HELM Architecture Brief

HELM is the execution firewall for AI-agent side effects.

Models propose. HELM governs execution. Every allowed, denied, or escalated decision leaves a signed receipt.

Mechanism

The brief in twelve points.

Each point is intentionally narrow: HELM controls execution before the side effect, records the decision, and keeps public proof separate from private customer context.

Problem

Models can propose work without owning company authority.

The risk is not that a model wrote a bad sentence. The risk is a proposed action reaching a tool, connector, data store, release path, or customer channel without a separate authority check.

Boundary

PEP/CPI separates intent from execution.

HELM treats model output as a proposal. Policy Enforcement Point (PEP) and Capability Policy Interface (CPI) checks decide whether the action is allowed, denied, or escalated before the side effect.

Verdict flow

A decision must resolve before dispatch.

The boundary checks actor, action, scope, connector, approval state, risk tier, and evidence. Missing authority fails closed or routes to review.

Receipts

Every decision leaves a signed receipt.

The receipt records the proposed action, policy, verdict, timestamp, proof inputs, and the canonicalized payload hash needed for later verification.
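The verdict flow and receipt described above, as an added sketch that is not HELM's own code. The field names, policy table, `policy_id`, and HMAC-SHA256 signing with sorted-key JSON canonicalization are all assumptions made for illustration; the brief does not specify the signature scheme or canonical form.

```python
import hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the real signature scheme
REQUIRED = ("actor", "action", "scope", "connector", "approval_state", "risk_tier", "evidence")
# Constructed policy table: (actor, action, connector) -> allowed scopes and auto-run risk ceiling.
POLICY = {("agent:billing", "refund.create", "payments"): {"scopes": {"customer:own"}, "max_auto_risk": 1}}

def canonical(obj):
    """Deterministic JSON bytes (sorted keys, no whitespace) so hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()

def decide(p):
    """Return (verdict, reason). Incomplete, malformed or unknown proposals fail closed."""
    if any(p.get(k) in (None, "", []) for k in REQUIRED):
        return "DENY", "missing_field"
    if not isinstance(p["risk_tier"], int) or not all(isinstance(p[k], str) for k in REQUIRED[:5]):
        return "DENY", "malformed_field"
    rule = POLICY.get((p["actor"], p["action"], p["connector"]))
    if rule is None or p["scope"] not in rule["scopes"]:
        return "DENY", "no_authority"
    if p["risk_tier"] > rule["max_auto_risk"] and p["approval_state"] != "approved":
        return "ESCALATE", "approval_required"
    return "ALLOW", "policy_match"

def issue_receipt(p, policy_id="policy/constructed-v1", now=None):
    """Build and sign a receipt for any verdict, including DENY and ESCALATE."""
    verdict, reason = decide(p)
    body = {
        "proposed_action": {k: p.get(k) for k in ("actor", "action", "scope", "connector")},
        "policy": policy_id,
        "verdict": verdict,
        "reason": reason,
        "timestamp": int(time.time() if now is None else now),
        "proof_inputs": p.get("evidence") or [],
        "payload_sha256": hashlib.sha256(canonical(p.get("payload"))).hexdigest(),
    }
    return {"body": body, "sig": hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()}

def verify_receipt(receipt, payload):
    """Later verification: signature over the body, then payload hash against the payload."""
    expected = hmac.new(SIGNING_KEY, canonical(receipt["body"]), hashlib.sha256).hexdigest()
    digest = hashlib.sha256(canonical(payload)).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"]) and hmac.compare_digest(digest, receipt["body"]["payload_sha256"])

def govern(p, side_effect):
    """Resolve the verdict and write the receipt first; dispatch only on ALLOW."""
    receipt = issue_receipt(p)
    result = side_effect(p.get("payload")) if receipt["body"]["verdict"] == "ALLOW" else None
    return receipt, result
```

Because the payload is hashed in canonical form, a reviewer holding the same payload with keys in a different order still reproduces the hash, while any changed value or edited verdict fails verification.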

Replay

Evidence should be reviewable after the fact.

Receipts, ProofGraph edges, and EvidencePacks give reviewers a bounded way to inspect what happened without turning private company context into public proof.

Company layer

Company AI OS adds reviewed access around the kernel.

The company layer connects artifacts, GeneratedSpecs, approvals, integrations, and review queues. It does not weaken the kernel boundary or make raw context into authority.

Code graph

Code Intelligence Graph grounds engineering proposals.

Engineering specs can cite pinned commits, CodeIndexReceipts, CodeImpact reports, affected tests, write scope, and closure diff checks without making the graph execution authority.

Activation

OrgGenome/VGL turns reviewed org law into bounded authority.

OrgDNA is intake. OrgGenome authority requires review, deterministic mirror, simulation, P0 ceilings, approval, attestation, and receipts.

Runtime

Business loops run through the same boundary.

Night Shift and business-function packs create proposals, run only low-risk allowlisted work, escalate risky work, deny forbidden work, and write closure evidence back.

Gateway

Analog and kinetic work stays contract-gated.

HELM governs command gateways only where connector contracts, safety profiles, telemetry, approvals, jurisdiction boundaries, and EvidencePacks exist.

Claim gate

Public wording follows the Claim Matrix.

Unsupported robot, factory, entire-company, ERP replacement, and engineer replacement claims stay forbidden unless real source-backed evidence upgrades the matrix.

Evaluation

A design-partner review starts with one governed action.

The useful first conversation names the side effect, required approval, connector scope, evidence need, failure state, and receipt a reviewer would accept.

Proof path

Evaluate the public kernel before reviewing the company layer.

The OSS kernel is the public execution boundary. The Company AI OS layer is reviewed access because it involves real company workflows, integrations, approvals, and evidence needs.