Glossary
Use this section as a shared dictionary for terms we use across the docs.
Definitions here stay generic. If LEF uses a term in a narrower or special way, that usage is described in the relevant Architecture or How-we-work pages.
Linking convention
- Link the first meaningful occurrence of a term on a page to its glossary entry.
- Don’t link every repetition (it hurts readability).
- If a page depends heavily on a set of terms, add a short “Definitions used” line with links.
| Term | What it means |
|---|---|
| ACME | Automated certificate issuance and renewal protocol. |
| API | Application Programming Interface; interaction contract. |
| Aspect model | Way of describing a service through four aspects: development, delivery, security, and operations. |
| Backup | Data copy created so it can be restored. |
| Backend | Server-side logic/data (or a proxy routing target). |
| C4 model | “Zoomable” diagramming model for software architecture. |
| Certificate authority (CA) | Issues and signs certificates used by TLS. |
| Component | A responsibility boundary inside a container. |
| Container | Major runtime building block inside a system (app or data store). |
| Deployment | Releasing changes and/or mapping software onto infrastructure. |
| DNS | Name resolution: maps domains/hostnames to records. |
| DTAP | Development → Test → Acceptance → Production lifecycle flow. |
| Endpoint | Where clients connect (URL / hostname+port). |
| Entry point | User/system-facing way to access a service or system. |
| Environment | Isolated deployment context (DTAP). |
| ESG | Environmental, Social, and Governance considerations for organizations. |
| Guideline | Recommended default approach (adaptable with context). |
| Hostname | Human-readable name for a host/service in DNS. |
| Identity provider (IdP) | Authenticates users and issues identities/tokens. |
| Incident | Unplanned interruption or degradation requiring response. |
| Ingress | Inbound traffic path into a system. |
| Lane | Named lifecycle track/stage used to separate risk and access. |
| Least privilege | Minimum necessary access for the shortest time. |
| Multi-factor authentication (MFA) | Authentication using two or more factors. |
| Object storage | Stores data as objects accessed via APIs. |
| Observability | Ability to understand a system's internal state from its outputs (logs, metrics, traces). |
| OpenID Connect (OIDC) | Modern SSO via tokens on top of OAuth 2.0. |
| Platform | Shared capabilities foundation for building and running services. |
| Policy | Intent/rules that set expectations and constraints. |
| Principle | Stable, decision-shaping rule or stance. |
| Procedure | Repeatable steps to achieve a goal. |
| Requirement | Mandatory condition that must be met. |
| RDP | Remote Desktop Protocol (GUI remote access). |
| Restore | Recovering from backups to regain availability/integrity. |
| Reverse proxy | Routes client requests to backends. |
| Rootless | Running without root privileges to reduce blast radius. |
| Runbook | Step-by-step ops guide for tasks/incidents. |
| S3 | Widely used object storage API. |
| SAML | SSO standard for exchanging authentication assertions. |
| Service | Capability provided via a defined interface. |
| Single sign-on (SSO) | Authenticate once to access multiple apps/services. |
| Software system | Coherent system delivering value to people/systems. |
| Split-horizon DNS | Different DNS answers for internal vs external clients. |
| SSH | Encrypted remote access for shell sessions and tunneling. |
| Subject alternative name (SAN) | X.509 certificate field listing additional hostnames covered by the certificate. |
| TCP proxy | Routes raw TCP connections to backends. |
| TLS | Encrypts network connections; authenticates endpoints. |
| Troubleshooting | Systematic diagnosis via hypotheses and verification. |
| Upstream | Proxy/load balancer target (often a server group). |
| Virtual host (vhost) | Multiple sites/services hosted by hostname/port. |
| Virtual machine (VM) | Software-defined computer running an OS on shared hardware. |
| VPN | Encrypted remote access into a private network. |