Glossary & Core Concepts
A quick reference for the vocabulary used throughout the azuma nori documentation. These are the nouns you will meet when creating a project, running an analysis, and reading results.
Analysis model
Policy : A compliance or security framework that nori can evaluate a codebase against — for example BSI TR-03161 or the EU Cyber Resilience Act. Each project targets one policy.
Control
: A single requirement within a policy (for example, a cryptography requirement identified as
O.Cryp_2). A policy is made up of many controls, each evaluated independently.
Sub-agent : A bounded LLM task that evaluates a specific slice of the work. nori deliberately splits an analysis across many sub-agents rather than asking one model to judge an entire standard, so each evaluation stays focused and evidence-backed. See Architecture.
Wiki : A set of compact, local Markdown indices that nori builds from your codebase during the Indexing Phase. The Wiki summarizes your architecture, dependencies, and structure, and is fed to sub-agents as trusted context so they don't have to re-scan the whole repository.
Finding
: An individual issue a sub-agent reports for a control, carrying a severity and a concrete
file:line reference. Findings are grouped as Critical, Potential, and
Informational in the results view.
Verdict / Score : The outcome of evaluating a control, expressed as a 0–100 score and a Pass / Fail status. Control scores are aggregated into an Overall Score for the run.
Run : One execution of an analysis against a project at a point in time. Each run records its status, metrics (duration, tokens, cost), overall score, and per-control results. Runs are listed in the Analysis History.
Project : A target codebase bound to a single policy, plus its workspace configuration (root directory, data directory, and AI-model settings). See Create a Project.
Configuration & execution
Depth : How thorough an analysis run is (for example Light, Medium, or Extreme). Higher depth means more scrutiny per control at the cost of more time and tokens.
Root Directory : The folder containing the source code you want to analyze. nori reads from it but never writes to it.
Data Directory (.nori)
: A separate, writable workspace where nori stores its configuration, cache, Wiki, and exports.
Keep it outside your source tree. See Standalone Client.
Evidence / Document Indexing : External proof — PDFs, certificates, diagrams, pentest reports — attached to a project or a specific control so that requirements which can't be verified from source code alone can still be evaluated. See External Evidence.
Regulatory Report : A per-control compliance dossier suitable for auditors, assembled deterministically from a run's findings and metadata. See Reporting & Exports.
Platform terms
Workspace : An organization's licensed environment. You select a licensed nori workspace at sign-in, and it determines which policies and settings are available to you.
Freemium : A free tier that exposes a subset of controls, letting you try a policy before a full license is in place.
Policy Stability : A maturity label shown on each policy:
- Stable — production-ready and fully supported.
- Beta — usable and reasonably complete, but still being refined.
- Preview — early access; may be limited in availability and subject to change.