Conduit is an agent-native MCP server that mirrors every contract, insurance certificate, lien waiver and compliance record from Procore into Salesforce — and keeps projects, financials and contacts in bidirectional sync too. One secure connection; your AI agent acts across both systems.
Click any scenario. Watch the broker fetch, deduplicate, field-map and upsert across both systems, step by step. Health and OAuth checks hit the real deployed Worker; sync scenarios animate the exact logic that ships in the codebase. The Advanced row walks through the full MCP protocol surface — prompts & autocomplete, elicitation, sampling, tasks, and SSE streaming — each labeled with its spec method and revision.
MCP tool calls are instant and agent-driven; durable sync needs a queue, dedup and a scheduler. Conduit splits cleanly so each does what it's best at — a design grounded in primary-source research of the MCP spec and Procore's webhook contract.
Dual-provider OAuth, at-least-once webhooks, governor limits, conflict resolution — the hard problems are solved up front, not patched in production.
The server issues its own bound MCP token, then brokers and refreshes both Procore and Salesforce tokens per tenant via a token-exchange callback — no API keys ever shared with the agent.
Procore delivers at-least-once with a 5-second timeout. Conduit ACKs instantly, deduplicates by event id, and reconciles out of band — so replay storms become no-ops, never duplicates.
Every outbound call honors Retry-After with exponential backoff, respecting Procore's hourly limits and Salesforce's daily governor limits under load.
When both sides edit the same record, a pluggable policy decides — last-write-wins, source-of-truth-per-field, or escalate for human review. Your ownership model, your rules.
Runs on Cloudflare Workers with a Durable Object per session for stateful, multi-tenant sync, KV-backed token + dedup storage, and a cron-driven reconciliation backstop.
187 unit + integration tests at ~99% line coverage, including a real MCP client driving the server end-to-end and a webhook replay-storm test. The build is green before it ships.
Legal documents lead the model — contracts, insurance certificates, lien waivers and compliance records sync bidirectionally: Procore is the document system of record, while legal/CRM edits in Salesforce (status, approval outcomes) flow back to Procore. Master data also syncs both ways; financials and PM records flow into the CRM for reporting. Each mapping is anchored by a Salesforce External ID for idempotent upserts.
| Procore | Direction | Salesforce | Match key |
|---|---|---|---|
| Company / Vendor | ⇄ bi | Account | Procore_Company_Id__c |
| Project | ⇄ bi | Procore_Project__c | Procore_Project_Id__c |
| Directory Contact / User | ⇄ bi | Contact | Procore_Contact_Id__c |
| ★ Legal documents — featured · bidirectional | |||
| Contract Document | ⇄ bi | Procore_Contract_Document__c | Procore_Id__c |
| Insurance Certificate | ⇄ bi | Procore_Insurance_Certificate__c | Procore_Id__c |
| Lien Waiver | ⇄ bi | Procore_Lien_Waiver__c | Procore_Id__c |
| Compliance Document | ⇄ bi | Procore_Compliance_Document__c | Procore_Id__c |
| Financial documents | |||
| Prime Contract | → to SF | Procore_Prime_Contract__c | Procore_Id__c |
| Commitment / Change Order | → to SF | Procore_Commitment__c | Procore_Id__c |
| RFI | → to SF | Procore_RFI__c | Procore_Id__c |
| Submittal | → to SF | Procore_Submittal__c | Procore_Id__c |
Legal docs, always in the CRM
Every executed contract, insurance certificate, lien waiver and compliance record is mirrored into Salesforce — your legal and sales teams query one source of truth.
Agent-ready today
Any MCP client — Claude included — connects with one OAuth flow and can read and act across both platforms safely.
Audit-friendly
Soft-deletes preserve CRM history, idempotent writes prevent duplicates, and every sync is traceable by external id.
Yours to own
Self-hostable on your Cloudflare account, no per-seat SaaS tax, and the mapping + conflict policy are fully configurable.
Conduit is a standards-compliant remote MCP server. Point any MCP client at the endpoint and complete the OAuth handshake — discovery is automatic.
Conduit isn't a closed app — it's an endpoint your own AI client connects to. Add it once, approve the secure login, and your agent instantly gains eighteen Procore ⇄ Salesforce capabilities. Here's the whole flow, end to end.
The endpoint is deployed and healthy. The connection, OAuth handshake, and tool discovery are fully real — connect a client during your demo and the eighteen tools appear, proving Conduit is a genuine, standards-compliant MCP server.
GET /healthz → 200 · POST /mcp → 401 until you sign in
Wiring each customer's own Procore & Salesforce OAuth apps is the next phase, so when presenting:
All six run on the api OAuth scope Conduit already uses — no add-on required. Grounded in primary Salesforce docs (ContentVersion multipart, Process Approvals REST, Contract SOQL).
Tip: a one-time setup step the customer runs first — after that, the read, sync and workflow tools act on their behalf.
Straight talk so you can trust the demo. The server is built, deployed and heavily tested; a few things are deliberately tuned per-org or staged for a later phase. Nothing here is hidden.
Hardening priorities are research-backed (bidirectional-sync conflict strategies, Salesforce CDC delivery semantics, Cloudflare KV vs Durable Object consistency) and tracked in SPEC §8a and the CHANGELOG.
Conduit ships as a single Worker that combines an OAuth 2.1 authorization server, a per-session Durable Object for stateful sync, KV storage for tokens and dedup, a cron reconciliation trigger, and static assets — all behind one global edge URL with sub-100ms cold starts.
V8 isolates at the edge, nodejs_compat enabled. Observed ~65ms startup, 324 KB gzip bundle. Observability (Workers Logs) turned on.
The McpAgent binds to a SQLite-backed Durable Object (ProcoreSalesforceMCP, migration tag v1) — one instance per MCP session for isolated, multi-tenant sync state.
OAUTH_KV holds grants & brokered provider tokens; DEDUP_KV holds webhook event ids with a TTL so replays are no-ops across the fleet.
@cloudflare/workers-oauth-provider fronts the Worker: OAuth 2.1 + PKCE (S256), /authorize · /token · /register, RFC-8414 discovery, and a token-exchange callback that brokers both upstream providers.
A scheduled trigger (*/30 * * * *) runs a delta sweep as a backstop — catching any webhook drops, since at-least-once delivery is not exactly-once.
Client secrets and the AES-256-GCM token key are set via wrangler secret put (never committed). The GUI you're reading is served from the Worker [assets] binding.
Conduit is a standards-compliant remote MCP server, so any MCP-capable client or agent framework works out of the box. Reads are Resources, actions are Tools, and the whole thing is open to extension in a few lines.
After the OAuth handshake, any MCP client lists and invokes tools. Conduit brokers the Procore + Salesforce calls for you.
Two entrypoints share one codebase — develop on Node, deploy to Workers. Both speak Streamable HTTP.
Append one object to the MAPPINGS registry — resource name, SF object, External-ID field, direction, fields. The sync engine and tools pick it up automatically.
Register a new MCP tool in mcp/server.ts with a Zod input schema; it's instantly callable by every connected agent, with validation handled for you.
Implement resolveConflict() in sync/conflict.ts to match your data-ownership model — last-write-wins, field-level source-of-truth, or human review.
This wasn't vibe-coded. It started with a multi-source, adversarially fact-checked research pass on the MCP spec, Procore's webhook contract, and Cloudflare's hosting stack — then a written spec, a layered implementation, a full test suite, and a global deploy.
A modern, type-safe, edge-native stack — every layer chosen for correctness, security, and operability. Nothing exotic, nothing legacy.
Front-end of this page: hand-written HTML/CSS/JS (no framework), typeset in Bricolage Grotesque, Hanken Grotesk & IBM Plex Mono. Integrates the Procore REST & Webhooks APIs and Salesforce REST / Bulk API 2.0 / Change Data Capture.
Every decision favored correctness, security, and operability over shortcuts. Here's what's enforced in the code, not just promised.
Idempotent by design
Upsert-by-External-ID + event dedup mean every write is replay-safe. No duplicates, ever.
OAuth 2.1 + PKCE
The server issues its own bound token and brokers provider tokens — agents never touch raw API keys.
Fail-fast config
Zod validates all env at boot, so a misconfigured deploy errors loudly instead of throwing opaque 401s later.
Strict TypeScript
noUncheckedIndexedAccess & friends — the compiler catches the bugs before runtime does.
Backoff & rate-limit aware
All outbound calls honor Retry-After with exponential backoff for 429s and 5xx.
No silent data loss
Conflicts resolve via explicit policy; deletes soft-delete to preserve CRM history.
Tested to ~99%
Unit + real MCP client integration + webhook replay-storm tests, with coverage gates in CI.
Secure transport
Origin validation & DNS-rebinding protection on the MCP endpoint, per the spec's MUST.
Separation of concerns
Agent plane vs sync plane; client / mapping / engine layers — each independently testable.
Secrets at rest
Provider tokens encrypted with AES-256-GCM; credentials live in Wrangler secrets, never in git.
One codebase, two runtimes
Shared logic targets both Node and Workers — no fork, no drift.
Verifiable claims
API contracts tagged for live verification; the design traces to primary-source docs.
Every layer is written down — from system design to a file-by-file API reference. Browse it in the repository; each document and its purpose is below.
The design traces to official specs and developer docs — each surfaced by a multi-source research pass and adversarially fact-checked. VERIFIED marks sources confirmed primary during research; Procore & Salesforce data-layer contracts are tagged for live re-verification before production.
Research method: 5 search angles → 22 sources fetched → 48 claims extracted → 25 adversarially verified (24 confirmed). Sources marked VERIFIED were confirmed as primary during that pass; remaining Procore/Salesforce contracts are authoritative docs to confirm against the live versions before production cutover.
Conduit is deployed, tested, and waiting. Run the live demo above, or talk to us about wiring it to your Procore and Salesforce instances.