Vexal Documentation by WileyLabs

Vexal Experience Framework

Stable

Applies to: Hub, Intake, SmartBlocks, Media, Portfolio, and future Vexal products

Updated: July 2026 — platform milestone

The Vexal Experience Framework is a set of cross-product contracts. Products share architecture and rules—not copied class libraries.

Governing rule

Vexal owns the client-facing experience. WordPress owns authentication security. Each Vexal product owns its authorization, routing, and customer-context rules.

Experience catalog

ExperiencePurposeReference
Authentication ExperienceBranded login, lost-password request, notices, post-reset returnIntake 1.0.028+, Hub 0.3.007+
Workspace ExperienceCustomer shell, account/site context, fail-closed accessHub /vexal-workspace/
Dashboard ExperienceOperator/admin product dashboardsHub Operator Console; SmartBlocks admin
Card ExperienceTrusted registered cardsHub Workspace card registry
Invitation ExperienceSecure invites and email-locked registrationVexal Intake
Notification ExperienceEmail, notices, future SMS/activityEvolving

Authentication Experience

  • Vexal owns UI — branded login and account routes.
  • WordPress owns credentials — hashes, reset keys, cookies, sessions, wp_signon, retrieve_password.
  • Product owns authorization — who may use this product’s client surface.
  • Product owns routing and notices — allow-listed, server-rendered messages only.
  • No parallel password store, custom reset tokens, or second session system.
  • wp-login.php keeps a link back to the product login; administrators keep core recovery.

See Authentication layers, Hub authentication, and Intake authentication.

Workspace Experience

  • Workspace Shell — theme-agnostic full-page app
  • Card Registry — trusted PHP-registered cards
  • Customer Context and Site Context — server-resolved
  • Fail-closed authorization — never guess the first account/site
  • No WordPress admin for Workspace customers
  • Operator capability does not invent customer context

See Hub Workspace.

Dashboard Experience

  • Dashboard Shell for operators/admins
  • Product cards and customer summaries where applicable
  • Product independence — do not conflate with customer Workspace

Card Experience

  • Cards are registered in a trusted PHP registry
  • Product-owned card implementations
  • Customer-safe data only; fail states are first-class
  • Designed for future extensibility without ad-hoc remote HTML

Invitation Experience

  • Client invitations prove email ownership for a product purpose
  • Registration and account ownership remain WordPress-backed
  • Email validation / locked invite email where authoritative
  • Authorized access after invite — product-specific rules

See Intake invitations.

Notification Experience

  • Email (product-owned today)
  • Workspace / account notices (allow-listed keys)
  • SMS — future shared implementation
  • Activity notifications / feeds — product-owned until a shared contract stabilizes

Anti-patterns

  • Copying Intake WI_* classes into Hub (or the reverse)
  • Guessing account/site when context is ambiguous
  • Granting Workspace context from operator capability alone
  • Rendering arbitrary query-string notice text
  • Globally hijacking all wp-login.php traffic

See also