Glossary
| Term | Definition |
|---|---|
| Shell | The central orchestrator — provides identity, RBAC, service registry, and billing to all applications. |
| Satellite | An independent business application (e.g., Drive, HRM) that plugs into the Shell. Also referred to as a "Remote Service." |
| SCS | Self-Contained System. The architectural pattern where each Satellite owns its own UI, API, and Data to ensure maximum autonomy. |
| Shell JWT | An RS256 JWT issued by Shell API after authentication. Validated by Satellites via the public JWKS endpoint. |
| JWKS | JSON Web Key Set. A standard for exposing the Shell's public keys so that Satellites can verify the platform's tokens independently. |
| Keycloak | The primary OIDC Identity Provider used by the Shell for external user authentication. |
| PKCE | Proof Key for Code Exchange. A security protocol used during login to prevent authorization code interception. |
| Module Federation | The technology that allows the Shell to load Satellite UI components at runtime from different URLs. |
| ShellEntry | The mandatory UI component that every Satellite must expose so it can be mounted inside the Shell workspace. |
| Service Registry | The `apps` table in the Shell database that tracks the URLs and metadata for all active Satellites. |
| Connect RPC | The high-performance protocol (Protobuf over HTTP/2) used for internal server-to-server communication. |
| Casbin | The policy engine used by the Shell to manage fine-grained Role-Based Access Control (RBAC). |
| Ignis v2 | The internal backend framework (based on Hono + Bun) used to implement platform services consistently. |
| Drizzle ORM | The TypeScript ORM used for all PostgreSQL interactions and database migrations. |
| Multitenancy | The architecture where multiple organizations share the same infrastructure but remain logically isolated (via `organization_id`). |
| Kustomize | The tool used to manage Kubernetes manifests across different environments (Dev, UAT, Prod). |