Mindburn Labs
Founding Cohort

Cómo funciona HELM

El proceso de cuatro etapas que convierte cada llamada a una herramienta de inteligencia artificial en un recibo verificable.

STAGE 1Intent capturetool name + argsidentitytimestamp + Lamport clockSTAGE 2Policy checkCPI schema validationPEP rule evaluationfail closed by defaultSTAGE 3VerdictALLOW or DENYreason codeDecisionRecord signatureSTAGE 4Receipt and chainargs + effect hashesProofGraph linkEvidencePack exportFAIL CLOSEDDETERMINISTICOFFLINE VERIFIABLE
Cómo funciona HELM: referencia técnica de esta página.

Cómo funciona HELM

Key idea: HELM is a proxy that sits between your AI agent and its tools. Every tool call is policy-checked and produces a cryptographic receipt — creating a tamper-proof audit trail you can verify offline.

The pipeline

Every tool call passes through four stages:

Stage Component Output
1 Intent Capture Tool name, args, identity, Lamport clock
2 Policy Check (PEP) Schema validation → rule matching
3 Verdict ALLOW or DENY + reason code
4 Receipt Signed receipt → ProofGraph (hash chain)
EvidencePack (verifiable offline)

1. Intent Capture

The agent declares intent to invoke a tool. HELM captures:

  • Tool name and arguments
  • Caller identity
  • Timestamp and Lamport sequence number (monotonic causal order)

2. Policy Check (PEP)

The Policy Enforcement Point evaluates the call against your policy rules:

Request → Schema validation (CPI) → Policy rules (PEP) → Verdict

Evaluation is deterministic — same input always produces the same verdict. Rules are evaluated in order. First match wins. If no rule matches, the default is DENY (fail-closed).

3. Verdict

The Guardian produces a DecisionRecord:

Field Value
Action ALLOW or DENY
Reason code Machine-readable (e.g. DENY_TOOL_NOT_FOUND)
Evidence JCS-canonicalized inputs
Signature Ed25519 proof of decision integrity

4. Receipt

A cryptographic receipt is appended to the ProofGraph:

Receipt field Value
EffectHash SHA-256 of tool output
ArgsHash SHA-256 of canonicalized input
PrevReceiptHash Hash chain link to previous receipt
LamportClock Monotonic causal order
ReasonCode ALLOW or DENY reason
Signature Ed25519 cryptographic proof

Three guarantees

Fail-closed

If anything goes wrong — unknown tool, invalid schema, policy engine error — the default is DENY. There is no code path from model to tool that skips the PEP.

Deterministic

Same policy + same tool call = same verdict. Always. No probabilistic gates, no LLM-in-the-loop decisions. JCS canonicalization (RFC 8785) ensures identical serialization.

Offline-verifiable

Anyone with the receipt chain can independently verify:

  1. No receipts were removed — PrevHash integrity check
  2. No receipts were reordered — LamportClock monotonicity
  3. No receipts were modified — SHA-256 + Ed25519 signature

Next steps

Goal Guide
Get running in 5 minutes Quickstart
Deep technical reference Architecture
Write policy rules Policy Files