Add initial documentation

docs/14_GLOSSARY_OF_TERMS.md

@@ -0,0 +1,112 @@
+# 14 · Glossary of Terms — Stella Ops  
+*(v1.0 — 12 Jul 2025 · first real content, replaces placeholder v0.1)*  
+
+---
+
+### 0 Purpose  
+A concise, single‑page **“what does that acronym actually mean?”** reference for
+developers, DevOps engineers, IT managers and auditors who are new to the
+Stella Ops documentation set.
+
+*If you meet a term in any Stella Ops doc that is **not** listed here, please
+open a PR and append it alphabetically.*
+
+---
+
+## A – C  
+
+| Term | Short definition | Links / notes |
+|------|------------------|---------------|
+| **ADR** | *Architecture Decision Record* – lightweight Markdown file that captures one irreversible design decision. | ADR template lives at `/docs/adr/` |
+| **AIRE** | *AI Risk Evaluator* – optional Plus/Pro plug‑in that suggests mute rules using an ONNX model. | Commercial feature |
+| **Azure‑Pipelines** | CI/CD service in Microsoft Azure DevOps. | Recipe in Pipeline Library |
+| **BDU** | Russian (FSTEC) national vulnerability database: *База данных уязвимостей*. | Merged with NVD by FeedMerger |
+| **BuildKit** | Modern Docker build engine with caching and concurrency. | Needed for layer cache patterns |
+| **CI** | *Continuous Integration* – automated build/test pipeline. | Stella integrates via CLI |
+| **Cosign** | Open‑source Sigstore tool that signs & verifies container images **and files**. | Images & OUK tarballs |
+| **CWV / CLS** | *Core Web Vitals* metric – Cumulative Layout Shift. | UI budget ≤ 0.1 |
+| **CycloneDX** | Open SBOM (BOM) standard alternative to SPDX. | Planned report format plug‑in |
+
+---
+
+## D – G  
+
+| Term | Definition | Notes |
+|------|------------|-------|
+| **Digest (image)** | SHA‑256 hash uniquely identifying a container image or layer. | Pin digests for reproducible builds |
+| **Docker‑in‑Docker (DinD)** | Running Docker daemon inside a CI container. | Used in GitHub / GitLab recipes |
+| **DTO** | *Data Transfer Object* – C# record serialised to JSON. | Schemas in doc 11 |
+| **FeedMerger** | Background job that merges NVD JSON and (optionally) BDU XML into Redis. | Cron default `0 1 * * *` |
+| **FSTEC** | Russian regulator issuing SOBIT certificates. | Pro GA target |
+| **Gitea** | Self‑hosted Git service – mirrors GitHub repo. | OSS hosting |
+| **GOST TLS** | TLS cipher‑suites defined by Russian GOST R 34.10‑2012 / 34.11‑2012. | Provided by `OpenSslGost` or CryptoPro |
+| **Grype** | Alternative OSS vulnerability scanner; can be hot‑loaded as plug‑in. | Scanner interface `IScannerRunner` |
+
+---
+
+## H – L  
+
+| Term | Definition | Notes |
+|------|------------|-------|
+| **Helm** | Kubernetes package manager (charts). | Beta chart under `/charts/core` |
+| **Hot‑load** | Runtime discovery & loading of plug‑ins **without restart**. | Cosign‑signed DLLs |
+| **Hyperfine** | CLI micro‑benchmark tool used in Performance Workbook. | Outputs CSV |
+| **JWT** | *JSON Web Token* – bearer auth token issued by OpenIddict. | Scope `scanner`, `admin`, `ui` |
+| **K3s / RKE2** | Lightweight Kubernetes distributions (Rancher). | Supported in K8s guide |
+| **Kubernetes NetworkPolicy** | K8s resource controlling pod traffic. | Redis/Mongo isolation |
+
+---
+
+## M – O  
+
+| Term | Definition | Notes |
+|------|------------|-------|
+| **Mongo (optional)** | Document DB storing > 180 day history and audit logs. | Off by default in Core |
+| **Mute rule** | JSON object that suppresses specific CVEs until expiry. | Schema `mute-rule‑1.json` |
+| **NVD** | US‑based *National Vulnerability Database*. | Primary CVE source |
+| **ONNX** | Portable neural‑network model format; used by AIRE. | Runs in‑process |
+| **OpenIddict** | .NET library that implements OAuth2 / OIDC in Stella backend. | Embedded IdP |
+| **OUK** | *Offline Update Kit* – signed tarball with images + feeds for air‑gap. | Admin guide #24 |
+| **OTLP** | *OpenTelemetry Protocol* – exporter for traces & metrics. | `/metrics` endpoint |
+
+---
+
+## P – S  
+
+| Term | Definition | Notes |
+|------|------------|-------|
+| **P95** | 95th‑percentile latency metric. | Target ≤ 5 s SBOM path |
+| **PDF SAR** | *Security Assessment Report* PDF produced by Pro edition. | Cosign‑signed |
+| **Plug‑in** | Hot‑loadable DLL implementing a Stella contract (`IScannerRunner`, `ITlsProvider`, etc.). | Signed with Cosign |
+| **Problem Details** | RFC 7807 JSON error format returned by API. | See API ref §0 |
+| **Redis** | In‑memory datastore used for queue + cache. | Port 6379 |
+| **Rekor** | Sigstore transparency log; future work for signature anchoring. | Road‑map P4 |
+| **RPS** | *Requests Per Second*. | Backend perf budget 40 rps |
+| **SBOM** | *Software Bill of Materials* – inventory of packages in an image. | Trivy JSON v2 |
+| **Santech** | Lightweight cli that sends SBOM for vulnerability scanning |  |
+| **Seccomp** | Linux syscall filter JSON profile. | Backend shipped non‑root |
+| **SLA** | *Service‑Level Agreement* – 24 h / 1‑ticket for Pro. | SRE runbook |
+| **Span<T>** | .NET ref‑like struct for zero‑alloc slicing. | Allowed with benchmarks |
+| **Styker.NET** | Mutation testing runner used on critical libs. | Coverage ≥ 60 % |
+
+---
+
+## T – Z  
+
+| Term | Definition | Notes |
+|------|------------|-------|
+| **Trivy** | OSS CVE scanner powering the default `IScannerRunner`. | CLI pinned 0.64 |
+| **Trivy‑srv** | Long‑running Trivy server exposing gRPC API; speeds up remote scans. | Variant A |
+| **UI tile** | Dashboard element showing live metric (scans today, feed age, etc.). | Angular Signals |
+| **WebSocket** | Full‑duplex channel (`/ws/scan`, `/ws/stats`) for UI real‑time. | Used by tiles |
+| **Zastava** | Lightweight agent that inventories running containers  and can enforce kills. |  |
+
+---
+
+### 11 Change log
+
+| Version | Date | Notes |
+|---------|------|-------|
+| **v1.0** | 2025‑07‑12 | First populated glossary – 52 terms covering Core docs. |
+
+*(End of Glossary v1.0)*