HELM is an open-source execution kernel for governed AI tool calling. It sits on the execution boundary, applies fail-closed policy checks before dispatch, records signed receipts for allow and deny decisions, and exports evidence bundles that can be verified offline.
This repository is intentionally scoped to the OSS kernel:
core/contains the Go kernel, CLI, HTTP API, proxy, evidence export, and verification logic.protocols/,schemas/, andapi/openapi/define the wire contracts and generated SDK inputs.sdk/ships maintained public SDKs for Go, Python, TypeScript, Rust, and Java.dashboard/is a static local viewer for evidence bundles.examples/contains a small set of runnable integration examples.
Build from source:
git clone https://github.com/Mindburn-Labs/helm-oss.git
cd helm-oss
make buildRun the local proof loop:
./bin/helm onboard --yes
./bin/helm demo organization --template starter --provider mock
./bin/helm export --evidence ./data/evidence --out evidence.tar
./bin/helm verify --bundle evidence.tarRun the retained validation targets:
make test
make test-all
make crucibleGovern an existing OpenAI-compatible client:
./bin/helm proxy --upstream https://api.openai.com/v1Then point your client at http://localhost:8080/v1.
The retained public surfaces in this repository are:
- Go CLI and kernel API in
core/ - OpenAI-compatible proxy surface
- MCP server and bundle generation commands
- Evidence export and verification commands
- Public SDKs in
sdk/go,sdk/python,sdk/ts,sdk/rust, andsdk/java - Static evidence viewer in
dashboard/
This repository does not ship hosted control-plane features, private operational tooling, or product UIs outside the evidence viewer.
| Language | Path | Install |
|---|---|---|
| Go | sdk/go |
go get github.com/Mindburn-Labs/helm-oss/sdk/go |
| Python | sdk/python |
pip install helm-sdk |
| TypeScript | sdk/ts |
npm install @mindburn/helm |
| Rust | sdk/rust |
cargo add helm-sdk |
| Java | sdk/java |
com.github.Mindburn-Labs:helm-sdk:0.4.0 |
The HTTP client/types layer is generated from api/openapi/helm.openapi.yaml. Protobuf message bindings come from protocols/proto/ where a language SDK ships them. Both surfaces are validated by the SDK test targets.
| Path | Purpose |
|---|---|
core/ |
Go implementation of the kernel, CLI, HTTP API, proxy, and verification paths |
api/openapi/ |
OpenAPI contract used by the generated SDKs |
protocols/ |
Protocol specifications and schema sources |
schemas/ |
JSON schemas used by the kernel and verification flows |
tests/conformance/ |
Conformance profile, checklist, and verification tests |
reference_packs/ |
Example policy/reference bundles used by tests and examples |
dashboard/ |
Local static evidence-bundle viewer |
deploy/helm-chart/ |
Helm chart for running the kernel in Kubernetes |
- Quickstart
- Architecture
- Conformance
- Verification
- Publishing
- Compatibility
- SDK Index
- Security Model
- OWASP Mapping
The viewer in dashboard/ is a local diagnostic surface. It parses an evidence bundle in the browser and renders the manifest, decisions, and proof graph. It is not the authoritative verifier; use helm verify for cryptographic verification.
Apache-2.0. See LICENSE.