v0.2.0 — Foundation

linus10x released this 28 May 02:06 · 64 commits to main since this release

First public release of cre-agent-audit. Nine MIT-licensed governance patterns for AI in commercial real estate operations, built to a single design philosophy: durable artifacts, not slideware.

What this is

A reference architecture for AI-governance discipline inside CRE operating companies. Nine patterns covering DEFCON state, Sovereign Veto, hash-chained Audit Ledger, Autonomy Ladder A0→A4, Regulation Mapping, Shadow-Mode Rollout, Lease-Abstraction Provenance, Fair-Housing Pre-Flight Gate, and Tenant PII Data Residency. Two additional design ADRs (ADR-0010 audit-chain retention/privilege/discovery posture; ADR-0011 vendor-output adapter pattern) cover the layered policy and vendor-mediated AI surface.

Every pattern produces an artifact — code, ADR, audit-ledger entry, veto-config, control-description table, vendor-clause template — that survives outside the engagement that created it. Patterns are MIT-licensed, zero-runtime-dependency (stdlib only; YAML is author-time only via scripts/build_compliance_json.py), and mapped to primary-source regulatory citations.

The repo is meant to compound: fork it, ship it inside your stack, copy patterns into your own audit framework, cite the ADRs in your risk register. The patterns are non-proprietary; the implementation is yours.

Settled-liability anchors (primary-source verified)

The patterns are designed against three regulatory matters in the CRE-AI surface:

  • In re Trans Union Rental Screening Solutions — joint FTC/CFPB consent orders, October 2023, $15M — FCRA § 607(b) accuracy in rental-screening reports
  • Louis v. SafeRent Solutions, LLC, No. 1:22-cv-10800 (D. Mass.) — November 2024 — approximately $2.275M class settlement; settlement included a five-year score-use injunction on voucher-holder applicants
  • U.S. v. RealPage, Inc. — filed August 23, 2024 by DOJ + 8 state AGs — ongoing civil antitrust litigation alleging algorithmic rent-coordination

Doctrinal foundation: Texas Dept. of Housing v. Inclusive Communities Project, 576 U.S. 519 (2015).

Install

git clone https://github.com/linus10x/cre-agent-audit.git
cd cre-agent-audit
pip install -e ".[dev]"
make verify                                            # full gate
python examples/02_tenant_screening_preflight/run.py   # demonstrates FHA-PROXY/VOUCHER/SOI/CRIM/DISPARATE

Cold-clone to verified output target: under 60 seconds (warm pip cache). See docs/REPRODUCE.md.

What's in v0.2.0

  • 9 governance patterns + 142 unit tests + 89% branch coverage + ruff + mypy --strict clean
  • Zero runtime dependencies (preserves parity with the sibling linus10x/finserv-agent-audit)
  • 11 ADRs (9 pattern primitives + 2 layered policy ADRs)
  • 9 per-pattern Control Description Tables (docs/controls/)
  • Four-framework mapping matrix: NIST AI RMF × ISO/IEC 42001 × COSO ICAIR × Big-4 standard taxonomy (docs/MAPPING-MATRICES.md)
  • 3 drop-in vendor-clause templates (docs/vendor-clauses/{screening,abstraction,pricing}.md)
  • PE operating-partner due-diligence 10-question checklist (docs/PE_DUE_DILIGENCE.md)
  • 90-day deployment cadence walkthrough framed as privileged engineering rails (examples/FIRST_90_DAYS.md)
  • Three FINOS-format contributory control drafts with explicit non-endorsement provenance (governance-artifacts/)
  • DISCLAIMER.md + LIMITATIONS.md + PRIOR-ART.md
  • Sibling-parity files: CITATION.cff, CODE_OF_CONDUCT.md, ROADMAP.md, .pre-commit-config.yaml, .github/CODEOWNERS, FUNDING.yml, dependabot.yml, ISSUE_TEMPLATE, PR template

Sibling

Maps 1:1 with linus10x/finserv-agent-audit for financial-services workflows. One framework, two named verticals, one author.

Acknowledgements

NIST AI Risk Management Framework · Treasury Financial Services AI Risk Management Framework · FINOS AI Risk Initiative · Marcos López de Prado (named advisor on adjacent work) · Solon Barocas + Moritz Hardt + Arvind Narayanan (Fairness and Machine Learning foundational text) · Andrew Selbst + Danah Boyd + Sorelle Friedler + Suresh Venkatasubramanian + Janet Vertesi (Fairness and Abstraction in Sociotechnical Systems, FAT* 2019) · Margaret Mitchell et al. (Model Cards for Model Reporting) · Timnit Gebru et al. (Datasheets for Datasets) · Inioluwa Deborah Raji et al. (Closing the AI Accountability Gap).

Notice

This repository is a reference architecture, not legal, regulatory, audit, or fairness-testing advice. Regulatory characterizations are summaries; readers must consult qualified counsel for jurisdiction-specific compliance. No attorney-client relationship is formed by use of this repository. See DISCLAIMER.md.

What's next (v0.2.1 — adversarial-review follow-ups; target 2026-Q3)

  • Implement MI-threshold learned-proxy detection in the Fair-Housing Pre-Flight Gate (v0.2.0 ships lexical-only with a bounded ADR-0008 claim)
  • Pluggable persistence backend for the Audit Ledger
  • RFC 3161 trusted-timestamp integration
  • OpenTimestamps / Sigstore Rekor witness-anchor reference integration
  • VendorScoreGate concrete implementation (v0.2.0 ships ADR-0011 design)
  • Full negative-results / failure-mode appendix
  • Named-GC reference quotes

See ROADMAP.md for the full v0.2.1 + v0.3 + v0.4 horizon.