DisplaySync

Glossary

Quick reference for the terms used across DisplaySync docs. Alphabetical.

A

ACL (Access Control List) The Tailscale policy file that decides which devices on your tailnet can reach which others. See Tailscale integration → ACL.

Active hours Windows Update setting that prevents automatic reboots during a configured time window. The provisioner sets this to 6 AM–11 PM by default.

Audit log Backend-side record of state transitions and operator actions. The backend records audit events; surfacing them in the dashboard UI is on the v2 roadmap.

Auth key A pre-authorized Tailscale credential baked into the kiosk image so each kiosk can join the tailnet without human interaction. See Tailscale integration.

B

Backend The DisplaySync server-side application running at api.displaysync.live. Handles REST + WebSocket traffic from dashboards, mobile apps, and kiosks.

C

Claim The act of binding a physical kiosk to a Sign record in an event. Two flows: Flow A (claim creates a new record) and Flow B (link binds the kiosk to a pre-created record). See Claiming signs.

Clone detection The desktop sign's logic that detects when a kiosk has been deployed from a captured image and clears stale identity automatically. Compares stored MAC against current network interfaces on every boot.

Command queue Redis-backed queue (24-hour TTL) that holds destructive remote commands when a sign is offline; drains on reconnect. See Remote control → Offline command queueing.

Command token A 32-byte random hex string minted backend-side and attached to destructive commands (reboot, fetch logs, update) along with a timestamp. The kiosk validates token presence + non-empty + a 30-second window only — there is no signature check. Cross-org isolation comes from Socket.IO room scoping.

Concurrent events The number of events in active state at once for an org. Tier-limited — see Pricing tiers.

Content What a sign displays. In v1, content is a webpage URL.

Content reachability HTTP HEAD probe done by each kiosk every 60 seconds against its assigned URL. Two consecutive failures trigger an unreachable state.

Controlled rollout The desktop-sign update model: per-environment latest.yml artifacts on updates.displaysync.live (Cloudflare R2), plus a manual update sequence via Squirrel and electron-updater. No silent push-during-event behavior — production updates are always operator-initiated. See Stability over features → Production tag freezes.

D

DERP relay Tailscale's encrypted fallback relay used when direct peer-to-peer between two devices isn't possible.

Deferred notification A 60-second delay between an offline transition and the actual push/email notification, to filter brief blips. See Notifications.

Desktop sign The Electron application that runs on each kiosk, displaying content and reporting heartbeats to the backend.

E

Electron The cross-platform desktop application framework the desktop sign is built on. Bundles a Chromium browser with Node.js for the desktop sign's needs.

Event A scheduled gathering — conference, trade show, sports event, etc. — that has a venue, dates, and a roster of signs and team members. The unit of work in DisplaySync.

Event date display Event start and end dates render as calendar dates — the date you typed is the date everyone sees, regardless of their time zone. Heartbeat / audit-log / "X seconds ago" timestamps stay in viewer-local time zone; only event start/end dates use the calendar-date treatment. See Your first event → A note about dates for the operator-facing explanation.

Event role Per-event role that determines write access. Two assignable values: manager, technician. Viewer is implicit for org members.

EventLog Per-sign analytics event stream rendered on the AnalyticsTab of the sign detail page. The dashboard's formatter maps each raw event type (frame_anomaly, page_frozen, process_crash, etc.) to a human-readable display string. See Dashboard tour → Event log on the sign detail page.

EventStats Per-event aggregate stats card on the event detail page — sign count, online %, content distribution. Live-updates over the WebSocket as kiosks report.

EventUser The database table for explicit per-user-per-event role assignments. One row = (user, event, role). Implicit roles (org-owner / org-admin → manager on every event) do NOT create EventUser rows; they're derived at read time.

Explicit role A stored EventUser row with a role field — technician, manager, or owner. Counterpart to Implicit role (which is derived from org membership rather than stored).

F

Fetch logs Remote command that pulls the kiosk's sign.log to the dashboard for triage. See Remote control → Fetch logs.

Fleet A collection of deployed kiosks managed as a unit, typically by an AV company or agency.

Freeze window A period during a live event when production-tagged desktop sign versions don't get updated. Conservative default to avoid mid-show surprises.

G

Golden image The captured Windows image used to deploy multiple kiosks. See Capturing the image.

H

Heartbeat A 5-second periodic message from a kiosk to the backend carrying its current state, content URL, and device telemetry. See Monitoring → Heartbeats.

Hierarchical role check The combined check that asks: "does this user's effective event role meet or exceed the required threshold?" Effective role = max of the user's explicit EventUser role AND any implicit role from org-owner/admin status. Implemented in getEffectiveEventRole(user, eventId).

I

Identity The combination of signId (UUID), shortCode (6-char), and macAddress that uniquely identifies a kiosk install. Generated on first boot, persisted across reboots.

Implicit role A derived (not stored) role: org owner or admin → manager on every event in their org. Implicit rights apply automatically; no EventUser row needs to exist. Counterpart to Explicit role.

Invitation Pending org-membership invite. Carries a single-use token, target role (member/admin/owner), and expiry. Stored in the Invitations table. Once accepted, the invite is consumed and an OrganizationUser row is created.

IoT Enterprise Windows 11 IoT Enterprise LTSC — a SKU that supports Shell Launcher and Unified Write Filter for stricter kiosk lock-down. See Kiosk configuration → Optional Shell Launcher.

K

Kiosk The physical thin-client device running the desktop sign app. Distinct from the Sign (the dashboard record) — one kiosk can have many sign records over time as it's claimed/unclaimed.

Kiosk user A dedicated low-privilege Windows local account (default name: DisplaySync) that auto-logs in and runs the sign app. Designed to limit blast radius from the auto-login plaintext password.

L

Link The Flow B claim variant — binding a kiosk to a pre-existing Sign DB record rather than creating a new one. See Claiming signs → Flow B.

LinkAckHandler The desktop-sign service that confirms or rejects a link/claim attempt by verifying the kiosk can actually load the requested URL. Replaces the optimistic-write claim semantics. Emits link_ack over WebSocket on success or with a structured failure sub-reason. See Claiming signs.

link_ack The WebSocket event a kiosk emits after attempting to load a URL during a claim/link handshake. Carries a success flag and, on failure, a structured sub-reason (url_unreachable, url_load_failed, sign_timeout).

M

MAC address The hardware address of a kiosk's first non-internal NIC, captured at first boot and used for clone detection. Doesn't update if the kiosk switches between Ethernet and Wi-Fi.

MagicDNS Tailscale's automatic DNS resolution within the tailnet. DisplaySync kiosks register as sign-<serial>.<tailnet>.ts.net. Convenient for ad-hoc remote access without memorizing IPs. See Tailscale integration.

Monitoring mode A runtime mode where the sign hides the display, mutes audio, throttles renderer frame rate, and pauses watchdogs while continuing to emit heartbeats. Toggled via Ctrl+Shift+M or the dashboard Enter/Exit Monitoring button. Persists across reboot. See Remote control → Monitoring mode.

Maintenance mode A state where the watchdog refuses to relaunch the sign app, allowing operators to take a sign offline for hardware work. Triggered by Ctrl+Shift+Q on the kiosk or by creating C:\ProgramData\DisplaySync\.maintenance. See Crash recovery → Maintenance mode.

N

NSIS The installer framework the desktop sign uses on Windows. Supports /S (silent), /D=path (custom directory), and /RESET (wipe identity).

network_failover Notification fired when a sign's active network interface switches between Ethernet and Wi-Fi (or vice-versa). Single-channel (in-app only), filtered under the signOffline notification key.

Notification Per-user persisted record of a notification event. Distinct from the in-app feed (which is the rendering layer) and from email/push deliveries (which are channel-side). The Notifications table is the source of truth for what was generated for a user.

O

Org / Organization A multi-tenant container that owns events, signs, content, and a team. The top-level unit for billing and access control.

Org role Per-org role: owner, admin, or member. Determines what actions a user can take within that org. See Roles & permissions.

OrganizationUser The database table for explicit per-user-per-org role assignments. Org owner and admin roles carry implicit event-manager privilege without needing EventUser rows; see Implicit role.

P

Pilot tier An admin-assigned, billing-exempt tier used for demos and customer trials. Not self-serve.

pendingSign A short-lived Redis record (24h TTL) holding a sign's signId + shortCode between QR-mint and successful claim. Expires if the claim is abandoned. Pending signs survive backend restarts.

Provisioner The PowerShell script (provision-windows.ps1) that automates installing the desktop sign + kiosk lockdown in a single command. See Installing DisplaySync.

R

RBAC (Role-Based Access Control) The combined system of system, org, and event roles that gates every action in DisplaySync.

Reachability See Content reachability.

requestId A UUID tagging each claim/link request during the acknowledged handshake. Used for idempotent retries — the kiosk replays the cached ack for a duplicate requestId rather than re-running the URL load.

Remote control The set of dashboard-issued commands that drive a kiosk's behavior over WebSocket — refresh, reboot, reboot_device, update, fetch_logs.

requireMinEventRole Backend middleware factory that gates an event-scoped route by minimum role. Rejects with HTTP 403 if the caller's role on the event is below the required threshold. Role ordering: technician < manager < owner.

S

Schedule (v2) Time-based content rules — what to display when. Models exist in v1 but the UI ships in v2.

Sentry Third-party error tracking service used by DisplaySync. Captures errors from desktop sign, dashboard, mobile app, and backend.

Shell Launcher A Windows IoT Enterprise feature that replaces Explorer entirely with the sign app — strictest available kiosk lockdown.

Short code The 6-character uppercase alphanumeric code derived from a kiosk's signId. Displayed below the QR for manual entry when scanning isn't possible.

shortCode The 6-character alphanumeric code in the field-name form used by the API and Redis pendingSign records. Pairs with signId in the pendingSign record. Surface name in the UI is "Short code" (with space) — see that entry above.

Sign A Sign record in the database — the dashboard-side representation of a kiosk. Has a name, location, status, assigned URL, and (when linked) device fields. Distinct from kiosk.

Sign-day Any calendar day during which a sign was linked to an event. The unit of metering for paid tiers. See Pricing tiers → Sign-day.

signId The kiosk's UUID v4, generated on first boot, used to identify it across reboots. Synonyms in code: deviceSignId.

sign:content_recovered Counterpart to sign:content_unreachable. Fires only AFTER an unreachable notification was actually delivered to subscribers. If the kiosk never blocked long enough to notify, the recovery is silent.

sign:content_unreachable Backend-emitted notification fired when a sign's content URL fails the 60-second reachability check. Bundled under the signOffline notification filter. The 60s defer + delivered-key tracking ensures spurious blips don't notify.

sign:link_ack WebSocket event emitted by LinkAckHandler after a link/claim attempt. Cross-link to the existing link_ack glossary entry above for the carried payload.

Sysprep Microsoft's tool for generalizing a Windows install before capturing it as a deployable image. See Capturing the image.

T

Tag (Tailscale) An identifier on a Tailscale device that drives ACL grants. DisplaySync uses tag:displaysync-sign for kiosks.

Tailnet Your private Tailscale network — the set of devices that can reach each other through Tailscale.

Tailscale The mesh VPN platform DisplaySync uses for remote access to kiosks. See Tailscale integration.

Tier The subscription level an org is on: Free, Starter, Professional, Agency, Enterprise, plus the special Pilot and Managed. See Pricing tiers.

Tier add-on A billing concept: extras layered on top of a base tier — additional signs beyond the tier cap, longer audit retention, etc. Implemented as line items on the Stripe subscription. Documented per-tier on Pricing tiers.

U

Unattended (Tailscale) The flag passed to tailscale up that lets the service run without an interactive logged-in user. Required for kiosks.

Unlinked A sign state — the Sign record exists in the dashboard but no physical device is bound to it. See Sign states.

Unregister The dashboard action that wipes a sign's device fields (signId, MAC, shortCode), leaving the dashboard record but releasing the kiosk to be claimed elsewhere.

Update channel The configured electron-updater channel for a kiosk — typically production or staging. Determines which latest.yml artifact the kiosk polls when the dashboard issues sign:update. Default for shipped fleet kiosks: production.

Uptime The percentage of time during an event when a sign was online. Computed per-sign and per-event.

V

Venue The physical location of an event. A free-form text field on the Event record.

V1_MODE / V2_MODE Backend feature-flag mode for legacy fleet routing. V1_MODE is the current production routing path; V2_MODE was carved out during Round 1.5 and is staged but not live for general fleet. The dashboard surfaces the active mode in the dev console; operators rarely see it.

W

Watchdog The Windows Scheduled Task that auto-relaunches the sign app if it crashes. Configured with 3 retries × 1 minute interval. See Crash recovery.

WIM Windows Imaging Format. The disk image format that Sysprep produces and DISM deploys. The DisplaySync deployment workflow captures a WIM after image cleanup and uses it for parallel kiosk rollout. See Capturing the image.

Webhook (v2) A signed POST to your endpoint when a subscribed event happens. Part of the v2 public API. See API overview.

WebSocket The persistent bidirectional connection between a kiosk (or dashboard) and the backend, used for real-time heartbeats and remote commands.

Enumerations

These are the closed value sets defined in code; UI elements that show them should use these labels exactly.

Event status

upcomingactivecompleted. Plus manual archived. Date-driven transitions: status flips to active when current date is between startDate and endDate; flips to completed the day after endDate. archived is operator-set and applies from any state.

Schedule status (v2)

active / pending / expired. Used by the v2 Schedule UI; the underlying data model exists in v1 but the UI ships in v2.

Invitation role

member / admin / owner. Same domain as the Org role glossary entry above.

Auth provider

local / google. local = email + password; google = OAuth via Google sign-in.

Notification channel

email / push / inApp. Operators configure these per notification type in Profile → Settings → Notifications.

Audit log action

CREATE / UPDATE / DELETE / LOGIN / LOGOUT / LOGIN_FAILED / PERMISSION_DENIED / EXPORT / IMPORT.

Audit log resource

user / organization / event / sign / content / schedule / playlist / analytics / audit_log / invitation.

Audit log status

success / failure.

Content type

image / video / webpage / playlist. (V1 typically uses webpage for the assigned URL.)

Content status

active / archived / processing / failed.

See also