HELM AI Kernel

Fail-closed execution firewall for AI agents.

HELM AI Kernel is the public boundary. A model can ask to use a tool. HELM checks the request first, and the tool does not run when the request is not allowed.

Define kernel proof terms
ProofGraph: A record chain that helps replay and check what happened.
DENY: HELM blocks the action.
ALLOW: HELM lets the action run.
ESCALATE: HELM stops and asks for more facts, policy, or human approval.

Quickstart shape

Evaluate policy, then verify the receipt.

Start with a low-risk action request. The kernel returns a decision before the action runs, then records a receipt that can be checked later.

  1. Pick an action request

    Use a tool call, data export, message send, or code change that needs approval.

  2. Check active policy

    Check who is asking, what they want to do, risk, approval, and proof before action.

  3. Verify the receipt

    Review the decision, policy snapshot, action request, and evidence link.

{
  "action": "customer_message.send",
  "actor": "support-agent",
  "policy": "customer_message.low_risk.v1",
  "verdict": "ALLOW | DENY | ESCALATE",
  "receipt": "rcpt-demo-e3f8a0b2"
}
Figure: fail-closed agent execution path (Fail-Closed Execution Firewall). An AI agent proposes a tool call through MCP. HELM AI Kernel, the public execution boundary, checks policy before execution, denies an unsafe SQL operation, emits a signed denial receipt, and records proof into ProofGraph and EvidencePack surfaces. Policy is enforced before execution. Every allow, deny, or escalation emits a signed receipt.
Figure labels: ProofGraph (tamper-sensitive receipt history); EvidencePack (offline-verifiable packet).
Text description

Agent request: an AI agent proposes a tool call through MCP.

HELM gate: HELM AI Kernel checks policy before dispatch and fails closed when the action violates policy.

Decision and proof: the action is denied, no side effect is dispatched, and a signed receipt is written for later audit.

Canonical verdicts

Every side effect resolves to ALLOW, DENY, or ESCALATE.

The failure mode is deterministic. Unknown, stale, tainted, malformed, or unsigned requests do not become connector calls.

Fail-closed examples (before dispatch)

Condition | Result
Unknown MCP server | DENY until quarantine review and approval receipt exist.
Schema drift | DENY when connector or payload schema hashes do not match the approved contract.
Replayed nonce | DENY when a prior authorization token or intent nonce is reused.
Tainted egress | DENY when secret or hostile-output labels would leave the boundary.
Invalid signature | DENY when signer identity, canonicalization, or receipt signature verification fails.
Stale policy hash | DENY or ESCALATE when the request was built against old policy.
Missing approval | ESCALATE when the policy requires a human ceremony before dispatch.

Proof posture

Receipts and EvidencePacks are the review surface.

HELM records why an action was allowed, denied, or escalated so later reviewers can replay the proof path and catch tampering.

Signed authorization

ALLOW emits a deterministic execution authorization tied to policy, principal, connector, and payload hashes.

Denial receipt

DENY emits a stable reason code and receipt without running the connector.

Escalation receipt

ESCALATE emits approval requirements, ceremony state, summary hash, and review evidence.

ProofGraph record

Decisions bind intent hash, plan hash, policy hash, verdict, reason code, connector refs, and evidence refs.

EvidencePack verification

Offline verification catches missing indexes, bad hashes, broken chains, invalid signatures, altered payloads, stale policy, and schema mismatch.

HELM AI Kernel mechanism demo

AI proposes a tool call. HELM decides whether it may run. The receipt makes the decision checkable later.

DENY · T3 / blocked
Propose · Decide · Receipt
Change IAM permission: DENY · iam_permission_change.v3 · rcpt-demo-f703476e

Tamper detectable: changing the verdict produces a different receipt.
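
The fail-closed conditions listed under "Canonical verdicts" and the tamper-detection claim above can be seen together in a small gate. This is an added Python example, not HELM's own code: the field names, reason codes, key, and the use of HMAC in place of the real signature scheme are all assumptions, and stale policy is mapped to ESCALATE where the page allows either DENY or ESCALATE.

```python
import hashlib, hmac, json

# Constructed demo values. HMAC stands in for the real receipt signature
# scheme, and the reason codes and field names are hypothetical.
KEY = b"constructed-demo-key"
POLICY_HASH = hashlib.sha256(b"customer_message.low_risk.v1").hexdigest()
SCHEMA_HASH = hashlib.sha256(b'{"to":"str","body":"str"}').hexdigest()
APPROVED = {"mcp://support-tools": SCHEMA_HASH}  # approved server -> schema hash
seen_nonces = set()
GOOD = {"server": "mcp://support-tools", "schema_hash": SCHEMA_HASH,
        "nonce": "n-001", "policy_hash": POLICY_HASH, "needs_approval": False}

def decide(req):
    """Return (verdict, reason). Anything not provably allowed fails closed."""
    try:
        server, nonce = req["server"], req["nonce"]
        if server not in APPROVED:
            return "DENY", "unknown_mcp_server"
        if req["schema_hash"] != APPROVED[server]:
            return "DENY", "schema_drift"
        if nonce in seen_nonces:
            return "DENY", "replayed_nonce"
        if req["policy_hash"] != POLICY_HASH:
            return "ESCALATE", "stale_policy_hash"
        if req["needs_approval"] and not req.get("approval"):
            return "ESCALATE", "missing_approval"
    except (KeyError, TypeError):  # missing field or wrong type: never dispatch
        return "DENY", "malformed_request"
    seen_nonces.add(nonce)  # nonce is consumed only on ALLOW
    return "ALLOW", "policy_satisfied"

def sign(body):
    # Canonical JSON so the same receipt always produces the same signature.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, canon, hashlib.sha256).hexdigest()

def gate(req):
    verdict, reason = decide(req)
    receipt = {"verdict": verdict, "reason": reason, "policy_hash": POLICY_HASH,
               "request_hash": hashlib.sha256(
                   json.dumps(req, sort_keys=True, default=str).encode()).hexdigest()}
    receipt["sig"] = sign(receipt)  # signature covers every field but itself
    return receipt

def verify(receipt):
    body = {k: v for k, v in receipt.items() if k != "sig"}
    return hmac.compare_digest(sign(body), str(receipt.get("sig", "")))

if __name__ == "__main__":
    print(gate(dict(GOOD))["verdict"], gate(dict(GOOD))["reason"])
```

Every verdict, including DENY and ESCALATE, yields a signed receipt, so a reviewer holding the key can detect a receipt whose verdict was edited after the fact.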

Developer wedge

Put a boundary before AI can act.

Policy check

Check who is asking, what they want to do, risk, approval, connector scope, and proof.

Fail closed

If approval is missing or unclear, the action returns DENY or ESCALATE. It does not run silently.

Receipt proof

Record the verdict, policy, and evidence so the decision can be checked later.

Boundaries

What HELM AI Kernel is and is not.

HELM AI Kernel is public, self-hostable, and Apache-2.0. It is the kernel surface, not the reviewed-access company workflow layer.

Reference packs are policy primitives. They are not legal advice, third-party assurances, or a substitute for your compliance program.

FAQ

HELM AI Kernel FAQ

What is HELM AI Kernel?

HELM AI Kernel is the public Apache-2.0 execution kernel for policy-checked AI-agent actions, receipts, and evidence packs.

Is this the reviewed-access company layer?

No. HELM AI Kernel is the public boundary. The reviewed-access company layer adds workflows, review inboxes, and integrations around it.

Are reference packs external assurance reports?

No. Reference packs are policy primitives. They are not legal advice, third-party assurances, or a replacement for an operator-run compliance program.

What does Launchpad add?

Launchpad is the local-container app launcher for signed OpenClaw, Hermes, OpenCode, and Kilo Code artifacts, with verifier commands and clean-install status tracked in HELM docs. DigitalOcean and Hetzner remain opt-in beta substrates; Hetzner live launch stays blocked until scoped provider credentials exist.

Evaluate

Start with the public kernel.

Use the repository and docs to inspect the boundary. Use contact routing for company evaluation conversations.