pinned in the website repository at contracts/helm_public_keys.json. Key rotation requires a PR so older releases remain independently verifiable.

Next steps