
Changelog

All notable changes to Dativo Talon are documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Changed

  • feat(compliance): RoPA now distinguishes redacted from raw PII at each recipient, and cross-checks declared residency against observed transfers. Two accuracy gaps surfaced during field testing. (1) Section 5 (Recipients) listed identifier types per destination (e.g. email → openai) without saying whether the raw values actually reached the recipient — misleading when redact_pii was on and the provider only ever received placeholders. Types that were redacted in every flow to a destination are now annotated (redacted before egress); a type forwarded raw even once stays unannotated (no overstatement in either direction). The JSON export gains a redacted_entity_types field per destination. (2) Declaring compliance.data_residency: eu while running llm.routing.data_sovereignty_mode: eu_preferred/global let non-EU transfers happen silently relative to the declaration; the RoPA now adds a consistency: warning when EU residency is declared but non-EU/LOCAL destinations appear in the data-flow evidence, pointing at the two honest resolutions — enforce eu_strict, or document the transfer mechanism (SCCs/adequacy) with your DPO. Verify quickly: declare data_residency: eu, run traffic through a US provider, regenerate talon compliance ropa and see the warning; docs: RoPA declarations guide, configuration reference.

  • feat(cmd): talon audit show now renders the Data Flow section. The data_flow evidence section was signed and exported but invisible in the human-readable view — operators had to fall back to audit export --format signed-json + jq to see where a request's data went. audit show <id> now prints one line per flow item: source → destination (kind, name, model, region), disposition (forwarded/redacted/blocked/surfaced), data tier, and detected entity types. The PII Redacted line now labels both directions (input=… output=…): it previously showed only the output flag, which read as a contradiction next to a redacted input flow ("PII Redacted: false" while the prompt was in fact redacted before egress).

  • feat(evidence): data-flow evidence now covers all governed traffic, not only classified data. Previously the data_flow evidence section was recorded only when PII or tier > 0 data was detected, and only on the gateway path — so a clean talon run against OpenAI produced a RoPA with empty Recipients (Art. 30(1)(d)) and Transfers (Art. 30(1)(e)) sections despite real egress to a US provider. Now every request that egresses records at least its prompt → destination flow (provider, model, region): gateway requests, CLI/scheduled/webhook agent runs (new), and MCP proxy tool calls. Provider regions for agent runs resolve from registered provider metadata (e.g. openai → US, mistral → EU, ollama → LOCAL). Blocked flows are recorded as evidence but no longer counted as RoPA recipients/transfers — blocked data never reached the destination. Verify quickly: talon run "hello" then talon compliance ropa --format html --output ropa.html — Section 5 lists your provider and Section 6 flags non-EU transfers with the SCC/adequacy note. No migration impact: data_flow remains optional in the integrity spec (requests denied before egress still omit it); records signed under earlier spec versions verify unchanged.
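As an added illustration of the Section 5 and Section 6 rules described in the RoPA and data-flow entries above (example code, not Talon's own implementation): the Go program below builds RoPA recipients from data-flow items, leaves blocked flows out, annotates an identifier type as redacted before egress only when every flow to that destination redacted it, resolves provider regions with "unknown" as the honest default, and emits the residency consistency warning. The FlowItem and Recipient types, the provider-region table and the sample flows are constructed for the example; the real evidence schema and provider registry are not reproduced.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FlowItem is one data-flow evidence item in the shape the notes describe:
// source → destination with region, disposition and detected entity types (constructed).
type FlowItem struct {
	Source      string
	Destination string
	Region      string // US, EU, LOCAL or unknown
	Disposition string // forwarded, redacted, blocked, surfaced
	EntityTypes []string
}

// Recipient is one RoPA Section 5 row: the identifier types that reached a destination
// and the subset that was redacted before egress in every flow.
type Recipient struct {
	Destination         string
	Region              string
	EntityTypes         []string
	RedactedEntityTypes []string
}

// providerRegions stands in for registered provider metadata (constructed sample).
var providerRegions = map[string]string{"openai": "US", "mistral": "EU", "ollama": "LOCAL"}

// ResolveRegion returns a provider's region, or "unknown" when there is no metadata:
// the region is never guessed, so the gap surfaces in Section 6 instead of being hidden.
func ResolveRegion(provider string) string {
	if r, ok := providerRegions[strings.ToLower(provider)]; ok {
		return r
	}
	return "unknown"
}

// BuildRecipients aggregates non-blocked flows per destination. A type counts as
// redacted only if it never reached the destination raw; one raw flow removes the annotation.
func BuildRecipients(flows []FlowItem) []Recipient {
	type acc struct {
		region  string
		seen    map[string]bool // type observed in any non-blocked flow
		rawOnce map[string]bool // type reached the destination unredacted at least once
	}
	byDest := map[string]*acc{}
	for _, f := range flows {
		if f.Disposition == "blocked" {
			continue // blocked data never reached the destination: no recipient, no transfer
		}
		a := byDest[f.Destination]
		if a == nil {
			a = &acc{region: f.Region, seen: map[string]bool{}, rawOnce: map[string]bool{}}
			byDest[f.Destination] = a
		}
		for _, et := range f.EntityTypes {
			a.seen[et] = true
			if f.Disposition != "redacted" {
				a.rawOnce[et] = true
			}
		}
	}
	var out []Recipient
	for dest, a := range byDest {
		r := Recipient{Destination: dest, Region: a.region}
		for et := range a.seen {
			r.EntityTypes = append(r.EntityTypes, et)
			if !a.rawOnce[et] {
				r.RedactedEntityTypes = append(r.RedactedEntityTypes, et)
			}
		}
		sort.Strings(r.EntityTypes)
		sort.Strings(r.RedactedEntityTypes)
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Destination < out[j].Destination })
	return out
}

// ResidencyWarnings cross-checks a declared EU residency against observed recipients:
// any destination outside EU/LOCAL (including an unresolved region) is flagged.
func ResidencyWarnings(declaredResidency string, recipients []Recipient) []string {
	if strings.ToLower(declaredResidency) != "eu" {
		return nil
	}
	var warnings []string
	for _, r := range recipients {
		if r.Region == "EU" || r.Region == "LOCAL" {
			continue
		}
		warnings = append(warnings, fmt.Sprintf(
			"consistency: compliance.data_residency is eu but %s (region %s) appears in data-flow evidence; "+
				"enforce llm.routing.data_sovereignty_mode: eu_strict or document the transfer mechanism (SCCs/adequacy) with your DPO",
			r.Destination, r.Region))
	}
	return warnings
}

// SampleFlows is a constructed evidence sample: email reached openai only redacted, phone reached
// it raw once, iban was blocked before egress, and mistral (EU) received a raw email.
func SampleFlows() []FlowItem {
	return []FlowItem{
		{Source: "prompt", Destination: "openai", Region: ResolveRegion("openai"), Disposition: "redacted", EntityTypes: []string{"email", "phone"}},
		{Source: "prompt", Destination: "openai", Region: ResolveRegion("openai"), Disposition: "forwarded", EntityTypes: []string{"phone"}},
		{Source: "prompt", Destination: "mistral", Region: ResolveRegion("mistral"), Disposition: "forwarded", EntityTypes: []string{"email"}},
		{Source: "prompt", Destination: "openai", Region: ResolveRegion("openai"), Disposition: "blocked", EntityTypes: []string{"iban"}},
	}
}

func main() {
	recipients := BuildRecipients(SampleFlows())
	for _, r := range recipients {
		fmt.Printf("%-8s %-6s types=%v redacted_before_egress=%v\n", r.Destination, r.Region, r.EntityTypes, r.RedactedEntityTypes)
	}
	for _, w := range ResidencyWarnings("eu", recipients) {
		fmt.Println("WARNING", w)
	}
}
```

With the sample, openai lists email and phone but only email is annotated as redacted, iban never appears, and the single warning points at openai (US); with no residency declared the check stays silent.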

Added

  • feat(evidence): governance parity across all entry paths — MCP server and graph adapter now record data flow; a runtime guardrail prevents future drift. Two paths lagged behind the consolidated data-flow posture and are now reconciled. (1) The embedded MCP server (talon serve, POST /mcp) classifies tool arguments and results for PII and records a data_flow section on every tools/call — including policy-denied calls (disposition: blocked) — with destination region LOCAL (embedded tools execute in-process). (2) The graph adapter (POST /v1/graph/events) records an orchestrator-reported prompt → external:<framework> flow on run_end whenever the external runtime reported a model or non-zero cost; content never transits Talon on this path, so the item carries no entity types and region unknown — Talon never guesses, and the unresolved region deliberately surfaces in RoPA Section 6 as a prompt to gateway the traffic. The shared contract is now enforced in three layers: evidence.ValidateGovernedRecord runs on every store and logs governance_parity_violation warnings (fail-open — evidence is never dropped), TestGovernanceParity_EntryPathContract enumerates all five entry paths in CI, and smoke section 29 verifies black-box that every model-call record in the live evidence DB carries data_flow. New reference doc: Governance control matrix — which controls run on which path, by-design limitations, and the checklist for adding new entry paths. Verify quickly: call any embedded tool via POST /mcp and check talon audit show <id> for the data_flow section. No migration impact: data_flow remains optional in the integrity spec; existing signatures verify unchanged.
  • feat(compliance): talon compliance annex-iv — EU AI Act Annex IV technical-documentation pack (#126). CTOs and DPOs preparing for the AI Act (high-risk obligations apply from 2 August 2026) can now generate an Annex IV-shaped pack (HTML or JSON) combining declared system facts (compliance.declarations.system in agent.talon.yaml: description, intended purpose, oversight arrangements) with runtime records from signed evidence: models/providers observed, policy denials and reasons (Art. 9 risk controls), plan-review human-oversight events (Art. 14), routing/egress decisions, audited memory writes, and post-market monitoring coverage (Art. 72). The pack explicitly lists items Talon cannot produce (model development process, performance metrics, declaration of conformity) with their owners — honest scoping for deployers. Verify quickly: talon compliance annex-iv --format html --output annex-iv.html, or see examples/auditor-pack/annex-iv.html. Docs: export runbook. Supporting documentation for Annex IV review, not a conformity assessment.
  • feat(compliance): talon compliance ropa — GDPR Art. 30 Record of Processing Activities export (#125). DPOs and platform teams can now generate an Art. 30(1)-shaped RoPA (HTML print-to-PDF-ready, or JSON) that merges declared facts (controller identity from talon.config.yaml compliance.controller; purposes/retention/legal basis from agent.talon.yaml compliance.declarations) with runtime facts from the signed evidence store (processing activities observed, personal-data identifiers detected, recipients and regions, third-country transfers). Missing declarations never fail the export — they are listed as warnings and rendered as flagged "DECLARATION MISSING" sections so the document tells you what to complete before auditor handoff. Every document carries an evidence-linkage block (record count, sample IDs, talon audit verify command) and a claims-discipline footer: supporting records for review, not a legal filing. Verify quickly: talon compliance ropa --format html --output ropa.html after any governed traffic, or see the committed sample in examples/auditor-pack/ropa.html. Docs: export runbook, configuration reference. No migration impact: both declaration blocks are optional.

Release Note Quality Bar

For user-facing entries, include:

  • why this change matters (problem solved),
  • who should care (operator/developer persona),
  • how to verify quickly (command or path),
  • any upgrade/migration impact,
  • at least one share artifact reference (screenshot, GIF, or snippet) when applicable.

1.6.0 - 2026-06-10

Added

  • feat(gateway): egress allow/deny by destination and data classification (#130). Operators can now declare which destinations (providers and/or regions) each data tier may egress to via gateway.default_policy.egress (per-caller override under callers[].policy_overrides.egress). Denials happen in the policy step — before secrets retrieval and before any bytes reach the upstream — return HTTP 403 with machine codes egress_tier_destination_disallowed / egress_destination_disallowed, and map to the new POLICY_DENIED_EGRESS explanation code. This supports data-transfer controls (e.g. GDPR Chapter V transfer policies) for CTO/DPO personas; Talon enforces and evidences the rule, it does not make the compliance determination. Verify quickly: add a tier_2 rule with allowed_regions: ["EU", "LOCAL"], send a payload containing an IBAN to a US-region provider, and expect a 403 plus an egress_decision evidence section. Unconfigured deployments are unchanged (egress is not evaluated); in shadow mode violations are recorded but forwarded.
  • feat(evidence): egress_decision evidence section (integrity spec v1.2). Signed evidence records now carry an optional egress_decision object (tier, provider, region, decision, matched_rule, reason) whenever an egress policy is configured. The field is additive and appended after data_flow: records signed under spec 1.0/1.1 verify unchanged.
  • feat(gateway): named data-tier aliases in config. Tier fields in the gateway config (egress.rules[].tier, callers[].policy_overrides.max_data_tier) now accept public/internal/confidential (case-insensitive) interchangeably with 0/1/2, following the ascending-sensitivity convention used by ISO 27001 practice and Microsoft Purview/AGT. This makes policies self-documenting for operators without changing tier semantics: evidence records, Rego inputs, and the JSON schema keep numeric tiers (schema accepts both forms). No migration needed — numeric configs remain valid.
  • feat(observability): egress decision telemetry. New counter talon.gateway.egress.decisions (tenant_id, tier, gen_ai.system, region, decision) and talon.egress.* span attributes on gateway request spans; egress denials emit a structured gateway_egress_denied log line with correlation_id, tenant_id, tier, destination, and reason.
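To show the egress rule semantics and the named tier aliases from the 1.6.0 entries above in running code, here is an added Go example; it is not the gateway's implementation. The rule struct shape, the mapping of the two machine codes (provider mismatch → egress_destination_disallowed, region mismatch → egress_tier_destination_disallowed), and the not_evaluated decision for an empty rule set are assumptions made for the example; the YAML keys are only paraphrased into struct fields.

```go
package main

import (
	"fmt"
	"strings"
)

// DataTier is the ascending-sensitivity tier: 0 public, 1 internal, 2 confidential.
type DataTier int

// ParseTier accepts numeric tiers (0/1/2) or the aliases public/internal/confidential,
// case-insensitive, interchangeably; anything else (such as a tier 3) is rejected.
func ParseTier(s string) (DataTier, error) {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "0", "public":
		return 0, nil
	case "1", "internal":
		return 1, nil
	case "2", "confidential":
		return 2, nil
	}
	return 0, fmt.Errorf("unknown data tier %q (want 0-2 or public/internal/confidential)", s)
}

// EgressRule: a tier plus the providers and/or regions it may egress to.
// An empty list means no restriction on that axis (assumed for the example).
type EgressRule struct {
	Tier             DataTier
	AllowedProviders []string
	AllowedRegions   []string
}

// EgressPolicy is the configured rule set; Mode is "enforce" or "shadow".
type EgressPolicy struct {
	Mode  string
	Rules []EgressRule
}

// Destination is the upstream the request would reach.
type Destination struct {
	Provider string
	Region   string
}

// EgressDecision mirrors the egress_decision evidence idea: what was checked and why.
type EgressDecision struct {
	Tier        DataTier
	Provider    string
	Region      string
	Decision    string // not_evaluated, allow, deny or shadow_violation
	MatchedRule int    // index of the rule that applied, -1 if none
	Code        string // machine code on a violation
	Reason      string
	Forwarded   bool // whether bytes may reach the upstream
}

func containsFold(list []string, v string) bool {
	for _, x := range list {
		if strings.EqualFold(x, v) {
			return true
		}
	}
	return false
}

// Evaluate is the policy-step check: it runs before any secret is fetched and before
// any bytes leave the gateway, so a deny never touches the upstream.
func (p EgressPolicy) Evaluate(tier DataTier, dst Destination) EgressDecision {
	d := EgressDecision{Tier: tier, Provider: dst.Provider, Region: dst.Region,
		Decision: "allow", MatchedRule: -1, Forwarded: true}
	if len(p.Rules) == 0 {
		d.Decision = "not_evaluated" // unconfigured deployment: egress is not evaluated
		return d
	}
	for i, r := range p.Rules {
		if r.Tier != tier {
			continue
		}
		d.MatchedRule = i
		switch {
		case len(r.AllowedProviders) > 0 && !containsFold(r.AllowedProviders, dst.Provider):
			d.Code = "egress_destination_disallowed" // assumed mapping: provider not allowed
			d.Reason = fmt.Sprintf("provider %s not allowed for tier %d", dst.Provider, tier)
		case len(r.AllowedRegions) > 0 && !containsFold(r.AllowedRegions, dst.Region):
			d.Code = "egress_tier_destination_disallowed" // assumed mapping: region not allowed
			d.Reason = fmt.Sprintf("region %s not allowed for tier %d", dst.Region, tier)
		}
		break
	}
	if d.Code == "" {
		return d
	}
	if strings.EqualFold(p.Mode, "shadow") {
		d.Decision = "shadow_violation" // recorded as evidence but still forwarded
		return d
	}
	d.Decision = "deny"
	d.Forwarded = false
	return d
}

// HTTPStatus maps a decision to the response code: 403 only on an enforced deny.
func HTTPStatus(d EgressDecision) int {
	if d.Decision == "deny" {
		return 403
	}
	return 200
}

func main() {
	tier, err := ParseTier("Confidential") // same as "2"
	if err != nil {
		panic(err)
	}
	pol := EgressPolicy{Mode: "enforce", Rules: []EgressRule{
		{Tier: tier, AllowedRegions: []string{"EU", "LOCAL"}},
	}}
	// A tier_2 payload (e.g. one carrying an IBAN) routed to a US-region provider is denied.
	d := pol.Evaluate(tier, Destination{Provider: "openai", Region: "US"})
	fmt.Printf("%d %s code=%s rule=%d\n", HTTPStatus(d), d.Decision, d.Code, d.MatchedRule)
	// The same payload to an EU-region provider is allowed.
	d = pol.Evaluate(tier, Destination{Provider: "mistral", Region: "EU"})
	fmt.Printf("%d %s\n", HTTPStatus(d), d.Decision)
}
```

The decision object is built in every case, including shadow mode, so the evidence record can carry it whether or not the request was forwarded.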

Changed

  • fix(config): removed phantom config keys that the runtime never read. talon init no longer generates tenants:, evidence:, llm_provider:, or secrets_key_env: blocks in talon.config.yaml — none of these were parsed by any loader, which misled operators into believing budgets/rate limits or evidence paths were configured there (they live in agent.talon.yaml and {data_dir}/evidence.db respectively). Existing configs with these keys keep working (keys are ignored, as before); regenerate with talon init or delete the blocks to clean up.
  • feat(config): log_level / log_format in talon.config.yaml now take effect. Previously only the --log-level/--log-format flags worked and the YAML values were silently ignored. Precedence: flag > config file > default.
  • feat(cache): cache.ttl_by_tier is now enforced. The documented per-tier TTL overrides (public/internal/confidential, seconds) were parsed but never applied; cache entries now use the tier-specific TTL and record their real data tier (previously always public). talon doctor validates the keys. Verify: set ttl_by_tier.internal: 900, store a tier-1 entry, and check its expires_at.
  • feat(policy): one canonical agent schema. talon validate previously used an embedded schema that had drifted from the documented schemas/agent.talon.schema.json. The embedded schema (now internal/policy/agent.talon.schema.json) is canonical and backfilled with all parsed sections (tool_policies, copaw, semantic_enrichment, session_limits, compliance.plan_review, extended rate/resource limits, destructive_patterns); schemas/agent.talon.schema.json is an exact synced copy enforced by a test.
  • feat(policy): unknown-key warnings on policy load. Misspelled or misplaced keys in agent.talon.yaml were silently ignored (e.g. policies.plan_review instead of compliance.plan_review). The loader now logs a structured warning naming the unknown field; loading still succeeds for backward compatibility. A test guards that all shipped examples and pack overlays are warning-free.
  • feat(schema): talon.config.schema.json now covers the full Go config surface — top-level fields (data_dir, secrets_key, signing_key, default_policy, max_attachment_mb, ollama_base_url, log_level, log_format), the cache block, and previously missing gateway fields (upstream_auth_mode, dashboard_listen, response_scanning, network_interception, tool/attachment governance, full caller overrides).
  • fix(policy): proxy compliance accepts data_residency: "eu". The proxy Rego only matched the literal "eu-only", so the "eu" token that talon init writes was silently unenforced. Both tokens now require EU upstream regions.
  • feat(otel): routing spans emit talon.routing.* attributes. llm.route/llm.graceful_route spans now carry talon.data.tier, talon.routing.sovereignty_mode, talon.provider.jurisdiction, talon.provider.region, talon.routing.rejected_count, and talon.routing.selection_reason (constants existed but were never emitted; the old non-namespaced data.tier key is replaced).
  • docs: model_routing.*.location documented as declarative. The field is informational; region enforcement comes from provider registry metadata + llm.routing.data_sovereignty_mode (and gateway egress rules). Documented defaults corrected: audit.retention_days (2555 when section omitted, not 90), attachment_handling.mode (permissive when omitted), memory defaults (max_entries 100, max_entry_size_kb 10, mode: active when enabled), action_on_detection value log_only (not log), and a new cache configuration reference section.

Fixed

  • fix(policy): compliance.plan_review.volume_threshold and mode were silently dropped on load. The YAML-facing policy.PlanReviewConfig lacked volume_threshold, so the documented volume-detection recipe never reached the runtime; the runner mapping also dropped mode. Both now flow through to plan review and talon intent classify.
  • fix(pack): EU AI Act overlay require_for_tier: "2" was a no-op. The parser accepts tier_0/tier_1/tier_2; the overlay now uses tier_2 so tier-based plan review actually triggers.
  • fix(schema): talon.config.schema.json caller field renamed from source_cidrs to source_ip_ranges to match what the gateway actually parses, and the gateway mode schema default corrected from shadow to enforce (the runtime default when mode is omitted).
  • docs: consistency fixes across config docs. Quickstart demo claimed data tier 3 (tiers are 0–2; confidential = 2); policy cookbook caller example used nonexistent api_key (now tenant_key); human_oversight examples used invalid on_demand (canonical: on-demand); the tool-class governance recipe documented a nonexistent policies.plan_review path with unimplemented fields (now shows compliance.plan_review + built-in class defaults); add-talon-to-existing-app copy-paste config was missing the required base_url for the enabled openai provider.

1.5.5 - 2026-06-01

Added

  • feat(evidence): signed export and offline file verification. Added talon audit export --format signed-json|signed-ndjson and talon audit verify --file <path> so operators and compliance teams can verify evidence integrity outside the running instance. This matters for GDPR/NIS2 handoffs where auditors request portable, tamper-evident artifacts. Verify quickly with talon audit export --format signed-json --output signed.json && talon audit verify --file signed.json.
  • feat(dashboard): persistent evidence integrity UX. Evidence rows now expose explicit integrity states (Verified, Invalid, Not checked, Unable to verify), with a persistent detail/signature block that shows signed fields and trust/spend context in one view. This makes integrity obvious to CTO/DPO users without requiring CLI-first workflows.
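An added Go example (not Talon's export or verify code) of what a portable, tamper-evident export looks like and why offline verification needs only the file and the signing key rather than a running instance. It assumes HMAC-SHA256 over a canonical JSON encoding of each record, a simplified record shape with the egress_decision section as an omitted-when-absent optional field, and a constructed key; the real signed-json layout and integrity spec fields are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// EvidenceRecord is a constructed, simplified record. Optional sections use omitempty so a
// record written before the section existed produces the same canonical bytes after an upgrade,
// which is what lets older records verify unchanged when an additive field is introduced.
type EvidenceRecord struct {
	ID             string          `json:"id"`
	TenantID       string          `json:"tenant_id"`
	Timestamp      string          `json:"timestamp"`
	Decision       string          `json:"decision"`
	EgressDecision *EgressDecision `json:"egress_decision,omitempty"`
}

// EgressDecision is the additive optional section, reduced to three fields for the example.
type EgressDecision struct {
	Tier     int    `json:"tier"`
	Region   string `json:"region"`
	Decision string `json:"decision"`
}

// SignedRecord is what the export file holds per record.
type SignedRecord struct {
	Record    EvidenceRecord `json:"record"`
	Signature string         `json:"signature"` // hex HMAC-SHA256 over the canonical record
}

// canonical renders the exact bytes the signature covers: struct fields serialize in
// declaration order and absent optional sections are dropped.
func canonical(r EvidenceRecord) ([]byte, error) { return json.Marshal(r) }

// Sign computes the MAC with the signing key (the real tool reads TALON_SIGNING_KEY;
// here the key is passed in).
func Sign(key []byte, r EvidenceRecord) (SignedRecord, error) {
	b, err := canonical(r)
	if err != nil {
		return SignedRecord{}, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(b)
	return SignedRecord{Record: r, Signature: hex.EncodeToString(mac.Sum(nil))}, nil
}

// Verify recomputes the MAC and compares in constant time.
func Verify(key []byte, s SignedRecord) bool {
	b, err := canonical(s.Record)
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(s.Signature)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(b)
	return hmac.Equal(mac.Sum(nil), want)
}

// ExportSignedJSON produces the portable artifact handed to an auditor.
func ExportSignedJSON(key []byte, recs []EvidenceRecord) ([]byte, error) {
	out := make([]SignedRecord, 0, len(recs))
	for _, r := range recs {
		s, err := Sign(key, r)
		if err != nil {
			return nil, err
		}
		out = append(out, s)
	}
	return json.MarshalIndent(out, "", "  ")
}

// VerifyExport is the offline check: file bytes plus key in, counts of verified and invalid records out.
func VerifyExport(key []byte, file []byte) (ok, bad int, err error) {
	var recs []SignedRecord
	if err := json.Unmarshal(file, &recs); err != nil {
		return 0, 0, err
	}
	for _, s := range recs {
		if Verify(key, s) {
			ok++
		} else {
			bad++
		}
	}
	return ok, bad, nil
}

// SampleRecords is constructed data: one record without and one with the optional section.
func SampleRecords() []EvidenceRecord {
	return []EvidenceRecord{
		{ID: "rec-0001", TenantID: "tenant-a", Timestamp: "2026-06-01T10:00:00Z", Decision: "allow"},
		{ID: "rec-0002", TenantID: "tenant-a", Timestamp: "2026-06-01T10:00:05Z", Decision: "deny",
			EgressDecision: &EgressDecision{Tier: 2, Region: "US", Decision: "deny"}},
	}
}

func main() {
	key := []byte("example-signing-key-not-for-production") // constructed
	file, err := ExportSignedJSON(key, SampleRecords())
	if err != nil {
		panic(err)
	}
	ok, bad, _ := VerifyExport(key, file)
	fmt.Printf("verified=%d invalid=%d\n", ok, bad)
	// Editing one signed field in the file must make that record fail verification.
	tampered := bytes.Replace(file, []byte(`"decision": "allow"`), []byte(`"decision": "deny"`), 1)
	ok, bad, _ = VerifyExport(key, tampered)
	fmt.Printf("after tamper: verified=%d invalid=%d\n", ok, bad)
}
```

Because the signature is over the canonical record and not over the file, an auditor can re-run the check on any copy of the export, and a record that a reporting tool has reformatted still verifies as long as its field values are intact.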

Docs

  • docs(evidence): add 5-minute tamper-proof demo and signed export runbook updates. Added docs/evidence-integrity-demo.md, updated the 60-second demo and compliance export runbook to distinguish reduced reporting exports from signed integrity exports, and documented /v1/evidence/{id}/verify response shape in the evidence store reference.

1.5.0 - 2026-06-01

Added

  • feat(serve): OpenAI-compatible quickstart proxy mode. Added talon serve --proxy-quickstart for dev/local host-root compatibility (POST /v1/chat/completions, POST /v1/responses) without gateway YAML, while keeping policy, PII redaction, and evidence active.
  • feat(gateway): upstream auth mode support for quickstart. Added provider upstream_auth_mode (secret default, client_bearer quickstart path) with client bearer forwarding, OPENAI_API_KEY fallback, and explicit 401 when no upstream key is available.
  • feat(evidence): quickstart upstream auth metadata. Evidence records now include additive fields upstream_auth_mode, upstream_key_source, upstream_key_fingerprint, and gateway_annotations (backward compatible with existing records).
  • feat(metrics): periodic reconciliation loop and status telemetry. Added bounded/idempotent collector reconciliation (ReconcileFromStore + loop), OTel reconcile metrics, and /v1/status fields for reconcile runs/recovered events/errors.
  • feat(server): consolidated SSOT gate suite. Added internal/server/ssot_gate_test.go plus make test-ssot-gate and wired it into make check as an explicit release gate.
  • feat(events): sanitized reasons[] on operational events. /api/v1/events/recent and /api/v1/events/stream now include deterministic, deduped, length-bounded reasons[] derived from policy decision reasons, explanation reasons, and execution errors. This improves operator context without exposing raw payloads. Verify quickly with curl -s -H "X-Talon-Admin-Key: $TALON_ADMIN_KEY" "http://localhost:8080/api/v1/events/recent?limit=1" | jq '.events[0].reasons'.

Changed

  • change(server): dev-mode route relocation under quickstart. When --proxy-quickstart is enabled, host-root OpenAI-compatible paths are handled by the quickstart facade. Tenant agent chat is available at POST /v1/agents/chat/completions only when the operator has configured real tenant keys; in default quickstart (no tenant keys), that route is not mounted and returns 404 Not Found to preserve a strict facade-only boundary.
  • change(serve): quickstart no longer registers a synthetic tenant key. Quickstart mode is strictly a host-root OpenAI-compatibility facade; it will not silently unlock tenant APIs. When tenant keys are configured, the relocated tenant endpoint sits behind standard tenant-auth middleware and returns 401 Unauthorized without a valid key.
  • change(serve): --gateway-config exclusivity check uses explicit flag set. --proxy-quickstart is rejected alongside --gateway or any explicitly passed --gateway-config, detected via cobra.Flags().Changed rather than the default string value.
  • change(gateway): quickstart unsafe-listen signal threaded via config. The quickstart_unsafe_listen evidence annotation is driven by GatewayConfig.QuickstartUnsafeListen, populated from --unsafe-listen through QuickstartOptions, instead of a process environment variable.
  • change(events/metrics): evidence-first projection parity hardening. Operational event reason fields now prefer deterministic explanation payloads, evidence/event ordering is stabilized on timestamp DESC, id DESC, and metrics conversion is unified through evidence-driven projection paths for stronger CLI/API/dashboard parity.
  • change(dashboard/cli): reliability signals surfaced in routine flows. Dashboard and gateway pages now expose degraded/reliability warning chips, and talon metrics / talon events tail print preflight warnings when /v1/status reports degradation.
  • change(observability/events): SSOT scope contract locked. /api/v1/metrics is documented as all-activity (gateway and agent-run evidence-backed runtime), and /api/v1/events/* is documented as one event per persisted evidence row, including terminal outcomes plus evidence-backed lifecycle subset records (plan_review, graph runtime). Endpoint shapes remain backward-compatible.
  • change(metrics/evidence): pragmatic SSOT live-feed unification. Dashboard live metrics are now fed from evidence.Store.Store() post-commit observer notifications (all invocation types), while periodic reconciliation remains bounded/idempotent repair. Degraded evidence-write signaling is centralized in the evidence store path, and production serve wiring no longer double-emits via direct gateway metrics recorder attachment.

Fixed

  • fix(session): auto-migrate legacy sessions schema on startup. Session store initialization now adds missing max_cost and reasoning columns when older SQLite tables are detected, preventing run/session creation failures on upgraded installs. Verify with go test ./internal/session -run MigratesLegacySessionsTable.
  • fix(agent): preserve audit trail on evidence write failures. Runner paths that previously ignored evidence/step write errors now log structured failures (correlation_id, tenant_id, agent_id) so silent audit-loss conditions are observable during denied, dry-run, cached, and tool-step flows.
  • fix(memory): redact low-risk PII before memory governance checks. Memory observations now sanitize person/location entities before validation, allowing safe useful memories while sensitive PII still fails closed under governance policy.
  • fix(events): expand stream reliability telemetry. Event stream handling now increments disconnect and backlog-drop counters (in addition to gap/replay signals) and exposes them in status output for faster operator diagnosis.
  • fix(gateway/metrics): no metrics emission without persisted evidence. Gateway collector events are now emitted only after successful evidence persistence, preventing runtime telemetry drift when evidence writes fail.
  • fix(metrics): surface collector backpressure drops. Collector channel overflow drops now increment dropped_events, emit OTel counter talon.metrics.events_dropped.total, and appear in /v1/status as metrics_events_dropped.

1.4.6 - 2026-04-14

Added

  • feat(explanation): deterministic explanation normalization. Added canonical normalization for deterministic policy explanation tokens so equivalent outcomes converge to stable, reusable phrasing across runs and audit surfaces. This helps operators compare evidence reliably and reduces explanation drift in dashboards and tests. Verify quickly with go test ./internal/....

Fixed

  • fix(explanation): stage taxonomy and token collapse consistency. Aligned explanation stage taxonomy (including MCP PII semantics) and fixed edge cases where fully-collapsed tokens were not returned as a single deduplicated canonical token. This improves consistency between policy decisions and rendered explanations.

  • fix(gateway): canonical explanation stage propagation. Gateway explanation output now uses the canonical explanation stage instead of pipeline-stage values, preventing mismatched stage labels in downstream evidence and UI surfaces.

  • fix(graphadapter): preserve graph evidence identity fields. Graph adapter run evidence now retains session and model fields on graph execution paths, improving traceability for stateful graph runs and downstream audit analysis.

Docs

  • docs(quickstart): add verification snippet. Quickstart now includes an explicit verification snippet so operators can validate a governed setup immediately after onboarding with less ambiguity.

1.4.5 - 2026-04-12

Added

  • feat(graphadapter): graph runtime governance control plane. Added graph-aware governance execution with event-aware policy checks, lineage-aware evidence hooks, and integration points for LangChain/LangGraph stateful flows. Operators and framework integrators get first-class graph execution visibility while preserving existing run governance semantics. Verify quickly with tests/smoke_sections/30_graph_events.sh and go test ./tests/integration -run Graph.

  • feat(policy): graph governance Rego policies and tests. Added dedicated graph governance policy modules and policy tests to enforce graph-specific constraints and deny handling at runtime, including deterministic explanation rendering for governance outcomes.

  • docs(integration): LangChain/LangGraph integration guide and examples. Added end-to-end integration docs and runnable examples under examples/langchain-integration/ to demonstrate stateless and stateful adapter usage patterns with Talon governance.

Fixed

  • fix(graphadapter): tenant binding and denial propagation hardening. Tightened tenant binding checks, stabilized run-end denial handling, and improved evidence consistency under denied branches and error paths.

  • fix(graphadapter): concurrency and lint hardening. Addressed run-state race conditions, aligned request construction with context-aware patterns, and added regression tests for concurrent denial tracking and retry guardrails.

Test

  • test(graphadapter): full graph governance test pyramid. Added broad unit, handler, policy, integration, and smoke coverage for graph event execution and governance decisions, reducing regression risk for graph-enabled agent pipelines.

1.4.0 - 2026-03-31

Added

  • feat(agent): operational control plane. Run lifecycle state machine (QUEUED → RUNNING → COMPLETED|FAILED|TERMINATED|BLOCKED|DENIED) with structured failure taxonomy (cost_exceeded, llm_error, tool_timeout, policy_deny, operator_kill, etc.) in evidence records. New admin API surfaces: GET /v1/runs (list active), POST /v1/runs/{id}/kill (terminate), POST /v1/runs/kill-all?tenant_id=X (tenant-wide kill), POST /v1/runs/{id}/pause / resume (mid-execution pause). Operator overrides: POST /v1/overrides/{tenant_id}/lockdown (reject all new runs + kill active), dynamic tool disable (/v1/overrides/{tenant_id}/tools/disable), runtime policy tightening (/v1/overrides/{tenant_id}/policy). Pre-tool approval gates: tools listed in resource_limits.require_approval pause for human decision via POST /v1/tool-approvals/{id}/decide (5 min default timeout). Single-shot cost check catches expensive LLM calls that exceed per-request budget. Per-run tool failure escalation auto-disables tools after 3 consecutive failures. All new endpoints are admin-only (X-Talon-Admin-Key). See Operational control plane reference.

  • feat(agent): input prompt PII redaction. New redact_input / redact_output fields in data_classification config give granular control over when PII is redacted from prompt (before LLM) and response (before returning). The legacy redact_pii field is preserved as a shorthand that defaults both. Evidence now includes input_pii_redacted for audit. Schema, template, init merge, smoke test (section 26), and PII enrichment quality test updated.

  • feat(classifier): PII semantic enrichment. Optional semantic attributes on PII placeholders: PERSON → gender (from title/honorific), LOCATION → scope (city/region/country). Canonical entity model and adapter from current detector; built-in enricher; Rego policy semantic_enrichment.rego (mode off/shadow/enforce, allowed_attributes). Placeholder renderer: legacy [TYPE] or XML-style <PII type="..." id="..." .../>. Config: policies.semantic_enrichment (enabled, mode, confidence_threshold, allowed_attributes). Metrics: talon.pii.enrichment.attempts.total, talon.pii.enrichment.attributes.emitted.total, talon.pii.enrichment.fallback_unknown.total. Smoke section 26 (5+5 runs with enrichment off/enforce). Docs: PII semantic enrichment reference, policy cookbook snippet, Presidio migration note.

  • feat(evidence): deterministic policy explanations. Policy explanation rendering is now deterministic across evidence generation and surfaces, reducing ordering drift and making repeated runs easier to compare in audits and tests.

  • chore(legal): add LICENSE file. Repository now includes a root LICENSE file for explicit distribution terms.

Fixed

  • fix(security): governance hardening. Governance pipeline checks were tightened based on adversarial audit findings to reduce bypass risk under hostile or malformed inputs.

Changed

  • fix(readme): improve trust signals. Status and metadata links now render as badge images; the previous "Trust Signals" text block was removed for a more scannable project header.

Test

  • test(classifier): enrichment quality comparison script. Added a dedicated semantic enrichment quality comparison script to support repeatable validation of enrichment behavior.

1.3.0 - 2026-03-18

Added

  • feat(dashboard): Mission Control UX. Governance and Gateway dashboards unified under a shared Mission Control layout with consistent 3-band information architecture, new widgets (posture, interventions, fleet risk, drift/PII signals), session timeline and compliance report preview panels (#35).
  • feat(agent): intent governance tooling. New talon intent CLI (classify/classes) backed by internal/agent/intent.go infers operation class, risk, and bulk signals from tool names and JSON params to determine plan review requirements (#36).
  • feat(agent): tool safety gaps T7, T8, T9. T7: per-tool max_row_count and require_dry_run with Rego deny and pre-execution row count guard; T8: IdempotencyStore (SQLite) deduplicates tool calls by (agent_id, correlation_id, tool_name, argument_hash) with pending/completed lifecycle; T9: forbidden_argument_values in ToolPIIPolicy with Rego deny for specific argument values (e.g. mode=overwrite). Session governance Rego (cost, max_candidates, max_judge_calls), session store, evidence session/stage fields, tool registry schema validation (#37).
  • feat(agent): tool_governance idempotency config. New tool_governance policy section for per-tool idempotency: scope (request_id/session_id), cache_ttl, duplicate handling (return_cached/fail), strict_mode. Runner applies idempotency only to listed tools; keys use correlation_id or session_id; cached results stored after PII redaction. IdempotencyStore supports TTL-based expiration (#38).
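The idempotency lifecycle described in the T8 and tool_governance entries above, as an added Go example that is not the project's IdempotencyStore: an in-memory store keyed by (agent_id, correlation_id, tool_name, argument_hash) with pending/completed states, TTL expiry, return_cached/fail duplicate handling, and a Fail path that releases a claim so a retry can execute. The Outcome values, the in-memory backing, the injectable clock and the sample call are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// IdemKey is the dedupe key: (agent_id, correlation_id, tool_name, argument_hash).
type IdemKey struct {
	AgentID       string
	CorrelationID string
	ToolName      string
	ArgumentHash  string
}

// HashArguments canonicalizes tool arguments (encoding/json sorts map keys) and hashes them,
// so the same logical call yields the same key regardless of argument order.
func HashArguments(args map[string]any) (string, error) {
	b, err := json.Marshal(args)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// Outcome tells the runner what to do with a tool call.
type Outcome string

const (
	OutcomeExecute   Outcome = "execute"   // no live entry: run the tool and claim the key
	OutcomePending   Outcome = "pending"   // same call still running: do not execute again
	OutcomeCached    Outcome = "cached"    // completed within TTL: return the stored result
	OutcomeDuplicate Outcome = "duplicate" // completed within TTL and duplicate handling is "fail"
)

type entry struct {
	completed bool
	result    string
	expires   time.Time
}

// IdempotencyStore is an in-memory stand-in for the SQLite store (constructed for the example).
type IdempotencyStore struct {
	mu          sync.Mutex
	ttl         time.Duration
	onDuplicate string // "return_cached" or "fail"
	now         func() time.Time
	entries     map[IdemKey]*entry
}

func NewIdempotencyStore(ttl time.Duration, onDuplicate string, now func() time.Time) *IdempotencyStore {
	return &IdempotencyStore{ttl: ttl, onDuplicate: onDuplicate, now: now, entries: map[IdemKey]*entry{}}
}

// Begin claims the key under one lock. It is the single decision point, so a retry arriving
// while the first attempt is still pending is never executed a second time.
func (s *IdempotencyStore) Begin(k IdemKey) (Outcome, string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	if e, ok := s.entries[k]; ok && now.Before(e.expires) {
		if !e.completed {
			return OutcomePending, ""
		}
		if s.onDuplicate == "fail" {
			return OutcomeDuplicate, ""
		}
		return OutcomeCached, e.result
	}
	s.entries[k] = &entry{expires: now.Add(s.ttl)} // pending claim, expires if never completed
	return OutcomeExecute, ""
}

// Complete stores the result. The caller redacts PII first, so only redacted text is ever cached.
func (s *IdempotencyStore) Complete(k IdemKey, redactedResult string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if e, ok := s.entries[k]; ok {
		e.completed = true
		e.result = redactedResult
		e.expires = s.now().Add(s.ttl)
	}
}

// Fail drops a pending claim so a later retry can execute the tool.
func (s *IdempotencyStore) Fail(k IdemKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.entries, k)
}

func main() {
	clock := time.Date(2026, 6, 1, 12, 0, 0, 0, time.UTC)
	store := NewIdempotencyStore(15*time.Minute, "return_cached", func() time.Time { return clock })
	h, _ := HashArguments(map[string]any{"to": "alice@example.com", "mode": "append"}) // constructed args
	k := IdemKey{AgentID: "mailer", CorrelationID: "corr-42", ToolName: "send_email", ArgumentHash: h}

	out, _ := store.Begin(k)
	fmt.Println(out) // execute
	out, _ = store.Begin(k)
	fmt.Println(out) // pending: the retry must not send a second email
	store.Complete(k, "sent to [EMAIL]") // stored after PII redaction
	out, res := store.Begin(k)
	fmt.Println(out, res) // cached sent to [EMAIL]
	clock = clock.Add(16 * time.Minute)
	out, _ = store.Begin(k)
	fmt.Println(out) // execute: TTL expired
}
```

Keeping the pending state explicit is what prevents the double-execution the 1.3.0 fix entry describes: without it, a retry that arrives before the first call completes sees no cached result and would run the non-idempotent tool again.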

Fixed

  • fix(agent): Idempotency cache now stores PII-scanned results and handles pending status explicitly so cached results are redacted and non-idempotent tools are not double-executed on retry (#37).

Changed

  • chore(build): Go bumped to 1.25.8 for stdlib vulnerability fixes (govulncheck: GO-2026-4603, GO-2026-4602, GO-2026-4601).
  • feat(init): Pack validation derived from pack.ValidPackIDs(), additional industry packs in wizard, dedicated langchain/generic agent templates (#36).
  • docs: Policy cookbook update_records hardening example; talon intent output fields (#36, #37).

1.2.0 - 2026-03-13

Added

  • feat(evidence): session_id in export and API. Evidence records and audit export (CSV, JSON, NDJSON) now include session_id for lifecycle session correlation. Plan-gated runs and their auto-dispatch share the same session; export and GET /v1/evidence/{id} include it when present.

Fixed

  • fix(smoke): Section 24 plan-dispatch: accept HTTP 202 for plan_pending (human_oversight); use section-local response file and admin key for evidence read when serve runs without gateway; relax rate limit (requests_per_minute=300) to avoid OPA deny from shared evidence DB; capture plan execute stderr and dispatch evidence session_id diagnostics on failure.

Changed

  • docs: Evidence store: document session_id, fix HMAC key (TALON_SIGNING_KEY), retention in agent.talon.yaml, CSV/export columns. Auth: note that serve without --gateway has no tenant keys (admin key only). Agent planning: plan stores session_id, dispatcher reuses it. Compliance export runbook and config reference (TALON_ADMIN_KEY) updated.

1.1.0 - 2026-03-09

Added

  • feat(cache): governed semantic cache. Optional semantic cache for LLM requests: SQLite store, BM25 embedder, PII scrubber, OPA policy (internal/cache, cache.rego). Config section cache (disabled by default), wizard and doctor support, init templates. Integration in agent runner and gateway (lookup/store, policy, evidence). Evidence: CacheHit, CacheEntryID, CacheSimilarity, CostSaved; CacheEvent for erasure. CLI: talon cache config|stats|list|erase; talon audit, talon costs, talon report show cache savings. Docs: cache vs memory, policy cookbook, config reference; smoke test section for cache.

  • ci: CodeQL workflow. .github/workflows/codeql.yml for Go analysis with advanced config; .github/codeql-config.yml to exclude go/weak-sensitive-data-hashing (SHA-2 used for cache key derivation, not secrets).

Fixed

  • fix(cache): Record actual similarity score in evidence instead of threshold; centralize cache key derivation in cache.DeriveEntryKey; gateway uses config-derived tenant ID for cache key (CodeQL taint); remove dead code and clarify cache key hashing docs.
  • fix(server): HEAD support for dashboard so curl -I returns 200 (health checks / smoke tests).
  • fix(cmd): Cache prompt (y/N) to match default n and readLine [n].
  • fix(lint): Resolve golangci-lint gosec and noctx (agent postBudgetAlert ctx, enforce path validation, mounts/retention nolint, gateway tests with NewRequestWithContext); gofmt gateway.go, noctx in otel chi_test and MCP tests.

Changed

  • ci: Coverage threshold lowered to 65%; enforce.go nolint G703 for validated path; response_pii_test noctx.
  • docs(gateway): Clarify cacheKeyHash is cache lookup, not password hashing (CodeQL).

1.0.0 - 2026-03-06

Added

  • feat(docs): self-adoption overhaul (Gates 1–5). README hero shows talon audit list with blocked tool + blocked PII; one-line mechanism and inline 60-second demo. "What it stops" replaces "Why Talon?" with four failure-first bullets (LiteLLM, CloakLLM, DIY proxy). QUICKSTART simplified to 3-path job-to-be-done (existing app / new agent / understand first). New guide Add Talon to your existing app (Gate 4, first real request). Quickstart-demo: "What you just proved", "Now wire this to your app" (Python/Node/curl), "You're done". "You're done" + next-steps table added to all guides. New comment-playbook (internal Reddit/HN templates) and Why not just a PII proxy?. Docs index updated; P8 buzzwords removed from reader-facing copy.

Changed

  • chore(build): make test and make test-e2e now run with -count=1 so the test cache is disabled and results are always fresh.

0.9.5 - 2026-03-04

Added

  • feat(copaw): CoPaw integration. Govern CoPaw (AgentScope/Alibaba DAMO personal AI assistant) via Talon's LLM API gateway. One URL change in CoPaw (Base URL → Talon, API Key → caller key) routes all LLM traffic through Talon for PII scanning, cost limits, and audit. New init pack talon init --pack copaw, caller copaw-main / talon-gw-copaw-001, DashScope support in wizard, CoPaw dashboard tab and /v1/copaw/stats, /v1/copaw/alerts API, OTel span attributes copaw.caller and copaw.channel, MCP-to-CoPaw skill bridge (internal/copaw/bridge.go), memory governor (internal/copaw/memory_governor.go), Rego policy copaw_skills.rego and .talon.yaml copaw.skills schema. Docs: CoPaw integration guide, Docker primer, examples/copaw. Design doc: internal_docs/copaw_integration_design_doc.md.

Fixed

  • fix(copaw): /v1/copaw/alerts now returns "alerts": [] instead of "alerts": null when no matching evidence records are found, consistent with the no-store path and clients expecting an array.

0.9.2 - 2026-03-03

Added

  • feat(init): zero-config init wizard. In a terminal, talon init runs an interactive wizard: choose workload type (agent/proxy), framework pack (OpenClaw, generic, etc.), primary LLM provider, region (if applicable), data residency (EU strict / preferred / global), and compliance features (PII, audit, cost, injection, EU AI Act, DORA). Non-interactive options: talon init --scaffold for quick defaults, talon init --pack <id> for starter packs, or scripted talon init --provider openai --name my-agent with optional --data-sovereignty, --features. New list commands: --list-providers, --list-packs, --list-features. When stdin is not a TTY, init prints guidance instead of running the wizard. Pack and feature registries (internal/pack, internal/feature) drive wizard choices; post-init verification reuses talon doctor; next steps are vault-first (TALON_SECRETS_KEY then talon secrets set).

Fixed

  • fix(init): gosec nolint for init wizard (G705/G703/G115 false positives). Unit tests added for coverage ≥70% (packName, providerName, dataResidencyLabel, readLine, readChoice, BuildConfigs branches, marshalWithHeader, WriteConfigs, PostInitVerify, runList*).

Changed

  • docs: All user-facing docs updated for init wizard (README, QUICKSTART, configuration reference, first-governed-agent tutorial, persona guides, OpenClaw guides, provider-registry, ADOPTION_SCENARIOS, ROADMAP).

0.9.1 - 2026-03-02

Changed

  • Version bump to 0.9.1.

0.9.0 - 2026-02-27

Added

  • feat(community): implement PROMPT_10 launch track and quality track. Full community adoption plan build-out with a launch-first approach — 36 new files across docs, examples, schemas, deploy templates, and community governance.

Launch Track (demo-first for HN virality)

  • Mock OpenAI provider (examples/docker-compose/mock-provider/main.go): Standalone server with streaming + non-streaming support, realistic token counts, canned PII-triggering responses. No API key needed.
  • Docker Compose demo stack (examples/docker-compose/): docker compose up starts Talon + mock provider. 60-second demo from clone to evidence record.
  • README hero rewrite: Terminal output of talon audit list is now the first visible content. Proxy-as-hook framing, Flow 0 commands, CI/license badges. Compliance language moved below the fold.
  • Show HN post updated (internal_docs/show-hn.md): Reframed around "intercept all AI API calls with one URL change" narrative.
  • Request lifecycle doc (docs/what-talon-does-to-your-request.md): 10-step gateway pipeline breakdown, latency budget table (<15ms overhead), "What Talon Does NOT Do" section, streaming behavior, source code pointers.
  • Verification scripts: scripts/verify-flow0.sh (automated end-to-end Flow 0 test) and scripts/demo-recorder.sh (generates 10 varied evidence records for screenshots/GIFs).

Quality Track (examples, docs, governance)

  • examples/gateway-minimal/: Smallest working LLM gateway config with run.sh and README.
  • examples/mcp-proxy-minimal/: Smallest working MCP proxy config with tool filtering.
  • examples/plan-review/: Human-in-the-loop demo for EU AI Act Article 14 compliance.
  • examples/policies/: Starter OPA/Rego library — cost-budget, pii-block, model-allowlist, data-residency.
  • docs/evidence-store.md: HMAC signing, progressive disclosure, storage, export, compliance mapping.
  • docs/quickstart-demo.md: Flow 0 tutorial (no API key, Docker Compose).
  • schemas/: JSON Schema for talon.config.yaml and agent.talon.yaml — enables editor autocomplete and CI validation.
  • deploy/: systemd unit file (hardened, non-root) and production docker-compose (Talon + PostgreSQL + OTel Collector).
  • Community files: CODE_OF_CONDUCT.md (Contributor Covenant v2.1), MAINTAINERS.md, ROADMAP.md, .github/CODEOWNERS.
  • Makefile targets: demo-gateway, demo-full, demo-clean, verify-flow0.
  • docs/README.md: Updated index with all new tutorials, explanations, examples, and policy reference.

0.8.14 - 2026-02-26

Added

  • feat(audit): show tool governance in talon audit show. Gateway evidence records now display a "Tool Governance (gateway)" section with Requested, Filtered, and Forwarded tool names when the request included a tools array, so operators can verify which tools were stripped by forbidden_tools before the LLM saw them.
  • docs(gateway): Added gateway-default-policy-tool-governance-snippet.yaml in the OpenClaw primer for pasting forbidden_tools and tool_policy_action into talon.config.yaml.

Fixed

  • fix(gateway): persist tool governance when any of requested/filtered/forwarded is non-empty. Previously RecordGatewayEvidence only set tool_governance when ToolsRequested had length; it now persists whenever any of the three slices is non-empty.

Test

  • test(gateway): TestRecordGatewayEvidence_ToolGovernanceRoundTrip ensures tool governance is stored and returned by Get() (same path as talon audit show).

0.8.13 - 2026-02-26

(No notable changes in this release.)

0.8.12 - 2026-02-26

Added

  • feat(gateway): attachment scanning for base64-encoded file blocks (#23). The gateway now detects base64-encoded file blocks in OpenAI (Chat Completions file/image_url + Responses API input_file) and Anthropic (document/image with source.type: "base64") requests. Text is extracted from supported formats (PDF, TXT, CSV, HTML), scanned for PII and prompt injection, and governed by a new attachment_policy with four actions: allow, warn (default — log findings, forward unchanged), strip (remove file blocks before forwarding), block (reject request with HTTP 400). Per-caller overrides via policy_overrides.attachment_policy. Images are logged for evidence but skip text-based scanning.
  • feat(gateway): enforce PII actions on streaming responses. handleStreamingPIIScan now buffers the SSE stream, scans the completed content, and either forwards as-is (warn), rewrites the SSE payload with redacted content (redact), or returns HTTP 451 (block). Default response_pii_action is warn.
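
Worked example for the attachment scanning entry above. It is added here and is not Talon's code: `inlineSource` and `govern` are constructed names, the single email rule stands in for the PII and injection scanners, and text extraction covers only text/plain and text/csv (the PDF and HTML extraction the entry mentions is omitted). The demo assumes that `strip` removes every inline block it located, images included, that `block` rejects any request carrying one, and that unreadable base64 is rejected rather than forwarded unscanned; the entry itself does not spell out those three points.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed single-rule detector for the demo; the gateway's rule sets are larger.
var emailRE = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

// inlineSource returns the data URI a content block carries ("" if none): OpenAI keeps
// it in file.file_data or image_url.url, Anthropic in source{type:"base64",media_type,data}.
func inlineSource(typ string, blk map[string]json.RawMessage) string {
	switch typ {
	case "file":
		var f struct{ FileData string `json:"file_data"` }
		_ = json.Unmarshal(blk["file"], &f)
		return f.FileData
	case "image_url":
		var u struct{ URL string `json:"url"` }
		_ = json.Unmarshal(blk["image_url"], &u)
		return u.URL // may be a remote https URL; govern only treats data: URIs as inline
	case "document", "image":
		var s struct {
			Type      string `json:"type"`
			MediaType string `json:"media_type"`
			Data      string `json:"data"`
		}
		_ = json.Unmarshal(blk["source"], &s)
		if s.Type == "base64" {
			return "data:" + s.MediaType + ";base64," + s.Data
		}
	}
	return ""
}

// govern locates inline attachments in messages[].content[], scans text from the plain
// formats this demo supports (text/plain, text/csv) and applies the attachment_policy
// action (demo assumptions: strip drops every located block, block rejects any request
// that carries one, unreadable base64 is rejected rather than forwarded unscanned).
func govern(body []byte, action string) (out []byte, status int, findings []string, err error) {
	var req map[string]json.RawMessage
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, 400, nil, err
	}
	var msgs []map[string]json.RawMessage
	if err := json.Unmarshal(req["messages"], &msgs); err != nil {
		return nil, 400, nil, fmt.Errorf("messages: %w", err)
	}
	located := 0
	for mi, m := range msgs {
		var blocks []map[string]json.RawMessage
		if json.Unmarshal(m["content"], &blocks) != nil {
			continue // plain string content carries no attachments
		}
		kept := blocks[:0]
		for bi, blk := range blocks {
			var typ string
			_ = json.Unmarshal(blk["type"], &typ)
			uri := inlineSource(typ, blk)
			if !strings.HasPrefix(uri, "data:") {
				kept = append(kept, blk) // text block or remote URL: always forwarded
				continue
			}
			located++
			meta, payload, _ := strings.Cut(strings.TrimPrefix(uri, "data:"), ",")
			data, err := base64.StdEncoding.DecodeString(payload)
			if err != nil || !strings.HasSuffix(meta, ";base64") {
				return nil, 400, findings, fmt.Errorf("message %d block %d: not a readable base64 data URI", mi, bi)
			}
			mt := strings.ToLower(strings.SplitN(meta, ";", 2)[0])
			isImage := typ == "image" || typ == "image_url" // logged for evidence, never text-scanned
			if !isImage && (mt == "text/plain" || mt == "text/csv") && emailRE.Match(data) {
				findings = append(findings, fmt.Sprintf("EMAIL in message %d block %d (%s)", mi, bi, mt))
			}
			if action != "strip" {
				kept = append(kept, blk)
			}
		}
		m["content"], _ = json.Marshal(kept)
	}
	switch {
	case located == 0 || action == "allow" || action == "warn":
		return body, 200, findings, nil // warn: findings go to evidence, body forwarded unchanged
	case action == "block":
		return []byte(`{"error":"inline attachments rejected by attachment_policy"}`), 400, findings, nil
	case action == "strip":
		req["messages"], _ = json.Marshal(msgs)
		out, err = json.Marshal(req)
		return out, 200, findings, err
	}
	return nil, 500, findings, fmt.Errorf("unknown attachment_policy action %q", action)
}

func main() {
	csv := base64.StdEncoding.EncodeToString([]byte("name,email\nEve,eve@example.com\n")) // constructed
	body := `{"messages":[{"role":"user","content":[{"type":"file","file":{"filename":"u.csv","file_data":"data:text/csv;base64,` + csv + `"}}]}]}`
	out, status, findings, err := govern([]byte(body), "strip")
	fmt.Println(status, findings, err, string(out))
}
```

Image blocks are counted and, under `strip`, removed, but never decoded into text, which matches the entry's "logged for evidence but skip text-based scanning". The multi-turn string-content tolerance the test entry mentions falls out of the `json.Unmarshal(m["content"], &blocks)` check: a string content simply has no blocks to inspect.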

Changed

  • refactor(gateway): decompose openclaw_incident_test.go by testing pyramid. The 1134-line monolith is now split into layered test files: gateway_test_helpers_test.go, response_pii_test.go, extract_test.go, forward_test.go, gateway_integration_test.go, responses_api_test.go, evidence_test.go.

Test

  • test(gateway): Extensive attachment scanning coverage: multi-file requests, size/type enforcement, Responses API input_file, Anthropic base64 document/image blocks, multi-turn string content tolerance, corrupt/empty/unsupported formats, warn/strip/block/allow modes, per-caller override propagation, and full gateway integration tests.
  • test(attachment): PDF extraction tests with buildTestPDF helper generating valid PDFs; ExtractBytesWithLimit override tests.
  • test(gateway): Streaming response PII tests covering warn/redact/block behaviours with real SSE format.

0.8.11 - 2026-02-26

Fixed

  • fix(gateway): streaming response PII scanning no longer breaks SSE clients. The v0.8.10 approach of forcing stream:false on upstream requests caused OpenClaw (and any SSE-expecting client) to hang — it received a plain JSON response but was waiting for SSE events. The gateway now buffers the full SSE stream from the upstream, extracts the completed response from the response.completed event (Responses API) or delta accumulation (Chat Completions), scans for PII, and either forwards the original buffered events (no PII) or returns a redacted response wrapped in valid SSE format. Streaming is preserved when PII action is allow.
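
Worked example for the buffered-stream approach in this entry and the warn/redact/block actions from 0.8.12 above. It is added here and is not Talon's code: `accumulateChatStream` and `governStream` are constructed names, the single email rule stands in for the real classifier, and the Chat Completions SSE stream is made up, with the address deliberately split across two delta events so that scanning chunk by chunk would miss it.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed single-pattern detector for the demo.
var emailRE = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

// sampleStream is a constructed Chat Completions SSE stream. The address is split
// across two delta events, so per-chunk scanning would not see a complete match.
const sampleStream = "data: {\"id\":\"chatcmpl-demo\",\"object\":\"chat.completion.chunk\",\"choices\":[{\"index\":0,\"delta\":{\"role\":\"assistant\",\"content\":\"\"}}]}\n\n" +
	"data: {\"id\":\"chatcmpl-demo\",\"object\":\"chat.completion.chunk\",\"choices\":[{\"index\":0,\"delta\":{\"content\":\"Write to bob@exam\"}}]}\n\n" +
	"data: {\"id\":\"chatcmpl-demo\",\"object\":\"chat.completion.chunk\",\"choices\":[{\"index\":0,\"delta\":{\"content\":\"ple.com today\"}}]}\n\n" +
	"data: {\"id\":\"chatcmpl-demo\",\"object\":\"chat.completion.chunk\",\"choices\":[{\"index\":0,\"delta\":{},\"finish_reason\":\"stop\"}]}\n\n" +
	"data: [DONE]\n\n"

// chatChunk is the subset of a streaming chunk needed to rebuild the text.
type chatChunk struct {
	Choices []struct {
		Delta struct {
			Content string `json:"content"`
		} `json:"delta"`
	} `json:"choices"`
}

// accumulateChatStream reads a fully buffered SSE stream and concatenates the
// choices[].delta.content fragments into the completed assistant text.
func accumulateChatStream(raw []byte) (string, error) {
	var text strings.Builder
	sc := bufio.NewScanner(bytes.NewReader(raw))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "data: ") {
			continue // blank separators, comments and event: lines carry no content
		}
		payload := strings.TrimPrefix(line, "data: ")
		if payload == "[DONE]" {
			break
		}
		var c chatChunk
		if err := json.Unmarshal([]byte(payload), &c); err != nil {
			return "", fmt.Errorf("malformed chunk %q: %w", payload, err)
		}
		for _, ch := range c.Choices {
			text.WriteString(ch.Delta.Content)
		}
	}
	return text.String(), sc.Err()
}

// governStream scans the completed text of a buffered stream and applies the
// response PII action. It returns the bytes to send to the client, the HTTP
// status, and the disposition that would be recorded in evidence.
func governStream(raw []byte, action string) (out []byte, status int, disposition string, err error) {
	text, err := accumulateChatStream(raw)
	if err != nil {
		return nil, 502, "error", err
	}
	if !emailRE.MatchString(text) {
		return raw, 200, "forwarded", nil // clean: the original events pass through byte for byte
	}
	switch action {
	case "allow":
		return raw, 200, "forwarded", nil
	case "warn":
		return raw, 200, "warned", nil // finding goes to evidence, stream unchanged
	case "block":
		return []byte(`{"error":"response blocked by PII policy"}`), 451, "blocked", nil
	case "redact":
		// Rewrite as one well-formed chunk followed by [DONE], so SSE clients still
		// receive the delta/[DONE] sequence they are waiting for.
		chunk := map[string]any{
			"id": "chatcmpl-redacted", "object": "chat.completion.chunk",
			"choices": []map[string]any{{
				"index": 0, "finish_reason": "stop",
				"delta": map[string]any{"role": "assistant", "content": emailRE.ReplaceAllString(text, "[EMAIL]")},
			}},
		}
		b, err := json.Marshal(chunk)
		if err != nil {
			return nil, 500, "error", err
		}
		return []byte("data: " + string(b) + "\n\ndata: [DONE]\n\n"), 200, "redacted", nil
	}
	return nil, 500, "error", fmt.Errorf("unknown response_pii_action %q", action)
}

func main() {
	for _, action := range []string{"warn", "redact", "block"} {
		out, status, disp, err := governStream([]byte(sampleStream), action)
		fmt.Printf("%-6s status=%d disposition=%s err=%v\n%s\n", action, status, disp, err, out)
	}
}
```

The redacted output is itself a valid stream: feeding it back through `accumulateChatStream` yields the redacted text, which is the property an SSE client such as OpenClaw relies on. The Responses API variant described in the entry differs only in where the completed text is read from (the `response.completed` event rather than accumulated deltas).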

Test

  • test(gateway): Replaced disableStreaming-based tests with SSE-native tests: TestGateway_ResponsesAPI_StreamingResponsePIIRedacted (redact mode with SSE), TestGateway_ResponsesAPI_StreamingNoPII (clean passthrough), TestGateway_StreamingAllowed_WhenPIIActionAllow, and TestGateway_ResponsesAPI_StreamingPIIBlock. All tests use real SSE response format.

0.8.10 - 2026-02-26

Fixed

  • fix(gateway): response PII scanning now works when clients send stream:true (superseded by v0.8.11 — see above). This version forced stream:false which broke SSE clients.

Test

  • test(gateway): Added streaming PII scanning tests (updated in v0.8.11).

0.8.9 - 2026-02-26

Fixed

  • fix(gateway): Refactored extractResponseContentText and redactResponseContentFields in response_pii.go to reduce cyclomatic complexity below the linter threshold (gocyclo > 15). Extracted Anthropic and Responses API parsing into dedicated helpers.
  • fix(gateway): redactOpenAIBody no longer injects content: null into Responses API input array items that have no content field (e.g. item_reference entries). Previously this caused 400 Unknown parameter: 'input[N].content' from OpenAI.
  • fix(gateway): openAIContentToText and redactOpenAIContent now recognize input_text and output_text block types in addition to text, covering all Responses API content block formats.

Test

  • test(gateway): Added 8 full-pipeline integration tests for the Responses API path: request PII redaction (string input, array content, input_text blocks), item_reference preservation (no content:null injection), response PII redaction and blocking, clean passthrough, and block-mode request rejection. These tests exercise the complete gateway handler including routing, store:true injection, PII scanning, evidence recording, and upstream forwarding.

0.8.8 - 2026-02-26

Fixed

  • fix(gateway): PII scanning and redaction now handles the OpenAI Responses API format (output[].content[].text with type: "output_text") in addition to Chat Completions (choices[].message.content) and Anthropic (content[].text). Previously, emails and other PII in Responses API output passed through unredacted.
  • fix(gateway): Request-path PII extraction and redaction now handles the Responses API input field (string or array of message objects), in addition to Chat Completions messages[]. All other request fields (store, previous_response_id, etc.) are preserved during redaction.

Test

  • test(gateway): Added Responses API test cases for response PII scanning (email, IBAN in output[].content), content extraction (single/multiple outputs, non-text outputs ignored), request extraction (input as string/array/content blocks), and request redaction (string input, array input, field preservation).

0.8.7 - 2026-02-26

Fixed

  • fix(gateway): Force store: true on OpenAI Responses API requests instead of only adding it when missing. OpenClaw (and other clients) may send store: false explicitly; the gateway now overwrites it so multi-turn conversations work through the proxy.
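
Worked example covering the Responses API request handling from 0.8.9, 0.8.8 and this entry. It is added here and is not Talon's code: `isResponsesAPIPath`, `ensureResponsesStore` and `redactResponsesInput` are constructed names (the test names listed under 0.8.6 refer to the project's own functions, not to these). The example forces `store: true` even when the client sent `store: false`, redacts `input` whether it is a string or an item array, rewrites `text`, `input_text` and `output_text` blocks, and leaves `item_reference` items that have no `content` field untouched instead of injecting `content: null`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// isResponsesAPIPath reports whether a proxied request targets the Responses API
// create endpoint (constructed helper for this demo).
func isResponsesAPIPath(p string) bool {
	return strings.TrimSuffix(p, "/") == "/v1/responses"
}

// ensureResponsesStore forces "store": true on Responses API bodies so the provider
// keeps the items that later turns reference through previous_response_id. An explicit
// store:false is overwritten (the 0.8.7 behaviour); every other field is preserved and
// a body that is not a JSON object is returned untouched for upstream to reject.
func ensureResponsesStore(path string, body []byte) []byte {
	if !isResponsesAPIPath(path) {
		return body
	}
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(body, &obj); err != nil || obj == nil {
		return body
	}
	obj["store"] = json.RawMessage("true")
	out, err := json.Marshal(obj)
	if err != nil {
		return body
	}
	return out
}

// redactString applies the redactor to a JSON string value; ok is false for any
// other JSON value (null, array, object), which the caller then leaves alone.
func redactString(raw json.RawMessage, redact func(string) string) (json.RawMessage, bool) {
	var s string
	if raw == nil || string(raw) == "null" || json.Unmarshal(raw, &s) != nil {
		return raw, false
	}
	b, _ := json.Marshal(redact(s))
	return b, true
}

// redactResponsesInput redacts the Responses API "input" field, which is either a
// string or an array of items. Items without a "content" field (item_reference
// entries) are left exactly as they are, because injecting "content": null makes
// the provider reject the request. text, input_text and output_text blocks are
// rewritten; other block types and every non-input field pass through unchanged.
func redactResponsesInput(body []byte, redact func(string) string) ([]byte, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(body, &obj); err != nil {
		return nil, err
	}
	in, ok := obj["input"]
	if !ok {
		return body, nil
	}
	if s, isString := redactString(in, redact); isString {
		obj["input"] = s
		return json.Marshal(obj)
	}
	var items []map[string]json.RawMessage
	if err := json.Unmarshal(in, &items); err != nil {
		return nil, fmt.Errorf("input is neither a string nor an array: %w", err)
	}
	for _, it := range items {
		content, has := it["content"]
		if !has {
			continue // item_reference and similar: never add a content field
		}
		if s, isString := redactString(content, redact); isString {
			it["content"] = s
			continue
		}
		var blocks []map[string]json.RawMessage
		if json.Unmarshal(content, &blocks) != nil {
			continue
		}
		for _, blk := range blocks {
			var typ string
			_ = json.Unmarshal(blk["type"], &typ)
			if typ == "text" || typ == "input_text" || typ == "output_text" {
				if t, isString := redactString(blk["text"], redact); isString {
					blk["text"] = t
				}
			}
		}
		it["content"], _ = json.Marshal(blocks)
	}
	obj["input"], _ = json.Marshal(items)
	return json.Marshal(obj)
}

func main() {
	body := []byte(`{"model":"demo-model","store":false,"previous_response_id":"resp_prev","input":[{"type":"item_reference","id":"msg_1"},{"role":"user","content":[{"type":"input_text","text":"mail me at eve@example.com"}]}]}`) // constructed
	out, err := redactResponsesInput(ensureResponsesStore("/v1/responses", body), func(s string) string {
		return strings.ReplaceAll(s, "eve@example.com", "[EMAIL]")
	})
	fmt.Println(string(out), err)
}
```

Working on `map[string]json.RawMessage` rather than typed structs is what keeps unknown fields (`store`, `previous_response_id`, future additions) byte-for-byte intact, and it is also why an absent `content` key can be detected and skipped rather than serialised as `null`.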

0.8.6 - 2026-02-26

Fixed

  • fix(gateway): Automatically inject store: true into OpenAI Responses API requests (/v1/responses) when not explicitly set. Without this, OpenAI does not persist response items, causing 404 errors on multi-turn conversations when the client (e.g. OpenClaw) references previous response IDs. Explicit store: false from the client is preserved.

Test

  • test(gateway): Added TestIsResponsesAPIPath and TestEnsureResponsesStore — path detection for Responses API, store injection with field preservation, explicit store override, and invalid JSON safety.

0.8.5 - 2026-02-26

Fixed

  • fix(gateway): Strip Accept-Encoding from headers forwarded to upstream providers. Go's http.Transport only auto-decompresses gzip responses when it manages the header itself; forwarding the client's Accept-Encoding caused raw gzip bytes to be written back to the client, producing "404 + binary garbage" in OpenClaw and other clients. Also strip stale Content-Length (invalid after PII redaction). Defensive strip added in both the gateway handler and the Forward() function.
  • fix(version): talon version and OTel service.version resource now use runtime/debug.ReadBuildInfo() as fallback when ldflags are not injected (e.g. go install ...@v0.8.5), so the correct module version is displayed instead of "dev" in both CLI output and trace spans.
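
Worked example for the Accept-Encoding fix above. It is added here and is not Talon's code: `forwardHeaders`, `gzipUpstream`, `forward` and `compare` are constructed names, and the upstream is an httptest server that compresses whenever the caller advertises gzip. Forwarding the client's `Accept-Encoding` verbatim means Go's `http.Transport` did not add the header itself, so it does not decompress the reply and the client gets raw gzip bytes; stripping it (together with the stale `Content-Length`) lets the Transport negotiate and decompress transparently.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Headers never copied from the client request to the upstream request: the
// hop-by-hop set (RFC 7230 section 6.1) plus the two the 0.8.5 fix strips.
var stripOnForward = map[string]bool{
	"Accept-Encoding":   true, // let http.Transport negotiate gzip so it also decompresses
	"Content-Length":    true, // stale once PII redaction has rewritten the body
	"Connection":        true,
	"Keep-Alive":        true,
	"Proxy-Connection":  true,
	"Transfer-Encoding": true,
	"Upgrade":           true,
}

// forwardHeaders returns a copy of the client headers that is safe to send upstream.
func forwardHeaders(in http.Header) http.Header {
	out := make(http.Header, len(in))
	for k, vs := range in {
		if stripOnForward[http.CanonicalHeaderKey(k)] {
			continue
		}
		for _, v := range vs {
			out.Add(k, v)
		}
	}
	return out
}

// gzipUpstream is a constructed stand-in for a provider that returns a compressed
// JSON error body whenever the caller advertises gzip support.
func gzipUpstream() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const body = `{"error":{"message":"model not found","type":"invalid_request_error"}}`
		w.Header().Set("Content-Type", "application/json")
		if strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
			w.Header().Set("Content-Encoding", "gzip")
			w.WriteHeader(http.StatusNotFound)
			gz := gzip.NewWriter(w)
			_, _ = gz.Write([]byte(body))
			_ = gz.Close()
			return
		}
		w.WriteHeader(http.StatusNotFound)
		_, _ = io.WriteString(w, body)
	}))
}

// forward sends a request upstream with exactly the given header set and returns
// the body bytes the gateway would hand back to the client.
func forward(upstreamURL string, hdr http.Header) ([]byte, error) {
	req, err := http.NewRequest(http.MethodPost, upstreamURL, bytes.NewReader([]byte(`{"model":"x"}`)))
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// compare forwards the same constructed client headers twice, once verbatim and
// once through forwardHeaders, and reports whether each reply parses as JSON.
func compare(upstreamURL string) (rawReadable, strippedReadable bool, err error) {
	client := http.Header{
		"Accept-Encoding": {"gzip"},            // client-supplied: disables Transport auto-decompression
		"Content-Length":  {"999"},             // stale value from before redaction
		"Authorization":   {"Bearer demo-key"}, // constructed caller key
	}
	rawBody, err := forward(upstreamURL, client.Clone())
	if err != nil {
		return false, false, err
	}
	strippedBody, err := forward(upstreamURL, forwardHeaders(client))
	if err != nil {
		return false, false, err
	}
	return json.Valid(rawBody), json.Valid(strippedBody), nil
}

func main() {
	srv := gzipUpstream()
	defer srv.Close()
	raw, stripped, err := compare(srv.URL)
	fmt.Println("verbatim headers readable:", raw, "| stripped headers readable:", stripped, "| err:", err)
}
```

The verbatim path yields bytes that fail `json.Valid`, the stripped path yields the provider's JSON. The same mechanism applies to 200 responses, which is why the PII scanner and the token-usage parser also depend on this strip, as the 0.8.5 test entry notes.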

Docs

  • docs(openclaw): Added troubleshooting entry for "Talon dev" version string after go install.

Test

  • test(gateway): Added TestForward_GzipErrorDecompressed and TestForward_GzipSuccessDecompressed — verify that gzip-compressed upstream responses (both 404 and 200) are transparently decompressed for the client, PII scanner, and token usage parser.

0.8.4 - 2026-02-25

Fixed

  • fix(gateway): Response PII scanner now scans only LLM-generated content fields (choices[].message.content for OpenAI, content[].text for Anthropic) instead of the entire JSON body. Prevents false positives on API envelope fields (created timestamp, token counts, id, system_fingerprint). The [NATIONAL_ID] false positive on created timestamps is eliminated.
  • fix(init): talon init --pack openclaw now shows TALON_SECRETS_KEY as step 1 before talon secrets set, preventing vault key mismatch errors.
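
Worked example for the content-only response scanning described under 0.8.8 and in this entry. It is added here and is not Talon's code: `extractResponseContentText`, `scanWholeBody`, `scanContentOnly` and the two detector rules are constructed, and the three sample responses are made up. The naive 10-digit rule stands in for a national-ID pattern; scanning the raw envelope makes it fire on `created`, scanning only the extracted model text does not.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Constructed detector rules for the demo. The naive 10-digit rule stands in for a
// national-ID pattern: it fires on a Unix `created` timestamp whenever the whole
// JSON envelope is scanned instead of the model's text.
var piiPatterns = map[string]*regexp.Regexp{
	"EMAIL":       regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`),
	"NATIONAL_ID": regexp.MustCompile(`\b\d{10}\b`),
}

// Constructed sample responses in the three envelope shapes the gateway handles.
const (
	chatCompletion = `{"id":"chatcmpl-demo","object":"chat.completion","created":1740412800,"choices":[{"index":0,"message":{"role":"assistant","content":"Sure, reach me at anna@example.com"},"finish_reason":"stop"}],"usage":{"prompt_tokens":12,"completion_tokens":9,"total_tokens":21},"system_fingerprint":"fp_demo"}`
	responsesAPI   = `{"id":"resp-demo","object":"response","created_at":1740412800,"output":[{"type":"reasoning","id":"rs_1","summary":[]},{"type":"message","id":"msg_1","role":"assistant","content":[{"type":"output_text","text":"Your ticket is 42."},{"type":"refusal","refusal":"n/a"}]}]}`
	anthropicMsg   = `{"id":"msg-demo","type":"message","role":"assistant","content":[{"type":"text","text":"Hello from the assistant"},{"type":"tool_use","id":"toolu_1","name":"lookup","input":{"q":"x"}}]}`
)

// textBlock is the shape shared by Anthropic content blocks and Responses API output blocks.
type textBlock struct {
	Type string `json:"type"`
	Text string `json:"text"`
}

// extractResponseContentText returns only model-generated text: choices[].message.content
// (Chat Completions), content[].text (Anthropic) and output[].content[] blocks of type
// output_text (Responses API). Envelope fields (id, created, usage, ...) are never returned.
func extractResponseContentText(body []byte) []string {
	var resp struct {
		Choices []struct {
			Message struct {
				Content json.RawMessage `json:"content"`
			} `json:"message"`
		} `json:"choices"`
		Content []textBlock `json:"content"`
		Output  []struct {
			Content []textBlock `json:"content"`
		} `json:"output"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil
	}
	var texts []string
	for _, c := range resp.Choices {
		var s string // content is null on pure tool-call turns; only string content is text
		if err := json.Unmarshal(c.Message.Content, &s); err == nil && s != "" {
			texts = append(texts, s)
		}
	}
	for _, b := range resp.Content {
		if b.Type == "text" && b.Text != "" {
			texts = append(texts, b.Text)
		}
	}
	for _, o := range resp.Output {
		for _, b := range o.Content {
			if b.Type == "output_text" && b.Text != "" {
				texts = append(texts, b.Text)
			}
		}
	}
	return texts
}

// detect returns the sorted set of entity types found in the texts (sorted so that
// evidence serialises deterministically, as the 0.7.5 fix requires).
func detect(texts []string) []string {
	found := map[string]bool{}
	for _, t := range texts {
		for name, re := range piiPatterns {
			if re.MatchString(t) {
				found[name] = true
			}
		}
	}
	out := make([]string, 0, len(found))
	for name := range found {
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

// scanWholeBody is the pre-0.8.4 behaviour: the raw envelope is scanned as text.
func scanWholeBody(body []byte) []string { return detect([]string{string(body)}) }

// scanContentOnly is the 0.8.4 behaviour: only extracted model text is scanned.
func scanContentOnly(body []byte) []string { return detect(extractResponseContentText(body)) }

func main() {
	for name, body := range map[string]string{"chat": chatCompletion, "responses": responsesAPI, "anthropic": anthropicMsg} {
		fmt.Printf("%-9s whole-body=%v content-only=%v\n", name, scanWholeBody([]byte(body)), scanContentOnly([]byte(body)))
	}
}
```

The same extractor is the natural place to hang redaction: whatever text it returns is the text that may be rewritten, and every other field of the envelope is left as the provider produced it.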

Docs

  • docs: macOS go install linker error (unsupported tapi file type) workaround added to README, OpenClaw integration guide, and first-governed-agent tutorial.

Test

  • test(gateway): Comprehensive response PII false-positive prevention suite — 12 envelope-only subtests (timestamps, large tokens, fingerprints, Anthropic format, multi-choice, multimodal, empty/null content), 4 content-PII-with-envelope-preserved subtests, 9 extractResponseContentText unit tests, 5 scanResponseForPII mode tests.

0.8.2 - 2026-02-25

Added

  • feat(init): talon init --pack openclaw generates OpenClaw gateway starter (agent.talon.yaml + talon.config.yaml) with post-init instructions.
  • docs(openclaw): Integration guide — baseUrl with trailing /v1 for correct upstream paths; two-keys clarification (TALON_SECRETS_KEY vs caller api_key); troubleshooting (404, binary garbage, vault key); diagnostics script; recommended sequence (secrets then serve). Standardized caller api_key to talon-gw-openclaw-001 across examples and guides; install instructions (go install, install.gettalon.dev).

Fixed

  • fix(gateway): Error responses (4xx/5xx) from upstream are no longer streamed; body is read and forwarded so clients receive readable JSON instead of raw binary/gzip (fixes OpenClaw "404 + garbage" when upstream returned error with SSE content-type).

Test

  • test(gateway): Forward-level tests for error responses (404/500/429/400/401 with SSE or JSON) not streamed; success stream unchanged. Gateway pipeline tests: upstream 404/500 readable, 404 with SSE content-type, evidence recorded on upstream error, PII redact then upstream 404, 429 rate-limit forwarded with headers.

0.8.1 - 2026-02-25

Added

  • feat(governance): Tool-aware PII redaction with per-tool, per-argument policies — allow/redact/audit/block categories (Gap T1).
  • feat(gateway): Response-path PII scanning with redact/block/warn modes for both MCP proxy and LLM gateway (Gap F).
  • feat(agent): Kill switch via ActiveRunTracker.Kill() Go API (Gap D). CLI and HTTP wrappers planned for next release.
  • feat(agent): Circuit breaker with half-open recovery for repeated policy denials, configurable via circuit_breaker_threshold and circuit_breaker_window in .talon.yaml (Gap C).
  • feat(policy): Destructive operation detection in tool_access.rego — blocks delete, drop, remove patterns (Gap A).
  • feat(policy): Per-agent rate limit isolation in rate_limits.rego with requests_last_minute_agent policy input (Gap B).
  • feat(agent): Contextual volume detection in plan review — flags high-volume operations (Gap E).
  • feat(evidence): SanitizeForEvidence defense-in-depth — scrubs PII from evidence payloads before storage (Gap G).
  • feat(memory): Optional HMAC signing for memory entries (Gap H).
  • feat(evidence): Pre-execution pending evidence for tool calls — writes "pending" step record before tool.Execute(), updates to "completed"/"failed" after. A kill or crash never creates an unaudited action (Gap T2).
  • feat(mcp): tools/list filtering in MCP proxy — agents only see tools in their allowed_tools list (Gap T3).
  • feat(agent): Separate tool failure tracking — tool execution errors feed ToolFailureTracker with operator alerting, not the circuit breaker. Configurable via tool_failure_threshold and tool_failure_window (Gap T4).
  • feat(agent): Per-tool execution timeouts — reads ToolPIIPolicy.Timeout and wraps tool.Execute() with context.WithTimeout (Gap T5).
  • feat(agent): Tool argument validation interface — tools implementing ArgumentValidator get pre-execution validation. Full JSON Schema validation planned for Phase 2 (Gap T6).
  • feat(gateway): Per-caller and global rate limiting enforced via token bucket (golang.org/x/time/rate). Configured via global_requests_per_min and per_caller_requests_per_min.
  • fix(agent): Wire circuit breaker into Runner execution — checks before policy evaluation, records denials/successes.
  • fix(agent): Pass requests_last_minute_agent to OPA policy input — per-agent rate limiting now functional.
  • test: Comprehensive E2E governance test suite covering OpenClaw incident failure modes.

0.8.0 - 2026-02-24

Added

  • Memory Phase 1: Input-hash deduplication; memory.governance.dedup_window_minutes; per-run --no-memory; talon audit show without ID shows latest; retention/max_entries enforcement. See docs/memory-governance.md.
  • Memory Phase 2: Consolidation pipeline (ADD/UPDATE/INVALIDATE/NOOP); temporal invalidation (preserved for audit); point-in-time AsOf (CLI talon memory as-of <RFC3339> and API GET /v1/memory/as-of). See docs/memory-governance.md.
  • Memory Phase 3: Three-type memory (semantic, episodic, procedural) and relevance-scored retrieval (relevance × recency × type weight × trust); enhanced input fingerprint (prompt + attachment hashes). See docs/memory-governance.md.

0.7.6 - 2026-02-23

Changed

  • CLI: When talon run is invoked without --agent, the runtime agent ID (evidence, memory, secrets) is now taken from the loaded policy file (agent.name in the YAML) instead of the CLI default "default". Explicit --agent <name> continues to override. This aligns config file and runtime identity when using the default policy.

Added

  • CLI: resolveRunAgentName and unit tests for default vs explicit agent name resolution; --agent flag description updated; QUICKSTART and PERSONA_GUIDES note the behavior when --agent is omitted.

0.7.5 - 2026-02-23

Added

  • Policy: policies.data_classification.block_on_pii — when true, runs are denied (no LLM call) when the user prompt or any attachment content contains PII; prompt and attachment text are scanned and evidence is recorded on deny. Documented in policy cookbook.

Fixed

  • Agent: Deterministic ordering of PIIDetected / pii_detected in evidence and logs (merged PII entity names are now sorted to avoid flaky tests and unstable serialized evidence).

0.7.2 - 2026-02-23

Fixed

  • CI: Dockerfile Go 1.24 to match go.mod; goreleaser skip linux/arm64 (CGO assembler incompatibility in goreleaser-cross); gitleaks allowlist for test/doc placeholders.

0.7.1 - 2026-02-23

Fixed

  • Release: Use goreleaser-cross for CGO cross-compilation (fix darwin/arm64 build from Linux). GoReleaser archive deprecations (format → formats).
  • Security: Run gitleaks CLI instead of gitleaks-action@v2 to avoid org license requirement. Dependency upgrades for govulncheck: OpenTelemetry v1.28 → v1.40 (GO-2026-4394), OPA v0.62 → v0.68 (GO-2024-3141), golang.org/x/net → v0.38 (GO-2025-3595). Go 1.22 → 1.23 for stdlib fixes.

0.7.0 - 2026-02-23

Added

  • Bootstrap & CLI: Cobra CLI with OpenTelemetry integration; zerolog structured logging with OTel bridge; Makefile, Dockerfile, docker-compose, CI workflows.
  • Policy engine: Embedded OPA with v2.0 schema; Rego policies for cost limits, rate limits, time restrictions, resource limits, tool access, secret access, memory governance, data classification; talon init and talon validate (strict mode); template-based init.
  • MCP proxy: Architecture and onboarding docs; proxy Rego policies (tool allowlists, rate limits, PII redaction, high-risk blocking).
  • PII, attachments, LLM: Regex-based PII classifier (EU patterns); attachment scanner with extraction, instruction detection, sandboxing; multi-provider LLM router (OpenAI, Anthropic, Bedrock EU, Ollama); cost estimation and tier-based routing.
  • Agent pipeline: Full runner (policy → classify → scan attachments → OPA → secrets → route LLM → evidence); execution plan generation and plan review gate (EU AI Act Art. 11/13); pipeline hooks (webhook delivery); MCP tool registry; talon run with --dry-run, --agent, --tenant, --attach, --policy.
  • Secrets & evidence: AES-256-GCM secrets vault with per-secret ACL; secret rotation and audit log; SQLite evidence store with HMAC-SHA256; progressive disclosure (list → timeline → detail); talon audit list/verify, talon secrets set/list/audit/rotate.
  • Cost & PII: Graceful cost degradation (fallback model when budget threshold reached); expanded EU PII patterns.
  • Testing: Test pyramid (unit, integration, e2e); shared internal/testutil (mock provider, policy helpers, constants); e2e CLI flows (init, run, validate, audit, costs, secrets, memory); fuzz and benchmarks; CI coverage threshold 70%.
  • Memory, context, triggers: Governed agent memory (Constitutional AI, allowed/forbidden categories, PII scan); shared enterprise context mounts with privacy tags; cron scheduler and webhook handler; memory CLI and search.
  • SMB governance: Onboarding and governance improvements for SMB use cases.
  • Agent planning: Bounded agentic loop; step-level evidence; loop containment policy; tests and docs.
  • Observability & CLI: Config show, doctor, costs/report commands; examples and docs.
  • HTTP API & MCP: REST API with 15+ endpoints; MCP JSON-RPC 2.0 server; MCP proxy for vendor integration; embedded dashboard (evidence, plan review, memory); per-tenant rate limits.
  • CI/CD & release: Golden tests for policy engine; integration full-flow and gateway stub tests; gofmt, vet, OPA policy tests, Codecov in CI; security workflow (govulncheck, gitleaks, SBOM); docs workflow (markdown link check); install script with checksum verification; GoReleaser with SBOM and Docker (GHCR); SECURITY.md; issue and PR templates.

Fixed

  • Policy engine post-review fixes (PR #4).
  • Memory: prevent data race on shared Governance OPA evaluator.

Security

  • AES-256-GCM encryption for secrets at rest.
  • HMAC-SHA256 signatures for evidence integrity.
  • Timing-safe API key comparison; per-agent/tenant ACL; fail-closed policy evaluation.

Compliance

  • ISO 27001: policy, classification, audit, secrets controls.
  • GDPR: controller obligations, privacy by design, processing records, security.
  • NIS2: risk management, incident reporting via evidence timeline.
  • EU AI Act: risk management, transparency, human oversight (Art. 9, 13, 14).
  • Data residency: tier-based EU model routing.