# The Tool Call Lifecycle When an Agent acts, every action is a tool call. Every tool call follows the same six-step lifecycle through the MCP Gateway. The decisions made along this path are what governance is. *** ### 📖 Key Concepts * **Tool call**: A single Agent action against a Connection (read, write, delete, send). Cakewalk evaluates each tool call independently. * **Action type**: Cakewalk's classification of what the tool call does: **Read**, **Write**, **Destructive** or **External**. Derived from MCP annotations or Catalog lookup. See [Policies](/docs/ai-agent-access/concepts/policies.md) for how action types feed the Policy engine. * **MCP elicitation**: The approval channel. When a tool call requires approval, the Agent client (Cursor, Claude Desktop) shows an inline prompt to the User who delegated. They approve or deny without leaving their workflow. * **Decision**: One of three outcomes for every tool call: **Approve**, **Require approval** or **Deny**. :bulb: *Why this matters:* The lifecycle is what makes governance fast in the common case and deliberate in the sensitive case. Auto-approved Reads pass through with millisecond overhead. Sensitive Writes pause for a User to confirm. Destructive actions stop unless a Policy explicitly allows them. *** ### 🔁 The Six Steps Every tool call runs the same sequence at the MCP Gateway. #### Step 1: Identify The MCP Gateway extracts the three actors from the inbound tool call: * The Agent (which AI client made the call) * The User (which person delegated this Agent) * The Connection (which downstream app the tool call targets) If no session exists, the MCP Gateway creates one. The session is what links every tool call back to the three actors in the audit trail. #### Step 2: Check the Credential The MCP Gateway looks up the User's credential for the target Connection in the vault. If no credential is present, the call cannot proceed: the User has not connected the Connection yet or the credential has been revoked. The Agent receives a structured signal to surface a connect or reconnect prompt. #### Step 3: Evaluate Policy The MCP Gateway runs the tool call through the Policy engine. Inputs: * **Action type**: Read, Write, Destructive or External * **User attributes**: department, title, location, user category * **Connection attributes**: name, category, risk level Output: one of three decisions. * **Auto-approve** → continue to Step 5. * **Require approval** → continue to Step 4. * **Deny** → return a structured denial. Log and stop. Conflict resolution between overlapping Policies is deterministic: see [Policies](/docs/ai-agent-access/concepts/policies.md). #### Step 4: Pause for Approval (MCP elicitation) When the decision is Require approval, the MCP Gateway suspends the tool call and surfaces an MCP elicitation prompt inside the Agent client. The User who delegated sees the prompt inline (in Cursor, Claude Desktop or whichever Agent they are using) and approves or denies. * **Approved** → continue to Step 5. * **Denied** → return a structured denial. * **Timeout** → the default policy applies (typically Deny on timeout). If the Agent client does not support MCP elicitation, the default policy decides the outcome. There is no separate notification channel for approvals today. #### Step 5: Proxy the Call The MCP Gateway retrieves the real credential from the vault, injects it into the outbound HTTP request and proxies the call to the Connection. The Connection sees a request as if the User made it directly. The Agent receives the response, never the credential. #### Step 6: Record the Decision Every evaluation produces an [audit event](/docs/ai-agent-access/concepts/audit-log.md): the request payload, the response payload and every triggered Policy with its outcome. Audit events are queryable, exportable and immutable. Admins inspect them through the Sessions tabs and Agent Activity. *** ### ⏩ The Common Path Most tool calls auto-approve. A typical Read of a non-sensitive Connection runs Steps 1, 2, 3, 5 and 6 with millisecond overhead. The Agent feels a normal MCP round-trip. The MCP Gateway is invisible at the protocol level. *** ### Related Concepts * [The MCP Gateway](/docs/ai-agent-access/concepts/the-mcp-gateway.md): the proxy that runs this lifecycle * [Policies](/docs/ai-agent-access/concepts/policies.md): how Step 3 produces a decision * [Audit Log](/docs/ai-agent-access/concepts/audit-log.md): what Step 6 records * [Trust and Security](/docs/ai-agent-access/concepts/trust-and-security.md): how credential mediation works at Step 5 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.cakewalk.security/docs/ai-agent-access/concepts/the-tool-call-lifecycle.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.