Glossary

Key terms and concepts with source links

#
.mpk (bundle)
Signed application archive (tar.gz) containing manifest.json, app.wasm, and optional abi.json. The deployable unit for Calimero applications.
A
AppKey
Composite application identity: {package}:{signerId}. Determines the ApplicationId. Must stay stable across versions for the upgrade path to work.
ApplicationId
32-byte hash identifying a WASM application.
B
BlobId
Content-addressed identifier for binary blobs.
Borsh
Binary Object Representation Serializer for Hashing. Deterministic binary serialization format used for state deltas, governance payloads, store entries, and wire protocol messages.
BroadcastMessage
Borsh-serialized gossipsub payload enum (StateDelta, HashHeartbeat, SignedGroupOpV1, etc.).
C
Capabilities
Per-member u32 bitmask controlling group-level permissions (CAN_CREATE_CONTEXT, CAN_INVITE_MEMBERS, CAN_JOIN_OPEN_SUBGROUPS, MANAGE_MEMBERS, MANAGE_APPLICATION, CAN_CREATE_SUBGROUP, CAN_DELETE_SUBGROUP, CAN_MANAGE_VISIBILITY, CAN_MANAGE_METADATA).
CausalDelta
A single DAG entry: delta_id, parents, payload, HLC, expected_root_hash.
Column
Logical partition in the KV store (Meta, Config, Identity, State, Delta, Blobs, Application, Alias, Generic, Group).
Context
An instance binding a Group to an Application. Has its own identity, state DAG, and member list.
ContextClient
Async facade over LazyRecipient<ContextMessage> for invoking context operations.
ContextId
32-byte hash identifying a context.
ContextManager
Actix actor managing contexts, groups, governance DAGs, and application lifecycle.
ContextMessage
Top-level message enum for ContextManager with 20+ variants.
CRDT
Conflict-free Replicated Data Type. Data structures where replicas can be updated independently and merged to produce a consistent result regardless of message ordering.
D
DAG (Directed Acyclic Graph)
Causal ordering structure used for both application state deltas and governance operations.
DagStore
In-memory causal DAG with pending queue, topological ordering, and head tracking.
DeltaApplier
Async trait for applying deltas to storage. Implemented by GroupGovernanceApplier.
DeltaBuffer
Temporary storage for state deltas that arrive before their context is initialized or while a sync session is active.
did:key
DID method that encodes an Ed25519 public key directly in the identifier string. Format: did:key:z{base58btc(0xed01 || public_key)}.
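As an added illustration of the did:key format above (not code from Calimero itself), the following encodes a raw Ed25519 public key as did:key:z{base58btc(0xed01 || public_key)} and parses it back, rejecting strings that do not carry the ed25519-pub multicodec prefix; the base58 helper and function names are assumptions, and only the standard library is used.

```python
# Added example (not Calimero's own code): did:key encode/parse for Ed25519.
#   did:key:z{base58btc(0xed01 || public_key)}
# 0xed01 is the multicodec varint for ed25519-pub; "z" is the multibase
# prefix for base58btc.

ED25519_PUB_MULTICODEC = b"\xed\x01"  # varint(0xed) = ed25519-pub
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Bitcoin-style base58: each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n > 0:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out[::-1].decode()


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text.encode():
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {chr(ch)!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def did_key_from_ed25519(public_key: bytes) -> str:
    """Node side: derive the did:key (e.g. a bundle signerId) from a raw key."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return "did:key:z" + b58encode(ED25519_PUB_MULTICODEC + public_key)


def ed25519_from_did_key(did: str) -> bytes:
    """Verifier side: recover the raw key, refusing anything that is not a
    32-byte Ed25519 key so a differently typed or truncated key cannot be
    passed off as a signerId."""
    prefix = "did:key:z"
    if not did.startswith(prefix):
        raise ValueError("not a base58btc did:key")
    raw = b58decode(did[len(prefix):])
    if len(raw) != 34 or raw[:2] != ED25519_PUB_MULTICODEC:
        raise ValueError("did:key does not encode a 32-byte Ed25519 key")
    return raw[2:]
```

Every Ed25519 did:key produced this way begins with did:key:z6Mk, because the fixed 0xed01 prefix determines the leading base58 digits.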
E
Ed25519
Elliptic-curve digital signature algorithm used for governance operations, bundle manifests, and challenge-response authentication.
F
Fleet node / fleet-join
A TEE replica node entitled to serve a namespace as a hardware-attested, read-only replica. It joins via the attestation announce flow — broadcasting a TeeAttestationAnnounce on the namespace topic, getting verified against the namespace TeeAdmissionPolicy, and being admitted as a ReadOnlyTee member via MemberJoinedViaTeeAttestation. Fleet-join is the end-to-end admission of such a node; eviction triggers a self-purge.
G
G-Counter
Grow-only Counter CRDT. Each node increments its own slot; value() returns the sum. Calimero's Counter type follows this pattern.
GarbageCollector
Periodic actor that cleans up stale data (unused blobs, expired entries). Default interval: 12 hours.
gossipsub
libp2p publish/subscribe protocol. Calimero uses context/<hex> topics for state deltas and group/<hex> topics for governance operations.
Governance epoch
Reserved field on state deltas for future staleness checks, intended to reject deltas from removed members. Currently stored but not enforced.
Namespace
A root group (no parent) that serves as the application instance boundary and identity scope. Each namespace gets its own Ed25519 keypair (auto-generated on first create/join). Subgroups and contexts within the namespace share that identity. Different namespaces have different keys. All groups within a namespace share a single governance DAG. Operations are either cleartext RootOps (structural changes, key delivery) or encrypted GroupOps (membership, capabilities). New members receive group keys via ECDH-wrapped KeyDelivery.
Store key: NamespaceIdentity (0x37) • API: GET/POST /admin-api/namespaces
Service
A named WASM module within a multi-service application bundle. Each service has its own bytecode and optional ABI. Contexts specify which service they run via service_name. Single-service bundles do not require a service name.
Store type: ServiceMeta • Manifest field: services
Group
Governance unit within a namespace, owning one or more Contexts. Manages membership and capabilities via signed operations. Subgroups inherit the root group's application. Access control is group-membership-based.
GroupGovernanceApplier
DeltaApplier implementation bridging the DAG to GroupStore for governance ops.
GroupGovernanceDelta
Gossip message carrying a signed governance operation with explicit DAG metadata (delta_id, parent_ids) for replication and catch-up.
NamespaceGovernanceDelta
Gossip message carrying a SignedNamespaceOp on namespace topics. Published when namespace governance operations are created. Receivers verify, apply to the namespace DAG, and may trigger key delivery.
SignedNamespaceOp
A signed namespace governance operation containing a NamespaceOp (either a cleartext RootOp or an encrypted GroupOp). Signed with the node's namespace identity private key. Forms a single causal DAG per namespace.
KeyDelivery
A cleartext RootOp in the namespace governance DAG. Delivers an ECDH-wrapped group encryption key to a newly joined member. The sender wraps the key using ECDH(sender_sk, joiner_pk); the joiner unwraps using ECDH(joiner_sk, sender_pk). Delivers the per-group GroupKeyring key — not the node's KMS storage key (see the two key families entry).
GroupKeyring (group encryption keys)
The per-group symmetric encryption keys used to encrypt/decrypt a group's GroupOps and shared state. Each new member receives them via ECDH-wrapped KeyDelivery; they are rotated when a member is removed and, as of #2776, deleted from a fleet node's disk on self-purge. Distinct from the node's KMS storage key (see the two key families entry).
two key families (storage key vs. group keys)
Calimero TEE deployments involve two unrelated key families that are commonly conflated:

(1) KMS storage / disk key — per-node, fetched from the KMS only after the node's TEE measurement (MRTD) is verified. Encrypts the node's on-disk datastore. One per node; never delivered over governance.

(2) Per-group GroupKeyring encryption keys — per-group, ECDH-delivered to members via KeyDelivery, rotated on member removal, and (as of #2776) deleted on self-purge. Encrypt group operations and shared state. See TEE Fleet HA.

Mnemonic: the KMS key protects this node's disk; the GroupKeyring keys protect a group's shared data across all members.
NamespaceIdentity
A per-namespace Ed25519 keypair automatically generated on first create/join and persisted in the datastore (key prefix 0x37). Used for signing namespace governance ops and unwrapping group keys via ECDH. Shared across all subgroups and contexts in the namespace.
TopicManager
Deduplication-aware gossipsub subscription manager. Uses a RwLock<HashSet> to track active subscriptions and avoid redundant network calls. Supports namespace, group, and context topics.
GroupMemberRole
Enum distinguishing the four member roles within a group: Admin, Member, ReadOnly, and ReadOnlyTee. ReadOnly and ReadOnlyTee both bar state mutation, but ReadOnlyTee is reserved for hardware-attested fleet replica nodes (directly-rowed, never inherited).
GroupMutationKind
Lightweight notification enum broadcast after a governance op is applied. Used for real-time UI notifications.
GroupOp
Non-exhaustive enum of governance operations (MemberAdded, ContextRegistered, etc.). 25+ variants.
GroupStateHeartbeat
Periodic gossip message (default 30s) carrying DAG heads and member count. Peers compare heads and request missing ops on divergence.
GroupStore
Authoritative persistence layer for group state. Handles apply, OpLog, nonces, cascades.
H
HashHeartbeat
Periodic gossip message carrying root_hash + dag_heads for divergence detection. Part of BroadcastMessage.
HybridTimestamp (HLC)
Logical clock combining wall-clock time with a counter for causal ordering.
I
InitPayload
Stream protocol init message enum (BlobShare, KeyShare, DeltaRequest, SnapshotStreamRequest, GroupDeltaRequest, etc.).
J
JCS
JSON Canonicalization Scheme (RFC 8785). Produces deterministic byte ordering for JSON. Used by mero-sign before hashing bundle manifests.
JSON-RPC
JSON-RPC 2.0 protocol for external method calls on contexts. Clients POST to /jsonrpc with method name and params.
K
Kademlia
Distributed hash table protocol from libp2p used for peer discovery, bootstrap routing, and record storage.
KMS
Key Management Service. Releases the per-node storage / disk key to a TEE node only after verifying its MRTD measurement (see TEE Mode). This is distinct from per-group GroupKeyring encryption keys (see the two key families entry). Supported: mero-kms-phala for Phala Cloud.
L
LazyRecipient
Deferred Actix actor address wrapper using Arc<OnceCell<Recipient>>. Breaks circular init dependencies.
libp2p
Modular P2P networking framework providing transport (TCP/QUIC), discovery (Kademlia, mDNS), messaging (gossipsub), and stream protocols.
LWW (Last-Write-Wins)
Merge strategy where concurrent updates are resolved by keeping the latest timestamp. Used by LwwRegister and per-entry in UnorderedMap.
M
manifest
JSON metadata inside an .mpk bundle: package, version, signerId, wasm/abi paths, migrations, and Ed25519 signature.
MemberCapabilities
Struct holding the five capability bit constants for group-level authorization.
MemberJoinedViaTeeAttestation
The governance operation a verifier publishes to admit a fleet node as a ReadOnlyTee member, after its TeeAttestationAnnounce has been validated against the namespace TeeAdmissionPolicy. It is the attestation-gated analogue of an ordinary member-add: it directly rows the node into the target namespace (never inherited) rather than delivering an invitation.
Mergeable
Trait for CRDT merge operations. Implemented by Map, Set, LwwRegister.
Defined in: crates/storage/
mero-sign
Tool for Ed25519 key generation and bundle manifest signing using JCS + SHA-256 + Ed25519.
meroctl
Operator CLI for a running node. Command groups: app, context, group, call, blob, peers, node.
merod
Calimero node daemon. Commands: init (create config), config (modify settings), run (start all actors and servers).
merodb
Debug CLI for direct RocksDB inspection: schema, export, validate, DAG export, YAML migration plans.
Multiaddr
libp2p address format encoding layered protocol stacks (e.g. /ip4/127.0.0.1/tcp/2428/p2p/12D3KooW...).
N
NetworkClient
Async facade over LazyRecipient<NetworkMessage>.
NetworkEvent
Events from the libp2p swarm (ListeningOn, Subscribed, Message, StreamOpened, BlobRequested, etc.).
NetworkManager
Actix actor wrapping the libp2p Swarm.
NodeClient
Async facade over LazyRecipient<NodeMessage>.
NodeManager
Central Actix actor orchestrating network events, blob cache, heartbeats.
Nonce
Cryptographic nonce for replay protection. Per-signer monotonic counter in governance ops.
O
OpLog
Persistent log of applied SignedGroupOp entries, keyed by (group_id, sequence).
OpHead
Latest sequence number + current DAG heads for a group.
P
PeerId
libp2p peer identifier derived from the node's public key. Uniquely identifies a node in the P2P network.
PrivateState
Node-local storage column for data that should not be synchronized across peers.
PublicKey
Ed25519 public key used for identity and signing.
Q
QUIC
UDP-based transport with built-in encryption and multiplexing. Calimero nodes listen on both TCP and QUIC.
quote hash (replay protection)
A per-group dedup record of a TDX quote already used to admit a fleet node. The verifier keys on the quote's hash so the same quote cannot admit a node twice within the same group, even if re-broadcast. Combined with the per-quote nonce in report_data, it closes the replay window on the TeeAttestationAnnounce → MemberJoinedViaTeeAttestation path.
R
ReadOnly
Group member role that allows joining contexts and reading state but prevents all state mutations. Enforced at both local and remote nodes. A regular (non-attested) role; contrast with ReadOnlyTee, the hardware-attested fleet-node variant.
ReadOnlyTee
Read-only TEE fleet-node role. Like ReadOnly it bars all state mutation, but it is directly-rowed and NEVER inherited through subgroups: a fleet replica is only ReadOnlyTee in the exact namespace it was admitted to. Admission is gated on hardware TDX attestation (see TeeAttestationAnnounce / MemberJoinedViaTeeAttestation), and on eviction the node hard-purges its local rows and keys (see self-purge). A variant of GroupMemberRole.
report_data
The 64-byte free-form field bound into a TDX quote at generation time. For a fleet node's attestation it is nonce(32) || Sha256(pubkey): a fresh 32-byte nonce concatenated with the SHA-256 of the announcing node's public key. Binding the pubkey hash into the hardware-signed quote proves the quote belongs to that key; the nonce gives freshness for replay protection.
RGA (Replicated Growable Array)
Sequence CRDT for character-level collaborative text editing with HLC-based CharIds and left-neighbor positioning.
RocksDB
Embedded LSM-tree key-value store backing all node persistence. 11 column families accessed via calimero-store.
S
self-purge
The role-scoped local cleanup a fleet node runs on eviction from ReadOnlyTee. It hard-deletes the node's own local rows and keys for the namespace — its namespace signing-key material and, as of #2776, its per-group GroupKeyring encryption keys — so no residual state or decryption capability lingers on disk. Driven by a pending-self-purge marker plus a startup reconcile sweep, so an eviction missed while offline is still completed on the next boot. Failures and sweep outcomes are observable via the self_purge_* metrics.
SHA-256
Hash function used for content-addressed IDs (delta_id, blob_id), state hashes, and bundle signing.
SignedGroupOp
Signed governance operation: version, group_id, parent_op_hashes, state_hash, signer, nonce, op, signature.
SignedGroupOpenInvitation
Admin-signed invitation token for joining a group.
SignedGroupOpV1
Legacy gossip wrapper carrying opaque Borsh-serialized SignedGroupOp payload. Still accepted for compatibility.
SignerId
did:key string from the Ed25519 key used to sign bundles. Establishes cryptographic update authority.
StateDelta
BroadcastMessage variant carrying encrypted state diff for a context. Part of the context DAG.
StreamMessage
Wire format for sync streams: Init, Message, or OpaqueError.
SubgroupCreated
Governance operation that links a child group to a parent, enabling membership inheritance.
SyncManager
Async task managing periodic sync. Selects from HashComparison, LevelWise, Snapshot, or Delta protocols.
T
TDX
Intel Trust Domain Extensions. Hardware TEE with attestation via measurement registers (MRTD, RTMR0-3).
TEE
Trusted Execution Environment. Hardware-isolated runtime protecting code and data. merod supports TEE mode with KMS key fetch.
TeeAdmissionPolicy
The namespace-scoped measurement allowlist a fleet node's attestation is checked against. It pins the acceptable TDX measurements — allowed_mrtd, RTMR values, TCB-status bounds — plus an accept_mock escape hatch for non-TEE test runs. Resolved to the namespace root, so the whole namespace shares one policy. Admission of a TeeAttestationAnnounce succeeds only if the verified quote satisfies this policy.
TeeAttestationAnnounce
The broadcast a fleet node publishes on its namespace topic (ns/<hex>) to announce itself for admission. It carries a fresh TDX quote whose report_data is nonce(32) || Sha256(pubkey) — binding the node's public key into the hardware-signed quote and supplying a nonce for freshness. A verifier validates it against the TeeAdmissionPolicy and, on success, publishes MemberJoinedViaTeeAttestation to admit the node as ReadOnlyTee.
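As an added example (not Calimero's own code) covering the report_data, quote hash, TeeAdmissionPolicy and TeeAttestationAnnounce entries together, this is the verifier-side check run against a constructed mock quote, the kind the accept_mock escape hatch exists for: it confirms the report_data binding to the announced pubkey, checks the MRTD against allowed_mrtd, and records the quote hash so a re-broadcast quote cannot admit a node twice. The quote layout, class names and reject/admit strings are assumptions; a real verifier would also validate the TDX signature chain, RTMRs and TCB status, which are omitted here.

```python
# Added example (not Calimero's own code): verifier-side admission checks for
# a TeeAttestationAnnounce, using a constructed mock quote.
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class MockQuote:
    """Constructed stand-in for a TDX quote (only the fields this check needs)."""
    mrtd: bytes           # 48-byte MRTD measurement
    report_data: bytes    # 64 bytes: nonce(32) || Sha256(pubkey)
    is_mock: bool = True  # a real quote carries a hardware signature instead

    def quote_hash(self) -> bytes:
        # Hash over the whole quote: a re-broadcast copy hashes identically.
        return hashlib.sha256(self.mrtd + self.report_data + bytes([self.is_mock])).digest()


@dataclass
class TeeAdmissionPolicy:
    """Field names follow the glossary entry; RTMR/TCB bounds are omitted."""
    allowed_mrtd: frozenset
    accept_mock: bool = False


def build_report_data(pubkey: bytes) -> bytes:
    """Fleet-node side: fresh 32-byte nonce || SHA-256 of the announcing pubkey."""
    return secrets.token_bytes(32) + hashlib.sha256(pubkey).digest()


class AnnounceVerifier:
    """Verifier side of TeeAttestationAnnounce -> MemberJoinedViaTeeAttestation."""

    def __init__(self, policy: TeeAdmissionPolicy):
        self.policy = policy
        self.seen_quote_hashes: set = set()  # per-group replay record

    def check(self, pubkey: bytes, quote: MockQuote) -> str:
        if len(quote.report_data) != 64:
            return "reject: report_data must be 64 bytes"
        # Binding: the quote must name exactly the key that announced itself.
        if quote.report_data[32:] != hashlib.sha256(pubkey).digest():
            return "reject: report_data not bound to announced pubkey"
        if quote.is_mock and not self.policy.accept_mock:
            return "reject: mock quote refused (accept_mock is off)"
        if quote.mrtd not in self.policy.allowed_mrtd:
            return "reject: MRTD not in allowed_mrtd"
        # Replay: the same quote may admit a node only once in this group.
        qh = quote.quote_hash()
        if qh in self.seen_quote_hashes:
            return "reject: quote already used (replay)"
        self.seen_quote_hashes.add(qh)
        return "admit: ReadOnlyTee"
```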
TopicHash
Gossipsub topic identifier. Formats: context/<hex> for state, group/<hex> for governance.
U
UpgradePolicy
Group setting controlling how application upgrades propagate: Automatic, LazyOnAccess, or Coordinated.
V
auto_join
Group join behavior flag (default: true). When enabled, joining a group automatically subscribes the node to all contexts in the group and its descendant subgroups.
VMContext
Runtime execution context: input, context_id, executor identity (auto-resolved from namespace identity), governance_epoch.
VMLogic
WASM host function dispatcher. Manages registers, memory, storage, events.
W
WASM
WebAssembly. Portable bytecode for application logic. Apps compile to wasm32-unknown-unknown and run via Wasmer with Cranelift JIT.
X
xcall
Cross-context fire-and-forget call from one context's WASM to another in the same namespace on the same node. Queued during execution, runs after commit. No return value, but the outcome — success, denial, or target error — is broadcast as an XCall event. Cross-namespace calls are denied; a target may opt into an entry-point allowlist with #[app::xcall] and read the verified caller via env::xcall_origin().