---
render_with_liquid: false
---

# Appendix C: Glossary

| Term | Definition |
|:---|:---|
| **Age** | Modern file-encryption tool using X25519 + ChaCha20-Poly1305. Stores secrets in the repository encrypted at rest. |
| **Agent Profile** | A named behaviour template for AI agents (e.g. architect, hardener). Stored in `dot_config/ai/patterns/`. |
| **ANSI Colors** | The 16 foreground/background color slots (c0 through c15) used by terminal emulators. |
| **Apple Desktop APR** | XMP metadata in dynamic HEIC wallpapers mapping image indices to light/dark appearance modes. |
| **Attestation** | Signed JSON document asserting machine identity, policy, tool versions, and Git state at a point in time. |
| **Baseline (security)** | Reference state used by `detect-secrets` to distinguish new leaks from known acceptable patterns. |
| **Chaos** | Intentional corruption (`dot chaos`) used to verify `dot heal` recovers to a healthy state. |
| **Chezmoi** | The templating engine handling per-platform rendering and applying configuration to `$HOME`. |
| **CIELAB** | Color space designed for perceptual uniformity. Used by the theme engine for K-Means clustering. |
| **CycloneDX** | SBOM format used by the repository for machine-readable dependency inventories. |
| **Dank Material Shell (DMS)** | A shell for the Niri Wayland compositor that provides polished theming hooks. |
| **Drift** | Local changes to managed files that diverge from the source tree. Detected by `dot status`. |
| **Dynamic HEIC** | Apple's single-file wallpaper format that contains both light and dark variants with appearance metadata. |
| **Fleet** | Two or more workstations sharing a single `.dotfiles` source repository. |
| **Gitleaks** | Secret-pattern scanner that blocks commits containing obvious secret patterns. |
| **Golden Ratio** | 1.618... Used as the target brightness ratio between dark and light theme variants. |
| **Heal** | The `dot heal` command's action of auto-fixing drift, missing tools, and broken symlinks. |
| **Idempotent** | Property where running an operation twice has the same result as running it once. |
| **K-Means** | Clustering algorithm partitioning data into k groups by proximity to centroids. Used for dominant color extraction. |
| **K-Means++** | Variant of K-Means with smart initialization that reduces sensitivity to random seeding. |
| **MCP** | Model Context Protocol — standard for connecting AI models to external tools and data. |
| **Mise** | User-space language and tool version manager. Replaces asdf, nvm, rbenv, pyenv. |
| **Nix Flakes** | Nix's reproducible-build system. Used for strict repeatability when Mise's approximations aren't enough. |
| **Niri** | Wayland compositor with scrollable tiling layout. |
| **Policy Hash** | SHA-256 of the active MCP policy JSON. Included in attestations for drift detection. |
| **Prewarm** | `dot prewarm` regenerates shell init caches, eliminating slow first-shell startup. |
| **Profile** | Named collection of settings in `.chezmoidata.toml` selectable via `dot profile`. |
| **SOPS** | "Secrets OPerationS" — YAML-aware envelope encryption tool that wraps Age (or PGP/AWS KMS). |
| **SBOM** | Software Bill of Materials — machine-readable dependency list, generated by Syft, scanned by Grype. |
| **Trust Anchor** | The root public key from which all other trust derives. For `.dotfiles`, the user's SSH ED25519 signing key. |
| **WCAG AAA** | Web Content Accessibility Guidelines Level AAA — 7:1 text contrast ratio, the highest accessibility tier. |
| **XDG Base Directory** | Spec defining `~/.config`, `~/.cache`, `~/.local/share`, `~/.local/state` for app data locations. |