{
  "generated_at": "2026-04-28T23:58:28.623Z",
  "system": {
    "id": "topolo-mdm",
    "name": "TopoloMDM",
    "slug": "topolo-mdm",
    "kind": "application",
    "summary": "MDM platform cluster spanning a device API, tenant realtime hub, operator console, Android DPC, and mobile scaffold.",
    "aliases": [],
    "lifecycle": "active",
    "last_verified": "2026-04-27",
    "owners": [
      "device-platform"
    ],
    "repo_paths": [
      "PlatformApplications/TopoloMDM",
      "PlatformApplications/TopoloMDM/topolo-provision"
    ],
    "service_ids": [
      "svc_topolo_mdm_console",
      "svc_topolo_mdm_api",
      "svc_topolo_state_api"
    ],
    "visibility": "public",
    "api_contract": {
      "type": "curated",
      "source": "PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx",
      "notes": "Canonical MDM coverage now lives in the docs application, and the console's authenticated workspace renders through `TopoloAppShell`, inheriting shared Improve Topolo and TopoloNotify chrome while keeping fleet workflows MDM-owned. The console now routes launcher catalog reads plus tenant bootstrap through same-origin /api/auth/* on the app host. The console browser callback delegates one-time `sso_code` exchange to the shared Auth client instead of carrying MDM-local `/sso/exchange` protocol logic. The API worker validates browser console JWTs against `svc_topolo_mdm_console` while keeping API-key validation under `svc_topolo_mdm_api`. Device registration and first-poll recovery consume authenticated enrollment-session tokens, then issue device credentials required for subsequent poll, command-status, device realtime, and device FCM-token registration calls. The API worker owns a tenant-scoped `TENANT_EVENTS` Durable Object for operator WebSocket fleet events and device command wakeups, and uses Firebase Cloud Messaging HTTP v1 as a data-only wake channel for enrolled Android devices that have posted an FCM token. TopoloProvision QR/R2 APK builds remain the device-owner enrollment path, while Google Play internal-testing builds are a sales/demo distribution lane that runs without kiosk/device-owner assumptions until Android Enterprise enrollment. Current Android DPC builds call `https://topolo-mdm-api.topolo.app`; the Android package id is `com.topolo.provision` for Firebase, Google Play, and Android Enterprise device-admin payloads. Install-package catalog reads now point at the Developers-owned `https://developers.topolo.app/api/apps` route, where Topolo Feed, Topolo Provision, and the 22 retained Topolo Mobile Android APKs are R2-backed installable rows served from apk.topolo.app, while Topolo MDM Mobile remains Android/iOS metadata until its own mobile release. The mobile scaffold reads only the SDK-managed topolo_access_token key for bearer API requests, subscribes to `/events` for fleet freshness, and resolves `topolo_auth_flutter` from the canonical Auth repo git package path."
    },
    "primary_hosts": [
      "https://topolo-mdm-api.topolo.app",
      "https://topolo-mdm-api.topolo.workers.dev"
    ],
    "doc_paths": [
      "applications/mdm",
      "internal/apps/mdm"
    ],
    "security_assurance": {
      "risk_tier": "critical",
      "auth_boundary": "Topolo Auth one-time SSO exchange-code callback with MDM-owned device, tenant, and API authorization. Protected MDM API bearer-token requests must validate through Auth, browser console JWTs validate against the console service id, API-key requests validate against the API service id, device enrollment consumes one-time server-issued enrollment tokens before issuing per-device credentials, and no path may fall back to locally decoded JWT claims from a Worker secret.",
      "tenant_isolation": "organization_scoped",
      "external_inputs": [
        "browser",
        "api",
        "callback",
        "queue",
        "scheduled_task"
      ],
      "sensitive_data": [
        "identity",
        "org_data",
        "customer_content",
        "telemetry"
      ],
      "last_security_review": "2026-04-22",
      "security_review_status": "not_started",
      "pentest_status": "not_started",
      "evidence_doc": "internal/apps/mdm"
    },
    "dependencies": [
      "topolo-auth",
      "applications-packages",
      "topolo-developers"
    ],
    "public_hub_url": "/systems/topolo-mdm",
    "internal_hub_url": null,
    "application_api_url": "/reference/apps/topolo-mdm",
    "generated_openapi_url": null,
    "machine_urls": {
      "system": "/machine/systems/topolo-mdm.json",
      "application": "/machine/applications/topolo-mdm.json"
    }
  },
  "docs": {
    "public": [
      {
        "id": "applications/commerce.mdx",
        "title": "TopoloCommerce",
        "summary": "Public overview of the multi-vertical commerce platform for venue operations, guest runtimes, and staff execution.",
        "audience": "public",
        "tags": [
          "commerce",
          "venues",
          "kiosk"
        ],
        "url": "/applications/commerce.mdx",
        "last_verified": "2026-04-28"
      },
      {
        "id": "applications/mdm.mdx",
        "title": "TopoloMDM",
        "summary": "Public overview of the device-management cluster spanning the MDM API, operator console, and mobile scaffold.",
        "audience": "public",
        "tags": [
          "mdm",
          "devices",
          "operations"
        ],
        "url": "/applications/mdm.mdx",
        "last_verified": "2026-04-28"
      }
    ],
    "internal": [],
    "runbooks": []
  },
  "authority": {
    "owners": [
      "device-platform"
    ],
    "repo_paths": [
      "PlatformApplications/TopoloMDM",
      "PlatformApplications/TopoloMDM/topolo-provision"
    ],
    "service_ids": [
      "svc_topolo_mdm_console",
      "svc_topolo_mdm_api",
      "svc_topolo_state_api"
    ],
    "dependencies": [
      "topolo-auth",
      "applications-packages",
      "topolo-developers"
    ],
    "aliases": []
  },
  "interfaces": {
    "contract_type": "curated",
    "contract_source": "PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx",
    "contract_source_exists": true,
    "openapi": null,
    "readme": {
      "path": "PlatformApplications/TopoloMDM/README.md",
      "intro": [
        "Canonical documentation for TopoloMDM lives in `PlatformApplications/TopoloDocs`.",
        "Use this repository for implementation only. Local product and operational docs have been retired in favor of the docs application."
      ],
      "headings": [
        "TopoloMDM"
      ],
      "routeHighlights": [],
      "commandHighlights": []
    }
  },
  "auth": {
    "depends_on_topolo_auth": true,
    "api_key_scopes": [
      {
        "id": "aks_mdm_apps_read",
        "name": "apps.read",
        "description": "View app catalog and installations",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_apps_write",
        "name": "apps.write",
        "description": "Manage app deployments",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_dashboard_read",
        "name": "dashboard.read",
        "description": "View MDM dashboard",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_devices_admin",
        "name": "devices.admin",
        "description": "Administer managed devices and tenant-level device access",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_devices_control",
        "name": "devices.control",
        "description": "Send commands to devices (lock, wipe, etc.)",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_devices_read",
        "name": "devices.read",
        "description": "View device inventory and status",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_devices_write",
        "name": "devices.write",
        "description": "Enroll and configure devices",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_policies_read",
        "name": "policies.read",
        "description": "View device policies and profiles",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_policies_write",
        "name": "policies.write",
        "description": "Create and edit device policies",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_reports_read",
        "name": "reports.read",
        "description": "View MDM reports and analytics",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_api_keys_write",
        "name": "api_keys.write",
        "description": "Manage MDM API machine credentials",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_api_admin",
        "name": "mdm.admin",
        "description": "Full device management access",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_api_read",
        "name": "mdm.read",
        "description": "Read device information",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_mdm_api_write",
        "name": "mdm.write",
        "description": "Send commands to managed devices",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_state_analytics_read",
        "name": "analytics.read",
        "description": "Access device analytics and metrics",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_state_commands_read",
        "name": "commands.read",
        "description": "View device command history",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_state_commands_write",
        "name": "commands.write",
        "description": "Send commands to devices",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_state_events_read",
        "name": "events.read",
        "description": "View device events and logs",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_state_read",
        "name": "state.read",
        "description": "Read device state and status data",
        "resourcePattern": null,
        "kind": "api_key_scope"
      },
      {
        "id": "aks_state_write",
        "name": "state.write",
        "description": "Update device state information",
        "resourcePattern": null,
        "kind": "api_key_scope"
      }
    ],
    "service_permissions": [
      {
        "id": "perm_mdm_apps_read",
        "name": "apps:read",
        "description": "View app catalog and installations",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_apps_write",
        "name": "apps:write",
        "description": "Manage app deployments",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_dashboard_read",
        "name": "dashboard:read",
        "description": "View MDM dashboard",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_devices_admin",
        "name": "devices:admin",
        "description": "Administer managed devices and tenant-level device access",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_devices_control",
        "name": "devices:control",
        "description": "Send commands to devices (lock, wipe, etc.)",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_devices_read",
        "name": "devices:read",
        "description": "View device inventory and status",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_devices_write",
        "name": "devices:write",
        "description": "Enroll and configure devices",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_policies_read",
        "name": "policies:read",
        "description": "View device policies and profiles",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_policies_write",
        "name": "policies:write",
        "description": "Create and edit device policies",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_reports_read",
        "name": "reports:read",
        "description": "View MDM reports and analytics",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_api_keys_write",
        "name": "api_keys:write",
        "description": "Manage MDM API machine credentials",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_api_admin",
        "name": "mdm:admin",
        "description": "Full device management access",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_api_read",
        "name": "mdm:read",
        "description": "Read device information",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_mdm_api_write",
        "name": "mdm:write",
        "description": "Send commands to managed devices",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_state_analytics_read",
        "name": "analytics:read",
        "description": "Access device analytics and metrics",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_state_commands_read",
        "name": "commands:read",
        "description": "View device command history",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_state_commands_write",
        "name": "commands:write",
        "description": "Send commands to devices",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_state_events_read",
        "name": "events:read",
        "description": "View device events and logs",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_state_read",
        "name": "state:read",
        "description": "Read device state and status data",
        "resourcePattern": null,
        "kind": "permission"
      },
      {
        "id": "perm_state_write",
        "name": "state:write",
        "description": "Update device state information",
        "resourcePattern": null,
        "kind": "permission"
      }
    ]
  },
  "runtime": {
    "primary_hosts": [
      "https://topolo-mdm-api.topolo.app",
      "https://topolo-mdm-api.topolo.workers.dev"
    ],
    "repo_entries": [
      "PlatformApplications/TopoloMDM/README.md",
      "PlatformApplications/TopoloMDM/migration.config.ts",
      "PlatformApplications/TopoloMDM/topolo-mdm-api/",
      "PlatformApplications/TopoloMDM/topolo-mdm-console/",
      "PlatformApplications/TopoloMDM/topolo-mdm-mobile/",
      "PlatformApplications/TopoloMDM/topolo-provision/",
      "PlatformApplications/TopoloMDM/topolo.cloudcontrol.json",
      "PlatformApplications/TopoloMDM/topolo-provision/app/",
      "PlatformApplications/TopoloMDM/topolo-provision/build-play-internal-aab.sh",
      "PlatformApplications/TopoloMDM/topolo-provision/build-provision-apk.sh",
      "PlatformApplications/TopoloMDM/topolo-provision/build.gradle.kts",
      "PlatformApplications/TopoloMDM/topolo-provision/checksums.sh",
      "PlatformApplications/TopoloMDM/topolo-provision/deployR2.sh",
      "PlatformApplications/TopoloMDM/topolo-provision/docs/",
      "PlatformApplications/TopoloMDM/topolo-provision/feat_payments/",
      "PlatformApplications/TopoloMDM/topolo-provision/feat_payments_dfm/",
      "PlatformApplications/TopoloMDM/topolo-provision/gradle/",
      "PlatformApplications/TopoloMDM/topolo-provision/gradle.properties",
      "PlatformApplications/TopoloMDM/topolo-provision/gradlew",
      "PlatformApplications/TopoloMDM/topolo-provision/gradlew.bat"
    ],
    "wrangler_surfaces": [
      {
        "path": "PlatformApplications/TopoloMDM/topolo-mdm-api/wrangler.toml",
        "observabilityEnabled": true,
        "environments": [],
        "routes": [],
        "vars": [
          "APP_CATALOG_URL",
          "AUTH_BASE_URL",
          "BROWSER_SERVICE_ID",
          "DEFAULT_TENANT",
          "FEED_API_URL",
          "SERVICE_ID",
          "STATE_API_URL"
        ],
        "bindings": [],
        "cronTriggers": [],
        "workerName": "topolo-mdm-api",
        "compatibilityDate": "2026-04-10",
        "main": "index.js"
      },
      {
        "path": "PlatformApplications/TopoloMDM/topolo-mdm-console/wrangler.toml",
        "observabilityEnabled": true,
        "environments": [],
        "routes": [],
        "vars": [],
        "bindings": [],
        "cronTriggers": [],
        "workerName": "topolo-mdm-console",
        "compatibilityDate": "2026-04-10"
      },
      {
        "path": "PlatformApplications/TopoloMDM/topolo-provision/wrangler.toml",
        "observabilityEnabled": false,
        "environments": [],
        "routes": [],
        "vars": [],
        "bindings": [],
        "cronTriggers": [],
        "workerName": "topolo-provision"
      }
    ],
    "packages": [
      {
        "path": "PlatformApplications/TopoloMDM/topolo-mdm-api/package.json",
        "name": "topolo-mdm-api",
        "description": "State management API for Topolo MDM multi-tenant system",
        "scripts": [
          "dev",
          "deploy",
          "deploy:dry-run",
          "lint",
          "build",
          "test",
          "local-dev",
          "remote-dev",
          "seed-test-data",
          "dev:with-test-data",
          "dev:with-remote"
        ],
        "scriptCommands": [
          {
            "name": "dev",
            "command": "wrangler dev"
          },
          {
            "name": "deploy",
            "command": "wrangler deploy"
          },
          {
            "name": "deploy:dry-run",
            "command": "npx --yes wrangler@4 deploy --dry-run --config wrangler.toml"
          },
          {
            "name": "lint",
            "command": "find handlers middleware -name '*.js' -print0 | xargs -0 -n1 node --check && node --check index.js && node --check deviceProfiles.js && node --check fcm.js && node --check runtime-config.js && node --check realtime.js && node --check utils.js"
          },
          {
            "name": "build",
            "command": "node --check index.js"
          },
          {
            "name": "test",
            "command": "node --test test/auth-contract.test.mjs"
          },
          {
            "name": "local-dev",
            "command": "node scripts/start-local-dev.js"
          },
          {
            "name": "remote-dev",
            "command": "node scripts/start-local-dev.js --remote"
          },
          {
            "name": "seed-test-data",
            "command": "node scripts/seed-test-data.js"
          },
          {
            "name": "dev:with-test-data",
            "command": "node scripts/start-local-dev.js"
          },
          {
            "name": "dev:with-remote",
            "command": "node scripts/start-local-dev.js --remote"
          }
        ]
      },
      {
        "path": "PlatformApplications/TopoloMDM/topolo-mdm-console/package.json",
        "name": "topolo-mdm-console",
        "description": "Topolo MDM Console - Enterprise Device Management",
        "scripts": [
          "dev",
          "build",
          "deploy",
          "lint",
          "preview",
          "astro",
          "typecheck"
        ],
        "scriptCommands": [
          {
            "name": "dev",
            "command": "astro dev"
          },
          {
            "name": "build",
            "command": "astro build"
          },
          {
            "name": "deploy",
            "command": "npm run build && npx wrangler pages deploy dist --project-name topolo-mdm-console"
          },
          {
            "name": "lint",
            "command": "npm run typecheck"
          },
          {
            "name": "preview",
            "command": "astro preview"
          },
          {
            "name": "astro",
            "command": "astro"
          },
          {
            "name": "typecheck",
            "command": "tsc --noEmit"
          }
        ]
      }
    ]
  },
  "data": {
    "env_vars": [
      "APP_CATALOG_URL",
      "AUTH_BASE_URL",
      "BROWSER_SERVICE_ID",
      "DEFAULT_TENANT",
      "FEED_API_URL",
      "SERVICE_ID",
      "STATE_API_URL"
    ],
    "bindings": [],
    "queue_bindings": [],
    "storage_kinds": [],
    "workflow_signals": []
  },
  "deployment": {
    "commands": [
      {
        "name": "deploy",
        "command": "PlatformApplications/TopoloMDM/topolo-mdm-api/package.json :: wrangler deploy"
      },
      {
        "name": "deploy:dry-run",
        "command": "PlatformApplications/TopoloMDM/topolo-mdm-api/package.json :: npx --yes wrangler@4 deploy --dry-run --config wrangler.toml"
      },
      {
        "name": "build",
        "command": "PlatformApplications/TopoloMDM/topolo-mdm-api/package.json :: node --check index.js"
      },
      {
        "name": "build",
        "command": "PlatformApplications/TopoloMDM/topolo-mdm-console/package.json :: astro build"
      },
      {
        "name": "deploy",
        "command": "PlatformApplications/TopoloMDM/topolo-mdm-console/package.json :: npm run build && npx wrangler pages deploy dist --project-name topolo-mdm-console"
      },
      {
        "name": "preview",
        "command": "PlatformApplications/TopoloMDM/topolo-mdm-console/package.json :: astro preview"
      }
    ],
    "routes": [],
    "environments": [],
    "assets_directories": [],
    "observability_enabled": true
  },
  "debugging": {
    "failure_modes": [],
    "entrypoints": [
      "PlatformApplications/TopoloMDM/topolo-mdm-api/wrangler.toml",
      "PlatformApplications/TopoloMDM/topolo-mdm-console/wrangler.toml",
      "PlatformApplications/TopoloMDM/topolo-provision/wrangler.toml",
      "PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx",
      "PlatformApplications/TopoloMDM/README.md",
      "PlatformApplications/TopoloMDM/topolo-mdm-api/package.json",
      "PlatformApplications/TopoloMDM/topolo-mdm-console/package.json"
    ]
  }
}