Skip to content

Mindburn-Labs/helm-oss

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

215 Commits
.github
.github
 
 
api/openapi
api/openapi
 
 
artifacts/golden
artifacts/golden
 
 
benchmarks
benchmarks
 
 
core
core
 
 
deploy
deploy
 
 
docs
docs
 
 
examples
examples
 
 
fixtures/minimal
fixtures/minimal
 
 
oss-fuzz
oss-fuzz
 
 
proofs
proofs
 
 
protocols
protocols
 
 
reference_packs
reference_packs
 
 
release
release
 
 
schemas
schemas
 
 
scripts
scripts
 
 
sdk
sdk
 
 
tests/conformance
tests/conformance
 
 
tools
tools
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
.goreleaser.yml
.goreleaser.yml
 
 
BEST_PRACTICES.md
BEST_PRACTICES.md
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Dockerfile
Dockerfile
 
 
Dockerfile.slim
Dockerfile.slim
 
 
GOVERNANCE.md
GOVERNANCE.md
 
 
LICENSE
LICENSE
 
 
MAINTAINERS.md
MAINTAINERS.md
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
RELEASE.md
RELEASE.md
 
 
SECURITY.md
SECURITY.md
 
 
VERSION
VERSION
 
 
docker-compose.yml
docker-compose.yml
 
 
go.work
go.work
 
 
install.sh
install.sh
 
 
jitpack.yml
jitpack.yml
 
 
mcp-bundle.json
mcp-bundle.json
 
 
release.high_risk.v3.toml
release.high_risk.v3.toml
 
 

Repository files navigation

HELM

License: Apache 2.0 OpenSSF Scorecard OpenSSF Best Practices Cosign verified SLSA Level 3 SBOM CycloneDX

HELM is an open-source execution kernel for governed AI tool calling. It sits on the execution boundary, applies fail-closed policy checks before dispatch, records signed receipts for allow and deny decisions, and exports evidence bundles that can be verified offline.

This repository is intentionally scoped to the OSS kernel:

  • core/ contains the Go kernel, CLI, HTTP API, proxy, evidence export, and verification logic.
  • protocols/, schemas/, and api/openapi/ define the wire contracts and generated SDK inputs.
  • sdk/ ships maintained public SDKs for Go, Python, TypeScript, Rust, and Java.
  • examples/ contains a small set of runnable integration examples.

Quick Start

brew install mindburnlabs/tap/helm
helm serve --policy ./release.high_risk.v3.toml
helm verify evidence-pack.tar
helm receipts tail --agent agent.titan.exec

helm serve --policy starts the local boundary on 127.0.0.1:7714 by default and stores receipts durably in SQLite unless DATABASE_URL is set. helm verify evidence-pack.tar runs offline by default. Add --online to check embedded pack metadata against the configured public proof API.

Build from source remains supported:

git clone https://github.com/Mindburn-Labs/helm-oss.git
cd helm-oss
make build
./bin/helm serve --policy ./release.high_risk.v3.toml

Run the retained validation targets before publishing changes:

make test
make test-all
make crucible

Govern an existing OpenAI-compatible client:

./bin/helm proxy --upstream https://api.openai.com/v1

Then point your client at http://localhost:8080/v1.

Public Interfaces

The retained public surfaces in this repository are:

  • Go CLI and kernel API in core/
  • OpenAI-compatible proxy surface
  • MCP server and bundle generation commands
  • Evidence export and verification commands
  • Public SDKs in sdk/go, sdk/python, sdk/ts, sdk/rust, and sdk/java

This repository does not ship hosted control-plane features, private operational tooling, browser UI, static UI, embedded UI, or HTML report surfaces.

SDKs

Language Path Install
Go sdk/go go get github.com/Mindburn-Labs/helm-oss/sdk/go
Python sdk/python pip install helm-sdk
TypeScript sdk/ts npm install @mindburn/helm
Rust sdk/rust cargo add helm-sdk
Java sdk/java com.github.Mindburn-Labs:helm-sdk:0.4.0

The HTTP client/types layer is generated from api/openapi/helm.openapi.yaml. Protobuf message bindings come from protocols/proto/ where a language SDK ships them. Both surfaces are validated by the SDK test targets.

Repository Map

Path Purpose
core/ Go implementation of the kernel, CLI, HTTP API, proxy, and verification paths
api/openapi/ OpenAPI contract used by the generated SDKs
protocols/ Protocol specifications and schema sources
schemas/ JSON schemas used by the kernel and verification flows
tests/conformance/ Conformance profile, checklist, and verification tests
reference_packs/ Example policy/reference bundles used by tests and examples
deploy/helm-chart/ Helm chart for running the kernel in Kubernetes

Documentation

Public OSS docs are sourced from this repository and canonically published through docs.mindburn.org. The owned docs set for sync is declared in docs/public-docs.manifest.json.

License

Apache-2.0. See LICENSE.

About

HELM OSS kernel: policy enforcement, proof receipts, evidence verification, protocol contracts, SDKs, and local evidence viewer.

Topics

open-source mcp helm audit ai-safety policy-engine policy-enforcement ai-governance tool-calling fail-closed deterministic-execution evidence-pack cryptographic-receipts proofgraph wasi-sandbox evidencepack proof-graph

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

5 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases 1

HELM OSS v0.4.0 Latest
Apr 25, 2026

Packages

 
 
 

Contributors

Languages