Helio enforces the limits your agent can't bypass — what it can spend, what needs your sign-off and what it can never touch. It runs as a proxy in front of your tools, so there's nothing to skip and no code to change. Open-source, self-hosted and works with any MCP agent.
$ npx @gethelio/proxy init ▸ Scaffolding project in ./helio Created helio.yaml Created policies/default.yaml ✓ Done. Run npx @gethelio/proxy start to launch the proxy.
$ npx @gethelio/proxy start Loading config from helio.yaml... Registered 2 policy rules ✓ Proxy listening on :3100 ✓ Dashboard at http://localhost:3100 Waiting for connections...
Works with the agents you already use
Claude
ChatGPT
Cursor
LangChain
LangGraph
CrewAI
AutoGen
Any MCP-compatible agent
Guardrails that hold when you're not watching
Prompt-based rules drift, reset, and get talked past. Helio enforces from outside the agent - so the lines you set stay set, every call.
It sits in the path, not the prompt
A rule inside the agent's context can be crowded out under load or argued away by a malicious tool. Helio enforces from outside, in the path every call travels so it can't be bypassed because it was never in the agent to begin with.
It remembers
A spend cap that resets on every call isn't a cap. Helio carries a running total across a window, demands evidence from a prior result before allowing an action, and enforces that prerequisite steps actually ran. None of which a stateless checker can do.
It catches tools that change
A tool can pass review on install, then quietly redefine itself a week later to do something you never approved. Helio captures each tool's definition and diffs it on every load, blocking anything that drifted until you've reviewed the change.
Five minutes from npx to governed
A YAML file. A proxy. No agent code changes.
MCP Client
Agent
Helio
Governance proxy
Policy engine
Evidence grounding
Approval workflows
Cross-tool spend budgets
Rate & spend limits
Audit trail
Self-repair feedback
MCP Server
Tools
MCP Client
Agent
Helio
Governance proxy
Policy engine
Evidence grounding
Approval workflows
Cross-tool spend budgets
Rate & spend limits
Audit trail
Self-repair feedback
MCP Server
Tools
Optional
Python SDK
thin · annotates calls
sideband
Helio sits between your agent and your tools as a transparent MCP proxy. Every call passes through.
1
Install
Scaffold helio.yaml. Helio starts in audit-only mode: recording, not blocking.
$npx @gethelio/proxy init
Created helio.yaml
Generated dashboard.api_secret
0a1c45ef…41f1d5
(also stored in helio.yaml)
2
Configure
Write rules in YAML — what to block, what to rate-limit, what it can spend.
Helio enforces on the amount a tool call declares. Fixed-cost tools that declare nothing are a rate-limit problem, and spend your provider meters after the fact is out of scope.
What a working helio.yaml looks like:
helio.yaml
version: '1'upstream:
url: 'http://localhost:3001/mcp'# Your existing MCP serverlisten:
port: 3000# Helio listens herepolicies:
default: allowrules:
# Block destructive operations
- match:
tool: 'delete_*'action: denyfeedback:
message: 'Destructive operations are disabled'# Rate limit expensive API calls
- match:
tool: 'search_*'action: rate_limitlimits:
max_calls: 100window: 1hkey: toolbudgets:
# One depleting pot across every tool that spends
- name: agent-paymentslimit: 50currency: USDwindow: session# never replenishes on a timerkey: sessionon_exceed: require_approval# a breach raises a break-glass ticketapproval:
channel: dashboardcontributors:
- tool: 'stripe_*'field: '$.amount'
- tool: 'paypal_*'field: '$.total'audit:
storage: sqliteretention: 90dinclude_responses: truedashboard:
enabled: trueport: 3100api_secret: '${HELIO_DASHBOARD_SECRET}'
Production-grade governance for AI agents
Declarative policies, human-in-the-loop approvals, evidence grounding, and a complete audit trail without changing your agent code or MCP servers.
Policy Engine
Declarative YAML rules that control which tools agents can call. Match by path, method, or custom attributes.
Approval Workflow
Route sensitive actions to humans via Slack, email, or dashboard. Configurable timeouts and escalation paths.
Audit Trail
Every tool call logged with full context - who requested it, what policy matched, whether it was approved, and the result.
Spend Budgets
One depleting pot across every tool that spends. Breach it and the call is denied, or held for human approval.
Evidence Grounding
Capture the reasoning context that led to each tool call. Audit not just what happened, but why.
Protocol Native
Sits between any MCP client and server as a transparent proxy. No agent code changes required.
How Helio compares
Most governance is locked to one platform, one framework, or only controls which tools an agent can reach. Helio governs every tool call across any MCP agent without any code changes.
Helio
Obot
Built-in (Anthropic / OpenAI)
Framework (LangChain / CrewAI)
Features
What it governs
Per-call actions, stateful across calls
Which tools are reachable
Agent permissions inside one platform
Agent behavior inside one framework
Governs agents you didn't build
Any MCP agent
Any MCP agent
One platform only
One framework only
No agent code changes
Proxy in the path
Gateway in the path
Within platform
Integration required
Evidence grounding
Cumulative
None
None
Limited
Cumulative spend control
Cross-tool budgets
Basic
None
Limited
Open source
Apache 2.0
Apache 2.0
No
Varies
Helio
Features
What it governs
Per-call actions, stateful across calls
Governs agents you didn't build
Any MCP agent
No agent code changes
Proxy in the path
Evidence grounding
Cumulative
Cumulative spend control
Cross-tool budgets
Open source
Apache 2.0
See what your AI agents are actually doing
Open source, local-first, free. Scaffolds your config - one more command boots the proxy and dashboard.