Tool Catalog
Two-tier registry. Org tools approved by Platform Admin and visible to every team. Team tools registered by a Team Admin and scoped to that team.
The model-driving runtime holds zerotool IAM. It can only invoke its agent's Tool Dispatcher, which holds each Tool's scoped permissions (granted at deploy time), enforces the Agent's allowlist and input schema, invokes the Tool, and records the call in the Trajectory. One enforcement and audit point per agent — so a prompt injection can never reach an AWS API the Dispatcher doesn't already gate.
tool spans.| Tool | Kind | Scope | Sensitivity | IAM actions | Approved by | In use by |
|---|---|---|---|---|---|---|
ServiceNow Search Read-only IT-ticket search across ServiceNow. | http | org | read | none (in-VPC HTTP) | Platform Admin 2026-02-04 | 4 agents |
Vendor & Account Lookup Read vendor, account, and contact records from the CRM. | http | org | read | none (in-VPC HTTP) | Platform Admin 2026-01-22 | 6 agents |
Engineering Wiki (Confluence) MCP server fronting the internal engineering wiki. | mcp | org | read | bedrock:Retrieve | Platform Admin 2026-01-22 | 5 agents |
AP / Payments (Costpoint) Quote and list payable items. Mutations gated by approval-broker. | http | team | mutating | none (in-VPC HTTP) | Priya Shah (Team Admin) 2026-03-11 | 1 agents |
Approval Broker Issues human-in-the-loop approval requests via Slack + email. | lambda | org | egress | sns:Publishses:SendEmail | Platform Admin 2026-01-30 | 3 agents |
GitHub Issues File and read issues on configured repos. | http | team | mutatinguntrusted-returning | none (in-VPC HTTP) | Marcus Chen (Team Admin) 2026-04-02 | 1 agents |
Datadog Query Query metrics, logs, traces. Read-only. | http | team | read | none (in-VPC HTTP) | Marcus Chen (Team Admin) 2026-04-02 | 1 agents |
Solicitation & Past-Performance Lookup Read solicitations and past-performance records. | http | team | read | none (in-VPC HTTP) | Linnea Park (Team Admin) 2026-03-18 | 2 agents |
ERP Write (Costpoint) Post records to the core ERP. Mutations only. | http | team | mutating | none (in-VPC HTTP) | Linnea Park (Team Admin) 2026-03-18 | 2 agents |
Document Upload S3 multipart upload to the team's intake bucket (proposal docs / CUI). | aws | org | mutating | s3:PutObject | Platform Admin 2026-02-15 | 1 agents |
Imagery & Terrain Service Initiate and read geospatial imagery and terrain data for mission planning. | http | team | egressuntrusted-returning | none (in-VPC HTTP) | Marcus Chen (Team Admin) 2026-05-15 | 1 agents |
Scheduling Create scheduling links for end users. | http | org | egress | none (in-VPC HTTP) | Platform Admin 2026-02-15 | 1 agents |
A Team Admin can register a team tool immediately. Promotion to org tier requires Platform Admin review and a security questionnaire.
Every tool advertises a typed schema (input + output). The interview agent uses these to suggest tools that fit the user's described intent.
Every Tool endpoint is reachable from inside the air-gapped VPC — a Lambda ARN, an in-VPC HTTP API over PrivateLink/interface endpoint, or an AWS service action. There is no public-internet egress: no IGW, no NAT, no forward proxy.
A tool that returns content the model didn't author is untrusted-returning (always-on for External-Connection-backed tools, opt-in for in-VPC). Once one runs, the session is tainted: every later egress/mutating call must be a declared Safe Sink, escalate for approval, or be denied.