Every tool call from an AI agent passes through a permission gate before touching any external system. Here’s the flow:
```mermaid
sequenceDiagram
    participant A as AI Agent (Claude/ChatGPT)
    participant WA as WorkingAgents.ai
    participant P as Permissions DB
    participant APP as 3rd-Party App (CRM/API)
    participant L as Audit Log File
    participant T as Notification Task
    Note over A,WA: Agent connects via MCP/SSE
    A->>WA: Tool Call: "Get Customer Data"
    WA->>P: Verify User Permissions
    alt Permission Granted
        P-->>WA: Authorized (Allow)
        WA->>APP: Execute API Request
        APP-->>WA: Return Data
        WA->>L: Write Success Record (Audit)
        WA->>T: Trigger "Data Accessed" Notification
        WA-->>A: Result: JSON Data
    else Permission Denied
        P-->>WA: Unauthorized (Block)
        WA->>L: Write Security Alert Log
        WA-->>A: Error: Access Denied
    end
```
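
A minimal sketch of the gate in the diagram above, added here as an illustration and not WorkingAgents.ai code; the class, method, user and tool names are assumptions, and in-memory lists stand in for the audit log file and notification task. It denies by default and never reaches the third-party app on the denied branch.

```python
import json
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class PermissionGate:
    """Hypothetical gate: only the allow/deny flow is taken from the diagram."""
    grants: dict[str, set[str]]               # user -> allowed tools ("Permissions DB")
    tools: dict[str, Callable[[dict], dict]]  # tool name -> third-party API call
    audit_log: list[str] = field(default_factory=list)      # stands in for the log file
    notifications: list[str] = field(default_factory=list)  # stands in for the task

    def _audit(self, event: str, user: str, tool: str) -> None:
        # The tool name comes from the agent and is untrusted. JSON encoding
        # escapes newlines, so it cannot forge an extra audit record.
        self.audit_log.append(json.dumps({"event": event, "user": user, "tool": tool}))

    def call(self, user: str, tool: str, args: dict) -> dict:
        # Deny by default: unknown user, unknown tool or missing grant all block,
        # and the third-party app is never contacted on this branch.
        if tool not in self.tools or tool not in self.grants.get(user, set()):
            self._audit("security_alert", user, tool)
            return {"error": "Access Denied"}
        result = self.tools[tool](args)       # Execute API Request
        self._audit("success", user, tool)    # Write Success Record (Audit)
        self.notifications.append(f"Data Accessed: {user} -> {tool}")
        return {"result": result}


def build_demo_gate():
    """Constructed sample data: one granted user and one fake CRM lookup."""
    calls = []  # records every time the fake third-party app is reached

    def get_customer_data(args: dict) -> dict:
        calls.append(args["customer_id"])
        return {"customer_id": args["customer_id"], "name": "Constructed Customer"}

    gate = PermissionGate(
        grants={"alice": {"get_customer_data"}},
        tools={"get_customer_data": get_customer_data},
    )
    return gate, calls


if __name__ == "__main__":
    gate, calls = build_demo_gate()
    print(gate.call("alice", "get_customer_data", {"customer_id": 7}))
    print(gate.call("bob", "get_customer_data", {"customer_id": 7}))
    print(gate.audit_log, calls)
```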