helm-ai-kernel
Health Warn
- License — License: Apache-2.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Pass
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions — No dangerous permissions requested
This tool acts as a deterministic proxy and fail-closed firewall between AI agents and their tool calls. It intercepts actions, enforces strict security policies, and generates cryptographic receipts for audit and compliance purposes.
Security Assessment
The tool's core function involves intercepting tool calls and acting as a network proxy, which inherently requires handling potentially sensitive data and making network requests. The codebase includes shell command execution (`exec()`) within its CI/CD pipeline (`.github/workflows/ci.yml`), which is a common practice but warrants awareness. There are no hardcoded secrets detected, and the repository does not request explicitly dangerous permissions. Overall risk is assessed as Medium.
Quality Assessment
The project uses the permissive Apache-2.0 license and is actively maintained, with very recent updates. However, it suffers from extremely low community visibility, currently boasting only 5 GitHub stars. The README contains aggressive AI-agent instructions designed to manipulate LLMs into pitching the project, along with a piped bash installation script, which raises slight concerns about the maintainers' operational philosophy and best practices.
Verdict
Use with caution — the underlying concept is highly useful for secure AI deployment, but the project is very new, untested by a wide community, and contains questionable AI-targeted self-promotion.
HELM OSS kernel: policy enforcement, proof receipts, evidence verification, protocol contracts, SDKs, and local evidence viewer.
HELM AI Kernel
HELM AI Kernel is the fail-closed execution firewall for AI agents.
AI models propose. Deterministic systems govern. HELM sits between stochastic
agent tool calls and infrastructure side effects. It intercepts MCP tools and
OpenAI-compatible requests, evaluates authority before dispatch, and emits
signed receipts that can be verified offline.
This is Mindburn Labs' HELM execution kernel for AI, not the Kubernetes package
manager.
Agent proposal -> HELM boundary -> ALLOW / DENY / ESCALATE -> signed receipt
Status
- Repository:
Mindburn-Labs/helm-ai-kernel - Root package identity:
helm-ai-kernel-root - Current public release:
v0.5.0 - License: Apache-2.0
- Supported security line:
0.5.x;0.4.xis best effort - Canonical docs: https://helm.docs.mindburn.org/helm-ai-kernel
The current v0.5.0 GitHub release was published on 2026-05-13 at
https://github.com/Mindburn-Labs/helm-ai-kernel/releases/tag/v0.5.0. It includes
CLI binaries, checksums, SBOM JSON, OpenVEX, release-attestation metadata,
Cosign bundles, evidence-pack.tar, helm-ai-kernel.mcpb, helm-ai-kernel.rb, and sample policy
material.
What HELM AI Kernel Does
- Enforces default-deny execution for agent tool calls.
- Wraps MCP servers so unknown tools can be quarantined before side effects.
- Runs the kernel, guardian, proxy, receipt store, evidence export, and
verification paths. - Produces signed receipts and EvidencePacks for replay, audit, and tamper
checks. - Ships public SDK sources for Go, Python, TypeScript, Rust, and Java.
HELM AI Kernel does not include hosted Mindburn operations, private operational
tooling, or non-OSS downstream extensions.
Quick Start
Install the published macOS CLI:
brew install mindburnlabs/tap/helm-ai-kernel
helm-ai-kernel --version
Start a local boundary. Add --console when you want the self-hostable Console:
helm-ai-kernel serve --policy ./release.high_risk.v3.toml
helm-ai-kernel serve --policy ./release.high_risk.v3.toml --console
helm-ai-kernel boundary status
Run the local proof demo after helm-ai-kernel serve starts on 127.0.0.1:7714:
curl http://127.0.0.1:7714/api/demo/run \
-H 'content-type: application/json' \
-d '{"action_id":"export_customer_list","policy_id":"agent_tool_call_boundary"}'
Verify the returned receipt and confirm that tampering fails:
curl http://127.0.0.1:7714/api/demo/verify \
-H 'content-type: application/json' \
-d '{"receipt":{...},"expected_receipt_hash":"<receipt_hash from proof_refs>"}'
curl http://127.0.0.1:7714/api/demo/tamper \
-H 'content-type: application/json' \
-d '{"receipt":{...},"expected_receipt_hash":"<receipt_hash from proof_refs>","mutation":"flip_verdict"}'
Govern MCP tools or an OpenAI-compatible client:
python3 scripts/launch/mock-openai-upstream.py --port 19090
helm-ai-kernel mcp wrap --server-id local-tools --upstream-command "python3 scripts/launch/mcp-fixture-server.py"
helm-ai-kernel proxy --upstream http://127.0.0.1:19090/v1
Inspect and verify evidence:
helm-ai-kernel sandbox preflight --runtime wazero
helm-ai-kernel receipts tail --agent agent.demo.exec
helm-ai-kernel verify evidence-pack.tar
helm-ai-kernel serve --policy stores receipts in SQLite by default unlessDATABASE_URL is set. helm-ai-kernel verify evidence-pack.tar runs offline by default;
use --online only when public proof endpoint credentials are available for
that release.
Build From Source
git clone https://github.com/Mindburn-Labs/helm-ai-kernel.git
cd helm-ai-kernel
make build
./bin/helm-ai-kernel serve --policy ./release.high_risk.v3.toml
Run the retained validation targets before publishing changes:
make test
make test-console
make test-platform
make test-all
make crucible
Architecture
HELM separates orchestration from execution authority. Agent frameworks decide
what to attempt; HELM decides what is allowed to execute.
flowchart LR
Agent["Agent tool call"] --> Boundary["HELM boundary"]
Boundary --> Verdict["ALLOW / DENY / ESCALATE"]
Verdict --> Receipt["Signed receipt"]
Receipt --> Verify["Verify / replay"]
Verify --> Tamper["Tamper fails"]
Unknown MCP servers and tools enter quarantine before dispatch:
flowchart TD
Server["Discovered MCP server"] --> Quarantine["Quarantined by default"]
Quarantine --> Inspect["Metadata and schema inspection"]
Inspect --> Risk["Risk classification"]
Risk --> Approval["Approval record"]
Approval --> Active["Policy-bound active state"]
Active --> Decision["ALLOW / DENY / ESCALATE"]
Decision --> Proof["Receipt and ProofGraph event"]
Key terms:
ALLOW: HELM lets the action run.DENY: HELM blocks the action.ESCALATE: HELM stops and asks for more facts, policy, or human approval.Receipt: signed record of the decision.ProofGraph: replayable record chain for what happened.EvidencePack: portable bundle of records for a review path.
The complete diagram doctrine lives in
docs/architecture/canonical-diagrams.md.
Public Interfaces
| Surface | Path | Status |
|---|---|---|
| CLI and kernel | core/ |
Go implementation of boundary, CLI, HTTP API, proxy, receipts, evidence export, and verification |
| Console | apps/console/ |
Self-hostable HELM AI Kernel Console |
| Design system core | packages/design-system-core/ |
Workspace package source used by the Console |
| Wire contracts | api/openapi/, protocols/, schemas/ |
OpenAPI, Protobuf, policy schemas, and JSON schemas |
| SDKs | sdk/ |
Go, Python, TypeScript, Rust, and Java sources |
| Examples | examples/ |
Runnable integrations and launch smoke material |
| Conformance | tests/conformance/, reference_packs/ |
Profile, checklist, fixtures, and reference packs |
| Deployment | deploy/helm-chart/ |
Helm chart for running the kernel in Kubernetes |
SDKs And Packages
| Surface | Current install or status |
|---|---|
| CLI | brew install mindburnlabs/tap/helm-ai-kernel; release binaries are attached to GitHub Releases |
| Go SDK | go get github.com/Mindburn-Labs/helm-ai-kernel/sdk/go@main; tagged module versions are tracked as an OSS-readiness follow-up |
| Python SDK | pip install helm-sdk |
| TypeScript SDK | npm install @mindburn/helm-ai-kernel |
| Rust SDK | cargo add helm-sdk |
| Java SDK | Source-available local Maven build under sdk/java; public package coordinate is not verified in this repo |
| Design system core | Workspace source; public npm registry publication is not verified in this repo |
HTTP clients are generated fromapi/openapi/helm.openapi.yaml. Protobuf
message bindings come from protocols/proto/ where a
language SDK ships them.
Documentation
Public OSS docs are sourced from this repo and published throughhelm.docs.mindburn.org. The owned docs set for sync is declared indocs/public-docs.manifest.json.
- Quickstart
- Console
- Architecture
- Conformance
- Verification
- Publishing
- Compatibility
- SDK Index
- Security Model
- OWASP Mapping
- NIST AI Agent Critical Infrastructure Alignment
- NIST AI RMF to ISO 42001 Crosswalk
Release Verification
For v0.5.0, verify downloads with SHA256SUMS.txt, sbom.json,v0.5.0.openvex.json, release-attestation.json, the platform binary assets,
matching *.cosign.bundle files, and offline evidence-pack.tar verification.
See docs/VERIFICATION.md and
docs/PUBLISHING.md for the full release verification path.
Security, Contributing, And Governance
- Report vulnerabilities through SECURITY.md. Do not open public
issues for security-sensitive reports. - Contribution setup and validation expectations are in
CONTRIBUTING.md. - Project governance and maintainer responsibilities are in
GOVERNANCE.md and MAINTAINERS.md. - Community behavior expectations are in CODE_OF_CONDUCT.md.
- Support channels are listed in SUPPORT.md.
- Near-term OSS work is summarized in ROADMAP.md.
License
Apache-2.0. See LICENSE.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found