
Glossary

This glossary gathers the technical and conceptual terms used throughout the PerfShop documentation. Entries are sorted alphabetically.

A

A1 to A16 — Naming of the 16 business anomalies of Business Chaos, cumulative by level. A1 = VAT at 19.6% instead of 20%, A16 = cancellation without stock refund. See Business Chaos.

Agent (pedagogical journey) — Shop user account identified by is_pedagogique = TRUE and bearing a spy name (Jason Bourne, Alan Enigma, Lisbeth Docker, Ethan Lorem, Ada Cipher). Each agent corresponds to a level BAC1 to BAC5 and is invisible in the admin UI. Agent passwords are revealed progressively by the enigmas.

Agent Code — 4-digit code displayed to the student on the order confirmation page, after validation of the pedagogical journey. It is part of the final validation chain and is computed deterministically from the level and the session.

AGPL-3.0-or-later — Strong copyleft open source license used by PerfShop. It allows use, modification and redistribution provided that any modified version exposed on a network is published. See License.

Alias — Optional pseudonym entered by the student when starting a pedagogical journey. If left empty, the system generates a name like Agent-XXXX.

applyI18n() — Vanilla JavaScript function that walks the DOM looking for the attributes data-i18n, data-i18n-html, data-i18n-placeholder, data-i18n-title and replaces their content with the corresponding translation. Used by chaos-admin, monitoring, scripts-ui, jmeter-ui.

B

BAC1, BAC2, BAC3, BAC4, BAC5 — Levels of the pedagogical journey, in increasing order of difficulty. BAC1 is freemium-accessible, BAC3 to BAC5 require a license, BAC5 carries the "Master" nickname. Each level contains 20 distinct enigmas and a unique agent code to discover.

BCrypt — Password hashing algorithm used by PerfShop for admin_users.password_hash and users.password. PerfShop uses $2b$10$... (strength 10 = 1024 internal iterations).

Bootstrap superadmin — Automatic creation of the superadmin account at backend startup, triggered by AdminUserService @EventListener(ApplicationReadyEvent) from the environment variables PERFSHOP_ADMIN_EMAIL and PERFSHOP_ADMIN_PASSWORD.

C

Pedagogical memory cache — Option that the instructor can enable, which stores MutableSession objects in JVM memory in addition to the database. When enabled, these sessions become visible in heap dumps if a Memory Chaos is active — a concrete pedagogical demonstration of a token leak.

Chaos Agent (frontend) — chaos-agent.js script imported by App.jsx, which runs in the browser and polls /api/chaos/frontend/state every 5 seconds to enable or disable frontend chaos types (CPU burn, memory leak, DOM flood, fetch flood).

Functional Chaos — Chaos family that injects real Java exceptions into the application flow. Levels F1 (NullPointerException on payment), F2 (StackOverflow), F3 (OutOfMemoryError), F4 (silent corruption — Master level).

Business Chaos — Chaos family that injects anomalies into the e-commerce business rules. 16 anomalies A1-A16 cumulative by level. The pedagogical objective (TMAP / ISTQB) is to detect bugs without exception or stack trace, only by comparison with the expected behavior.

Pedagogical Chaos — 5-level escape-room journey BAC1-BAC5. Each level offers 20 steps alternating product search, mathematical computation, hint reading, decoding and validation.

Performance Chaos — Chaos family that degrades backend resources: CPU, JVM memory, GC, DB connection pool, Tomcat threads, slow SQL queries, deadlocks, network.

Scripting Chaos — Chaos family that complicates the HTTP handling of the checkout: rolling tokens, CSRF, HMAC, per-step signatures. Five levels: Disabled, Junior, Confirmed, Expert, Maestro.

Security Chaos — Chaos family that injects OWASP Top 10 flaws. 12 cumulative flaws S1-S12. The Master level (N4) activates a chained S10-S11-S12 scenario on a vulnerable admin portal.

Agent code — See "Agent Code".

CORS (Cross-Origin Resource Sharing) — Browser security mechanism that restricts requests across different origins. PerfShop manages CORS via the CORS_ALLOWED_ORIGINS variable.

D

data-i18n — Declarative HTML attribute read by applyI18n() indicating which dictionary key to load into the element's textContent. Example: <h1 data-i18n="admin.title">Chaos Engineering</h1>.

DataTruncation — MySQL exception triggered when trying to insert a value that exceeds a column's size. The users.postal_code column is deliberately limited to VARCHAR(5) — Pedagogical Chaos Level 2+ tries to insert a longer value to trigger this exception in a pedagogical way.

DECIMAL(18,2) — Extended precision used for product prices to accommodate company valuations (billions of euros) in the "Companies" catalog category.

docker-compose.build.yml — Compose file intended for local builds on Linux / Unix VPS / CI.

docker-compose.desktop.yml — Compose file intended for Docker Desktop on Windows or macOS.

docker-compose.yml — Main compose file intended for NAS production with pre-built images.

E

Enigma — Elementary unit of a pedagogical journey. Each enigma contains a statement (text), an optional hint (hint) and a cultural note displayed after validation (culturalNote). Answers are hard-coded on the Java side in the PedagogiqueEnigmeBacN classes.

Enterprise — Most complete license plan, unlocking all current and future features. See License system.

Extraction answer hash — extraction_answer_hash column of pedagogique_sessions that stores the SHA-256 of the dynamic answer computed at /join according to the level. Allows the server to validate the final answer without storing the value in clear.

F

F1, F2, F3, F4 — Java exceptions injected by Functional Chaos. F1 = NullPointerException, F2 = StackOverflowError, F3 = OutOfMemoryError, F4 = silent data corruption (Master level).

Flyway — Database migration tool used by PerfShop. Migrations are in backend/src/main/resources/db/migration-fr/ (V1 to V10). See Database schema.

Forgejo — Community fork of Gitea, used by PerfShop as a self-hosted Git server. Fully replaces GitHub or GitLab for the PerfShop ecosystem. See Forgejo.

Freemium — License model that makes part of PerfShop accessible without a license: shop, student page, HTML monitoring, BAC1, BAC2, and the level-1 settings of Performance Chaos and Scripting Chaos. See Freemium vs Pro.

Functional (license plan) — Entry-level license plan that unlocks chaos-admin, admin, monitoring, scripts-ui. Does not include jmeter-ui (reserved for the Performance plan).

H

HMAC (Hash-based Message Authentication Code) — Signature technique used by Scripting Chaos at Expert and Maestro levels. At Expert level, the HMAC key is static; at Maestro level, it is derived per session via HMAC-SHA256(sessionToken, staticSecret).

Hints toggle — volatile boolean pedagogiqueHintsEnabled flag on the backend, modifiable on the fly by the instructor via POST /pedagogique/hints. When disabled, the "Hint" button disappears from the pedagogical overlay on the student side.

I

I18nService — Spring Boot bean that loads the messages_*.properties files at startup and exposes t(key) and t(key, args...) for resolution on the Java side.

I18nContext — React provider that loads fr.json and en.json at build time and exposes the useT() hook for resolution on the React side.

IDOR (Insecure Direct Object Reference) — OWASP A01 flaw — a user can access a resource (order, account) by guessing its identifier, with no ownership check. PerfShop simulates this flaw in S2 (IDOR on orders) and S12 (IDOR for privilege escalation).

Interceptor — Spring MVC component (HandlerInterceptor) that intercepts HTTP requests before they reach controllers. LicenseInterceptor blocks protected interfaces with HTTP 402 if no valid license is active.

is_pedagogique — Boolean flag on the users and products tables that identifies pedagogical agents and pedagogical products. These records are invisible in the admin UI and protected against accidental modification.

L

LCG (Linear Congruential Generator) — Deterministic pseudo-random generator used by ThemeLogique to draw reproducible logic questions from a seed derived from the X-Student-Token.

LicenseInterceptor — Spring MVC interceptor that blocks protected interfaces without a valid license. See License system.

LicenseService — Spring Boot service that loads, validates and caches the active license. Verifies the integrity of the RSA public key at startup via SHA-256.

Logic (pool) — Set of 25 general mathematical questions used by some pedagogical journeys. 5 questions are randomly drawn via LCG per session.

M

Master (level 4) — Name given to level 4 of every chaos family. Requires a license. Includes qualitatively different mechanics: chained scenarios, silent corruption, derived HMAC key, etc.

messages_fr.properties / messages_en.properties — Spring Boot backend Java Properties files containing about 430 translation keys each.

mkdocs-static-i18n — MkDocs plugin that handles internationalization of the documentation. Configured for 5 languages (fr, en, es, de, it) in mkdocs.yml.

MutableSession — Backend internal class representing a pedagogical session in memory. When the memory cache is enabled, these objects appear in heap dumps when a Memory Chaos is active.

O

OpenSearch — Alternative log sink (Apache 2.0) integrated into the PerfShop observability stack alongside Loki.

OWASP Top 10 — Ranking of the 10 most critical web security risks, maintained by OWASP. PerfShop simulates several of these risks in its Security Chaos family (S1-S12).

P

Student page — chaos-admin/public/index.html interface intended for students. Allows them to activate chaos types themselves within the limits of freemium or the active license. See Student chaos page.

Instructor panel — chaos-admin/public/admin/ interface reserved for authenticated admin accounts. Provides access to all chaos types, account management and the license panel.

Pedagogical journey — See "Pedagogical Chaos".

PedagogiqueOrchestrator — React component mounted once in AppShell, outside <Routes>, that survives all navigations and displays the pedagogical overlay when a journey is active.

Performance (license plan) — Intermediate license plan that unlocks the entire Functional plan + jmeter-ui.

PERFSHOP_LANG — Single environment variable that controls the language of the entire PerfShop stack. Replaces the Accept-Language HTTP header. See i18n overview.

PFSH- — Prefix of a PerfShop license key, in the format PFSH-<base64url_payload>.<base64url_signature>.

Admin portal — AdminPortal.jsx page accessible at /admin on the shop frontend. Pedagogically vulnerable surface of Master Security Chaos (S10-S11-S12 scenario). Distinct from the chaos-admin instructor panel.

Pyroscope — Continuous profiling platform (CPU, memory) integrated into the PerfShop observability stack.

R

RSA-PSS — Cryptographic signature scheme used for PerfShop licenses. Parameters: RSA 2048 bits, SHA-256, MGF1, salt 32 bytes, trailer 1.

S

S1 to S12 — Naming of the 12 OWASP flaws of Security Chaos. S1 = SQLi on search, S12 = IDOR for privilege escalation. See Security Chaos.

Weather scenario — Preset combining backend chaos types, named N<level>-<number> (e.g. N2-03). 20 scenarios are provided (N1-01 to N4-05). Only one scenario can be active at a time on the student side.

Superadmin — Single admin account with is_superadmin = TRUE, non-deletable, with fixed rights. Bootstrapped at backend startup from PERFSHOP_ADMIN_EMAIL and PERFSHOP_ADMIN_PASSWORD.

SPDX-License-Identifier — Standardized header present in every PerfShop source file, declaring the applicable license. For PerfShop, it is always AGPL-3.0-or-later.

SQLi (SQL Injection) — OWASP A03 flaw where a user injects SQL through a poorly escaped form field. PerfShop simulates SQLi in S1 (product search) and S11 (admin portal login).

successUrl — URL of the form /s/<token> generated at the end of a validated pedagogical journey. The token is opaque and unguessable; it authenticates the standalone success page.

Stars (star system) — Performance rating system for a student during a journey. BAC+N can earn up to N stars (BAC+1 = 1 star max, BAC+5 = 5 stars). One star is removed if the timer has expired.

T

t() / _t() — Translation functions. t() on the React side (useT() hook) and on the Java side (I18nService). _t() on the vanilla JavaScript side (chaos-admin, monitoring, etc.). All return a translated string according to the active language.

Tempo — OpenTelemetry distributed traces backend integrated into the PerfShop observability stack.

Pedagogical token — See "X-Student-Token".

V

V1 to V10 — Consolidated PerfShop Flyway migrations, in backend/src/main/resources/db/migration-fr/. V1 creates the full schema, V2-V9 seed product catalogs by category, V10 creates the pedagogical infrastructure (products + agents BAC1-BAC5).

VITE_LANG — Variable injected by Vite at build time or by env-inject.sh at runtime in the Docker frontend image. Read by I18nContext.jsx to determine the active language.

W

welcome/entrypoint.sh — Shell script that runs at welcome container startup. Handles the two ip and dns modes, replaces markers in welcome.js and injects the i18n dictionary.

WELCOME_MODE — Environment variable (ip or dns) that controls the URL construction strategy in the welcome page.

Write-through — Cache strategy used by DefaultPedagogiqueSessionService: every session mutation is first persisted to the database, then mirrored to the memory cache (if enabled). The database is always the source of truth.

X

X-Admin-Token — HTTP header carrying an opaque admin authentication token, generated at login. Used in addition to the HTTP session for cross-origin deployments where the session cookie does not follow. Automatically injected by the adminFetch() wrapper of the chaos-admin panel.

X-Action-Token, X-CSRF-Token, X-Step-Token, X-Signature — Additional headers introduced by the advanced levels of Scripting Chaos (Confirmed, Expert, Maestro) to complicate HTTP correlation.

X-License-Required — Response header added by LicenseInterceptor when it returns HTTP 402. Allows clients to quickly detect a license block without parsing the JSON.

X-Session-Token — HTTP header introduced by Junior-level Scripting Chaos, mandatory on every checkout step. Generated at login and identical for the entire session.

X-Student-Token — HTTP header that identifies an individual pedagogical session. Generated by the backend at /join, stored by the frontend in localStorage.ped_student_token, and sent on status polls and order creation. Cornerstone of the pedagogical multi-session architecture.
