DOC-3498: Expand acronyms on first prose use across on-premises pages

kemister85 · kemister85 · commit 157f923ec2d7 · 2026-05-13T15:08:21.000+10:00
Expand 18 acronyms (OCI, JWT, LLM, SSE, TLS, CORS, MCP, NTP, HPA,
OTLP, IRSA, ADC, SSR, CSP, SIEM, PII, HA, mTLS) on first prose
occurrence per page for readers unfamiliar with the terms.
diff --git a/modules/ROOT/pages/tinymceai-on-premises-advanced.adoc b/modules/ROOT/pages/tinymceai-on-premises-advanced.adoc
@@ -150,7 +150,7 @@ The assistant calls the `search_knowledge_base` tool, retrieves the relevant pol
 
 == Multi-tenant SaaS platform
 
-*Use case:* A SaaS platform provides AI writing features to customers. Each customer gets isolated conversations, separate LLM budgets, and per-tenant configuration.
+*Use case:* A SaaS platform provides AI writing features to customers. Each customer gets isolated conversations, separate large language model (LLM) budgets, and per-tenant configuration.
 
 === Architecture
 
@@ -171,7 +171,7 @@ Each environment provides:
 * Customer B -> Environment `env-customer-b`
 * Customer C -> Environment `env-customer-c`
 
-. *Token server generates JWTs with the correct environment:*
+. *Token server generates JSON Web Tokens (JWTs) with the correct environment:*
 +
 .Multi-tenant JWT generation
 [%collapsible]
diff --git a/modules/ROOT/pages/tinymceai-on-premises-database.adoc b/modules/ROOT/pages/tinymceai-on-premises-database.adoc
@@ -4,7 +4,7 @@
 :keywords: AI, on-premises, database, MySQL, PostgreSQL, Redis, Docker, Podman, file storage, S3, Azure Blob
 
 This page covers the data layer: the SQL database, Redis, and file storage.
-For container runtimes, reverse proxies, TLS, Kubernetes, and ECS deployment, see the xref:tinymceai-on-premises-production.adoc[Production deployment guide].
+For container runtimes, reverse proxies, Transport Layer Security (TLS), Kubernetes, and ECS deployment, see the xref:tinymceai-on-premises-production.adoc[Production deployment guide].
 
 == Supported versions
 
@@ -439,7 +439,7 @@ docker run --add-host=host.docker.internal:host-gateway ...
 
 == Redis
 
-Every AI service instance must reach Redis. Redis holds session coordination, SSE delivery, and rate-limiting state. A temporary Redis outage degrades streaming but does not destroy persistent data.
+Every AI service instance must reach Redis. Redis holds session coordination, Server-Sent Events (SSE) delivery, and rate-limiting state. A temporary Redis outage degrades streaming but does not destroy persistent data.
 
 === Setup
 
diff --git a/modules/ROOT/pages/tinymceai-on-premises-frameworks.adoc b/modules/ROOT/pages/tinymceai-on-premises-frameworks.adoc
@@ -7,10 +7,10 @@
 This page covers the *editor-side* configuration that connects TinyMCE to the on-premises AI service. It assumes:
 
 * The AI service is already running. See xref:tinymceai-on-premises-getting-started.adoc[Getting started] for setup instructions.
-* A token endpoint exists that signs JWTs for the AI service. See xref:tinymceai-on-premises-jwt.adoc[JWT authentication] for back-end implementations.
+* A token endpoint exists that signs JSON Web Tokens (JWTs) for the AI service. See xref:tinymceai-on-premises-jwt.adoc[JWT authentication] for back-end implementations.
 * The TinyMCE API key has the AI feature enabled. Retrieve or upgrade a key at https://www.tiny.cloud/my-account/integrate/.
 
-For general framework setup (installing wrappers, component structure, SSR patterns), see the existing integration guides:
+For general framework setup (installing wrappers, component structure, server-side rendering (SSR) patterns), see the existing integration guides:
 
 * xref:react-cloud.adoc[React]
 * xref:vue-cloud.adoc[Vue.js]
@@ -151,7 +151,7 @@ This pattern avoids cookies entirely and works well for cross-origin setups.
 
 == Cross-origin requests to the AI service
 
-When `tinymceai_service_url` points to a different origin from the page (the common production case), the AI service must return CORS headers permitting the editor origin. The service reads the `ALLOWED_ORIGINS` environment variable for this.
+When `tinymceai_service_url` points to a different origin from the page (the common production case), the AI service must return Cross-Origin Resource Sharing (CORS) headers permitting the editor origin. The service reads the `ALLOWED_ORIGINS` environment variable for this.
 
 To verify CORS from a terminal:
 
@@ -167,7 +167,7 @@ The response should include `Access-Control-Allow-Origin: \https://app.yourcompa
 
 
 
-== Content Security Policy
+== Content Security Policy (CSP)
 
 If the application sets a `Content-Security-Policy` header, allow the AI service origin in `connect-src`:
 
@@ -197,7 +197,7 @@ If using the Tiny CDN instead of self-hosted assets, also add `\https://cdn.tiny
 |Confirm the fetch sends the session cookie (`credentials: 'include'`) or `Authorization` header that the back end expects.
 
 |AI responses hang then time out
-|Reverse proxy is buffering SSE
+|Reverse proxy is buffering Server-Sent Events (SSE)
 |Disable proxy buffering. See xref:tinymceai-on-premises-production.adoc[Production deployment].
 
 |Browser console shows a CORS error on `/v1/conversations`
@@ -217,6 +217,6 @@ For other issues, see xref:tinymceai-on-premises-troubleshooting.adoc[Troublesho
 
 * xref:tinymceai-on-premises-getting-started.adoc[Getting started]
 * xref:tinymceai-on-premises-jwt.adoc[JWT authentication]
-* xref:tinymceai-on-premises-providers.adoc[LLM providers]
+* xref:tinymceai-on-premises-providers.adoc[large language model (LLM) providers]
 * xref:tinymceai-on-premises-production.adoc[Production deployment]
 * xref:tinymceai-on-premises-troubleshooting.adoc[Troubleshooting]
diff --git a/modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc b/modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc
@@ -238,7 +238,7 @@ Always create environments through the Management Panel UI. Environments created
 
 === Create the token server
 
-The token server signs JWTs for the editor. The Node.js example below is for the demo only; the xref:tinymceai-on-premises-jwt.adoc[JWT authentication] guide contains production-ready endpoints in 8 languages (Node, Django, Flask, Laravel, Rails, .NET, Go, Spring Boot).
+The token server signs JSON Web Tokens (JWTs) for the editor. The Node.js example below is for the demo only; the xref:tinymceai-on-premises-jwt.adoc[JWT authentication] guide contains production-ready endpoints in 8 languages (Node, Django, Flask, Laravel, Rails, .NET, Go, Spring Boot).
 
 Create `package.json`:
 
@@ -351,7 +351,7 @@ npm start
 
 === Open the demo
 
-Open *http://localhost:3000* in a browser. The editor loads with the AI toolbar. Select text and try the AI features. Responses stream in real time from the chosen LLM provider, processed entirely within the local infrastructure.
+Open *http://localhost:3000* in a browser. The editor loads with the AI toolbar. Select text and try the AI features. Responses stream in real time from the chosen large language model (LLM) provider, processed entirely within the local infrastructure.
 
 The TinyMCE AI on-premises service is now running.
 
@@ -423,7 +423,7 @@ event: done
 data: {}
 ----
 
-If the stream emits `event: error`, inspect the `data` payload. Provider errors (invalid API key, IAM denial, model unavailable) ride inside the SSE response. The HTTP status stays 200. See the xref:tinymceai-on-premises-troubleshooting.adoc[LLM provider errors] section in the Troubleshooting guide for details.
+If the stream emits `event: error`, inspect the `data` payload. Provider errors (invalid API key, IAM denial, model unavailable) ride inside the Server-Sent Events (SSE) response. The HTTP status stays 200. See the xref:tinymceai-on-premises-troubleshooting.adoc[LLM provider errors] section in the Troubleshooting guide for details.
 
 A successful round-trip confirms: container health, database connectivity, Redis connectivity, JWT signing, JWT verification, permissions checking, environment registration, LLM provider authentication, and SSE streaming. If problems persist after these checks, focus on the editor configuration next.
 
diff --git a/modules/ROOT/pages/tinymceai-on-premises-jwt.adoc b/modules/ROOT/pages/tinymceai-on-premises-jwt.adoc
@@ -3,7 +3,7 @@
 :description: JWT authentication for the TinyMCE AI on-premises service using HS256 symmetric signing
 :keywords: AI, on-premises, JWT, authentication, HS256
 
-The on-premises AI service uses *HS256* (HMAC-SHA256, symmetric shared secret) for JWT authentication. This is different from the Tiny Cloud AI service, which uses RS256.
+The on-premises AI service uses *HS256* (HMAC-SHA256, symmetric shared secret) for JSON Web Token (JWT) authentication. This is different from the Tiny Cloud AI service, which uses RS256.
 
 [WARNING]
 --
@@ -186,7 +186,7 @@ Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
 
 === Clock-skew leeway
 
-The service allows up to 60 seconds of clock skew on the `exp` claim. Keep the token server and the AI service synchronized with NTP.
+The service allows up to 60 seconds of clock skew on the `exp` claim. Keep the token server and the AI service synchronized with Network Time Protocol (NTP).
 
 
 
@@ -868,7 +868,7 @@ When debugging, start here. Most "auth failures" reflect wrong claim values rath
 |`allowed: false` on specific endpoints only |Missing the specific permission |Decode token, check the `auth.ai.permissions` array against the table above.
 |Token silently rejected, no decoded error |RS256 signature |Re-sign with HS256.
 |`aud` claim type mismatch |`aud` issued as array instead of string |Some JWT libraries default to array `aud`. Force string.
-|Editor shows "Failed to authenticate" |Token endpoint returned non-JSON, returned `token` as nested object, or CORS blocked the request |Open browser devtools → Network → inspect the response from `/api/ai-token`.
+|Editor shows "Failed to authenticate" |Token endpoint returned non-JSON, returned `token` as nested object, or Cross-Origin Resource Sharing (CORS) blocked the request |Open browser devtools → Network → inspect the response from `/api/ai-token`.
 |===
 
 === Sanity-check a token manually
@@ -906,6 +906,6 @@ Short-lived tokens limit exposure if a token leaks through a browser extension,
 == See also
 
 * xref:tinymceai-on-premises-getting-started.adoc[Getting started] -- end-to-end deployment, including a demo token server
-* xref:tinymceai-on-premises-providers.adoc[LLM providers] -- configuring custom models through `MODELS` and the `ai:models:<provider>:<model-id>` permission syntax
+* xref:tinymceai-on-premises-providers.adoc[large language model (LLM) providers] -- configuring custom models through `MODELS` and the `ai:models:<provider>:<model-id>` permission syntax
 * xref:tinymceai-on-premises-troubleshooting.adoc[Troubleshooting] -- full troubleshooting catalog beyond JWT
 * xref:tinymceai-on-premises-frameworks.adoc[Framework integration] -- editor-side integration patterns for React, Vue, and Angular, including `tinymceai_token_provider` wrappers
diff --git a/modules/ROOT/pages/tinymceai-on-premises-production.adoc b/modules/ROOT/pages/tinymceai-on-premises-production.adoc
@@ -17,7 +17,7 @@ The AI service is stateless, persists all state to MySQL/PostgreSQL and Redis, a
 
 == TLS / HTTPS
 
-The AI service does not terminate TLS. Place a reverse proxy in front.
+The AI service does not terminate Transport Layer Security (TLS). Place a reverse proxy in front.
 
 === Nginx example
 
@@ -48,7 +48,7 @@ server {
 
 [IMPORTANT]
 --
-SSE streaming requires `proxy_buffering off`. Without it, AI responses appear to hang until the entire response is generated.
+Server-Sent Events (SSE) streaming requires `proxy_buffering off`. Without it, AI responses appear to hang until the entire response is generated.
 --
 
 === AWS ALB
@@ -383,7 +383,7 @@ spec:
 [cols=",",options="header",]
 |===
 |Service |AWS recommendation
-|Database |RDS for MySQL 8.0 (Multi-AZ for HA)
+|Database |RDS for MySQL 8.0 (Multi-AZ for high availability (HA))
 |Redis |ElastiCache for Redis 7 (cluster mode)
 |Storage |Same-region S3 bucket
 |Load balancer |ALB with `/health` target health check, 300 s idle timeout
@@ -400,16 +400,16 @@ spec:
 |Practice |Implementation
 |Network isolation |Place the AI service in a private subnet; expose only through a load balancer. Restrict database and Redis to the AI service security group.
 |Block panel from the public internet |Restrict `/panel/` to an admin VPN or IP allowlist. The panel manages secrets and access keys.
-|TLS everywhere |Terminate TLS 1.3 at the reverse proxy. Use internal mTLS between the AI service and the data layer where supported.
+|TLS everywhere |Terminate TLS 1.3 at the reverse proxy. Use internal mutual TLS (mTLS) between the AI service and the data layer where supported.
 |Secrets management |Use Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. Never store secrets directly in orchestration manifests or commit them to source control.
 |Database encryption at rest |Turn on encryption at rest in the cloud provider console. RDS, Cloud SQL, and Azure Database enable this by default.
 |Redis authentication |Always set `REDIS_PASSWORD` (or use a managed Redis instance with authentication enabled).
 |Container security |Run as non-root, use a read-only filesystem where possible, and drop unnecessary Linux capabilities.
 |Image scanning |Scan `registry.containers.tiny.cloud/ai-service` with Trivy, Snyk, or the registry's built-in scanner.
-|Least-privilege JWTs |Grant only the permissions each user role requires. Avoid full-access tokens in production.
+|Least-privilege JSON Web Tokens (JWTs) |Grant only the permissions each user role requires. Avoid full-access tokens in production.
 |API secret rotation |Periodically create a new access key, add the new key to the configuration, then revoke the old key. The token endpoint reads the secret at request time.
-|Audit logging |Enable `ENABLE_METRIC_LOGS=true` and ship logs to a SIEM.
-|LLM API key rotation |Add the new key to the `PROVIDERS` array, restart the service, then revoke the old key after confirming the new one works.
+|Audit logging |Enable `ENABLE_METRIC_LOGS=true` and ship logs to a Security Information and Event Management (SIEM).
+|Large language model (LLM) API key rotation |Add the new key to the `PROVIDERS` array, restart the service, then revoke the old key after confirming the new one works.
 |===
 
 == Rate limiting
@@ -479,7 +479,7 @@ When enabled, the service writes a structured JSON entry for each request. Key f
 |===
 |Variable |Required |Default |Description
 |`LLM_TELEMETRY_ENABLED` |Yes |`false` |Primary telemetry switch
-|`OTEL_EXPORTER_OTLP_TRACES_ENDPOINT` |Yes |- |OTLP endpoint URL
+|`OTEL_EXPORTER_OTLP_TRACES_ENDPOINT` |Yes |- |OpenTelemetry Protocol (OTLP) endpoint URL
 |`OTEL_TRACES_SAMPLER_ARG` |No |`1.0` |Sampling rate (0.0 to 1.0)
 |`OTEL_DEBUG` |No |- |Verbose OTLP diagnostic logging
 |===
@@ -632,7 +632,7 @@ These values are approximate and vary with hardware, provider latency, and promp
 |1 to 50 |1 |db.t3.small (or 2 vCPU / 4 GB self-managed) |cache.t3.micro |Development and small teams
 |50 to 500 |2 |db.r6g.large |cache.r6g.large |Small production
 |500 to 5,000 |3 to 5 |db.r6g.xlarge (Multi-AZ) |cache.r6g.xlarge (cluster) |Medium production
-|5,000{plus} |5{plus} (HPA) |db.r6g.2xlarge{plus} |cache.r6g.2xlarge{plus} |Large production; contact Tiny for guidance
+|5,000{plus} |5{plus} (Horizontal Pod Autoscaler (HPA)) |db.r6g.2xlarge{plus} |cache.r6g.2xlarge{plus} |Large production; contact Tiny for guidance
 |===
 
 Starting point for self-managed deployments:
diff --git a/modules/ROOT/pages/tinymceai-on-premises-providers.adoc b/modules/ROOT/pages/tinymceai-on-premises-providers.adoc
@@ -6,7 +6,7 @@
 
 
 
-The `PROVIDERS` environment variable tells the AI service how to reach the upstream LLM. The `MODELS` environment variable tells the service which models are exposed to clients and which features each model supports. This page is the definitive reference for both: every supported `type`, every required field, and every known issue encountered in production.
+The `PROVIDERS` environment variable tells the AI service how to reach the upstream large language model (LLM). The `MODELS` environment variable tells the service which models are exposed to clients and which features each model supports. This page is the definitive reference for both: every supported `type`, every required field, and every known issue encountered in production.
 
 Start with the xref:tinymceai-on-premises-getting-started.adoc[Getting Started guide] if the AI service container is not yet running. The following sections assume a running `ai-service` container.
 
@@ -19,7 +19,7 @@ The AI service uses two related environment variables:
 |Variable |Type |What it does
 |`PROVIDERS` |JSON object |Map of provider IDs to provider configurations. Each entry says how to authenticate with one upstream LLM API.
 |`MODELS` |JSON array |List of models exposed to clients. Each model points at a `PROVIDERS` entry and declares which features it can serve.
-|JWT `auth.ai.permissions` |string array |Per-user authorization list. Includes `ai:models:<provider-key>:<model-id>` entries to gate access to individual models.
+|JSON Web Token (JWT) `auth.ai.permissions` |string array |Per-user authorization list. Includes `ai:models:<provider-key>:<model-id>` entries to gate access to individual models.
 |===
 
 The `PROVIDERS` keys are arbitrary identifiers (for example `"openai"`, `"my-bedrock"`, `"team-azure"`). Each value object has a `type` field that picks the implementation:
@@ -378,7 +378,7 @@ Amazon's hosted-model marketplace (Anthropic, Meta, Mistral, Cohere, Amazon Tita
 .Configuration details
 [%collapsible]
 ====
-IMPORTANT: The AI service does *not* use the AWS SDK default credential chain. `AWS_PROFILE`, `~/.aws/credentials`, IRSA, EC2 instance profiles, ECS task roles, and web identity tokens are all ignored. Inline the credentials in the `PROVIDERS` JSON.
+IMPORTANT: The AI service does *not* use the AWS SDK default credential chain. `AWS_PROFILE`, `~/.aws/credentials`, IAM Roles for Service Accounts (IRSA), EC2 instance profiles, ECS task roles, and web identity tokens are all ignored. Inline the credentials in the `PROVIDERS` JSON.
 
 *JSON shape:*
 
@@ -505,7 +505,7 @@ Google's enterprise model surface. Project-scoped, IAM-driven, GCP-billed. Crede
 .Configuration details
 [%collapsible]
 ====
-IMPORTANT: The Vertex adapter ignores ADC, `GOOGLE_APPLICATION_CREDENTIALS`, GKE Workload Identity, and Compute Engine metadata server credentials. Inline either a service-account key or an account-bound API key in the `PROVIDERS` JSON.
+IMPORTANT: The Vertex adapter ignores Application Default Credentials (ADC), `GOOGLE_APPLICATION_CREDENTIALS`, GKE Workload Identity, and Compute Engine metadata server credentials. Inline either a service-account key or an account-bound API key in the `PROVIDERS` JSON.
 
 *JSON shape (service account):*
 
@@ -666,7 +666,7 @@ For any HTTP API that implements the OpenAI Chat Completions interface, includin
 |===
 |Field |Required |Notes
 |`type` |Yes |Literal `"openai-compatible"`
-|`baseUrl` |Yes |*Must include the `/v1` suffix.* Without it, every request fails with a misleading "Not Found" SSE error.
+|`baseUrl` |Yes |*Must include the `/v1` suffix.* Without it, every request fails with a misleading "Not Found" Server-Sent Events (SSE) error.
 |`apiKeys` |No |Sent as `Authorization: Bearer <key>`. Most local runtimes ignore it.
 |`headers` |No |Additional headers such as auth tokens or tenant IDs.
 |===
diff --git a/modules/ROOT/pages/tinymceai-on-premises-reference.adoc b/modules/ROOT/pages/tinymceai-on-premises-reference.adoc
diff --git a/modules/ROOT/pages/tinymceai-on-premises-troubleshooting.adoc b/modules/ROOT/pages/tinymceai-on-premises-troubleshooting.adoc
diff --git a/modules/ROOT/pages/tinymceai-on-premises.adoc b/modules/ROOT/pages/tinymceai-on-premises.adoc
