--- title: "HELM Launchpad" canonical: "https://helm.docs.mindburn.org/helm-ai-kernel/launchpad" source: "helm-ai-kernel/docs/LAUNCHPAD.md" edit: "https://github.com/Mindburn-Labs/helm-ai-kernel/edit/main/docs/LAUNCHPAD.md" section: "start-here" access: "public" sensitivity: "public" last_reviewed: "2026-05-20" checksum_sha256: "sha256:b02f61386ff66b8758fdb6a056b1b1159d3a93481792f8161532f371d335c1e6" build_timestamp: "2026-05-24T13:40:27.882Z" --- # HELM Launchpad Status: OpenClaw, Hermes, OpenCode, and Kilo Code are `oss_supported` for `local-container` after signed artifact, SBOM, vulnerability scan, live conformance, teardown, receipt, and offline EvidencePack verification in workflow `26198407296`. Codex, Claude Code, Cursor, and Junie remain external BYO adapters. LaunchKit is the product entrypoint for one-command app bootstrap. It uses the existing Launchpad registry/runtime/receipt implementation as the compatibility foundation, then exposes the Tier-1 operator command: ```bash helm up openclaw helm up hermes --target cloud:aws --verify-only ``` Launchpad remains the OSS local-container implementation layer. LaunchKit starts verified AI apps through a fail-closed execution firewall, preserves the MCP interceptor posture, records signed receipts, emits EvidencePacks that verify offline, and opens the Console at the receipt-backed run URL. ## Audience Operators and maintainers validating the release-backed Launchpad path in HELM AI Kernel. ## Outcome You can identify the supported app matrix, the exact verifier commands, the GHCR digests promoted by CI, and the passing clean-install gate behind public GA claims. ## Source Truth - CLI entrypoint: `core/cmd/helm-ai-kernel/launch_cmd.go` - Runtime package: `core/pkg/launchpad/` - App and substrate registry: `registry/launchpad/` - Policy packs: `policies/launchpad/` - Contract schemas: `schemas/launchpad/` - UX architecture: `docs/launchpad/UX_ARCHITECTURE.md` - Hosted account/entitlement target contract: `docs/launchpad/MINDBURN_ACCOUNT_ENTITLEMENTS_SPEC.md` - Release report: `docs/launchpad/final_report.json` - Clean-install GA gate: `docs/launchpad/CLEAN_INSTALL_GA.md` - v1.0 redacted evidence report: `docs/launchpad/v1_report.json` ## Current CLI ```bash helm up openclaw helm up hermes --target local helm up openclaw --demo helm up hermes --verify-only helm up hermes --target cloud:aws --yes helm up openclaw --resume helm-ai-kernel launch matrix --json helm-ai-kernel launch apps --json helm-ai-kernel launch substrates --json helm-ai-kernel launch secrets set model_gateway --provider openrouter --value-env OPENROUTER_API_KEY helm-ai-kernel launch secrets status helm-ai-kernel launch plan openclaw local-container --json helm-ai-kernel launch openclaw local-container --headless --output json helm-ai-kernel launch hermes local-container --headless --output json helm-ai-kernel launch opencode local-container --headless --output json helm-ai-kernel launch kilocode local-container --headless --output json helm-ai-kernel launch openclaw digitalocean --live-cloud-beta --approval --cost-ceiling-usd --headless --output json helm-ai-kernel launch hermes hetzner --live-cloud-beta --approval --cost-ceiling-usd --headless --output json helm-ai-kernel launch status --json helm-ai-kernel launch logs helm-ai-kernel launch repair helm-ai-kernel launch delete --cascade helm-ai-kernel launch evidence --export --json helm-ai-kernel launch evidence --output helm-ai-kernel evidence inspect helm-ai-kernel evidence diff helm-ai-kernel verify --bundle ``` `helm-ai-kernel` remains the backwards-compatible binary and command namespace. Release builds also ship `helm` as the primary product command. ## Account and Entitlement Boundary The Kernel repo currently exposes one self-hostable Launchpad surface backed by the existing Launchpad APIs. Free, Individual, and Enterprise hosted account entitlements are target architecture, not production Kernel behavior in this repo. Console must not infer account tier or invent entitlement state; it may only render explicit backend fields or clearly labeled test fixtures. The hosted integration contract lives in `docs/launchpad/MINDBURN_ACCOUNT_ENTITLEMENTS_SPEC.md`. ## App Classification | App | Availability | Evidence | | --- | --- | --- | | OpenClaw | `oss_supported` | `ghcr.io/mindburn-labs/helm-launchpad/openclaw@sha256:4da80a1e48b5603fd203b7d2b98539a01f796142b0ed9315e5ed86b25bf5d995`; workflow `26198407296`; live conformance, teardown, receipts, and offline EvidencePack verification passed | | Hermes | `oss_supported` | `ghcr.io/mindburn-labs/helm-launchpad/hermes@sha256:4ec024dd8d0191fc887f04dc92c959fc865808d1526f782b5093f395fdd41652`; workflow `26198407296`; live conformance, teardown, receipts, and offline EvidencePack verification passed | | OpenCode | `oss_supported` | `ghcr.io/mindburn-labs/helm-launchpad/opencode@sha256:cdbeb88cfbd698809e673339d525083cdf1cdb3e91529e01c6834cd90b778550`; workflow `26198407296`; live conformance, teardown, receipts, and offline EvidencePack verification passed | | Kilo Code | `oss_supported` | `ghcr.io/mindburn-labs/helm-launchpad/kilocode@sha256:7b03834725235714ea8e698d38d89ce9b8bd81230b7e784016cb20a2c3c93ca6`; workflow `26198407296`; live conformance, teardown, receipts, and offline EvidencePack verification passed | | Codex / Claude Code / Cursor / Junie | `external_proprietary_adapter` | BYO/external adapters only; HELM governs execution and does not redistribute them | ## Safety Model - Runtime verdicts are only `ALLOW`, `DENY`, or `ESCALATE`. - `oss_supported` requires license, immutable signed OCI artifact, policy pack, sandbox, healthcheck, e2e, signed MCP manifest refs, teardown, signed receipts, a hash-chained EvidencePack graph, and offline-verifiable proof. - Local default substrate is `local-container`. - Registry substrate metadata now declares isolation strength, network enforcement, secret mode, receipt support, teardown proof, and lifecycle support. Substrates without receipts or teardown proof cannot graduate beyond experimental. - OpenRouter egress uses launch-scoped proxy receipts; non-OpenRouter allowlists are rejected. - Current local-container model access uses a logical `model_gateway` secret binding that projects the provider env var only inside the launch process. Proxy-only secretless model access remains the stricter target and is not yet a public GA claim. - Supported apps route MCP through HELM-owned signed manifest refs. Unknown servers/tools quarantine, schema pins are required, and side-effect tools require approval receipts. - DigitalOcean and Hetzner cloud substrates remain opt-in beta and dry-run by default. CLI live paths require `--live-cloud-beta`, an approval receipt, a cost ceiling, provider readiness, and idempotency reconciliation before any public claim can move beyond beta. - Host `curl | bash`, mutable live git update, and package-manager mutation inside the current worktree are denied by installer tests. ```mermaid flowchart TD subgraph Ingestion["1. Ingestion & Context Plane"] Registry["Registry entry"] Plan["Deterministic launch plan"] end subgraph Evaluation["2. Evaluation & Policy Plane"] Policy["Policy pack"] end subgraph Execution["3. Execution & Verdict Plane"] Gate["ALLOW / DENY / ESCALATE"] end subgraph Ledger["4. Tamper-Evident Ledger Plane"] Receipt["Signed receipt"] Evidence["Offline EvidencePack"] end %% Operational Flow Edges Registry --> Policy Policy --> Plan Plan --> Gate Gate --> Receipt Receipt --> Evidence %% Premium Styling Rules style Policy fill:#2d3748,stroke:#4a5568,stroke-width:2px,color:#fff style Gate fill:#e53e3e,stroke:#9b2c2c,stroke-width:2px,color:#fff style Receipt fill:#2f855a,stroke:#276749,stroke-width:2px,color:#fff style Evidence fill:#2f855a,stroke:#276749,stroke-width:2px,color:#fff ``` ## Evidence Inspection Every generated Launchpad EvidencePack includes `04_EXPORTS/launchpad_evidence_graph.json`. The graph hash-chains receipts for plan/verdict, sandbox preflight, MCP quarantine, model gateway grant, install, start, healthcheck, teardown, and failure paths when present. ```bash helm-ai-kernel evidence inspect helm-ai-kernel evidence inspect --json helm-ai-kernel evidence diff helm-ai-kernel verify --bundle ``` ## Clean Install Gate Clean-install validation is intentionally separate from the build machine: ```bash brew update brew install mindburnlabs/tap/helm-ai-kernel helm-ai-kernel launch matrix --json helm-ai-kernel launch openclaw local-container --headless --output json helm-ai-kernel launch hermes local-container --headless --output json helm-ai-kernel launch opencode local-container --headless --output json helm-ai-kernel launch kilocode local-container --headless --output json helm-ai-kernel launch delete --cascade helm-ai-kernel verify --bundle ``` The reusable gate is `scripts/launch/clean_install_gate.sh`. It writes only redacted JSON evidence to `docs/launchpad/clean_install_report.json`; raw logs, provider keys, key fragments, and host identifiers are not committed. `--include-candidates` remains accepted for backward compatibility, but OpenCode and Kilo Code are part of the supported clean-install app set after workflow `26198407296`. For current source-backed details, use the Launchpad specs and conformance docs: `docs/launchpad/APP_SPEC.md`, `docs/launchpad/SUBSTRATE_SPEC.md`, `docs/launchpad/POLICY_PACKS.md`, `docs/launchpad/SECURITY_REVIEW.md`, `docs/launchpad/CONFORMANCE.md`, and `docs/launchpad/CLEAN_INSTALL_GA.md`. ## Troubleshooting | Symptom | First check | | --- | --- | | Published output is stale or incomplete | Run `npm run helm-public:accuracy` in `docs-platform`, then check the source path and public manifest row for this page. | | A launch reaches `REPAIR_REQUIRED` | Check `helm-ai-kernel launch logs ` and `helm-ai-kernel launch evidence --export --json`; logs redact scoped provider keys. | | A claim needs implementation backing | Check the Source Truth files above and update the implementation, manifest, source inventory, or page in the same change. |