Integrations

Every system of record we cover, searchable.

MCP adapters across the supply-chain stack — ERP, WMS, TMS, S&OP, quality, procurement, logistics, EDI, and more. Every adapter ships with production-grade architecture and a declared authentication contract. Use the search to verify your stack-of-record is covered on day one.

Total catalog surfaces 141 production-built, contract-tested Tier-1 connectors · the rest scaffolded, harden on demand (1–3 days for design partners) Latest wave Last updated
Honest-stage definition

What "production-grade" means here.

Every connector on this page ships with production-grade architectural scaffolding: BaseMcpClient implementation, declared authentication strategy, vendor metadata, and category taxonomy enforcement. Every connector compiles cleanly under our strict TypeScript build before merge.

141 connectors are production-built Tier-1 today — typed BaseMcpClient client, health-check ping(), fixture-driven contract tests, write-gate-denied stubs for high-risk operations, and — gate-enforced in CI — at least one real, non-stub data read each. The set includes SAP S/4HANA, SAP ECC, Oracle Fusion ERP, Blue Yonder WMS, and Rockwell FactoryTalk, normalized to canonical domain types. Reads are validated against synthetic replay fixtures synthesized from public API documentation; live-sandbox validation for customer wiring is per-tenant Day-1 onboarding work, not a today claim.

~700 catalog scaffolds elevate per customer signal. The architecture is in place. The authentication strategy is declared. The category taxonomy is enforced. Scaffolds carry the same shape as Tier-1 connectors and elevate to the Tier-1 rubric via a documented 3-hour cluster dispatch — codegen does most of it; customer signal triggers the dispatch. Most scaffolded ping() calls stub NotImplemented until the connector is activated against a real customer system.

Plus 8 generic adapters (JDBC, OData, OpenAPI, GraphQL, SFTP, SOAP, Webhook, X12) covering any vendor whose specific adapter isn't yet in the catalog — generic patterns that bridge to a real customer system on the same write-gate posture as a Tier-1 connector.

What this is not: we don't claim every connector is wired to your live systems today. 141 Tier-1 connectors are production-built and contract-tested, each verified in CI against synthetic replay fixtures — but live-sandbox validation against a real customer system is per-tenant Day-1 onboarding work. ~700 more are catalog scaffolds ready to elevate during a design-partner pilot; 8 are generics bridging the long tail. Nobody who scaffolds at this scale can honestly claim every one is live-wired to a customer. What we do guarantee: the architecture is production-grade and operates read-only against customer systems of record, the contract is declared, and the activation path is well-defined.

For engineers: technical contract details

All connectors extend BaseMcpClient with an abstract async ping(ctx: CallContext): Promise<HealthStatus> health-probe method. Read-only enforcement is two-tier: most high-risk writes have no executable code path at all (Tier-1 — the connector class never wraps them in executeWithGate()); the 644-entry write-gate registry (634 high-risk Tier-2 + 10 low/medium static) is the default-deny allow-list for the high-risk writes that do have code paths. CI lint refuses any PR adding an unregistered write (per ADR-0020). Per-tenant credential encryption via HKDF-SHA256. Per-tenant rate limiting at the adapter boundary. Egress allow-list + mTLS + cert pin per ADR-0012.

What do the authentication strategies mean?

All strategies are read-only-by-default per ADR-0020. Writes route through a human-gated approval queue regardless of authentication mode.

  • api-key — Long-lived secret token. Best for service-to-service connections to systems that don't support OAuth. Encrypted at rest per tenant.
  • bearer — Per-request Bearer header. Common for modern SaaS REST APIs.
  • oauth2-client-credentials — OAuth 2.0 machine-to-machine flow. Short-lived tokens, automatically refreshed. Enterprise-standard for service-account integrations.
  • oauth2-auth-code — OAuth 2.0 user-delegated flow. Used when an adapter must act on behalf of a specific named user, not the tenant in aggregate.

Showing 0 of 0 adapters

Loading the catalog…

Your stack-of-record not listed?

We add new adapters in 1–3 business days for design partners. Tell us the platform, the integration use case, and the version you're on — we'll come back with a scoped delivery window.