UI Design System
Interactive showcase of every component in the Publecto design system.
Use Ctrl+K to open the command palette.
Design Tokens
CSS custom properties that encode every visual decision. All component styles use only these tokens — never hardcoded values.
--space-1
--space-2
--space-3
--space-4
--space-5
--space-6
--space-8
--space-10
--space-12
--space-16
--radius-sm
4px
--radius-base
6px
--radius-md
8px
--radius-lg
12px
--radius-full
999px
--shadow-sm
--shadow-base
--shadow-md
--shadow-lg
Typography
Type scale using Inter (sans) and JetBrains Mono (code).
--font-size-xs
The quick brown fox jumps over the lazy dog.
--font-size-sm
The quick brown fox jumps over the lazy dog.
--font-size-base
The quick brown fox jumps over the lazy dog.
--font-size-md
The quick brown fox jumps over the lazy dog.
--font-size-lg
The quick brown fox jumps over the lazy dog.
--font-size-xl
The quick brown fox jumps over the lazy dog.
--font-size-2xl
The quick brown fox jumps over the lazy dog.
--font-size-3xl
The quick brown fox jumps over the lazy dog.
const greeting = "Hello, World!"; // JetBrains Mono
Buttons
All button variants, sizes, states, and loading behavior.
Forms
All form input types with validation states, helpers, and special controls.
Cards & Info
- Posts published
- 12
- Pages updated
- 4
- Media uploaded
- 38 files
- Comments
- 91
- New users
- 7
Platform Architecture Overview
A comprehensive look at Publecto's layered architecture — Base Foundation, Site Design, Modules, and Add-Ons.
Badges, Pills & Tags
Alerts & Banners
storage/published/static/ and can be served from any CDN.Toast Notifications
Click the buttons to fire toasts. They auto-dismiss; pause on hover.
Modals & Dialogs
Drawers
Icon Bar Position
Move the icon bar to any edge of the shell. Top and bottom positions turn it into a horizontal strip; panel tabs and sidebar offsets adapt automatically.
Tooltips & Popovers
- Status
- Published
- Author
- Alice Martin
- Words
- 820
- Created
- Jan 15, 2024
Are you sure you want to delete this item?
Collapsible Panels
Configure SEO metadata, publishing date, canonical URL, and Open Graph images for this post.
Edit the author bio, social links, and profile photo used on post pages.
Control caching, CDN purge behavior, static generation triggers, and webhook firing conditions.
Toolbar & Ribbon
Data Table
Fully interactive: sort columns, search, paginate, select rows, expand rows. 20 rows of sample content.
Floating Window
App Shell
The shell on this very page demonstrates the full layout: header, icon bar, left sidebar, right sidebar, main content area, and footer. Drag the sidebar handles to resize.
i18n & RTL
Select Arabic from the language menu in the header. The entire shell switches to right-to-left layout.
[data-i18n] elements without a page reload. RTL mirrors the entire layout via CSS [dir="rtl"] rules.Empty & Loading States
Auth & Login Patterns
Centered authentication card, CSRF hidden field, error state, and subdirectory-safe form action patterns introduced in Wave 002B.
Enter your credentials to continue.
Enter your credentials to continue.
- All mutating forms (
POST) must include<input type="hidden" name="_csrf_token" value="…">populated fromCsrfService::getSessionToken(). - The
actionattribute must use the$baseUrlprefix passed from the route handler:action="<?= $e(($baseUrl ?? '') . '/login') ?>". This ensures subdirectory deployments (e.g. XAMPP/publecto.com/public/) work correctly. - The
nexthidden field carries the intended post-login destination. The server validates it is a relative path to prevent open-redirect attacks. - On invalid credentials the server re-renders with HTTP 401 and
'error' => 'invalid_credentials'. Inputs receivearia-invalid="true". The error message is always generic (never leaks which field was wrong). - The outer body uses flex centering; the card has
max-width: 400pxand box-shadow. Background is--color-bg-secondaryto distinguish from the card surface. - All design tokens (colors, spacing, radius, shadow) are from the token system — no hardcoded values.
Admin Security Patterns
Admin table layout, permission badge, empty-state, action-confirmation (assign / revoke), and flash feedback patterns introduced in Wave 002C.
| UUID | Status | Joined | |
|---|---|---|---|
a1b2c3d4… |
alice@example.com | active | 2024-01-15 |
e5f6a7b8… |
bob@example.com | inactive | 2024-02-20 |
c9d0e1f2… |
carol@example.com | active | 2024-03-01 |
| User | Role | Scope | Assigned | Action |
|---|---|---|---|---|
| alice@example.com | platform_admin | global | 2024-03-10 |
- All admin POST actions (assign, revoke) must carry
_csrf_tokenverified server-side byCsrfService::verifyToken(). - UUIDs are displayed as first-8-chars + "…" in tables; full UUID is never shown in UI but is preserved in forms as hidden values.
- Role/permission keys use
font-family: var(--font-family-mono)to signal machine-readable identifiers. - Flash messages are stored in
$_SESSION['admin_flash'], read once on GET, then cleared. Values map to i18n keys via$t('admin_' . $flash). - Revoke buttons use
onclick="return confirm(…)"as a lightweight confirmation guard for the demo; production should use a modal dialog for better UX. - password_hash is never exposed in any user-facing listing, API response, or audit log — only uuid, email, status, and created_at.
- Audit events (assign / revoke) use
actor_uuidin metadata because actorId (BIGINT) cannot store a UUID. actorId is set tonull.
Runtime Readiness Patterns
Status badge, readiness category card, per-item check row, and deferred-action patterns introduced in Wave 002D. All static demo — no DB required.
|
PHP Version
PHP 8.2.x (requires >= 8.2)
|
Ready |
| Required Extensions | Ready |
| .env File | Ready |
| DB Config | Ready |
| Writable Directories | Ready |
|
Migrations Applied
2 migration(s) pending — run: php scripts/migrate.php run
|
Warning |
|
Stale Applied Migrations
1 applied migration name(s) not found on disk
|
Warning |
- Status badges use inline styles (5 fixed colors) — no extra CSS classes needed.
- Category cards use the standard
.card/.card-header/.card-bodycomponents. - Check rows use a borderless table inside
.card-bodywithpadding:0. - All detail text comes from i18n keys (
detail_key+detail_params) — never raw English strings from the service. - Readiness checks are all read-only. Deferred actions use
disabled+aria-disabled="true"to signal unavailability without removing the button from the accessibility tree. - The live console at
/admin/runtime-readinessrequiressettings.managepermission. The demo on this page is DB-independent.