Eleven steps execute the operation. Only some of those steps make it into the audit trail.
Imagine asking the same system to run one action seven times, and each time the request stops at a different point: invalid arguments, denied permission, an exhausted rate limit, a confirmation that never arrives. Each path leaves a different trace — and not all of them leave the same trace. That's what you're about to walk through here, now with its technical name: the real invocation plan of ToolRegistry::call(), step by step, including the rules that can't fire today.
Runtime x-ray
The eleven-step walk is a good entry point. The real implementation adds boundaries that matter for security, cost, confirmation, and interception.
Select a path
Audit coverage changes depending on the return point.
| Output | Callback | Audit evidence |
|---|---|---|
| Nonexistent tool | No | no explicit log |
| Invalid args | No | validation failure |
| Policy denied | No | auth failure |
| Plan / confirmation | No | no explicit log |
| Cache short-circuit | No | tool.executed |
| Pure veto | No | known gap |
| Callback / throw | Yes | executed / failed |
| Step | Role | Presence | Source |
|---|---|---|---|
| Resolve | Guard | Active | registry lookup |
| Validate | Guard | Active | tool declares inputSchema |
| Clamp | Transform | Skipped | tool declares no clamps |
| Authorize | Guard | Active | channel 'web': require_auth=true, allow_all=false; tool declares no scopes; DB rules: skipped (no provider) |
| Rate limit | Guard | Skipped | host wiring: rateLimiter absent; cost mutating?5:1 (mutating=false → cost 1) |
| Plan mode | Branch | Conditional | fires if ctx.mode is 'plan'; current value: execute |
| Confirm | Branch | Dormant | neither tool.requiresConfirmation nor the channel policy require confirmation for this tool |
| Emit executing | Hook | Skipped | host wiring: dispatcher absent (anchor + cache/veto) |
| Execute | Execution | Active | callback; _ctx injected |
| Contain exception | Boundary | Active | wraps execute; \Throwable → INTERNAL_ERROR |
| Audit | Outcome | Active | audits: validate-fail, authz-fail, rate-limit, cache-hit, execute-success, execute-failure; does NOT audit: resolve-miss, plan-mode, confirm, veto |
- Dormant — the rule exists but can't fire
- Skipped — the subsystem isn't wired in
The guarantee reads per branch
“Everything is audited” doesn't describe every early return today. This artifact makes both the implemented guarantees and the gaps visible.
Evidence and scope
getmilpa-tool-runtime/src/ToolRegistry.php:348-570 · wording in ToolAuditLogger.php:45-57,204-232.