OSS_SCOPE
HELM OSS Scope
Canonical architecture: see ARCHITECTURE.md for the normative trust boundary model and TCB definition. For the canonical 8-package TCB inventory, see TCB_POLICY.md.
HELM OSS is the open execution kernel of the HELM stack.
It exists to keep the deterministic boundary small, portable, and independently trustworthy. The commercial HELM layers must extend this kernel, not replace it.
Kernel TCB (Trusted Computing Base)
The canonical TCB is bounded to 8 packages — the minimal trusted core. See TCB_POLICY.md for the authoritative package list, expansion criteria, and CI enforcement details.
Active OSS Packages
The following packages are part of the OSS kernel, including both TCB and non-TCB supporting infrastructure:
TCB Packages
| Package | Purpose | Status |
|---|---|---|
contracts/ |
Canonical data structures (Decision, Effect, Receipt, Intent) | ✅ Active |
crypto/ |
Ed25519 signing, JCS canonicalization | ✅ Active |
guardian/ |
Policy Enforcement Point (PEP), PRG enforcement | ✅ Active |
executor/ |
SafeExecutor with receipt generation | ✅ Active |
proofgraph/ |
Cryptographic ProofGraph DAG | ✅ Active |
trust/registry/ |
Event-sourced trust registry | ✅ Active |
runtime/sandbox/ |
WASI sandbox (wazero, deny-by-default) | ✅ Active |
receipts/ |
Receipt policy enforcement (fail-closed) | ✅ Active |
Supporting Infrastructure (Non-TCB)
| Package | Purpose | Status |
|---|---|---|
canonicalize/ |
RFC 8785 JCS implementation | ✅ Active |
manifest/ |
Tool args/output validation (PEP boundary) | ✅ Active |
agent/adapter.go |
KernelBridge choke point | ✅ Active |
runtime/budget/ |
Compute budget enforcement | ✅ Active |
escalation/ceremony/ |
RFC-005 Approval Ceremony | ✅ Active |
evidence/ |
Evidence pack export/verify | ✅ Active |
replay/ |
Replay engine for verification | ✅ Active |
mcp/ |
Tool catalog + MCP gateway | ✅ Active |
kernel/ |
Rate limiting, backpressure | ✅ Active |
a2a/ |
Agent-to-Agent trust protocol | ✅ Active |
otel/ |
OpenTelemetry governance telemetry | ✅ Active |
Deployment Infrastructure
| Package | Purpose | Status |
|---|---|---|
deploy/helm-operator/ |
K8s CRDs (PolicyBundle, GuardianSidecar) | ✅ Active |
protocols/spec/ |
RFC-style protocol specification | ✅ Active |
protocols/conformance/v1/owasp/ |
Machine-readable OWASP threat vectors | ✅ Active |
Removed from TCB (Enterprise)
The following packages were removed to minimize the attack surface:
| Package | Reason |
|---|---|
access/ |
Enterprise access control |
ingestion/ |
Brain subsystem data pipeline |
verification/refinement/ |
Enterprise verification |
cockpit/ |
UI dashboard |
ops/ |
Operations tooling |
multiregion/ |
Multi-region orchestration |
hierarchy/ |
Enterprise hierarchy |
heuristic/ |
Heuristic analysis |
perimeter/ |
Network perimeter |
First-Class Execution Surfaces
MCP Interceptor
The MCP gateway (core/pkg/mcp/) is a first-class governed surface,
not an adapter. It provides:
- Tool discovery with governance metadata (
/mcp/v1/capabilities) - Governed tool execution with signed receipts (
/mcp/v1/execute) - Schema validation against pinned tool contracts
- Full ProofGraph integration — MCP calls produce the same receipt chain as OpenAI proxy calls
OpenAI-Compatible Proxy
The governed proxy (/v1/chat/completions) intercepts OpenAI-compatible
tool calls and routes them through the PEP boundary.
Bounded-Surface Primitives
The OSS kernel includes configurable surface containment primitives (see CAPABILITY_MANIFESTS.md):
- Domain-scoped tool bundles
- Explicit capability manifests
- Read-only / write-limited / side-effect-class profiles
- Connector allowlists
- Destination scoping
- Filesystem/network deny-by-default (WASI)
- Sandbox profile requirement per tool class
Boundary Truth
OSS includes:
- Surface containment — capability manifests, tool bundles, sandbox profiles
- Dispatch enforcement — fail-closed PEP, policy evaluation, budget gates
- Verifiable receipts — signed receipts, ProofGraph, replay
- MCP interceptor — first-class governed MCP surface
- OpenAI proxy — governed proxy for OpenAI-compatible SDKs
- Adapters and integration surfaces
OSS does not include:
- Surface Design Studio (policy UI)
- Policy rollout / staging / shadow enforcement
- Certified connector program
- Managed federation
- Pack distribution and entitlements
- Compliance intelligence workflows
- Mission Control / Studio operations surfaces
- Enterprise evidence retention / legal hold
- Managed control plane and team operations
The invariant is simple: OSS must stay fully useful on its own. The commercial layer monetizes shared organizational control around the kernel, not artificial runtime crippleware.