# 14 · Glossary of Terms — Stella Ops
(v1.0 — 12 Jul 2025 · first real content, replaces placeholder v0.1)
### 0 Purpose
A concise, single‑page “what does that acronym actually mean?” reference for
developers, DevOps engineers, IT managers and auditors who are new to the
Stella Ops documentation set.
If you meet a term in any Stella Ops doc that is not listed here, please open a PR and append it alphabetically.
## A – C
| Term | Short definition | Links / notes |
|---|---|---|
| ADR | Architecture Decision Record – lightweight Markdown file that captures one irreversible design decision. | ADR template lives at /docs/adr/ |
| AIRE | AI Risk Evaluator – optional Plus/Pro plug‑in that suggests mute rules using an ONNX model. | Commercial feature |
| Azure‑Pipelines | CI/CD service in Microsoft Azure DevOps. | Recipe in Pipeline Library |
| BDU | Russian (FSTEC) national vulnerability database: База данных уязвимостей. | Merged with NVD by FeedMerger |
| BuildKit | Modern Docker build engine with caching and concurrency. | Needed for layer cache patterns |
| CI | Continuous Integration – automated build/test pipeline. | Stella integrates via CLI |
| Cosign | Open‑source Sigstore tool that signs & verifies container images and files. | Images & OUK tarballs |
| CWV / CLS | Core Web Vitals metric – Cumulative Layout Shift. | UI budget ≤ 0.1 |
| CycloneDX | Open SBOM (BOM) standard alternative to SPDX. | Planned report format plug‑in |
## D – G
| Term | Definition | Notes |
|---|---|---|
| Digest (image) | SHA‑256 hash uniquely identifying a container image or layer. | Pin digests for reproducible builds |
| Docker‑in‑Docker (DinD) | Running Docker daemon inside a CI container. | Used in GitHub / GitLab recipes |
| DTO | Data Transfer Object – C# record serialised to JSON. | Schemas in doc 11 |
| FeedMerger | Background job that merges NVD JSON and (optionally) BDU XML into Redis. | Cron default 0 1 * * * |
| FSTEC | Russian regulator issuing SOBIT certificates. | Pro GA target |
| Gitea | Self‑hosted Git service – mirrors GitHub repo. | OSS hosting |
| GOST TLS | TLS cipher‑suites defined by Russian GOST R 34.10‑2012 / 34.11‑2012. | Provided by OpenSslGost or CryptoPro |
| Grype | Alternative OSS vulnerability scanner; can be hot‑loaded as plug‑in. | Scanner interface IScannerRunner |
## H – L
| Term | Definition | Notes |
|---|---|---|
| Helm | Kubernetes package manager (charts). | Beta chart under /charts/core |
| Hot‑load | Runtime discovery & loading of plug‑ins without restart. | Cosign‑signed DLLs |
| Hyperfine | CLI micro‑benchmark tool used in Performance Workbook. | Outputs CSV |
| JWT | JSON Web Token – bearer auth token issued by OpenIddict. | Scope scanner, admin, ui |
| K3s / RKE2 | Lightweight Kubernetes distributions (Rancher). | Supported in K8s guide |
| Kubernetes NetworkPolicy | K8s resource controlling pod traffic. | Redis/Mongo isolation |
## M – O
| Term | Definition | Notes |
|---|---|---|
| Mongo (optional) | Document DB storing > 180 day history and audit logs. | Off by default in Core |
| Mute rule | JSON object that suppresses specific CVEs until expiry. | Schema mute-rule‑1.json |
| NVD | US‑based National Vulnerability Database. | Primary CVE source |
| ONNX | Portable neural‑network model format; used by AIRE. | Runs in‑process |
| OpenIddict | .NET library that implements OAuth2 / OIDC in Stella backend. | Embedded IdP |
| OUK | Offline Update Kit – signed tarball with images + feeds for air‑gap. | Admin guide #24 |
| OTLP | OpenTelemetry Protocol – exporter for traces & metrics. | /metrics endpoint |
## P – S
| Term | Definition | Notes |
|---|---|---|
| P95 | 95th‑percentile latency metric. | Target ≤ 5 s SBOM path |
| PDF SAR | Security Assessment Report PDF produced by Pro edition. | Cosign‑signed |
| Plug‑in | Hot‑loadable DLL implementing a Stella contract (IScannerRunner, ITlsProvider, etc.). |
Signed with Cosign |
| Problem Details | RFC 7807 JSON error format returned by API. | See API ref §0 |
| Redis | In‑memory datastore used for queue + cache. | Port 6379 |
| Rekor | Sigstore transparency log; future work for signature anchoring. | Road‑map P4 |
| RPS | Requests Per Second. | Backend perf budget 40 rps |
| SBOM | Software Bill of Materials – inventory of packages in an image. | Trivy JSON v2 |
| Santech | Lightweight cli that sends SBOM for vulnerability scanning | |
| Seccomp | Linux syscall filter JSON profile. | Backend shipped non‑root |
| SLA | Service‑Level Agreement – 24 h / 1‑ticket for Pro. | SRE runbook |
| Span |
.NET ref‑like struct for zero‑alloc slicing. | Allowed with benchmarks |
| Styker.NET | Mutation testing runner used on critical libs. | Coverage ≥ 60 % |
## T – Z
| Term | Definition | Notes |
|---|---|---|
| Trivy | OSS CVE scanner powering the default IScannerRunner. |
CLI pinned 0.64 |
| Trivy‑srv | Long‑running Trivy server exposing gRPC API; speeds up remote scans. | Variant A |
| UI tile | Dashboard element showing live metric (scans today, feed age, etc.). | Angular Signals |
| WebSocket | Full‑duplex channel (/ws/scan, /ws/stats) for UI real‑time. |
Used by tiles |
| Zastava | Lightweight agent that inventories running containers and can enforce kills. |
### 11 Change log
| Version | Date | Notes |
|---|---|---|
| v1.0 | 2025‑07‑12 | First populated glossary – 52 terms covering Core docs. |
(End of Glossary v1.0)