helm uses TypeScript types to register skills as typed functions with structured I/O. Permissions follow a clear precedence: exact→wildcard→skill→global.
Agents get a keyword search tool and a code-execution tool that runs JS inside an SES sandbox. A recursive proxy forwards calls over IPC to the parent, which enforces permissions.
The chat UI surfaces per-operation allow/ask/deny toggles. Approval requests stream to the UI and block the server until the user answers.
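
The exact→wildcard→skill→global precedence described above, as an added TypeScript example that is not helm's own code. The policy shape, the "skill.operation" id format, the trailing-"*" wildcard syntax and the longest-prefix tie-break between wildcards are assumptions made for illustration.

```typescript
// Added example. Policy shape, "skill.operation" ids and trailing-"*"
// wildcards are assumptions, not helm's actual types.
type Decision = "allow" | "ask" | "deny";
type Source = "exact" | "wildcard" | "skill" | "global";
type Table = { [key: string]: Decision };
interface Policy {
  rules: Table;     // exact ids ("git.push") and wildcards ("git.*")
  skills: Table;    // per-skill default, keyed by skill name
  global: Decision; // last-resort default
}

// Own-property lookup, so ids such as "constructor" never resolve
// through Object.prototype.
function own(table: Table, key: string): Decision | undefined {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

function resolvePermission(policy: Policy, operation: string): { decision: Decision; source: Source } {
  // 1. Exact rule for this operation id.
  const exact = own(policy.rules, operation);
  if (exact !== undefined) return { decision: exact, source: "exact" };

  // 2. Wildcard rules: the longest matching prefix wins ("git.push*" over "git.*").
  let best = "";
  let wildcard: Decision | undefined;
  for (const pattern of Object.keys(policy.rules)) {
    if (pattern.charAt(pattern.length - 1) !== "*") continue;
    const prefix = pattern.slice(0, -1);
    const matches = operation.slice(0, prefix.length) === prefix;
    if (matches && (wildcard === undefined || prefix.length > best.length)) {
      best = prefix;
      wildcard = policy.rules[pattern];
    }
  }
  if (wildcard !== undefined) return { decision: wildcard, source: "wildcard" };

  // 3. Default for the owning skill (text before the first ".").
  const dot = operation.indexOf(".");
  const skill = own(policy.skills, dot === -1 ? operation : operation.slice(0, dot));
  if (skill !== undefined) return { decision: skill, source: "skill" };
  // 4. Global default.
  return { decision: policy.global, source: "global" };
}

// Constructed sample policy.
const samplePolicy: Policy = {
  rules: { "git.push": "deny", "git.push*": "ask", "git.*": "allow" },
  skills: { fs: "ask" }, global: "deny",
};
```

Returning the matching tier alongside the decision lets the parent process log which rule produced each allow, ask or deny.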










