
Intercept tool execution at MCP proxy (allow/deny) #145

@sergeyenin

Description


Parent epic: #114.

Problem. Today there is only request-body filtering (internal/gateway/tool_filter.go); an actual tool execution is not intercepted. This is the "weaker than AGT" gap.

Deliverable. Intercept the actual tool execution through the Talon MCP proxy and allow/deny it at runtime, returning a governance error on deny.

Done when: a forbidden tool execution (not just a stripped schema) is blocked at the proxy with a returned governance error.


Kickoff context

Pointers: MCP proxy internal/mcp/{proxy.go,server.go,proxy_config.go}, policy on the proxy internal/policy/proxy.go, today's request-body filter internal/gateway/tool_filter.go (the mechanism we're upgrading).
Approach: intercept the actual tool execution routed through the Talon MCP proxy and evaluate allow/deny/approve per call before it runs; deny → returned governance error. This is the genuinely hard delta vs request-body filtering.
Testing: extend internal/mcp/proxy_test.go to prove a forbidden tool execution (not just a stripped schema) is blocked with a governance error.
Dependencies: parent #114; emits per-execution evidence via #146; approval routing via #147.
Conventions: evidence-by-default per execution; OTel span per tool call.
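As an added example (not Talon's code), a per-call interception point in Go that matches the deliverable above: it parses the raw JSON-RPC tools/call, asks an Allow hook (an assumed stand-in for the OPA policy query on the proxy), forwards only on allow, wraps a deny in ErrPolicyViolation, and signs an evidence record for every outcome, upstream failure included, per the evidence-by-default convention. Guard, Allow, Forward, Sign and the Evidence field layout are assumptions for this example, not Talon's real interfaces.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ErrPolicyViolation is the domain error a denied tool execution is wrapped in.
var ErrPolicyViolation = errors.New("policy violation")
// Evidence is the HMAC-SHA256 signed record emitted for every intercepted execution, whatever the outcome.
type Evidence struct{ CorrelationID, TenantID, AgentID, Tool, Decision, Timestamp, Signature string }
// Guard sits in the proxy path; Allow stands in for the OPA query and Forward for the upstream MCP hop (both assumed).
type Guard struct {
	Key     []byte // evidence signing key
	Allow   func(tenantID, agentID, tool string) bool
	Forward func(raw []byte) ([]byte, error)
}

// Execute intercepts one raw JSON-RPC request before the tool runs: a denied call never reaches Forward and comes back wrapped in ErrPolicyViolation; deny, allow and upstream failure all return a signed evidence record.
func (g Guard) Execute(tenantID, agentID, corrID string, raw []byte) ([]byte, Evidence, error) {
	var c struct { // the subset of a tools/call request we need; encoding/json matches keys case-insensitively
		Method string
		Params struct{ Name string }
	}
	if err := json.Unmarshal(raw, &c); err != nil || c.Method != "tools/call" || c.Params.Name == "" {
		return nil, Evidence{}, errors.New("intercept: not a well-formed tools/call request")
	}
	ev := Evidence{CorrelationID: corrID, TenantID: tenantID, AgentID: agentID, Tool: c.Params.Name,
		Decision: "deny", Timestamp: time.Now().UTC().Format(time.RFC3339)}
	resp, err := []byte(nil), error(nil)
	if !g.Allow(tenantID, agentID, c.Params.Name) {
		err = fmt.Errorf("tool %q for agent %q: %w", c.Params.Name, agentID, ErrPolicyViolation)
	} else if resp, err = g.Forward(raw); err != nil { // upstream failure still leaves a signed record
		ev.Decision, err = "error", fmt.Errorf("forward tools/call: %w", err)
	} else {
		ev.Decision = "allow"
	}
	ev.Signature = Sign(g.Key, ev)
	return resp, ev, err
}
// Sign returns the hex HMAC-SHA256 over the evidence fields (Signature excluded), so an auditor can recompute it.
func Sign(key []byte, ev Evidence) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s|%s|%s|%s|%s|%s", ev.CorrelationID, ev.TenantID, ev.AgentID, ev.Tool, ev.Decision, ev.Timestamp)
	return fmt.Sprintf("%x", mac.Sum(nil))
}
```

A proxy_test.go-style check for this gate drives Execute with a constructed tools/call for a tool the policy forbids and asserts both that Forward was never called and that the returned evidence verifies under the signing key.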


📋 Talon project context (self-contained background — read first)

What Talon is. An EU-first, single Go binary that acts as a network gateway / proxy in front of LLM and MCP (Model Context Protocol) tool traffic. Every LLM/tool call passes through an embedded policy engine (OPA/Rego) and becomes an HMAC-signed, regulator-mapped evidence record in SQLite. Value prop: policy-enforced AI execution + audit trail + EU data sovereignty, self-hostable with zero per-agent code changes. Apache 2.0.

The 2.0 thesis (wedge). "Portkey helps you operate AI. AGT helps you build governed agents. Talon helps you prove your AI traffic was governed — inside Europe, with signed evidence." We win EU-sovereign egress evidence + auditor exports, not model breadth or agent primitives.

Competitors referenced in issues.

  • AGT = Microsoft Agent Governance Toolkit: an in-process library (multi-language) for agent tool/action governance + identity. Strong on runtime tool-action interception; explicitly not a turnkey compliance solution; no content/PII or egress governance; EU residency is an Azure concern.
  • Portkey = US enterprise AI gateway/control-plane: routing, caching, observability, guardrails, budgets, 1,600+ models. Weak on signed evidence, per-article EU regulatory mapping, EU-first self-host.

2.0 milestone plan (GA target 2026-08-25).

  • M0 Credibility & Demo Gate (due 2026-06-16) — trust docs + the live 10-minute demo; runs in parallel.
  • M1 EU-Compliance Moat (due 2026-07-14) — the wedge: compliance reports, egress governance, air-gap, PII quality.
  • M2 Parity & Narrowing AGT — 2.0 GA (due 2026-08-25) — reliability layer, runtime tool-call governance, agent identity.
  • Talon 2.1 / Future — out of 2.0 scope.

Feature-bet legend (issues say "5.x"). 5.1 turnkey compliance report generator · 5.2 data-flow/egress governance · 5.3 air-gapped self-host · 5.4 reliability layer (failover/retry/cache) · 5.5 runtime tool-call governance via MCP proxy · 5.6 per-agent identity + attestation · 5.7 red-team CLI + sandbox · 5.8 workflow/cross-session governance.

Proof-bar legend (issues say "area N"). The 5 things a skeptical EU CTO must verify: 1 reliability parity · 2 runtime tool governance · 3 credibility surface (LIMITATIONS/threat model/benchmarks/specs/adopters) · 4 compliance-claim discipline (never "makes you compliant") · 5 focus (published anti-goals).

Codebase map (Go, under internal/). gateway/ proxy path (gateway.go, router.go, forward.go, tool_filter.go, response_pii.go, evidence.go, errors.go, ratelimit.go) · llm/ provider router.go + providers/ · policy/ embedded OPA (engine.go, gateway_engine.go, proxy.go, rego/) · evidence/ (signature.go, store.go, generator.go, export.go, signed_export.go, cache_event.go) · compliance/ (mapping.go, report.go) · classifier/ PII (pii.go, patterns.go, enrichment.go, registry.go, render/) · cache/ (store.go, embedder.go, key.go, policy.go, pii_scrubber.go) · mcp/ (proxy.go, server.go) · secrets/ (vault.go, acl.go) · agent/ (runner.go, tool_approval.go, hooks.go, circuit_breaker.go, tool_failures.go, plan_review.go) · approver/ · server/ dashboard+API · cmd/ CLI. Key CLI: talon run | serve | audit verify | audit export | compliance report.

Engineering conventions (non-negotiable). Single binary, no runtime deps for basic use. Evidence-by-default: every LLM/tool/secret/memory action emits a signed evidence record (even on failure) — HMAC-SHA256, includes correlation_id/tenant_id/agent_id/decision/cost/timestamp. Multi-tenant: every state path includes tenant_id; validate against path traversal. OTel spans on every significant op (attrs: correlation_id, tenant_id, agent_id; GenAI semconv for LLM calls). Context timeouts always (LLM 60s, tool 5m, agent 30m); never unbounded. Wrap errors fmt.Errorf("...: %w", err); domain errors as package vars (ErrPolicyViolation, ErrBudgetExceeded, ErrPIIDetected, ErrSecretAccessDenied, ErrInjectionDetected, …). Tests: table-driven + testify, t.TempDir(), target 70%+ on core pkgs. Compliance language: "supporting controls/evidence for", never "makes you compliant".

Full strategy (optional deeper context). internal_docs/talon-2/ — 01 positioning, 03 gap analysis, 04 feature bets, 06 roadmap/anti-goals, 08 buyer proof bar, 09 messaging, 10 GitHub backlog map. This issue is meant to be actionable without them.

Labels: P1 · 2.0 parity / credibility · area:tool-governance · Runtime tool-call governance
