This glossary defines domain-specific terms used across ClaudePedia. General programming vocabulary (async, function, class) is intentionally excluded — every term here has a meaning that is specific to agent system design or that has a specialized meaning in the agent context that differs from general use. Each entry links to the primary page that explains the term most thoroughly.
Abort Signal
A cancellation token passed into the agent loop and all async operations it initiates (model calls, tool executions, hook invocations). When the abort signal fires, outstanding operations must complete their protocol obligations — including emitting synthetic tool results — before exiting cleanly. See: Agent Loop Architecture
Adaptive Max-Tokens
A recovery technique for context overflow errors where the exact token counts are parsed from the API error response and max_tokens is set precisely for the retry, rather than guessing. Prevents repeated 400 errors while avoiding the cost of unnecessarily reducing output budget. See: Error Recovery and Resilience
Agent Event Stream
The sequence of typed events yielded by the agent loop: RequestStart, TextDelta, ToolDispatch, ToolResult, Complete, ErrorEvent. Distinct from the terminal input event system (keystrokes, resize). See: Streaming and Events
Append-Tail
A mechanism for injecting content at the end of the assembled system prompt regardless of which priority chain level won — used for memory correction hints, team policy additions, and per-session overrides without modifying any static section. See: Prompt Architecture
Backpressure
The pressure a slow consumer exerts on a fast producer in a streaming pipeline. Handled through no-buffer (blocking producer), bounded buffer (producer runs ahead up to N), or unbounded buffer (producer never blocks) strategies. See: Streaming and Events
Behavioral Flags
Metadata fields on a tool that declare cross-cutting concerns: is_concurrency_safe, is_read_only, is_destructive, interrupt_behavior, requires_user_interaction. Read by different subsystems (dispatcher, permission system, UI) without the tool implementation knowing about those systems. See: Tool System Design
Bypass-Immune Check
A safety check that runs before the permission cascade and cannot be overridden by any policy source, permission mode, or rule configuration. Scope bounds checking is the canonical example. See: Safety and Permissions
Cache Fragmentation
The exponential multiplication of prefix cache keys when session-variable content is interleaved in the static zone of the system prompt. With N variable bits in the static zone, 2^N possible cache keys exist. See: Prompt Architecture
Capture-Bubble Dispatch
A two-phase event routing model for component trees: the capture phase walks root-to-target (ancestors can intercept before the target sees the event), and the bubble phase walks target-to-root (ancestors react after the target handles it). See: Streaming and Events
Circuit Breaker
A state machine wrapper around a service call that tracks failure rates and blocks calls when the failure rate exceeds a threshold, preventing retry storms against a known-down service. Transitions through Closed → Open → Half-Open states. See: Error Recovery and Resilience
Closed Taxonomy
A fixed, finite set of allowed memory types (user, feedback, project, reference) that constrains what the extraction agent is allowed to create, preventing the memory store from becoming an unstructured junk drawer. See: Memory and Context
Command Type
One of three discriminated union variants for commands: local (function call returning a result), interactive (renders a UI component), or prompt (injects content blocks into the conversation). See: Command and Plugin Systems
Compaction
The process of reducing the context window size when the message history approaches the limit. Runs through a cost-ordered pipeline: trim tool results → drop old messages → session memory compact → LLM summarization. See: Memory and Context
Concurrency Class
A classification of a tool's parallelism safety: READ_ONLY (safe for concurrent dispatch), WRITE_EXCLUSIVE (must run serially), or UNSAFE (must run serially and in isolation). Determined at dispatch time from the actual parsed arguments, not at registration time. See: Tool System Design
Context Window
The fixed-size input buffer that holds everything the model can see in a single turn: conversation history, tool results, injected facts, system instructions. Agent memory management is the art of deciding what occupies this finite space. See: Memory and Context
Coordinator
An agent in a multi-agent system that receives the user's task, breaks it into subtasks, delegates to workers, and synthesizes the results into a single coherent answer. The coordinator decides WHAT; workers decide HOW. See: Multi-Agent Coordination
Cursor (extraction)
A UUID identifying the last message successfully processed by the background fact extraction agent. Advances only on success, so failed runs reconsider the same messages on the next attempt. See: Memory and Context
Denial Tracking
Counting consecutive and total classifier denials per session and escalating to a user dialog when thresholds are crossed, preventing silent infinite rejection loops in classifier-based permission systems. See: Safety and Permissions
Discriminated Union
A type pattern where a tagged field (e.g., type: "TextDelta") determines which variant the value is, enabling exhaustive pattern matching by consumers. Used for both events and transitions throughout the agent architecture. See: Streaming and Events
Dynamic Zone
The portion of the system prompt that changes per-session or per-turn: session context, user memory, active tools, token budget. Content in this zone breaks prefix cache keys and must be updated each turn. See: Prompt Architecture
Escalation Ladder
A four-rung failure response in error recovery: retry the same operation (cost: latency) → fall back to an alternative implementation (cost: quality) → degrade by removing the capability (cost: lost feature) → fail entirely (cost: lost task). See: Error Recovery and Resilience
Fact Extraction
The process of identifying and persisting domain-specific facts from conversation messages to long-term storage. Run by the background extraction agent after each turn, gated on the mutual exclusion guard. See: Memory and Context
Fail-Closed Default
The design principle that any unset safety-critical configuration value defaults to the most restrictive behavior. A missing is_concurrency_safe defaults to false; a missing requires_permission defaults to true. See: Tool System Design
Graduated Trust
A hierarchy of instruction authority: system prompt (highest) > user turn > tool result > sub-agent output (lowest). An agent cannot grant itself elevated permissions; trust flows downward and cannot be escalated by lower-authority sources. See: Safety and Permissions
Hierarchy of Forgetting
A four-level memory model where each level down trades fidelity for space: in-context (perfect fidelity) → summary (compressed digest) → long-term storage (extracted facts) → forgotten (discarded). See: Memory and Context
Hook
A typed interceptor registered against a named lifecycle event. Hooks are configured as data — the hook runner evaluates their conditions and dispatches to the appropriate execution mode without the main loop knowing the details. See: Hooks and Extension Points
Interrupt Behavior
A per-tool flag declaring what happens when a user submits a new message while the tool is running: cancel (stop immediately) or block (finish before processing the new message). See: Tool System Design
Jitter
Random variation added to exponential backoff delays to prevent synchronized retry storms when many clients fail simultaneously. Standard formula: 25% random variation applied to the computed delay. See: Error Recovery and Resilience
Lazy Loading
Deferring the import of a command's implementation module until the command is invoked, keeping registry startup cost constant regardless of how many commands exist. See: Command and Plugin Systems
Mailbox
A directory of atomic message files used as the inter-agent communication channel across all executor backends. Provides uniformity (same interface for in-process and separate-process workers) and disk-inspectable message history. See: Multi-Agent Coordination
Max-Turns
A hard iteration limit on the agent loop, serving as a correctness requirement and circuit breaker. Not a preference — exceeding it signals a task design problem and should surface as an error, not a silent return. See: Agent Loop Architecture
MCP (Model Context Protocol)
A protocol for integrating external services into an agent's tool system via a standard capability discovery API (tools/list). The agent-side client bridges MCP tools into structurally identical Tool objects, making external tools invisible to the dispatcher. See: MCP Integration
Metadata-First Registration
A command registry pattern where each command is described as a metadata object before any code is loaded; implementation is deferred to invocation via lazy dynamic imports. See: Command and Plugin Systems
Model Fallback
Switching to a different model after repeated capacity errors on the primary model. Distinct from a circuit breaker: circuit breakers block calls to a failing service; model fallback changes which model handles the same request. See: Error Recovery and Resilience
Partition-Then-Gather
The tool dispatch algorithm that splits a list of tool calls into consecutive batches of safe/unsafe tools, processes batches sequentially, and parallelizes execution within each safe batch. See: Tool System Design
Permission Cascade
The six-source evaluation chain for permission decisions: policySettings → projectSettings → localSettings → userSettings → cliArg → session. The first matching rule wins; no match means DENY. See: Safety and Permissions
Permission Mode
A global semantic override on the permission cascade: default (ask for unlisted tools), plan (auto-deny writes), acceptEdits (auto-approve file edits), bypassPermissions (auto-approve all), dontAsk (silently deny unlisted). See: Safety and Permissions
Prompt Cache
A provider-side prefix cache that recognizes byte-identical prompt prefixes across API calls and serves them at reduced cost. Effective only when the static zone is identical across users, sessions, and turns. See: Prompt Architecture
Query-Source Partitioning
Classifying operations as foreground (user is waiting — retry on capacity errors) or background (user never sees results — fail fast on capacity errors) to prevent background retries from amplifying capacity events. See: Error Recovery and Resilience
Screen Diffing
The rendering model where a screen buffer is computed each frame, diffed against the previous frame, and only changed cells are emitted as terminal escape codes — preventing partial-render corruption and enabling frame-rate-controlled output. See: Streaming and Events
Section Registry
A prompt assembly system where each section is registered with an explicit cache intent (cached or volatile) rather than concatenated directly. Enables auditing of cache-breaking sections and enforces the static/dynamic boundary structurally. See: Prompt Architecture
Session Memory
Structured in-memory context that can serve as a zero-LLM-cost summary during compaction, replacing the need for a full LLM summarization call if session memory is available and non-empty. See: Memory and Context
Shadow Rule
A permission rule that can never be reached because a broader deny or ask rule is checked first. Shadow rules are detected at write time (when rules are added) rather than at evaluation time. See: Safety and Permissions
Sink Queue Pattern
An in-memory FIFO buffer that accumulates events before the logging sink is ready, drained via microtask on sink attachment. Prevents log loss during the window between agent startup and sink initialization. See: Observability and Debugging
SSRF Protection
Server-Side Request Forgery protection for HTTP hooks: blocking requests to private IP ranges, cloud metadata endpoints, and CGNAT ranges, validated at DNS resolution time to prevent DNS rebinding attacks. See: Hooks and Extension Points
State Struct Pattern
Carrying all mutable agent loop state in a typed struct that is replaced wholesale at every continue site, with a typed transition.reason field that makes continuation causes auditable. See: Agent Loop Architecture
Static Zone
The portion of the system prompt that is identical for every user, session, and turn: identity, behavioral rules, tool descriptions, numeric calibration. Content in this zone can be prefix-cached. See: Prompt Architecture
Stop Hook
A hook registered on the Stop lifecycle event that can evaluate an agent response, inject blocking messages that cause the loop to re-enter, or prevent continuation entirely. See: Agent Loop Architecture
Synthesis (multi-agent)
The LLM call a coordinator makes after all workers return, combining partial results, resolving conflicts, filling gaps, and producing a single integrated answer. Distinguishes a coordinator from a router. See: Multi-Agent Coordination
Three-Handler Architecture
The three permission resolution paths selected based on execution context: interactive handler (races four paths concurrently), coordinator handler (sequential), and swarm worker handler (forwards to leader via mailbox). See: Safety and Permissions
Tombstone
A marker placed on an orphaned partial assistant message that flags it for removal from history, UI rendering, and transcript serialization. Targeted removal that preserves surrounding context, unlike truncation. See: Agent Loop Architecture
Tool Bridge
The pattern of constructing standard Tool objects from MCP server capabilities at connection time, making external tools structurally identical to built-in tools from the dispatcher's perspective. See: MCP Integration
Tool Error Pipeline
The invariant that every tool execution failure yields a tool_result message with is_error: true rather than raising an exception, ensuring the message stream always has a valid response for every tool_use. See: Error Recovery and Resilience
Tool Partitioning
Giving the coordinator agent only coordination tools (spawn, send, stop) and workers only domain tools, preventing the coordinator from bypassing delegation and doing the work itself. See: Multi-Agent Coordination
Two-Phase Validation
Running schema validation (shape and type checking) followed by semantic validation (business logic) as two separate, always-running phases in the tool execution lifecycle. See: Tool System Design
Two-State Machine
The agent loop's core model: the loop alternates between two states — awaiting a model response and dispatching tool calls. If the model returns tool calls, stay in the loop; if not, exit. See: Agent Loop Architecture
Two-Zone Model
The architectural split of the system prompt into a static zone (cacheable, identical across users/sessions/turns) and a dynamic zone (per-session or per-turn, cache-breaking). See: Prompt Architecture
Verified-Metadata Contract
A logging pattern that requires explicit acknowledgment when logging string values in event metadata, making PII logging a deliberate, reviewable act rather than an accidental side effect. See: Observability and Debugging
Volatile Section
A prompt section registered with a reason argument indicating why it cannot be cached. The verbose registration variant creates friction that prevents accidental cache fragmentation in team codebases. See: Prompt Architecture
Worker (multi-agent)
An agent in a multi-agent system that receives a narrow, well-defined subtask from the coordinator, executes it with isolated context and domain-specific tools, and returns results for synthesis. See: Multi-Agent Coordination