From c9a8d597df6c2c01cb3dee3bcb3b512ca60d10fb Mon Sep 17 00:00:00 2001 From: Sergey Enin Date: Wed, 3 Jun 2026 08:54:20 +0200 Subject: [PATCH] docs: sharpen LIMITATIONS boundaries (tool path + key custody) Fold two honest scope points from the community PR #155 (@ded-furby) into the existing LIMITATIONS.md: - Tool-governance: note that Talon does not prevent the same tool from being invoked on a path that does not pass through Talon. - Evidence: state the signing-key-custody assumption inline in the integrity claim ("assuming that key remains protected"). Co-authored-by: ded-furby --- LIMITATIONS.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/LIMITATIONS.md b/LIMITATIONS.md index 648f210..4d950cc 100644 --- a/LIMITATIONS.md +++ b/LIMITATIONS.md @@ -23,7 +23,7 @@ This table is the source of truth for capability claims. If a demo or doc descri ## Evidence boundary -A valid signature proves that this evidence record was signed with the deployment's configured key and has not been modified since signing. It does not prove that the policy, model response, tool result, or operator decision was correct. +A valid signature proves that this evidence record was signed with the deployment's configured key and — assuming that key remains protected — has not been modified since signing. It does not prove that the policy, model response, tool result, or operator decision was correct. - Verify a record with `talon audit verify ` or `talon audit verify --file ` — see [evidence store](docs/explanation/evidence-store.md). - The signature covers the canonical JSON of the stored fields ([`VerifyRecord`](internal/evidence/store.go)). It is not instance attestation, and it does not vouch for upstream provider behavior. 
@@ -32,6 +32,7 @@ A valid signature proves that this evidence record was signed with the deploymen - Today, forbidden tools are stripped from request bodies before forwarding ([`internal/gateway/tool_filter.go`](internal/gateway/tool_filter.go)); the README "pre-execution filter" wording reflects this. - Not yet: runtime execution interception or per-execution MCP tool-call governance with a signed deny. +- It does not prevent the same tool from being invoked on a path that does not pass through Talon. - "Tool governance: Yes" in the README comparison means request-body filtering today, not runtime execution control. ## Isolation boundary
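Review bot: In the first hunk (`@@ -23,7 +23,7 @@`, the Evidence boundary paragraph) the new key-custody caveat is attached only to the "has not been modified since signing" clause, but it applies equally to the first claim in the same sentence, "was signed with the deployment's configured key": if the signing key is no longer protected, a valid signature does not establish that the deployment produced the record either, so the current placement leaves half of the integrity claim unqualified. Suggest moving the assumption to the front of the sentence so it scopes both claims, e.g. "Assuming the configured signing key remains protected, a valid signature proves that this evidence record was signed with that key and has not been modified since signing." This also removes the parenthetical dashes, which the surrounding LIMITATIONS.md prose does not otherwise use.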
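Review bot: In the second hunk (`@@ -32,6 +32,7 @@`, the tool-governance list) the added bullet "- It does not prevent the same tool from being invoked on a path that does not pass through Talon." has no clear antecedent for "It": the previous bullet begins "Not yet: runtime execution interception ...", so "It" reads as referring to the missing interception feature rather than to Talon or the filter, and "the same tool" is not anchored to anything in the bullet itself. Suggest naming the subject the way the commit message already does and tying it to the filter described two lines above, e.g. "- Talon does not prevent a tool stripped from a request body by the filter from being invoked over a path that does not pass through Talon (a direct client or agent call)." Keeping the "Today," / "Not yet:" lead-in pattern of the neighbouring bullets (for example "Out of scope:") would also make it obvious at a glance that this is a scope boundary rather than a planned feature.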