Merged
1 change: 1 addition & 0 deletions LIMITATIONS.md
Expand Up @@ -49,6 +49,7 @@ A valid signature proves that this evidence record was signed with the deploymen

## Further reading

- [ROADMAP.md](ROADMAP.md) — public anti-goals, wedge focus, and phased direction
- [SECURITY.md](SECURITY.md) — security boundaries and threat-model snapshot
- [Evidence store](docs/explanation/evidence-store.md) — how records are created, signed, and verified
- [Evidence integrity specification](docs/reference/evidence-integrity-spec.md) — byte-exact fields, serialization, signing, and independent verification
44 changes: 34 additions & 10 deletions README.md
Expand Up @@ -10,13 +10,16 @@

[Docs](docs/README.md) ·
[Limitations](LIMITATIONS.md) ·
[Roadmap & focus](ROADMAP.md) ·
[Quickstart](docs/tutorials/proxy-quickstart.md) ·
[Docker demo](examples/docker-compose/README.md) ·
[Dashboard](docs/reference/gateway-dashboard.md) ·
[Releases](https://github.com/dativo-io/talon/releases/latest)

Talon is a single Go binary that sits in front of OpenAI, Anthropic, AWS Bedrock, Azure OpenAI, and any OpenAI-compatible client. Change one URL and every request is policy-checked, PII-scanned, cost-tracked, and written to a tamper-evident, HMAC-signed evidence record — same SDK, same response shape, governed path. Built for EU teams that need real governance signals for GDPR, NIS2, DORA, and the EU AI Act. Apache 2.0.

**Positioning:** Portkey helps you operate AI. AGT helps you build governed agents. **Talon helps you prove your AI traffic was governed — inside Europe, with signed evidence.** See [Roadmap & focus](ROADMAP.md) for what we deliberately do *not* build.

```
$ talon audit list
ID TIME CALLER PII COST(€) MODEL DECISION
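Review bot: The new **Positioning** line says Talon helps you "prove your AI traffic was governed", which is a stronger claim than LIMITATIONS.md makes for the same records, where a valid signature is scoped to proving that the evidence record was signed. Because the records are HMAC-signed, the key that verifies a record can also produce one, so the proof holds only for a reader who trusts whoever holds the signing key. Suggest linking [Limitations](LIMITATIONS.md) from this sentence, as the ROADMAP.md intro does, or softening "prove" to match the wording used there.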
Expand Down Expand Up @@ -230,21 +233,41 @@ Fair, factual positioning. Talon's differentiation is evidence-grade compliance

---

## Install options
## Install

Talon requires **CGO** (SQLite). Go **1.22+** recommended (CI uses 1.25.x).

| Method | Platforms | Artifact / command |
|--------|-----------|------------------|
| **From source (recommended on macOS)** | linux, darwin (amd64, arm64) | `git clone … && make install` → `$(go env GOPATH)/bin/talon` |
| **`go install`** | linux, darwin (amd64, arm64) | `go install github.com/dativo-io/talon/cmd/talon@latest` |
| **Release tarball** | **linux/amd64 only** | `talon_<version>_linux_amd64.tar.gz` + `checksums.txt` on [Releases](https://github.com/dativo-io/talon/releases/latest) |
| **Install script** | linux/amd64 prebuilt; **darwin/arm64 falls back to `go install`** | `curl -sSL https://install.gettalon.dev \| sh` |
| **Docker / GHCR** | linux/amd64 images | `docker pull ghcr.io/dativo-io/talon:latest` (also `:vX.Y.Z`, `:X.Y`) |

- **Go (fastest):** `go install github.com/dativo-io/talon/cmd/talon@latest`
- **Release binary:** [GitHub Releases](https://github.com/dativo-io/talon/releases/latest) (verify against `checksums.txt`)
- **Docker / GHCR:** `docker pull ghcr.io/dativo-io/talon:latest` (also `:vX.Y.Z`, `:X.Y`)
- **Install script (checksum verification included):** `curl -sSL https://install.gettalon.dev | sh`
On macOS, if `go install` fails with `unsupported tapi file type '!tapi-tbd'`, use system Clang:

```bash
CC=/usr/bin/clang CGO_ENABLED=1 go install github.com/dativo-io/talon/cmd/talon@latest
```

Or clone the repo and run `make install` (Makefile sets `CC=/usr/bin/clang` on Darwin).

### First run (`talon init` → `talon run`)

```bash
export TALON_SECRETS_KEY="$(openssl rand -hex 32)" # vault encryption key
talon init --scaffold --name my-agent # agent.talon.yaml + talon.config.yaml
talon run --dry-run "hello" # no LLM API key required
```

Talon requires Go 1.22+ and CGO (for SQLite). On macOS, if `go install` fails with `unsupported tapi file type '!tapi-tbd'`, build with system Clang: `CC=/usr/bin/clang go install github.com/dativo-io/talon/cmd/talon@latest`, or clone and run `make install`.
For a governed live call, set a provider key: `talon secrets set openai-api-key --value "$OPENAI_API_KEY"` (see [Your first governed agent](docs/tutorials/first-governed-agent.md)).

Verify release artifacts:
Verify release assets (linux/amd64):

```bash
LATEST=$(gh release view --json tagName -q .tagName)
gh release view "$LATEST" --json assets -q '.assets[].name'
docker pull ghcr.io/dativo-io/talon:latest
gh release view --repo dativo-io/talon --json tagName,assets -q '.assets[].name'
# e.g. checksums.txt, talon_1.5.5_linux_amd64.tar.gz
```

---
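Review bot: The block under "Verify release assets (linux/amd64)" only prints asset names (`gh release view ... -q '.assets[].name'`), so nothing is actually verified. Add the download and a comparison against `checksums.txt`, for example `sha256sum --check --ignore-missing checksums.txt` after fetching both files (assuming `checksums.txt` is in `sha256sum` format). Related: the install-script row in the new table no longer says that checksum verification is included, which the removed bullet did state, and it now documents a darwin/arm64 fallback to `go install`; say which of these paths are checksum-verified. In the first-run block, `TALON_SECRETS_KEY` is generated inline with `openssl rand -hex 32` and exported only for the current shell; note that the value has to be stored, since a key described as the vault encryption key will be needed again to read what it encrypted.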
Expand Down Expand Up @@ -299,6 +322,7 @@ llm:
- [Provider registry](docs/reference/provider-registry.md)
- [Evidence store](docs/explanation/evidence-store.md)
- [Conformance suite & count](docs/reference/conformance.md)
- [Roadmap & focus](ROADMAP.md)
- [Gateway dashboard](docs/reference/gateway-dashboard.md)
- [OpenClaw integration](docs/guides/openclaw-integration.md)
- [Slack bot integration](docs/guides/slack-bot-integration.md)
167 changes: 110 additions & 57 deletions ROADMAP.md
@@ -1,57 +1,110 @@
# Roadmap

## v0.9.0 (February 2026) — Community & Launch Readiness

- [x] Policy engine (embedded OPA/Rego)
- [x] PII detection (25+ EU patterns across 27 member states)
- [x] Evidence store (HMAC-SHA256 signed, SQLite)
- [x] Secrets vault (AES-256-GCM, per-agent ACL)
- [x] Multi-LLM support (OpenAI, Anthropic, Bedrock, Ollama)
- [x] MCP server (native JSON-RPC 2.0)
- [x] HTTP API + embedded dashboard
- [x] Agent memory (governed, PII-scanned, Constitutional AI)
- [x] LLM API Gateway (transparent proxy at `/v1/proxy/*`)
- [x] Attachment scanning (prompt injection prevention)
- [x] Cron scheduler + webhook triggers
- [x] Mock provider + docker-compose demo (no API key)
- [x] Flow 0 verification (60-second demo)
- [x] JSON Schema for `talon.config.yaml` and `agent.talon.yaml`
- [x] Quickstart tutorials (Diataxis)
- [x] Starter OPA/Rego policy library
- [x] Community governance files (CODE_OF_CONDUCT, MAINTAINERS, CODEOWNERS)
- [x] Production deploy templates (systemd, docker-compose)

## v1.0.0 (March 2026) — Stable MVP

- [x] Operational control plane — run lifecycle (kill/pause/resume), tenant lockdown, runtime overrides, tool approval gates
- [ ] MCP Proxy (vendor integration for Zendesk, Intercom, etc.)
- [ ] Shadow mode dashboard tab (AI usage discovery)
- [ ] Per-caller/team cost dashboards
- [x] `talon init` interactive wizard (default in TTY); `--scaffold`, `--pack`, `--list-providers` / `--list-packs` / `--list-features`
- [ ] Additional industry packs (beyond openclaw, fintech-eu, etc.)

## v1.1.0 (May 2026) — Enterprise

- [ ] PostgreSQL backend (high-availability evidence store)
- [ ] LGTM observability stack integration (Grafana, Loki, Tempo, Mimir)
- [ ] Infisical integration (secret rotation, SAML)
- [ ] RBAC (role-based access control for the API)
- [ ] SSO/SAML authentication

## Future

- [ ] A2A protocol (agent-to-agent communication)
- [ ] Kubernetes operator
- [ ] Vector-search agent memory
- [ ] Advanced PII detection (Presidio integration)
- [ ] S3 WORM evidence storage
- [ ] gVisor/Firecracker agent isolation

## How to Influence the Roadmap

- Open a [feature request](https://github.com/dativo-io/talon/issues/new?template=feature_request.yml) with your use case
- Vote on existing issues with a thumbs-up reaction
- Join the discussion in [GitHub Discussions](https://github.com/dativo-io/talon/discussions)

Roadmap items are prioritized by: (1) community demand, (2) compliance
deadlines (EU AI Act August 2026), (3) engineering feasibility.
# Roadmap & focus (EMEA SMB)

**Who this is for.** European and EMEA organisations in roughly the **200–1,000 employee** range — regulated mid-market companies with a small platform or DevOps team, a DPO or compliance function, and growing use of LLMs and vendor AI tools. You do not have a dedicated “AI platform” division; you need **defensible controls** without replatforming every app.

**What you are buying.** Proof that AI traffic was governed **inside your region**, with records you can hand to an auditor, customer security review, or board — not another model catalog or agent framework.

> **Portkey helps you operate AI. AGT helps you build governed agents. Talon helps you prove your AI traffic was governed — inside Europe, with signed evidence.**

Talon is one self-hosted Go binary on the **network path** in front of OpenAI-compatible and MCP traffic. Change a base URL; keep your SDKs. Every call is policy-checked, PII-scanned, and stored as an HMAC-signed evidence record.

For what Talon does *not* claim (compliance outcomes, signatures, tool execution), see [LIMITATIONS.md](LIMITATIONS.md).

---

## What EMEA SMB teams need from us

| Role | Job to be done | How Talon helps today |
|------|----------------|------------------------|
| **CTO / Head of Engineering** | Pass customer and board scrutiny on AI use without a 12-month platform project | Drop-in gateway, cost caps, EU routing posture, signed audit trail |
| **Compliance / DPO** | Show **supporting controls and evidence** for GDPR, NIS2, DORA, EU AI Act — not a “trust us” slide | Framework-mapped exports, `talon audit verify`, regulator-oriented report scaffolding |
| **Platform / DevOps** (often 2–10 people) | Run governance without Kubernetes complexity or per-app SDK work | Single binary, SQLite default, `talon init`, Docker demo, optional linux/amd64 release |
| **SecOps** | Stop PII and spend before it hits the provider; know which agent did what | Input/output PII scan, pre-forward policy deny, evidence per caller/agent |

**Success for our ICP:** your auditor or enterprise customer accepts a Talon evidence pack with little manual rework — and your team can operate it without a managed US control plane.

---

## Near-term focus (the wedge)

We optimize for **“make the auditor and enterprise customer comfortable without leaving the EU”**:

- **Signed evidence** — tamper-evident records and offline verification (`talon audit verify`), not generic logs.
- **EU egress posture** — `eu_strict` / `eu_preferred` routing; non-compliant paths denied with signed proof (see [limitations](LIMITATIONS.md) for proxy vs `talon run` behavior).
- **Self-host on your terms** — on-prem or EU cloud; air-gap friendly; no required Talon SaaS.
- **Drop-in for existing apps** — sales copilots, support bots, internal tools already on OpenAI-compatible APIs.

We are **not** optimizing for maximum model count, a polished multi-tenant SaaS, or greenfield agent frameworks.

---

## Roadmap by outcome (not feature laundry)

### Now — trust you can show in a review

What we are shipping so a skeptical EU technical buyer can complete a **10-minute proof** and a light audit:

- Public trust docs: [limitations](LIMITATIONS.md), [threat model](docs/reference/threat-model.md), [evidence integrity spec](docs/reference/evidence-integrity-spec.md), [conformance](docs/reference/conformance.md), [benchmarks](docs/reference/benchmarks.md).
- Richer **auditor-oriented packs** — RoPA / EU AI Act Annex IV-style output on top of `talon compliance report` (today: control-mapping summary).
- Clearer **data-flow / egress** story for “where did this prompt leave the building?”

### Next — production confidence for regulated traffic

What SMB platform teams ask for once Talon is on the critical path:

- **Reliability** — retry/fallback and failover so governance does not become the outage.
- **Runtime tool governance** — deny dangerous MCP/tool *execution*, not only strip tools from the request body.
- **Per-agent identity** — evidence that answers “which bot or integration made this call?” for NIS2-style accountability.

### Later — scale across teams and vendors

- Stronger attachment / injection testing for document-heavy workflows (HR, legal, support).
- Cross-session and workflow-level governance as agent chains mature.
- EMEA **case studies**, DE/FR docs, and named adopters in regulated verticals (financial services, health, B2B SaaS selling into enterprise).

---

## Anti-goals (what we will not build for 2.0)

These protect a small EMEA team from “platform creep.” If your primary need is below, another product is likely a better lead.

| We are **not** building | Why it matters for EMEA SMB |
|-------------------------|-----------------------------|
| **Multi-language SDKs** | Your apps already speak HTTP; we govern at the gateway, not inside every codebase. |
| **Full agent-to-agent trust mesh** | Rare at 200–1k scale; lightweight per-agent identity comes first. |
| **Kubernetes operator / gVisor** | Most ICP teams want systemd or Docker Compose, not another cluster abstraction. |
| **Managed Talon cloud (yet)** | Data residency and procurement often rule out US-hosted control planes; self-host first. |
| **1,600-model catalogs** | You need **EU-relevant providers done well**, not every frontier model on day one. |
| **“AI governance platform” as the headline** | You need **provable records** for GDPR / EU AI Act / customer DPAs — not another vague category. |

Commodity gateway features (caching, dashboards, budgets) exist **in service of the wedge**, not as the reason to buy.

---

## When to choose Talon (and when not to)

| Your situation (EMEA SMB) | Recommendation |
|-------------------------|----------------|
| Enterprise customers or regulators ask **how you govern existing** ChatGPT/Copilot/vendor AI traffic | **Talon** — network proof point |
| You are **building a new agent platform** and need deep in-process tool hooks | **Microsoft AGT** (Talon can sit in front for egress evidence) |
| You need **US-centric AI ops**: broad routing, prompt CMS, largest model matrix | **Portkey** |
| You need **both** deep in-process tool policy **and** EU egress evidence | **AGT + Talon** — complementary layers |
| You only need log shipping / cost dashboards, not signed per-request evidence | Observability stack may suffice; validate against your DPA |

---

## Already available

Policy engine (OPA), EU PII patterns, HMAC evidence store, LLM gateway proxy, MCP server, `talon init`, Docker no-key demo, compliance report scaffolding. See [CHANGELOG.md](CHANGELOG.md) and [releases](https://github.com/dativo-io/talon/releases).

**Persona workflows:** [Persona guides](docs/PERSONA_GUIDES.md) · **Adoption paths:** [Adoption scenarios](docs/ADOPTION_SCENARIOS.md)

---

## How to influence the roadmap

We prioritize EMEA SMB outcomes: **evidence depth**, **EU deployment realism**, then community demand.

- [Feature request](https://github.com/dativo-io/talon/issues/new?template=feature_request.yml) — describe your sector, size, and review type (customer DPA, ISO, EU AI Act, etc.).
- 👍 on existing issues.
- [GitHub Discussions](https://github.com/dativo-io/talon/discussions)
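Review bot: The rewrite drops the open security items from the old checklist without saying where they went. RBAC for the API, SSO/SAML authentication, S3 WORM evidence storage and the PostgreSQL evidence store were unchecked under v1.1.0 and Future; the new file names only the Kubernetes operator and gVisor under anti-goals and does not mention the others under Now, Next, Later or anti-goals. For a document aimed at auditors and customer security reviews, state for each whether it is deferred or out of scope, in particular access control on the API and write-once evidence storage. Also, the "Runtime tool governance" bullet under Next implies that today tools are only stripped from the request body; a pointer to LIMITATIONS.md on that bullet would keep the two files consistent.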
2 changes: 2 additions & 0 deletions docs/README.md
Expand Up @@ -82,6 +82,7 @@ Choose the shortest path for your situation:
| [What Talon does to your request](explanation/what-talon-does-to-your-request.md) | Full request lifecycle: every check, every byte transformation, latency budget. |
| [Why not just a PII proxy?](explanation/why-not-a-pii-proxy.md) | Five failure scenarios: what a PII-only proxy misses, what Talon does, and how to verify. |
| [Evidence store](explanation/evidence-store.md) | Evidence record structure, session_id, HMAC signing (TALON_SIGNING_KEY), progressive disclosure, storage, and export (CSV/JSON columns). |
| [Roadmap & focus](../ROADMAP.md) | Public anti-goals, wedge narrative, phased direction, and buyer fit (what we are not building for 2.0). |
| [Adoption scenarios](ADOPTION_SCENARIOS.md) | Greenfield, brownfield custom, brownfield vendor; timelines and ROI. |
| [Persona guides](PERSONA_GUIDES.md) | Who uses Talon (DevOps, Compliance, CTO, SecOps, FinOps) and what they do. |
| [Vendor integration guide](VENDOR_INTEGRATION_GUIDE.md) | Why vendor compliance matters; MCP proxy and patterns. |
Expand All @@ -100,6 +101,7 @@ Choose the shortest path for your situation:
| [Evidence integrity specification](reference/evidence-integrity-spec.md) | Byte-exact spec so a third party can independently verify a record. |
| [Conformance suite & count](reference/conformance.md) | Reproducible passing-test count for the evidence + policy paths (`make conformance`). |
| [Reproducible benchmarks](reference/benchmarks.md) | `make benchmarks` — gateway overhead, PII scan, evidence write on your hardware. |
| [Roadmap & focus](../ROADMAP.md) | Anti-goals and focus — answers "are you trying to be Portkey + AGT?" |
| [Evidence integrity 5-minute proof](tutorials/evidence-integrity-demo.md) | Fast proof moment for auditors/operators, including offline signed-export verification. |
| [Threat model](reference/threat-model.md) | Attack surface, trust boundaries, and what the HMAC signature does and does not prove. |
| [Security policy](../SECURITY.md) | Vulnerability reporting process and security scope. |
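Review bot: The "Roadmap & focus" row is inserted into the table that lists the evidence integrity spec, conformance suite, benchmarks and threat model, with the description 'answers "are you trying to be Portkey + AGT?"'. That is positioning rather than something a reader can check, and the same link is already added to the explanation table earlier in this file with a neutral description. Suggest keeping only the earlier row, or reusing its description here so this table stays limited to documents a third party can verify against.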
14 changes: 6 additions & 8 deletions docs/tutorials/first-governed-agent.md
Expand Up @@ -2,25 +2,23 @@

In this tutorial we will get from zero to a policy-enforced AI agent in one path: install Talon, initialize a project, configure an LLM key, run a query, and see evidence recorded. By the end you will have run a governed agent and seen the audit trail.

**Prerequisites:** Go 1.22+ (or a pre-built binary) and an LLM API key (OpenAI or Anthropic) or a local Ollama instance.
**Prerequisites:** Go 1.22+ with CGO (or a **linux/amd64** release tarball), and an LLM API key (OpenAI or Anthropic) or a local Ollama instance for live runs. Dry-run works without an API key.

---

## 1. Install Talon

First, build or install the Talon binary.
See the [README install matrix](../../README.md#install) for all methods. **macOS and arm64 Linux:** use from-source or `go install` (prebuilt GitHub tarballs are **linux/amd64 only**).

```bash
# From source
# Recommended on macOS / arm64
git clone https://github.com/dativo-io/talon.git && cd talon
make build # → bin/talon
# or: make install # → $GOPATH/bin/talon
make install # → $(go env GOPATH)/bin/talon

# Or install a released version
go install github.com/dativo-io/talon/cmd/talon@latest
# Or: go install github.com/dativo-io/talon/cmd/talon@latest
```

**macOS:** If `go install` or `go build` fails with `unsupported tapi file type '!tapi-tbd'` (Homebrew LLVM vs Apple SDK), use system Clang: `CC=/usr/bin/clang go install github.com/dativo-io/talon/cmd/talon@latest`, or clone the repo and run `make build` / `make install`.
**macOS:** If linking fails with `unsupported tapi file type '!tapi-tbd'`, use `make install` or `CC=/usr/bin/clang CGO_ENABLED=1 go install github.com/dativo-io/talon/cmd/talon@latest`.

Check that it works:
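Review bot: The new Prerequisites line offers a linux/amd64 release tarball as an alternative to Go with CGO, but section 1 shows only the from-source and `go install` paths and sends tarball users to the README matrix, so a tutorial reader on that path gets no download or checksum step. Either add the tarball commands with a check against `checksums.txt`, or link directly to the README's "Verify release assets" section. Minor: the code comment gives the install location as `$(go env GOPATH)/bin/talon`; mention that this directory needs to be on `PATH` before the "Check that it works" step.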
