Glossary
Terms that show up across the backend, the dashboards, and the POS.
Planes and identities
- ADMIN plane - the operator-facing side (/admin/*), authenticated as a PlatformUser in the central database. Never sends a Tenant-ID header.
- TENANT plane - the business-facing side, authenticated as an AppUser in a tenant’s own database. Sends a Tenant-ID header on every request.
- PlatformUser - an operator account in the central database.
- AppUser - a business-staff account inside a single tenant’s database.
Tenancy
- Tenant - one business. Has its own isolated database and its own users.
- Central database - the platform’s own database; tracks tenants, platform users, and provisioning state.
- Shared tier - many tenants in one database, one schema and one restricted role each.
- Dedicated tier - a tenant with a database of its own.
- Graduation - promoting a shared tenant to the dedicated tier, optionally onto a different server.
- Server pool - the set of database servers tenants can be placed on.
Contract terms
- Capability / module - a per-tenant feature entitlement, read from GET /capabilities. A disabled module answers 403 module_disabled.
- Permission - a verb-based right, read from GET /me/permissions and re-checked server-side on every request.
- Money-as-string - money is a quoted decimal string on the wire, never a number or float.
- Plane audience - the JWT audience that binds a token to one plane; a token from the other plane is rejected.
- Offline-first - the POS operates against a local database and syncs when it can reach the backend.
- Client id / idempotency key - a client-generated id used as the server-side primary key, so a re-sent operation is a no-op instead of a duplicate.
- Needs-attention - the queue of parked operations (conflict, rejected, terminal) surfaced for manual resolution.
- Drain - the process of sending queued local operations to the backend in order.