@bsuite/theme 0.3.2 → 0.4.1

package/README.md

@@ -1,15 +1,14 @@
 # @bsuite/theme
 
-Universal D2C Neon Electric theme for the BSuite monorepo. Ships the canonical palette, Tailwind tokens, CSS variables, React ThemeProvider, and a framework-agnostic FOUC-prevention script.
+Universal theme package for the BSuite monorepo. Ships the D2C Neon Electric baseline, the Braden Corporate baseline, Tailwind tokens, CSS variables, React `ThemeProvider`, runtime `BrandingProvider`, and a framework-agnostic FOUC-prevention script.
 
 ## What's inside
 
-- **CSS variables** — 11 neon electric colours + light/dark surface tokens + WCAG AA-compliant text tokens
-- **Tailwind v3 preset** — drop-in `presets: [require('@bsuite/theme/tailwind-preset')]`
-- **Tailwind v4 `@theme` block** — `@import '@bsuite/theme/preset-v4.css'`
+- **CSS variables** — OKLCH source palettes, role aliases, light/dark surfaces, shadcn bridge variables, and WCAG AA-compliant anti-glare text tokens
+- **Dual brand baselines** — D2C via `@bsuite/theme/css`; Braden via `@bsuite/theme/braden-css`
+- **Tailwind v4+ `@theme` block** — `@import '@bsuite/theme/preset-v4.css'`
 - **`<ThemeProvider>`** + **`useTheme()`** with localStorage persistence + system preference
-- **`<BrandingProvider>`** + **`useBranding()`** for runtime tenant branding
-- **`usePlatformLogo()`** and `resolvePlatformLogo()` for shared light/dark/mark/favicon logo fallback selection
+- **`<BrandingProvider>`** — enterprise runtime white-labelling for D2C apps; Braden short-circuits to static corporate tokens
 - **`getThemeInitScript()`** — stringified JS for inline `<script>` tags to prevent FOUC
 
 ## Install
@@ -20,7 +19,7 @@ pnpm add @bsuite/theme
 
 ## Consumer setup
 
-### Vite (v4 Tailwind) — BSU / CRM7 / R80.3
+### Vite (Tailwind v4+) — BSU / CRM7 / R80.3 / Throughput
 
 **1.** `src/index.css` or equivalent global stylesheet:
 
@@ -32,6 +31,13 @@ pnpm add @bsuite/theme
 /* your app-specific @theme {} overrides below */
 ```
 
+Braden uses the same Tailwind bridge shape but imports the corporate baseline:
+
+```css
+@import 'tailwindcss';
+@import '@bsuite/theme/braden-css';
+```
+
 **2.** `src/main.tsx`:
 
 ```tsx
@@ -48,7 +54,7 @@ ReactDOM.createRoot(document.getElementById('root')!).render(
 
 Paste the result of `getThemeInitScript()` into `<head>` before stylesheets.
 
-### Next.js 16 (v4 Tailwind) — conduit
+### Next.js 16 (Tailwind v4+) — conduit
 
 **1.** `src/app/globals.css`:
 
@@ -81,27 +87,11 @@ export default function RootLayout({ children }) {
 }
 ```
 
-### Vite (v3 Tailwind) — throughput
-
-**1.** `tailwind.config.js`:
+### Tailwind floor
 
-```js
-module.exports = {
-  presets: [require('@bsuite/theme/tailwind-preset')],
-  content: ['./src/**/*.{js,ts,jsx,tsx}'],
-}
-```
-
-**2.** Global stylesheet:
-
-```css
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
-@import '@bsuite/theme/css';
-```
-
-**3.** `src/main.tsx` + `index.html` — same as the v4 Vite setup above.
+All consumers must use Tailwind CSS v4 or later. The legacy `./tailwind-preset`
+export remains only so older published package metadata does not break import
+resolution; it is not a supported BSuite consumption path.
 
 ## Using the hook
 
@@ -120,46 +110,21 @@ export function ThemeToggleButton() {
 
 The `resolvedTheme` always returns `'light'` or `'dark'` — use this when you need the _effective_ theme (it resolves `'system'` for you).
 
-## Runtime branding and platform logos
-
-Wrap BSuite apps in `BrandingProvider` when tenant/platform branding should be resolved from Supabase. Braden Corporate can pass `brand="braden"` to keep using static corporate tokens.
+## Palette And Roles
 
-```tsx
-import { BrandingProvider, usePlatformLogo } from '@bsuite/theme/react'
-
-function HeaderLogo() {
-  const { src, alt, isLoading } = usePlatformLogo({
-    slot: 'header',
-    scheme: 'light',
-    fallback: '/logos/bsuite.svg',
-  })
+All 11 canonical electric colours are available as palette tokens, but consumer UI should bind to role/shadcn tokens. Palette names are presentational; roles are the stable contract for white-labelling.
 
-  if (isLoading || !src) return null
-  return <img src={src} alt={alt} />
-}
-```
-
-Use `resolvePlatformLogo()` in non-React code or tests when you already have a branding payload and need the same fallback order without mounting a provider.
-
-## Palette
+| Role / token | OKLCH source | Notes |
+|---|---|---|
+| `--role-primary` / Electric Blue | `oklch(0.546 0.215 262.9)` | Primary actions and focus affordances |
+| `--role-accent` / Electric Cyan | `oklch(0.769 0.132 191.7)` | Accents, highlights, visible focus in dark mode |
+| `--role-success` | `oklch(0.723 0.192 149.6)` | Success; never rely on colour alone |
+| `--role-warning` | `oklch(0.728 0.168 22.5)` | Warning; pair with icon/text |
+| `--role-error` / `--role-destructive` | `oklch(0.568 0.202 283.1)` | Purple by platform policy; coral/red must not be semantic error/destructive |
 
-All 11 canonical electric colours are available via Tailwind classes:
+Braden keeps separate corporate identity tokens in `@bsuite/theme/braden-css`: Braden Red `oklch(0.51 0.17 19)`, Braden Gold `oklch(0.77 0.10 82)`, and Braden Navy `oklch(0.34 0.04 250)`. Red is identity only; Braden error/destructive roles still map to purple.
 
-| Token | Hex | Use |
-|---|---|---|
-| `neon-electric-blue` | `#2563eb` | Primary, highlights |
-| `neon-electric-cyan` | `#00cec9` | Accents, borders |
-| `neon-electric-indigo` | `#4f46e5` | Secondary actions |
-| `neon-electric-purple` | `#6c5ce7` | Gradients, effects |
-| `neon-electric-magenta` | `#fd79a8` | Interactive |
-| `neon-electric-pink` | `#ec4899` | Hover states |
-| `neon-electric-coral` | `#ff4757` | Alerts, destructive |
-| `neon-electric-orange` | `#ff7675` | Warnings |
-| `neon-electric-yellow` | `#fdcb6e` | Info |
-| `neon-electric-green` | `#22c55e` | Success |
-| `neon-electric-lavender` | `#a29bfe` | Subtle accents |
-
-WCAG AA compliance: use `text-color-accent-text` and `text-color-primary-text` for text on light backgrounds. These are the accessible equivalents of cyan and blue — same visual identity, 5:1+ contrast on `#f2f2f2`.
+WCAG AA compliance: use semantic text tokens (`text-foreground`, `text-muted-foreground`, `text-text-on-primary`, `text-text-on-accent`) rather than raw `text-white`/`text-black`. Dark-surface text is capped at L=0.94 for extended-session comfort.
 
 ## License
 

package/dist/react/BrandingProvider.d.ts

@@ -10,16 +10,16 @@ export interface TenantBranding {
     accent?: string;
     /** Full logo URL (SVG or raster) */
     logo_url?: string;
-    /** Light-mode full logo URL (SVG or raster) */
+    /** Light-mode full logo URL */
     logo_light_url?: string;
-    /** Dark-mode full logo URL (SVG or raster) */
+    /** Dark-mode full logo URL */
     logo_dark_url?: string;
     /** Mark / icon logo URL */
     mark_url?: string;
     /** Favicon URL */
     favicon_url?: string;
-    /** Display name used for default image alt text */
-    company_name?: string | null;
+    /** Display name used for generated logo alt text */
+    company_name?: string;
     /** Optional CSS font-family stack string */
     font_stack?: string | null;
 }

package/dist/react/BrandingProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"BrandingProvider.d.ts","sourceRoot":"","sources":["../../src/react/BrandingProvider.tsx"],"names":[],"mappings":"AAmCA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,OAAO,CAAA;AACtC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAE3D,eAAO,MAAM,oBAAoB,2BAA2B,CAAA;AAC5D,eAAO,MAAM,sBAAsB,kCAAkC,CAAA;AAErE,yDAAyD;AACzD,MAAM,WAAW,cAAc;IAC7B,wDAAwD;IACxD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,4DAA4D;IAC5D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,+CAA+C;IAC/C,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,8CAA8C;IAC9C,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,2BAA2B;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,kBAAkB;IAClB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC5B,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAC3B;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAA;IAC/B,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;IACnB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7B;AAED,eAAO,MAAM,eAAe,2DAA6D,CAAA;AAEzF,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAA;AAE9C,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,SAAS,CAAA;IACnB,2DAA2D;IAC3D,cAAc,EAAE,cAAc,CAAA;IAC9B;;;;OAIG;IACH,KAAK,CAAC,EAAE,YAAY,CAAA;IACpB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;CAChC;AA6JD,wBAAgB,gBAAgB,CAAC,EAC/B,QAAQ,EACR,cAAc,EACd,KAAgB,EAChB,qBAA4B,GAC7B,EAAE,qBAAqB,2CA+EvB"}
+{"version":3,"file":"BrandingProvider.d.ts","sourceRoot":"","sources":["../../src/react/BrandingProvider.tsx"],"names":[],"mappings":"AA4CA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,OAAO,CAAA;AACtC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAO3D,eAAO,MAAM,oBAAoB,2BAA2B,CAAA;AAC5D,eAAO,MAAM,sBAAsB,kCAAkC,CAAA;AAErE,yDAAyD;AACzD,MAAM,WAAW,cAAc;IAC7B,wDAAwD;IACxD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,4DAA4D;IAC5D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,+BAA+B;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,8BAA8B;IAC9B,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,2BAA2B;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,kBAAkB;IAClB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,oDAAoD;IACpD,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAC3B;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAA;IAC/B,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;IACnB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7B;AAED,eAAO,MAAM,eAAe,2DAA6D,CAAA;AAEzF,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAA;AAE9C,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,SAAS,CAAA;IACnB,2DAA2D;IAC3D,cAAc,EAAE,cAAc,CAAA;IAC9B;;;;OAIG;IACH,KAAK,CAAC,EAAE,YAAY,CAAA;IACpB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAA;CAChC;AA+KD,wBAAgB,gBAAgB,CAAC,EAC/B,QAAQ,EACR,cAAc,EACd,KAAgB,EAChB,qBAA4B,GAC7B,EAAE,qBAAqB,2CA+EvB"}

package/dist/react/BrandingProvider.js

@@ -1,7 +1,7 @@
 import { jsx as _jsx } from "react/jsx-runtime";
 /**
  * BrandingProvider — runtime enterprise white-labelling
- * Version 0.3.0
+ * Version 0.4.1
  *
  * On mount:
  *  1. Calls supabase.rpc('branding_json_for_tenant') using the user's authed session.
@@ -17,6 +17,15 @@ import { jsx as _jsx } from "react/jsx-runtime";
  *    Colourblind policy (purple error) is a system-level requirement, not a brand pref.
  *  - brand="braden" short-circuits all Supabase calls — Braden corporate site uses
  *    static CSS tokens, not runtime tenant overrides.
+ *  - SEC-002 / SEC-003 (added 0.4.1) — tenant-controlled URL fields
+ *    (`logo_url`, `logo_light_url`, `logo_dark_url`, `mark_url`,
+ *    `favicon_url`) and `font_stack` are routed through `branding-sanitize`
+ *    at the DOM-apply sink. Dangerous schemes (`javascript:`, `data:`,
+ *    `vbscript:`, `blob:`, `file:`) are rejected; the URL is parsed and
+ *    re-serialised so breakout chars are percent-encoded; the `url()`
+ *    token is emitted in the safe quoted form with `"` and `\` escaped;
+ *    font values carrying CSS-breakout tokens (`< > ( ) { } ; @ \ /* *\/`)
+ *    are rejected and the var is cleared so the default font applies.
  *
  * Environment flags:
  *  - VITE_ENABLE_BRANDING_OVERRIDE (default: 'true') — set 'false' as kill switch.
@@ -34,6 +43,7 @@ import { jsx as _jsx } from "react/jsx-runtime";
  *    </BrandingProvider>
  */
 import { createContext, useCallback, useEffect, useMemo, useRef, useState } from 'react';
+import { sanitizeBrandingUrl, sanitizeFontFamily, toCssUrl, } from './branding-sanitize';
 export const BRANDING_STORAGE_KEY = 'bsuite_tenant_branding';
 export const BRANDING_OVERRIDE_FLAG = 'VITE_ENABLE_BRANDING_OVERRIDE';
 export const BrandingContext = createContext(undefined);
@@ -72,13 +82,9 @@ const BRANDING_CSS_MAP = {
     logo_dark_url: '--logo-dark-url',
     mark_url: '--mark-url',
     favicon_url: '--favicon-url',
+    company_name: '',
     font_stack: '--font-stack',
 };
-function setUrlCssVar(root, cssVar, value) {
-    const trimmed = value?.trim();
-    if (trimmed)
-        root.style.setProperty(cssVar, `url(${trimmed})`);
-}
 function applyBrandingToRoot(branding) {
     if (typeof document === 'undefined')
         return;
@@ -97,7 +103,7 @@ function applyBrandingToRoot(branding) {
     }
     if (branding.primary) {
         if (!isValidOklch(branding.primary)) {
-            if (process.env.NODE_ENV === 'development') {
+            if (isDevEnvironment()) {
                 console.warn(`[BrandingProvider] Rejected primary colour "${branding.primary}" — must be oklch(). ` +
                     'Only oklch() values are accepted. Hex/rgb/hsl are not permitted in the token system.');
             }
@@ -111,7 +117,7 @@ function applyBrandingToRoot(branding) {
     }
     if (branding.accent) {
         if (!isValidOklch(branding.accent)) {
-            if (process.env.NODE_ENV === 'development') {
+            if (isDevEnvironment()) {
                 console.warn(`[BrandingProvider] Rejected accent colour "${branding.accent}" — must be oklch().`);
             }
         }
@@ -121,19 +127,36 @@ function applyBrandingToRoot(branding) {
             root.style.setProperty('--app-accent', branding.accent);
         }
     }
-    setUrlCssVar(root, '--logo-url', branding.logo_url);
-    setUrlCssVar(root, '--logo-light-url', branding.logo_light_url);
-    setUrlCssVar(root, '--logo-dark-url', branding.logo_dark_url);
-    setUrlCssVar(root, '--mark-url', branding.mark_url);
-    setUrlCssVar(root, '--favicon-url', branding.favicon_url);
-    if (branding.font_stack) {
-        root.style.setProperty('--font-stack', branding.font_stack);
+    // Tenant-controlled URL and font values pass through `branding-sanitize`
+    // (SEC-002 / SEC-003) so a crafted row cannot break out of the `url(...)`
+    // token or the font declaration and inject arbitrary CSS. Each setter is
+    // paired with a removeProperty fall-through so a malicious value clears
+    // the var (caller falls back to the default) rather than persisting a
+    // previous tenant's URL.
+    const setOrClearUrlVar = (cssVar, raw) => {
+        const safe = toCssUrl(sanitizeBrandingUrl(raw));
+        if (safe)
+            root.style.setProperty(cssVar, safe);
+        else
+            root.style.removeProperty(cssVar);
+    };
+    setOrClearUrlVar('--logo-url', branding.logo_url);
+    setOrClearUrlVar('--logo-light-url', branding.logo_light_url);
+    setOrClearUrlVar('--logo-dark-url', branding.logo_dark_url);
+    setOrClearUrlVar('--mark-url', branding.mark_url);
+    setOrClearUrlVar('--favicon-url', branding.favicon_url);
+    const safeFontStack = sanitizeFontFamily(branding.font_stack ?? null);
+    if (safeFontStack) {
+        root.style.setProperty('--font-stack', safeFontStack);
+    }
+    else {
+        root.style.removeProperty('--font-stack');
     }
     root.setAttribute('data-branding-loaded', 'true');
 }
 // Warn in dev if a caller tries to set a protected key
 function warnIfProtectedKeyAttempted(branding) {
-    if (process.env.NODE_ENV !== 'development')
+    if (!isDevEnvironment())
         return;
     // Check for any attempt to set error/destructive via unexpected RPC fields
     const raw = branding;
@@ -145,6 +168,10 @@ function warnIfProtectedKeyAttempted(branding) {
         }
     }
 }
+function isDevEnvironment() {
+    const env = import.meta.env;
+    return env?.DEV === true || env?.MODE === 'development' || env?.NODE_ENV === 'development';
+}
 function persistBranding(branding) {
     try {
         if (branding) {

package/dist/react/branding-sanitize.d.ts

@@ -0,0 +1,60 @@
+/**
+ * branding-sanitize — neutralises CSS injection in tenant-controlled
+ * white-label values before they reach CSS custom properties.
+ *
+ * Closes two risks in the `applyBrandingToRoot` sink in `BrandingProvider`:
+ *
+ *   SEC-002 — CSS injection via `font_stack`. A crafted value written to
+ *             `--font-stack` can carry `</style>`, `expression(...)`,
+ *             `url(...)` or a declaration breakout.
+ *   SEC-003 — CSS injection via `logo_url` / `mark_url` / `logo_*_url` /
+ *             `favicon_url`. An unescaped value embedded in an unquoted
+ *             `url(...)` token can close the token early and inject
+ *             arbitrary CSS, or smuggle a dangerous scheme
+ *             (`javascript:`, `data:text/html`, …).
+ *
+ * The three white-label tables backing `branding_json_for_tenant`
+ * (`platform_branding`, `tenant_branding`, `tenant_app_branding`) are
+ * writable by semi-trusted platform/tenant admins, so the sanitiser runs
+ * at the DOM-apply boundary — every write path is covered, not just the
+ * admin UI.
+ *
+ * Mirrors the canonical sanitiser shipped on
+ *   business-suite-unified/src/lib/branding-sanitize.ts (BSU#485, merged
+ *   2026-05-25)
+ *   crm7/src/lib/branding-sanitize.ts (crm7#857, open draft)
+ * — DRY-merged into `@bsuite/theme` here so every consumer of
+ * `<BrandingProvider>` is covered with a single version bump.
+ *
+ * All helpers are pure and regex-free (per the BSuite No-Regex-by-Default
+ * rule); they are exercised directly in `./branding-sanitize.test.ts`.
+ */
+/**
+ * Validate a branding image URL (logo / mark / favicon).
+ *
+ * Accepts and returns:
+ *  - absolute `http(s)` URLs — parsed and normalised via the URL API
+ *  - root-relative paths (`/logo.svg`) — same-origin, no scheme to abuse
+ *
+ * Returns `null` for everything else — dangerous schemes, protocol-relative
+ * `//host` forms, control characters, unparseable input, over-long input.
+ * Callers treat `null` as "no logo" and fall back to the default.
+ */
+export declare function sanitizeBrandingUrl(raw: string | null | undefined): string | null;
+/**
+ * Wrap a validated URL in a `url("...")` token, escaping `"` and `\` so the
+ * string cannot be closed early. Always pair with {@link sanitizeBrandingUrl}
+ * — never call this on un-validated input. Returns `null` for `null` input
+ * so call sites can pass the result straight to a set-or-clear helper.
+ */
+export declare function toCssUrl(safeUrl: string | null | undefined): string | null;
+/**
+ * Validate a CSS `font-family` value. Legitimate font stacks are
+ * comma-separated family names (`"Inter", "Helvetica Neue", sans-serif`)
+ * and never need braces, semicolons, parentheses, at-rules or comment
+ * markers. The presence of any forbidden token means an injection attempt,
+ * so the whole value is rejected (returns `null` → caller falls back to the
+ * default font).
+ */
+export declare function sanitizeFontFamily(raw: string | null | undefined): string | null;
+//# sourceMappingURL=branding-sanitize.d.ts.map

package/dist/react/branding-sanitize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"branding-sanitize.d.ts","sourceRoot":"","sources":["../../src/react/branding-sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AA0CH;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAoBjF;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAG1E;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAShF"}

package/dist/react/branding-sanitize.js

@@ -0,0 +1,134 @@
+/**
+ * branding-sanitize — neutralises CSS injection in tenant-controlled
+ * white-label values before they reach CSS custom properties.
+ *
+ * Closes two risks in the `applyBrandingToRoot` sink in `BrandingProvider`:
+ *
+ *   SEC-002 — CSS injection via `font_stack`. A crafted value written to
+ *             `--font-stack` can carry `</style>`, `expression(...)`,
+ *             `url(...)` or a declaration breakout.
+ *   SEC-003 — CSS injection via `logo_url` / `mark_url` / `logo_*_url` /
+ *             `favicon_url`. An unescaped value embedded in an unquoted
+ *             `url(...)` token can close the token early and inject
+ *             arbitrary CSS, or smuggle a dangerous scheme
+ *             (`javascript:`, `data:text/html`, …).
+ *
+ * The three white-label tables backing `branding_json_for_tenant`
+ * (`platform_branding`, `tenant_branding`, `tenant_app_branding`) are
+ * writable by semi-trusted platform/tenant admins, so the sanitiser runs
+ * at the DOM-apply boundary — every write path is covered, not just the
+ * admin UI.
+ *
+ * Mirrors the canonical sanitiser shipped on
+ *   business-suite-unified/src/lib/branding-sanitize.ts (BSU#485, merged
+ *   2026-05-25)
+ *   crm7/src/lib/branding-sanitize.ts (crm7#857, open draft)
+ * — DRY-merged into `@bsuite/theme` here so every consumer of
+ * `<BrandingProvider>` is covered with a single version bump.
+ *
+ * All helpers are pure and regex-free (per the BSuite No-Regex-by-Default
+ * rule); they are exercised directly in `./branding-sanitize.test.ts`.
+ */
+/** Schemes permitted in a branding image URL. Everything else
+ *  (`javascript:`, `data:`, `vbscript:`, `blob:`, `file:`, …) is rejected. */
+const SAFE_URL_SCHEMES = new Set(['http:', 'https:']);
+/** Upper bound on a branding URL — guards against pathological input. */
+const MAX_URL_LENGTH = 2048;
+/** Upper bound on a font-family value — real font stacks are short. */
+const MAX_FONT_LENGTH = 200;
+/**
+ * Substrings that must never appear in a font-family value. Each can
+ * break out of the declaration or open an injection vector:
+ *  - angle brackets    → closing-tag breakout
+ *  - parentheses       → url() / expression() invocation
+ *  - braces, semicolon → declaration / ruleset breakout
+ *  - at-sign           → at-rules such as the import rule
+ *  - backslash         → CSS escape sequences
+ *  - the comment-open / comment-close digraphs
+ * Real font stacks are comma-separated family names and need none of these.
+ */
+const FONT_FORBIDDEN_TOKENS = [
+    '<', '>', '(', ')', '{', '}', ';', '@', '\\', '/*', '*/',
+];
+/** True when the string contains an ASCII control character (incl. newlines),
+ *  any of which can terminate a CSS token early. Regex-free by design. */
+function hasControlChar(value) {
+    for (let i = 0; i < value.length; i += 1) {
+        const code = value.charCodeAt(i);
+        if (code < 0x20 || code === 0x7f)
+            return true;
+    }
+    return false;
+}
+/** Escape the characters that could close a double-quoted CSS string early. */
+function escapeCssString(value) {
+    return value.split('\\').join('\\\\').split('"').join('\\"');
+}
+/**
+ * Validate a branding image URL (logo / mark / favicon).
+ *
+ * Accepts and returns:
+ *  - absolute `http(s)` URLs — parsed and normalised via the URL API
+ *  - root-relative paths (`/logo.svg`) — same-origin, no scheme to abuse
+ *
+ * Returns `null` for everything else — dangerous schemes, protocol-relative
+ * `//host` forms, control characters, unparseable input, over-long input.
+ * Callers treat `null` as "no logo" and fall back to the default.
+ */
+export function sanitizeBrandingUrl(raw) {
+    if (typeof raw !== 'string')
+        return null;
+    const value = raw.trim();
+    if (value === '' || value.length > MAX_URL_LENGTH)
+        return null;
+    if (hasControlChar(value))
+        return null;
+    // Root-relative path: same-origin, no scheme. Reject the protocol-relative
+    // `//host` form, which resolves to an arbitrary (attacker-chosen) origin.
+    if (value.startsWith('/')) {
+        return value.startsWith('//') ? null : value;
+    }
+    let parsed;
+    try {
+        parsed = new URL(value);
+    }
+    catch {
+        return null;
+    }
+    if (!SAFE_URL_SCHEMES.has(parsed.protocol))
+        return null;
+    return parsed.href;
+}
+/**
+ * Wrap a validated URL in a `url("...")` token, escaping `"` and `\` so the
+ * string cannot be closed early. Always pair with {@link sanitizeBrandingUrl}
+ * — never call this on un-validated input. Returns `null` for `null` input
+ * so call sites can pass the result straight to a set-or-clear helper.
+ */
+export function toCssUrl(safeUrl) {
+    if (!safeUrl)
+        return null;
+    return `url("${escapeCssString(safeUrl)}")`;
+}
+/**
+ * Validate a CSS `font-family` value. Legitimate font stacks are
+ * comma-separated family names (`"Inter", "Helvetica Neue", sans-serif`)
+ * and never need braces, semicolons, parentheses, at-rules or comment
+ * markers. The presence of any forbidden token means an injection attempt,
+ * so the whole value is rejected (returns `null` → caller falls back to the
+ * default font).
+ */
+export function sanitizeFontFamily(raw) {
+    if (typeof raw !== 'string')
+        return null;
+    const value = raw.trim();
+    if (value === '' || value.length > MAX_FONT_LENGTH)
+        return null;
+    if (hasControlChar(value))
+        return null;
+    for (const token of FONT_FORBIDDEN_TOKENS) {
+        if (value.includes(token))
+            return null;
+    }
+    return value;
+}

package/dist/react/components/StatusBadge.d.ts

@@ -0,0 +1,76 @@
+/**
+ * StatusBadge — canonical status pill across BSuite apps.
+ *
+ * Brand-Token Strategy A (operator-approved 2026-05-13): consolidates the
+ * 4 parallel implementations from crm7/conduit/BSU/R80.3 into one published
+ * primitive. Apps replace their local StatusBadge with `import { StatusBadge }
+ * from '@bsuite/theme/react'`.
+ *
+ * Self-contained (no router, no className util peer-dep):
+ *   - Visual-only by default. Wrap in your app's `<Link>` / `<button>` for
+ *     navigation/click behaviour. Keeps this package router-agnostic.
+ *   - Includes `variant` (6 colours) + auto-resolver `getStatusVariant()` +
+ *     `formatStatusLabel()`. Exports `AutoStatusBadge` for the common
+ *     "give me a badge from a status string" case.
+ *
+ * Visual contract (D2C Neon Electric + Braden Corporate compatible):
+ *   - Tailwind v4 classes against the role tokens consumers ship via
+ *     `@bsuite/theme/css` or `@bsuite/theme/braden-css`.
+ *   - Dark-mode handled via `dark:` prefix on each variant.
+ *
+ * Sizes: 'sm' (default — table cells), 'md' (cards), 'lg' (heroes).
+ */
+import { type ReactNode, type CSSProperties } from 'react';
+export type BadgeVariant = 
+/** Green — Approved, Active, Complete */
+'success'
+/** Amber — Pending, In Progress */
+ | 'warning'
+/** Red — Rejected, Failed, Overdue */
+ | 'error'
+/** Blue — Draft, New, Scheduled */
+ | 'info'
+/** Purple — Converted, Promoted */
+ | 'purple'
+/** Gray — Inactive, Archived */
+ | 'neutral';
+export interface StatusBadgeProps {
+    variant: BadgeVariant;
+    label: string;
+    /** sm = table cells (default), md = cards, lg = heroes */
+    size?: 'sm' | 'md' | 'lg';
+    className?: string;
+    style?: CSSProperties;
+    /** Optional id/data attributes for testing */
+    'data-testid'?: string;
+}
+export declare function StatusBadge({ variant, label, size, className, style, 'data-testid': testId, }: StatusBadgeProps): ReactNode;
+/**
+ * Map a status string to a semantic BadgeVariant.
+ *
+ * Normalizes lowercase + trim + underscores/hyphens → spaces, then matches
+ * against the canonical synonym sets. Pass `overrides` to remap a domain-
+ * specific status without forking the function.
+ */
+export declare function getStatusVariant(status: string, overrides?: Partial<Record<string, BadgeVariant>>): BadgeVariant;
+/**
+ * Format a raw status string into a human-readable label.
+ * Examples: 'in_progress' → 'In Progress', 'not_yet_competent' → 'Not Yet Competent'.
+ */
+export declare function formatStatusLabel(status: string): string;
+export interface AutoStatusBadgeProps extends Omit<StatusBadgeProps, 'variant' | 'label'> {
+    status: string;
+    /** Optional label override; auto-formatted from status when omitted. */
+    label?: string;
+    /** Override specific status→variant mappings for domain-specific needs. */
+    variantOverrides?: Partial<Record<string, BadgeVariant>>;
+}
+/**
+ * Convenience wrapper: derives variant + label from a raw status string.
+ *
+ * @example
+ * <AutoStatusBadge status="in_progress" />
+ * // renders <StatusBadge variant="warning" label="In Progress" />
+ */
+export declare function AutoStatusBadge({ status, label, variantOverrides, ...rest }: AutoStatusBadgeProps): ReactNode;
+//# sourceMappingURL=StatusBadge.d.ts.map

package/dist/react/components/StatusBadge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"StatusBadge.d.ts","sourceRoot":"","sources":["../../../src/react/components/StatusBadge.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,KAAK,SAAS,EAAE,KAAK,aAAa,EAAE,MAAM,OAAO,CAAC;AAE3D,MAAM,MAAM,YAAY;AACtB,yCAAyC;AACvC,SAAS;AACX,mCAAmC;GACjC,SAAS;AACX,sCAAsC;GACpC,OAAO;AACT,mCAAmC;GACjC,MAAM;AACR,mCAAmC;GACjC,QAAQ;AACV,gCAAgC;GAC9B,SAAS,CAAC;AAEd,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,0DAA0D;IAC1D,IAAI,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,8CAA8C;IAC9C,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAqBD,wBAAgB,WAAW,CAAC,EAC1B,OAAO,EACP,KAAK,EACL,IAAW,EACX,SAAS,EACT,KAAK,EACL,aAAa,EAAE,MAAM,GACtB,EAAE,gBAAgB,GAAG,SAAS,CAc9B;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,MAAM,EACd,SAAS,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,GAChD,YAAY,CAoCd;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CASxD;AAED,MAAM,WAAW,oBAAqB,SAAQ,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,OAAO,CAAC;IACvF,MAAM,EAAE,MAAM,CAAC;IACf,wEAAwE;IACxE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2EAA2E;IAC3E,gBAAgB,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,EAC9B,MAAM,EACN,KAAK,EACL,gBAAgB,EAChB,GAAG,IAAI,EACR,EAAE,oBAAoB,GAAG,SAAS,CAIlC"}

package/dist/react/components/StatusBadge.js

@@ -0,0 +1,98 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+const variantClasses = {
+    success: 'bg-emerald-50 text-emerald-700 border-emerald-200 dark:bg-emerald-950 dark:text-emerald-300 dark:border-emerald-800',
+    warning: 'bg-amber-50 text-amber-700 border-amber-200 dark:bg-amber-950 dark:text-amber-300 dark:border-amber-800',
+    error: 'bg-red-50 text-red-700 border-red-200 dark:bg-red-950 dark:text-red-300 dark:border-red-800',
+    info: 'bg-sky-50 text-sky-700 border-sky-200 dark:bg-sky-950 dark:text-sky-300 dark:border-sky-800',
+    purple: 'bg-purple-50 text-purple-700 border-purple-200 dark:bg-purple-950 dark:text-purple-300 dark:border-purple-800',
+    neutral: 'bg-muted text-muted-foreground border-border',
+};
+const sizeClasses = {
+    sm: 'text-xs px-2 py-0.5',
+    md: 'text-sm px-2.5 py-1',
+    lg: 'text-base px-3 py-1.5',
+};
+export function StatusBadge({ variant, label, size = 'sm', className, style, 'data-testid': testId, }) {
+    const classes = [
+        'inline-flex items-center font-medium rounded-full border',
+        variantClasses[variant],
+        sizeClasses[size],
+        className,
+    ]
+        .filter(Boolean)
+        .join(' ');
+    return (_jsx("span", { className: classes, style: style, "data-testid": testId, children: label }));
+}
+/**
+ * Map a status string to a semantic BadgeVariant.
+ *
+ * Normalizes lowercase + trim + underscores/hyphens → spaces, then matches
+ * against the canonical synonym sets. Pass `overrides` to remap a domain-
+ * specific status without forking the function.
+ */
+export function getStatusVariant(status, overrides) {
+    const normalized = status.toLowerCase().trim().replace(/_/g, ' ').replace(/-/g, ' ');
+    if (overrides && normalized in overrides) {
+        const override = overrides[normalized];
+        if (override)
+            return override;
+    }
+    const SUCCESS = [
+        'approved', 'active', 'complete', 'completed', 'won',
+        'current', 'on track', 'competent', 'pass', 'passed',
+        'filled', 'resolved', 'closed won',
+    ];
+    const WARNING = [
+        'pending', 'in progress', 'review', 'under review',
+        'at risk', 'on leave', 'offered', 'onboarding',
+        'probation', 'investigating', 'action required',
+    ];
+    const ERROR = [
+        'rejected', 'failed', 'lost', 'overdue', 'fail',
+        'cancelled', 'canceled', 'terminated', 'suspended',
+        'behind', 'unavailable', 'expired', 'not yet competent',
+        'closed lost',
+    ];
+    const INFO = [
+        'draft', 'new', 'scheduled', 'open',
+        'applicant', 'interviewing', 'reported',
+    ];
+    const PURPLE = ['converted', 'promoted', 'shortlisted'];
+    if (SUCCESS.includes(normalized))
+        return 'success';
+    if (WARNING.includes(normalized))
+        return 'warning';
+    if (ERROR.includes(normalized))
+        return 'error';
+    if (INFO.includes(normalized))
+        return 'info';
+    if (PURPLE.includes(normalized))
+        return 'purple';
+    return 'neutral';
+}
+/**
+ * Format a raw status string into a human-readable label.
+ * Examples: 'in_progress' → 'In Progress', 'not_yet_competent' → 'Not Yet Competent'.
+ */
+export function formatStatusLabel(status) {
+    return status
+        .replace(/_/g, ' ')
+        .replace(/-/g, ' ')
+        .trim()
+        .split(' ')
+        .filter(Boolean)
+        .map((word) => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase())
+        .join(' ');
+}
+/**
+ * Convenience wrapper: derives variant + label from a raw status string.
+ *
+ * @example
+ * <AutoStatusBadge status="in_progress" />
+ * // renders <StatusBadge variant="warning" label="In Progress" />
+ */
+export function AutoStatusBadge({ status, label, variantOverrides, ...rest }) {
+    const variant = getStatusVariant(status, variantOverrides);
+    const displayLabel = label ?? formatStatusLabel(status);
+    return _jsx(StatusBadge, { variant: variant, label: displayLabel, ...rest });
+}

package/dist/react/index.d.ts

@@ -6,6 +6,8 @@ export { THEME_STORAGE_KEY } from '../index';
 export { BrandingProvider, BrandingContext, BRANDING_STORAGE_KEY, BRANDING_OVERRIDE_FLAG, } from './BrandingProvider';
 export type { TenantBranding, BrandingContextValue } from './BrandingProvider';
 export { useBranding } from './useBranding';
-export { resolvePlatformLogo, usePlatformLogo, } from './usePlatformLogo';
+export { resolvePlatformLogo, usePlatformLogo } from './usePlatformLogo';
 export type { PlatformLogoHookResult, PlatformLogoOptions, PlatformLogoScheme, PlatformLogoSlot, PlatformLogoSource, ResolvedPlatformLogo, } from './usePlatformLogo';
+export { StatusBadge, AutoStatusBadge, getStatusVariant, formatStatusLabel, } from './components/StatusBadge';
+export type { BadgeVariant, StatusBadgeProps, AutoStatusBadgeProps, } from './components/StatusBadge';
 //# sourceMappingURL=index.d.ts.map

package/dist/react/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAC/C,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AACrC,YAAY,EAAE,iBAAiB,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAC3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAA;AAC5C,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAC9E,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAC3C,OAAO,EACL,mBAAmB,EACnB,eAAe,GAChB,MAAM,mBAAmB,CAAA;AAC1B,YAAY,EACV,sBAAsB,EACtB,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,mBAAmB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAC/C,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AACrC,YAAY,EAAE,iBAAiB,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAC3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAA;AAC5C,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAC9E,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAC3C,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACxE,YAAY,EACV,sBAAsB,EACtB,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EACL,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,0BAA0B,CAAA;AACjC,YAAY,EACV,YAAY,EACZ,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,0BAA0B,CAAA"}

package/dist/react/index.js

@@ -3,4 +3,6 @@ export { useTheme } from './useTheme';
 export { THEME_STORAGE_KEY } from '../index';
 export { BrandingProvider, BrandingContext, BRANDING_STORAGE_KEY, BRANDING_OVERRIDE_FLAG, } from './BrandingProvider';
 export { useBranding } from './useBranding';
-export { resolvePlatformLogo, usePlatformLogo, } from './usePlatformLogo';
+export { resolvePlatformLogo, usePlatformLogo } from './usePlatformLogo';
+// Components — see ./components/<Name>.tsx
+export { StatusBadge, AutoStatusBadge, getStatusVariant, formatStatusLabel, } from './components/StatusBadge';

package/dist/react/usePlatformLogo.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"usePlatformLogo.d.ts","sourceRoot":"","sources":["../../src/react/usePlatformLogo.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGxD,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,GAAG,MAAM,CAAA;AACjF,MAAM,MAAM,kBAAkB,GAAG,OAAO,GAAG,MAAM,CAAA;AACjD,MAAM,MAAM,kBAAkB,GAAG,UAAU,GAAG,UAAU,GAAG,MAAM,CAAA;AAEjE,MAAM,WAAW,mBAAmB;IAClC,IAAI,CAAC,EAAE,gBAAgB,CAAA;IACvB,MAAM,CAAC,EAAE,kBAAkB,CAAA;IAC3B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACxB,cAAc,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAA;IACjE,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,oBAAoB;IACnC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAClB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,gBAAgB,CAAA;IACtB,MAAM,EAAE,kBAAkB,CAAA;IAC1B,MAAM,EAAE,kBAAkB,CAAA;IAC1B,YAAY,EAAE,OAAO,CAAA;IACrB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,sBAAuB,SAAQ,oBAAoB;IAClE,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAA;IAC/B,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;IACnB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7B;AA+CD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,cAAc,GAAG,IAAI,GAAG,SAAS,EAC3C,OAAO,GAAE,mBAAwB,GAChC,oBAAoB,CAiBtB;AAED,wBAAgB,eAAe,CAAC,OAAO,GAAE,mBAAwB,GAAG,sBAAsB,CAczF"}
+{"version":3,"file":"usePlatformLogo.d.ts","sourceRoot":"","sources":["../../src/react/usePlatformLogo.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGxD,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,GAAG,MAAM,CAAA;AACjF,MAAM,MAAM,kBAAkB,GAAG,OAAO,GAAG,MAAM,CAAA;AACjD,MAAM,MAAM,kBAAkB,GAAG,UAAU,GAAG,UAAU,GAAG,MAAM,CAAA;AAEjE,MAAM,WAAW,mBAAmB;IAClC,IAAI,CAAC,EAAE,gBAAgB,CAAA;IACvB,MAAM,CAAC,EAAE,kBAAkB,CAAA;IAC3B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACxB,cAAc,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CAAA;IACjE,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,oBAAoB;IACnC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAClB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,gBAAgB,CAAA;IACtB,MAAM,EAAE,kBAAkB,CAAA;IAC1B,MAAM,EAAE,kBAAkB,CAAA;IAC1B,YAAY,EAAE,OAAO,CAAA;IACrB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,sBAAuB,SAAQ,oBAAoB;IAClE,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAA;IAC/B,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;IACnB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7B;AAqDD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,cAAc,GAAG,IAAI,GAAG,SAAS,EAC3C,OAAO,GAAE,mBAAwB,GAChC,oBAAoB,CAiBtB;AAED,wBAAgB,eAAe,CAAC,OAAO,GAAE,mBAAwB,GAAG,sBAAsB,CAczF"}

package/dist/react/usePlatformLogo.js

@@ -25,7 +25,13 @@ function getLogoCandidates(branding, slot, scheme) {
     if (!branding)
         return [];
     if (slot === 'favicon') {
-        return [branding.favicon_url, branding.mark_url, branding.logo_url, branding.logo_light_url, branding.logo_dark_url];
+        return [
+            branding.favicon_url,
+            branding.mark_url,
+            branding.logo_url,
+            branding.logo_light_url,
+            branding.logo_dark_url,
+        ];
     }
     if (slot === 'mark') {
         return [branding.mark_url, branding.logo_url, branding.logo_light_url, branding.logo_dark_url];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bsuite/theme",
-  "version": "0.3.2",
+  "version": "0.4.1",
   "type": "module",
   "license": "UNLICENSED",
   "publishConfig": {
@@ -11,7 +11,7 @@
     "url": "https://github.com/GaryOcean428/bsuite.git",
     "directory": "packages/theme"
   },
-  "description": "BSuite Universal theme — D2C Neon Electric + Braden Corporate baselines. Tailwind v4 preset, CSS vars (5-layer), role aliases, colourblind-safe tokens, eye-strain-safe text scale, BrandingProvider (runtime white-label). Used by BSU, CRM7, conduit, R80.3, throughput (D2C) and braden.com.au (Corporate).",
+  "description": "BSuite Universal theme \u2014 D2C Neon Electric + Braden Corporate baselines. Tailwind v4 preset, CSS vars (5-layer), role aliases, colourblind-safe tokens, eye-strain-safe text scale, BrandingProvider (runtime white-label). Used by BSU, CRM7, conduit, R80.3, throughput (D2C) and braden.com.au (Corporate).",
   "files": [
     "dist",
     "src/css",
@@ -50,7 +50,7 @@
     "@supabase/supabase-js": ">=2.0.0",
     "react": ">=18.0.0",
     "react-dom": ">=18.0.0",
-    "tailwindcss": ">=3.4.0"
+    "tailwindcss": ">=4.0.0"
   },
   "peerDependenciesMeta": {
     "@supabase/supabase-js": {
@@ -61,16 +61,18 @@
     }
   },
   "devDependencies": {
-    "@supabase/supabase-js": "^2.49.4",
+    "@supabase/supabase-js": "^2.105.3",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
-    "@types/node": "^20.0.0",
-    "@types/react": "^18.3.28",
-    "@vitejs/plugin-react": "^5.2.0",
-    "jsdom": "^28.1.0",
-    "react": "^18.3.1",
-    "react-dom": "^18.3.1",
-    "typescript": "~5.7.3",
-    "vitest": "^3.2.4"
+    "@types/node": "^24.12.2",
+    "@types/react": "^19.2.14",
+    "@types/react-dom": "^19.2.3",
+    "@vitejs/plugin-react": "^6.0.1",
+    "jsdom": "^29.1.1",
+    "react": "^19.2.5",
+    "react-dom": "^19.2.5",
+    "typescript": "~5.9.3",
+    "vite": "^8.0.10",
+    "vitest": "^4.1.5"
   }
 }

package/src/css/braden.css

@@ -23,8 +23,8 @@
  * Eye-strain policy is PRESERVED:
  *   Dark text capped at L=0.94. Light text capped at L=0.22 (navy hue 250).
  *
- * OKLCH format mandatory for all new tokens. HSL values below are for
- * legacy Tailwind v3 interop only, marked with LEGACY comments.
+ * OKLCH format mandatory for all new tokens. Tailwind v4+ is the only
+ * supported Tailwind engine for BSuite consumers.
  */
 
 /* ============================================================

package/src/css/runtime-branding.css

@@ -0,0 +1,22 @@
+/*
+ * runtime-branding.css — populated at runtime by <BrandingProvider>
+ *
+ * DO NOT add static values here. BrandingProvider reads the tenant's
+ * branding JSON from Supabase and calls
+ *   document.documentElement.style.setProperty('--primary', value)
+ * for each key. This file is a documentation placeholder only.
+ *
+ * Keys populated at runtime (if tenant has branding configured):
+ *   --primary         (oklch string)
+ *   --accent          (oklch string)
+ *   --accent-primary  (oklch string)
+ *   --app-primary     (oklch string)
+ *   --app-accent      (oklch string)
+ * Logo URLs are injected via JS into CSS vars:
+ *   --logo-url        (url() string)
+ *   --mark-url        (url() string)
+ */
+
+:root[data-branding-loaded="true"] {
+  /* intentionally empty — BrandingProvider injects vars directly via JS */
+}

package/src/css/tokens-brand-corporate-braden.css

@@ -0,0 +1,43 @@
+/*
+ * @bsuite/theme — tokens-brand-corporate-braden.css
+ *
+ * Braden corporate brand deviation.
+ * Applied via .theme-braden or data-brand="braden" — NEVER auto-applied.
+ *
+ * ⚠️  This file is EXEMPT from the D2C oklch-only rule (BRADEN-EXEMPT).
+ *     Do NOT import this file from index.css or any D2C app entry point.
+ *     Braden's own stylesheet opts in explicitly.
+ *
+ * Source of truth: TOKEN-MAPPING.md §4 + §6
+ */
+
+.theme-braden,
+[data-brand="braden"] {
+
+  /* ===== Braden brand primitives ===== */
+  --app-primary:      oklch(0.488 0.170 17.6);    /* Braden Red */
+  --app-accent:       oklch(0.769 0.096 90.9);    /* Braden Gold */
+  --app-primary-dark: oklch(0.400 0.137 16.8);    /* Braden Red — pressed/hover state */
+
+  /* ===== Background ===== */
+  --bg-body:    oklch(1 0 0);
+  --bg-panel:   oklch(1 0 0);
+  --bg-surface: oklch(0.975 0 0);
+
+  /* ===== Text ===== */
+  --text-primary: oklch(0.156 0 0);
+
+  /* ===== Border ===== */
+  --border-color: oklch(0.916 0 0);
+
+  /* ===== Accent / brand ===== */
+  --accent-primary:   oklch(0.488 0.170 17.6);   /* Braden Red */
+  --accent-secondary: oklch(0.769 0.096 90.9);   /* Braden Gold */
+
+  /* ===== shadcn/ui bridge tokens ===== */
+  --primary:            oklch(0.488 0.170 17.6);  /* Braden Red */
+  --primary-foreground: oklch(1 0 0);
+  --accent:             oklch(0.769 0.096 90.9);  /* Braden Gold */
+  --accent-foreground:  oklch(0.156 0 0);
+  --ring:               oklch(0.488 0.170 17.6);  /* Braden Red ring */
+}

package/src/css/tokens-dark.css

@@ -0,0 +1,86 @@
+/*
+ * @bsuite/theme — tokens-dark.css
+ *
+ * Full semantic token set for the dark theme.
+ * Applied to .dark.
+ *
+ * All values are in OKLCH — no hex, no hsl() wrappers.
+ * Source of truth: TOKEN-MAPPING.md v0.2.0 + vars.css
+ */
+
+.dark {
+
+  /* ===== Text ===== */
+  --text-primary:        oklch(0.94 0.012 260);
+  --text-secondary:      oklch(0.82 0.015 260);
+  --text-muted:          oklch(0.68 0.018 260);
+  --text-subtle:         oklch(0.56 0.015 260);
+  --text-disabled:       oklch(0.44 0.010 260);
+  --text-on-primary:     oklch(0.99 0 0);
+  --text-on-surface:     oklch(0.94 0.012 260);
+  --color-primary-text:  oklch(0.623 0.188 259.8);   /* WCAG AA blue text on dark bg */
+  --color-accent-text:   oklch(0.769 0.132 191.7);   /* WCAG AA cyan text on dark bg */
+
+  /* ===== Background ===== */
+  --bg-body:      oklch(0.166 0.026 269.4);           /* deep navy */
+  --bg-surface:   oklch(0.19 0.02 260);
+  --bg-panel:     oklch(0.242 0.03 269.9);
+  --bg-tertiary:  oklch(0.326 0.036 266.7);
+  --bg-elevated:  oklch(0.292 0.034 270);
+  --bg-input:     oklch(0.242 0.03 269.9 / 0.6);
+  --bg-hover:     oklch(0.39 0.035 265);
+  --bg-selected:  oklch(0.546 0.215 262.9 / 0.15);
+
+  /* ===== Border ===== */
+  --border-color:        oklch(0.769 0.132 191.7 / 0.15);
+  --border-color-strong: oklch(0.769 0.132 191.7 / 0.3);
+  --border-shell:        oklch(0.769 0.132 191.7 / 0.18);
+
+  /* ===== Accent / brand ===== */
+  --accent-primary:   oklch(0.546 0.215 262.9);   /* Electric Blue */
+  --accent-secondary: oklch(0.769 0.132 191.7);   /* Electric Cyan */
+
+  /* ===== Status (same values in both themes) ===== */
+  --color-success: oklch(0.697 0.135 172.1);
+  --color-warning: oklch(0.868 0.125 81.4);
+  --color-error:   oklch(0.568 0.202 283.1);
+  --color-info:    oklch(0.769 0.132 191.7);
+
+  /* ===== shadcn/ui bridge tokens ===== */
+  --background:             oklch(0.166 0.026 269.4);
+  --foreground:             var(--text-primary);
+  --card:                   oklch(0.242 0.03 269.9);
+  --card-foreground:        var(--text-primary);
+  --popover:                oklch(0.292 0.034 270);
+  --popover-foreground:     var(--text-primary);
+  --primary:                oklch(0.769 0.132 191.7);  /* Cyan as primary in dark */
+  --primary-foreground:     oklch(0.166 0.026 269.4);
+  --secondary:              oklch(0.242 0.03 269.9);
+  --secondary-foreground:   var(--text-primary);
+  --muted:                  oklch(0.242 0.03 269.9);
+  --muted-foreground:       var(--text-muted);
+  --accent:                 oklch(0.546 0.215 262.9);  /* Blue as accent in dark */
+  --accent-foreground:      var(--text-primary);
+  --destructive:            var(--color-error);
+  --destructive-foreground: oklch(0.99 0 0);
+  --border:                 oklch(0.769 0.132 191.7 / 0.15);
+  --input:                  oklch(0.769 0.132 191.7 / 0.15);
+  --ring:                   oklch(0.769 0.132 191.7);  /* Cyan ring in dark */
+
+  /* ===== Box shadows — deep blacks + neon cyan glow ===== */
+  --shadow-elev-0: none;
+  --shadow-elev-1: 0 1px 3px oklch(0 0 0 / 0.3);
+  --shadow-elev-2: 0 4px 8px oklch(0 0 0 / 0.4), 0 1px 3px oklch(0 0 0 / 0.3);
+  --shadow-elev-3: 0 8px 16px oklch(0 0 0 / 0.5), 0 4px 8px oklch(0 0 0 / 0.3);
+  --shadow-elev-4: 0 16px 32px oklch(0 0 0 / 0.6), 0 8px 16px oklch(0 0 0 / 0.4);
+
+  /* ===== Neon glow helpers ===== */
+  --glow-button:       0 0 20px oklch(0.769 0.132 191.7 / 0.3);
+  --glow-button-hover: 0 0 30px oklch(0.769 0.132 191.7 / 0.5);
+  --glow-card:         0 0 15px oklch(0.769 0.132 191.7 / 0.08);
+  --glow-card-hover:   0 0 25px oklch(0.769 0.132 191.7 / 0.15);
+
+  /* ===== Button shadow ===== */
+  --button-shadow:       0 0 20px oklch(0.769 0.132 191.7 / 0.3);
+  --button-hover-shadow: 0 0 30px oklch(0.769 0.132 191.7 / 0.5);
+}

package/src/css/tokens-high-contrast.css

@@ -0,0 +1,34 @@
+/*
+ * @bsuite/theme — tokens-high-contrast.css
+ *
+ * AAA accessibility overrides for users who have opted into
+ * "More Contrast" in their OS/browser settings.
+ *
+ * Kept intentionally minimal — only tokens that fail AAA at default
+ * values are overridden. All other tokens inherit from tokens-light.css
+ * or tokens-dark.css.
+ *
+ * Source of truth: TOKEN-MAPPING.md v0.2.0
+ */
+
+@media (prefers-contrast: more) {
+
+  /* ----- Light mode overrides (default / :root) ----- */
+  :root,
+  .light {
+    --text-primary:        oklch(0 0 0);   /* pure black */
+    --text-secondary:      oklch(0.1 0 0);
+    --text-muted:          oklch(0.2 0 0);
+    --border-color:        oklch(0 0 0);
+    --border-color-strong: oklch(0 0 0);
+  }
+
+  /* ----- Dark mode overrides ----- */
+  .dark {
+    --text-primary:        oklch(1 0 0);   /* pure white */
+    --text-secondary:      oklch(0.9 0 0);
+    --text-muted:          oklch(0.8 0 0);
+    --border-color:        oklch(1 0 0);
+    --border-color-strong: oklch(1 0 0);
+  }
+}

package/src/css/tokens-light.css

@@ -0,0 +1,89 @@
+/*
+ * @bsuite/theme — tokens-light.css
+ *
+ * Full semantic token set for the light theme.
+ * Applied to :root and .light.
+ *
+ * All values are in OKLCH — no hex, no hsl() wrappers.
+ * Source of truth: TOKEN-MAPPING.md v0.2.0
+ */
+
+:root,
+.light {
+
+  /* ===== Text ===== */
+  --text-primary:        oklch(0.22 0.015 260);
+  --text-secondary:      oklch(0.38 0.018 260);
+  --text-muted:          oklch(0.52 0.018 260);
+  --text-subtle:         oklch(0.60 0.012 260);
+  --text-disabled:       oklch(0.72 0.010 260);
+  --text-on-primary:     oklch(0.99 0 0);
+  --text-on-surface:     oklch(0.22 0.015 260);
+  --color-primary-text:  oklch(0.485 0.243 263.6);   /* WCAG AA blue text on light bg */
+  --color-accent-text:   oklch(0.486 0.084 191.5);   /* WCAG AA cyan text on light bg */
+
+  /* ===== Background ===== */
+  --bg-body:      oklch(0.961 0 0.5);
+  --bg-surface:   oklch(0.982 0.002 248);
+  --bg-panel:     oklch(1 0 0);
+  --bg-tertiary:  oklch(0.963 0.003 228.9);
+  --bg-elevated:  oklch(1 0 0);
+  --bg-input:     oklch(0.982 0.002 248);
+  --bg-hover:     oklch(0.963 0.003 228.9);
+  --bg-selected:  oklch(0.546 0.215 262.9 / 0.08);
+
+  /* ===== Border ===== */
+  --border-color:        oklch(0.916 0.006 248);
+  --border-color-strong: oklch(0.741 0.022 250 / 0.5);
+  --border-shell:        oklch(0.741 0.022 250 / 0.2);
+
+  /* ===== Accent / brand ===== */
+  --accent-primary:   oklch(0.546 0.215 262.9);   /* Electric Blue */
+  --accent-secondary: oklch(0.769 0.132 191.7);   /* Electric Cyan */
+
+  /* ===== Status ===== */
+  --color-success: oklch(0.697 0.135 172.1);
+  --color-warning: oklch(0.868 0.125 81.4);
+  --color-error:   oklch(0.568 0.202 283.1);
+  --color-info:    oklch(0.769 0.132 191.7);
+
+  /* ===== shadcn/ui bridge tokens ===== */
+  --background:             oklch(0.961 0 0.5);
+  --foreground:             var(--text-primary);
+  --card:                   oklch(1 0 0);
+  --card-foreground:        var(--text-primary);
+  --popover:                oklch(1 0 0);
+  --popover-foreground:     var(--text-primary);
+  --primary:                oklch(0.546 0.215 262.9);  /* Electric Blue */
+  --primary-foreground:     var(--text-on-primary);
+  --secondary:              oklch(0.961 0 0.5);
+  --secondary-foreground:   var(--text-primary);
+  --muted:                  oklch(0.961 0 0.5);
+  --muted-foreground:       var(--text-muted);
+  --accent:                 oklch(0.769 0.132 191.7);  /* Electric Cyan */
+  --accent-foreground:      oklch(0.17 0.02 260);
+  --destructive:            var(--color-error);
+  --destructive-foreground: oklch(0.99 0 0);
+  --border:                 oklch(0.916 0.006 248);    /* from hsl(214.3 31.8% 91.4%) */
+  --input:                  oklch(0.916 0.006 248);
+  --ring:                   oklch(0.546 0.215 262.9);  /* Electric Blue */
+
+  /* ===== Border-radius ===== */
+  --radius: 0.5rem;
+
+  /* ===== Box shadows — soft neutral, no neon glow in light mode ===== */
+  --shadow-elev-0: none;
+  --shadow-elev-1: 0 1px 2px oklch(0 0 0 / 0.05);
+  --shadow-elev-2: 0 4px 6px oklch(0 0 0 / 0.07), 0 2px 4px oklch(0 0 0 / 0.06);
+  --shadow-elev-3: 0 10px 15px oklch(0 0 0 / 0.1), 0 4px 6px oklch(0 0 0 / 0.05);
+  --shadow-elev-4: 0 20px 25px oklch(0 0 0 / 0.1), 0 10px 10px oklch(0 0 0 / 0.04);
+
+  /* ===== Glow helpers — disabled in light mode ===== */
+  --glow-button:       none;
+  --glow-button-hover: none;
+  --glow-card:         none;
+  --glow-card-hover:   none;
+
+  /* ===== Button shadow — transparent/none in light mode ===== */
+  --button-shadow: none;
+}

package/src/css/utilities.css

@@ -2,7 +2,7 @@
  * @bsuite/theme — utility classes
  *
  * Pure CSS (no Tailwind @apply) so this file is safe to import from any
- * consumer regardless of their Tailwind version (v3 or v4).
+ * consumer on Tailwind v4 or later.
  */
 
 /* ===== Glow effects (oklch with alpha scaled by glow-strength) ===== */