Glossary (consolidated, deduped)
| Term | Meaning |
|---|---|
| acl_rule | A declared authorization rule row referencing entity fields and templates ({{caller.organization_memberships}}); compiled by the BFF into SQL-WHERE / predicate / Q. |
| action_type + 6 child classes | The execution-plane primitive: an action row plus parameters, criteria, edits, creates, side-effects, and placements. Compiled per request into an ActionDefinition. |
| action_placement | A row projecting an action onto a surface as a button/form; read-time availability reuses submit-time gate criteria. |
| ActionDefinition | The Pydantic contract the BFF compiles from action_type rows (30s TTL); run by the uniform 8-step pipeline. |
| admin_entity_config | BFF/ontology row carrying per-tenant admin presentation (list/detail config, dashboard_config, nav). Forkable. |
| admin_configs: lane | Sheet importer lane (#440, admin_entity_config_explicit) carrying per-row application, bypassing the entities[] type-gate so KC-virtual rows ride it. |
| APPLY_ORDER / _APPLIED_BLOCKS | FK-ordered list governing the sheet apply walk (yaml_import.py). |
| Atelier | The operator-facing product: declare applications as data; the platform generates the running multi-tenant experience. |
| BFF (admin-api) | The backend-for-frontend and UMS-v2 PEP; owns all plane and public-surface semantics; the ontology engine does not. |
| Block descriptor | The surface-plane unit: a declarative spec dispatched to a WidgetKind by resolveWidget. The authoring↔rendering seam is Block[] + registry keys. |
| Compile-on-save | Publishing a portal_page synchronously, pre-commit, fail-closed emits graduated UMS ACL rules so reader and writer agree by construction. |
| control_plane (metadata axis) | Marks shared infra/vocab/runtime types a fork must NEVER copy. Distinct from forkable. |
| CloudEvents bridge | Fire-and-forget CloudEvents 1.0 emit turning execution_mode=workflow actions into durable Martha creates. emit_cloud_event never raises. |
| Creator-baked ACL | A view freezes its creator's ACL (+ every JOINed type's ACL) into compiled_sql; X-Tenant-Id never narrows a view. Both a feature and a footgun. |
| DataProvider | Per-host security-scoped data fetcher the renderer uses; the admin provider throws on citizen lanes. |
| dashboard_config | Admin dashboard authored on the __dashboard__ admin_entity_config row; edited on the template plane via act-as, forked per tenant. |
| Disclosure floor / projection | Field-level allowlist applied after Gates A+B in the public reader. |
| execution_mode | engine (synchronous BFF pipeline) vs workflow (offloaded to Martha as a submission). |
| Fork (fork_tenant) | One-shot 5-phase full-catalog copy of forkable rows from template_municipality, FK-rewired into a new tenant. Copy-on-create, no live inheritance. |
| forkable (metadata axis) | Per-tenant-config opt-in; the fork copies exactly these rows (fork_plan.py:91-101). |
| Gate A / Gate B | Public reader's twin gates: A = surface admissibility (public_entity_surface), B = UMS row-RLS. |
| Graduated principal | A citizen/anonymous reader whose grants are resolved through UMS for public surfaces. |
| Identity (4 signals) | tenant claim, JWT azp, SpiceDB org/group membership, per-app namespace. |
| Ontology engine (ontology-core-v2) | The runtime schema-evolution data plane; plane-agnostic; one GET /api/v1/{code} read surface; cursor pagination only. |
| page_template / portal_page | Shared non-forked page shapes (9 codes) vs per-tenant forkable portal page rows. |
| PEP consumer application | The BFF's role in UMS-v2: resolve grants under its own application_id, compile, apply at the boundary. |
| prepare_sheet_plan | The four-stage sheet pipeline entry (parse→validate→diff→apply, sheet_apply.py:49). |
| public_entity_surface | Registry row admitting an entity/view for public read (Gate A). |
| resolve_grants / resolveWidget | UMS grant resolution (authz) / widget dispatch registry (surface); distinct subsystems, similarly named. |
| source_kind: view | A public surface backed by an ontology view (citizen aggregates). Bypasses Gates A+B; trust is concentrated on one operator-authored row. |
| Submission | The durable-create primitive: a thin action_submissions ledger row durable at accept time, later materialised by Martha's generic submission_create workflow. |
| submission_contract | The declared shape Martha calls back against to create the entity. |
| Vertical Sheet | The single declarative YAML expressing one application across all three functional planes under its identity.code. |
| Vocabulary / Template / Tenant planes | Provisioning-plane axis (tenant codes system / template_municipality / per-fork); distinguished only by tenant_id. |
| X-Author-Tenant | The sole cross-plane authoring bridge; honored only for callers holding the right UMS tier grant. |
| X-Tenant-Id | Outbound ontology tenant header, derived from JWT; never trusted inbound. |
| tenant_scoped | Whether an entity type's rows are tenant-partitioned. REQUIRED-EXPLICIT in the sheet; engine repo default is False (the named divergence). |
| Role tiers (platform_admins / tenant_admins_<T>) | Control-plane tiers derived from organization_membership(role=admin) on root orgs. |
| NotificationWorkflow | The one Temporal workflow the BFF owns in-process (5 activities) on the admin-notifications queue. |
| notification_event/rule/template | First-class notification ontology rows (Epic #33); the in-code REGISTRY is seed-only. |