Topolo Developers

Authority

Service IDs:

Repos: PlatformApplications/TopoloDevelopers

Hosts:

Dependencies: topolo-auth, topolo-one, topolo-p2p

Depends on Topolo Auth: yes

Contract Source

Type: curated

Source: PlatformApplications/TopoloDevelopers/src/App.tsx

Source exists: yes

Topolo Developers owns its own Pages Functions + D1 backend for authenticated workspace summary, onboarding, app drafts, Android/iOS mobile artifact records, public /api/apps catalog output, Developers-owned /api/store/catalog, /api/store/search, and /api/store/apps/:idOrSlug app store reads for TopoloOne and public store surfaces, app submissions, build requests, transfer codes, internal review workflows, app commerce controls, payout-account state, payout ledger events, P2P capability source records plus the public /api/p2p/capabilities/:id read-through endpoint, scaffold-provisioning routes for authenticated developer self-service, first-party Topolo scaffold registration into the Topolo-owned developer workspace, and per-app launcher quick-link authoring through the signed marketing editor. That D1 schema is now migration-managed from checked-in SQL in the Developers repo rather than being created on request. The app still exposes shared public landing and first-party embedded password-login surfaces at / and /login plus a dedicated public signup handoff at /signup, creates the org-backed developer workspace in Auth during signup, treats that workspace as the publisher boundary for many developer apps, and consumes Auth only for identity, central API-key surfaces, app-switcher entitlements, approved-app registration into the shared service catalog, install/launch authorization, and Auth-hosted end-user OAuth consent for registered third-party clients. The legacy Developers browser consent route forwards to Auth and must not require developer workspace admission. Developer apps now also carry explicit ownerType, portfolio, audience, tenancy, surfaceModel, optional containerAppId, distribution metadata, and launcher quick-link metadata so Topolo first-party platform/personal apps stay distinct from third-party business/personal apps, organization-internal apps stay private to the owning workspace, and the shared launcher can surface publisher-approved deep links without hardcoded per-app command lists. App visibility and mutation resolve from workspace org membership plus per-app owner/editor/viewer membership metadata, owner-issued transfer codes with destination-workspace claim, built-in developer_app API-key resource bindings for approved apps, explicit review:read/review:write permissions for staff-only review routes, explicit commerce:read/commerce:write permissions or Topolo super-admin access for staff-only commerce routes, the production Topolo Technology developer profile and first-party platform plus mobile app rows used to exercise the publisher workflow as Topolo, the Topolo Mobile records for the 22 retained Flutter apps under TopoloMobileApps with finalized app.topolo.mobile.* identifiers and Android APK artifacts published to the shared topolo-apks R2 bucket through apk.topolo.app, cleanup for 8 retired one-off mobile app records, the completed demo-suite developer profile used for platform auth audits, and the repo-level CI gate recorded in CloudControl.

API key scopes in Auth catalog: 18

Auth Requirements

No global OpenAPI security scheme is declared.

• apps.read
• apps.write
• commerce.read
• commerce.write
• credentials.read
• credentials.write
• marketplace.read
• marketplace.write
• requests.read
• requests.write
• review.read
• review.write
• settings.read
• settings.write
• submissions.read
• submissions.write
• workspace.read
• workspace.write

Runtime and Deployment

Wrangler surfaces: PlatformApplications/TopoloDevelopers/workers/catalog-cron/wrangler.toml, PlatformApplications/TopoloDevelopers/wrangler.toml

Environment variables: AUTH_API_URL, CATALOG_EMBEDDINGS_URL, P2P_API_URL

Routes: workers.dev or Pages-only delivery

Observability enabled: yes