VFDS v1.0 — Veydrin Financial Data Standard

§ 1

Overview

VFDS defines the portable data format for household financial sovereignty and trust lifecycle data. It is a domain specialization of VODS (Veydrin Open Data Standard) and inherits its privacy contract, versioning conventions, and export envelope.

VFDS covers the full financial picture of an individual, household, or trust — including cash flow, net worth, debt, wealth holdings, insurance, goals, and the complete trust ownership hierarchy. All data is structured for offline-first, encrypted, local-only storage. No fields assume network connectivity or cloud persistence.

Conventions. The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document follow RFC 2119 and RFC 8174, consistent with VODS v1.0.

Reference implementation. org.ninthstar.nemorith (Nemorith) by the Ninth Star Foundation is the reference implementation of VFDS v1.0.0. If you ship a VFDS-conforming export, open an issue on the protocols repository and we will list it here.

VODS Compliance

A VFDS export is a valid VODS document. The VODS envelope fields sit at the root level alongside the VFDS domain fields — the same pattern used by OHDS and OCEADS. VFDS does not use a payload wrapper.

VODS dependency. VFDS v1.0 requires VODS v1.0. The four VODS envelope fields (vods_version, export_id, export_date, export_mode) are required in every VFDS document. Their authoritative definition is in the VODS spec.

{
  // VODS envelope (required)
  "vods_version": "1.0",
  "export_id":   "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "export_date": "2026-03-11T00:00:00Z",
  "export_mode": "tracked",

  // VFDS root structure
  "vfds_version": "1.0.0",
  "exported_at": "2026-03-11T00:00:00Z",
  "app_version": "0.1.0",
  "vault": { },
  "flow": { },
  "position": { },
  "debt": { },
  "wealth": { },
  "protection": { },
  "goals": { },
  "milestones": [ ],
  "notifications": [ ],
  "settings": { }
}

Annotations (//) are shown for readability. Valid JSON does not permit comments.

Conventions

C1
All identifiers are UUIDs (string)
C2
All timestamps are ISO 8601 UTC (e.g. 2026-03-11T14:23:00Z)
C3
All monetary values are string decimal representations in the major currency unit (e.g., "10.50" for ten dollars and fifty cents, not 1050). Implementations MUST NOT use floating-point arithmetic for monetary calculations. Fiat currencies MUST preserve at least 2 decimal places; BTC MUST preserve 8. Using strings avoids IEEE 754 precision loss that affects every floating-point number system.
C4
Currency codes follow ISO 4217 (3-letter, uppercase)
C5
? suffix denotes optional/nullable fields
C6
Computed fields are derived at runtime and MUST NOT be persisted in exports
C7
Enum values are lowercase snake_case strings
C8
All interest_rate fields are string decimal representations of the annual percentage rate (APR) where "5.25" means 5.25% per year. Not a decimal fraction — "5.25", not "0.0525".

§ 2

Root Structure

{
  "vfds_version": "1.0.0",
  "exported_at": "<ISO 8601>",
  "app_version": "<string>",
  "vault": { },
  "flow": { },
  "position": { },
  "debt": { },
  "wealth": { },
  "protection": { },
  "goals": { },
  "milestones": [ ],
  "notifications": [ ],
  "settings": { }
}

Field	Type	Description
`vfds_version`	string	Spec version (semver)
`exported_at`	ISO 8601	Export timestamp
`app_version`	string	Nemorith build version
`vault`	object	Top-level vault container
`flow`	object	Cash flow layer
`position`	object	Net worth layer
`debt`	object	Debt management layer
`wealth`	object	Portfolio/holdings layer
`protection`	object	Insurance layer
`goals`	object	Financial goals layer
`milestones`	array	Cross-layer milestone records
`notifications`	array	Activity and audit log
`settings`	object	App preferences

Vault Flow Position Debt Wealth Protection Goals Milestones Notifications Settings

§ 3

Vault

The vault is the root container. All financial data, members, documents, and the ownership tree belong to a vault.

{
  "id": "<uuid>",
  "name": "<string>",
  "tier": "<VaultTier>",
  "base_currency_code": "<ISO 4217>",
  "trust_type": "<TrustType?>",
  "lifecycle_stage": "<LifecycleStage?>",
  "created_at": "<ISO 8601>",
  "updated_at": "<ISO 8601>",
  "members": [ ],
  "role_permissions": [ ],
  "documents": [ ],
  "ownership_entities": [ ]
}

Field	Type	Req?	Description
`id`	string	req	UUID
`name`	string	req	Display name
`tier`	VaultTier	req	Vault tier (see enum)
`base_currency_code`	string	req	ISO 4217 base currency
`trust_type`	TrustType?	trust tier	Trust subtype
`lifecycle_stage`	LifecycleStage?	trust tier	Current trust stage
`created_at`	ISO 8601	req	Creation timestamp
`updated_at`	ISO 8601	req	Last modified timestamp

Computed (do not export): is_trust — tier == "trust"; is_irrevocable — lifecycle_stage == "active_irrevocable"

VaultTier

Value	Description
`solo`	Single user, no household features
`household`	Multiple members, shared vault
`trust`	Full trust lifecycle enabled

TrustType (trust tier only)

Value
`living_trust`
`family_trust`
`business_trust`
`nonprofit_trust`

LifecycleStage (trust tier only)

Value	Description
`creation`	Vault established, roles defined, documents loading
`active_revocable`	Full edit rights, all layers live
`conversion`	In-progress conversion ceremony
`active_irrevocable`	Terms frozen, documents immutable (add only)
`succession`	Pre-staged handoff, quorum or date-based trigger
`legacy`	Successor Trustees active, Founder profile permanent
`continuance`	Beneficiary continuation trust with lineage link

Vault > Members

{
  "id": "<uuid>",
  "name": "<string>",
  "role": "<MemberRole>",
  "joined_at": "<ISO 8601>",
  "avatar_initials": "<string?>",
  "is_owner": false
}

Value	Layer Access	Notes
`trustor`	All layers	View-only after irrevocable conversion
`trustee`	All layers	Full admin within locked terms
`co_trustee`	All layers	Succession-capable, confirms conversion quorum
`partner`	All layers	Add transactions, manage own accounts
`steward`	Flow + Position summary	Own transactions only
`beneficiary`	Own allocation only	View-only
`observer`	Summary dashboard	Read-only
`successor_trustee`	All layers (dormant)	Full admin post-succession
`attorney`	Entity structure only	Observer-tier professional
`accountant`	Flow + Position	Observer-tier professional
`minor`	Own allocation only	Underage beneficiary, view-only with guardian oversight

Vault > Role Permissions

Role permissions define what each role can access per layer. Stored per vault to allow customization.

{
  "role": "<MemberRole>",
  "layer_permissions": {
    "flow": "<PermissionLevel>",
    "position": "<PermissionLevel>",
    "debt": "<PermissionLevel>",
    "wealth": "<PermissionLevel>",
    "protection": "<PermissionLevel>",
    "documents": "<PermissionLevel>",
    "milestones": "<PermissionLevel>",
    "members": "<PermissionLevel>",
    "settings": "<PermissionLevel>",
    "trust_lifecycle": "<PermissionLevel>"
  },
  "can_invite_members": false,
  "can_export_data": false,
  "can_initiate_conversion": false,
  "can_trigger_succession": false,
  "can_modify_roles": false
}

PermissionLevel: none | read_only | read_write | admin

Vault > Documents

Encrypted document references. File content is never included in a VFDS export — only metadata. Actual files remain in the encrypted local vault.

{
  "id": "<uuid>",
  "name": "<string>",
  "category": "<DocumentCategory>",
  "size_bytes": 0,
  "notes": "<string?>",
  "added_at": "<ISO 8601>",
  "expires_at": "<ISO 8601?>",
  "is_locked": false
}

Vault > Ownership Entities

The ownership map is a self-referential tree. Each entity may have a parent_id pointing to another entity in the same array. Entities with parent_id: null are root nodes. The tree is infinitely nestable.

{
  "id": "<uuid>",
  "name": "<string>",
  "type": "<EntityType>",
  "parent_id": "<uuid?>",
  "value": "0.00",
  "currency_code": "<ISO 4217?>",
  "notes": "<string?>",
  "created_at": "<ISO 8601>"
}

Trust (root, parent_id: null) ├── LLC (parent_id: trust.id) │ ├── Brokerage (parent_id: llc.id) → wealth.holdings │ └── Real Estate (parent_id: llc.id) → position.assets ├── Bank Account (parent_id: trust.id) └── Beneficiary (parent_id: trust.id)

§ 4

Data Layers

VFDS organizes financial data into seven primary layers beneath the vault container. Each layer is independently versioned within the root structure.

§ 4.1

Flow Layer

Cash flow tracking — transactions, budget categories, recurring items, and bill reminders.

Transactions

{
  "id": "<uuid>",
  "description": "<string>",
  "amount": "0.00",
  "currency_code": "<ISO 4217>",
  "type": "<TransactionType>",
  "category_id": "<uuid?>",
  "date": "<ISO 8601>",
  "member_id": "<uuid?>",
  "created_at": "<ISO 8601>"
}

TransactionType: income | expense

Receipts

{
  "id": "<uuid>",
  "image_path": "<string>",
  "captured_at": "<ISO 8601>",
  "amount": "0.00",
  "merchant": "<string?>",
  "category": "<string?>",
  "notes": "<string?>",
  "linked_transaction_id": "<uuid?>",
  "currency_code": "<ISO 4217>",
  "ocr_text": "<string?>"
}

Subscriptions

{
  "id": "<uuid>",
  "name": "<string>",
  "monthly_cost": "0.00",
  "currency_code": "<ISO 4217>",
  "category": "<string?>",
  "frequency": "<RecurringFrequency>",
  "next_due_date": "<ISO 8601?>",
  "icon": "<string?>",
  "is_active": true,
  "created_at": "<ISO 8601>"
}

Donations

{
  "id": "<uuid>",
  "organization": "<string>",
  "amount": "0.00",
  "currency_code": "<ISO 4217>",
  "frequency": "<RecurringFrequency?>",
  "icon": "<string?>",
  "recurring": false,
  "created_at": "<ISO 8601>"
}

Budget Categories

{
  "id": "<uuid>",
  "name": "<string>",
  "budgeted": "0.00",
  "spent": "0.00",
  "rollover": false,
  "currency_code": "<ISO 4217>",
  "icon": "<string?>",
  "color": "<string?>"
}

Note on spent. The spent field is a period-total snapshot captured at export time. Unlike computed display fields (C6), it is an explicit data point that the importing application needs to restore budget state. It is permitted in exports.

Note on icon and color. These are implementation-specific display hints. icon SHOULD be a string identifier (e.g., Material icon name like "restaurant"). color SHOULD be a hex string (e.g., "#FF5722"). Importing applications that do not recognize these values MAY substitute defaults.

Computed (do not export): remaining — budgeted - spent; percent_used — 0.0 – 1.0; is_over_budget — spent > budgeted

Recurring Transactions

{
  "id": "<uuid>",
  "name": "<string>",
  "amount": "0.00",
  "currency_code": "<ISO 4217>",
  "is_income": false,
  "frequency": "<RecurringFrequency>",
  "category": "<string>",
  "next_due_date": "<ISO 8601>",
  "is_active": true
}

RecurringFrequency: weekly | biweekly | monthly | quarterly | yearly

Bill Reminders

{
  "id": "<uuid>",
  "name": "<string>",
  "amount": "0.00",
  "currency_code": "<ISO 4217>",
  "frequency": "<BillFrequency>",
  "due_day": 1,
  "autopay": false,
  "category": "<string?>",
  "is_active": true,
  "created_at": "<ISO 8601>"
}

§ 4.2

Position Layer

Net worth snapshot — assets, liabilities, and historical snapshots.

Assets

{
  "id": "<uuid>",
  "name": "<string>",
  "type": "<AssetType>",
  "value": "0.00",
  "loan_balance": "0.00",
  "currency_code": "<ISO 4217>",
  "ownership_entity_id": "<uuid?>",
  "last_updated": "<ISO 8601>"
}

Liabilities

{
  "id": "<uuid>",
  "name": "<string>",
  "type": "<LiabilityType>",
  "balance": "0.00",
  "interest_rate": "0.00",
  "minimum_payment": "0.00",
  "currency_code": "<ISO 4217>",
  "debt_account_id": "<uuid?>",
  "last_updated": "<ISO 8601>"
}

Net Worth Snapshots

{
  "id": "<uuid>",
  "net_worth": "0.00",
  "total_assets": "0.00",
  "total_liabilities": "0.00",
  "recorded_at": "<ISO 8601>"
}

§ 4.3

Debt Layer

Debt payoff engine — accounts and active strategy selection.

{
  "accounts": [
    {
      "id": "<uuid>",
      "name": "<string>",
      "debt_type": "<DebtType>",
      "balance": "0.00",
      "interest_rate": "0.00",
      "minimum_payment": "0.00",
      "credit_limit": "0.00",
      "due_day": 1,
      "is_revolving": false,
      "currency_code": "<ISO 4217>"
    }
  ],
  "payoff_strategy": "<DebtPayoffStrategy>"
}

DebtPayoffStrategy: avalanche | snowball | custom

Cross-reference. debt.accounts records are the same underlying debts as position.liabilities. The position layer tracks them as liability snapshot records; the debt layer tracks them as active payoff accounts. Implementations SHOULD treat them as parallel views of the same data, not duplicate records.

§ 4.4

Wealth Layer

Portfolio holdings — all asset classes with current valuation.

{
  "id": "<uuid>",
  "name": "<string>",
  "ticker": "<string?>",
  "asset_class": "<AssetClass>",
  "shares": "0.00",
  "price_per_share": "0.00",
  "cost_basis": "0.00",
  "currency_code": "<ISO 4217>",
  "ownership_entity_id": "<uuid?>",
  "dividend_per_share": "0.00",
  "dividend_frequency": "<DividendFrequency?>",
  "notes": "<string?>"
}

DividendFrequency: monthly | quarterly | semiannual | annual | irregular

Watchlist

{
  "id": "<uuid>",
  "ticker": "<string>",
  "name": "<string>",
  "sector": "<string?>",
  "price_target": "0.00",
  "current_price": "0.00",
  "currency_code": "<ISO 4217>",
  "price_updated_at": "<ISO 8601?>",
  "notes": "<string?>",
  "added_at": "<ISO 8601>"
}

Computed (do not export): market_value — shares × price_per_share; gain_loss — market_value - cost_basis; gain_loss_percent — (gain_loss / cost_basis) × 100

§ 4.5

Protection Layer

Insurance policy inventory and coverage gap tracking.

{
  "id": "<uuid>",
  "provider": "<string>",
  "type": "<InsuranceType>",
  "premium": "0.00",
  "premium_frequency": "monthly",
  "coverage_amount": "0.00",
  "deductible": "0.00",
  "currency_code": "<ISO 4217>",
  "ownership_entity_id": "<uuid?>",
  "renewal_date": "<ISO 8601?>"
}

Beneficiary Designations

{
  "id": "<uuid>",
  "account_name": "<string>",
  "account_type": "<string>",
  "beneficiary": "<string>",
  "allocation": "<string>",
  "tier": "<BeneficiaryTier>",
  "last_reviewed": "<ISO 8601?>",
  "issue": "<string?>",
  "created_at": "<ISO 8601>"
}

BeneficiaryTier: primary | contingent

§ 4.6

Goals Layer

Financial goals with progress tracking.

{
  "id": "<uuid>",
  "name": "<string>",
  "target_amount": "0.00",
  "current_amount": "0.00",
  "currency_code": "<ISO 4217>",
  "category": "<GoalCategory>",
  "deadline": "<ISO 8601?>",
  "created_at": "<ISO 8601>",
  "is_completed": false
}

Life Events

{
  "id": "<uuid>",
  "name": "<string>",
  "target_date": "<ISO 8601?>",
  "estimated_cost": "0.00",
  "current_saved": "0.00",
  "currency_code": "<ISO 4217>",
  "icon": "<string?>",
  "color": "<string?>",
  "active": true,
  "created_at": "<ISO 8601>"
}

§ 4.7

Milestones

Cross-layer milestone records. May reference net worth targets, savings goals, or lifecycle events.

{
  "id": "<uuid>",
  "title": "<string>",
  "description": "<string>",
  "target_amount": "0.00",
  "current_amount": "0.00",
  "target_date": "<ISO 8601?>",
  "status": "<MilestoneStatus>",
  "currency_code": "<ISO 4217>"
}

MilestoneStatus: upcoming | in_progress | achieved

§ 4.8

Notifications / Audit Log

Activity log and in-app notification records.

{
  "id": "<uuid>",
  "title": "<string>",
  "body": "<string>",
  "type": "<NotificationType>",
  "created_at": "<ISO 8601>",
  "is_read": false,
  "route": "<string?>"
}

NotificationType: info | warning | milestone | security | sync

§ 4.9

Settings

App-level preferences. Exported for cross-device restore. Not vault-specific.

Field	Type	Default	Description
`base_currency_code`	string	`"USD"`	ISO 4217 default display currency
`show_currency_symbols`	bool	`true`	Show/hide currency symbols in UI
`compact_large_numbers`	bool	`false`	Format large numbers as `$1.2M`
`biometrics_enabled`	bool	`false`	Biometric authentication
`prevent_screenshots`	bool	`true`	FLAG_SECURE screen protection
`auto_lock_seconds`	int	`60`	Auto-lock timer in seconds. `0` = immediate. `-1` = never

§ 5

Cross-References

#	From	To	Mechanism
1	`vault.ownership_entities`	self	`parent_id → id` (recursive tree)
2	`vault.ownership_entities` (brokerage)	`wealth.holdings`	`holding.ownership_entity_id → entity.id`
3	`vault.ownership_entities` (real_estate, bank_account)	`position.assets`	`asset.ownership_entity_id → entity.id`
4	`vault.members`	`vault.role_permissions`	`role` field links permission set
5	`flow.transactions.category_id`	`flow.budget_categories.id`	direct UUID reference
6	`debt.accounts`	`position.liabilities`	`liability.debt_account_id → debt_account.id`
7	`protection.policies`	`vault.ownership_entities` (insurance)	`policy.ownership_entity_id → entity.id`
8	`vault.documents`	vault lifecycle	`is_locked` becomes `true` on `active_irrevocable` transition
9	`milestones`	`position.net_worth_snapshots`	milestone amounts track net worth targets
10	`goals.financial_goals`	`position.assets`	savings goals feed asset value records

§ 6

Currency Reference

Static reference data. Not user data — not exported in VFDS payloads. Embedded in app.

Code	Name	Symbol
`USD`	US Dollar	$
`EUR`	Euro	€
`GBP`	British Pound	£
`JPY`	Japanese Yen	¥
`CAD`	Canadian Dollar	CA$
`AUD`	Australian Dollar	A$
`CHF`	Swiss Franc	CHF
`CNY`	Chinese Yuan	¥
`INR`	Indian Rupee	₹
`MXN`	Mexican Peso	MX$
`BRL`	Brazilian Real	R$
`KRW`	South Korean Won	₩
`NGN`	Nigerian Naira	₦
`ZAR`	South African Rand	R
`GHS`	Ghanaian Cedi	₵
`BTC`	Bitcoin	₿

Note: BTC is not ISO 4217. It is included for practical use. Implementations MUST handle BTC's 8 decimal places (decimal_places: 8).

§ 7

Document Bundle Format (.vfds-bundle)

A .vfds-bundle file is a ZIP archive. A standard VFDS export (vfds.json) contains document metadata only — file contents are never embedded in the JSON payload. For full backup, restore, and migration including actual document files, implementations MUST produce a VFDS Bundle.

Structure

myexport.vfds-bundle ├── vfds.json — standard VFDS export ├── documents/ │ ├── <document-uuid>.enc — AES-256-GCM encrypted file │ └── ... └── bundle_manifest.json — bundle metadata

bundle_manifest.json

{
  "bundle_version": "1.0.0",
  "vfds_version": "1.0.0",
  "created_at": "<ISO 8601>",
  "vault_id": "<uuid>",
  "vault_name": "<string>",
  "document_count": 0,
  "total_encrypted_bytes": 0,
  "encryption": {
    "algorithm": "AES-256-GCM",
    "kdf": "PBKDF2-SHA512",
    "iterations": 310000,
    "salt": "<base64>",
    "iv_per_file": true
  }
}

File Encryption

Each document is encrypted independently:

<document-uuid>.enc ├── [12 bytes] — random IV (GCM nonce) ├── [N bytes] — AES-256-GCM ciphertext └── [16 bytes] — GCM authentication tag

The encryption key is derived from a user-supplied passphrase via PBKDF2-SHA512 using the salt stored in bundle_manifest.json. The same key covers all files in the bundle. The passphrase is never stored.

Bundle-level encryption (optional). Implementations MAY additionally encrypt the entire ZIP archive with a second passphrase. When applied, the file extension SHOULD be .vfds-bundle.enc. Per-file encryption of the documents/ folder is sufficient for most use cases. Bundle-level encryption is recommended only for high-threat exports such as attorney handoff or succession transfer.

Import / Restore Rules

I1
Validate document count. bundle_manifest.document_count MUST match the number of .enc files present — abort if mismatch.
I2
Parse before import. Validate vfds.json against the declared vfds_version before importing any data.
I3
Decrypt with verification. Decrypt each .enc file using the passphrase-derived key — if any file fails GCM tag verification, abort the entire import and surface the error.
I4
Match by UUID. Match each decrypted file to its corresponding vault.documents record by UUID.
I5
Warn on partial export. Warn the user if vault.documents references UUIDs with no corresponding .enc file.
I6
Never silently drop documents. Surface every mismatch to the user.

Suggested UX Labels

Action	Label
Export data only	"Export Financial Data" → saves `vfds.json`
Export data + documents	"Full Backup" → saves `.vfds-bundle`
Import data only	"Restore from Export"
Import full backup	"Restore Full Backup"
Transfer to new device	"Transfer Vault" → full bundle, prompts for passphrase

§ 8

Privacy Notes

A machine-readable schema for automated validation is available at vfds-v1.0.schema.json.

P1
No document contents in exports. Document file contents are never included in VFDS exports — only metadata.
P2
PII sensitivity. Member names and financial values are sensitive PII — exports MUST be encrypted in transit and at rest.
P3
No silent transmission. VFDS exports MUST NOT be sent to any server without explicit user action.
P4
No computed field persistence. Computed fields are derived at runtime and MUST NOT be persisted or exported.
P5
VODS privacy contract. This standard inherits the VODS privacy contract in full.

§ 9

Conformance Rules

An application claims VFDS v1.0 conformance by satisfying all VODS v1.0 conformance rules (see VODS spec §6) and the following VFDS-specific rules. A machine-readable schema is available at vfds-v1.0.schema.json.

Producer conformance

An application producing VFDS exports MUST satisfy:

F1
VFDS version declared. Every export includes vfds_version with the spec version used.
F2
VODS envelope present. Every export includes the four required VODS fields (vods_version, export_id, export_date, export_mode) at the root level alongside the VFDS fields.
F3
Vault required. Every export includes a non-empty vault object with at minimum id, name, tier, base_currency_code, created_at, and updated_at.
F4
Monetary values as strings. All monetary values are serialized as string decimals per C3. No floating-point numbers for money.
F5
Interest rates as APR strings. All interest_rate fields are string decimals representing annual percentage rate per C8.
F6
No computed fields. Computed values (net worth, gain/loss, percentages, remaining budget) MUST NOT appear in exports per C6.
F7
No document contents. Document file contents are never included in the JSON export — only metadata. Actual files go in a .vfds-bundle if needed.
F8
Cross-references valid. All UUID references (category_id, ownership_entity_id, debt_account_id, member_id, parent_id) MUST point to records that exist within the same export.
F9
Anonymization honoured. In anonymous mode, all member names, vault names, and entity names MUST be redacted or pseudonymized. In tracked mode, stable pseudonyms per VODS §3.

Consumer conformance

An application importing VFDS data MUST satisfy:

F10
Version check. Validate vfds_version before processing. Reject documents with an unsupported major version.
F11
Unknown fields preserved. Fields not recognized by the consumer SHOULD be preserved on re-export, not silently dropped.
F12
Bundle validation. When importing a .vfds-bundle, validate the manifest, verify document count, and verify GCM authentication tags before processing per I1–I6.
F13
No silent transmission. Imported data MUST NOT be sent to any server without explicit user action.

§ 10

Versioning

VFDS follows semantic versioning:

Patch

x.y.Z

Clarifications, corrected descriptions, no schema changes

Minor

x.Y.0

Additive field or enum additions, backward compatible

Major

X.0.0

Breaking changes to field names, types, or structure

Implementations MUST store the vfds_version on export and validate it on import. Unknown fields SHOULD be preserved, not discarded, to support forward compatibility.

§ 11

Totals (v1.0.0)

Metric	Count
Model classes	28
Enums	28
Settings state class	1
Cross-references	10
Individual fields	~160
Nested layers under root	7

§ 12

Security Considerations

VFDS inherits the security considerations defined in VODS §8. The following are specific to financial data.

Threat model

VFDS documents contain highly sensitive financial information — account balances, debt details, net worth, insurance policies, trust instruments, and estate succession data. Adversaries include unauthorized household members, lost or stolen devices, compromised backup storage, malicious import files, and succession disputes. Implementations MUST treat all VFDS data as confidential by default.

Bundle encryption

The .vfds-bundle format uses AES-256-GCM with PBKDF2-SHA512 key derivation. Implementations SHOULD enforce a minimum passphrase strength (12+ characters or equivalent entropy). Passphrases MUST NOT be stored. The salt and nonce MUST be generated from a cryptographically secure random source.

Authorization enforcement

The role_permissions model defines access levels (none, read, write, admin) per member per layer. These are advisory in the export format — implementations MUST enforce them at the application layer. Exported data MUST NOT include layers the exporting user does not have read access to.

Input validation

Consumers importing VFDS data MUST validate bundle_manifest.json integrity before processing. Free-text fields (description, notes, body) MUST be sanitized before rendering. Implementations SHOULD enforce maximum document counts per bundle and reject bundles exceeding reasonable size limits.

Computed field prohibition

Convention C6 prohibits computed fields in exports. Implementations MUST NOT persist derived values (net worth, loss rates, progress percentages) in exported data — they MUST be recalculated on import.

§ 13

Glossary

Financial and trust terminology used in this specification. Implementers who are not financial professionals should reference this section when building VFDS-conforming applications.

Term	Definition
APR	Annual Percentage Rate. The yearly interest rate charged on a debt, not accounting for compounding. All `interest_rate` fields in VFDS use APR (C8).
Avalanche method	Debt payoff strategy that prioritizes the account with the highest interest rate first, minimizing total interest paid.
Beneficiary	A person or entity designated to receive benefits from a trust, insurance policy, or other financial arrangement.
Conversion ceremony	The process of converting a revocable trust to irrevocable status. Freezes the trust terms and makes documents immutable (add-only).
Cost basis	The original purchase price of an asset, used to calculate capital gains or losses when the asset is sold.
Custodian	A financial institution that holds and safeguards assets on behalf of the owner (e.g., a brokerage holding stocks).
Entity tree	The self-referential ownership hierarchy in `vault.ownership_entities`. Each entity may have a `parent_id` forming an N-ary tree (e.g., Trust → LLC → Brokerage).
Irrevocable trust	A trust whose terms cannot be modified or revoked by the trustor after conversion. Assets placed in an irrevocable trust are generally removed from the trustor's taxable estate.
Layer	One of the seven data sections beneath the vault: flow, position, debt, wealth, protection, goals, milestones. Each layer covers a distinct aspect of the financial picture.
Net worth	Total assets minus total liabilities at a point in time. Tracked in `position.net_worth_snapshots`.
Quorum	The minimum number of authorized members (typically co-trustees) required to approve a trust lifecycle transition such as succession.
Revocable trust	A trust that can be modified or dissolved by the trustor during their lifetime. The default starting state for living trusts in VFDS.
Snowball method	Debt payoff strategy that prioritizes the account with the smallest balance first, providing psychological momentum through quick wins.
Succession	The transfer of trust management from the current trustee(s) to designated successor trustees, typically triggered by incapacity or death.
Trustee	The person or entity responsible for managing a trust's assets according to its terms. Has fiduciary duty to the beneficiaries.
Trustor	The person who creates and funds a trust. Also called a grantor or settlor in legal contexts.
Vault	The root container in VFDS. All financial data, members, documents, and the ownership tree belong to a single vault. A vault operates at one of three tiers: solo, household, or trust.
Vault tier	The operational mode of a vault. `solo` for single users, `household` for shared family finances, `trust` for full trust lifecycle management.

§ 14

Normative References

VFDS inherits all normative references from VODS §9. The following additional references apply.

Reference	Title	Relevance
ISO 4217	Currency Codes	Convention C4 — all currency codes are 3-letter ISO 4217.
NIST SP 800-38D	AES-GCM	Per-file encryption in `.vfds-bundle` documents.
RFC 8018	PKCS #5: Password-Based Cryptography (PBKDF2)	Key derivation for bundle encryption passphrase.
PKZIP APPNOTE	ZIP File Format Specification	`.vfds-bundle` is a ZIP archive.

§ 15

Changelog

Version	Date	Changes
`1.0.0`	2026-03	Initial draft — vault hierarchy, seven financial layers (flow, position, debt, wealth, protection, goals, milestones), ownership entity tree, encrypted document bundles, trust lifecycle model.