Let your AI agents run
unsupervised

Helio enforces the limits your agent can't bypass — what it can spend, what needs your sign-off and what it can never touch. It runs as a proxy in front of your tools, so there's nothing to skip and no code to change. Open-source, self-hosted and works with any MCP agent.

Terminal
$ npx @gethelio/proxy init
▸ Scaffolding project in ./helio
Created helio.yaml
Created policies/default.yaml
✓ Done. Run npx @gethelio/proxy start to launch the proxy.

$ npx @gethelio/proxy start
Loading config from helio.yaml...
Registered 2 policy rules
✓ Proxy listening on :3100
✓ Dashboard at http://localhost:3100
Waiting for connections...

Works with the agents you already use

  • Claude
  • ChatGPT
  • Cursor
  • LangChain
  • LangGraph
  • CrewAI
  • AutoGen
  • Any MCP-compatible agent

Guardrails that hold when you're not watching

Prompt-based rules drift, reset, and get talked past. Helio enforces from outside the agent - so the lines you set stay set, every call.

It sits in the path, not the prompt

A rule inside the agent's context can be crowded out under load or argued away by a malicious tool. Helio enforces from outside, in the path every call travels so it can't be bypassed because it was never in the agent to begin with.

It remembers

A spend cap that resets on every call isn't a cap. Helio carries a running total across a window, demands evidence from a prior result before allowing an action, and enforces that prerequisite steps actually ran. None of which a stateless checker can do.

It catches tools that change

A tool can pass review on install, then quietly redefine itself a week later to do something you never approved. Helio captures each tool's definition and diffs it on every load, blocking anything that drifted until you've reviewed the change.

Five minutes from npx to governed

A YAML file. A proxy. No agent code changes.

MCP Client

Agent

Helio

Governance proxy

  • Policy engine
  • Evidence grounding
  • Approval workflows
  • Cross-tool spend budgets
  • Rate & spend limits
  • Audit trail
  • Self-repair feedback

MCP Server

Tools

Helio sits between your agent and your tools as a transparent MCP proxy. Every call passes through.

1

Install

Scaffold helio.yaml. Helio starts in audit-only mode: recording, not blocking.

$ npx @gethelio/proxy init

  Created helio.yaml

  Generated dashboard.api_secret
    0a1c45ef…41f1d5
    (also stored in helio.yaml)
2

Configure

Write rules in YAML — what to block, what to rate-limit, what it can spend.

# helio.yaml
policies:
  rules:
    - match:
        tool: 'delete_*'
      action: deny
    - match:
        tool: 'search_*'
      action: rate_limit
      limits:
        max_calls: 100
        window: 1h
3

Run

Start the proxy. The dashboard ships inside it — there's no separate install.

$ npx @gethelio/proxy start

  Proxy: 127.0.0.1:3000
  Policies: 2 rules (allow)
  Upstream: localhost:8080/mcp
    (streamable-http)
  Dashboard: 127.0.0.1:3100
  Approvals: 300s → deny
    1 channel configured
  Budgets: 1 (agent-payments)
  Watching helio.yaml

Helio enforces on the amount a tool call declares. Fixed-cost tools that declare nothing are a rate-limit problem, and spend your provider meters after the fact is out of scope.

What a working helio.yaml looks like:

helio.yaml
version: '1'

upstream:
  url: 'http://localhost:3001/mcp' # Your existing MCP server

listen:
  port: 3000 # Helio listens here

policies:
  default: allow

  rules:
    # Block destructive operations
    - match:
        tool: 'delete_*'
      action: deny
      feedback:
        message: 'Destructive operations are disabled'

    # Rate limit expensive API calls
    - match:
        tool: 'search_*'
      action: rate_limit
      limits:
        max_calls: 100
        window: 1h
        key: tool

budgets:
  # One depleting pot across every tool that spends
  - name: agent-payments
    limit: 50
    currency: USD
    window: session # never replenishes on a timer
    key: session
    on_exceed: require_approval # a breach raises a break-glass ticket
    approval:
      channel: dashboard
    contributors:
      - tool: 'stripe_*'
        field: '$.amount'
      - tool: 'paypal_*'
        field: '$.total'

audit:
  storage: sqlite
  retention: 90d
  include_responses: true

dashboard:
  enabled: true
  port: 3100
  api_secret: '${HELIO_DASHBOARD_SECRET}'

Production-grade governance for AI agents

Declarative policies, human-in-the-loop approvals, evidence grounding, and a complete audit trail without changing your agent code or MCP servers.

Policy Engine

Declarative YAML rules that control which tools agents can call. Match by path, method, or custom attributes.

Approval Workflow

Route sensitive actions to humans via Slack, email, or dashboard. Configurable timeouts and escalation paths.

Audit Trail

Every tool call logged with full context - who requested it, what policy matched, whether it was approved, and the result.

Spend Budgets

One depleting pot across every tool that spends. Breach it and the call is denied, or held for human approval.

Evidence Grounding

Capture the reasoning context that led to each tool call. Audit not just what happened, but why.

Protocol Native

Sits between any MCP client and server as a transparent proxy. No agent code changes required.

How Helio compares

Most governance is locked to one platform, one framework, or only controls which tools an agent can reach. Helio governs every tool call across any MCP agent without any code changes.

Helio

Features

What it governs
Per-call actions, stateful across calls
Governs agents you didn't build
Any MCP agent
No agent code changes
Proxy in the path
Evidence grounding
Cumulative
Cumulative spend control
Cross-tool budgets
Open source
Apache 2.0

See what your AI agents are actually doing

Open source, local-first, free. Scaffolds your config - one more command boots the proxy and dashboard.

$ npx @gethelio/proxy init