
HELM AI Kernel

MCP Quarantine Before Tool Dispatch

Open-source execution kernel, CLI, MCP, conformance, verification, and compatibility.

MCP makes tools discoverable to agents. That is powerful, but discovery is not authorization. A server can be unknown, a tool can be new, or a schema can be missing the pin needed for a safe dispatch decision.

HELM AI Kernel treats that state as quarantine. Unknown servers, unknown tools, and missing schema pins return DENY or ESCALATE before fixture dispatch. A known schema-pinned call can be allowed.

Quarantine Flow

Diagram: MCP discovery -> HELM registry check -> Quarantine -> Authorize fixture call -> DENY or ESCALATE receipt

Mermaid source
flowchart LR
    Discovery["MCP discovery"] --> Registry["HELM registry check"]
    Registry --> Server{"Known server?"}
    Server -->|No| Quarantine["Quarantine"]
    Server -->|Yes| Tool{"Known tool and schema pin?"}
    Tool -->|No| Quarantine
    Tool -->|Yes| Permit["Authorize fixture call"]
    Quarantine --> Receipt["DENY or ESCALATE receipt"]
    Permit --> Receipt

HELM MCP quarantine and receipt proof board

The local MCP launch demo exercises the path end to end:

  • inspect fixture metadata and schema
  • create a fail-closed wrapper profile
  • deny unknown server and unknown tool calls
  • approve a registry record bound to a HELM receipt
  • allow one schema-pinned local.echo fixture call

Run it locally:

git clone https://github.com/Mindburn-Labs/helm-ai-kernel.git
cd helm-ai-kernel
make build
bash scripts/launch/demo-mcp.sh

The sanitized transcript is checked in at examples/launch/assets/mcp-quarantine.transcript.txt.

For a source-owned proof bundle with signed denial/escalation receipts, sealed EvidencePack output, and offline verifier output, run:

helm-ai-kernel mcp proof \
  --scenario all \
  --out /tmp/helm-mcp-proof \
  --run-id public-mcp-proof \
  --at 2026-06-09T00:00:00Z \
  --json

The command covers malicious or unknown MCP servers, prompt-injected tool output, excessive agency, confused-deputy scope mismatch, missing schema pins, schema drift, and replay or reordering attempts. Every case must report dispatched=false.
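The registry check and quarantine decision in the flow above, together with the schema drift, scope mismatch and replay or reordering cases the proof command covers, as a worked Python model. This is an added example, not HELM AI Kernel's own code: the QuarantineGate, ToolRecord, canonical_digest and run_cases names, the receipt fields, the constructed local/echo registry entries, the nonce and sequence replay guard, and the choice to ESCALATE a registered tool whose record has no schema pin are all assumptions made for illustration.

```python
"""Fail-closed MCP dispatch gate: registry check -> quarantine -> receipt.

Illustrative model of the quarantine flow. Names, data shapes and policy
choices here are assumptions, not the HELM AI Kernel's own code.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

ALLOW, DENY, ESCALATE = "ALLOW", "DENY", "ESCALATE"


def canonical_digest(obj: dict) -> str:
    """sha256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(raw).hexdigest()


@dataclass
class ToolRecord:
    """Approved registry entry for one tool (constructed shape)."""
    schema_pin: str | None                 # digest of the approved input schema; None = not yet pinned
    scopes: frozenset[str] = frozenset()   # principals allowed to invoke the tool


@dataclass
class QuarantineGate:
    servers: dict[str, dict[str, ToolRecord]] = field(default_factory=dict)
    seen_nonces: set[str] = field(default_factory=set)  # replay guard
    next_seq: int = 0                                   # reordering guard

    def authorize(self, call: dict) -> dict:
        """Return a receipt; dispatched is True only when the decision is ALLOW."""
        server, tool = call.get("server"), call.get("tool")

        def receipt(decision: str, reason: str) -> dict:
            body = {"server": server, "tool": tool, "decision": decision,
                    "reason": reason, "dispatched": decision == ALLOW}
            body["receipt_digest"] = canonical_digest(body)  # stand-in for a signed receipt
            return body

        tools = self.servers.get(server)
        if tools is None:
            return receipt(DENY, "unknown server")
        record = tools.get(tool)
        if record is None:
            return receipt(DENY, "unknown tool")
        if record.schema_pin is None:
            # Known tool, but nobody has approved a pin yet: hand it to a human.
            return receipt(ESCALATE, "registry record has no schema pin")
        if call.get("schema") is None:
            return receipt(DENY, "call carries no schema to pin against")
        if canonical_digest(call["schema"]) != record.schema_pin:
            return receipt(DENY, "schema drift")
        if call.get("principal") not in record.scopes:
            return receipt(DENY, "scope mismatch")
        nonce, seq = call.get("nonce"), call.get("seq")
        if nonce is None or nonce in self.seen_nonces:
            return receipt(DENY, "replay")
        if seq != self.next_seq:
            return receipt(DENY, "out-of-order sequence")
        self.seen_nonces.add(nonce)
        self.next_seq += 1
        return receipt(ALLOW, "schema-pinned call")


# Constructed input schema for a local echo fixture.
ECHO_SCHEMA = {"type": "object", "properties": {"text": {"type": "string"}}, "required": ["text"]}


def build_gate() -> QuarantineGate:
    """Constructed registry: one pinned echo tool and one registered-but-unpinned tool."""
    gate = QuarantineGate()
    gate.servers["local"] = {
        "echo": ToolRecord(schema_pin=canonical_digest(ECHO_SCHEMA), scopes=frozenset({"agent:demo"})),
        "shell": ToolRecord(schema_pin=None),
    }
    return gate


def run_cases() -> dict[str, dict]:
    """Run each quarantine scenario through one gate and collect the receipts."""
    gate = build_gate()
    good = {"server": "local", "tool": "echo", "schema": ECHO_SCHEMA,
            "principal": "agent:demo", "nonce": "n1", "seq": 0}
    drifted_schema = {**ECHO_SCHEMA,
                      "properties": {"text": {"type": "string"}, "cmd": {"type": "string"}}}
    cases = {
        "unknown_server": dict(good, server="unregistered"),
        "unknown_tool": dict(good, tool="rm"),
        "unpinned_tool": dict(good, tool="shell"),
        "missing_schema": {k: v for k, v in good.items() if k != "schema"},
        "schema_drift": dict(good, schema=drifted_schema, nonce="n2"),
        "scope_mismatch": dict(good, principal="agent:other"),
        "allowed": good,
        "replay": dict(good),               # same nonce presented a second time
        "reordered": dict(good, nonce="n3", seq=5),
    }
    return {name: gate.authorize(call) for name, call in cases.items()}


if __name__ == "__main__":
    for name, r in run_cases().items():
        print(f"{name:16} {r['decision']:9} dispatched={r['dispatched']}  {r['reason']}")
```

Only the pinned, in-scope, first-seen local echo call produces an ALLOW receipt; every other scenario returns DENY or ESCALATE with dispatched False, which is the property the proof command checks as dispatched=false. The receipt digest is a placeholder for the signed receipts the page describes.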

See MCP competitive threat conformance for the source files and validation commands.

Source Truth