---
title: "Kilo Code on HELM"
canonical: "https://helm.docs.mindburn.org/helm-ai-kernel/launchpad/apps/kilocode"
source: "helm-ai-kernel/docs/launchpad/apps/KILOCODE.md"
edit: "https://github.com/Mindburn-Labs/helm-ai-kernel/edit/main/docs/launchpad/apps/KILOCODE.md"
section: "start-here"
access: "public"
sensitivity: "public"
last_reviewed: "2026-06-11"
checksum_sha256: "sha256:bf8f7b84a0f50587f3e9fba9389358d698696e86e35f9b36636f698077ef8245"
build_timestamp: "2026-06-10T22:15:26.620Z"
---
# Kilo Code on HELM

## What this proves
Kilo Code runs through HELM’s fail-closed execution boundary. The launch is driven by a registry-pinned app definition and a safe default-deny policy: HELM installs Kilo Code into a sandboxed local container, gates every tool call through the kernel verdict path, and emits a signed receipt for each lifecycle step, from install and healthcheck to teardown. The run ends with an exported EvidencePack that anyone can verify offline, so a coding agent's session leaves a replayable proof trail instead of just terminal scrollback.

```mermaid
flowchart TD
    A[Kilo Code Agent] -->|Request Tool Call| B(HELM AI Kernel)
    B -->|Check Policy| C{Verdict}
    C -->|ALLOW| D[Execute Action]
    C -->|DENY| E[Block & Return Error]
    C -->|ESCALATE| F[Step-Up / Operator Approval]
    D -->|Teardown / Receipt| G[EvidencePack Export]
```
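The verdict flow in the diagram, as an added Python sketch that is not HELM's own code: the policy table, the tool names, and the `Gate`, `decide` and `verify_chain` names are assumptions made for illustration. An unsigned hash-chained digest stands in for the signed receipts the page describes.

```python
import hashlib, json
from enum import Enum

class Verdict(str, Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    ESCALATE = "ESCALATE"

# Constructed sample policy (tool name -> verdict); not HELM's policy format.
POLICY = {"fs.read": "ALLOW", "shell.exec": "ESCALATE"}

def decide(policy, call):
    """Default-deny: unlisted tools, malformed calls and bad policy values all DENY."""
    try:
        return Verdict(policy[call["tool"]])
    except Exception:
        return Verdict.DENY

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

class Gate:
    def __init__(self, policy, approver=None):
        self.policy, self.approver, self.receipts = policy, approver, []

    def _approved(self, call):
        try:  # no approver, or an approver that errors, counts as refusal
            return self.approver(call) is True
        except Exception:
            return False

    def run(self, call, action):
        verdict = decide(self.policy, call)
        ok = verdict is Verdict.ALLOW or (verdict is Verdict.ESCALATE and self._approved(call))
        prev = self.receipts[-1]["digest"] if self.receipts else "0" * 64
        body = {"call": call, "verdict": verdict.value, "executed": ok, "prev": prev}
        self.receipts.append({**body, "digest": _digest(body)})  # receipt precedes the action
        if not ok:
            raise PermissionError(f"{verdict.value}: tool call blocked")
        return action(call)

def verify_chain(receipts):
    """Recompute every digest and link; an edited or reordered receipt fails."""
    prev = "0" * 64
    for r in receipts:
        body = {k: v for k, v in r.items() if k != "digest"}
        if r["prev"] != prev or _digest(body) != r["digest"]:
            return False
        prev = r["digest"]
    return True
```

Every path that is not an explicit ALLOW or an approved ESCALATE ends in `PermissionError`, and the receipt is written before the action runs, so a blocked or failed call still leaves a record.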

## Headless path
```bash
helm-ai-kernel launch kilocode local-container --headless --output json
```

## Source Truth
- Registry source: `registry/launchpad/apps/kilocode.yaml`
- Policy source: `policies/launchpad/apps/kilocode.safe.toml`

## Evidence requirements
- cpi_output
- kernel_verdict
- sandbox_grant
- launch_receipt
- install_receipt
- healthcheck_receipt
- teardown_receipt
- evidence_pack
- evidence_graph
- mcp_quarantine
- mcp_manifest
- artifact_digest
- cosign_signature
- syft_sbom
- grype_vulnerability_scan

## Verify
```bash
helm-ai-kernel verify --bundle <pack>
```
