> ## Documentation Index
> Fetch the complete documentation index at: https://docs.invokehq.run/llms.txt
> Use this file to discover all available pages before exploring further.

# How Invoke Controls Agent Tool Calls

> Invoke runs a three-step execution loop on every tool call: classify risk, write a commit record, reconcile unknown outcomes, and return execution proof.

Every time your agent reaches for a real tool, Invoke intercepts the call and runs it through a controlled execution loop before any side effect lands. The loop has three steps and four underlying primitives.

<Note>
  Invoke does not replace your agent framework. It controls what happens when the agent reaches for a real tool. Keep your LangChain chains, Claude Code tools, OpenAI functions, MCP servers, and custom scripts unchanged.
</Note>

## The three-step execution loop

<Steps>
  <Step title="Agent sends intent">
    Your agent calls Invoke with everything needed to authorize and control the action: the tool name, parameters, a stable agent ID, workflow context, and an optional idempotency key.

    ```typescript theme={null}
    await invoke.call({
      tool: "stripe.charge_customer",
      params: { customer_id: "cust_123", amount: 2400 },
      agentId: "billing-agent",
      idempotencyKey: "charge:cust_123:2400"
    })
    ```
  </Step>

  <Step title="Invoke controls execution">
    Invoke runs the call through four sequential controls:

    1. **Validates schema and scope** — confirms the tool is within the agent's registered policy
    2. **Classifies the tool** — determines the safety class to decide execution behavior
    3. **Reconciles unknown outcomes** — checks live state before allowing a retry
    4. **Gates risky actions** — pauses approval-bound tools and blocks failed checks

    If any control fails, Invoke stops execution and returns the reason. No side effect lands.
  </Step>

  <Step title="Your system gets an outcome">
    The agent receives a structured result:

    | Outcome            | Meaning                                                     |
    | ------------------ | ----------------------------------------------------------- |
    | `executed`         | The tool ran and the side effect landed                     |
    | `blocked`          | The call failed a policy, scope, or identity check          |
    | `pending_approval` | The tool is approval-bound and waiting for a human decision |
    | `reconciled`       | A prior attempt succeeded; the duplicate was stopped        |
    | `replan_required`  | Live state no longer matches the agent's assumed state      |
  </Step>
</Steps>

## The four control primitives

### Classify the tool

Before execution, Invoke assigns a safety class: **idempotent**, **write-once-checkable**, **irreversible**, or **approval-bound**. The class determines what Invoke does if the first attempt returns an unknown outcome.

### Write the commit record

Before the tool touches the outside world, Invoke writes a durable execution record with the execution ID, tool name, parameters, agent ID, and idempotency key.

### Reconcile before retry

When an outcome is unknown, Invoke checks live source-of-truth state before allowing another call. If the action already succeeded, Invoke blocks the retry. The agent never needs to implement this logic itself.

### Return execution proof

Every completed call returns a structured trace with policy decisions, attempts, reconciliation checks, and the final outcome.

```json theme={null}
{
  "status": "reconciled",
  "final_outcome": "already_succeeded",
  "idempotency_key": "charge_992",
  "retry": "blocked"
}
```
