Community Layer Money/Finance — vSOV-COMM-M3.2

• Membership changes are normal.
• Trust is uneven; assume mixed incentives.
• Governance churn is inevitable (signers vanish, roles rotate).

Translation: design for people moving, burning out, or disappearing. The money system must survive that, not freeze because someone is “busy.”

• Communities fail via capture, artifacts, and coercion.
• “Better ideology” does not fix bad finance primitives.

Translation: politics, vibes, and good intentions cannot save a treasury that is structurally easy to hijack or accidentally leak.

• Routine spend
• Low balance
• Frequent movement

This is the working cash drawer: small, hot, and expendable.

• Aid payouts
• Privacy-critical
• Recipient safety dominates reporting choices

This is where mutual aid and vulnerable recipients are served. Privacy beats “maximum visible transparency.”

• Mission-bound funds
• Dissolvable by completion or timeout

Funds locked to a specific project with clear completion or refund rules.

• Continuity buffer
• Rare movement
• High ceremony

The long-term survival pool. Movement is slow, multi-reviewed, and logged.

• Short-lived pool
• Auto-dissolve after event

Temporary funds for a specific event. Reconciled and closed immediately afterwards.

• Bounties for sovereignty skills
• Turns aid into capability when possible

Used to pay for skills, hardware, and setups that increase future autonomy (e.g. nodes, multisig, ops training).

• Funds decentralization under stress
• Governed like reserve-tier assets

Reserved for clean splits when the community needs to fork peacefully.

• Builds unsigned tx / PSBT from approved proposal.
• No signing authority required.

They turn the agreed manifest into a PSBT. They are not trusted to move funds.

• Threshold set that approves by signing.
• Must verify outputs against the manifest (not trust the constructor).

They hold key material. Their job is to check that the PSBT matches the manifest, then sign.

• Watch-only verification + internal ledger.
• Public aggregate reporting.
• Cannot be the same humans signing the spend they audited.

They reconcile UTXOs, ledgers, and public reports. They never sign spends they themselves audit.

• Capped hot spend + frequent sweep, or small 2-of-3 if needed.
• Design for fast replacement; tolerate loss.

If this gets drained, it should hurt but not kill the community.

• 3-of-5 or 4-of-7.
• Signer diversity: no single household controls quorum.

Focus on preventing collusion and coercion for vulnerable recipients.

• 2-of-3 (project lead + finance signer + neutral signer).
• Plus timeout dissolution path.

Enough friction to avoid misuse, but not so much that the project stalls when one person moves.

• 4-of-7 or 5-of-9.
• Rare movement; conservative scripts; heavy ceremony.

Treated like the community’s spine: slow to move, hard to capture.

• Small budget; churn acceptable but still thresholded.
• Budget structure designed for frequent payout cadence.

Designed for lots of small, frequent outputs to build capacity.

• Govern like C3 (it funds decentralization under stress).

Must remain neutral and robust enough to support clean exit paths.

• Fixed cadence (e.g., annual) + event triggers: move, conflict, compromise, inactivity.
• Rotation is normal operations, not “scandal response.”

People stepping off signer duty is expected and pre-planned, not a sign of failure.

• If signer unreachable past defined window: enter Re-Key Mode.
• Migration PSBT from old descriptor-policy to new policy.
• Remaining quorum signs migration; old policy is retired.

Disappearance is handled like a routine maintenance script, not a crisis.

• Eligible for normal bucket routing.
• Still labeled by bucket intent.

Typical member donations and direct receipts that match policy.

• May only enter the declared bucket.
• Cannot be repurposed via “operational convenience.”

Funds given “for X only” are technically and procedurally bound to X.

• Quarantine only.
• No merges into C3/C6. Ever by default.

Anything suspicious or unrequested lives in a separate quarantine zone, never mixed into core reserves.

• Private descriptors (never leave signer-secure handling).
• PSBT drafts (never sprayed across chat/email).
• Label/metadata exports (sensitive; never public reporting material).

Treat these as you would seeds or hardware wallets. They are not “just configuration.”

• One canonical store per artifact class.
• Strict versioning (no ambiguous “latest.psbt”).
• Retention limits: keep final tx + manifest + approvals; purge drafts.
• Watch-only/audit uses public descriptors only.

The community should always be able to answer “where is the real manifest/descriptor kept, and how is it rotated?”

• Tolerate stuck tx.
• Keep balances small.
• Reissue fast.

If something jams here, just cancel and re-route; the risk is bounded by design.

• Bias reliability.
• Avoid interactive fee games when possible.
• Keep fee authority ready.

Aid payouts should not be at the mercy of fee pinning games.

• Rare moves.
• Deliberate overpay beats coordination under duress.

For core reserves and fork funds, overpaying once is cheaper than trying to coordinate fee bumps under attack.

• Settlement + reserves + escrow.
• Default for C3/C6.

The base reality for community money. Everything else is built on top.

• High-frequency small payments.
• Hard-capped.
• Offers/BOLT12: invoicing improvement, still a rail.

LN is for fast, small flows, not for storing the community’s future.

• Used only when operationally mature for the group.
• Never a structural dependency.

Privacy upgrade when the team can actually operate it, not a default that breaks base workflows.

• Allowed only as C0/C1 rail by default.
• Mandatory exit drill to self-custody rails.
• No C3/C6 storage unless explicitly accepted as policy exception.

Treated like a community checking account with clear exit drills, never as a core savings layer without explicit decision.

• Churn exceeds X% per period
• Signer availability below Y%
• Emergency pathway used > N per window
• Donor concentration exceeds Z%
• Unresolved controversy exceeds defined time windows

When these metrics trip, a split is considered structurally justified, no matter who is “right” in a debate.

• How C3 reserves split
• How earmarked funds route
• Quarantine remains quarantine (no washing via split)

The routing is defined in advance, so no one can weaponize split design when tensions are highest.

• Fast
• Small
• Capped

Short-term help to get someone through an acute situation.

• Routed through C5 bounties
• Builds competence (verification, ops)

Whenever possible, help is expressed as training, tools, or setups that increase future independence.

• Requires escalated tiers
• Explicit renewal
• Cannot silently grow

Long-term support is possible but must be intentionally renewed and clearly budgeted, not quietly expanded.

• Reconcile → dissolve immediately.

• Dissolve on completion or timeout (refund/migrate per charter).

Short-lived funds resolve quickly; any leftover sats are routed by pre-written rules.

• Dissolve by pre-committed rules without doxxing recipients.

• Dissolve only via structural-tier threshold + final aggregate report.

Even if the community ends, the last moves from reserves and duress funds are structured and visible at an aggregate level.

• Bitcoin Core v30.2 as baseline validation engine.
• Policy: treasury never depends on someone else’s node or browser explorers.
• Upgrade constraint: treat wallet migrations as hazardous until 30.2+ and backups exist (per your hazard note).

The community’s node is the only source of truth for balances and history, not random websites.

• Pick exactly one indexer spine: Fulcrum or electrs.
• All community wallets connect only to the community indexer (optionally over Tor).
• Goal: eliminate third-party wallet metadata leakage.

This keeps address lookups, balances, and labels inside the community’s infrastructure, not sprayed across public infrastructure.

• Specter Desktop: Core-first multisig control plane; PSBT/HWI oriented.
• Sparrow Wallet: operator-grade workstation; strong coin control + PSBT flows.

At least one coordinator is used as the “control room” for the treasury.

• Standardize on HWI as the “external signer” driver path where applicable.
• Reduce weirdness: fewer divergent driver stacks → fewer failure modes.

The fewer custom integrations, the fewer surprises during a crisis.

• BTCPay Server as the self-hosted payment surface.
• Function: accept BTC, issue receipts, execute payouts, integrate PSBT where needed.

BTCPay is the public-facing front door: donations, event tickets, dues, and simple payouts all come through here.

• BTCPay Payjoin as an optional improvement for donations/dues where operationally appropriate.
• Protocol base: BIP78 reference (as per your prior mapping style).

When the community is ready, Payjoin hides simple “A pays B” patterns on-chain for better privacy.

• Plaintext double-entry accounting toolchain (Beancount-class) with auditable review.
• Reconcile: (a) on-chain UTXO set per bucket, (b) BTCPay receipts/payouts, (c) any fiat expenses if they exist.

The accounting file is the high-level mirror of the UTXO reality, not an independent source of truth.

• Members can verify without treasury doxxing.
• Publish periodic aggregate balance/flow statements.
• Provide view-only descriptors/xpubs only to designated auditors.
• Prefer aggregate proofs over address-by-address theater.

Transparency is about verifiable claims, not about exposing everyone’s exact financial footprint.

• Metal backups for each signing key, distributed across jurisdictions/trust zones.
• Separate: key material vs passphrases vs signer device vs descriptor/policy record.

Losing one element (device, passphrase, backup) should not destroy the treasury; attackers should need more than one element to steal it.

• Multisig recovery is not “just the seeds.”
• Preserve: descriptors, quorum rules, derivations, script type, and policy metadata with redundancy.

Without the policy (descriptors and script details), seeds alone may be useless. Policy backups are treated as critical infrastructure.