Tool Requests
Builders asked to connect software that isn’t in your catalog yet. Each one blocks an agent from going live until you act.
3 builders are waiting on you. Their agents are built and tested against a stand-in, but cannot go live until you fulfil these connections.
Queue
Connect Salesforce
External service · Linnea Park · Subcontracts Follow-up · Requested 2 days ago
What it needs to do
Update the subcontractor’s contact record after a milestone status changes, so the CRM stays in sync.
What would cross the boundary
- Direction: Outbound (agent → Salesforce)
- Data classification: Internal — contact details + subcontract reference
- Egress account: vds-egress-prod · 4455-2210-9087
- Owning party: Contracts Platform
- Authorization status: None on file (not FedRAMP-authorized)
Generated egress broker
Generated for you

```yaml
# egress-broker/salesforce.yaml (platform-generated)
Resources:
  SalesforceEgressBroker:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: broker.handler
      VpcConfig: # customer sanctioned-egress account
        SubnetIds: [ !Ref EgressSubnet ]
      Environment:
        Variables:
          TARGET_HOST: api.salesforce.com
          PATH_ALLOWLIST: /services/data/v60.0/sobjects/Contact
  BrokerInvokePolicy:
    Type: AWS::IAM::ManagedPolicy # granted to the Tool Dispatcher only
```

Runs in your sanctioned-egress account, outside the platform VPC. The agent reaches it as an ordinary in-VPC Tool — it never knows there’s a broker.
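One way a broker handler could enforce the template's TARGET_HOST and PATH_ALLOWLIST before forwarding a request, useful when reviewing what the allowlist does and does not cover. This is an added example, not the platform-generated broker code; `check_egress`, the HTTPS-only rule and the segment-boundary prefix match are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Values copied from Environment.Variables in the generated template.
TARGET_HOST = "api.salesforce.com"
PATH_ALLOWLIST = "/services/data/v60.0/sobjects/Contact"


def check_egress(url, host=TARGET_HOST, allow=PATH_ALLOWLIST):
    """Return (allowed, reason) for an outbound URL (hypothetical helper)."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # assumption: the broker only speaks HTTPS
        return False, "scheme is not https"
    # Compare the host that would actually be contacted; reject userinfo so
    # the allowed name cannot appear only as a decoy before an '@'.
    if parts.username is not None or parts.hostname != host:
        return False, "host is not TARGET_HOST"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "unexpected port"
    # Decode once, then refuse anything still carrying an escape or a
    # backslash rather than guessing how the upstream would read it.
    path = unquote(parts.path)
    if "%" in path or "\\" in path:
        return False, "ambiguous path encoding"
    # Collapse '.' and '..' before comparing, so a path cannot start under
    # the allowed prefix and resolve somewhere else.
    norm = posixpath.normpath(path)
    # Match on a segment boundary: .../Contact and .../Contact/<id> pass,
    # a sibling object such as .../ContactPoint does not.
    if norm != allow and not norm.startswith(allow + "/"):
        return False, "path is outside PATH_ALLOWLIST"
    return True, "ok"


if __name__ == "__main__":
    base = "https://api.salesforce.com/services/data/v60.0/sobjects"
    # Constructed sample requests, not captured traffic.
    for sample in (base + "/Contact/003EXAMPLE",
                   base + "/Contact/../Account/001EXAMPLE",
                   base + "/ContactPoint",
                   "https://other.example/services/data/v60.0/sobjects/Contact"):
        print(check_egress(sample), sample)
```

A broker built this way should forward the normalized path it checked, not the original string, so the upstream service sees exactly what was approved.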
Document & accept the risk
- Subcontract and contact data will leave the platform boundary to reach Salesforce.
- Salesforce is not FedRAMP-authorized; no package is on file.
- You accept this risk on behalf of the org, as the recorded risk owner.
- This is recorded in the interconnection inventory (CA-3 / SA-9) with your name and the date.
Check the box to record your acceptance.
On accept: Linnea Park is notified, and Subcontracts Follow-up’s sandbox re-tests against the live Salesforce connection.