Platform · Architecture

Three layers. One product. One contract.

CCEN is built like an operating system and shipped like a platform. The data layer is shared and opinionated. The middle layer is a standard contract every operational app follows. The top layer is open to anyone, our team, third parties, or your team.

Read the SDK contractTalk to engineering
The stackL2 / L1 / L0
L2
Application layer
iframe
First-party · third-party · forks · agents
SubscriptionsForked ReturnsPO Planner agentRFM tileWholesale portalReviews
L1
Standard app interfaces
iframe
Typed contracts. Reference implementations. Pluggable.
SupplyInventoryWarehouseChannelsShippingReturnsCSFinanceMarketing
L0
Core data primitives
native React
Universal entities every commerce business shares
OrdersProductsListingsCustomersCalendarReportsAudit log
L0 surfaces render natively inside CCEN. L1 and L2 apps render in their own secure containers, served from per-app subdomains, and talk to the main app through a shared toolkit (the App Bridge SDK). The browser enforces the boundary. The toolkit enforces the contract.
The thesis

Architecturally an OS. Publicly a platform.

iOS is a useful reference. Architecturally, iOS is an operating system: a kernel, a set of system frameworks (UIKit, CoreData, Metal), and a sandboxed application layer. Publicly, Apple ships it as a platform you adopt as a developer. The substrate is the product. The apps are the surface. The contract between them is what makes the whole thing work.

CCEN is shaped the same way. L0 is the kernel: an opinionated data substrate that holds the entities every commerce business shares. L1 is the framework layer: a typed contract for every operational domain, with first-party reference implementations. L2 is the application layer: every app, ours or yours or a third party's, runs as a peer on the same iframe contract.

The reason this matters is composability. When the substrate is shared, you do not pay a vendor to translate between two tools that both pretend to own your inventory. When the contract is shared, replacing the Inventory app does not break the Returns app. When the app layer is open, your team can fork the L1 reference, customize it for the seventeen ways your business is weird, and ship the result without asking permission.

L0

Seven entities. Universal by design.

L0 is the foundation. Seven entities, modeled the same way for every commerce business. Universal. Minimal. Opinionated. Whether you sell dresses or drill bits, you have these. That shared shape is what makes the rest of the platform possible.

Orders

01 / 07

Line items, fulfillments, returns, exchanges. Unified across every channel a brand sells through. An Order Item points to a Listing Variant, not directly to a Product Variant. That single choice is what makes bundles work without a per-channel hack.

Products

02 / 07

Variants. Inventory levels per location. Internal source of truth for catalog data: images, dimensions, ingredients, hazmat flags, customs codes. Every channel's listing is a projection of this; this never projects from the channel.

Listings

03 / 07

Marketplace-specific representations of Products. Three field-population modes: copy direct from Product, compute from a template (e.g., Brand + Title), or set custom for the channel. A Listing can map to multiple Products, which is how bundles are first-class.

Customers

04 / 07

Records, segments, contacts, lifetime value, RFM scores, order history. One customer entity across DTC, wholesale, and marketplace. Same identity, same merge rules, same audit trail when records are linked or split.

Marketing Moments calendar

05 / 07

A flexible calendar of holidays, sales, launches, and campaigns. Each moment is a tagged date range with metadata. Required for agents to make meaningful decisions: an inventory rebalancer cannot weigh forecasts without knowing when Mother's Day is.

Reports

06 / 07

The report builder and visualization engine. Reports are user-generated content sitting on top of this engine. Every L0 entity and every L1 app's tables are queryable. Saved reports become dashboard tiles. Tiles compose into dashboards.

Audit log

07 / 07

Every mutation, every actor, every timestamp, every IP, every prompt that produced an agent action. Exportable as Parquet, streamable to a SIEM, queryable in DuckDB. Foundational for compliance, debugging, and giving agents a memory of what they have already done.

L1

Nine domains. Each a typed contract.

Every operational domain is a typed interface. CCEN ships the reference implementation for each. Third-party apps compete on quality, specialization, or integrations. Your team can fork any of them. The minimum schema is fixed. Everything beyond it is metadata.

Supply

Upstream / inbound

Vendors, vendor scorecards, product development, purchase orders, vendor invoices, inbound shipments, receiving and discrepancy resolution. Every Supply app on CCEN, ours or third-party, has to do the same minimum: a standard PO line-item shape, a way to ingest ASNs (advance ship notices) from vendors, and a discrepancy signal other apps can listen for.

Inventory

Midstream / positions

Stock positions across locations. Available, reserved, on-hand, in-transit. Reorder points, safety stock, transfer suggestions. Every Inventory app has to do the same minimum: stock positions for each SKU at each location, a way to reserve stock when an order comes in, and a transfer record that warehouse apps can act on.

Warehouse

Midstream / floor ops

WMS surfaces: picking, packing, bin management, cycle counts, pick-path optimization. Every Warehouse app has to do the same minimum: bin-level positions, a pick-list entity, a pack-confirm event, and an exceptions surface for short-picks and damaged items. Every warehouse app on CCEN has to implement the same shape.

Channels

Midstream / connections

Shopify, Amazon, Walmart, eBay, TikTok Shop, EDI partners. Every Channels app has to do the same minimum: a standard connector shape, a way to sync listings, a way to ingest orders, and a per-channel rate-limit budget so one chatty channel does not starve the others. Apps can compete on which channels they support and how reliably they sync.

Shipping

Downstream / outbound

Outbound order fulfillment, label generation, manifest creation, tracking ingestion, proof of delivery. Every Shipping app has to do the same minimum: buy a label, ingest tracking events, quote a carrier rate, and issue a return label that the Returns app can read from.

Returns

Reverse outbound

RMA creation, refund issuance, exchanges, restocking decisions. Every Returns app has to do the same minimum: a reason-code taxonomy, a credit-memo entity, an inspection event, and a routing rule for the warehouse. Returns apps can specialize on B2B credit memos, marketplace claims, or consumer self-serve.

CS

Customer-facing ops

Tickets, SLA tracking, escalations, unified inbox across email, chat, and channel-native messaging. Every CS app has to do the same minimum: a ticket entity scoped to an order, an SLA policy registry, an agent-assignment event, and a macro library. CS apps can compete on routing logic and inbox UX.

Finance

Financial ops

Banking, reconciliation, payouts, chargebacks, cash flow, GL feed (the line items your accountant pushes into QuickBooks or NetSuite). Every Finance app has to do the same minimum: a transaction entity, a reconciliation status, a payout reconciliation surface for each channel, and a chargeback ingestion path. Finance apps can compete on close speed and accounting-system fidelity.

Marketing

Demand-side

Campaigns, MTA (multi-touch attribution), MMM (marketing mix modeling), ad-platform integrations, A/B testing. Every Marketing app has to do the same minimum: a campaign record, an attribution event stream, a budget envelope, and a creative-asset library so the channels app can pick the right banner.

L2

The application layer. All peers.

L2 is the marketplace. First-party CCEN apps, third-party apps, internal forks, AI-composed reports, and agents all live here. The platform contract is identical for every installer. We do not get a privileged door.

Marketplace apps

Distributed at apps.ccen.co. Priced by the developer. Reviewed editorially. Run in the same iframe sandbox as our first-party apps.

Custom micro-apps

Internal-only forks of L1 references, custom dashboards, ops-specific tooling. Live in your tenant. Never touch the marketplace.

AI-composed reports

An agent generates a report tile from a prompt. The tile is a real L2 surface, not a chat overlay. Pinnable, shareable, exportable.

Agents

First-party and custom agents register tools, run workflows, and route approvals. The agent shelf is an L2 surface like any other.

Render boundary

Native React for L0. Iframes for L1 and L2.

Your CCEN home and the seven L0 surfaces (Orders, Products, Customers, Listings, Calendar, Reports, Audit) render in the main app. Every other app, ours and third-party, runs inside its own secure container. Same design system, same tokens, same components. The visual goal: you don't notice.

One toolkit (the App Bridge SDK) bridges across. The main app owns who you are, your theme, the URL bar, the command palette (⌘K), modal dialogs, and keyboard shortcuts. Each app owns its own surface. Every cross-boundary call goes through the toolkit.

Host shell · ccen.co
L0 native Reactsame process as host
OrdersProductsListingsCustomersCalendarReportsAudit log
↕ App Bridge SDK · shared toolkit, both directions, audited
L1 iframe per appinventory.apps.ccen.co · etc
SupplyInventoryWarehouseChannelsShippingReturnsCSFinanceMarketing
L2 iframe per appsubscriptions.apps.ccen.co · etc
SubscriptionsReviewsB2B PortalForked ReturnsPO Planner agentWholesale
Cross-iframe concerns

The seams. And how they hide.

The hard part of the iframe model is making the boundary invisible. These are the surfaces that have to cross it cleanly, and the contracts that handle them.

ConcernHow it works
Command palette (⌘K)The main app owns the palette. Apps register entries through the shared toolkit, scoped to their own surface. Even when focus is inside an app, ⌘K still fires.
ThemingTheme tokens get pushed into every app at mount, and refreshed when the operator switches themes. Apps subscribe through the shared toolkit and apply your tokens to their own UI.
ModalsWhen an app opens a dialog, it floats above the whole CCEN window, not just inside the app's panel. So a 'confirm transfer' dialog never gets clipped at the seam.
ShortcutsHost shortcuts win. Apps register scoped shortcuts that fire only when focus is inside their iframe. Conflicts are resolved at the host layer.
LocaleOperator locale passes in at iframe mount. Apps render dates, currencies, and numbers via the SDK helpers, which read the locale from the host.
TimezoneOperator timezone passes in at iframe mount. All time-bearing entities use the operator's timezone for display, UTC for storage.
Why iframes

The alternatives we rejected.

The iframe is unfashionable. It is also the only model the browser actually enforces. Every other approach trades isolation for ergonomics, and the platform contract has to hold against a hostile third-party app, not just a well-behaved one.

ApproachDecisionReasoning
Shadow DOMRejectedStyle encapsulation only, not a security boundary. Apps would share the host's JavaScript context, so a single compromised dependency in one app reads memory across every other app and the host.
Web WorkersRejectedNo DOM access. Workers are fine for compute, useless for rendering an interactive operational app. Would require a parallel rendering layer in the host, which collapses back to the same trust model as Shadow DOM.
WebAssembly UI sandboxRejectedThe WASM module still renders through host JS. The bytecode is sandboxed, the rendering is not. The framework cost is high and the isolation gain over an iframe is zero.
Single-page app with route-based isolationRejectedNo isolation. Same origin, same JS context, same cookies. Every app sees every other app's state. The model that every other commerce platform ships with, and the model their security incidents originate from.
iframe + COOP / COEPAdoptedBrowser-enforced isolation. Per-origin, per-process, per-cookie-jar. Battle-tested by Stripe, Shopify, and Google Docs. Extra modern hardening (COOP and COEP) layered on top to defend against the latest browser memory attacks. The cost is the App Bridge SDK, which we needed anyway.
The contract

The App Bridge SDK is the contract.

One toolkit. Apps import it. They register the tools they expose, ask for the permissions they need, listen for events from the rest of CCEN, and read or write your data. The full reference is published with every release.

App Bridge SDK reference
@ccen/app-bridge · representative surface
import { ccen } from "@ccen/app-bridge";

// Read L0 entities through typed methods
const orders = await ccen.orders.list({ status: "processing" });

// Open a host-level modal from inside an iframe
await ccen.modal.open({ title: "Edit transfer", url: "/transfer/edit" });

// Register a scoped shortcut
ccen.shortcut.register("cmd+s", () => save());

// Subscribe to theme changes from the host
ccen.theme.onChange((tokens) => applyTheme(tokens));

// Register a tool the agent runtime can pick up
ccen.tools.register({
  id: "transfer.create",
  capability: "inventory.transfer",
  scope: ["inventory:write"],
  approval: "single_sign_off",
  // ...
});
For engineering teams

Read the contract. Then talk to us.

The App Bridge SDK reference is published. Every L1 interface has a typed contract. The reference apps are open source. Pull them apart, find the seams, then book a conversation with our engineering team about your platform fit.

Read the App Bridge SDK docsTalk to engineering