CONCEPT Cited by 1 source

Elicitation gate

Definition

An elicitation gate is the agent-architecture mechanism by which an agentic system solicits approval, preferences, or missing information from the user or another system mid-execution, and — critically — cannot proceed past the gate without it. In the MCP / Agent Lee context, the elicitation is the confirmation prompt a user sees before a write operation executes on their behalf.

"Elicitations allow agentic systems to actively solicit information, preferences, or approvals from users or other systems mid-execution. When Agent Lee needs to take non-read actions on a user's behalf we use elicitations by requiring an explicit approval action in the user interface." — Source: sources/2026-04-15-cloudflare-introducing-agent-lee.

Gate vs prompt

The load-bearing distinction Cloudflare draws (Agent Lee post):

"The permission model is the enforcement layer, and the confirmation prompt you see is not a UX courtesy. It's the gate."

A prompt is a courtesy the agent can bypass (and under pressure will). A gate is a structural invariant — the agent cannot skip it by construction because approval is checked by a component the planner has no way to address or modify.

Agent Lee mechanism

The gate is implemented by a Durable Object that sits on the path from the sandbox to the upstream MCP server. The DO:

1. Inspects the generated code (method + body).
2. Classifies it read vs write.
3. Proxies reads directly.
4. Blocks writes until the user explicitly approves via the dashboard UI.

Because credentials live inside the DO (not in the generated code), even a jailbroken sandbox cannot route around the gate — it has no API key to make the write with. See patterns/credentialed-proxy-sandbox for the surrounding pattern.

Why it's necessary

An agent that can take arbitrary action on a user's account needs a boundary tighter than "the model is pretty reliable." Evals, hallucination scorers, and tool-call success rates (all of which Agent Lee runs) reduce the base-rate probability of an unintended write but cannot drive it to zero. The elicitation gate is the component that makes the probability of an un-approved write structurally zero.

Design shift: "An agent that can take action on your account needs to be reliable and secure. [...] These guardrails allow Agent Lee to truly be a partner alongside you in managing your resource safely."

Seen in

• sources/2026-04-15-cloudflare-introducing-agent-lee — the canonical in-wiki instance. "Agent Lee cannot skip this step." Surfaces the gate as an explicit architectural component of the MCP permission system, not a UX toast.

Related

• patterns/credentialed-proxy-sandbox — the architectural pattern that places the gate at a credential boundary the sandbox cannot cross.
• systems/model-context-protocol — the protocol layer whose write operations the gate authorises.
• systems/cloudflare-durable-objects — the runtime substrate hosting the gate in Cloudflare's deployment.
• systems/agent-lee — the production agent whose write path is fully gated.