CommunityPay uses a controlled vocabulary for its institutional artifacts and enforcement mechanisms. This reference defines each term precisely, maps it to the production code artifact that implements it, and identifies the lineage classification that governs its mutability.
This page is intended for CPAs, underwriters, escrow officers, and integration partners who need to understand exactly what CommunityPay means when it uses these terms in evidence packs, exports, and attestations.
Lineage Classifications
Every data artifact in CommunityPay has a lineage classification that determines its mutability rules:
| Classification | Mutability | Purpose |
|---|---|---|
| SNAPSHOT | Immutable after activation; versioned | Definitions, rules, trigger conditions |
| ROOT_EVENT | Status updates allowed; history tracked | Active records with lifecycle (exclusions, packets) |
| LINK_EVENT | Append-only; no updates or deletes | Events, notifications, status transitions |
| ARTIFACT | Fully immutable; no updates or deletes | Evaluation results, decisions, trigger hits |
These classifications are enforced at the application layer. ARTIFACT records use ImmutableModelMixin, which raises a ValueError on any attempt to update or delete.
Enforcement Constructs
EnforcementDecision
An immutable record of a financial authorization decision. Every production financial flow — journal entries, fund transfers, bill payments, invoice creation, payment receipts, and year-end closures — produces an EnforcementDecision before execution.
| Field | Description |
|---|---|
| event_type | PRE_PERSIST, POST_PERSIST, or PERSIST_ERROR |
| decision | ALLOW, BLOCK, OVERRIDE, or ERROR |
| flow_name | Canonical flow (journal_entry, fund_transfer, bill_payment, invoice_creation, payment_receipt, year_end_close) |
| guard_results | JSON: per-guard outcomes with timing |
| correlation_id | UUID for request tracing across events |
| decision_seq | Ordering within a correlation (0 = PRE, 1 = POST, 2 = ERROR) |
Lineage: ARTIFACT (immutable via ImmutableModelMixin)
Production status: Enforced since January 24, 2025. 100% of journal entries evaluated since cutover.
EnforcementDispatcher
The mandatory choke point for all enforcement decisions. A service — not a model. Every protected flow calls dispatcher.enforce_pre_persist() and receives an EnforcementOutcome.
Design law: "No decision logged = precise signal of bypass or bug."
Guard
A stateless enforcement primitive that checks one specific invariant. Guards are: - Stateless: Same inputs produce same outputs - Independent: No guard depends on another guard's result - Composable: Guards combine into chains via Flow configuration
Eight production guards are registered in the Guard Manifest:
| ID | Name | Category | Invariant |
|---|---|---|---|
| GUARD_001 | BalanceGuard | INVARIANT | Debits equal credits |
| GUARD_002 | ClosedPeriodGuard | TEMPORAL | No posting to closed periods |
| GUARD_003 | FundSegregationGuard | POLICY | Operating/Reserve fund boundaries |
| GUARD_004 | SubledgerGuard | INVARIANT | Control account / subledger reconciliation |
| GUARD_005 | InvariantGuard | INVARIANT | Accounting equation (A = L + E) |
| GUARD_006 | FundEligibilityGuard | ELIGIBILITY | L5 eligibility evaluation |
| GUARD_007 | BillPaymentGuard | POLICY | Vendor payment validation and limits |
| GUARD_008 | ReversalGuard | INVARIANT | Reversal entries match originals |
Guard Manifest
A CI-enforced registry of all guards. Guard IDs are stable — changing or removing a guard ID would break the audit trail. The manifest includes a get_manifest_hash() function that produces a SHA-256 fingerprint of the entire guard configuration.
Flow
A named mapping from transaction type to guard sequence. Flows determine which guards run for each transaction type.
Six canonical flows exist:
| Flow | Guards | Approval Required |
|---|---|---|
| journal_entry | 001, 002, 003, 004, 005 | No |
| fund_transfer | 001, 002, 003, 006 | Yes (all amounts) |
| bill_payment | 001, 002, 003, 006, 007 | Yes (threshold) |
| invoice_creation | 001, 002, 004 | No |
| payment_receipt | 001, 002, 004 | No |
| year_end_close | 001, 002, 005 | Yes |
AuditOverride
A controlled bypass of a guard decision. Overrides are never automatic. They require explicit user action, a documented reason, and an expiration date.
| Field | Description |
|---|---|
| scope | SINGLE, BATCH, TEMPORAL, CATEGORICAL |
| authorization_type | BOARD_APPROVAL, ADMIN_EMERGENCY, SYSTEM_MIGRATION, AUDIT_CORRECTION |
| max_uses | Usage limit (null = unlimited within window) |
| current_uses | Counter incremented on each use |
| status | ACTIVE, EXPIRED, EXHAUSTED, REVOKED |
Lineage: ROOT_EVENT (status updates tracked)
EnforcementOutcome
The return type from enforcement evaluation. Contains the decision, all guard results, timing, blocking guard identification, and context fields for POST_PERSIST recording. This is a runtime dataclass — not persisted directly. The EnforcementDecision model is the persisted form.
Institutional Packet Types
InstitutionalPacket
The canonical record for every institutional output. All packet types share this model with type-specific evidence snapshots.
| Field | Description |
|---|---|
| packet_type | HDEP, GCA, FADR, RC, RSR, OLR, OIR, OTR, OBR |
| reference_number | Human-readable: {TYPE}-{HOA}-{SCOPE}-{DATE}-v{VER} |
| public_id | UUID for external API references |
| evidence_snapshot | Frozen JSON of all financial and governance data |
| content_hash | SHA-256 of canonical JSON evidence snapshot |
| previous_packet_hash | Links to predecessor for chain continuity |
| version | Increments with each regeneration for same HOA/type/scope |
| status | draft, generated, delivered, superseded, void |
Lineage: ROOT_EVENT (lifecycle status mutable; evidence fields immutable)
HDEP (HOA Disclosure & Evidence Packet)
A comprehensive disclosure package for resale transactions. Contains financial summaries, reserve study status, governance attestation, vendor compliance, and assessment schedules for a specific unit.
Scope: Per unit (e.g., A204 for unit A204)
GCA (Governance Controls Attestation)
A board-facing report on internal control effectiveness. Measures control pass rates, override patterns, exclusion activity, and vendor compliance across a reporting period.
Scope: Per HOA/period (e.g., 2025-Q1)
Assessment levels: STRONG (>95% pass rate), ADEQUATE (>85%), NEEDS_IMPROVEMENT (>70%), DEFICIENT (<70%)
FADR (Funds Authorization & Disbursement Record)
A complete payment evidence chain for escrow and audit. Documents every step from bill creation through payment execution, including the full approval chain, policy snapshots, journal entry lines, and vendor compliance status at payment time.
Scope: Per HOA/period (e.g., 2025-01)
Verification status: VERIFIED, NEEDS_REVIEW, FLAGGED
RC (Resale Certificate)
A statute-mapped resale disclosure for unit sales. Generated from compliance profiles that define jurisdiction-specific requirements (e.g., WA RCW 64.34.425 for Washington condominiums).
Scope: Per unit
RSR (Reserve Study Report)
A reserve funding analysis with component inventory, remaining useful life calculations, funding scenarios, and 30-year cash flow projections.
Scope: Per HOA/period
Risk Intelligence Constructs
ExclusionTrigger
A versioned definition of conditions that create exclusions (bind blocks). Triggers define what signals to evaluate, what thresholds to apply, and what effect fires when conditions are met.
| Field | Description |
|---|---|
| trigger_id | Stable UUID across versions |
| code | Machine-readable identifier (e.g., HIGH_DISPUTE_RATE) |
| trigger_type | THRESHOLD, PATTERN, EVENT, COMPOUND |
| effect_type | BLOCK (block binding), REVIEW (require manual review), WARN (warning only) |
| severity | LOW, MEDIUM, HIGH, CRITICAL |
| conditions | JSON expression format with signal references |
| conditions_hash | SHA-256 of conditions JSON for immutability verification |
Lineage: SNAPSHOT (conditions immutable once ACTIVE; versioned)
Exclusion
An active hold on an entity. Created when an ExclusionTrigger fires. Exclusions are never deleted — they are resolved, expired, or overridden.
| Status | Meaning |
|---|---|
| ACTIVE | Currently enforced |
| RESOLVED | Manually resolved with documented reason |
| EXPIRED | Duration elapsed |
| OVERRIDDEN | Bypassed with AuditOverride |
Lineage: ROOT_EVENT (status transitions tracked via ExclusionStatusHistory)
ExclusionTriggerHit
An immutable record that a trigger's conditions were met for a specific entity at a specific time. Contains the evaluated signals, computed values, and the trigger version that was active.
Lineage: ARTIFACT (fully immutable)
EligibilityRule
A declarative rule that defines eligibility criteria. Rules are versioned and immutable once published.
| Field | Description |
|---|---|
| code | Stable identifier (e.g., TENURE_6M) |
| expression | Evaluable expression referencing signal values |
| effect_type | REQUIRE, DENY, PREFER, REFER |
| category | TENURE, FINANCIAL, GOVERNANCE, COMPLIANCE, VOLUME |
| status | DRAFT, ACTIVE, DEPRECATED, ARCHIVED |
Lineage: SNAPSHOT (expression immutable once ACTIVE)
EligibilityEvaluation
An immutable record of a complete eligibility evaluation. Captures all rule versions active at evaluation time, all signal values, and the per-rule pass/fail results.
Lineage: ARTIFACT (fully immutable via ImmutableModelMixin)
Signal Provider
A pluggable component that gathers real-time data for eligibility and exclusion evaluation. Signal providers operate in namespaces (e.g., FINANCIAL, GOVERNANCE, COMPLIANCE) and return typed key-value pairs.
Vendor Intelligence Constructs
VECR (Vendor Eligibility & Compliance Record)
An institutional-grade vendor attestation. Contains credential status (COI, license, bond, W9), compliance history, performance metrics, and an eligibility determination.
Eligibility statuses: ELIGIBLE, CONDITIONAL, INELIGIBLE, REVIEW_REQUIRED
Content hash: SHA-256 of all sections for tamper detection.
BuildRated Score
A composite vendor quality score (0-100) computed from 18 signal categories across licensing, insurance, bonding, violations, payment history, and HOA relationship quality.
Compliance Alert
An automated notification generated when a vendor's credentials approach or reach expiration. Alert types include COI_EXPIRING, LICENSE_EXPIRED, BOND_LAPSED, and DEBARMENT_DETECTED.
CARI Constructs (Community Association Risk Index)
CARI
Community Association Risk Index. A deterministic, consent-gated index that summarizes attested governance, financial, and operational risk signals for community associations, derived directly from an authoritative system of record. CARI is not a credit score and does not make eligibility or lending decisions. See What Is a Community Association Risk Index? for an introduction and CARI Methodology and Scoring Framework for the full technical specification.
CARI Score
A composite numeric value (0-100, higher = healthier) computed from five weighted components: Financial Health (30%), Governance (25%), Vendor Risk (15%), Enforcement Integrity (15%), and Payment Behavior (15%). Scores are immutable after computation and include a SHA-256 calculation hash for deterministic verification.
Lineage: ARTIFACT (immutable via save override; append-only time series)
CARI Grade
A letter grade (A+ through F) derived from the CARI Score using published threshold mappings. Grade thresholds are defined in the active ScoreMethodology version.
| Grade Range | Score Threshold |
|---|---|
| A+ | 97+ |
| A | 93-96 |
| A- | 90-92 |
| B+ | 87-89 |
| B | 83-86 |
| B- | 80-82 |
| C+ | 77-79 |
| C | 73-76 |
| C- | 70-72 |
| D | 60-69 |
| F | Below 60 |
CARI Confidence
An assessment of data completeness behind a CARI Score. Three tiers:
| Level | Data Completeness | Meaning |
|---|---|---|
| HIGH | 80%+ of signals available | Score is well-supported by evidence |
| MEDIUM | 50-79% of signals available | Score is directionally reliable |
| LOW | Below 50% of signals available | Score should be interpreted with caution |
ScoreMethodology
A versioned, immutable record of scoring weights, grade thresholds, and confidence tiers. Only one methodology version is ACTIVE at any time. Historical scores always reference the methodology version used at computation time.
Lineage: SNAPSHOT (immutable once ACTIVE)
OracleConsent
An HOA's explicit authorization for third-party access to its CARI data. Score queries are rejected without active consent. Consent can be scoped to all subscribers, a specific subscriber, or a subscriber type.
| Consent Type | Scope |
|---|---|
| ALL_SUBSCRIBERS | Any authorized subscriber may access |
| SPECIFIC_SUBSCRIBER | Named subscriber only |
| SUBSCRIBER_TYPE | All subscribers of a given type (e.g., all lenders) |
Lineage: ROOT_EVENT (revocable; status transitions tracked)
OracleSubscriber
A third-party organization authorized to consume CARI data via API. Subscribers are classified by type (Lender, Insurer, Title Company, Escrow, Real Estate, Other) and tier (Basic, Professional, Enterprise) which governs rate limits and feature access.
APIKey
A hashed API credential for machine-to-machine authentication. The raw key is shown once at creation and stored as a SHA-256 hash. Keys have scoped permissions (score:read, report:generate, monitor:subscribe, webhook:manage) and optional expiration.
Lineage: ROOT_EVENT (revocable; last_used_at updated on use)
CARI Monitor
A subscriber's request to receive real-time notifications when an HOA's CARI Score changes. Monitors can filter by event type (score.changed, score.grade_changed, score.threshold_breached) and custom thresholds (floor/ceiling alerts).
CARI Report Types
| Type | Code | Audience | Scope |
|---|---|---|---|
| CARI Lender Report | OLR | Mortgage underwriters | HOA |
| CARI Insurer Report | OIR | D&O insurance pricing | HOA |
| CARI Title Report | OTR | Escrow/title companies | HOA + Unit |
| CARI Buyer Report | OBR | Homebuyers | HOA + Unit |
All CARI reports are generated as InstitutionalPackets with SHA-256 content hashes, version chains, and full audit trails via BaseAttestationService.
Governance Constructs
GovernanceAttestation
A formal attestation of governance effectiveness for a specific period. Generated from weekly GovernanceDigest aggregations and exception register data.
Exception Register
An automatically generated register of governance exceptions. Populated from exclusion events, escalation events, and SLA breaches. Auditors typically build these manually; CommunityPay generates them from source data.
Control Plane Health Snapshot
Technical metrics about enforcement dispatcher operation: guard execution statistics, decision distribution, average evaluation time, and guard-specific performance data.
Export Constructs
Institutional Export
A machine-parseable JSON export designed for consumption by external validators.
| Export Type | Consumer | Schema |
|---|---|---|
| AUDIT_READINESS | CPAs, external auditors | audit_readiness_v1 |
| CONTROLS_SNAPSHOT | Insurance underwriters | controls_snapshot_v1 |
| ESCROW_DISCLOSURE | Escrow officers, title companies | escrow_disclosure_v1 |
All exports include ExportMetadata with a SHA-256 content hash.
Cryptographic Constructs
Content Hash
SHA-256 hex digest computed from canonical JSON serialization of an evidence snapshot. Canonical JSON uses sorted keys, minimal separators ((",",":")) and UTF-8 encoding to ensure identical data always produces identical hashes.
Previous Packet Hash
The content hash of the preceding version of the same packet type/scope, stored on successor packets to create a tamper-evident chain.
Conditions Hash
SHA-256 hex digest of an ExclusionTrigger's conditions JSON, computed at save time. Used to enforce immutability of ACTIVE trigger conditions — if the hash changes, the save is rejected.
Manifest Hash
SHA-256 fingerprint of the entire Guard Manifest configuration. Changes to the manifest (adding, removing, or modifying guard definitions) produce a different hash, enabling CI verification that the manifest hasn't been silently altered.
How CommunityPay Enforces This
- Every term maps to a production code artifact with a stable identifier
- Artifact types follow SNAPSHOT / ROOT_EVENT / LINK_EVENT / ARTIFACT lineage classifications
- All definitions are grounded in production schema — not aspirational
- Versioned schemas ensure backward compatibility for external integrators