An illustrative roster of five C-suite fractional agents (Grant CFO, Penny CMO, Leo CLO, Grace CHRO, Katharine CRO) with specific picks in each of the ten tool categories — vendor MCP servers, substrate components, per-agent allocations, proof-of-work artifacts, and a dual-use pattern. This is one stack, opinionated, off-the-shelf. For the wider landscape (categories, options per category, how to choose), start at the tools hub. For the wiring that connects this stack, see the architecture leaf.
Last reviewed: 2026-05-17 · Cadence: hot (quarterly) · Plan: agent-platform repo
Before a single vendor MCP server lights up, an agent needs a runtime, a protocol, a permission gate, an audit trail, a sandbox for code, an identity, a dual-use bridge, and a trace contract. These are the eight load-bearing picks. Each is verified in production in 2026 and self-hostable, so a partner can clone the whole pattern.
LangGraph or Vercel AI SDK — switches between Claude, GPT, Gemini, Ollama, vLLM by config. [oss · multi-provider]
Edge caching + rate limits + routing proxy that targets any provider. Keeps model choice a config decision. [cloudflare + oss]
500+ servers in the official registry. Tool discovery + invocation, vendor-neutral. [anthropic-origin · oss]
YAML policies per agent. <1 ms decision. One principalPolicy file per role.
OpenTelemetry-compatible. Replayable traces. ClickHouse-backed. Free at scale. [langfuse · oss (MIT)]
Firecracker microVMs. Hardware boundary for code an agent writes itself. [e2b · oss core]
Per-agent service token + short-TTL capability JWTs. No extra IdP. [cloudflare · saas]
One function fires from a form OR an MCP tool. Single code path, single audit row. [inngest · oss core + cloud]
Semantic conventions for gen_ai.agent.id, gen_ai.tool.call.id, etc.
All eight are vendor-maintained, GA, and as of May 2026 the safest picks for a partner-facing showcase. A third-party MCP server might be richer, but every dependency is a future maintenance bill — vendor-hosted servers are zero-effort to keep alive.
Repos, PRs, issues, code search. The legal-review and platform-engineering substrate.
Contacts, deals, marketing-email send, campaign analytics. Penny + Katharine's CRM.
Pipeline objects + flows. Katharine's enterprise-CRM lane for teams running on Salesforce.
Gmail, Drive, Calendar, Sheets, Docs. The default office substrate for many SME setups.
Read-only analytics queries. Grant's CFO data backend; Katharine read-only too.
Post messages, read channels, list users. Posting is destructive: gated by approval.
Pages, databases, comments. Where agent drafts and playbooks accrue.
Jira issues + Confluence pages. Leo's compliance lane + general engineering tracker.
Each agent has a tight allowlist — eight tools or fewer. Read scopes are wide by default; mutations are narrow and gated. Each agent's Cerbos principalPolicy lives at a stable path like cerbos/policies/<agent>.yaml — readable rules, not implementation details to take on trust.
Read finance datasets, run analytics SQL. The CFO's primary data tool.
Read the books; create invoices and bills with human approval.
The warehouse layer for non-BigQuery finance data.
Working files. Grant can write to spreadsheets he owns.
Post to #finance, #cfo-updates, #leadership. Approval required.
Submit returns. Always approval-gated. Typically a thin wrapper over SARS eFiling APIs.
Run finance models in a sandbox — recon, forecasts, journal generation.
The dual-use export. Same fn fires from a CFO form or from Grant directly.
Contacts, lists, deals, campaigns. Sends gated by approval.
Drafts only by default. Send goes through the Inngest gate.
Write scoped to marketing and brand folders.
Briefs, playbooks, campaign trackers. Read + create + update.
Logo + image bucket. Penny can read and write here, no other agent can.
Read freely; post with approval.
Generate images via Vertex Imagen / Flux inside the sandbox; outputs land in R2.
The flagship dual-use fn. Human form or agent tool, same code path.
Read repos and PRs for IP / open-source compliance. Comment, never merge.
Write scoped to legal, contracts, compliance folders.
Read incoming + draft replies. Send is human-only.
Legal playbooks, POPIA checklists, contract templates.
Case-law and regulatory lookups. Read-only.
Run diff tools across contract drafts; output the redlined PDF to R2.
Post to #legal, #compliance, #leadership. Approval gated.
Routes a contract for signature to the human signatory.
Read + draft. Sends via Inngest with approval.
Strictly scoped to people / hr / playbooks folders.
Read, create, update events. The interview / 1-1 / review surface.
Write only to spreadsheets Grace owns. Read broadly.
HR playbooks, onboarding tracks, leadership memos.
DMs free; #people + #leadership posts approval-gated.
The offer + onboarding-pack dual-use fns. Always human-approved.
Read everything; update contacts + deals (deal-stage changes are gated).
For teams on SFDC. Same patterns as HubSpot.
#sales, #revenue, #deals, #leadership.
Draft outreach. Send via Inngest send-proposal fn.
Book discovery and demo slots.
Account plans, deal rooms, proposals.
Scoped to sales_marts + revenue_reporting datasets.
Moving a deal to Closed-Won is never silent. Always logged, always approved.
Every tool call — agent or human — emits the same four artifacts, all tied by a single run_id. Anyone reviewing the catalog — an auditor, another agent — can pivot from any one of them to the others, replay the run in the Langfuse UI, and verify nothing happened off-record.
The replayable trace. Agent prompts, tool args, decisions, latencies, costs — everything an auditor needs to reconstruct what happened, including the agent's reasoning.
tool_calls: The durable summary. Cheap to query, indexed by agent, tool, decision, time. Powers dashboards and approval queues without paging the trace store.
When the tool produced a file (image, PDF, CSV, audio), it lands at runs/{run_id}/{filename}. The trace and the row both link to it.
Destructive actions block until a human decides. The decision is its own row in approvals with approver id, time, and note. A "yes" is as audited as a "no".
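An added example, not part of the catalog's own code: a reviewer's cross-check that pivots on run_id across the four artifacts and reports runs where they disagree. Only run_id, source, decision=approval_required and the runs/{run_id}/ prefix come from this page; every other column name and all sample rows are constructed assumptions.

```python
import posixpath

# Constructed sample data. Column names other than run_id, source and decision,
# and the "allowed"/"approved"/"denied" values, are assumptions for this example.
def call(run_id, source, decision, executed, trace_id, artifact=None):
    return dict(run_id=run_id, source=source, decision=decision,
                executed=executed, trace_id=trace_id, artifact=artifact)

TOOL_CALLS = [
    call("r1", "agent", "approval_required", True, "t1"),
    call("r2", "human", "allowed", True, "t2", "runs/r2/invoice.pdf"),
    call("r3", "agent", "approval_required", True, "t3"),   # no approvals row
    call("r4", "agent", "approval_required", True, "t4"),   # denied, yet executed
    call("r5", "agent", "allowed", True, "t5", "runs/r5/../r1/logo.png"),
]
APPROVALS = [
    {"run_id": "r1", "approver_id": "u-7", "decision": "approved"},
    {"run_id": "r4", "approver_id": "u-7", "decision": "denied"},
    {"run_id": "r9", "approver_id": "u-2", "decision": "approved"},  # no tool call
]
TRACE_IDS = {"t1", "t2", "t3", "t4"}  # t5 is absent from the trace store


def audit(tool_calls, approvals, trace_ids):
    """Return sorted (run_id, finding) pairs where the four artifacts disagree."""
    decided = {a["run_id"]: a for a in approvals}
    findings, seen = [], set()
    for row in tool_calls:
        rid = row["run_id"]
        seen.add(rid)
        if row["trace_id"] not in trace_ids:
            findings.append((rid, "no_trace"))
        art = row["artifact"]
        # Normalise first so "runs/r5/../r1/x" cannot pass a naive prefix check.
        if art and not posixpath.normpath(art).startswith(f"runs/{rid}/"):
            findings.append((rid, "artifact_outside_run_prefix"))
        if row["decision"] == "approval_required" and row["executed"]:
            approval = decided.get(rid)
            if approval is None:
                findings.append((rid, "executed_without_approval"))
            elif approval["decision"] != "approved":
                findings.append((rid, "executed_after_denial"))
    # An approval with no matching tool_calls row points to an off-record run.
    findings += [(rid, "orphan_approval") for rid in decided.keys() - seen]
    return sorted(findings)


if __name__ == "__main__":
    for run_id, finding in audit(TOOL_CALLS, APPROVALS, TRACE_IDS):
        print(run_id, finding)
```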
A tool that mutates state lives once, as an Inngest function. The function is callable from a plain HTML form (humans) or from the MCP gateway (agents). The Langfuse trace is identical except for one attribute: source. That's how the audit log treats humans and agents the same way — because the code path is the same.
penny.send-email
penny.send_marketing_email via MCP. The gateway logs decision=approval_required and fires Inngest event penny.send_email.requested with source: "agent".
approval.decided. A human approver sees a card in the audit UI, reviews the proposed copy + audience, clicks approve.
tool_calls row.
source: "human". No pause — the form submission is the approval.
source attribute differs.
The catalog describes a self-hostable pattern. There is no managed multi-tenant service behind it — teams clone the architecture and run it on their own Cloudflare + Fly accounts.
The catalog gates tool calls. Model traffic (Anthropic, Vertex, Bedrock) goes direct from the agent. Use Cloudflare AI Gateway or equivalent for model-side routing.
Multiple stacks land at the same architecture. The picks in this catalog favour OSS + self-hostable + readable policies. Substitute confidently when a different OSS option suits the situation; the architecture survives the swap.