How to govern CoPaw with Talon
This guide shows how to route CoPaw's LLM traffic through Talon so every request is audited and policy-enforced. CoPaw is an open-source personal AI assistant (AgentScope/Alibaba DAMO) with multi-channel support (DingTalk, Feishu, Discord, etc.). Allow about 15 minutes.
For a Docker-based setup, see the CoPaw + Talon primer.
Prerequisites
- Talon installed (
go install github.com/dativo-io/talon/cmd/talon@latestorcurl -sL https://install.gettalon.dev | sh) - CoPaw installed (
pip install copawor from source) - Your real LLM provider API key (OpenAI, DashScope, or other OpenAI-compatible provider)
Steps
1. Install Talon and generate CoPaw config
# Generate a gateway-ready project pre-configured for CoPaw:
mkdir talon-copaw && cd talon-copaw
talon init --pack copaw --name copaw-gateway
# Or run `talon init` and choose CoPaw from the wizard.
This creates agent.talon.yaml — the copaw-gateway agent: CoPaw's Talon traffic identity (agent.key.secret_name: copaw-gateway-talon-key) plus its policy override (cost limits, gateway model allowlist, metadata.tags: [copaw] for the CoPaw dashboard views) — and talon.config.yaml (gateway config with providers, the organization baseline under organization_policy, and shadow mode by default).
2. Set the vault key, store the real provider key, mint the agent key
export TALON_SECRETS_KEY=$(openssl rand -hex 32)
talon secrets set openai-api-key "sk-your-openai-key"
# Or for DashScope: talon secrets set dashscope-api-key "sk-your-dashscope-key"
# Mint the agent key CoPaw will present (bound via agent.key.secret_name)
COPAW_KEY="$(openssl rand -hex 24)"
talon secrets set copaw-gateway-talon-key "$COPAW_KEY"
talon serve --gateway
Use the same TALON_SECRETS_KEY when running talon secrets set and talon serve. The agent key ($COPAW_KEY) is the token CoPaw sends to Talon; it resolves to the copaw-gateway agent (and its derived tenant) and goes into CoPaw's provider api_key field.
3. Confirm the gateway is running
curl -s -X POST http://localhost:8080/v1/proxy/openai/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $COPAW_KEY" \
-d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"Say hi"}],"max_tokens":5}'
You should get a JSON completion. If Talon runs on another host, use http://<talon-host>:8080.
4. Point CoPaw at the gateway
CoPaw stores provider settings in ~/.copaw.secret/providers.json and can be configured via the CoPaw Console (port 8088) or the CoPaw CLI.
Option A — CoPaw Console (Settings → Models):
- Open the CoPaw web UI (e.g.
http://localhost:8088). - Go to Settings → Models.
- Select the provider you use (e.g. OpenAI or a custom one).
- Set Base URL to
http://localhost:8080/v1/proxy/openai/v1(orhttp://<talon-host>:8080/v1/proxy/openai/v1). - Set API Key to the agent key you minted in step 2 (
$COPAW_KEY). - Save. CoPaw will use this endpoint for all LLM calls.
Option B — Environment variables (when starting CoPaw):
export OPENAI_BASE_URL=http://localhost:8080/v1/proxy/openai/v1
export OPENAI_API_KEY=$COPAW_KEY
copaw run
Option C — CoPaw CLI / REST API:
Use copaw providers or the REST API to set the provider's base_url and api_key to the Talon gateway URL and the agent key.
Important:
- The API Key in CoPaw is the Talon agent key (
$COPAW_KEY), not your real OpenAI/DashScope key. Talon resolves thecopaw-gatewayagent by this key and injects the real key when forwarding. - Base URL must end with
/v1so that paths likechat/completionsbecome.../v1/chat/completions. - Rotation:
talon secrets set copaw-gateway-talon-key <new>+ restart Talon, then update CoPaw — one active key per agent, never two.
5. Verify
Send a message through CoPaw (Console or any connected channel), then check the audit trail:
talon audit list
talon audit list --agent copaw-gateway
Evidence rows will show agent_id: copaw-gateway. The Talon dashboard (/dashboard) has a CoPaw Agents tab with stats and alerts (driven by the copaw entry in the agent's metadata.tags).
6. Policy and monitoring
- Shadow mode: The generated config uses
gateway.mode: shadowso violations are logged but not enforced. After 24h runtalon enforce report, then switch toenforceintalon.config.yamlif desired. - Cost limits: Adjust
policies.cost_limits.dailyand.monthlyin the agent file — each replaces the organization baseline cap when > 0. - PII: Set the floor in
gateway.organization_policy.defaults.pii_action; tighten per agent via thepolicies.data_classificationbooleans (input_scan+redact_input→ redact;block_on_pii→ block;input_scanalone scans without changing the action). The merge is monotonic — an agent can only tighten the org floor, never weaken it.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| "Invalid or missing agent key" | CoPaw is not sending the agent key, or key mismatch | Set CoPaw's API Key to exactly the value minted into copaw-gateway-talon-key. |
| "Service configuration error" | Vault key mismatch | Use the same TALON_SECRETS_KEY for talon secrets set and talon serve. |
| 404 on chat/completions | Base URL missing /v1 | Use http://talon-host:8080/v1/proxy/openai/v1 (trailing /v1). |
| CoPaw uses DashScope | Provider base URL | Add a dashscope provider in Talon gateway config with base_url: https://dashscope.aliyuncs.com/compatible-mode (no trailing /v1; gateway appends the path) and point CoPaw at http://talon-host:8080/v1/proxy/dashscope/v1. |
See also
- Choosing an integration path
- OpenClaw integration (same gateway pattern)
- CoPaw + Talon Docker primer
You're done
You now have CoPaw sending all LLM traffic through Talon. Talon is logging every request, scanning for PII, and enforcing per-agent policy and cost limits.
Next steps:
| I want to… | Doc |
|---|---|
| Cap cost or restrict models for CoPaw | How to cap daily spend per team or application |
| Run CoPaw + Talon in Docker | CoPaw + Talon Docker primer |
| Export evidence for auditors | How to export evidence for auditors |
| Add another app through the gateway | Add Talon to your existing app |