Calendar

Authority

Service IDs:

Repos: PlatformApplications/TopoloCalendar

Hosts:

Dependencies: topolo-auth, topolo-chat, topolo-nexus, applications-packages

Depends on Topolo Auth: yes

Contract Source

Type: curated

Source: PlatformApplications/TopoloDocs/src/content/public/applications/calendar.mdx

Source exists: yes

Calendar is a Worker + D1 + per-host Durable Object application. D1 is the system of record for hosts, event types, availability rules, bookings, reserved slot-hold audit rows, and external calendar sync metadata. CalendarHostDO (keyed by host handle) serialises concurrent booking attempts, owns short-lived in-memory slot holds, and caches availability windows. Confirmed bookings are written through to D1 before the DO acknowledges success. Meeting sessions remain owned by Topolo Chat and are referenced from Calendar bookings by `meetingProviderRef` once that bridge is enabled; external providers (Microsoft Teams, Google Meet, Zoom) are brokered through Topolo Nexus for metering. The public root renders the shared Topolo LandingPage from Auth-managed Calendar landing config. Public booking pages (/<handle>/<event-type>) and availability/hold/confirm endpoints are unauthenticated. The admin `/login` route renders the shared first-party Topolo login on the app origin, with embedded email/password sign-in enabled by the UI Kit first-party registry, login config reads through `/api/auth/*`, and one-time `sso_code` completion on `/auth/callback`. Signed users without a Calendar host row complete the shared @topolo/onboarding first-run host setup flow before the admin workspace opens. Signed users with a host row enter a shared `TopoloShell` workspace with the shared app launcher mounted immediately for background catalog preload and a default weekly Calendar view backed by `GET /api/admin/bookings`. Admin endpoints require bearer tokens validated by @topolo/auth-middleware against srv_topolo_calendar and enforce route-level Calendar service permissions, accepting Auth's service-scoped canonical grant form such as `srv_topolo_calendar.host:read`. The embed SDK (@topolo/calendar-embed) supports iframe, popup, and floating bubble modes with a @topolo/calendar-react wrapper; embed origins are validated against the service manifest allowlist.

API key scopes in Auth catalog: 11

Auth Requirements

No global OpenAPI security scheme is declared.

• api_keys.write
• availability.read
• availability.write
• bookings.read
• bookings.write
• embed.issue
• event_types.read
• event_types.write
• external_sync.write
• host.read
• host.write

Runtime and Deployment

Wrangler surfaces: none detected

Environment variables: none derived

Routes: workers.dev or Pages-only delivery

Observability enabled: no explicit signal found