@openmdm/core 0.8.0 → 0.9.0

package/dist/index.d.ts

@@ -1,6 +1,7 @@
-import { WebhookConfig, Logger, MDMEvent, WebhookEndpoint, EventType, DatabaseAdapter, TenantManager, AuthorizationManager, AuditConfig, AuditManager, ScheduleManager, MessageQueueManager, DashboardManager, PluginStorageAdapter, MDMConfig, MDMInstance, EnrollmentRequest } from './types.js';
-export { AppInstallationSummary, AppRollback, AppVersion, Application, ApplicationManager, ApplicationNotFoundError, AuditAction, AuditLog, AuditLogFilter, AuditLogListResult, AuditSummary, AuthConfig, AuthenticationError, AuthorizationError, Command, CommandFilter, CommandManager, CommandNotFoundError, CommandResult, CommandStatus, CommandSuccessRates, CommandType, CreateAppRollbackInput, CreateApplicationInput, CreateAuditLogInput, CreateDeviceInput, CreateGroupInput, CreatePolicyInput, CreateRoleInput, CreateScheduledTaskInput, CreateTenantInput, CreateUserInput, DashboardStats, DeployTarget, Device, DeviceFilter, DeviceListResult, DeviceLocation, DeviceManager, DeviceNotFoundError, DeviceStatus, DeviceStatusBreakdown, EnqueueMessageInput, EnrollmentConfig, EnrollmentError, EnrollmentMethod, EnrollmentResponse, EnrollmentTrendPoint, EventFilter, EventHandler, EventPayloadMap, Group, GroupHierarchyStats, GroupManager, GroupNotFoundError, GroupTreeNode, HardwareControl, Heartbeat, InstalledApp, LogContext, MDMError, MDMPlugin, MaintenanceWindow, PasswordPolicy, Permission, PermissionAction, PermissionResource, PluginMiddleware, PluginRoute, PluginStorageEntry, Policy, PolicyApplication, PolicyManager, PolicyNotFoundError, PolicySettings, PushAdapter, PushBatchResult, PushConfig, PushMessage, PushProviderConfig, PushResult, PushToken, QueueMessageStatus, QueueStats, QueuedMessage, RegisterPushTokenInput, Role, RoleNotFoundError, ScheduledTask, ScheduledTaskFilter, ScheduledTaskListResult, ScheduledTaskStatus, SendCommandInput, StorageConfig, SystemUpdatePolicy, TaskExecution, TaskSchedule, TaskType, Tenant, TenantFilter, TenantListResult, TenantNotFoundError, TenantSettings, TenantStats, TenantStatus, TimeWindow, UpdateApplicationInput, UpdateDeviceInput, UpdateGroupInput, UpdatePolicyInput, UpdateRoleInput, UpdateScheduledTaskInput, UpdateTenantInput, UpdateUserInput, User, UserFilter, UserListResult, UserNotFoundError, UserWithRoles, ValidationError, VpnConfig, WebhookDeliveryResult, WebhookManager, WifiConfig } from './types.js';
+import { WebhookConfig, Logger, MDMEvent, WebhookEndpoint, EventType, MDMInstance, DeviceIdentityVerification, DatabaseAdapter, TenantManager, AuthorizationManager, AuditConfig, AuditManager, ScheduleManager, MessageQueueManager, DashboardManager, PluginStorageAdapter, MDMConfig, EnrollmentRequest } from './types.js';
+export { AppInstallationSummary, AppRollback, AppVersion, Application, ApplicationManager, ApplicationNotFoundError, AuditAction, AuditLog, AuditLogFilter, AuditLogListResult, AuditSummary, AuthConfig, AuthenticationError, AuthorizationError, Command, CommandFilter, CommandManager, CommandNotFoundError, CommandResult, CommandStatus, CommandSuccessRates, CommandType, CreateAppRollbackInput, CreateApplicationInput, CreateAuditLogInput, CreateDeviceInput, CreateGroupInput, CreatePolicyInput, CreateRoleInput, CreateScheduledTaskInput, CreateTenantInput, CreateUserInput, DashboardStats, DeployTarget, Device, DeviceFilter, DeviceListResult, DeviceLocation, DeviceManager, DeviceNotFoundError, DeviceStatus, DeviceStatusBreakdown, EnqueueMessageInput, EnrollmentChallenge, EnrollmentConfig, EnrollmentError, EnrollmentMethod, EnrollmentResponse, EnrollmentTrendPoint, EventFilter, EventHandler, EventPayloadMap, Group, GroupHierarchyStats, GroupManager, GroupNotFoundError, GroupTreeNode, HardwareControl, Heartbeat, InstalledApp, LogContext, MDMError, MDMPlugin, MaintenanceWindow, PasswordPolicy, Permission, PermissionAction, PermissionResource, PinnedKeyConfig, PluginMiddleware, PluginRoute, PluginStorageEntry, Policy, PolicyApplication, PolicyManager, PolicyNotFoundError, PolicySettings, PushAdapter, PushBatchResult, PushConfig, PushMessage, PushProviderConfig, PushResult, PushToken, QueueMessageStatus, QueueStats, QueuedMessage, RegisterPushTokenInput, Role, RoleNotFoundError, ScheduledTask, ScheduledTaskFilter, ScheduledTaskListResult, ScheduledTaskStatus, SendCommandInput, StorageConfig, SystemUpdatePolicy, TaskExecution, TaskSchedule, TaskType, Tenant, TenantFilter, TenantListResult, TenantNotFoundError, TenantSettings, TenantStats, TenantStatus, TimeWindow, UpdateApplicationInput, UpdateDeviceInput, UpdateGroupInput, UpdatePolicyInput, UpdateRoleInput, UpdateScheduledTaskInput, UpdateTenantInput, UpdateUserInput, User, UserFilter, UserListResult, UserNotFoundError, UserWithRoles, ValidationError, VpnConfig, WebhookDeliveryResult, WebhookManager, WifiConfig } from './types.js';
 export { ColumnDefinition, ColumnType, IndexDefinition, SchemaDefinition, TableDefinition, camelToSnake, getColumnNames, getPrimaryKey, getTableNames, mdmSchema, snakeToCamel, transformToCamelCase, transformToSnakeCase } from './schema.js';
+import { KeyObject } from 'crypto';
 
 /**
  * OpenMDM Agent Wire Protocol v2.
@@ -195,6 +196,182 @@ declare function createConsoleLogger(scope?: string[]): Logger;
  */
 declare function createSilentLogger(): Logger;
 
+/**
+ * OpenMDM Device Identity
+ *
+ * Device-pinned asymmetric identity, using an ECDSA P-256 keypair the
+ * device generates in its own Keystore and registers with the server on
+ * first enrollment. After pinning, every consumer can verify a signed
+ * request against the same pinned public key — no shared HMAC secret,
+ * no APK extraction footgun, no dependence on Google hardware
+ * attestation (which most non-GMS fleet hardware cannot produce).
+ *
+ * This module is the reusable primitive. `@openmdm/core` uses it to
+ * gate `/agent/enroll` and will use it for `/agent/*` in Phase 2c.
+ * External consumers (midiamob's `deviceValidation.ts`, other custom
+ * servers) import the same functions to verify requests against the
+ * same pinned key — one device identity, many consumers.
+ *
+ * Why zero dependencies: Node's built-in `node:crypto` supports EC
+ * P-256 SPKI import and `crypto.verify('sha256', ...)` over DER-encoded
+ * signatures, which is the default format the Android Keystore
+ * produces. We deliberately do not pull in `@peculiar/*` or `node-forge`
+ * for this primitive — the surface area we need is small enough that
+ * the built-in is the right call.
+ *
+ * @see docs/concepts/enrollment for the full flow
+ * @see docs/proposals/phase-2b-rollout for the Android + rollout story
+ */
+
+/**
+ * Import an EC P-256 public key from base64-encoded SubjectPublicKeyInfo
+ * (SPKI) bytes — the standard on-wire format the Android Keystore
+ * produces when you call `certificate.publicKey.encoded` on a
+ * `KeyStore.getCertificate(alias)` result.
+ *
+ * Throws `InvalidPublicKeyError` on any parse failure. This is a
+ * security boundary — we do NOT return `null` on malformed input,
+ * because a caller that forgot to handle the null case would silently
+ * treat bad keys as "no key configured" and fall through to an
+ * insecure path.
+ */
+declare function importPublicKeyFromSpki(spkiBase64: string): KeyObject;
+/**
+ * Verify an ECDSA-P256 signature over a message using a previously-
+ * imported or raw SPKI public key.
+ *
+ * Signature must be DER-encoded — the default Android Keystore
+ * produces DER, and `Signature.sign()` on JVM/Kotlin returns DER, so
+ * this matches what every reasonable agent sends on the wire.
+ *
+ * Returns `true` iff the signature is valid. Never throws on a bad
+ * signature (that is the whole point of a verify call). Throws only
+ * on an invalid public-key encoding, because that indicates a caller
+ * bug rather than a forged request.
+ */
+declare function verifyEcdsaSignature(publicKey: KeyObject | string, message: string, signatureBase64: string): boolean;
+/**
+ * Build the canonical message that an enrollment signature covers.
+ *
+ * Staying in lockstep with `@openmdm/client` and with the Android
+ * agent is load-bearing — any change here is a wire break across
+ * every enrolled device. The contract test in
+ * `packages/core/tests/device-identity.test.ts` guards against drift.
+ *
+ * Shape (order matters):
+ *
+ *   publicKey |
+ *   model | manufacturer | osVersion |
+ *   serialNumber | imei | macAddress | androidId |
+ *   method | timestamp | challenge
+ *
+ * The public key is prepended (rather than appended) because it's the
+ * field most likely to be the whole point of the message — putting it
+ * first makes the signature's intent visible at a glance in logs.
+ */
+declare function canonicalEnrollmentMessage(parts: {
+    publicKey: string;
+    model: string;
+    manufacturer: string;
+    osVersion: string;
+    serialNumber?: string;
+    imei?: string;
+    macAddress?: string;
+    androidId?: string;
+    method: string;
+    timestamp: string;
+    challenge: string;
+}): string;
+/**
+ * Build the canonical message that a *post-enrollment* request
+ * signature covers. Consumers (openmdm's `/agent/*` routes,
+ * midiamob's `deviceValidation.ts`, any custom server) call this
+ * with the fields they want committed to the signature.
+ *
+ * The shape is deliberately narrower than the enrollment form — only
+ * the parts every request has in common.
+ *
+ *   deviceId | timestamp | body | nonce
+ *
+ * `nonce` is optional; pass an empty string when the request does not
+ * carry a challenge. Replay protection on non-enrollment traffic is
+ * the caller's job — if your server already has a timestamp window
+ * check, you don't need a nonce per request.
+ */
+declare function canonicalDeviceRequestMessage(parts: {
+    deviceId: string;
+    timestamp: string;
+    body: string;
+    nonce?: string;
+}): string;
+/**
+ * Verify a signed request from an enrolled device against the
+ * public key pinned on that device's row.
+ *
+ * This is the primitive every consumer of device-pinned-key identity
+ * calls. It performs exactly the checks required to know the request
+ * came from the device that originally enrolled, in constant-ish
+ * time:
+ *
+ *  1. Look up the device by id.
+ *  2. Confirm the device has a pinned public key (refusing silently
+ *     if not — a device without a pinned key is still on the legacy
+ *     HMAC path and cannot be verified here).
+ *  3. Verify the ECDSA signature over the provided canonical message.
+ *
+ * Returns a tagged union so callers can react to the specific failure
+ * mode:
+ *
+ *  - `not-found`   — the device id doesn't exist. Almost always a bug
+ *                    in the caller, or a stolen/revoked device id.
+ *                    Return 401 to the client.
+ *  - `no-pinned-key` — the device is still on the HMAC path. Callers
+ *                    should fall through to their legacy verifier
+ *                    (or fail, if the caller has already migrated).
+ *  - `signature-invalid` — the signature did not verify against the
+ *                    pinned key. Return 401. **Do NOT** re-pin the
+ *                    submitted public key in response to a failure
+ *                    here — that's how re-pinning becomes a hijack.
+ */
+declare function verifyDeviceRequest(opts: {
+    mdm: MDMInstance;
+    deviceId: string;
+    canonicalMessage: string;
+    signatureBase64: string;
+}): Promise<DeviceIdentityVerification>;
+/**
+ * Thrown when a submitted public key cannot be parsed. This is a
+ * caller-facing error — the device sent something that is not a
+ * well-formed SPKI EC P-256 public key.
+ */
+declare class InvalidPublicKeyError extends Error {
+    readonly cause?: Error | undefined;
+    readonly code = "INVALID_PUBLIC_KEY";
+    constructor(message: string, cause?: Error | undefined);
+}
+/**
+ * Thrown when a device attempts to re-enroll with a public key that
+ * does not match the one originally pinned for its enrollment id.
+ *
+ * This is the core "device identity continuity" check. The server
+ * will NEVER automatically re-pin on mismatch — rebinding a device
+ * identity requires an explicit admin action (future work).
+ */
+declare class PublicKeyMismatchError extends Error {
+    readonly deviceId: string;
+    readonly code = "PUBLIC_KEY_MISMATCH";
+    constructor(deviceId: string);
+}
+/**
+ * Thrown when an enrollment attempts to use a challenge that is
+ * missing, expired, or already consumed.
+ */
+declare class ChallengeInvalidError extends Error {
+    readonly challenge?: string | undefined;
+    readonly code = "CHALLENGE_INVALID";
+    constructor(message: string, challenge?: string | undefined);
+}
+
 /**
  * OpenMDM Tenant Manager
  *
@@ -327,4 +504,4 @@ declare function parsePluginKey(key: string): {
 declare function createMDM(config: MDMConfig): MDMInstance;
 declare function verifyEnrollmentSignature(request: EnrollmentRequest, secret: string): boolean;
 
-export { AGENT_PROTOCOL_HEADER, AGENT_PROTOCOL_V2, type AgentAction, type AgentResponse, AuditConfig, AuditManager, AuthorizationManager, DashboardManager, DatabaseAdapter, EnrollmentRequest, EventType, Logger, MDMConfig, MDMEvent, MDMInstance, MessageQueueManager, PluginStorageAdapter, ScheduleManager, TenantManager, WebhookConfig, WebhookEndpoint, type WebhookPayload, agentFail, agentOk, createAuditManager, createAuthorizationManager, createConsoleLogger, createDashboardManager, createMDM, createMemoryPluginStorageAdapter, createMessageQueueManager, createPluginKey, createPluginStorageAdapter, createScheduleManager, createSilentLogger, createTenantManager, createWebhookManager, parsePluginKey, verifyEnrollmentSignature, verifyWebhookSignature, wantsAgentProtocolV2 };
+export { AGENT_PROTOCOL_HEADER, AGENT_PROTOCOL_V2, type AgentAction, type AgentResponse, AuditConfig, AuditManager, AuthorizationManager, ChallengeInvalidError, DashboardManager, DatabaseAdapter, DeviceIdentityVerification, EnrollmentRequest, EventType, InvalidPublicKeyError, Logger, MDMConfig, MDMEvent, MDMInstance, MessageQueueManager, PluginStorageAdapter, PublicKeyMismatchError, ScheduleManager, TenantManager, WebhookConfig, WebhookEndpoint, type WebhookPayload, agentFail, agentOk, canonicalDeviceRequestMessage, canonicalEnrollmentMessage, createAuditManager, createAuthorizationManager, createConsoleLogger, createDashboardManager, createMDM, createMemoryPluginStorageAdapter, createMessageQueueManager, createPluginKey, createPluginStorageAdapter, createScheduleManager, createSilentLogger, createTenantManager, createWebhookManager, importPublicKeyFromSpki, parsePluginKey, verifyDeviceRequest, verifyEcdsaSignature, verifyEnrollmentSignature, verifyWebhookSignature, wantsAgentProtocolV2 };

package/dist/index.js

@@ -1,4 +1,4 @@
-import { randomUUID, createHmac, timingSafeEqual } from 'crypto';
+import { randomUUID, createHmac, createPublicKey, verify, timingSafeEqual } from 'crypto';
 
 // src/index.ts
 
@@ -1093,12 +1093,20 @@ function createMessageQueueManager(db) {
 }
 
 // src/dashboard.ts
+function assertNoTenantScopeRequested(tenantId, method) {
+  if (tenantId) {
+    throw new Error(
+      `DashboardManager.${method} was called with a tenantId but the database adapter does not implement tenant-scoped dashboard queries. Implement the matching DatabaseAdapter method, or omit tenantId to accept global stats. See docs/proposals/tenant-rbac-audit.md for context.`
+    );
+  }
+}
 function createDashboardManager(db) {
   return {
     async getStats(_tenantId) {
       if (db.getDashboardStats) {
         return db.getDashboardStats(_tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getStats");
       const devices = await db.listDevices({
         limit: 1e4
         // Get all for counting
@@ -1156,6 +1164,7 @@ function createDashboardManager(db) {
       if (db.getDeviceStatusBreakdown) {
         return db.getDeviceStatusBreakdown(_tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getDeviceStatusBreakdown");
       const devices = await db.listDevices({
         limit: 1e4
       });
@@ -1188,6 +1197,7 @@ function createDashboardManager(db) {
       if (db.getEnrollmentTrend) {
         return db.getEnrollmentTrend(days, _tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getEnrollmentTrend");
       const now = /* @__PURE__ */ new Date();
       const startDate = new Date(now.getTime() - days * 24 * 60 * 60 * 1e3);
       const events = await db.listEvents({
@@ -1244,6 +1254,7 @@ function createDashboardManager(db) {
       if (db.getCommandSuccessRates) {
         return db.getCommandSuccessRates(_tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getCommandSuccessRates");
       const now = /* @__PURE__ */ new Date();
       const yesterday = new Date(now.getTime() - 24 * 60 * 60 * 1e3);
       const commands = await db.listCommands({ limit: 1e4 });
@@ -1292,6 +1303,7 @@ function createDashboardManager(db) {
       if (db.getAppInstallationSummary) {
         return db.getAppInstallationSummary(_tenantId);
       }
+      assertNoTenantScopeRequested(_tenantId, "getAppInstallationSummary");
       const apps = await db.listApplications();
       const appMap = new Map(apps.map((a) => [a.packageName, a]));
       const byStatus = {
@@ -1407,6 +1419,135 @@ function parsePluginKey(key) {
   const [namespace, ...parts] = key.split(":");
   return { namespace, parts };
 }
+function importPublicKeyFromSpki(spkiBase64) {
+  let buffer;
+  try {
+    buffer = Buffer.from(spkiBase64, "base64");
+  } catch (err) {
+    throw new InvalidPublicKeyError(
+      "Public key is not valid base64",
+      err instanceof Error ? err : void 0
+    );
+  }
+  if (buffer.length === 0) {
+    throw new InvalidPublicKeyError("Public key is empty");
+  }
+  try {
+    const key = createPublicKey({
+      key: buffer,
+      format: "der",
+      type: "spki"
+    });
+    const asymmetricKeyType = key.asymmetricKeyType;
+    if (asymmetricKeyType !== "ec") {
+      throw new InvalidPublicKeyError(
+        `Expected EC key, got ${asymmetricKeyType ?? "unknown"}`
+      );
+    }
+    const curve = key.asymmetricKeyDetails?.namedCurve;
+    if (curve && curve !== "prime256v1" && curve !== "P-256") {
+      throw new InvalidPublicKeyError(
+        `Unsupported EC curve: ${curve}. Only P-256 is accepted.`
+      );
+    }
+    return key;
+  } catch (err) {
+    if (err instanceof InvalidPublicKeyError) throw err;
+    throw new InvalidPublicKeyError(
+      "Failed to parse SPKI public key",
+      err instanceof Error ? err : void 0
+    );
+  }
+}
+function verifyEcdsaSignature(publicKey, message, signatureBase64) {
+  const key = typeof publicKey === "string" ? importPublicKeyFromSpki(publicKey) : publicKey;
+  let signatureBuffer;
+  try {
+    signatureBuffer = Buffer.from(signatureBase64, "base64");
+  } catch {
+    return false;
+  }
+  if (signatureBuffer.length === 0) return false;
+  try {
+    return verify("sha256", Buffer.from(message, "utf8"), key, signatureBuffer);
+  } catch {
+    return false;
+  }
+}
+function canonicalEnrollmentMessage(parts) {
+  return [
+    parts.publicKey,
+    parts.model,
+    parts.manufacturer,
+    parts.osVersion,
+    parts.serialNumber ?? "",
+    parts.imei ?? "",
+    parts.macAddress ?? "",
+    parts.androidId ?? "",
+    parts.method,
+    parts.timestamp,
+    parts.challenge
+  ].join("|");
+}
+function canonicalDeviceRequestMessage(parts) {
+  return [parts.deviceId, parts.timestamp, parts.body, parts.nonce ?? ""].join("|");
+}
+async function verifyDeviceRequest(opts) {
+  const device = await opts.mdm.devices.get(opts.deviceId);
+  if (!device) {
+    return { ok: false, reason: "not-found" };
+  }
+  if (!device.publicKey) {
+    return { ok: false, reason: "no-pinned-key", device };
+  }
+  let verified;
+  try {
+    verified = verifyEcdsaSignature(
+      device.publicKey,
+      opts.canonicalMessage,
+      opts.signatureBase64
+    );
+  } catch (err) {
+    opts.mdm.logger.child({ component: "device-identity" }).error(
+      {
+        deviceId: opts.deviceId,
+        err: err instanceof Error ? err.message : String(err)
+      },
+      "Pinned public key failed to parse"
+    );
+    return { ok: false, reason: "signature-invalid", device };
+  }
+  if (!verified) {
+    return { ok: false, reason: "signature-invalid", device };
+  }
+  return { ok: true, device };
+}
+var InvalidPublicKeyError = class extends Error {
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+    this.name = "InvalidPublicKeyError";
+  }
+  code = "INVALID_PUBLIC_KEY";
+};
+var PublicKeyMismatchError = class extends Error {
+  constructor(deviceId) {
+    super(
+      `Device ${deviceId} is already enrolled with a different pinned public key`
+    );
+    this.deviceId = deviceId;
+    this.name = "PublicKeyMismatchError";
+  }
+  code = "PUBLIC_KEY_MISMATCH";
+};
+var ChallengeInvalidError = class extends Error {
+  constructor(message, challenge) {
+    super(message);
+    this.challenge = challenge;
+    this.name = "ChallengeInvalidError";
+  }
+  code = "CHALLENGE_INVALID";
+};
 
 // src/schema.ts
 var mdmSchema = {
@@ -2650,7 +2791,13 @@ function createMDM(config) {
         `Enrollment method '${request.method}' is not allowed`
       );
     }
-    if (enrollment?.deviceSecret) {
+    const isPinnedKeyPath = Boolean(request.publicKey);
+    if (!isPinnedKeyPath && enrollment?.pinnedKey?.required) {
+      throw new EnrollmentError(
+        "Pinned-key enrollment is required but the request carried no publicKey. The agent must generate a Keystore keypair and submit the SPKI public key alongside an ECDSA signature over the canonical enrollment message."
+      );
+    }
+    if (!isPinnedKeyPath && enrollment?.deviceSecret) {
       const isValid = verifyEnrollmentSignature(
         request,
         enrollment.deviceSecret
@@ -2659,6 +2806,65 @@ function createMDM(config) {
         throw new EnrollmentError("Invalid enrollment signature");
       }
     }
+    let challengeRecord = null;
+    let importedPublicKey = null;
+    if (isPinnedKeyPath) {
+      if (!request.attestationChallenge) {
+        throw new EnrollmentError(
+          "Pinned-key enrollment requires attestationChallenge. Fetch a fresh challenge from /agent/enroll/challenge first."
+        );
+      }
+      if (!database.consumeEnrollmentChallenge) {
+        throw new EnrollmentError(
+          "Pinned-key enrollment requires an adapter that implements enrollment challenge storage. Upgrade to a database adapter that supports it, or submit an HMAC-signed enrollment instead."
+        );
+      }
+      try {
+        importedPublicKey = importPublicKeyFromSpki(request.publicKey);
+      } catch (err) {
+        throw new EnrollmentError(
+          err instanceof Error ? `Invalid enrollment public key: ${err.message}` : "Invalid enrollment public key"
+        );
+      }
+      challengeRecord = await database.consumeEnrollmentChallenge(
+        request.attestationChallenge
+      );
+      if (!challengeRecord) {
+        throw new ChallengeInvalidError(
+          "Enrollment challenge is missing, expired, or already consumed",
+          request.attestationChallenge
+        );
+      }
+      if (challengeRecord.expiresAt.getTime() < Date.now()) {
+        throw new ChallengeInvalidError(
+          "Enrollment challenge has expired",
+          request.attestationChallenge
+        );
+      }
+      const canonical = canonicalEnrollmentMessage({
+        publicKey: request.publicKey,
+        model: request.model,
+        manufacturer: request.manufacturer,
+        osVersion: request.osVersion,
+        serialNumber: request.serialNumber,
+        imei: request.imei,
+        macAddress: request.macAddress,
+        androidId: request.androidId,
+        method: request.method,
+        timestamp: request.timestamp,
+        challenge: request.attestationChallenge
+      });
+      const verified = verifyEcdsaSignature(
+        importedPublicKey,
+        canonical,
+        request.signature
+      );
+      if (!verified) {
+        throw new EnrollmentError(
+          "Invalid enrollment signature (device-pinned-key path)"
+        );
+      }
+    }
     if (enrollment?.validate) {
       const isValid = await enrollment.validate(request);
       if (!isValid) {
@@ -2673,13 +2879,23 @@ function createMDM(config) {
     }
     let device = await database.findDeviceByEnrollmentId(enrollmentId);
     if (device) {
-      device = await database.updateDevice(device.id, {
+      if (isPinnedKeyPath && device.publicKey) {
+        if (device.publicKey !== request.publicKey) {
+          throw new PublicKeyMismatchError(device.id);
+        }
+      }
+      const updateInput = {
         status: "enrolled",
         model: request.model,
         manufacturer: request.manufacturer,
         osVersion: request.osVersion,
         lastSync: /* @__PURE__ */ new Date()
-      });
+      };
+      if (isPinnedKeyPath && !device.publicKey) {
+        updateInput.publicKey = request.publicKey;
+        updateInput.enrollmentMethod = "pinned-key";
+      }
+      device = await database.updateDevice(device.id, updateInput);
     } else if (enrollment?.autoEnroll) {
       device = await database.createDevice({
         enrollmentId,
@@ -2692,6 +2908,12 @@ function createMDM(config) {
         androidId: request.androidId,
         policyId: request.policyId || enrollment.defaultPolicyId
       });
+      if (isPinnedKeyPath) {
+        device = await database.updateDevice(device.id, {
+          publicKey: request.publicKey,
+          enrollmentMethod: "pinned-key"
+        });
+      }
       if (enrollment.defaultGroupId) {
         await database.addDeviceToGroup(device.id, enrollment.defaultGroupId);
       }
@@ -2706,6 +2928,12 @@ function createMDM(config) {
         macAddress: request.macAddress,
         androidId: request.androidId
       });
+      if (isPinnedKeyPath) {
+        device = await database.updateDevice(device.id, {
+          publicKey: request.publicKey,
+          enrollmentMethod: "pinned-key"
+        });
+      }
     } else {
       throw new EnrollmentError(
         "Device not registered and auto-enroll is disabled"
@@ -2993,6 +3221,6 @@ function generateDeviceToken(deviceId, secret, expirationSeconds) {
   return `${header}.${payload}.${signature}`;
 }
 
-export { AGENT_PROTOCOL_HEADER, AGENT_PROTOCOL_V2, ApplicationNotFoundError, AuthenticationError, AuthorizationError, CommandNotFoundError, DeviceNotFoundError, EnrollmentError, GroupNotFoundError, MDMError, PolicyNotFoundError, RoleNotFoundError, TenantNotFoundError, UserNotFoundError, ValidationError, agentFail, agentOk, camelToSnake, createAuditManager, createAuthorizationManager, createConsoleLogger, createDashboardManager, createMDM, createMemoryPluginStorageAdapter, createMessageQueueManager, createPluginKey, createPluginStorageAdapter, createScheduleManager, createSilentLogger, createTenantManager, createWebhookManager, getColumnNames, getPrimaryKey, getTableNames, mdmSchema, parsePluginKey, snakeToCamel, transformToCamelCase, transformToSnakeCase, verifyEnrollmentSignature, verifyWebhookSignature, wantsAgentProtocolV2 };
+export { AGENT_PROTOCOL_HEADER, AGENT_PROTOCOL_V2, ApplicationNotFoundError, AuthenticationError, AuthorizationError, ChallengeInvalidError, CommandNotFoundError, DeviceNotFoundError, EnrollmentError, GroupNotFoundError, InvalidPublicKeyError, MDMError, PolicyNotFoundError, PublicKeyMismatchError, RoleNotFoundError, TenantNotFoundError, UserNotFoundError, ValidationError, agentFail, agentOk, camelToSnake, canonicalDeviceRequestMessage, canonicalEnrollmentMessage, createAuditManager, createAuthorizationManager, createConsoleLogger, createDashboardManager, createMDM, createMemoryPluginStorageAdapter, createMessageQueueManager, createPluginKey, createPluginStorageAdapter, createScheduleManager, createSilentLogger, createTenantManager, createWebhookManager, getColumnNames, getPrimaryKey, getTableNames, importPublicKeyFromSpki, mdmSchema, parsePluginKey, snakeToCamel, transformToCamelCase, transformToSnakeCase, verifyDeviceRequest, verifyEcdsaSignature, verifyEnrollmentSignature, verifyWebhookSignature, wantsAgentProtocolV2 };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map