| Shell | The platform container — provides identity, RBAC, service registry, and billing to all services |
| Shell JWT | A HS256 JWT issued by Shell API after authentication. Contains sub, email, roles, organizationId. Different from the Keycloak token. |
| Keycloak token | The OAuth2 access token issued by Keycloak. Used by Shell API for token exchange and by remote services to get service-scoped JWTs. |
| PKCE | Proof Key for Code Exchange (RFC 7636). Prevents auth code interception. Shell uses S256: code_challenge = BASE64URL(SHA256(code_verifier)). |
| code_verifier | A 32-byte random string generated per login. Stored in Redis, sent to Keycloak during token exchange. Never sent to the browser. |
| code_challenge | BASE64URL(SHA256(code_verifier)). Sent to Keycloak in the authorize URL. Keycloak verifies it during token exchange. |
| Dual Keycloak URL | Two separate env vars: APP_ENV_KEYCLOAK_URL (public, browser-facing) and APP_ENV_KEYCLOAK_INTERNAL_URL (cluster-internal, server-side token exchange). Required in K8s. |
| ignis-grpc | Custom Connect RPC gateway library in Shell API (src/lib/ignis-grpc/). Exposes gRPC handlers over plain HTTP POST. |
| Connect RPC | A protocol that wraps gRPC over HTTP/1.1 or HTTP/2. Allows calling gRPC services with plain fetch. |
| Module Federation | Webpack/Vite feature that allows loading JavaScript modules from remote URLs at runtime. Shell UI is the host; remote services expose components. |
| ShellEntry | The standard component that every remote service must expose at ./ShellEntry. Shell UI uses this to render the service inside the Shell frame. |
| BroadcastChannel | Web API for cross-tab / cross-iframe messaging. Shell UI broadcasts auth tokens to remote micro-frontends on the veni-auth channel. |
| Service Registry | The services table in the Shell DB. Records name, slug, entryUrl, type, and status for each registered service. |
| SCS | Self-Contained System. Each service owns its UI, API, and data. Services communicate through well-defined APIs, not shared databases. |
| kustomize | Kubernetes configuration management tool. VENI-AI uses overlays (dev, uat, prod) layered over a shared base/. |
| overlay | A kustomize directory that patches the base manifests for a specific environment (e.g. infrastructure/k8s/overlays/dev/). |
| Plan limit | A per-resource usage cap defined in plan_limits (e.g. max 50 employees). Enforced via POST /api/subscriptions/check-limit. |
| Plan usage | Current usage for a resource tracked in plan_usage. Incremented via POST /api/subscriptions/consume. |
| Ignis | Internal framework wrapping Hono. Provides dependency injection, BaseService, BaseController, decorators, and lifecycle hooks. |
| Drizzle ORM | TypeScript ORM for PostgreSQL. Schema defined in src/schemas/*.schema.ts. Migrations in database/migrations/. |
| Casbin | Open-source RBAC/ABAC policy engine. Shell loads the model from config/rbac_model.conf at startup. |
| readOnlyRootFilesystem | Kubernetes security setting that makes the container's root filesystem read-only. Shell API sets APP_ENV_LOG_PATH=/tmp so logs go to the writable /tmp mount. |
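
The PKCE, code_verifier and code_challenge entries above describe one mechanism; the following is an added TypeScript example (not Shell API or Keycloak code) showing both halves of it: the client-side derivation Shell performs at login and the check an authorization server performs at the token endpoint. It assumes Node's built-in crypto module; the Redis storage of the verifier is not modelled.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// RFC 7636 base64url: standard base64 alphabet made URL-safe, padding stripped.
function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// A verifier is 43..128 unreserved characters (RFC 7636 section 4.1).
const VERIFIER_RE = /^[A-Za-z0-9._~-]{43,128}$/;

// Client side (what Shell API does per login): 32 random bytes, base64url-encoded
// gives exactly 43 characters. The verifier never leaves the server; only the
// challenge is placed in the authorize URL.
function generateCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// S256: code_challenge = BASE64URL(SHA256(code_verifier)), hashing the ASCII text.
function computeCodeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Authorization-server side (what Keycloak does during token exchange): reject
// malformed verifiers, recompute the challenge and compare in constant time.
function verifyCodeChallenge(verifier: string, challenge: string): boolean {
  if (!VERIFIER_RE.test(verifier)) return false;
  const expected = Buffer.from(computeCodeChallenge(verifier), "ascii");
  const presented = Buffer.from(challenge, "ascii");
  if (expected.length !== presented.length) return false;
  return timingSafeEqual(expected, presented);
}

// Demo: one login's pair, then two values the server must reject.
const demoVerifier = generateCodeVerifier();
const demoChallenge = computeCodeChallenge(demoVerifier);
console.log(verifyCodeChallenge(demoVerifier, demoChallenge));              // true
console.log(verifyCodeChallenge(generateCodeVerifier(), demoChallenge));    // false: another login's verifier
console.log(verifyCodeChallenge("short", computeCodeChallenge("short")));   // false: verifier too short
```

The first assertion in any test of this code should be the RFC 7636 Appendix B vector, which pins the hash-then-encode order and the unpadded alphabet.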