Company News · April 2026 · 7 min read

HDP for Agentic Function Calls Is Now in the Google Gemma Cookbook

A public example in `google-gemma/cookbook` now shows Gemma 4 function calls being gated by Human Delegation Provenance before execution. That is a meaningful step for agent authorization.


At a Glance

  • Gemma: public cookbook example live
  • HDP: open protocol, free to implement
  • 2604.04522: formal HDP paper on arXiv
  • HDP-P: physical AI companion spec on Zenodo

HDP is no longer only a draft, a paper, and a reference repository. A public example has now landed in the Google Gemma cookbook, showing how Gemma 4 function calls can be checked against human-issued delegation before a tool executes.

The significance is not that a single repository path exists. The significance is that the problem of human authorization in agentic systems is becoming concrete enough to show up inside a mainstream open-model developer workflow. The current cookbook README frames the example as Gemma 4 plus HDP for securing agentic function calls, with a notebook and middleware that place verification in the path before execution rather than after the fact.

That is exactly where this problem belongs. Once a model can call tools, move data, send messages, or trigger downstream agents, the question is no longer just whether the call is syntactically valid. The question is whether the system can prove a human principal actually authorized that action and the scope in which it was meant to occur.

What Actually Merged

The public Gemma cookbook example does not present HDP as abstract theory. It shows the security model in operational terms:

  • A Gemma 4 walkthrough notebook showing HDP issuance, scope checks, and gated function execution.
  • A drop-in middleware layer that verifies a delegation token before any tool call runs.
  • A practical irreversibility model, from read-only actions through physical actuation.
  • A public reference path from software agents today to HDP-P for physical systems tomorrow.

The README also connects the software-side control path to edge and physical deployments. It explicitly points readers from HDP toward HDP-P for cases where Gemma 4 is directing physical actuators on devices such as a Jetson Nano or Raspberry Pi based robotics stack.
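
The pre-execution gate described above, sketched as an added example; it is not the cookbook's middleware and does not use HDP's token format. The HMAC-signed token, the `Level` ladder, the tool names and `gated_call` are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
from enum import IntEnum

class Level(IntEnum):            # constructed irreversibility ladder
    READ_ONLY = 0
    REVERSIBLE = 1
    IRREVERSIBLE = 2
    PHYSICAL = 3

class Denied(Exception):
    pass

# Hypothetical tool registry: name -> (irreversibility level, handler)
TOOLS = {
    "read_calendar": (Level.READ_ONLY, lambda **a: "3 events"),
    "send_email": (Level.IRREVERSIBLE, lambda **a: "sent"),
    "move_arm": (Level.PHYSICAL, lambda **a: "moved"),
}

def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def issue(key, principal, scope, max_level, ttl=300):
    """Human side: sign which tools are delegated, up to which level, until when."""
    claims = {"sub": principal, "scope": sorted(scope),
              "max": int(max_level), "exp": time.time() + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body + b"." + _mac(key, body)

def verify(key, token):
    body, _, tag = token.partition(b".")
    if not hmac.compare_digest(tag, _mac(key, body)):   # authenticate before parsing
        raise Denied("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        raise Denied("expired")
    return claims

def gated_call(key, token, name, args):
    """Middleware: every check must pass before the handler runs (fail closed)."""
    claims = verify(key, token)
    if name not in TOOLS:
        raise Denied("unknown tool")
    level, handler = TOOLS[name]
    if name not in claims["scope"]:
        raise Denied("out of scope")
    if level > claims["max"]:
        raise Denied("exceeds delegated irreversibility")
    return handler(**args)
```

A tool named in the token's scope is still refused when its irreversibility level is above the delegated ceiling, so scope and level are independent checks.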

Why This Matters Beyond One Merge

Why It Matters
  • It moves HDP from protocol text into a public implementation path developers can inspect, run, and adapt.
  • It makes human authorization a first-class part of the function-calling control path instead of a policy note buried in prompt text.
  • It gives the broader Gemma ecosystem a concrete example of pre-execution security rather than post-incident audit alone.

Security categories usually become real in stages. First the risk is named. Then it is researched. Then it gets a reference implementation. Only after that does it become normal engineering work. The Gemma cookbook example matters because it helps push human provenance and delegated authority one step further along that path.

For Helixar, this is also strategically important. We are a commercial company focused on agentic threat detection, response, and behavioral visibility. HDP is not our commercial moat. HDP is an open protocol contribution that helps define the infrastructure layer this market is going to need. The company and the protocol have different roles, and that distinction matters.

Open Protocol, Commercial Company, Different Jobs

HDP is open. It is published publicly, free to implement, and documented through the IETF draft, the arXiv paper, and the reference repository. It is designed to answer one narrow but important question: what did the human authorize, and can every downstream participant verify that chain?

Helixar is commercial. The company is building agentic threat detection: behavioral monitoring, drift detection, out-of-scope action analysis, and operational controls for AI systems running in real environments. Those layers sit adjacent to protocol work rather than replacing it. In our view, the future of agentic security needs both: provenance for what should have happened, and detection for what actually did.

That is why this cookbook inclusion matters as more than a branding moment. It shows that human provenance is not a side topic. It belongs in the practical stack developers reach for when they wire models to tools.

Helixar's Open Strategy for the Agentic Future

The cookbook example starts with function calls, but the market does not stop there. The same control problem gets sharper as agents move from software actions into financial workflows, supply chains, infrastructure changes, and eventually physical systems where rollback is limited or impossible. That is why HDP matters beyond one implementation example. It is part of the rules layer this category still needs to build.

Helixar's view is straightforward: new threat categories need shared awareness, shared controls, and shared language before they can be defended properly. That is why part of our strategy is open. Open protocols and open-source tools accelerate adoption, make the problem legible to the market, and help establish the standards people will need before agentic systems are operating at machine speed across enterprises, developer pipelines, and robotics environments.

Three Open Signals, One Direction

  • HDP: Defines verifiable human delegation for agentic systems so downstream actions can be checked against what was actually authorized.
  • ReleaseGuard: Hardens release artifacts and strips unknown or risky payloads before they ship, reducing the attack surface around agentic software supply chains.
  • Sentinel: Verifies MCP security posture and helps teams find protocol-level exposure before an agentic workflow turns into an incident.

Those contributions are not separate stories. They are early pieces of the same thesis: the agentic future will need provenance, release integrity, protocol hygiene, and behavioral detection working together. HDP helps define what should have been allowed. Helixar's commercial platform is being built to detect what actually happened in production, including drift, misuse, and emerging attack paths that no static rule set will catch on its own.

The hook for the market is simple: if agents are going to execute more human work at machine speed, the security model has to be designed before that operating model is everywhere. That is the future Helixar is building for. If you are shaping agentic infrastructure, deploying tool-calling models, or thinking about robotics and irreversible AI actions, this is the right time to talk to us at press@helixar.ai.

References

  1. Google Gemma Team. (2026). Gemma 4 + HDP: Securing Agentic Function Calls. Google Gemma Cookbook. github.com/google-gemma/cookbook
  2. Google. (2026). Google Gemma 4 Model Family. Google Developers Blog. blog.google
  3. Dalugoda, A. (2026). HDP: A Lightweight Cryptographic Protocol for Human Delegation Provenance in Agentic AI Systems. arXiv:2604.04522. arxiv.org
  4. IETF Internet-Draft. (2026). draft-helixar-hdp-agentic-delegation-00. datatracker.ietf.org
  5. Dalugoda, A. (2026). HDP-P: Human Delegation Provenance for Physical AI Agents. Zenodo. DOI: 10.5281/zenodo.19332440. doi.org/10.5281/zenodo.19332440
  6. Helixar Labs. (2026). HDP Reference Repository. github.com/Helixar-AI/HDP

Human provenance should be part of the agent stack

Read the protocol work, inspect the public cookbook example, and talk to Helixar if you need behavioral controls around real agent deployments.
