From 1b7e9751f66f7284bae5371c7a38ec1bc39db082 Mon Sep 17 00:00:00 2001 From: Sergey Enin Date: Wed, 3 Jun 2026 15:09:00 +0200 Subject: [PATCH] docs(limitations): apply ded-furby boundary clarifications on main (#117) Rebase PR #155 onto current main: keep the consolidated LIMITATIONS.md structure and add the two sharper boundary statements from @ded-furby: signing-key custody in the HMAC claim and tool invocation outside the governed path. Co-authored-by: ded-furby <190979964+ded-furby@users.noreply.github.com> --- LIMITATIONS.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/LIMITATIONS.md b/LIMITATIONS.md index fd64aa8..588d70d 100644 --- a/LIMITATIONS.md +++ b/LIMITATIONS.md @@ -23,7 +23,7 @@ This table is the source of truth for capability claims. If a demo or doc descri ## Evidence boundary -A valid signature proves that this evidence record was signed with the deployment's configured key and has not been modified since signing. It does not prove that the policy, model response, tool result, or operator decision was correct. +A valid signature proves that this evidence record was signed with the deployment's configured key and — assuming that key remains protected — has not been modified since signing. It does not prove that the policy, model response, tool result, or operator decision was correct. - Verify a record with `talon audit verify ` or `talon audit verify --file ` — see [evidence store](docs/explanation/evidence-store.md). - The signature covers the canonical JSON of the stored fields ([`VerifyRecord`](internal/evidence/store.go)). It is not instance attestation, and it does not vouch for upstream provider behavior. 
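Review bot: the custody caveat in the rewritten `+A valid signature proves ...` line is attached to the wrong half of the claim. The commit message calls this the HMAC claim, and with a shared HMAC key anyone holding the key can produce a valid tag over any content, so a leaked key undermines "was signed with the deployment's configured key" just as much as "has not been modified since signing". Suggest moving the condition to the front so it governs the whole sentence, e.g. `+If the configured key has not been disclosed, a valid signature proves that this record was produced by a holder of that key and has not been modified since signing.`, and saying explicitly that the verifier cannot distinguish a record written by Talon from one written by anyone else holding that key. It would also help to state in the `talon audit verify` bullet that verification uses the same configured key, since custody of that key is now the stated precondition for everything the signature proves.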
@@ -31,6 +31,7 @@ A valid signature proves that this evidence record was signed with the deploymen ## Tool-governance boundary - Today, forbidden tools are stripped from request bodies before forwarding ([`internal/gateway/tool_filter.go`](internal/gateway/tool_filter.go)); the README "pre-execution filter" wording reflects this. +- Talon does not prevent the same tool from being invoked on a separate path that does not pass through Talon. - Not yet: runtime execution interception or per-execution MCP tool-call governance with a signed deny. - "Tool governance: Yes" in the README comparison means request-body filtering today, not runtime execution control.
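Review bot: the new bullet `+- Talon does not prevent the same tool from being invoked on a separate path that does not pass through Talon.` names the gap but not its consequence: the request-body filter in the bullet above is only a control if the gateway is the sole route to the tool. Suggest adding a clause that the deployment must enforce that routing outside Talon (for example, by having the tool or MCP endpoint accept calls only from the gateway), otherwise "forbidden tools are stripped from request bodies" describes behaviour on one path rather than a guarantee about the tool. Consider also placing the bullet after the "Not yet" line so the list reads today / not yet / out of scope, instead of interleaving a scope statement between the two capability statements.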