LATTICE

Authorized Workspace Access

Workspace operations scope

Tenant admin surface

Brand Settings

Brand Settings owns account-facing identity and presentation doctrine under workspace scope. Tier 1 safe branding projection already exists for the public storefront contract, while tenant-admin review and publish controls remain deferred.

Current route is /dashboard today. Target hosted tenant admin entry remains admin.runsonlattice.com/workspaces/{workspace_slug} later. Dashboard is tenant-scoped admin work; it is not Unity and not the public storefront.

You are here

Account areas

Current area: Brand Settings.

Surface ownership

Brand Settings

Partially implemented

Brand Settings owns account-facing identity and presentation doctrine under workspace scope. Tier 1 safe branding projection already exists for the public storefront contract, while tenant-admin review and publish controls remain deferred.

Current route
/dashboard/brand-settings
Target route
admin.runsonlattice.com/workspaces/{workspace_slug}
View type
Planning view
Access today
No live access rules are shown here yet.

Planning view

Unity Owner command centerFuture runtime requires separate approval and module enablement from Unity Owner > Platform Entitlements before Dashboard should expose live workflows.

Current doctrine

Safe published branding already exists in the brand/storefront contract. This area should become the tenant-admin review shell for that contract before any edit or publish workflow is approved.

Storefront-safe identity

What a shared storefront shell can safely vary

Published storefront baseline

Tenant Storefront Baseline

A safe published storefront look that future tenant operators can shape without changing application code.

Safe projection
PrimaryAccentlight modesoft radiusstandard density
Identity fields
Display name, short name, and tagline
Storefront copy
Announcement, hero title/body, footer note, and safe empty or unavailable messages
Presentation presets
Hero layout, catalog layout, image ratio, card style, button style, and product action language
Safe links only
Internal navigation stays allowlisted; external links must be validated https destinations

Tenant admin shell

What stays light inside admin

Workspace label
Tenant Storefront Baseline
Short label
Optional
Welcome copy
Safe published branding feeds the shared storefront renderer. Drafts, history, and raw settings stay behind the admin boundary until a later approved workflow.
Support label
Support

Tenant admin should feel like Lattice first. Branding here is light identity, not a fully tenant-skinned control panel.

Public safety

How public rendering fails closed

  • Published branding only: draft, archived, disabled, or invalid branding falls back to known-good defaults publicly.
  • Tenant input stays structured: plain text, validated colors, enum presets, and approved URLs only.
  • Public storefront rendering consumes a safe projection, not raw editor state or theme history.

Feeds

Where this shell points next

  • Account Preview

    Draft review belongs here before any release control is added.

  • Public Shop

    Public rendering should consume only the published safe projection.

  • {tenant_slug}.runsonlattice.com

    Future tenant storefront resolution should keep using host-based storefront context rather than browser-supplied scope IDs.

Not this slice

What stays deferred

  • No CMS, markdown rendering, or upload-driven public media.
  • No theme history browser, publish controls, or provider automation.
  • No checkout enablement, cart persistence, or public workflow changes.

Owns

What belongs here

  • Brand identity and safe storefront presentation defaults
  • Light workspace/admin identity that remains recognizably Lattice
  • Workspace-to-brand presentation boundary for preview and public storefront release

Exists now

What exists here today

  • Tier 1 safe branding schema and validation exist for published storefront projection.
  • Default storefront and preview shells already consume the same safe branding model.

Next attach

What should Codex build next

  • Tenant-admin read model and preview review should attach here before any publish workflow.
  • Draft editing, version review, and release controls require a separate approved slice.

Keep out of this slice

What must not be bundled here

  • No arbitrary HTML, CSS, JavaScript, embeds, or upload-driven branding in this slice.
  • No DNS, host routing automation, or publish claims here.

Behind the scenes

What supports this area today

Live data

Safe branding contract

Typed validation, normalization, and safe fallback rules already constrain tenant-controlled branding input.

Stored records

Branding projection tables

Published-safe branding versions already sit on the brand/storefront spine without exposing raw settings publicly.

Planning notes

Public storefront resolver

Public storefront rendering already consumes only the safe published branding projection or known-good defaults.