COMMUNITYPAY / ENGINEERING
ALL POSTS

SCRATCH CODE · NO. 001

The iterations behind the enforcement architecture

Reconstructed from the scratch work — on paper, then in code — with the failure that forced each iteration. Explained plainly.

>

Every accounting system can show you what it posted. Almost none can prove what it refused to post — or that its checks were running at all.

That gap is the architecture. Two non-provisional patent applications went to the USPTO in April 2026 on the mechanisms that close it; the earliest priority filing dates to April 2025. Filings read as if the invention arrived whole. It never does. What follows is the scaffolding — the iterations, abstracted from the production code, with the failure that forced each one.

The setting matters. More than 365,000 community associations govern the homes of some 75 million Americans — housing stock worth over $11 trillion. The people running that money are volunteers. The treasurer is a neighbor with a day job. Boards turn over, and the institutional memory leaves with them. Every financial control in that world is procedural: a policy in a binder, a second signature, a promise. The ledger records what happened. Nothing records what was prevented, or whether anyone was checking.

PART I

The ledger that records its refusals

every posting ONE DOOR
guard chain runs BEFORE commit
refusal = same evidence as approval
no decision = bypass  ← the invariant
scanner hunts orphans nightly
FIG. 1 — PART I SKETCH: THE CHOKE POINT.
ITERATION 0THE INDUSTRY DEFAULT
# iteration 0 — how every accounting system does it
def post_entry(entry):
    if entry.debits != entry.credits:
        raise ValidationError("unbalanced")
    entry.save()

This is validation. It works until you ask it the question it cannot answer: prove the check ran. A validator that is broken, bypassed, or commented out looks exactly like a validator that always passes. The ledger it produces is indistinguishable from a ledger produced with no controls at all. Auditors know this — it is why they sample transactions and interview staff. They are reconstructing, from the outside, evidence the system never kept.

ITERATION 1ONE DOOR
# iteration 1 — one door
class JournalEngine:
    def post_transaction(self, transaction_type, lines, ...):
        outcome = dispatcher.enforce_pre_persist(context)
        if outcome.blocked:
            raise PostingRefused(outcome.blocking_reason)
        entry = self._persist(lines)
        dispatcher.record_post_persist(context, entry.id)
        return entry

One posting interface. No code path creates a ledger entry except this one, and nothing gets past the dispatcher. The weakness is obvious: “no other code path” is a convention, and conventions do not survive a new hire, a migration script, or a Friday deploy. Iteration 1 built the door. It could not prove the walls existed.

ITERATION 2THE DECISION BECOMES A RECORD
# iteration 2 — the decision becomes a record
class EnforcementDecision(ImmutableModel):
    journal_entry = ForeignKey(JournalEntry, null=True)  # null when BLOCKED —
                                                         # the refusal persists even
                                                         # though the entry never did
    decision      = Choice("ALLOW", "BLOCK", "OVERRIDE", "ERROR")
    guard_results = JSON()   # every guard: outcome, reason codes, elapsed ms
    context       = JSON()   # the inputs, frozen at decision time

    def save(self, *args, **kwargs):
        if self._already_exists():
            raise Immutable("decisions are written once")

Now every decision — including every refusal — is a permanent record. A blocked transaction leaves the same quality of evidence as an approved one. The record cannot be edited afterward, by anyone, including us. But a record that is merely written can be quietly not-written. Iteration 2 still had the auditor’s problem: how do you detect the log line that never happened?

ITERATION 3MAKE SILENCE DETECTABLE
# iteration 3 — make silence detectable
# every posted entry must have exactly one confirming decision (db constraint),
# and a daily scan hunts for entries that have none:

def integrity_scan(hoa):
    orphans = JournalEntry.objects.exclude(
        enforcement_decisions__event_type="POST_PERSIST"
    )
    for entry in orphans:
        raise_finding(severity="CRITICAL", entry=entry)   # this pages someone

This is the inversion the whole design turns on. In most systems a missing log line is noise — invisible by definition. Here the schema makes absence visible: an entry with no decision is not an anomaly to shrug at, it is the precise signature of a bypass or a bug, and a scanner hunts for it every night. The doctrine is one sentence, and it sits in the docstrings of the production code: no decision logged = precise signal of bypass or bug. Silence is an alarm.

ITERATION 4OVERRIDES CONVERT, NEVER SKIP
# iteration 4 — guards are pure; overrides convert, never skip
for guard_id in guards_for(flow, transaction_type):   # deterministic chain per flow
    result = guard.evaluate(context)                  # pure: same inputs, same verdict
    if result.outcome == "FAIL":
        override = guard.check_override(context)
        if override and override.is_valid():
            result.outcome = "PASS"
            result.override_id = override.id          # the conversion is recorded
            decision = "OVERRIDE"                     # never silently ALLOW
            continue
        return BLOCK(guard_id, result)                # fast-fail

Fourteen guards run in production — balance, closed periods, fund segregation, trust segregation, subledger integrity, covenant evaluation, and the rest — each a pure function with no side effects. The registry that holds them is a static manifest checked by CI: guards cannot be renamed or removed silently, and a comment in the file states the design position outright — no rules engine by accident. No DSL, no dynamic loading.

The part that matters most is the override path. An override never skips the guard. The guard runs, fails, and the failure is preserved in the record. What the override changes is the outcome — and the conversion itself is evidence: which authority, which scope, which expiry, a use count — linked permanently to the decision it permitted. Emergency powers exist. They cannot be quiet.

ITERATION 5THE DECISION REMEMBERS ITS RULES
# iteration 5 — the decision remembers the rules it was decided under
snapshot = canonical_json(rules_in_force(hoa, today))   # guards, flows, policies
decision.policy_snapshot_hash = sha256(snapshot)        # snapshot stored once,
                                                        # keyed by its own hash

Rules change. Boards revise policies, thresholds move, guards get added. Without this, a decision from last March is evidence about rules nobody can reproduce. With it, every decision carries a fingerprint of the rule set in force the moment it ran, and the fingerprinted snapshot is stored under its own hash. Any decision, from any day, can be replayed against exactly the policy that judged it. The ledger of transactions gained a ledger of judgments. The ledger of judgments gained a ledger of laws.

EXAMINATION

What an examiner asks

Patent examination compresses to two questions, and they are the same questions a senior engineer asks: what is actually new here, and wouldn’t the obvious design do?

“Isn’t this a rules engine?”

A rules engine returns verdicts. Ask it in June what it decided in March — under which rule versions, on which inputs — and it has nothing to say. Here the decision is not a return value. It is an immutable record bound one-to-one to the artifact it authorized, carrying the inputs it saw and the hash of the rules that judged it.

“Isn’t this an audit log?”

An audit log is written by the code it monitors, after the fact, on a best-effort basis. Nothing notices a missing line. Here the record precedes the transaction, the transaction cannot exist through any other door, and a nightly scan treats a missing record as a critical finding. An audit log describes behavior. This constrains it.

“Wouldn’t any competent engineer combine the two?”

The obvious combination writes the decision inside the same database transaction as the entry — atomic, tidy, and wrong. Couple them, and a telemetry failure rolls back a valid financial transaction: the monitoring layer can now destroy the thing it monitors. The design that survived decouples them on purpose — a decision before the commit, a confirmation after, an explicit error record if the commit fails between them — and closes the resulting gap with detection instead of coupling. Accept a window; make the window observable. That trade was not on the shelf.

PART II

Law as data

The second filing applies the same discipline to a different substrate: not the association’s rules, but the state’s.

statute = a ROW, not a string
text frozen snapshot sha256
drift = hash compare, not research
amendment flag every dependent
fee caps live in corpus, not code
FIG. 2 — PART II SKETCH: DRIFT PROPAGATION.
ITERATION 0STRING ART
# iteration 0 — how legal content is published everywhere
html = "Under RCW 64.90.640, the association must deliver ..."

The citation is string art. When the legislature amends the section, this sentence does not know. Multiply by every article, every disclosure form, every fee cap hardcoded into every document generator, across fifty states that amend their statutes every session.

ITERATION 1THE CITATION BECOMES A ROW
# iteration 1 — the citation becomes a row
class Statute(Model):
    citation     = CharField(unique=True)    # "RCW 64.90.640"
    official_url = URLField()                # where the text of record lives
    status       = Choice("ACTIVE", "AMENDED", "REPEALED")

Statutes, case law, session laws, and regulations become first-class records with protected foreign keys — an authority cannot be deleted out from under the content that depends on it. Better. Still blind: the row knows the statute exists. It does not know when the text moves.

ITERATION 2THE TEXT BECOMES EVIDENCE
# iteration 2 — the text becomes evidence
class SourceSnapshot(ImmutableModel):
    statute       = ForeignKey(Statute, on_delete=PROTECT)
    snapshot_date = DateField()
    full_text     = TextField()          # frozen as of this date
    content_hash  = CharField()          # sha256 of normalized text

# drift detection is now one comparison:
drifted = hash(fetch(statute.official_url)) != latest_snapshot.content_hash

Frozen text, hashed, immutable — to update a snapshot, you take a new one. Detecting legislative drift stops being a research task and becomes a hash comparison.

ITERATION 3CHANGE PROPAGATES
# iteration 3 — change propagates to everything built on the old text
class LawChangeEvent(Model):
    previous_snapshot = ForeignKey(SourceSnapshot)
    new_snapshot      = ForeignKey(SourceSnapshot)

    def flag_affected_citations(self):
        return Citation.objects.filter(
            statute=self.statute, needs_reverification=False
        ).update(needs_reverification=True)

Every published claim that cites an authority is pinned to the snapshot it was verified against. One amendment in Olympia or Tallahassee flips a re-verification flag on every dependent artifact in a single sweep — articles, disclosure profiles, statutory thresholds. Nothing waits to be noticed. When a human resolves the flag, the fix becomes a dated, public revision record on the article itself. Citators tell a lawyer that the law changed. Nothing tells your published claims. This does.

ITERATION 4NUMBERS LIVE IN THE CORPUS
# iteration 4 — numbers live in the corpus, not the code
fee_cap = thresholds.get("TX_RC_FEE_CAP_CONDO")
# $375 — Tex. Prop. Code §82.157(f), as amended by SB 711 (2025),
# pinned to the statute snapshot it was verified against

The resale-certificate generator does not know the Texas fee cap. It knows where the cap lives. When the next legislature changes the number, a corpus row changes, every dependent artifact gets flagged, and the code does not ship a release. Ten compliance profiles across seven states run on this today. Underneath them: 548 statutes and 346 machine-verified statutory thresholds.

PART III

The form that refuses to guess

The third mechanism was published as a technical disclosure in April 2026. It answers the humblest question in the stack: how does a volunteer treasurer create a correct journal entry at 9 p.m. on a Tuesday?

user picks WHAT HAPPENED
sides = roles, not account numbers
can’t resolve a role? disable + say why
never guess the fund. never.
provenance survives the posting
FIG. 3 — PART III SKETCH: GUIDED ORIGINATION.
ITERATION 0THE FORM EVERY TREASURER FEARS
# iteration 0 — the form every volunteer treasurer fears
# Debit:  [ pick from the full chart of accounts ]
# Credit: [ pick from the full chart of accounts ]

The form assumes an accountant. Most treasurers are neighbors with day jobs. Every mis-picked cash account is a fund-segregation violation waiting for the guard chain to catch — the gate holds, but the person bounces off it.

ITERATION 1PATTERNS INSTEAD OF ACCOUNTS
# iteration 1 — patterns instead of accounts
PATTERNS = {
    "bank_fee":            {"debit": "EXP_BANK",  "credit": "CASH_OPER"},
    "interest_income":     {"debit": "CASH_OPER", "credit": "INC_INT"},
    "transfer_to_reserve": {"debit": "CASH_RESV", "credit": "CASH_OPER"},
    ...
}

The user picks what happened. The sides are role tokens, not account numbers, resolved per association against its own chart of accounts. No user ever selects a cash account — which retires an entire class of error, and an entire class of mischief.

ITERATION 2REFUSE RATHER THAN GUESS
# iteration 2 — refuse rather than guess
account = resolve(role=FUND_TO_CASH_ROLE[fund], hoa=hoa)
if account is None:
    disable_pattern(reason=MissingRole(role))   # named reason, fix-it link —
                                                # never a silent fallback to a
                                                # cash account in the wrong fund

entry.origination_pattern = pattern_key         # provenance survives the posting

Two decisions define the mechanism. First: when a role cannot be resolved for an association, the pattern is disabled and says exactly why. There is no fallback to an account that might belong to the wrong fund. The system would rather refuse than guess. Second: only patterns whose typed invariants can be fully satisfied from a form are allowed to post as typed transactions. The rest deliberately post as plain entries, with the pattern preserved as provenance — because fabricating a subledger reference to satisfy a validator is the exact shape of fraud the guards exist to catch.

And every entry the guided form produces walks through the same gate as everything else. Guided origination, mandatory enforcement. The three mechanisms meet at the choke point.

CLOSE

What this is for

None of this is specific to homeowner associations. The shape repeats anywhere you find segregated funds, fiduciary duty, statutory constraints, thin staffing, and outside parties who need proof instead of testimony: law-firm trust accounts, property-management escrow, special districts, unions, school activity funds, retirement-plan administration. CommunityPay’s position in its own market is deliberately narrow — serve the lenders, insurers, CPAs, and title companies who rely on the records; compete with none of them. The filings are what let the mechanism travel further than the company will: licensed into verticals we will never enter, relied on by institutions we will never compete with.

The scratch code is the argument. Each iteration exists because the previous one could not answer a question an auditor, an examiner, or a treasurer was going to ask. The system that resulted does not ask to be trusted. It keeps the receipts —

INTEGRITY SCANCOMPLETE · ORPHANS: 0

Every decision is logged — including the refusals.

PROVENANCE

ENFORCEMENT
Mandatory for every ledger posting since January 24, 2025; every journal entry since carries exactly one enforcement decision. 14 guards in production.
CORPUS
548 statutes spanning all 50 states, D.C., and a federal layer; 346 machine-verified statutory thresholds; 10 resale-certificate compliance profiles across 7 states.
FILINGS
Two non-provisional patent applications filed with the USPTO in April 2026; earliest priority filing April 2025. A third mechanism published as a technical disclosure, April 2026. Patent pending.
CODE
Excerpts above are abstracted from the production system — simplified names, real behavior.

REVISION HISTORY

This is a living post. Statutes cited here are tracked in the legal corpus; when one drifts, this article is flagged for re-verification and every substantive update appears in this history.