Writing policy files

Define deterministic rules to allow or deny AI tool calls: YAML format, match patterns, and testing.

[Figure: Writing policy files. A REQUEST (candidate tool call: tool name, args payload, caller identity) is checked against RULE 1 allow-reads, RULE 2 allow-list, RULE 3 allow-user-writes and RULE 4 deny-all, producing a DECISION RECORD: a signed verdict (ALLOW or DENY) with a machine-readable reason code and a receipt chained into ProofGraph. First match wins. If no rule matches, defaultVerdict applies and HELM fails closed.]


HELM policies control what AI agents can and cannot do. They are YAML files with deterministic rules — same input always produces the same verdict.

Starter policy (copy-paste)

This policy allows read operations and blocks everything else:

version: "1.0"
defaultVerdict: deny

rules:
  # Allow all read operations
  - name: allow-reads
    match:
      toolName: "get_*"
    verdict: allow

  - name: allow-list
    match:
      toolName: "list_*"
    verdict: allow

  # Allow writes to user directories only
  - name: allow-user-writes
    match:
      toolName: "write_file"
      args:
        path:
          startsWith: "/home/"
    verdict: allow

  # Everything else is denied (explicit for clarity)
  - name: deny-all
    match:
      toolName: "*"
    verdict: deny
    reason: "default-deny"

Save as policy.yaml in your HELM data directory.


How rules work

  • Rules evaluate in order — first match wins
  • If no rule matches, defaultVerdict applies
  • Default is deny (fail-closed) — you must explicitly allow

Match patterns

Exact match

- name: allow-list-files
  match:
    toolName: "list_files"
  verdict: allow

Glob patterns

- name: allow-all-reads
  match:
    toolName: "get_*"
  verdict: allow

# Deny every delete_* tool (the glob covers deletes only, not other writes)
- name: deny-all-deletes
  match:
    toolName: "delete_*"
  verdict: deny
  reason: "destructive-action-blocked"

Argument matching

- name: deny-system-files
  match:
    toolName: "read_file"
    args:
      path:
        startsWith: "/etc/"
  verdict: deny
  reason: "system-path-blocked"
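
The ordering rule from "How rules work" and the match patterns above, modeled offline as an added example (not HELM's own code), so a rule order can be checked before the policy is loaded. It assumes shell-style glob semantics for toolName (Python's fnmatchcase) and a raw string prefix test for startsWith; the function names, the dict layout and the sample calls are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policy: the starter rules from this page, with the
# deny-system-files rule from "Argument matching" placed first.
POLICY = {
    "defaultVerdict": "deny",
    "rules": [
        {"name": "deny-system-files", "verdict": "deny", "reason": "system-path-blocked",
         "match": {"toolName": "read_file", "args": {"path": {"startsWith": "/etc/"}}}},
        {"name": "allow-reads", "verdict": "allow", "match": {"toolName": "get_*"}},
        {"name": "allow-list", "verdict": "allow", "match": {"toolName": "list_*"}},
        {"name": "allow-user-writes", "verdict": "allow",
         "match": {"toolName": "write_file", "args": {"path": {"startsWith": "/home/"}}}},
        {"name": "deny-all", "verdict": "deny", "reason": "default-deny",
         "match": {"toolName": "*"}},
    ],
}

def rule_matches(match, tool, args):
    # Assumption: toolName uses shell-style globs and startsWith is a raw string prefix test.
    if not fnmatchcase(tool, match["toolName"]):
        return False
    for key, cond in match.get("args", {}).items():
        value = args.get(key)
        if not isinstance(value, str) or not value.startswith(cond["startsWith"]):
            return False  # a missing or non-string argument never satisfies the rule
    return True

def evaluate(policy, tool, args=None):
    """Return (verdict, rule name, reason). First match wins, else defaultVerdict."""
    for rule in policy["rules"]:
        if rule_matches(rule["match"], tool, args or {}):
            return rule["verdict"], rule["name"], rule.get("reason")
    return policy["defaultVerdict"], None, None

def shadowed_rules(policy):
    """Rules listed after an unconditional catch-all (toolName "*", no args) never fire."""
    names, after_catch_all = [], False
    for rule in policy["rules"]:
        if after_catch_all:
            names.append(rule["name"])
        match = rule["match"]
        after_catch_all = after_catch_all or (match["toolName"] == "*" and not match.get("args"))
    return names

if __name__ == "__main__":
    for tool, args in [("get_user", {}), ("write_file", {"path": "/home/alice/notes.txt"}),
                       ("write_file", {"path": "/etc/hosts"}), ("read_file", {"path": "/etc/hosts"})]:
        print(tool, args, "->", evaluate(POLICY, tool, args))
    print("shadowed:", shadowed_rules(POLICY))
```

A non-empty result from shadowed_rules means a catch-all sits above more specific rules, which under first-match-wins silently disables them.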

Reason codes

Every deny verdict should include a machine-readable reason field:

Code                          When to use
destructive-action-blocked    Tool would modify or delete data
system-path-blocked           Path is in a protected directory
rate-limit-exceeded           Too many calls in time window
unauthorized-caller           Identity not in allowlist
default-deny                  No rule matched

These map to kernel reason codes like DENY_BUDGET_EXCEEDED, DENY_SCHEMA_MISMATCH, DENY_TOOL_NOT_FOUND.


Policy bundles

For organizations, policies can be composed into signed bundles — signed with Ed25519, content-addressed, and versioned. See Policy Bundles.


Testing your policy

# Start the proxy with your policy (standalone proxy listens on :9090)
helm proxy --upstream https://api.openai.com/v1 --policy ./policy.yaml

# Exercise your normal client against http://localhost:9090/v1,
# then inspect the latest local receipt
curl -s http://localhost:9090/helm/receipts | tail -n 1

For comprehensive end-to-end policy testing:

helm conform --level L2 --json

Next steps

Goal                            Guide
Get running in 5 minutes        Quickstart
Understand policy precedence    Architecture
See conformance gates           Conformance