SCRATCH CODE · NO. 001
The iterations behind the enforcement architecture
Reconstructed from the scratch work — on paper, then in code — with the failure that forced each iteration. Explained plainly.
>
Every accounting system can show you what it posted. Almost none can prove what it refused to post — or that its checks were running at all.
That gap is the architecture. Two non-provisional patent applications went to the USPTO in April 2026 on the mechanisms that close it; the earliest priority filing dates to April 2025. Filings read as if the invention arrived whole. It never does. What follows is the scaffolding — the iterations, abstracted from the production code, with the failure that forced each one.
The setting matters. More than 365,000 community associations govern the homes of some 75 million Americans — housing stock worth over $11 trillion. The people running that money are volunteers. The treasurer is a neighbor with a day job. Boards turn over, and the institutional memory leaves with them. Every financial control in that world is procedural: a policy in a binder, a second signature, a promise. The ledger records what happened. Nothing records what was prevented, or whether anyone was checking.
PART I
The ledger that records its refusals
guard chain runs BEFORE commit
refusal = same evidence as approval
no decision = bypass ← the invariant
scanner hunts orphans nightly
# iteration 0 — how every accounting system does it
def post_entry(entry):
if entry.debits != entry.credits:
raise ValidationError("unbalanced")
entry.save()
This is validation. It works until you ask it the question it cannot answer: prove the check ran. A validator that is broken, bypassed, or commented out looks exactly like a validator that always passes. The ledger it produces is indistinguishable from a ledger produced with no controls at all. Auditors know this — it is why they sample transactions and interview staff. They are reconstructing, from the outside, evidence the system never kept.
# iteration 1 — one door
class JournalEngine:
def post_transaction(self, transaction_type, lines, ...):
outcome = dispatcher.enforce_pre_persist(context)
if outcome.blocked:
raise PostingRefused(outcome.blocking_reason)
entry = self._persist(lines)
dispatcher.record_post_persist(context, entry.id)
return entry
One posting interface. No code path creates a ledger entry except this one, and nothing gets past the dispatcher. The weakness is obvious: “no other code path” is a convention, and conventions do not survive a new hire, a migration script, or a Friday deploy. Iteration 1 built the door. It could not prove the walls existed.
# iteration 2 — the decision becomes a record
class EnforcementDecision(ImmutableModel):
journal_entry = ForeignKey(JournalEntry, null=True) # null when BLOCKED —
# the refusal persists even
# though the entry never did
decision = Choice("ALLOW", "BLOCK", "OVERRIDE", "ERROR")
guard_results = JSON() # every guard: outcome, reason codes, elapsed ms
context = JSON() # the inputs, frozen at decision time
def save(self, *args, **kwargs):
if self._already_exists():
raise Immutable("decisions are written once")
Now every decision — including every refusal — is a permanent record. A blocked transaction leaves the same quality of evidence as an approved one. The record cannot be edited afterward, by anyone, including us. But a record that is merely written can be quietly not-written. Iteration 2 still had the auditor’s problem: how do you detect the log line that never happened?
# iteration 3 — make silence detectable
# every posted entry must have exactly one confirming decision (db constraint),
# and a daily scan hunts for entries that have none:
def integrity_scan(hoa):
orphans = JournalEntry.objects.exclude(
enforcement_decisions__event_type="POST_PERSIST"
)
for entry in orphans:
raise_finding(severity="CRITICAL", entry=entry) # this pages someone
This is the inversion the whole design turns on. In most systems a missing log line is noise — invisible by definition. Here the schema makes absence visible: an entry with no decision is not an anomaly to shrug at, it is the precise signature of a bypass or a bug, and a scanner hunts for it every night. The doctrine is one sentence, and it sits in the docstrings of the production code: no decision logged = precise signal of bypass or bug. Silence is an alarm.
# iteration 4 — guards are pure; overrides convert, never skip
for guard_id in guards_for(flow, transaction_type): # deterministic chain per flow
result = guard.evaluate(context) # pure: same inputs, same verdict
if result.outcome == "FAIL":
override = guard.check_override(context)
if override and override.is_valid():
result.outcome = "PASS"
result.override_id = override.id # the conversion is recorded
decision = "OVERRIDE" # never silently ALLOW
continue
return BLOCK(guard_id, result) # fast-fail
Fourteen guards run in production — balance, closed periods, fund segregation, trust segregation, subledger integrity, covenant evaluation, and the rest — each a pure function with no side effects. The registry that holds them is a static manifest checked by CI: guards cannot be renamed or removed silently, and a comment in the file states the design position outright — no rules engine by accident. No DSL, no dynamic loading.
The part that matters most is the override path. An override never skips the guard. The guard runs, fails, and the failure is preserved in the record. What the override changes is the outcome — and the conversion itself is evidence: which authority, which scope, which expiry, a use count — linked permanently to the decision it permitted. Emergency powers exist. They cannot be quiet.
# iteration 5 — the decision remembers the rules it was decided under
snapshot = canonical_json(rules_in_force(hoa, today)) # guards, flows, policies
decision.policy_snapshot_hash = sha256(snapshot) # snapshot stored once,
# keyed by its own hash
Rules change. Boards revise policies, thresholds move, guards get added. Without this, a decision from last March is evidence about rules nobody can reproduce. With it, every decision carries a fingerprint of the rule set in force the moment it ran, and the fingerprinted snapshot is stored under its own hash. Any decision, from any day, can be replayed against exactly the policy that judged it. The ledger of transactions gained a ledger of judgments. The ledger of judgments gained a ledger of laws.
EXAMINATION
What an examiner asks
Patent examination compresses to two questions, and they are the same questions a senior engineer asks: what is actually new here, and wouldn’t the obvious design do?
“Isn’t this a rules engine?”
A rules engine returns verdicts. Ask it in June what it decided in March — under which rule versions, on which inputs — and it has nothing to say. Here the decision is not a return value. It is an immutable record bound one-to-one to the artifact it authorized, carrying the inputs it saw and the hash of the rules that judged it.
“Isn’t this an audit log?”
An audit log is written by the code it monitors, after the fact, on a best-effort basis. Nothing notices a missing line. Here the record precedes the transaction, the transaction cannot exist through any other door, and a nightly scan treats a missing record as a critical finding. An audit log describes behavior. This constrains it.
“Wouldn’t any competent engineer combine the two?”
The obvious combination writes the decision inside the same database transaction as the entry — atomic, tidy, and wrong. Couple them, and a telemetry failure rolls back a valid financial transaction: the monitoring layer can now destroy the thing it monitors. The design that survived decouples them on purpose — a decision before the commit, a confirmation after, an explicit error record if the commit fails between them — and closes the resulting gap with detection instead of coupling. Accept a window; make the window observable. That trade was not on the shelf.
PART II
Law as data
The second filing applies the same discipline to a different substrate: not the association’s rules, but the state’s.
text → frozen snapshot → sha256
drift = hash compare, not research
amendment → flag every dependent
fee caps live in corpus, not code
# iteration 0 — how legal content is published everywhere
html = "Under RCW 64.90.640, the association must deliver ..."
The citation is string art. When the legislature amends the section, this sentence does not know. Multiply by every article, every disclosure form, every fee cap hardcoded into every document generator, across fifty states that amend their statutes every session.
# iteration 1 — the citation becomes a row
class Statute(Model):
citation = CharField(unique=True) # "RCW 64.90.640"
official_url = URLField() # where the text of record lives
status = Choice("ACTIVE", "AMENDED", "REPEALED")
Statutes, case law, session laws, and regulations become first-class records with protected foreign keys — an authority cannot be deleted out from under the content that depends on it. Better. Still blind: the row knows the statute exists. It does not know when the text moves.
# iteration 2 — the text becomes evidence
class SourceSnapshot(ImmutableModel):
statute = ForeignKey(Statute, on_delete=PROTECT)
snapshot_date = DateField()
full_text = TextField() # frozen as of this date
content_hash = CharField() # sha256 of normalized text
# drift detection is now one comparison:
drifted = hash(fetch(statute.official_url)) != latest_snapshot.content_hash
Frozen text, hashed, immutable — to update a snapshot, you take a new one. Detecting legislative drift stops being a research task and becomes a hash comparison.
# iteration 3 — change propagates to everything built on the old text
class LawChangeEvent(Model):
previous_snapshot = ForeignKey(SourceSnapshot)
new_snapshot = ForeignKey(SourceSnapshot)
def flag_affected_citations(self):
return Citation.objects.filter(
statute=self.statute, needs_reverification=False
).update(needs_reverification=True)
Every published claim that cites an authority is pinned to the snapshot it was verified against. One amendment in Olympia or Tallahassee flips a re-verification flag on every dependent artifact in a single sweep — articles, disclosure profiles, statutory thresholds. Nothing waits to be noticed. When a human resolves the flag, the fix becomes a dated, public revision record on the article itself. Citators tell a lawyer that the law changed. Nothing tells your published claims. This does.
# iteration 4 — numbers live in the corpus, not the code
fee_cap = thresholds.get("TX_RC_FEE_CAP_CONDO")
# $375 — Tex. Prop. Code §82.157(f), as amended by SB 711 (2025),
# pinned to the statute snapshot it was verified against
The resale-certificate generator does not know the Texas fee cap. It knows where the cap lives. When the next legislature changes the number, a corpus row changes, every dependent artifact gets flagged, and the code does not ship a release. Ten compliance profiles across seven states run on this today. Underneath them: 548 statutes and 346 machine-verified statutory thresholds.
PART III
The form that refuses to guess
The third mechanism was published as a technical disclosure in April 2026. It answers the humblest question in the stack: how does a volunteer treasurer create a correct journal entry at 9 p.m. on a Tuesday?
sides = roles, not account numbers
can’t resolve a role? disable + say why
never guess the fund. never.
provenance survives the posting
# iteration 0 — the form every volunteer treasurer fears
# Debit: [ pick from the full chart of accounts ]
# Credit: [ pick from the full chart of accounts ]
The form assumes an accountant. Most treasurers are neighbors with day jobs. Every mis-picked cash account is a fund-segregation violation waiting for the guard chain to catch — the gate holds, but the person bounces off it.
# iteration 1 — patterns instead of accounts
PATTERNS = {
"bank_fee": {"debit": "EXP_BANK", "credit": "CASH_OPER"},
"interest_income": {"debit": "CASH_OPER", "credit": "INC_INT"},
"transfer_to_reserve": {"debit": "CASH_RESV", "credit": "CASH_OPER"},
...
}
The user picks what happened. The sides are role tokens, not account numbers, resolved per association against its own chart of accounts. No user ever selects a cash account — which retires an entire class of error, and an entire class of mischief.
# iteration 2 — refuse rather than guess
account = resolve(role=FUND_TO_CASH_ROLE[fund], hoa=hoa)
if account is None:
disable_pattern(reason=MissingRole(role)) # named reason, fix-it link —
# never a silent fallback to a
# cash account in the wrong fund
entry.origination_pattern = pattern_key # provenance survives the posting
Two decisions define the mechanism. First: when a role cannot be resolved for an association, the pattern is disabled and says exactly why. There is no fallback to an account that might belong to the wrong fund. The system would rather refuse than guess. Second: only patterns whose typed invariants can be fully satisfied from a form are allowed to post as typed transactions. The rest deliberately post as plain entries, with the pattern preserved as provenance — because fabricating a subledger reference to satisfy a validator is the exact shape of fraud the guards exist to catch.
And every entry the guided form produces walks through the same gate as everything else. Guided origination, mandatory enforcement. The three mechanisms meet at the choke point.
CLOSE
What this is for
None of this is specific to homeowner associations. The shape repeats anywhere you find segregated funds, fiduciary duty, statutory constraints, thin staffing, and outside parties who need proof instead of testimony: law-firm trust accounts, property-management escrow, special districts, unions, school activity funds, retirement-plan administration. CommunityPay’s position in its own market is deliberately narrow — serve the lenders, insurers, CPAs, and title companies who rely on the records; compete with none of them. The filings are what let the mechanism travel further than the company will: licensed into verticals we will never enter, relied on by institutions we will never compete with.
The scratch code is the argument. Each iteration exists because the previous one could not answer a question an auditor, an examiner, or a treasurer was going to ask. The system that resulted does not ask to be trusted. It keeps the receipts —