Glossary

Reference definitions for terms used throughout this site. One paragraph each. Alphabetical.


Adaptive Cards — A Microsoft-standard JSON format for rendering rich, interactive UI cards in Teams, Outlook, and other Microsoft 365 surfaces. Passkey Portal uses Adaptive Cards (via Bot Framework) to deliver approval requests, share-link notifications, and renewal prompts directly in Teams chat. The card templates exist in code but the bot is not yet registered — cards are not being delivered.

App Service — Azure’s managed platform for hosting web applications. Passkey Portal runs on App Service for Linux (Node 22). Staging uses B1 tier; production is expected to use S1 or P1V2 for custom domain support and VNet integration. Deploy method is zip deploy via az webapp deploy --type zip.

Commander — Keeper Commander is Keeper Security’s CLI/SDK tool for vault administration. Passkey Portal uses it as a Python subprocess (python3 -m keepercommander) to create one-time share URLs for credential delivery. It’s the only Keeper interface that supports programmatic share creation. The subprocess wrapper is in commander.ts; error classification (transient/persistent/terminal) determines retry behavior.

Entra ID — Microsoft’s cloud identity service, formerly Azure Active Directory (Azure AD). Passkey Portal uses Entra ID for user authentication via JWT validation. Users authenticate through MSAL in the React frontend; the backend validates JWTs against the tenant’s JWKS endpoint. Group memberships from Entra are used in the permission model.

FIDO2 — An open authentication standard that enables passwordless sign-in using hardware security keys or platform authenticators (Windows Hello, Touch ID). Mentioned in v4 context as a stronger alternative to SMS-based OTP for second-factor authentication.

Flexible Server — Azure Database for PostgreSQL Flexible Server, the current-generation managed PostgreSQL offering. Staging uses Burstable B1ms (1 vCore, 2 GB). Supports zone-redundant HA, automatic backups, and configurable maintenance windows. The application connects via SSL with connection string in Key Vault.

Governance Decision Trace — A Prisma model (GovernanceDecisionTrace) that records every policy engine evaluation. Each row captures: the decision stage (submission, authority resolution, approval, issuance, revocation), the outcome (allow/deny/pending), structured reasons and constraints as JSON, the policy version, the evaluating code’s git SHA, and a SHA-256 hash of the canonicalized inputs for reproducibility.
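How the "SHA-256 hash of the canonicalized inputs" gives reproducibility, as an added example (not the project's own code): object keys are sorted recursively before hashing, so two evaluations with the same inputs built in different key order yield the same digest, and a replay can detect altered inputs. The field names inside the sample inputs are illustrative, not the real GovernanceDecisionTrace columns.

```typescript
import { createHash } from "node:crypto";

// Inputs to one policy evaluation, as the trace would record them.
// Field names here are illustrative, not the real GovernanceDecisionTrace columns.
type TraceInputs = Record<string, unknown>;

// Recursively sort object keys so that semantically equal inputs serialize to
// byte-identical JSON regardless of construction order. Arrays keep their order,
// because element order is meaningful (e.g. an ordered list of rules).
function canonicalize(value: unknown): string {
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const keys = Object.keys(obj).sort();
    return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k])).join(",") + "}";
  }
  // Primitives: JSON.stringify covers strings, numbers, booleans and null.
  // undefined is not representable in JSON, so it is mapped to null explicitly.
  return value === undefined ? "null" : JSON.stringify(value);
}

// SHA-256 over the canonical form; this is the value a trace row would store.
export function inputsHash(inputs: TraceInputs): string {
  return createHash("sha256").update(canonicalize(inputs), "utf8").digest("hex");
}

// Constructed sample: the same evaluation inputs assembled in two different key orders.
export const sampleA: TraceInputs = {
  stage: "approval",
  actor: { upn: "alice@example.test", groups: ["vault-approvers", "eng"] },
  resource: { recordUid: "REC-PLACEHOLDER", folder: "prod-db" },
  policyVersion: 3,
};
export const sampleB: TraceInputs = {
  policyVersion: 3,
  resource: { folder: "prod-db", recordUid: "REC-PLACEHOLDER" },
  actor: { groups: ["vault-approvers", "eng"], upn: "alice@example.test" },
  stage: "approval",
};

// Replay check: recompute the hash from the recorded inputs and compare with the
// stored digest. A mismatch means the inputs (or the canonicalization) changed.
export function verifyTraceInputs(stored: string, inputs: TraceInputs): boolean {
  return inputsHash(inputs) === stored;
}
```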

INV-1 — The immutable-authority invariant. Active GovernedResourceAuthority rows cannot be updated — only revoked (by setting revokedAt) or replaced (revoke + insert with supersededById linkage). Enforced at the database level by a Postgres BEFORE UPDATE trigger, and at the application level by routing all writes through authority.service.ts.

INV-5 — The share-URL-never-persisted invariant. One-time share URLs returned by Commander are transit-only data. Only the SHA-256 hash is stored in IssuanceEvent.shareLinkHash. As a defense-in-depth check, issuance.service.ts rejects hash values that match URL patterns. Verified by approve-then-issue.test.ts.
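The INV-5 boundary, as an added example (not the project's issuance.service.ts): the share URL is consumed at the point where the issuance record is built, only its SHA-256 digest is returned for storage, and a guard rejects anything that looks like a URL. The guard here also insists on a well-formed 64-character hex digest, which is a stricter constraint added by this example; the record shapes are constructed for illustration.

```typescript
import { createHash } from "node:crypto";

// What Commander hands back after creating a one-time share (constructed shape).
interface ShareResult { url: string; }

// What is allowed to reach the database: the digest, never the URL.
interface IssuanceRecord { requestId: string; shareLinkHash: string; }

// Anything with a URL scheme, a www. prefix or a path separator is not a hash.
const URL_PATTERN = /^[a-z][a-z0-9+.-]*:\/\/|^www\.|\//i;
// Stricter shape check added in this example: a SHA-256 hex digest is exactly 64 hex chars.
const SHA256_HEX = /^[0-9a-f]{64}$/;

export function hashShareUrl(url: string): string {
  return createHash("sha256").update(url, "utf8").digest("hex");
}

// Defense-in-depth guard: rejects values matching URL patterns (the check this page
// attributes to issuance.service.ts) and, additionally here, anything that is not a
// well-formed SHA-256 hex digest.
export function assertValidShareLinkHash(value: string): void {
  if (URL_PATTERN.test(value)) {
    throw new Error("INV-5 violation: share URL must not be persisted");
  }
  if (!SHA256_HEX.test(value)) {
    throw new Error("INV-5 violation: shareLinkHash is not a SHA-256 hex digest");
  }
}

// Builds the record that would be written to IssuanceEvent. The URL is consumed here
// and only its hash leaves this function; the caller delivers the URL to the requester
// over the transit channel and then drops it.
export function buildIssuanceRecord(requestId: string, share: ShareResult): IssuanceRecord {
  const shareLinkHash = hashShareUrl(share.url);
  assertValidShareLinkHash(shareLinkHash);
  return { requestId, shareLinkHash };
}

// Read-side check: a URL presented later (e.g. during an audit) can be matched to the
// stored digest without the URL ever having been stored.
export function matchesStoredHash(url: string, stored: string): boolean {
  return hashShareUrl(url) === stored;
}
```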

Key Vault (KV) — Azure Key Vault, a cloud service for securely storing secrets, keys, and certificates. Passkey Portal stores DATABASE_URL, KSM_CONFIG, and ENTRA_TENANT_ID as Key Vault secrets. The App Service accesses them via managed identity and Key Vault references (@Microsoft.KeyVault(SecretUri=...)). Access is configured in RBAC permission mode, not access policies.

KSM (Keeper Secrets Manager) — Keeper’s SDK for programmatic, read-only access to vault records. Passkey Portal uses the @keeper-security/secrets-manager-core npm package via RealVaultReadService to fetch record metadata (title, revision, owner) and folder structure. KSM uses an Application token scoped to specific shared folders. Does not support share creation (that’s Commander’s job).

KSM Application — An identity in Keeper Secrets Manager that grants read access to specific shared folders in the Keeper vault. Created in the Keeper Admin Console. Has an IP lock setting (enabled by default at creation) that must be disabled or configured to match the App Service’s outbound IP. Folders must be explicitly granted to the Application.

Lease — A time-bounded credential access grant. Not a separate database model — the lease is implicit in the Request row via leaseStartedAt and leaseExpiresAt fields. The lease lifecycle is: start (on approval) → active → renewal window → release or expiry. Background jobs (lease-scheduler.ts) manage expiry and renewal prompts.

MFA (Multi-Factor Authentication) — Authentication using two or more factors (something you know, have, are). v4 proposes adding SMS-based OTP as a second factor to credential retrieval (the first factor being the issuance token). The existing Entra ID authentication is already MFA-capable at the identity layer.

NAT Gateway — Azure NAT Gateway provides outbound internet connectivity for resources in a VNet with a static public IP. Planned for production to give the App Service a predictable outbound IP (useful for Keeper IP-locking, firewall rules, and audit logs).

OTP (One-Time Password) — A single-use code, typically 6 digits, sent via SMS or generated by an authenticator app. v4’s SMS MFA would deliver an OTP to the requester’s registered phone number during credential retrieval.

Prisma — An ORM (Object-Relational Mapping) for Node.js and TypeScript. Passkey Portal uses Prisma to define the database schema (schema.prisma), generate typed database clients, and manage migrations. The schema defines 13 models across core workflow, governance, vault sync, and observability domains.

Policy Engine — The pure-function evaluator in backend/src/policy/engine.ts. Given a policy context (request details, actor identity, resource metadata, authority mappings) and a list of rules, it returns a decision (AUTO_APPROVE, DENY, ROUTE_TO_AUTHORITY, REQUIRES_HUMAN_TRIAGE) with a full rule-by-rule trace. No side effects, no database access, no network calls.
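A pure-function evaluator of the kind described above, as an added example (not the project's engine.ts): every rule runs so the trace is complete, the most restrictive applicable verdict wins, and a context no rule speaks to falls to human triage. The decision values are the four named on this page; the precedence order, the context and rule shapes, and the sample rules are this example's assumptions.

```typescript
// Decision values named on this page; rule and context shapes are this example's own.
export type Decision = "AUTO_APPROVE" | "DENY" | "ROUTE_TO_AUTHORITY" | "REQUIRES_HUMAN_TRIAGE";

export interface PolicyContext {
  actor: { upn: string; groups: string[] };
  resource: { recordUid: string; folder: string; hasAuthority: boolean };
  request: { leaseHours: number; justification: string };
}

// A rule either produces a verdict with a reason or abstains (null).
export interface Rule {
  id: string;
  evaluate: (ctx: PolicyContext) => { verdict: Decision; reason: string } | null;
}

export interface TraceEntry { ruleId: string; matched: boolean; verdict?: Decision; reason?: string }
export interface PolicyResult { decision: Decision; trace: TraceEntry[] }

// Assumed precedence: the most restrictive applicable verdict wins, and a context that
// no rule speaks to falls to human triage rather than auto-approval (fail closed).
const PRECEDENCE: Decision[] = ["DENY", "REQUIRES_HUMAN_TRIAGE", "ROUTE_TO_AUTHORITY", "AUTO_APPROVE"];

// Pure: no I/O, no clock, no database; the result depends only on ctx and rules.
export function evaluatePolicy(ctx: PolicyContext, rules: Rule[]): PolicyResult {
  const trace: TraceEntry[] = [];
  const verdicts: Decision[] = [];
  for (const rule of rules) {
    // Every rule runs (no short-circuit) so the trace records each rule's outcome.
    const out = rule.evaluate(ctx);
    trace.push(out ? { ruleId: rule.id, matched: true, ...out } : { ruleId: rule.id, matched: false });
    if (out) verdicts.push(out.verdict);
  }
  const decision = PRECEDENCE.find((d) => verdicts.includes(d)) ?? "REQUIRES_HUMAN_TRIAGE";
  return { decision, trace };
}

// Constructed sample rules, one per outcome.
export const sampleRules: Rule[] = [
  { id: "deny-empty-justification", evaluate: (c) =>
      c.request.justification.trim() === "" ? { verdict: "DENY", reason: "justification required" } : null },
  { id: "triage-long-lease", evaluate: (c) =>
      c.request.leaseHours > 8 ? { verdict: "REQUIRES_HUMAN_TRIAGE", reason: "lease exceeds 8h" } : null },
  { id: "route-to-authority", evaluate: (c) =>
      c.resource.hasAuthority ? { verdict: "ROUTE_TO_AUTHORITY", reason: "resource has a mapped authority" } : null },
  { id: "auto-approve-readers", evaluate: (c) =>
      c.actor.groups.includes("vault-readers") ? { verdict: "AUTO_APPROVE", reason: "member of vault-readers" } : null },
];
```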

RequestStatus — The 9-value enum that tracks the lifecycle of a credential request: PENDING (awaiting decision), APPROVED (approved, awaiting issuance), ISSUED (credential available), DENIED (policy rejected), EXPIRED (lease time elapsed), RELEASED (requester returned access early), RENEWAL_PENDING (in renewal window), REQUIRES_TRIAGE (policy flagged for human review), UNFULFILLABLE (approved but Commander couldn’t deliver).

Vault (in Passkey Portal context) — Refers to the Keeper Security vault — the encrypted, zero-knowledge storage where credentials (passwords, SSH keys, API tokens) are kept. The application doesn’t store credentials itself; it mediates access to credentials in the vault through governance, approval, and time-bounded leases. The vault-* naming in the codebase is deliberately vendor-neutral to preserve the swap-in seam.

Vault Deployment Mode — The VAULT_DEPLOYMENT_MODE configuration value that controls which vault service implementations are active: local-mock (both mock — for local development), staging (real KSM reads, stubbed Commander shares), full (both real — for production). Set in appsettings-staging.json / appsettings-prod.json.

VNet (Virtual Network) — Azure Virtual Network provides network isolation. Production deployment plans to place the App Service behind a VNet with private endpoints for Key Vault and Postgres, and a NAT Gateway for outbound traffic. This ensures the database and secrets are not directly internet-accessible.

Zip Deploy — The deployment method used by Passkey Portal. A pre-built artifact (compiled backend + frontend + node_modules) is compressed into a tar archive and deployed via az webapp deploy --type zip. No build step runs on the server (SCM_DO_BUILD_DURING_DEPLOYMENT=false). Deploy scripts are in deploy/deploy-staging.ps1 and deploy/deploy-prod.ps1.