UC-001

UC-001: PEP Allow — Safe Tool Execution

Scenario

A user's AI application calls a calculator tool through the HELM proxy. The tool is on the Guardian allowlist. Execution is approved and a signed receipt is generated.

Preconditions

  • HELM proxy running with --upstream https://api.openai.com/v1
  • Guardian allowlist includes calculator
  • Ed25519 signing enabled (--sign)

Steps

  1. Application sends a chat completion request through the proxy; the upstream response carries tool_call: calculator({"a": 2, "b": 3})
  2. Proxy intercepts the response, extracts tool_call
  3. Args validated as JSON, canonicalized with JCS (RFC 8785), and hashed with SHA-256 to produce args_hash
  4. Guardian checks allowlist → ALLOW
  5. ProofGraph node appended
  6. Signed receipt emitted to JSONL store

Assertions

  • Receipt has status: "PROXY_ALLOW"
  • Receipt has reason_code: "TOOL_ALLOWED"
  • Receipt args_hash is deterministic (same input → same hash; key order and whitespace in the original args must not change it)
  • Receipt signature verifies under the proxy's Ed25519 public key
  • Receipt prev_hash links to the previous receipt (causal chain); for the first receipt in a store it is the all-zero genesis value shown in Expected Output
  • ProofGraph node contains receipt hash as node ID

Expected Output

{
  "receipt_id": "rcpt_...",
  "tool_name": "calculator",
  "args_hash": "sha256:abcdef...",
  "status": "PROXY_ALLOW",
  "reason_code": "TOOL_ALLOWED",
  "prev_hash": "sha256:000000...",
  "lamport": 1,
  "signature": "ed25519:..."
}
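The Go program below is an added worked example of steps 3-6 and of the assertions above; it is not HELM's own code. Everything beyond the field names in Expected Output is an assumption of this example: the canonicalization is a simplified JCS built on encoding/json, the signature covers the canonical receipt with the signature field removed, the ProofGraph node ID is the SHA-256 of those same bytes, receipt_id is derived from them, and the deny-side codes PROXY_DENY / TOOL_NOT_ALLOWED are invented for contrast. It goes beyond this use case by also producing a deny receipt, rejecting malformed args, and detecting a tampered log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Genesis is the prev_hash of the first receipt in a store (all-zero SHA-256).
const Genesis = "sha256:0000000000000000000000000000000000000000000000000000000000000000"

// Receipt carries the Expected Output fields; receipt_id derivation and signed bytes are assumptions.
type Receipt struct {
	ReceiptID  string `json:"receipt_id,omitempty"`
	ToolName   string `json:"tool_name"`
	ArgsHash   string `json:"args_hash"`
	Status     string `json:"status"`
	ReasonCode string `json:"reason_code"`
	PrevHash   string `json:"prev_hash"`
	Lamport    uint64 `json:"lamport"`
	Signature  string `json:"signature,omitempty"`
}

// Canonicalize validates JSON and re-encodes it JCS-style (RFC 8785: sorted keys, no whitespace).
// Simplification: numbers round-trip through float64 and <, > and & are HTML-escaped; fine for {"a":2,"b":3}.
func Canonicalize(raw []byte) ([]byte, error) {
	var v interface{}
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err // malformed args are rejected, never hashed
	}
	return json.Marshal(v) // map keys come out sorted
}

func Digest(b []byte) string { s := sha256.Sum256(b); return "sha256:" + hex.EncodeToString(s[:]) }

// Decide is the Guardian allowlist check (step 4); the deny-side codes are assumed.
func Decide(allowlist map[string]bool, tool string) (status, reason string) {
	if allowlist[tool] {
		return "PROXY_ALLOW", "TOOL_ALLOWED"
	}
	return "PROXY_DENY", "TOOL_NOT_ALLOWED"
}

// signedBytes is the canonical receipt with the signature cleared: what is signed and what prev_hash commits to.
func signedBytes(r Receipt) []byte {
	r.Signature = ""
	raw, _ := json.Marshal(r)
	c, _ := Canonicalize(raw)
	return c
}

// ReceiptHash doubles as the ProofGraph node ID for the receipt (step 5).
func ReceiptHash(r Receipt) string { return Digest(signedBytes(r)) }

// Store is the in-memory receipt log; the JSONL file holds the same records in order.
type Store struct {
	priv ed25519.PrivateKey
	Log  []Receipt
}

// Append runs steps 3-6 for one intercepted tool_call.
func (s *Store) Append(allowlist map[string]bool, tool string, rawArgs []byte) (Receipt, error) {
	c, err := Canonicalize(rawArgs)
	if err != nil {
		return Receipt{}, err
	}
	status, reason := Decide(allowlist, tool)
	prev, lamport := Genesis, uint64(1)
	if n := len(s.Log); n > 0 {
		prev, lamport = ReceiptHash(s.Log[n-1]), s.Log[n-1].Lamport+1
	}
	r := Receipt{ToolName: tool, ArgsHash: Digest(c), Status: status, ReasonCode: reason, PrevHash: prev, Lamport: lamport}
	r.ReceiptID = "rcpt_" + strings.TrimPrefix(Digest(signedBytes(r)), "sha256:")[:16] // derived, not random
	r.Signature = "ed25519:" + hex.EncodeToString(ed25519.Sign(s.priv, signedBytes(r)))
	s.Log = append(s.Log, r)
	return r, nil
}

// VerifyChain walks a log from Genesis: each signature verifies, each prev_hash matches, Lamport runs 1, 2, 3...
func VerifyChain(pub ed25519.PublicKey, log []Receipt) bool {
	prev := Genesis
	for i, r := range log {
		sig, err := hex.DecodeString(strings.TrimPrefix(r.Signature, "ed25519:"))
		if err != nil || r.PrevHash != prev || r.Lamport != uint64(i+1) || !ed25519.Verify(pub, signedBytes(r), sig) {
			return false
		}
		prev = ReceiptHash(r)
	}
	return true
}

func main() {
	st := &Store{priv: ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))} // zero seed: demo only
	r, _ := st.Append(map[string]bool{"calculator": true}, "calculator", []byte(`{"a": 2, "b": 3}`))
	out, _ := json.MarshalIndent(r, "", "  ")
	fmt.Println(string(out), "\nchain ok:", VerifyChain(st.priv.Public().(ed25519.PublicKey), st.Log))
}
```

Running it prints a receipt in the Expected Output shape with prev_hash equal to the genesis value and lamport 1. VerifyChain is the check a consumer of the JSONL store would run: it must start from the genesis prev_hash, so a log that begins mid-chain, or a receipt whose body was edited after signing, fails.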

Script

See: UC-001_pep_allow_safe.sh