Glossary
For domain classes (Agent, Pipeline, Decision, Mandate, AuditEvent, …) this page is a short definition — the authoritative entry with file:line references and fields is Architecture → Domain objects. When they conflict, the architecture page wins.
Product & governance
Section titled “Product & governance”Agent — A governed AI workload. Has an agent_id (slug), a UUID
(stable), a tp_ key, and a policy binding. Not the LLM — the
caller. Canonical: Agent.
Agent pact — The declared contract for an agent (purpose, max classification, allowed tools, cost envelope, PII exposure). Compared at runtime against observed behaviour. Canonical: AgentPact.
Agent session — A conversation thread grouping consecutive LLM calls so we can aggregate cost, detections, and escalation state. Canonical: AgentSession.
Agent trust profile — Signed (ES256) behavioural-evidence package shared with third parties. Generated from the audit trail, not a judgement — observations only. Canonical: AgentTrustProfile.
Audit event — A single row in audit_events. Hash-chained and
Ed25519-signed. Canonical:
AuditEvent.
Audit trail — The full, append-only sequence of audit events. Customer compliance evidence is derived from it.
Capability token — Legacy / SDK-only. The older Ed25519-signed delegation-chain token. Superseded by Mandate on the hot path; retained as an SDK export for external integrators who built against the earlier model. Don't reach for it in new code. See CapabilityToken (legacy).
Control plane — Admin APIs (agents, policies, keys, audit). Auth via SSO session JWT.
Data plane — Governed LLM calls (/v1/chat/completions,
/v1/messages). Auth via tp_ API key.
Decision — The structured policy outcome:
allow | block | escalate | modify | dispatch_to_sandbox. When
allow, embeds a Mandate JWS. Canonical:
Decision.
Detection — A normalised finding from a pipeline step or detection backend. Category, severity, label, score, text. Canonical: Detection.
Detection backend — A pluggable scanner (NeMo Guardrails, LLM
Guard, Azure Content Safety, …). Multiple can run per step;
findings aggregate into the Detection[] the runner carries.
Gateway — The HTTP surface that terminates customer requests and
routes them through the pipeline, then to providers. Lives at
tappass/gateway/.
Governance flag — A per-request override (mode=observe,
pii=mask, …) set in a header or SDK parameter. Enumerated at
docs.tappass.ai/governance/flags.
Mandate — The live authorization primitive. Signed, scoped,
revocable. AP2-compatible wire format. Minted when Decision.outcome == "allow". Superseded CapabilityToken. Canonical:
Mandate.
Mandate capability — One permission slice inside a Mandate,
structured as action:resource:qualifier (e.g.
call_llm:anthropic:claude-opus). Canonical:
MandateCapability.
Observability plane — Outbound streams of audit events to customer SIEMs (Splunk, Sentinel, webhooks).
Pipeline — The ordered governance plan an agent runs under (categories → steps). Compiled from OPA policy + Profile + overrides. Canonical: Pipeline.
Pipeline context — The per-request flow container passed through every step. Carries the agent, session, payload, running detections, audit buffer. Canonical: PipelineContext.
Pipeline step — A single unit of logic (detect_pii,
rate_limit, call_llm, …). One file per step in
tappass/pipeline/steps/. See Pipeline step
anatomy.
Policy — Rego (OPA) rules that map detections → Decisions. Per-org.
Posture check — A pipeline step verifying the agent is registered, has an active key, and isn't paused.
Provider — An LLM vendor (OpenAI, Anthropic, Azure, Google, Bedrock). Credentials live in the vault; keys never leave the server.
Proxy pattern — Our core architecture: agent → TapPass → provider. The agent never sees the provider key; TapPass does the outbound call.
Tenant / Org — A customer organisation. Top-level isolation
unit. Everything in the data path scopes by org_id.
Trust score — 0–1000 per agent, computed from five dimensions (compliance, data safety, security, stability, efficiency) over the audit trail.
Vault — Server-side secret store for provider keys + per-org config. Row-level ciphertext, AEAD-decrypted via a KMS-wrapped DEK (see Security → Encryption at rest).
Engineering
Section titled “Engineering”ADR — Architecture Decision Record. A short markdown document describing a non-trivial decision. Template in How we work.
Break-glass — Emergency override that temporarily widens an agent's policy. Every use is logged and reviewed.
Contract test — A test that hits a live external API (OpenAI, Stripe, …) to ensure our client still works. Runs nightly, not on every PR.
Fail-open / Fail-closed — How the SDK behaves when the server is unreachable. Cached policies + buffered audit → fail-open-cached; reject the call → fail-closed. See public docs Resilience.
Feature flag — Config-driven toggle. See Feature flags.
Hash chain — Linked sequence where each event contains the hash of the previous event. Breaks if any event is altered.
Idempotency key — Header we set on provider calls so retries don't produce duplicates. Derived from audit event ID.
Mental model — The picture of the system you carry in your head. If someone says "what's your mental model of X?", they mean "describe how you think it works."
Pre/Post-LLM phase — Whether a pipeline step runs before or after the LLM call. Pre steps can block/redact the request; post steps scan the response.
Rego — The policy language OPA speaks. We use it for routing, authz, tool decisions, break-glass approval.
Runbook — A specific, step-by-step doc for handling a known scenario. Lives under Runbooks.
Snapshot test — A test that stores a reference output and compares on future runs. syrupy is our tool.
SPIFFE / SPIRE — Workload identity via short-lived mTLS certs. Replaces long-lived API keys for agent-to-agent auth.
Three-phase migration — Add → backfill → remove. Pattern for zero-downtime schema changes. See Database & migrations.
Commercial
Section titled “Commercial”ACV — Annual Contract Value.
MRR / ARR — Monthly / Annual Recurring Revenue.
OEM — A partner reselling TapPass under their own brand. See OEM overview.
QBR — Quarterly Business Review. Joint meeting with key customers on usage, roadmap, issues.
SLA — Service Level Agreement. Uptime and response-time commitments. See Support SLAs.
TAM — (1) Total Addressable Market; (2) Technical Account Manager (Enterprise-tier support role).
Trust Center — Public site (trust.tappass.ai) listing DPA, subprocessors, security posture. Customers point their procurement teams here.
Cloudflare-specific
Section titled “Cloudflare-specific”Access — Cloudflare Access. Zero-trust proxy that gates apps behind SSO. We use it on internal-docs.tappass.ai and all internal surfaces.
Pages — Cloudflare Pages. Static hosting with Git-based deploys. We use it for docs.tappass.ai, internal-docs.tappass.ai, tappass.ai, trust.tappass.ai.
Tunnel — Cloudflare Tunnel (cloudflared). Outbound-only connection from a private origin to Cloudflare's edge. We use it for ssh.tappass.ai and some legacy demos. Being phased out where Pages can replace it.
Zero Trust — Cloudflare's umbrella product for Access + Gateway + WARP. We mainly use Access.