Interop opportunity — cryptographic authorization receipts + IronCurtain policy

[rodchalski]

Hey Niels — great work on IronCurtain. The constitution-based policy approach is elegant.

We've been building the complementary layer: Permission Protocol issues cryptographic authorization receipts (Ed25519-signed, timestamped, scope-bound) before any agent action executes. Think of it as the enforcement proof that sits alongside IronCurtain's policy layer.

The combination is powerful:

• IronCurtain defines WHAT an agent is allowed to do (constitution)
• Permission Protocol proves THAT each action WAS authorized (receipt)

Together: policy + cryptographic proof. The full stack for auditable agent authorization.

We just submitted our architecture to NIST's AI Agent Security RFI (Docket NIST-2025-0035) and published open-source SDKs:

• pip install permission-protocol
• npm install @permission-protocol/sdk
• GitHub: permission-protocol/python-sdk

Would love to explore interoperability. Happy to discuss here or jump on a call.

— Rod Carvalho, Founder, Permission Protocol

[mindburnlabs]

The framing in this issue is exactly right, and HELM OSS is directly relevant here.

What HELM adds to this picture

HELM implements both layers natively in a single execution kernel rather than as two cooperating systems:

1. Policy evaluation — before each tool call dispatch, HELM evaluates a pluggable policy (ALLOW/DENY, fail-closed). This can call an external policy engine (IronCurtain's constitution evaluation), or use HELM's own schema-pinned rule set.
2. Signed receipt emission — atomically with the policy decision, HELM emits an Ed25519-signed receipt per call: { toolName, params, policyDecision, outcome, timestamp, sessionKey, Lamport clock }. Tamper-evident, verifiable offline.

The key architectural difference from a two-system approach: in HELM the receipt and the policy decision are atomic — the receipt is emitted by the same kernel that enforces the policy, so you get a proof that enforcement actually happened at the call boundary (not a post-hoc log that enforcement should have happened).

Concrete interop path

IronCurtain as HELM's constitution source is a natural fit:

• HELM intercepts each tool call before dispatch
• Calls IronCurtain's policy evaluator with { agent, tool, params, provenance }
• Receives ALLOW/DENY + annotation
• Enforces fail-closed
• Emits Ed25519-signed receipt including the IronCurtain policy annotation

This gives you IronCurtain's rich plain-English constitution semantics plus HELM's cryptographic proof graph.

We're also keen to align with NIST-2025-0035 — HELM's receipt format maps naturally onto the auditability requirements in the RFI.

Happy to discuss or sketch a concrete adapter. Repo: https://github.com/Mindburn-Labs/helm-oss