{"id":49546162,"url":"https://github.com/macadmins/contour","last_synced_at":"2026-05-06T21:02:13.402Z","repository":{"id":351968185,"uuid":"1171041413","full_name":"macadmins/contour","owner":"macadmins","description":"Contour — device management configuration toolkit","archived":false,"fork":false,"pushed_at":"2026-04-29T12:13:54.000Z","size":5295,"stargazers_count":26,"open_issues_count":3,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-29T13:37:05.026Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/macadmins.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-02T20:09:00.000Z","updated_at":"2026-04-29T12:15:50.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/macadmins/contour","commit_stats":null,"previous_names":["headmin/contour"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/macadmins/contour","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcontour","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcontour/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcontour/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcontour/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/macadmins","download_url":"https://codeload.github.com/macadmins/contour/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fcontour/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32547644,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-02T19:18:06.202Z","status":"ssl_error","status_checked_at":"2026-05-02T19:16:21.335Z","response_time":132,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-02T19:30:59.624Z","updated_at":"2026-05-02T19:31:00.481Z","avatar_url":"https://github.com/macadmins.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"images/contour.png\" alt=\"Contour\" width=\"200\"\u003e\n\u003c/p\u003e\n\n# Contour\n\n**The Swiss Army Knife for Apple Device Management tasks**\n\n\u003e **Status: Preview** — almost feature-complete for core workflows, APIs and flags may still change before 1.0.\n\nOne signed binary that makes common device management tasks simpler. It normalizes device management configs consistently and surfaces errors clearly — so output diffs cleanly every time.\n\nContour works with profiles and DDM config payloads — whether you, your MDM vendor, or an AI agent wrote them.\n\nUse it to prepare and process configuration files for migration, GitOps workflows, or day-to-day config work. Run it from the terminal, in CI, or let an AI agent call it directly. Two modes, same core — every artifact is validated against the embedded Apple schema.\n\n\n## Why\n\n**Device config deserves the same rigor as the code you ship to production.**\n\nProfiles, DDM declarations, Santa rules, osquery policies — some of this config already runs in your device management solution. But the tooling around it has lived in GUIs and copy-paste for years. Drift happens over time. Typos slip through. And AI agents are now generating config without validation. Contour adds a validation step you can apply when useful.\n\n- **How.** The Apple schema for MDM/profiles, declarative management, and osquery is embedded. Processors and the generator validate against it before writing normalized config out. Identifiers and UUIDs are handled deterministically.\n- **What.** One signed binary. Output is normalized to diff cleanly, work consistently, and fail loud when something's wrong — whether you or an agent wrote it.\n\n## How it's used\n\nTwo modes — CLI on macOS or Linux. Same core: every artifact is processed with built-in tools and validated against the embedded schemas. For details on each tool, see the docs.\n\n### As a CLI toolkit\n\nEach tool can be used in CI, GitHooks, Scripts or the Terminal.\n\n| Tool | Description |\n|------|-------------|\n| [`contour profile`](docs/contour-profile.md) | Normalize, validate, sign, generate, search, and import Apple configuration profiles against the embedded schema. |\n| `contour profile synthesize` | Reverse-engineer managed preference plists into validated mobileconfigs. |\n| `contour profile import --jamf` | Import from [Jamf Pro backup](https://github.com/Jamf-Concepts/jamf-cli) YAML — extract, normalize, validate in one step. |\n| `contour profile command` | Generate MDM command plist payloads (RestartDevice, DeviceLock, EraseDevice, …) with `--base64` for the Fleet API. |\n| `contour profile enrollment` | Generate DEP/ADE enrollment profiles from Setup Assistant skip keys, platform/version-gated. |\n| `contour osquery` | Search and inspect the embedded osquery schema for writing queries and policies. |\n| [`contour pppc`](docs/contour-pppc.md) | Generate TCC/Privacy Preferences profiles from app bundles. Scan → configure → generate. |\n| [`contour santa`](docs/contour-santa.md) | Santa allowlists, CEL toolkit (compile, eval, validate, dry-run, classify), and FAA plist generation. |\n| [`contour mscp`](docs/contour-mscp.md) | mSCP baseline transformer with embedded schema query API and ODV support. |\n| [`contour btm`](docs/contour-btm.md) | Generate Background Task Management profiles for managed login items. |\n| [`contour notifications`](docs/contour-notifications.md) | Generate notification settings profiles with per-app control. |\n\nCommon commands:\n\n```bash\n# Normalize and validate profiles for GitOps\ncontour profile normalize ./profiles -r --org com.acme --name \"Acme Corp\"\n\n# Import from Jamf backup\ncontour profile import --jamf /path/to/jamf-backup/profiles/macos/ --all -o profiles/ --org com.acme\n\n# Synthesize mobileconfigs from managed preference plists\ncontour profile synthesize /Library/Managed\\ Preferences/ -o profiles/ --org com.acme --validate\n\n# Search + generate a profile\ncontour profile search passcode --json\ncontour profile generate com.apple.mobiledevice.passwordpolicy --full --org com.acme\n\n# MDM command for Fleet API\ncontour profile command generate DeviceLock --set PIN=123456 --uuid --base64\n\n# DEP enrollment profile\ncontour profile enrollment generate --platform macOS --interactive -o enrollment.dep.json\n\n# Query mSCP compliance rules\ncontour mscp schema baselines --json\ncontour mscp schema rules --baseline cis_lvl1 --json\n\n# PPPC profile\ncontour pppc scan -p /Applications -o pppc.toml --org com.acme\ncontour pppc generate pppc.toml -o pppc.mobileconfig\n\n# Santa allowlist\ncontour santa scan -f csv -o apps.csv\ncontour santa allow -i apps.csv --org com.acme -o santa.mobileconfig\n```\n\n### As an AI skill\n\nBecause validation is baked into every generator, Contour is also safe to hand to an agent. Install it as a skill for Claude Code (and similar):\n\n```bash\ncontour setup-agent\n```\n\nThe agent gets the Apple schema, routed SOPs for each task, and a generator that refuses to write a broken file. You ask in plain English; the agent picks the right command and the tool keeps it straight.\n\n```bash\ncontour help-ai                     # what the agent sees: command index + SOP routing\ncontour help-ai --sop profile       # profile generation SOP\ncontour help-ai --sop fleet-migrate # GitOps repo migration SOP\n```\n\n## Install\n\nDownload the latest `.pkg` from [Releases](https://github.com/macadmins/contour/releases):\n\n```bash\ncontour --help          # Overview of all tools\ncontour \u003ctool\u003e --help   # Tool-specific help\ncontour help-ai         # LLM-optimized help for AI-assisted workflows\n```\n\nThe binary is signed + notarized by Apple, stapled for offline verification.\n\n## Documentation\n\n- [Profile Toolkit](docs/contour-profile.md) — normalize, validate, sign, diff, DDM declarations, payload extraction\n- [PPPC Toolkit](docs/contour-pppc.md) — TCC services, interactive and batch configuration, CSV input\n- [Santa Toolkit](docs/contour-santa.md) — rule management, multiple fetch sources, `prep` for full Santa deployment\n- [mSCP Toolkit](docs/contour-mscp.md) — Fleet/Jamf/Munki output, ODV overrides, cross-baseline deduplication\n- [BTM Toolkit](docs/contour-btm.md) — launch item scanning, DDM declarations (macOS 15+), multi-machine merge\n- [Notifications Toolkit](docs/contour-notifications.md) — per-app alert control, interactive configuration wizard\n\n## License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacadmins%2Fcontour","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmacadmins%2Fcontour","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacadmins%2Fcontour/lists"}