# Console branding

## Purpose
- Provide tenant-aware branding without rebuilding the UI.
- Keep branding changes auditable, deterministic, and offline friendly.
- Allow config defaults with per-tenant overrides after login.

## Branding record (Authority)
- brandingId, tenantId, displayName
- logo and favicon (data URI or asset reference)
- themeTokens (CSS variable map for light, dark, high-contrast)
- updatedBy, updatedAtUtc, hash (sha256 of canonical JSON)

## Constraints
- Logo and favicon up to 256 KB each.
- Allowed formats: image/svg+xml, image/png, image/jpeg.
- Theme tokens limited to a whitelist; no arbitrary CSS.

## Configuration layering
1) Static defaults from config.json.
2) Tenant branding fetched after login.
3) Session-only preview overrides (not persisted).

- If Authority is unreachable, the UI uses static defaults.

## API surface
- GET /console/branding (ui.read, authority:branding.read)
- PUT /console/admin/branding (ui.admin, authority:branding.write, fresh-auth)
- POST /console/admin/branding/preview (ui.admin, authority:branding.write)

## UI application
- Branding service applies CSS variables to documentElement.
- Updates header logo and document title.
- Supports theme-specific tokens via data-theme selectors.

## Audit and offline
- Branding updates emit authority.branding.updated events.
- Branding bundles are exported with detached signatures for offline import.
- Console displays the last applied branding hash for verification.

## Related references
- docs/architecture/console-branding.md
- docs/ui/branding.md
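
The branding record constraints and `hash` field described above, as an added example (not the project's own code) of validating a record before it is accepted. The canonical JSON form, the token names in `ALLOWED_TOKENS`, and the hex-colour value rule are assumptions; the page does not specify them.

```python
import base64, hashlib, json, re

MAX_ASSET_BYTES = 256 * 1024                                  # page: 256 KB each
ALLOWED_MIME = {"image/svg+xml", "image/png", "image/jpeg"}   # page: allowed formats
THEMES = {"light", "dark", "high-contrast"}                   # page: theme variants
ALLOWED_TOKENS = {"--brand-primary", "--brand-surface"}       # hypothetical whitelist
SAFE_VALUE = re.compile(r"#[0-9a-fA-F]{3,8}")                 # assumed: hex colours only
DATA_URI = re.compile(r"data:([\w.+-]+/[\w.+-]+);base64,([A-Za-z0-9+/=]*)")

def canonical_hash(record):
    # Assumed canonical form: sorted keys, compact separators, UTF-8, "hash" excluded.
    body = {k: v for k, v in record.items() if k != "hash"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def check_asset(name, value):
    if not value.startswith("data:"):
        return []                       # asset reference: resolved elsewhere, not checked here
    m = DATA_URI.fullmatch(value)
    if not m:
        return [f"{name}: malformed data URI"]
    if m.group(1) not in ALLOWED_MIME:
        return [f"{name}: format {m.group(1)} not allowed"]
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:                  # binascii.Error subclasses ValueError
        return [f"{name}: invalid base64"]
    if len(raw) > MAX_ASSET_BYTES:
        return [f"{name}: {len(raw)} bytes exceeds 256 KB"]
    return []

def validate_branding(record):
    errors = [e for n in ("logo", "favicon") for e in check_asset(n, record.get(n, ""))]
    for theme, tokens in record.get("themeTokens", {}).items():
        if theme not in THEMES:
            errors.append(f"{theme}: unknown theme")
        for key, val in tokens.items():
            if key not in ALLOWED_TOKENS:
                errors.append(f"{theme}: token {key} not whitelisted")
            elif not SAFE_VALUE.fullmatch(str(val)):   # blocks url(), expressions, etc.
                errors.append(f"{theme}: value for {key} rejected")
    if record.get("hash") != canonical_hash(record):
        errors.append("hash: does not match canonical JSON")
    return errors

def sample_record():  # constructed sample, illustrative values only
    png = "data:image/png;base64," + base64.b64encode(b"\x89PNG" + bytes(16)).decode()
    rec = {"brandingId": "b-1", "tenantId": "t-1", "displayName": "Example", "logo": png,
           "favicon": png, "themeTokens": {"light": {"--brand-primary": "#0055aa"}}}
    return {**rec, "hash": canonical_hash(rec)}
```

An SVG that passes the type and size checks can still contain script, so SVG uploads need separate sanitisation.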