Parent epic: #115. Relates to prior "multi-agent governance" (the identity slice of it).
Problem. AGT's headline is "which agent did this?" Talon should answer at gateway level without a full trust mesh.
Deliverable. Per-agent identity keys + a signed attestation on each governed request, woven into the evidence record (verifiable agent attribution). No full A2A mesh (anti-goal for 2.0).
Done when: every governed request's evidence attributes the action to a verifiable agent identity.
Kickoff context
Pointers: signing internal/evidence/signature.go, caller identity internal/gateway/caller.go, key material internal/secrets/{vault.go,acl.go}, policy input internal/policy/gateway_engine.go.
Approach: per-agent identity keys + a signed attestation on each governed request woven into the evidence record (verifiable "which agent did this"). Lightweight — NOT a full A2A trust mesh (anti-goal for 2.0).
Testing: evidence records attribute the action to a verifiable agent identity; tampered attestation fails verification.
Dependencies: parent #115; the identity slice that the Future multi-agent work (#153) builds on.
📋 Talon project context (self-contained background — read first)
What Talon is. An EU-first, single Go binary that acts as a network gateway / proxy in front of LLM and MCP (Model Context Protocol) tool traffic. Every LLM/tool call passes through an embedded policy engine (OPA/Rego) and becomes an HMAC-signed, regulator-mapped evidence record in SQLite. Value prop: policy-enforced AI execution + audit trail + EU data sovereignty, self-hostable with zero per-agent code changes. Apache 2.0.
The 2.0 thesis (wedge). "Portkey helps you operate AI. AGT helps you build governed agents. Talon helps you prove your AI traffic was governed — inside Europe, with signed evidence." We win EU-sovereign egress evidence + auditor exports, not model breadth or agent primitives.
Competitors referenced in issues.
- AGT = Microsoft Agent Governance Toolkit: an in-process library (multi-language) for agent tool/action governance + identity. Strong on runtime tool-action interception; explicitly not a turnkey compliance solution; no content/PII or egress governance; EU residency is an Azure concern.
- Portkey = US enterprise AI gateway/control-plane: routing, caching, observability, guardrails, budgets, 1,600+ models. Weak on signed evidence, per-article EU regulatory mapping, EU-first self-host.
2.0 milestone plan (GA target 2026-08-25).
- M0 Credibility & Demo Gate (due 2026-06-16) — trust docs + the live 10-minute demo; runs in parallel.
- M1 EU-Compliance Moat (due 2026-07-14) — the wedge: compliance reports, egress governance, air-gap, PII quality.
- M2 Parity & Narrowing AGT — 2.0 GA (due 2026-08-25) — reliability layer, runtime tool-call governance, agent identity.
- Talon 2.1 / Future — out of 2.0 scope.
Feature-bet legend (issues say "5.x"). 5.1 turnkey compliance report generator · 5.2 data-flow/egress governance · 5.3 air-gapped self-host · 5.4 reliability layer (failover/retry/cache) · 5.5 runtime tool-call governance via MCP proxy · 5.6 per-agent identity + attestation · 5.7 red-team CLI + sandbox · 5.8 workflow/cross-session governance.
Proof-bar legend (issues say "area N"). The 5 things a skeptical EU CTO must verify: 1 reliability parity · 2 runtime tool governance · 3 credibility surface (LIMITATIONS/threat model/benchmarks/specs/adopters) · 4 compliance-claim discipline (never "makes you compliant") · 5 focus (published anti-goals).
Codebase map (Go, under internal/). gateway/ proxy path (gateway.go, router.go, forward.go, tool_filter.go, response_pii.go, evidence.go, errors.go, ratelimit.go) · llm/ provider router.go + providers/ · policy/ embedded OPA (engine.go, gateway_engine.go, proxy.go, rego/) · evidence/ (signature.go, store.go, generator.go, export.go, signed_export.go, cache_event.go) · compliance/ (mapping.go, report.go) · classifier/ PII (pii.go, patterns.go, enrichment.go, registry.go, render/) · cache/ (store.go, embedder.go, key.go, policy.go, pii_scrubber.go) · mcp/ (proxy.go, server.go) · secrets/ (vault.go, acl.go) · agent/ (runner.go, tool_approval.go, hooks.go, circuit_breaker.go, tool_failures.go, plan_review.go) · approver/ · server/ dashboard+API · cmd/ CLI. Key CLI: talon run | serve | audit verify | audit export | compliance report.
Engineering conventions (non-negotiable). Single binary, no runtime deps for basic use. Evidence-by-default: every LLM/tool/secret/memory action emits a signed evidence record (even on failure) — HMAC-SHA256, includes correlation_id/tenant_id/agent_id/decision/cost/timestamp. Multi-tenant: every state path includes tenant_id; validate against path traversal. OTel spans on every significant op (attrs: correlation_id, tenant_id, agent_id; GenAI semconv for LLM calls). Context timeouts always (LLM 60s, tool 5m, agent 30m); never unbounded. Wrap errors fmt.Errorf("...: %w", err); domain errors as package vars (ErrPolicyViolation, ErrBudgetExceeded, ErrPIIDetected, ErrSecretAccessDenied, ErrInjectionDetected, …). Tests: table-driven + testify, t.TempDir(), target 70%+ on core pkgs. Compliance language: "supporting controls/evidence for […]", never "makes you compliant".
Full strategy (optional deeper context). internal_docs/talon-2/ — 01 positioning, 03 gap analysis, 04 feature bets, 06 roadmap/anti-goals, 08 buyer proof bar, 09 messaging, 10 GitHub backlog map. This issue is meant to be actionable without them.