mdm-cobordism

from plurigrid

macOS MDM with auth manifolds as cobordisms for credential derivation

1 star · 2 forks · Updated Jan 9, 2026

When & Why to Use This Skill

This Claude skill provides a sophisticated framework for macOS Mobile Device Management (MDM) by modeling authentication as mathematical cobordisms. It enables automated device enrollment, secure credential derivation, and verifiable state transitions for enterprise Apple device management, ensuring that device identity and management states are structurally sound and cryptographically derived.

Use Cases

  • Automating the macOS MDM enrollment lifecycle, including SCEP certificate requests and DEP/ABM supervision transitions.
  • Managing secure credentials within the macOS Keychain using a verifiable state-transition model to prevent unauthorized access or state errors.
  • Implementing 'unworld' security architectures where credentials are dynamically derived from device state rather than stored as static entities.
  • Validating the integrity of complex authentication flows through GF(3) conservation checks to ensure complete and secure device management sequences.
name: mdm-cobordism
description: macOS MDM with auth manifolds as cobordisms for credential derivation
version: 1.0.0

MDM Cobordism Skill: Auth Manifolds as State Transitions

Status: ✅ Production Ready
Trit: 0 (ERGODIC - transport/derivation)
Color: #26D826 (Green)
Principle: Auth is cobordism W: ∂₀ → ∂₁, not event sequence
Frame: No demos, only derivation


Overview

MDM Cobordism models authentication and device management as cobordisms — manifolds with boundaries representing auth state transitions. Following the unworld philosophy:

  • Credentials don't "exist" — they derive
  • There is no "authentication event" — only state derivation
  • Keys don't "expire" — their chain position becomes unreachable

GF(3) Triads

Forms valid triads with MINUS (-1) and PLUS (+1) skills:

sheaf-cohomology (-1) ⊗ mdm-cobordism (0) ⊗ gay-mcp (+1) = 0 ✓  [Credential Derivation]
temporal-coalgebra (-1) ⊗ mdm-cobordism (0) ⊗ oapply-colimit (+1) = 0 ✓  [State Observation]
three-match (-1) ⊗ mdm-cobordism (0) ⊗ koopman-generator (+1) = 0 ✓  [Pattern Learning]

Auth Cobordisms

Cobordism          Source → Target        Trit   Role
W₁ generate_key    Unauth → HasKey        +1     Generator
W₂ request_scep    HasKey → HasCert        0     Coordinator
W₃ validate_cert   HasCert → HasToken     -1     Validator
W₄ check_in_mdm    HasToken → Enrolled    +1     Generator
W₅ verify_enroll   Enrolled → Enrolled    -1     Validator

GF(3) Conservation: +1 + 0 + (-1) + (+1) + (-1) = 0 ✓

Boundary Types

# Auth manifold boundaries
Unauthenticated  # ∂₀: No identity
HasKey           # Device has private key
HasCertificate   # Device has CA-signed cert
HasToken         # Device has session token
Enrolled         # Device enrolled in MDM
Supervised       # Device under full management

Keychain Integration

macOS Keychain operations with GF(3) tracking:

# Store (+1) → Retrieve (0) → Validate (-1) = 0 ✓
Keychain.store_then_verify(service, account, secret)
Operation   Trit   Description
store       +1     Create credential
retrieve     0     Transport credential
delete      -1     Remove credential

Commands

# Run MDM cobordism demo
python src/mdm_mcp_server.py

# Keychain operations (macOS)
security add-generic-password -s "mdm-token" -a "$USER" -w
security find-generic-password -s "mdm-token" -a "$USER" -w
security delete-generic-password -s "mdm-token" -a "$USER"

# Verify GF(3) for auth flow
just mdm-gf3-check

API

from mdm_mcp_server import (
    W1_GENERATE_KEY, W2_REQUEST_CERT, W3_VALIDATE_CERT,
    W4_CHECK_IN, W5_VERIFY, Unauthenticated, verify_gf3
)

# Execute enrollment chain: each cobordism takes the previous boundary state
state = Unauthenticated(device_serial="C02XG1PDJHD4")
state = W1_GENERATE_KEY(state)   # Unauth → HasKey      (+1)
state = W2_REQUEST_CERT(state)   # HasKey → HasCert     ( 0)
state = W3_VALIDATE_CERT(state)  # HasCert → HasToken   (-1)
state = W4_CHECK_IN(state)       # HasToken → Enrolled  (+1)
state = W5_VERIFY(state)         # Enrolled → Enrolled  (-1)

# Verify GF(3): the trits of the five imported cobordisms must sum to 0 mod 3
trits = [W1_GENERATE_KEY.trit, W2_REQUEST_CERT.trit, W3_VALIDATE_CERT.trit,
         W4_CHECK_IN.trit, W5_VERIFY.trit]
assert verify_gf3(trits)  # True

Apple MDM Protocol

SCEP Enrollment

<dict>
    <key>PayloadType</key>
    <string>com.apple.security.scep</string>
    <!-- PayloadIdentifier, PayloadUUID and PayloadVersion omitted for brevity -->
    <!-- SCEP settings go in the nested PayloadContent dictionary; the key is "Keysize" -->
    <key>PayloadContent</key>
    <dict>
        <key>URL</key>
        <string>https://scep.example.com/scep</string>
        <key>Keysize</key>
        <integer>2048</integer>
    </dict>
</dict>
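A pre-deployment check for the SCEP payload above, added here as an example and not part of the skill's own code. It wraps the page's payload in a constructed profile (the required PayloadIdentifier/PayloadUUID/PayloadVersion keys are left out), reads it with the standard library's plistlib, and flags two things a reviewer of the W₂ request_scep step would look for: a non-TLS SCEP URL and a key size below the page's 2048-bit value. The function names and the 2048 floor are assumptions for this example.

```python
import plistlib
from typing import Dict, List

# Constructed sample profile: the page's SCEP payload inside the outer
# PayloadContent array; Payload* identity keys are omitted on purpose.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.security.scep</string>
            <key>PayloadContent</key>
            <dict>
                <key>URL</key>
                <string>https://scep.example.com/scep</string>
                <key>Keysize</key>
                <integer>2048</integer>
            </dict>
        </dict>
    </array>
</dict>
</plist>
"""

SCEP_TYPE = "com.apple.security.scep"
MIN_KEYSIZE = 2048  # assumption: the page's own value, taken as the floor


def scep_payloads(profile: dict) -> List[dict]:
    """Return every SCEP payload found in the profile's top-level PayloadContent array."""
    return [p for p in profile.get("PayloadContent", [])
            if isinstance(p, dict) and p.get("PayloadType") == SCEP_TYPE]


def lint_scep(payload: dict) -> List[str]:
    """Report settings that would weaken or break the request_scep step."""
    problems = []
    settings = payload.get("PayloadContent")
    if not isinstance(settings, dict):
        return ["SCEP settings must be a dictionary under PayloadContent"]
    url = settings.get("URL", "")
    if not url.startswith("https://"):
        # SCEP messages are themselves signed, but transport should still be TLS.
        problems.append(f"URL is not https: {url!r}")
    keysize = settings.get("Keysize")
    if not isinstance(keysize, int) or keysize < MIN_KEYSIZE:
        problems.append(f"Keysize must be an integer >= {MIN_KEYSIZE}, got {keysize!r}")
    return problems


def lint_profile(raw: bytes) -> Dict[int, List[str]]:
    """Map the index of each SCEP payload to its problems; an empty dict means clean."""
    profile = plistlib.loads(raw)
    report = {}
    for i, payload in enumerate(scep_payloads(profile)):
        problems = lint_scep(payload)
        if problems:
            report[i] = problems
    return report


if __name__ == "__main__":
    print(lint_profile(SAMPLE_PROFILE) or "SCEP payload passes the lint")
```

Run it against a real profile by passing the file's bytes to lint_profile; the checks are advisory, and a deployment pipeline would typically fail the build on any non-empty report.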

DEP/ABM Supervision

Device activates → DEP lookup → MDM URL → Enroll → Supervised

Supervision is an irreversible cobordism in normal flow.

Philosophy

No Demos

There are no demonstrations. MDM enrollment is not a "process that runs" but a derivation chain that is.

Demo:       "Watch me enroll this device"  → temporal, performative
Derivation: "Enrollment derives from serial" → atemporal, structural

Untological Credentials

Credentials don't "exist" with properties. They derive from chain positions:

# Ontological (what IS this key?)
key.is_valid?  # property of thing

# Untological (what DERIVES this key?)
key = derive(device_serial, enrollment_time)
key.chain_position  # position in derivation

Cobordism Composition

Auth flows compose like cobordisms:

W = W₅ ∘ W₄ ∘ W₃ ∘ W₂ ∘ W₁ : Unauthenticated → Enrolled

The composite W is itself a cobordism with GF(3) = 0.
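The following is an added example, not the project's mdm_mcp_server.py, showing how the Auth Cobordisms table, the Keychain trit table, the API section and the composition W = W₅ ∘ W₄ ∘ W₃ ∘ W₂ ∘ W₁ fit together as code. Each boundary is a type, each cobordism is a transition that refuses to apply to anything but its own source boundary (so a skipped or out-of-order step fails loudly instead of producing a half-enrolled device), verify_gf3 is the mod-3 conservation check, and compose glues cobordisms only when their boundaries match. All class and function names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Tuple, Type


@dataclass(frozen=True)
class Boundary:
    """One device's auth state; `serial` is the only identity that persists."""
    serial: str
    history: Tuple[str, ...] = field(default_factory=tuple)  # cobordisms applied so far


class Unauthenticated(Boundary): pass   # ∂₀: no identity
class HasKey(Boundary): pass
class HasCertificate(Boundary): pass
class HasToken(Boundary): pass
class Enrolled(Boundary): pass


@dataclass(frozen=True)
class Cobordism:
    """A transition W: source → target carrying a trit in {-1, 0, +1}."""
    name: str
    source: Type[Boundary]
    target: Type[Boundary]
    trit: int
    steps: Tuple[str, ...] = ()  # non-empty only for composites built by compose()

    def __post_init__(self):
        if self.trit not in (-1, 0, 1):
            raise ValueError(f"{self.name}: trit must be -1, 0 or +1")

    def __call__(self, state: Boundary) -> Boundary:
        # A cobordism glues only onto its own source boundary; anything else is
        # a skipped or out-of-order step and is rejected rather than coerced.
        if not isinstance(state, self.source):
            raise TypeError(f"{self.name}: expected {self.source.__name__}, "
                            f"got {type(state).__name__}")
        applied = self.steps or (self.name,)
        return self.target(state.serial, state.history + applied)


def verify_gf3(trits) -> bool:
    """GF(3) conservation: the trits of a complete flow sum to 0 mod 3."""
    return sum(trits) % 3 == 0


def compose(*ws: Cobordism) -> Cobordism:
    """Wn ∘ ... ∘ W1 (arguments in application order); fails if boundaries do not glue."""
    for a, b in zip(ws, ws[1:]):
        if a.target is not b.source:
            raise TypeError(f"cannot glue {a.name} -> {b.name}: "
                            f"{a.target.__name__} != {b.source.__name__}")
    total = sum(w.trit for w in ws) % 3
    trit = total - 3 if total == 2 else total   # fold {0,1,2} back into {-1,0,+1}
    return Cobordism(" ∘ ".join(w.name for w in reversed(ws)),
                     ws[0].source, ws[-1].target, trit,
                     steps=tuple(w.name for w in ws))


# The five cobordisms from the table, with the trits it assigns.
W1_GENERATE_KEY = Cobordism("generate_key", Unauthenticated, HasKey, +1)
W2_REQUEST_CERT = Cobordism("request_scep", HasKey, HasCertificate, 0)
W3_VALIDATE_CERT = Cobordism("validate_cert", HasCertificate, HasToken, -1)
W4_CHECK_IN = Cobordism("check_in_mdm", HasToken, Enrolled, +1)
W5_VERIFY = Cobordism("verify_enroll", Enrolled, Enrolled, -1)
ENROLLMENT = compose(W1_GENERATE_KEY, W2_REQUEST_CERT, W3_VALIDATE_CERT,
                     W4_CHECK_IN, W5_VERIFY)

# Keychain operations and their trits, from the Keychain Integration table.
KEYCHAIN_TRITS = {"store": +1, "retrieve": 0, "delete": -1}


def enroll(serial: str) -> Boundary:
    """Walk the chain one cobordism at a time; must agree with the composite."""
    state = Unauthenticated(serial)
    for w in (W1_GENERATE_KEY, W2_REQUEST_CERT, W3_VALIDATE_CERT, W4_CHECK_IN, W5_VERIFY):
        state = w(state)
    return state


def keychain_flow_complete(ops) -> bool:
    """True only when a keychain op sequence balances, e.g. store, retrieve, delete."""
    return verify_gf3([KEYCHAIN_TRITS[op] for op in ops])


if __name__ == "__main__":
    final = enroll("SERIAL-PLACEHOLDER")  # constructed serial, not a real device
    print(type(final).__name__, final.history)
    print("composite trit:", ENROLLMENT.trit, "conserved:", verify_gf3([ENROLLMENT.trit]))
```

The point of the type check in `__call__` is that the state machine, not the caller, enforces ordering: W₃ cannot be applied to an Unauthenticated device, and compose refuses W₁ followed directly by W₃, so an incomplete flow cannot reach Enrolled even though its trits might still happen to sum to zero.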

Security Best Practices

  1. Never store secrets in env vars — use Keychain
  2. Use SCEP for certificate enrollment — not PKCS#12 import
  3. Verify GF(3) for all auth flows — ensures completeness
  4. Supervision = irreversible — plan accordingly

MCP Tools

mdm_enroll_device    // Initiate enrollment (trit: +1)
keychain_store       // Store credential (trit: +1)
keychain_retrieve    // Retrieve credential (trit: 0)
keychain_delete      // Delete credential (trit: -1)
auth_cobordism_check // Verify GF(3) (trit: -1)

Files

  • src/mdm_mcp_server.py — Cobordism state machine
  • architecture/MDM_AUTH_COBORDISM.md — Architecture docs

Skill Name: mdm-cobordism
Type: Device Management / Auth State Machine
Trit: 0 (ERGODIC)
Color: #26D826 (Green)
GF(3): Conserved by construction
Demos: None (νο δῆμος)
Ontology: Replaced with untology

Scientific Skill Interleaving

This skill connects to the K-Dense-AI/claude-scientific-skills ecosystem:

Graph Theory

  • networkx [○] via bicomodule
    • Universal graph hub

Bibliography References

  • general: 734 citations in bib.duckdb

Cat# Integration

This skill maps to Cat# = Comod(P) as a bicomodule in the equipment structure:

Trit: 0 (ERGODIC)
Home: Prof
Poly Op: ⊗
Kan Role: Adj
Color: #26D826

GF(3) Naturality

The skill participates in triads satisfying:

(-1) + (0) + (+1) ≡ 0 (mod 3)

This ensures compositional coherence in the Cat# equipment structure.
