Glossary
This page exists because OpsDNA’s vocabulary is layered: entity-model terms name who owns what, fund-accounting terms name what the money facts are, pipeline terms name how facts arrive, and runtime terms name how answers stay constrained — and the same word (say, “source event”) can mean different things at different layers. Each entry below gives the working definition and links to the page that owns the concept, so you can read any doc page without a full tour first.
The vocabularies relate roughly like this:
Many terms are literal identifiers you will meet in code — for example:
const operatingSourceEventId = `ose:bank:${version.id}` // OSE, deterministic id
type Money = bigint & { readonly [MoneyBrand]: void } // Money, branded bigintAlphabetized. Each entry links to the page that owns the concept.
Acceptance Lab
apps/acceptance-lab: a CLI that takes a declarative FundScenario (fund-as-data), runs a deterministic multi-period close on pglite, and produces Carta-shaped statements that tie against reconciliation identities. Byte-identical rebuilds are the platform’s determinism proof. → Acceptance Lab
accounting_entity
The optional 1:1 extension of a legal_entity that anchors its books (ledger → book → account → journal). One of three symmetric extensions alongside fund_vehicle and investor. → Entity Model
active-tenant header (x-opsdna-active-tenant)
An untrusted selection header forwarded by the portal when a user holds grants in multiple tenants. resolveTenant only honors it if it lands inside the server-verified grant set — it selects, it never authorizes. → Tenancy & RLS
AnswerRun / PolicyRun
Sealed audit records of a query-runtime execution. An AnswerRun binds the typed plan hash, permission decisions, resolved-step proof hashes, and registry version pins; a PolicyRun does the same for a standing DomainPolicy, with heavy invariants (plan hash must recompute, decisions must bind to resolved resources). → Policies & Workflows
Application / Trace / Row
The canonical-record trio (ADR-0001/0002): <Domain>Application is the runtime money-fact record (with application_hash, kind literal, closed diagnostics); <Domain>ApplicationTrace bundles a run’s applications with an applications_hash; <Domain>ApplicationRow is persistence’s narrowed projection, converted by adapter pairs with proven round-trip identity. → Application Records
Carry (accrual vs distribution)
Carried interest accrues every period on marks as a subledger-only net-zero inter-partner reallocation (never a GL P&L fact), while a carry distribution is a real GL fact. Venture profile: no preferred return, European whole-fund default, 100% clawback. → Accounting Foundations
DomainPolicy
A standing (persisted) query — activations plus a typed plan — that the runtime executes on triggers; model-proposed policies must carry a proposalRef. Executions are audited as PolicyRuns. → Policies & Workflows
Evidence graph
The schema family linking source documents → evidence spans (page/bbox/text) → extraction runs → extracted assertions → review decisions → answer citations. Every runtime answer and extracted fact cites into it. → Permissions & Evidence
Fair-value mark (fair_value_adjustment)
A first-class GL journal entry (never side data) carrying an ASC 820 level and evidence provenance; private-equity positions default to Level III. → Accounting Foundations
FORCE RLS
Postgres row-level security with FORCE so even the table owner is filtered. Nearly every app table (346 of 354) has it, keyed on the app.tenant_id GUC set by withTenantTransaction. The second of the two tenancy walls. → Roles & RLS
Freeze set
The set of identifiers that feed canonical hashes and idempotency keys (tenantId, accounting_entity_id, book_id, account_id, *SourceEventId, journalEntryId, …). CI lint forbids new surrogate ids inside hash builders — changing a member breaks deterministic replay. → Identifier Policy
Grant
The identity-schema record entitling a subject (persona: gp_team, lp, auditor, attorney, company_user) to a scope in a tenant. Zero active grants → /access-pending; grants drive tenant resolution Path B. → Portal Auth & Tenancy
Layer cake
The entity-model spine: tenant → organization → fund / legal_entity → (fund_vehicle | accounting_entity | investor→partner_account). Funds are thin groupings that own nothing; economics live at the vehicle level. Normative source: DATA-MODEL.md. → Entity Model
LSE — ledger_source_event
Step iii of the source→ledger pipeline: a posting-ready instruction in pure accounting terms (scope_id, event_type, amount_cents, dimensions) with its own supersede/reverse lifecycle. Produced from accepted OSEs — and from many other producers (fees, marks, manual JEs). → Domain Seams
Money
Branded bigint at scale 4 (packages/ledger/src/money.ts); ratios at scale 12. Half-even rounding, largest-remainder exact splits, no IEEE floats ever on a money path. → Ledger Kernel
OSE — operating_source_event
Step ii of the pipeline: the semantic, human-gated meaning of a source fact (candidate → accepted → rejected/superseded). Bank promotions mint them under deterministic ids ose:bank:${version.id}. Only accepted OSEs may cross the seam into LSEs. → Domain Seams
PCAP
Partner capital account (statement). Per-LP component balances are a projection layer over the GL + subledger — one row per partner/period/component with source provenance — never a second ledger. → Accounting Foundations
pglite lane
The default test substrate: in-memory WASM Postgres 18. Fast, but it silently passes things real Postgres rejects (EXECUTE grants, RLS FORCE, the identity-spine uuid rule) — those run in the separate real-Postgres integration lane. Green verify + red postgres integration CI job = a schema change slipped the pglite lane. → Testing
Policy IR
Economic terms stored as typed Effect-Schema payloads in vehicle_terms_versions.payload — the payload IS the intermediate representation. No compiled tables; engines decode → validate → lower at run time, pin what they consumed via calculation_run_terms_versions, and fail closed on unsupported shapes. → Policy IR
Posting plan
The ledger kernel’s typed compilation of a source event into balanced journal intent — rule-set id/version, allocator kind, allocations with rounding remainders, input/output hashes. → Ledger Kernel
proof_link vs ledger_item_evidence_link
Two provenance edges by design: proof_links is the general graph (any target, role + match status); ledger_item_evidence_links is the accounting overlay (always a journal line, adds amount_supported + confidence, composes via nullable proof_link_id). Bank path convention: create both. → Domain Seams
Query planner / typed query plan
The runtime’s single LLM trust boundary: a planner model emits untrusted candidates; deterministic resolution + a finite 15-operation algebra + plan validation + the permission engine produce an executable, hashable plan. → Query Runtime
SourceEvent (three of them)
Three distinct concepts share the phrase: (1) the pipeline tables operating_source_event / ledger_source_event; (2) the content-addressed envelope in packages/source-events (source-event:v1:<sha256>, registry-validated payloads); (3) the ledger’s sealed posting vocabulary SOURCE_EVENT_TYPES in packages/ledger. Never conflate them. → Domain Seams
Spine id
A deterministic uuid v5 identifier on the Lab-rebuildable entity spine: uuidv5(ns, tenant_id + ':' + entity_kind + ':' + stable_key) with an immutable stable key. Contrast with uuid v7 surrogates (operational tables) and content-hash ids (journal entries, allocations). → Identifier Policy
Tenant
The RLS perimeter and root of the layer cake (uuid v7). Deliberately decoupled from WorkOS organizations (ADR-0023); resolution to exactly one entitled tenant per request is Wall 1 of the security model. → Tenancy & RLS
verify (bun run verify)
The mandatory pre-push gate: build + typecheck + ~40 audit gates + full test suite (~3–8 min), mirroring CI’s build / typecheck / test job. It runs on pglite — see pglite lane for what it cannot catch. → Verify and CI
Wall 1 / Wall 2
The two independent tenancy walls (ADR-0033): Wall 1 = request-time tenant selection (resolveTenant, fail-closed); Wall 2 = Postgres enforcement (FORCE RLS on tenant_id). A bug in one is not a breach. → Tenancy & RLS
withTenantTransaction
The persistence helper that opens a transaction with the tenant context GUC set, so RLS applies to every statement inside. All tenant-scoped repository methods go through it. → Repositories