Glossary — Vocabulary for the Trusted Rig

Alphabetical. Each entry: term — definition. Where: document references.


AgentCursor — Per-agent projection in Conductor-E tracking the last event ordinal consumed, subscribed event types, concurrent slot count, and in-flight assignments. The mechanism that makes "exactly-once-per-agent" queryable. Where: observability.md, trust-model.md.

AGENTS.md — Cross-tool rules file in every repo, imported from rig-gitops/AGENTS.md. Enforces branching, commits, docs standard, review criteria for both humans and agents. Read by Dev-E, Review-E, Claude Code, other agent runtimes. Where: architecture-current.md.

OpenTelemetry GenAI conventions — Cross-vendor OTel semantic conventions for generative-AI spans (gen_ai.system, gen_ai.request.model, gen_ai.usage.*, etc.). Not Anthropic-specific — adopted by OpenAI, Google, and the OTel community. Experimental in 2026; emitted via OTEL_SEMCONV_STABILITY_OPT_IN=gen_ai/dup during stabilization. The portability substrate behind the rig's backend-agnostic observability. Where: observability.md, provider-portability.md.

Architect-E — Proposed new agent role. Shapes interfaces where semantic shape matters. Default configuration runs Claude Opus 4.7 via Claude Code CLI; configurable per provider-portability.md (Gemini 3.1 Pro is a natural alternative for long-context tasks). Output consumed by humans for T2 interface approval; humans retain final sign-off. Where: index.md, trust-model.md.

Attestation chain — Cryptographic sequence of attestations binding intent → commit → build → image → deploy, each signed by an identity we can trace via Rekor. Kyverno rejects at admission if any link is missing. Where: security.md.

Blast radius — The scope of potential impact of a change. Tier classification (T0/T1/T2/T3) encodes blast radius as a policy. Where: trust-model.md.

Budget exhaustion — State where an agent has spent its hourly or daily token budget. LiteLLM proxy returns 429, Conductor-E enters Open circuit state, dispatcher withholds new work. Where: cost-framework.md.

CaMeL — "Capability Mediation with L-values," from DeepMind's arXiv:2503.18813. Privileged LLM plans with trusted query, quarantined LLM processes untrusted data without tool access. Only prompt-injection defense with a formal guarantee. Where: safety.md, security.md.

Canary — Flagger Custom Resource that wraps an existing Deployment, orchestrating progressive rollout (5% → 25% → 50% → 100%) gated by Prometheus analysis. Where: self-healing.md.

Change Failure Rate (CFR) — DORA metric. % of merged PRs requiring rollback or hotfix within 7 days. Target: <5% for the trusted rig. Where: quality-and-evaluation.md.

Circuit Breaker (Conductor-E) — State machine (Closed / HalfOpen / Open) per agent, controlling dispatch when budget or 529-storm thresholds cross. Prevents runaway spend or retry-loops against an overloaded API. Where: cost-framework.md.

Cilium — eBPF-based CNI providing L3/L4 and L7 (HTTP, DNS/FQDN) network policies. Used for per-agent egress allowlists. Where: security.md.

CLAUDE_CODE_ENABLE_TELEMETRY — Environment variable activating Claude Code's native OpenTelemetry instrumentation. Emits spans per model request + tool execution. Codex CLI (CODEX_OTEL_ENDPOINT) and Gemini CLI (GEMINI_OTEL_EXPORTER_OTLP_ENDPOINT) have equivalent variables — see provider-portability.md. Where: observability.md.

Compaction — Claude Code's context-window management. Triggered at ~83% of the model's context limit. Summarizes prior messages into a 9-section structured summary. May drop mid-task context, causing re-reads. Where: safety.md.

Conductor-E — The rig's central coordinator. .NET 10 event-sourcing API on Marten + Postgres. Hosts the AgentCursor, AgentSubscription, ErrorBudget, and Attestation projections. Where: all documents.

Cosign — Sigstore image signing tool. Keyless via Fulcio OIDC. Signatures stored in Rekor transparency log. Verified at admission by Kyverno. Where: security.md.

Default-deny egress — NetworkPolicy posture where all outbound traffic is blocked except explicit allowlist. Standard for every agent namespace. Where: security.md, safety.md.

Dev-E — The dev-writing agent. Default configuration runs Claude Sonnet 4.6 via Claude Code CLI in a K8s pod; configurable per deployment to any LiteLLM-supported provider + runtime (OpenAI + Codex CLI, Google + Gemini CLI, etc. — see provider-portability.md). Scales to zero on KEDA. Where: all documents.

DORA metrics — Deployment frequency, lead time, MTTR, change failure rate. Google's 2018 research definition, adapted to agent-authored work. Where: quality-and-evaluation.md.

Error budget — (100% − SLO) × window. A service with 99.9% SLO over 28d has an error budget of ~43 minutes of downtime per 28d. When exhausted, non-fix changes freeze. Where: observability.md, self-healing.md.

External Secrets Operator (ESO) — Kubernetes operator that pulls secrets from external sources (Vault, cloud KMS) and makes them available as native Secrets with short TTL. Where: security.md.

Flagd — OpenFeature reference daemon. Runs as sidecar injected via OpenFeature Operator mutating webhook. Serves feature flag evaluations. Where: self-healing.md.

Flagger — FluxCD-native progressive-delivery controller. Defines Canary CRD with Prometheus-backed analysis. Where: self-healing.md.

Fulcio — Sigstore certificate authority. Issues short-lived (10-minute) x509 certs bound to OIDC identities. Used by cosign and gitsign. Where: security.md.

Gitsign — Sigstore tool for signing git commits with ephemeral Fulcio certs. Rekor entry is the non-repudiable record. GitHub UI does not display as "Verified"; verify out-of-band via gitsign verify. Where: security.md.

Goal accuracy — % of dispatched tasks ending in merged PR without human rework. Stanford/NIST AI Agent Standards (2026) metric. Target: >85% for T1 tasks. Where: quality-and-evaluation.md.

GUPP — "Gas Town Universal Propulsion Principle." Gastown's design axiom: "if there's work on your hook, you must run it." Justifies direct-to-main autonomous agents. We do not adopt GUPP. Where: architecture-proposed-v2.md.

Hallucination (LLM) — LLM generating content with no grounding in fact. For code agents: fabricated APIs, nonexistent packages (slopsquatting), wrong line numbers, plausible-but-incorrect refactors. Where: safety.md.

Hook reliability spool — Local queue on the agent pod retaining events when Conductor-E is unreachable. Drain-on-next-hook with exponential backoff. Prevents silent event loss. Where: architecture-proposed-v2.md.

HumanCosign — Attestation from a human OIDC identity (via the prod-approvals GitHub Actions workflow's t3-approve environment). Required by the two-attestor Kyverno policy for any T3 namespace. Where: security.md.

in-toto — Framework for binding steps in a software supply chain to verifiable attestations. Statement is the payload type, Predicate the content. SLSA Provenance is a predicate type. Where: security.md.

Instructor — Python library for forcing structured output from LLMs via Pydantic validation. Claude integration retries on schema failure. Where: safety.md.

KEDA — Kubernetes Event-Driven Autoscaling. Scales pods based on external event source metrics (Valkey stream length, in our case). Scale-to-zero supported. Where: architecture-current.md.

Kill switch — Feature flag flip that disables a code path. Flagd-backed. Latency ~30 seconds from git commit to pod observation. Faster than rollback (~5 minutes). Where: self-healing.md.

Kyverno — Policy engine for Kubernetes. YAML CRDs, native cosign verification. Rejects admission for policy violations. Where: security.md, trust-model.md.

Langfuse — Self-hosted LLM observability platform (AGPL, ClickHouse + Postgres). Primary dashboard for agent cost, quality, prompt versioning, eval results. Where: observability.md.

LiteLLM — LLM gateway / proxy supporting per-virtual-key budgets, rate limits, multi-provider routing. The enforcement point for per-agent cost ceilings. Where: cost-framework.md.

LLM-as-judge — Pattern where one LLM evaluates another LLM's output for quality, consistency, or semantic correctness. Used for sampled quality checks on merged PRs. Where: quality-and-evaluation.md.

Marten — .NET event-store library on top of PostgreSQL. Used by Conductor-E. Supports append-only event log + projection-based read models. Where: architecture-current.md.

MCP — Model Context Protocol. Anthropic's open standard for LLM tool integrations. Implemented by per-MCP servers for GitHub, memory, etc. Where: architecture-current.md, security.md.

OIDC — OpenID Connect. Identity protocol used for keyless Sigstore signing. GitHub Actions issues OIDC tokens that Fulcio binds to x509 certs. Where: security.md.

OpenFeature — CNCF vendor-neutral feature-flag specification. flagd is the reference daemon. Where: self-healing.md.

pgroll — Xata's tool for zero-downtime Postgres migrations via expand/contract. Creates shadow columns, installs triggers for dual-write, keeps both schema versions queryable. Where: self-healing.md.

Prompt caching — Provider-side feature that makes cache hits cheaper than cache misses. Anthropic's cache hits cost ~10% of normal input token cost; OpenAI's prompt caching (beta) and Google's context caching have different discount curves. Requires stable system prompts and explicit cache breakpoints. See provider-portability.md for the cross-vendor pricing comparison. Where: cost-framework.md.

Prompt injection — Attack class where attacker-controlled content (issue body, README, API response) manipulates an LLM agent into unintended actions. Defended by CaMeL separation + L7 egress + tool scoping. Where: safety.md, security.md.

Property-based testing — Testing approach (via Hypothesis) that generates inputs satisfying declared properties and asserts invariants hold. Catches semantic bugs unit tests miss. arXiv:2510.09907 shows agents can generate these effectively. Where: safety.md, quality-and-evaluation.md.

Rekor — Sigstore transparency log. Append-only ledger of signatures and attestations. Entries publicly verifiable. Where: security.md.

Repair-dispatch (a.k.a. "Repair-E") — A dispatch mode of Dev-E, not a separate agent class. Same pod class, same model, triggered by an SLO-burn alert rather than an issue assignment, with a repair-specific system prompt that directs it to read trace + git blame + recent deploys and propose a forward-fix or revert PR. Confidence-scored. Earlier drafts of this whitepaper called it a fifth agent role; honest re-evaluation found the event-shaped-boundary test (see principles.md) is not cleanly met by a separate role. Where: self-healing.md.

Review-E — The code-reviewing agent. Separate from Dev-E (principle: reviewer ≠ author). Default runs Claude Sonnet 4.6, configurable per provider-portability.md. For T2/T3 reviews, may route to a cross-family model (e.g., GPT-5.2 reviewing Claude Sonnet's output) to avoid one-provider confirmation bias. Where: all documents.

SLA — Service Level Agreement. External promise to users. Not the same as SLO.

SLO — Service Level Objective. Internal target (e.g., "99.9% success rate over 28d"). Measured via SLI (Service Level Indicator). The budget math feeds Flagger's analysis gate. Where: observability.md.

SLSA — Supply-chain Levels for Software Artifacts. Framework v1.0 defines Build L0-L3 based on builder isolation and provenance quality. L3 via slsa-github-generator. Where: security.md.

Sigstore — Ecosystem of keyless signing tools (cosign, gitsign) + supporting infra (Fulcio, Rekor). Replaces long-lived PGP/KMS keys with ephemeral OIDC-bound certs. Where: security.md.

Slopsquatting — Supply-chain attack class where attackers pre-register commonly-hallucinated package names. 19.7% of LLM-generated package references are hallucinated; attackers exploit this. Where: safety.md.

Socket.dev — Dependency reputation service. Per-package security score. PR check fails if scores for new deps are below threshold. Where: security.md.

Spec-E — Proposed new agent role. Reads new issues, asks clarifying questions, produces TaskSpec. Default configuration runs Claude Haiku 4.5 (cheap for many small calls); configurable per provider-portability.md (Gemini Flash or local Ollama are natural alternatives for the same cost-sensitive task class). Where: trust-model.md.

StuckGuard — Middleware in agent runtime that watches the last N tool calls and detects five loop patterns (identical call, same-tool-same-error, monologue, ABAB, compaction-marker-repeat). Emits AgentStuck and exits. Where: safety.md, architecture-proposed-v2.md.

SWE-bench Pro — Scale AI's 1,865-task multi-language uncontaminated benchmark. Replacement for SWE-bench Verified (contaminated late 2025). Top models score 46-57%. Where: quality-and-evaluation.md.

T0 / T1 / T2 / T3 — Blast-radius autonomy tiers. T0 = Non-blast (docs, tests); T1 = Contained (single-service features); T2 = Cross-cutting (multi-repo, architect-level); T3 = Irreversible (auth, payments, destructive migrations). Where: trust-model.md.

TaskSpec — Typed artifact produced by Spec-E. Contains acceptance criteria, non-goals, blast-radius classification, test strategy, expected-effort-tokens budget, assigned agent. The unit of dispatched work. Where: trust-model.md.

Two-attestor policy — Kyverno policy that rejects manifests in T3 namespaces without both an agent-identity Sigstore signature and a human-OIDC Sigstore co-sign. Where: security.md, trust-model.md.

Valkey — Open-source Redis fork. Used as the stream backend for Conductor-E's pub/sub-style dispatch signals. Where: architecture-current.md.

Vault — HashiCorp secret-management system. Issues short-lived credentials (DB creds, GitHub tokens). Accessed via External Secrets Operator. Where: security.md.

Workload identity — Pattern where workload (pod) has its own identity, used to mint short-lived credentials, instead of mounting a long-lived secret. SPIFFE SVID or GitHub Actions OIDC are concrete implementations. Where: security.md.


Notes for readers

  • For AI agents: when reading this whitepaper, look up any unfamiliar term here first before asking a human. Most terms have specific technical meaning in this context.
  • For humans: where a term has a common alternate meaning (e.g., "drift" in data pipelines vs. here in LLM behavior), the definition in this glossary is the one this whitepaper uses.
  • Missing terms: if a term is used in a whitepaper document without a glossary entry, that's a documentation gap — file an issue or PR the glossary.

See also

  • index.md — whitepaper master
  • All other whitepaper documents reference terms defined here.