@elevasis/ui 2.36.0 → 2.38.0

package/dist/auth/index.js

@@ -1,7 +1,11 @@
-export { AdminGuard, ProtectedRoute, useSessionCheck as useRefocusSessionCheck, useSessionCheck, useStableAccessToken } from '../chunk-VKIZUUPM.js';
+export { AccessGuard, ProtectedRoute, useSessionCheck as useRefocusSessionCheck, useSessionCheck, useStableAccessToken } from '../chunk-7YXZFS56.js';
+export { AccessKeys } from '../chunk-4O3VAALW.js';
+import '../chunk-C6BDBZRO.js';
 import '../chunk-533DUEQY.js';
+import '../chunk-566XWGPP.js';
 import '../chunk-DD3CCMCZ.js';
 import '../chunk-2Q2JQSQO.js';
+import '../chunk-6ROXVZ3L.js';
 import '../chunk-KJ3QUBNU.js';
 export { AuthProvider, useAuthContext } from '../chunk-BRJ3QZ4E.js';
 import '../chunk-I2KLQ2HA.js';

package/dist/charts/index.js

@@ -1,15 +1,21 @@
-export { ActivityTrendChart, ChartFrame, CombinedTrendChart, CostTrendChart, CyberAreaChart, CyberDonut, CyberDonutTooltip, CyberLegendItem, HeroStatsRow, getSeriesColor, useCyberColors } from '../chunk-SIQ3P4OR.js';
+export { ActivityTrendChart, ChartFrame, CombinedTrendChart, CostTrendChart, CyberAreaChart, CyberDonut, CyberDonutTooltip, CyberLegendItem, HeroStatsRow, getSeriesColor, useCyberColors } from '../chunk-7GQFIWP4.js';
+import '../chunk-I53EX4VU.js';
 import '../chunk-3KMDHCAR.js';
+import '../chunk-S3XR4II4.js';
 import '../chunk-NYBEU5TE.js';
 import '../chunk-DT3QYZVU.js';
 import '../chunk-2IFYDILW.js';
 import '../chunk-Q7DJKLEN.js';
-import '../chunk-GEFWMU26.js';
+import '../chunk-X66MVMZT.js';
 import '../chunk-KRWALB24.js';
-import '../chunk-VKIZUUPM.js';
+import '../chunk-7YXZFS56.js';
+import '../chunk-4O3VAALW.js';
+import '../chunk-C6BDBZRO.js';
 import '../chunk-533DUEQY.js';
+import '../chunk-566XWGPP.js';
 import '../chunk-DD3CCMCZ.js';
 import '../chunk-2Q2JQSQO.js';
+import '../chunk-6ROXVZ3L.js';
 import '../chunk-KJ3QUBNU.js';
 import '../chunk-BRJ3QZ4E.js';
 import '../chunk-I2KLQ2HA.js';

package/dist/chunk-4O3VAALW.js

@@ -0,0 +1,349 @@
+import { useOptionalElevasisSystems } from './chunk-C6BDBZRO.js';
+import { InitializationContext } from './chunk-533DUEQY.js';
+import { DEFAULT_ORGANIZATION_MODEL, listAllSystems, getSystem } from './chunk-566XWGPP.js';
+import { OrganizationContext } from './chunk-DD3CCMCZ.js';
+import { STALE_TIME_DEFAULT } from './chunk-6ROXVZ3L.js';
+import { ElevasisServiceContext } from './chunk-KJ3QUBNU.js';
+import { useContext, useMemo } from 'react';
+import { useQuery } from '@tanstack/react-query';
+import { z } from 'zod';
+
+// ../core/src/auth/multi-tenancy/permissions.ts
+var PERMISSIONS = {
+  ORG_READ: "org.read",
+  ORG_MANAGE: "org.manage",
+  ORG_DELETE: "org.delete",
+  MEMBERS_MANAGE: "members.manage",
+  ROLES_MANAGE: "roles.manage",
+  SECRETS_MANAGE: "secrets.manage",
+  OPERATIONS_READ: "operations.read",
+  OPERATIONS_MANAGE: "operations.manage",
+  ACQUISITION_MANAGE: "acquisition.manage",
+  PROJECTS_MANAGE: "projects.manage",
+  CLIENTS_MANAGE: "clients.manage"
+};
+var PERMISSION_CATALOG = [
+  {
+    key: "org.read",
+    description: "Read organization profile and listings",
+    isOrgGrantable: true
+  },
+  {
+    key: "org.manage",
+    description: "Update organization settings",
+    isOrgGrantable: false
+  },
+  {
+    key: "org.delete",
+    description: "Delete the organization (owner-only)",
+    isOrgGrantable: false
+  },
+  {
+    key: "members.manage",
+    description: "Invite, remove, and reassign roles for members",
+    isOrgGrantable: false
+  },
+  {
+    key: "roles.manage",
+    description: "Grant or revoke privileged system roles (owner, admin) within the organization",
+    isOrgGrantable: false
+  },
+  {
+    key: "secrets.manage",
+    description: "Create, update, and delete API keys and credentials",
+    isOrgGrantable: false
+  },
+  {
+    key: "operations.read",
+    description: "View executions, sessions, schedules, and command queue",
+    isOrgGrantable: true
+  },
+  {
+    key: "operations.manage",
+    description: "Run and modify executions, sessions, schedules, queue",
+    isOrgGrantable: true
+  },
+  {
+    key: "acquisition.manage",
+    description: "Create, update, and delete acquisition records (acq_companies, acq_contacts, acq_deals, acq_lists*, acq_content*, acquisition storage files)",
+    isOrgGrantable: false
+  },
+  {
+    key: "projects.manage",
+    description: "Create, update, and delete project records (prj_projects, prj_milestones, prj_tasks, prj_notes)",
+    isOrgGrantable: false
+  },
+  {
+    key: "clients.manage",
+    description: "Create, update, and delete client hub records (clients, clt_* satellites)",
+    isOrgGrantable: false
+  }
+];
+new Set(PERMISSION_CATALOG.map((p) => p.key));
+var DEFAULT_ACCESS_ACTION = "view";
+var PLATFORM_ADMIN_ACCESS_KEY = "platform.admin";
+var PLATFORM_ADMIN_ACCESS_KEY_SHORTHAND = "platformAdmin";
+var AccessActionSchema = z.enum(["view", "manage"]);
+var AccessKeyObjectSchema = z.object({
+  systemPath: z.string().trim().min(1),
+  action: AccessActionSchema.default(DEFAULT_ACCESS_ACTION)
+}).strict();
+var AccessKeyInputSchema = z.union([z.string().trim().min(1), AccessKeyObjectSchema]);
+var NormalizedAccessKeySchema = AccessKeyObjectSchema;
+var DIAGNOSTIC_VIEW_ACCESS_KEYS = [
+  "diagnostic.operations.overview",
+  "diagnostic.operations.recent-executions",
+  "diagnostic.monitoring.execution-logs",
+  "diagnostic.monitoring.notifications"
+];
+var AccessKeys = {
+  platformAdmin: { systemPath: PLATFORM_ADMIN_ACCESS_KEY, action: DEFAULT_ACCESS_ACTION },
+  organizationManage: { systemPath: "permission.org", action: "manage" },
+  membersManage: { systemPath: "permission.members", action: "manage" },
+  rolesManage: { systemPath: "permission.roles", action: "manage" },
+  secretsManage: { systemPath: "permission.secrets", action: "manage" },
+  operationsRead: { systemPath: "permission.operations", action: DEFAULT_ACCESS_ACTION },
+  operationsManage: { systemPath: "permission.operations", action: "manage" },
+  acquisitionManage: { systemPath: "permission.acquisition", action: "manage" },
+  projectsManage: { systemPath: "permission.projects", action: "manage" },
+  clientsManage: { systemPath: "permission.clients", action: "manage" },
+  operationsOverview: { systemPath: "diagnostic.operations.overview", action: DEFAULT_ACCESS_ACTION },
+  operationsRecentExecutions: { systemPath: "diagnostic.operations.recent-executions", action: DEFAULT_ACCESS_ACTION },
+  monitoringExecutionLogs: { systemPath: "diagnostic.monitoring.execution-logs", action: DEFAULT_ACCESS_ACTION },
+  monitoringNotifications: { systemPath: "diagnostic.monitoring.notifications", action: DEFAULT_ACCESS_ACTION }
+};
+var PERMISSION_ACCESS_KEY_DEFINITIONS = [
+  { key: AccessKeys.organizationManage, rolePermission: PERMISSIONS.ORG_MANAGE },
+  { key: AccessKeys.membersManage, rolePermission: PERMISSIONS.MEMBERS_MANAGE },
+  { key: AccessKeys.rolesManage, rolePermission: PERMISSIONS.ROLES_MANAGE },
+  { key: AccessKeys.secretsManage, rolePermission: PERMISSIONS.SECRETS_MANAGE },
+  { key: AccessKeys.operationsRead, rolePermission: PERMISSIONS.OPERATIONS_READ },
+  { key: AccessKeys.operationsManage, rolePermission: PERMISSIONS.OPERATIONS_MANAGE },
+  { key: AccessKeys.acquisitionManage, rolePermission: PERMISSIONS.ACQUISITION_MANAGE },
+  { key: AccessKeys.projectsManage, rolePermission: PERMISSIONS.PROJECTS_MANAGE },
+  { key: AccessKeys.clientsManage, rolePermission: PERMISSIONS.CLIENTS_MANAGE }
+];
+function normalizeAccessKey(input) {
+  const parsed = AccessKeyInputSchema.parse(input);
+  const normalized = typeof parsed === "string" ? {
+    systemPath: parsed === PLATFORM_ADMIN_ACCESS_KEY_SHORTHAND ? PLATFORM_ADMIN_ACCESS_KEY : parsed,
+    action: DEFAULT_ACCESS_ACTION
+  } : parsed;
+  return NormalizedAccessKeySchema.parse(normalized);
+}
+function rolePermissionForAccessKey(key) {
+  if (key.action === DEFAULT_ACCESS_ACTION) return void 0;
+  return `${key.systemPath}.${key.action}`;
+}
+function groupCatalogEntries(entries) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const entry of entries) {
+    const existing = grouped.get(entry.key.systemPath) ?? [];
+    existing.push(entry);
+    grouped.set(entry.key.systemPath, existing);
+  }
+  return grouped;
+}
+function buildCatalogEntry(systemPath, action, source) {
+  const key = normalizeAccessKey({ systemPath, action });
+  return {
+    key,
+    source,
+    rolePermission: rolePermissionForAccessKey(key)
+  };
+}
+function deriveAccessKeyCatalog(organizationModel, options = {}) {
+  const { diagnosticKeys = DIAGNOSTIC_VIEW_ACCESS_KEYS, includeManageActions = true } = options;
+  const entries = [
+    buildCatalogEntry(PLATFORM_ADMIN_ACCESS_KEY, DEFAULT_ACCESS_ACTION, "platform")
+  ];
+  for (const { path } of listAllSystems(organizationModel)) {
+    entries.push(buildCatalogEntry(path, DEFAULT_ACCESS_ACTION, "om-system"));
+    if (includeManageActions) {
+      entries.push(buildCatalogEntry(path, "manage", "om-system"));
+    }
+  }
+  for (const { key, rolePermission } of PERMISSION_ACCESS_KEY_DEFINITIONS) {
+    entries.push({
+      key,
+      source: "permission",
+      rolePermission
+    });
+  }
+  for (const systemPath of diagnosticKeys) {
+    entries.push(buildCatalogEntry(systemPath, DEFAULT_ACCESS_ACTION, "diagnostic"));
+  }
+  return {
+    bySystemPath: groupCatalogEntries(entries),
+    entries
+  };
+}
+function findAccessCatalogEntry(catalog, key) {
+  return catalog.bySystemPath.get(key.systemPath)?.find((entry) => entry.key.action === key.action);
+}
+
+// ../core/src/auth/access-model.ts
+var ALLOWED = { allowed: true, restrictedBy: null, reason: "allowed" };
+var PLATFORM_ADMIN_BYPASS = {
+  allowed: true,
+  restrictedBy: null,
+  reason: "platform-admin-bypass"
+};
+function deny(restrictedBy, reason) {
+  return { allowed: false, restrictedBy, reason };
+}
+function isPlatformAdmin(profile) {
+  return profile?.isPlatformAdmin === true || profile?.is_platform_admin === true;
+}
+function diagnosticAllowlistHas(allowlist, systemPath) {
+  if (allowlist === void 0) return false;
+  return "has" in allowlist ? allowlist.has(systemPath) : allowlist.includes(systemPath);
+}
+function lifecycleAllowsAccess(lifecycle, ctx) {
+  if (lifecycle === "active") return true;
+  if (lifecycle === "beta") return ctx.betaAccessEnabled === true || ctx.isDevelopment === true;
+  return false;
+}
+function getPermissionSource(ctx) {
+  return ctx.permissions ?? ctx.membership?.effectivePermissions;
+}
+function hasRequiredPermission(key, rolePermission, ctx) {
+  const permissionSource = getPermissionSource(ctx);
+  if (permissionSource === void 0 || permissionSource === null) return true;
+  const requiredPermission = rolePermission ?? `${key.systemPath}.${key.action}`;
+  return permissionSource.includes(requiredPermission);
+}
+function hasExplicitRequiredPermission(rolePermission, ctx) {
+  const permissionSource = getPermissionSource(ctx);
+  return rolePermission !== void 0 && permissionSource !== void 0 && permissionSource !== null ? permissionSource.includes(rolePermission) : false;
+}
+function checkAccess(input, ctx) {
+  if (isPlatformAdmin(ctx.profile)) return PLATFORM_ADMIN_BYPASS;
+  const parsed = (() => {
+    try {
+      return normalizeAccessKey(input);
+    } catch {
+      return null;
+    }
+  })();
+  if (parsed === null) return deny("catalog", "invalid-access-key");
+  const catalog = ctx.accessCatalog ?? deriveAccessKeyCatalog(ctx.organizationModel);
+  const catalogEntry = findAccessCatalogEntry(catalog, parsed);
+  if (catalogEntry === void 0) return deny("catalog", "unknown-access-key");
+  const membership = ctx.membership;
+  if (membership === void 0 || membership === null) return deny("membership", "missing-membership");
+  if (membership.organizationId !== ctx.organizationId) return deny("membership", "organization-mismatch");
+  if (parsed.systemPath === PLATFORM_ADMIN_ACCESS_KEY) {
+    return deny("role-permission", "role-permission-denied");
+  }
+  if (catalogEntry.source === "diagnostic") {
+    if (!diagnosticAllowlistHas(ctx.diagnosticAllowlist, parsed.systemPath)) {
+      return deny("diagnostic-allowlist", "diagnostic-key-not-allowed");
+    }
+    if (parsed.action !== DEFAULT_ACCESS_ACTION && !hasRequiredPermission(parsed, catalogEntry.rolePermission, ctx)) {
+      return deny("role-permission", "role-permission-denied");
+    }
+    return ALLOWED;
+  }
+  if (catalogEntry.source === "permission") {
+    if (!hasExplicitRequiredPermission(catalogEntry.rolePermission, ctx)) {
+      return deny("role-permission", "role-permission-denied");
+    }
+    return ALLOWED;
+  }
+  const system = getSystem(ctx.organizationModel, parsed.systemPath);
+  if (system === void 0 || !lifecycleAllowsAccess(system.lifecycle, ctx)) {
+    return deny("system-lifecycle", "system-not-active");
+  }
+  if (parsed.action !== DEFAULT_ACCESS_ACTION && !hasRequiredPermission(parsed, catalogEntry.rolePermission, ctx)) {
+    return deny("role-permission", "role-permission-denied");
+  }
+  return ALLOWED;
+}
+function createAccessModel(organizationModel) {
+  const catalog = deriveAccessKeyCatalog(organizationModel);
+  return {
+    catalog,
+    checkAccess: (key, ctx) => checkAccess(key, { ...ctx, organizationModel, accessCatalog: catalog })
+  };
+}
+
+// src/hooks/access/useAccess.ts
+var MISSING_CONTEXT_ANSWER = {
+  allowed: false,
+  restrictedBy: "membership",
+  reason: "missing-membership"
+};
+function readStringArray(value) {
+  return Array.isArray(value) && value.every((item) => typeof item === "string") ? value : void 0;
+}
+function membershipPermissions(membership) {
+  if (!membership || typeof membership !== "object") return void 0;
+  const record = membership;
+  return readStringArray(record.effectivePermissions) ?? readStringArray(record.effective_permissions);
+}
+function resolveOrganizationId(organization) {
+  const membership = organization?.currentMembership;
+  return organization?.currentSupabaseOrganizationId ?? membership?.organizationId ?? membership?.organization?.id ?? null;
+}
+function toAccessMembership(membership, organizationId, permissions) {
+  if (!membership || !organizationId) return null;
+  return {
+    id: membership.id,
+    organizationId: membership.organizationId ?? organizationId,
+    role: membership.role?.slug ?? null,
+    effectivePermissions: permissions
+  };
+}
+function useAccess(key) {
+  const initialization = useContext(InitializationContext);
+  const organization = useContext(OrganizationContext);
+  const services = useContext(ElevasisServiceContext);
+  const systems = useOptionalElevasisSystems();
+  const profile = initialization?.profile ?? null;
+  const isPlatformAdmin2 = profile?.is_platform_admin === true;
+  const organizationId = resolveOrganizationId(organization);
+  const membership = organization?.currentMembership ?? null;
+  const organizationModel = systems?.organizationModel ?? DEFAULT_ORGANIZATION_MODEL;
+  const permissionsFromMembership = useMemo(() => membershipPermissions(membership), [membership]);
+  const shouldFetchPermissions = Boolean(services?.isReady && organizationId && !isPlatformAdmin2);
+  const permissionsQuery = useQuery({
+    // eslint-disable-next-line @tanstack/query/exhaustive-deps -- services.apiRequest is a stable context fn, not cache-relevant; query is keyed by organizationId
+    queryKey: ["access-permissions", organizationId],
+    queryFn: () => services.apiRequest(`/memberships/my-permissions/${organizationId}`),
+    enabled: shouldFetchPermissions,
+    staleTime: STALE_TIME_DEFAULT
+  });
+  const permissions = useMemo(
+    () => isPlatformAdmin2 ? Object.values(PERMISSIONS) : permissionsQuery.data?.permissions ?? permissionsFromMembership ?? [],
+    [isPlatformAdmin2, permissionsFromMembership, permissionsQuery.data?.permissions]
+  );
+  const accessMembership = useMemo(
+    () => toAccessMembership(membership, organizationId, permissions),
+    [membership, organizationId, permissions]
+  );
+  const accessModel = useMemo(() => createAccessModel(organizationModel), [organizationModel]);
+  const answer = useMemo(() => {
+    if (!organizationId && !isPlatformAdmin2) return MISSING_CONTEXT_ANSWER;
+    return accessModel.checkAccess(key, {
+      organizationId: organizationId ?? "",
+      organizationModel,
+      membership: accessMembership,
+      profile,
+      permissions,
+      diagnosticAllowlist: DIAGNOSTIC_VIEW_ACCESS_KEYS,
+      isDevelopment: import.meta.env?.DEV ?? false
+    });
+  }, [accessMembership, accessModel, isPlatformAdmin2, key, organizationId, organizationModel, permissions, profile]);
+  const providerReady = initialization?.organizationReady ?? Boolean(organizationId && accessMembership && systems?.organizationModel);
+  const permissionsReady = !shouldFetchPermissions || !permissionsQuery.isPending;
+  const isReady = isPlatformAdmin2 ? initialization?.userReady ?? true : providerReady && permissionsReady;
+  return {
+    ...answer,
+    isReady,
+    isPlatformAdmin: isPlatformAdmin2,
+    permissions
+  };
+}
+
+export { AccessKeys, useAccess };

package/dist/{chunk-O2Q4VMRN.js → chunk-566XWGPP.js}

@@ -761,107 +761,9 @@ var EntitySchema = z.object({
 var EntitiesDomainSchema = z.record(z.string(), EntitySchema).refine((record) => Object.entries(record).every(([key, entry]) => entry.id === key), {
   message: "Each entity entry id must match its map key"
 }).default({});
-var ENTITY_ENTRY_INPUTS = [
-  {
-    id: "crm.deal",
-    order: 10,
-    label: "Deal",
-    description: "A CRM opportunity or sales pipeline record.",
-    ownedBySystemId: "sales.crm",
-    table: "crm_deals",
-    stateCatalogId: "crm.pipeline",
-    links: [{ toEntity: "crm.contact", kind: "has-many", via: "deal_contacts", label: "contacts" }]
-  },
-  {
-    id: "crm.contact",
-    order: 20,
-    label: "CRM Contact",
-    description: "A person associated with a CRM relationship or deal.",
-    ownedBySystemId: "sales.crm",
-    table: "crm_contacts"
-  },
-  {
-    id: "leadgen.list",
-    order: 30,
-    label: "Lead List",
-    description: "A prospecting list that groups companies and contacts for acquisition workflows.",
-    ownedBySystemId: "sales.lead-gen",
-    table: "acq_lists",
-    links: [
-      { toEntity: "leadgen.company", kind: "has-many", via: "acq_list_companies", label: "companies" },
-      { toEntity: "leadgen.contact", kind: "has-many", via: "acq_list_members", label: "contacts" }
-    ]
-  },
-  {
-    id: "leadgen.company",
-    order: 40,
-    label: "Lead Company",
-    description: "A company record sourced, enriched, and qualified during prospecting.",
-    ownedBySystemId: "sales.lead-gen",
-    table: "acq_list_companies",
-    stateCatalogId: "lead-gen.company",
-    links: [
-      { toEntity: "leadgen.list", kind: "belongs-to", via: "list_id", label: "list" },
-      { toEntity: "leadgen.contact", kind: "has-many", via: "company_id", label: "contacts" }
-    ]
-  },
-  {
-    id: "leadgen.contact",
-    order: 50,
-    label: "Lead Contact",
-    description: "A prospect contact discovered or enriched during lead generation.",
-    ownedBySystemId: "sales.lead-gen",
-    table: "acq_list_members",
-    stateCatalogId: "lead-gen.contact",
-    links: [
-      { toEntity: "leadgen.list", kind: "belongs-to", via: "list_id", label: "list" },
-      { toEntity: "leadgen.company", kind: "belongs-to", via: "company_id", label: "company" }
-    ]
-  },
-  {
-    id: "delivery.project",
-    order: 60,
-    label: "Project",
-    description: "A client delivery project.",
-    ownedBySystemId: "projects",
-    table: "projects",
-    links: [
-      { toEntity: "delivery.milestone", kind: "has-many", via: "project_id", label: "milestones" },
-      { toEntity: "delivery.task", kind: "has-many", via: "project_id", label: "tasks" }
-    ]
-  },
-  {
-    id: "delivery.milestone",
-    order: 70,
-    label: "Milestone",
-    description: "A delivery checkpoint within a project.",
-    ownedBySystemId: "projects",
-    table: "project_milestones",
-    links: [
-      { toEntity: "delivery.project", kind: "belongs-to", via: "project_id", label: "project" },
-      { toEntity: "delivery.task", kind: "has-many", via: "milestone_id", label: "tasks" }
-    ]
-  },
-  {
-    id: "delivery.task",
-    order: 80,
-    label: "Task",
-    description: "A delivery task that can move through the task status catalog.",
-    ownedBySystemId: "projects",
-    table: "project_tasks",
-    stateCatalogId: "delivery.task",
-    links: [
-      { toEntity: "delivery.project", kind: "belongs-to", via: "project_id", label: "project" },
-      { toEntity: "delivery.milestone", kind: "belongs-to", via: "milestone_id", label: "milestone" }
-    ]
-  }
-];
-var DEFAULT_ORGANIZATION_MODEL_ENTITIES = Object.fromEntries(
-  ENTITY_ENTRY_INPUTS.map((entity) => {
-    const parsed = EntitySchema.parse(entity);
-    return [parsed.id, parsed];
-  })
-);
+function defineEntities(entries) {
+  return defineDomainRecord(EntitySchema, entries);
+}
 
 // ../core/src/organization-model/domains/actions.ts
 var ActionResourceIdSchema = z.string().trim().min(1).max(255).regex(/^[A-Za-z0-9]+(?:[-._][A-Za-z0-9]+)*$/, "Resource IDs must use letters, numbers, -, _, or . separators");
@@ -1086,8 +988,33 @@ var IdentityDomainSchema = z.object({
    * background. Populated by /setup; surfaced to agents as organizational context.
    * Optional — many projects have no external client.
    */
-  clientBrief: z.string().trim().default("")
-});
+  clientBrief: z.string().trim().default(""),
+  /**
+   * Display name of the organization as shown to end users.
+   * Recommended placement for display naming — prefer this over the deprecated
+   * `branding.organizationName`. Falls back to `branding.organizationName` for
+   * legacy tenants that have not yet migrated.
+   */
+  organizationName: LabelSchema.optional(),
+  /**
+   * Display name of the primary product or platform.
+   * Recommended placement for display naming — prefer this over the deprecated
+   * `branding.productName`. Falls back to `branding.productName` for legacy tenants.
+   */
+  productName: LabelSchema.optional(),
+  /**
+   * Short abbreviated name used in space-constrained UI surfaces (max 40 chars).
+   * Recommended placement for display naming — prefer this over the deprecated
+   * `branding.shortName`. Falls back to `branding.shortName` for legacy tenants.
+   */
+  shortName: z.string().trim().min(1).max(40).optional(),
+  /**
+   * Plain-language description of the organization for display and discovery.
+   * Recommended placement for display naming — prefer this over the deprecated
+   * `branding.description`. Falls back to `branding.description` for legacy tenants.
+   */
+  description: DescriptionSchema.optional()
+}).passthrough();
 var DEFAULT_ORGANIZATION_MODEL_IDENTITY = {
   mission: "",
   vision: "",
@@ -1374,15 +1301,55 @@ function getAllProjectStatuses(model, appliesTo) {
 // ../core/src/organization-model/contracts.ts
 var PROJECTS_VIEW_ACTION_ID = "delivery.projects.view";
 var OrganizationModelBrandingSchema = z.object({
+  /**
+   * @deprecated Prefer `identity.organizationName`; branding retains it for back-compat.
+   * Legacy tenants that have not set `identity.organizationName` fall back to this field.
+   */
   organizationName: LabelSchema,
+  /**
+   * @deprecated Prefer `identity.productName`; branding retains it for back-compat.
+   * Legacy tenants that have not set `identity.productName` fall back to this field.
+   */
   productName: LabelSchema,
+  /**
+   * @deprecated Prefer `identity.shortName`; branding retains it for back-compat.
+   * Legacy tenants that have not set `identity.shortName` fall back to this field.
+   */
   shortName: z.string().trim().min(1).max(40),
+  /**
+   * @deprecated Prefer `identity.description`; branding retains it for back-compat.
+   * Legacy tenants that have not set `identity.description` fall back to this field.
+   */
   description: DescriptionSchema.optional(),
   logos: z.object({
     light: z.string().trim().min(1).max(2048).optional(),
     dark: z.string().trim().min(1).max(2048).optional()
-  }).default({})
-});
+  }).default({}),
+  /**
+   * Brand voice — how the organization communicates. Plain-language description
+   * of tone, register, and personality (e.g. "Direct and human — no jargon").
+   * Max 280 characters.
+   */
+  voice: z.string().trim().max(280).optional(),
+  /**
+   * Brand tagline or positioning statement — the memorable one-liner that
+   * captures the brand's promise or differentiator. Max 200 characters.
+   */
+  tagline: z.string().trim().max(200).optional(),
+  /**
+   * Core brand values — an ordered list of principles the organization stands
+   * for (e.g. ["Transparency", "Craftsmanship", "Velocity"]). Each entry must
+   * be a non-empty trimmed string.
+   */
+  values: z.array(z.string().trim().min(1)).optional(),
+  /**
+   * ID of the active UI theme preset from the UI theme-presets registry.
+   * The UI layer resolves this to colors and typography via `usePresetsContext()`.
+   * Free-form string — validation and fallback state are handled at the UI layer.
+   * Min 1, max 64 characters.
+   */
+  themePresetId: z.string().trim().min(1).max(64).optional()
+}).passthrough();
 var DEFAULT_ORGANIZATION_MODEL_BRANDING = {
   organizationName: "Default Organization",
   productName: "Organization OS",
@@ -2638,7 +2605,7 @@ var OrganizationModelSchemaBase = z.object({
   resources: ResourcesDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_RESOURCES),
   topology: OmTopologyDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_TOPOLOGY),
   actions: ActionsDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_ACTIONS),
-  entities: EntitiesDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_ENTITIES),
+  entities: EntitiesDomainSchema.default({}),
   policies: PoliciesDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_POLICIES),
   // D3: flat Record<id, OrgKnowledgeNode> — no wrapper object
   knowledge: KnowledgeDomainSchema.default({})
@@ -2647,7 +2614,7 @@ var OrganizationModelSchema = OrganizationModelSchemaBase.superRefine(refineOrga
 
 // ../core/src/organization-model/defaults.ts
 var DEFAULT_ORGANIZATION_MODEL_KNOWLEDGE = {};
-var DEFAULT_ORGANIZATION_MODEL_ENTITIES2 = {};
+var DEFAULT_ORGANIZATION_MODEL_ENTITIES = {};
 var DEFAULT_ORGANIZATION_MODEL_NAVIGATION = {
   sidebar: {
     primary: {},
@@ -2675,7 +2642,7 @@ var DEFAULT_ORGANIZATION_MODEL = {
   // Generic empty actions map. Elevasis-specific action entries have been relocated to
   // `@repo/elevasis-core/src/organization-model/actions.ts`.
   actions: {},
-  entities: DEFAULT_ORGANIZATION_MODEL_ENTITIES2,
+  entities: DEFAULT_ORGANIZATION_MODEL_ENTITIES,
   policies: DEFAULT_ORGANIZATION_MODEL_POLICIES,
   knowledge: DEFAULT_ORGANIZATION_MODEL_KNOWLEDGE
 };
@@ -3745,4 +3712,4 @@ function projectOrganizationSurfaces(model) {
   });
 }
 
-export { ActionSchema, AgentResourceEntrySchema, DEFAULT_SEMANTIC_ICON_REGISTRY, EntitySchema, IdentityDomainSchema, IntegrationResourceEntrySchema, OntologyIdSchema, OrgKnowledgeNodeSchema, PROJECTS_VIEW_ACTION_ID, PolicySchema, RoleSchema, ScriptResourceEntrySchema, SemanticIcon, SurfaceDefinitionSchema, SystemEntrySchema, WorkflowResourceEntrySchema, ancestorsOf, buildOrganizationGraph, childrenOf, compileOrganizationOntology, defaultPathFor, defineActions, defineResources, defineTopology, devOnlyFor, extendSemanticIconRegistry, findById, findByPath, getAllBuildTemplates, getLeadGenStageCatalog, getResourcesForSystem, getSemanticIconComponent, getSortedSidebarEntries, getSystem, getSystemAncestors, listAllSystems, ontologyGraphNodeId, parentOf, parseOntologyId, projectOrganizationSurfaces, requiresAdminFor, resolveOrganizationModel, resolveSemanticIconComponent, resolveSystemConfig, topLevel, topologyRef, topologyRelationship };
+export { ActionSchema, AgentResourceEntrySchema, DEFAULT_ORGANIZATION_MODEL, DEFAULT_SEMANTIC_ICON_REGISTRY, EntitySchema, IdentityDomainSchema, IntegrationResourceEntrySchema, OntologyIdSchema, OrgKnowledgeNodeSchema, PROJECTS_VIEW_ACTION_ID, PolicySchema, RoleSchema, ScriptResourceEntrySchema, SemanticIcon, SurfaceDefinitionSchema, SystemEntrySchema, WorkflowResourceEntrySchema, ancestorsOf, buildOrganizationGraph, childrenOf, compileOrganizationOntology, defaultPathFor, defineActions, defineEntities, defineResources, defineTopology, devOnlyFor, extendSemanticIconRegistry, findById, findByPath, getAllBuildTemplates, getLeadGenStageCatalog, getResourcesForSystem, getSemanticIconComponent, getSortedSidebarEntries, getSystem, getSystemAncestors, listAllSystems, ontologyGraphNodeId, parentOf, parseOntologyId, projectOrganizationSurfaces, requiresAdminFor, resolveOrganizationModel, resolveSemanticIconComponent, resolveSystemConfig, topLevel, topologyRef, topologyRelationship };