release orchestrator pivot, architecture and planning

docs/modules/release-orchestrator/appendices/glossary.md

@@ -0,0 +1,235 @@
+# Glossary
+
+## Core Concepts
+
+### Agent
+A software component installed on deployment targets that receives and executes deployment tasks. Agents communicate with the orchestrator via mTLS and execute deployments locally on the target.
+
+### Approval
+A human decision to authorize a promotion request. Approvals may require multiple approvers and enforce separation of duties.
+
+### Approval Policy
+Rules defining who can approve promotions to specific environments, including required approval counts and SoD requirements.
+
+### Blue-Green Deployment
+A deployment strategy using two identical production environments. Traffic switches from "blue" (current) to "green" (new) after validation.
+
+### Canary Deployment
+A deployment strategy that gradually rolls out changes to a small subset of targets before full deployment, allowing validation with real traffic.
+
+### Channel
+A version stream for components (e.g., "stable", "beta", "nightly"). Each channel tracks the latest compatible version.
+
+### Component
+A deployable unit mapped to a container image repository. Components have versions tracked via digest.
+
+### Compose Lock
+A Docker Compose file with all image references pinned to specific digests, ensuring reproducible deployments.
+
+### Connector
+A plugin that integrates Release Orchestrator with external systems (registries, CI/CD, notifications, etc.).
+
+### Decision Record
+An immutable record of all gate evaluations and conditions considered when making a promotion decision.
+
+### Deployment Job
+A unit of work representing the deployment of a release to an environment. Contains multiple deployment tasks.
+
+### Deployment Task
+A single target-level deployment operation within a deployment job.
+
+### Digest
+A cryptographic hash (SHA-256) that uniquely identifies a container image. Format: `sha256:abc123...`
+
+### Drift
+A mismatch between the expected deployed version (from version sticker) and the actual running version on a target.
+
+### Environment
+A logical grouping of deployment targets representing a stage in the promotion pipeline (e.g., dev, staging, production).
+
+### Evidence Packet
+An immutable, cryptographically signed record of deployment decisions and outcomes for audit purposes.
+
+### Freeze Window
+A time period during which deployments to an environment are blocked (e.g., holiday code freeze).
+
+### Gate
+A checkpoint in the promotion workflow that must pass before deployment proceeds. Types include security gates, approval gates, and custom policy gates.
+
+### Promotion
+The process of moving a release from one environment to another, subject to gates and approvals.
+
+### Release
+A versioned bundle of component digests representing a deployable unit. Releases are immutable once created.
+
+### Rolling Deployment
+A deployment strategy that updates targets in batches, maintaining availability throughout the process.
+
+### Rollback
+The process of reverting to a previous release version when a deployment fails or causes issues.
+
+### Security Gate
+An automated gate that evaluates security policies (vulnerability thresholds, compliance requirements) before allowing promotion.
+
+### Separation of Duties (SoD)
+A security principle requiring that the person who requests a promotion cannot be the same person who approves it.
+
+### Step
+A single unit of work within a workflow template. Steps have types (deploy, approve, notify, etc.) and can have dependencies.
+
+### Target
+A specific deployment destination (host, service, container) within an environment.
+
+### Tenant
+An isolated organizational unit with its own environments, releases, and configurations. Multi-tenancy ensures data isolation.
+
+### Version Map
+A mapping of image tags to digests for a component, allowing tag-based references while maintaining digest-based deployments.
+
+### Version Sticker
+Metadata placed on deployment targets indicating the currently deployed release and digest.
+
+### Workflow
+A DAG (Directed Acyclic Graph) of steps defining the deployment process, including gates, approvals, and verification.
+
+### Workflow Template
+A reusable workflow definition that can be customized for specific deployment scenarios.
+
+## Module Abbreviations
+
+| Abbreviation | Full Name | Description |
+|--------------|-----------|-------------|
+| INTHUB | Integration Hub | External system integration |
+| ENVMGR | Environment Manager | Environment and target management |
+| RELMAN | Release Management | Component and release management |
+| WORKFL | Workflow Engine | Workflow execution |
+| PROMOT | Promotion & Approval | Promotion and approval handling |
+| DEPLOY | Deployment Execution | Deployment orchestration |
+| AGENTS | Deployment Agents | Agent management |
+| PROGDL | Progressive Delivery | A/B and canary releases |
+| RELEVI | Release Evidence | Audit and compliance |
+| PLUGIN | Plugin Infrastructure | Plugin system |
+
+## Deployment Strategies
+
+| Strategy | Description |
+|----------|-------------|
+| All-at-once | Deploy to all targets simultaneously |
+| Rolling | Deploy in batches with availability |
+| Canary | Gradual rollout with metrics validation |
+| Blue-Green | Parallel environment with traffic switch |
+
+## Status Values
+
+### Promotion Status
+
+| Status | Description |
+|--------|-------------|
+| `pending` | Promotion created, not yet evaluated |
+| `pending_approval` | Waiting for human approval |
+| `approved` | Approved, ready for deployment |
+| `rejected` | Rejected by approver |
+| `deploying` | Deployment in progress |
+| `completed` | Successfully deployed |
+| `failed` | Deployment failed |
+| `cancelled` | Cancelled by user |
+
+### Deployment Job Status
+
+| Status | Description |
+|--------|-------------|
+| `pending` | Job created, not started |
+| `preparing` | Generating artifacts |
+| `running` | Tasks executing |
+| `completing` | Verifying deployment |
+| `completed` | Successfully completed |
+| `failed` | Deployment failed |
+| `rolling_back` | Rollback in progress |
+| `rolled_back` | Rollback completed |
+
+### Agent Status
+
+| Status | Description |
+|--------|-------------|
+| `online` | Agent connected and healthy |
+| `offline` | Agent not connected |
+| `degraded` | Agent connected but reporting issues |
+
+### Target Health Status
+
+| Status | Description |
+|--------|-------------|
+| `healthy` | Target responding correctly |
+| `unhealthy` | Target failing health checks |
+| `unknown` | Health status not determined |
+
+## API Error Codes
+
+| Code | Description |
+|------|-------------|
+| `RELEASE_NOT_FOUND` | Release ID does not exist |
+| `ENVIRONMENT_NOT_FOUND` | Environment ID does not exist |
+| `PROMOTION_BLOCKED` | Promotion blocked by gate or freeze |
+| `APPROVAL_REQUIRED` | Promotion requires approval |
+| `INSUFFICIENT_APPROVALS` | Not enough approvals |
+| `SOD_VIOLATION` | Separation of duties violated |
+| `FREEZE_WINDOW_ACTIVE` | Environment in freeze window |
+| `SECURITY_GATE_FAILED` | Security requirements not met |
+| `NO_AGENT_AVAILABLE` | No agent available for target |
+| `DEPLOYMENT_IN_PROGRESS` | Another deployment running |
+| `ROLLBACK_NOT_POSSIBLE` | No previous version to rollback to |
+
+## Integration Types
+
+| Type | Category | Description |
+|------|----------|-------------|
+| `docker-registry` | Registry | Docker Registry v2 |
+| `ecr` | Registry | AWS ECR |
+| `acr` | Registry | Azure Container Registry |
+| `gcr` | Registry | Google Container Registry |
+| `harbor` | Registry | Harbor Registry |
+| `gitlab-ci` | CI/CD | GitLab CI/CD |
+| `github-actions` | CI/CD | GitHub Actions |
+| `jenkins` | CI/CD | Jenkins |
+| `slack` | Notification | Slack |
+| `teams` | Notification | Microsoft Teams |
+| `email` | Notification | Email (SMTP) |
+| `hashicorp-vault` | Secrets | HashiCorp Vault |
+| `prometheus` | Metrics | Prometheus |
+
+## Workflow Step Types
+
+| Type | Category | Description |
+|------|----------|-------------|
+| `approval` | Control | Wait for human approval |
+| `wait` | Control | Wait for duration |
+| `condition` | Control | Branch based on condition |
+| `parallel` | Control | Execute children in parallel |
+| `security-gate` | Gate | Evaluate security policy |
+| `custom-gate` | Gate | Custom OPA policy |
+| `freeze-check` | Gate | Check freeze windows |
+| `deploy-docker` | Deploy | Deploy single container |
+| `deploy-compose` | Deploy | Deploy Compose stack |
+| `health-check` | Verify | HTTP/TCP health check |
+| `smoke-test` | Verify | Run smoke tests |
+| `notify` | Notify | Send notification |
+| `webhook` | Integration | Call external webhook |
+| `trigger-ci` | Integration | Trigger CI pipeline |
+| `rollback` | Recovery | Rollback deployment |
+
+## Security Terms
+
+| Term | Description |
+|------|-------------|
+| mTLS | Mutual TLS - both client and server authenticate with certificates |
+| JWT | JSON Web Token - used for API authentication |
+| RBAC | Role-Based Access Control |
+| OPA | Open Policy Agent - policy evaluation engine |
+| SoD | Separation of Duties |
+| PEP | Policy Enforcement Point |
+
+## References
+
+- [Design Principles](../design/principles.md)
+- [API Overview](../api/overview.md)
+- [Security Overview](../security/overview.md)