Skip to Content
ConceptsGlossary

Glossary

This page exists because OpsDNA’s vocabulary is layered: entity-model terms name who owns what, fund-accounting terms name what the money facts are, pipeline terms name how facts arrive, and runtime terms name how answers stay constrained — and the same word (say, “source event”) can mean different things at different layers. Each entry below gives the working definition and links to the page that owns the concept, so you can read any doc page without a full tour first.

The vocabularies relate roughly like this:

Many terms are literal identifiers you will meet in code — for example:

const operatingSourceEventId = `ose:bank:${version.id}` // OSE, deterministic id type Money = bigint & { readonly [MoneyBrand]: void } // Money, branded bigint

Alphabetized. Each entry links to the page that owns the concept.

Acceptance Lab

apps/acceptance-lab: a CLI that takes a declarative FundScenario (fund-as-data), runs a deterministic multi-period close on pglite, and produces Carta-shaped statements that tie against reconciliation identities. Byte-identical rebuilds are the platform’s determinism proof. → Acceptance Lab

accounting_entity

The optional 1:1 extension of a legal_entity that anchors its books (ledger → book → account → journal). One of three symmetric extensions alongside fund_vehicle and investor. → Entity Model

active-tenant header (x-opsdna-active-tenant)

An untrusted selection header forwarded by the portal when a user holds grants in multiple tenants. resolveTenant only honors it if it lands inside the server-verified grant set — it selects, it never authorizes. → Tenancy & RLS

AnswerRun / PolicyRun

Sealed audit records of a query-runtime execution. An AnswerRun binds the typed plan hash, permission decisions, resolved-step proof hashes, and registry version pins; a PolicyRun does the same for a standing DomainPolicy, with heavy invariants (plan hash must recompute, decisions must bind to resolved resources). → Policies & Workflows

Application / Trace / Row

The canonical-record trio (ADR-0001/0002): <Domain>Application is the runtime money-fact record (with application_hash, kind literal, closed diagnostics); <Domain>ApplicationTrace bundles a run’s applications with an applications_hash; <Domain>ApplicationRow is persistence’s narrowed projection, converted by adapter pairs with proven round-trip identity. → Application Records

Carry (accrual vs distribution)

Carried interest accrues every period on marks as a subledger-only net-zero inter-partner reallocation (never a GL P&L fact), while a carry distribution is a real GL fact. Venture profile: no preferred return, European whole-fund default, 100% clawback. → Accounting Foundations

DomainPolicy

A standing (persisted) query — activations plus a typed plan — that the runtime executes on triggers; model-proposed policies must carry a proposalRef. Executions are audited as PolicyRuns. → Policies & Workflows

Evidence graph

The schema family linking source documents → evidence spans (page/bbox/text) → extraction runs → extracted assertions → review decisions → answer citations. Every runtime answer and extracted fact cites into it. → Permissions & Evidence

Fair-value mark (fair_value_adjustment)

A first-class GL journal entry (never side data) carrying an ASC 820 level and evidence provenance; private-equity positions default to Level III. → Accounting Foundations

FORCE RLS

Postgres row-level security with FORCE so even the table owner is filtered. Nearly every app table (346 of 354) has it, keyed on the app.tenant_id GUC set by withTenantTransaction. The second of the two tenancy walls. → Roles & RLS

Freeze set

The set of identifiers that feed canonical hashes and idempotency keys (tenantId, accounting_entity_id, book_id, account_id, *SourceEventId, journalEntryId, …). CI lint forbids new surrogate ids inside hash builders — changing a member breaks deterministic replay. → Identifier Policy

Grant

The identity-schema record entitling a subject (persona: gp_team, lp, auditor, attorney, company_user) to a scope in a tenant. Zero active grants → /access-pending; grants drive tenant resolution Path B. → Portal Auth & Tenancy

Layer cake

The entity-model spine: tenant → organization → fund / legal_entity → (fund_vehicle | accounting_entity | investor→partner_account). Funds are thin groupings that own nothing; economics live at the vehicle level. Normative source: DATA-MODEL.md. → Entity Model

LSE — ledger_source_event

Step iii of the source→ledger pipeline: a posting-ready instruction in pure accounting terms (scope_id, event_type, amount_cents, dimensions) with its own supersede/reverse lifecycle. Produced from accepted OSEs — and from many other producers (fees, marks, manual JEs). → Domain Seams

Money

Branded bigint at scale 4 (packages/ledger/src/money.ts); ratios at scale 12. Half-even rounding, largest-remainder exact splits, no IEEE floats ever on a money path. → Ledger Kernel

OSE — operating_source_event

Step ii of the pipeline: the semantic, human-gated meaning of a source fact (candidate → accepted → rejected/superseded). Bank promotions mint them under deterministic ids ose:bank:${version.id}. Only accepted OSEs may cross the seam into LSEs. → Domain Seams

PCAP

Partner capital account (statement). Per-LP component balances are a projection layer over the GL + subledger — one row per partner/period/component with source provenance — never a second ledger. → Accounting Foundations

pglite lane

The default test substrate: in-memory WASM Postgres 18. Fast, but it silently passes things real Postgres rejects (EXECUTE grants, RLS FORCE, the identity-spine uuid rule) — those run in the separate real-Postgres integration lane. Green verify + red postgres integration CI job = a schema change slipped the pglite lane. → Testing

Policy IR

Economic terms stored as typed Effect-Schema payloads in vehicle_terms_versions.payload — the payload IS the intermediate representation. No compiled tables; engines decode → validate → lower at run time, pin what they consumed via calculation_run_terms_versions, and fail closed on unsupported shapes. → Policy IR

Posting plan

The ledger kernel’s typed compilation of a source event into balanced journal intent — rule-set id/version, allocator kind, allocations with rounding remainders, input/output hashes. → Ledger Kernel

Two provenance edges by design: proof_links is the general graph (any target, role + match status); ledger_item_evidence_links is the accounting overlay (always a journal line, adds amount_supported + confidence, composes via nullable proof_link_id). Bank path convention: create both. → Domain Seams

Query planner / typed query plan

The runtime’s single LLM trust boundary: a planner model emits untrusted candidates; deterministic resolution + a finite 15-operation algebra + plan validation + the permission engine produce an executable, hashable plan. → Query Runtime

SourceEvent (three of them)

Three distinct concepts share the phrase: (1) the pipeline tables operating_source_event / ledger_source_event; (2) the content-addressed envelope in packages/source-events (source-event:v1:<sha256>, registry-validated payloads); (3) the ledger’s sealed posting vocabulary SOURCE_EVENT_TYPES in packages/ledger. Never conflate them. → Domain Seams

Spine id

A deterministic uuid v5 identifier on the Lab-rebuildable entity spine: uuidv5(ns, tenant_id + ':' + entity_kind + ':' + stable_key) with an immutable stable key. Contrast with uuid v7 surrogates (operational tables) and content-hash ids (journal entries, allocations). → Identifier Policy

Tenant

The RLS perimeter and root of the layer cake (uuid v7). Deliberately decoupled from WorkOS organizations (ADR-0023); resolution to exactly one entitled tenant per request is Wall 1 of the security model. → Tenancy & RLS

verify (bun run verify)

The mandatory pre-push gate: build + typecheck + ~40 audit gates + full test suite (~3–8 min), mirroring CI’s build / typecheck / test job. It runs on pglite — see pglite lane for what it cannot catch. → Verify and CI

Wall 1 / Wall 2

The two independent tenancy walls (ADR-0033): Wall 1 = request-time tenant selection (resolveTenant, fail-closed); Wall 2 = Postgres enforcement (FORCE RLS on tenant_id). A bug in one is not a breach. → Tenancy & RLS

withTenantTransaction

The persistence helper that opens a transaction with the tenant context GUC set, so RLS applies to every statement inside. All tenant-scoped repository methods go through it. → Repositories

Last updated on