Household Money/Finance Stack — Sovereign (vSOV-H-2.0)

Layer: Household Segment: Money / Finance Base: Bitcoin-only Posture: adversarial / self-custodied

0. Precedence & Frame

This module zooms into one slice of the Sovereign Stack map: Layer = Household, Module = Money / Finance. It assumes there are one or more adults who share daily life, share expenses, and plan together over years—not just roommates splitting rent.

The Household layer sits between the Individual stacks and everything above (business, community, citadel). It must give the household real shared power without erasing the sovereignty of the individuals inside it.

Orientation Read this as a design template for how a household can structure its Bitcoin flows, reserves, and decision-making. It doesn’t tell you what to invest in; it tells you where sats live, who can move them, and what happens when people or tools fail.

Layer: Household (tight trust, shared life, low churn).
Segment: Money / Finance only.

Precedence rule Household architecture cannot override individual invariants. Household pools are explicit, policy-defined pools—not a sponge that slowly absorbs everyone’s personal reserves “because we’re family”.

1. Household Law-Core (Non-Negotiables)

These are the household’s hard rules. If they’re broken, you’re no longer running this stack; you’re running something else. You can still choose to break them, but it should be a conscious decision.

Bitcoin-only reserves at the core (on-chain UTXOs + explicitly bounded LN working balances).
Self-custody default; custodians (including LN custody/federations) are capped rails, never treasury.
Shared spending authority is explicit: who, what, limits, thresholds.
No silent layer-mixing: personal deep reserves never “blend” into household pools without a labeled, intentional move.
Descriptors + PSBT are the coordination fabric for all serious wallets.
Fee/pinning reality is encoded per tier (no magic thinking about “cheap forever”).
Any dual-control design includes an escape hatch (timelock recovery or modeled third key).
Complexity is bounded by the least-technical adult (design cannot exceed the weakest operator).
No household-core leverage/yield/rehypothecation without explicit multi-party consent and isolation into a separate risk bucket.
External obligations (fiat/legal) are modeled as adversarial claims that can force liquidation.

Mental model This section is the constitution for household money. The rest of the document (tiers, roles, tools) are the code that implements it.

2. Core Objects: Tiers, Masks, Roles

Before touching tools, you need the objects the household works with: capital tiers (what money is for), masks (how it appears to the outside), and roles (who actually does what).

Capital Tiers

Same idea as Individual cold/warm/hot, but now sized for the whole household.

H0The Hearth

Daily operating capital (high velocity).
Capped and replaceable.
Think “checking account + petty cash” level.

H1The Citadel Wall

Buffer (months of expenses, shocks).
Low churn, guarded access.
Where most “household savings” live.

H2The Seed / Relic

Deep time reserve (migration/inheritance).
Near-zero churn.
Aligned with long-term relocation / generational moves.

Household Masks (appearance of flows)

Masks here are the household-level face to the outside world, mirroring the individual Public/Ghost/Sacred concept but applied to shared funds.

H-PublicVisible flows

Regulated / mainstream-facing sources.
Audit-friendly history (if needed).
Good for rent, taxes, formal bills.

H-GhostPrivate flows

P2P / non-KYC oriented sources.
Parallel resilience build (off-radar household capacity).

H-SacredHardened reserve

Mapped to H2.
Never touches institutional rails.
Designed to be boring and invisible from the outside.

Functional Roles

These are functions, not personalities. One person can hold multiple roles, but the roles themselves are clearly defined.

Enforcer

Security boundary, veto, script policy, key guardianship.
Cannot override written rules by “feel” or in the heat of the moment.

Selector

Priorities, funding choices, value alignment.
Cannot unilaterally raid reserves.

Fractal rhyme At Individual layer you have Masks A/B/C. At Household layer you get H-Public/H-Ghost/H-Sacred overlaying H0/H1/H2. Same pattern, different scale.

3. Wallet & Key Topology

Tiers/masks/roles are the idea. Topology is the concrete map: which wallets exist, who can sign, and how failure is handled.

H0 — Hearth

Everything that needs to move often: groceries, transport, small emergencies. This is where most mistakes are allowed to happen by design.

H0aAllowance rail

Single-sig hot or LN wallet per adult / spending role.
Tiny cap per person; trivial to top up, trivial to lose.
Designed to be survivably compromisable (phone theft ≠ life-ending).

H0bBills wallet

Guarded structure for recurring major bills.
Either 2-of-3 (A + B + small recovery) or 2-of-2 with a timelocked recovery branch.
Loss of one phone or device is a nuisance, not systemic failure.

H1 — Citadel Wall

The main household savings / buffer. Harder to move, harder to mess up.

Default: threshold multisig with redundancy (e.g., 2-of-3: A, B, Recovery key R).
Alternate: policy wallet with an active cooperative branch plus a delayed recovery branch (timelock).
Design target: no unilateral drain; no permanent freeze.

H2 — Seed / Relic

Long-horizon reserve that assumes people will die, move, fall out, and change.

Conservative multisig + timelocked recovery encoded as descriptors.
Simple, widely-supported scripts; avoids exotic “fancy” constructions.
Heir/guardian paths are pre-encoded; future migration by heirs is expected, not optional.

How to use this Draw this section as boxes and arrows for your own household. Every wallet you actually use should map cleanly to H0/H1/H2 and H-Public/H-Ghost/H-Sacred.

4. Fee & Mempool Doctrine

Fees and mempool behavior are not “nerd details”; they decide when you can move money and when you can’t. Each tier has different tolerance for being stuck.

H0Working rail

Can tolerate occasional stuck transactions.
Fallback rail exists (LN/alt payment path or small custodial float).

H1Buffer

Must be spendable during fee spikes (within reason).
At least one route to bump/reissue without requiring both adults online at once.

H2Rare moves

Minimize mempool exposure (move rarely, but deliberately).
When moved: over-provision fees to avoid repeated pinning attempts.

Lightning boundary Lightning is working capital for H0/H1 only. H2 never lives in LN form.

5. Privacy & Telemetry

At the household level, privacy is less about “being invisible” and more about not creating a single obvious graph that mixes every family member, every income source, and every long-term reserve.

Baseline: no address reuse; avoid unnecessary multi-input merges; never merge personal deep reserves into household pools.
Advanced tools are gated: Payjoin/coinjoin/reusable identifiers are optional tactics, not structural dependencies.
Camouflage doctrine: not every ritual event maps to an on-chain signature; H2 remains inert and boring.

Simple rule If you cannot explain why two UTXOs belong together, don’t spend them together.

6. Node & Network Posture

The household node is the shared truth appliance. It answers: “What is Bitcoin right now?” and “Did this payment actually exist?”

Household full node is the truth source; significant balances are verified locally.
Prefer privacy transports (Tor/I2P); track encrypted P2P transport when mature.
Eclipse/peer manipulation is treated as a finance risk, not just a technical curiosity.

Fractal link Individual stacks can still run their own nodes. The household node is the shared layer they may plug into, not a single point of control.

7. Fiat, Credit, Law

Even in a Bitcoin-first household, there are still fiat-denominated demands: rent, taxes, debt, court orders, child support, medical bills. These act as external claims on future BTC.

Recurring obligations (rent, support, care, tax, debt) are modeled as forced-seller triggers.
H1 sizing explicitly covers these claims to prevent panic liquidation.
Legal attack classes are mitigated by slow, documented treasury formation and pre-written separation-mode rules.

Design goal The household should rarely be in a position where a court letter or landlord text forces you to dump BTC at the worst possible time.

8. Human Adversaries

The hardest problems are not protocols; they’re people. Household design has to assume that moods change, addictions appear, and secrets leak.

Non-cooperation

H0 stays functional via caps + allowance rails.
H1/H2 include independent recovery paths (no permanent deadlock).

Addiction / degen

Household core cannot be pledged/yielded without explicit consent.
Risk lives in an isolated wallet, not in H0/H1/H2.

Info leakage

Kids trained in discretion about “where the money lives.”
Physical storage looks boring (no obvious “treasure boxes”).

Assumption Trust is a starting state, not a permanent guarantee. The stack should survive even if cooperation temporarily collapses.

9. Extended Family Support

Many households support parents, siblings, or others. This needs to be budgeted and bounded, not an endless drain.

Small help: H0 (ad-hoc gifts, one-off support).
Recurring help: defined H1 sub-pool with caps and review cadence.
H2 is not a bailout reservoir for extended family.

10. Heirs & Succession

“What happens if we’re gone?” is not a philosophical question here; it’s a design requirement encoded in scripts and documents.

Distribution is not strictly equal-by-blood; weight competence, alignment, and risk tolerance.
Heirs receive intent + reconstruction instructions; they are expected to migrate to their own stacks.

Outcome The household doesn’t become a permanent holding company. It’s a staging ground for future individual and citadel stacks.

11. Modes

Modes are predefined “how we behave now” states. When the situation changes, you don’t invent a plan from scratch; you switch mode.

Harmony

H0 normal flow (allowances, bills, day-to-day).
H1 rarely touched except for planned moves.
H2 fed from surplus and major wins.

Strain

More ledger/label transparency between adults.
No structural changes without documented agreement.

Fracture

Invoke separation rules encoded in wallet policy.
Migrate coins into fresh individual setups per pre-written plan.

Siege / Succession

Keys routed away from vulnerable identities or locations.
Timelocks/guardians activate per policy (death, incapacity, forced exile).

Practice Modes are only real if everyone in the household knows what they mean and can describe their own behavior in each mode.

12. Node-Factory

The Household is not just a consumer of Bitcoin. It’s a node-factory for sovereign individuals.

Capped small wallet (BTC/LN) + backups for each emerging node.
Run a small node together; learn “we verify our own money.”
Minor signer in a training multisig; PSBT practice with low stakes.
Spin out an individual stack integrated with, not subordinate to, the household.

Goal The household should export sovereign adults, not produce permanent dependents.

13. Migration Phases

Most households already have messy fiat systems. Migration is not “flip a switch”, it’s a sequence.

Map existing flows (observe first; write down what already happens).
Parallelize small H0 categories in BTC while legacy fiat continues.
Build H1 buffer in BTC; begin making decisions from a BTC-denominated mental frame.
Encode H2 deep cold + scripts + inheritance + roles/modes/rituals.

Reality It’s normal for fiat and BTC to coexist for a while. The key is that BTC structure is designed on purpose instead of emerging by accident.

14. Rituals & Audits

Rituals are scheduled “we stop and look” moments. They keep the stack from drifting into mythology.

Monthly

Check H0/H1/H2 caps + balances.
Confirm UTXO separation by tier/mask.
Node health: disk, uptime, peers, backups.

Quarterly

PSBT drill: construct, sign, verify on a small amount.
Fee bump / pinning drill for one test transaction.
Descriptor/watch-only verification from a fresh environment.

Yearly

Full recovery rehearsal: assume primary coordinator lost.
Signer inventory: confirm actual physical locations.
Obligation mapping update: new debts, taxes, dependents.

Minimum viable ritual If nobody in the household can remember the last time you ran a drill, the stack is running on hope, not design.

Addendum A — Household Implementation Layer

This addendum connects the law-core and objects to concrete, day-to-day “which wallet does what” decisions, without yet naming specific apps.

Invariants (restated operationally)Household non-negotiables

No third-party default freeze/deny/observe surfaces for core funds.
Bitcoin-only treasury: everything else is counterparty/telemetry risk dressed as convenience.
Property boundaries are explicit: household funds are policy-defined funds with named authorities and exit rules.
Ban single points of failure: person/device/vendor/jurisdiction/cloud monoculture is unacceptable.

Balance-sheet topology (separate buckets)

Think of this as the household’s internal balance sheet: three main BTC buckets with different rules.

Household Treasury Vault

Long-horizon reserves.
Multisig / policy wallet.
Slow ceremony, deliberate moves only.

Household Operating Wallet

Bills + recurring spend.
Guarded multisig with lighter ceremony.
Limited balance relative to H1/H2.

Household LN Working Capital

Small, hot, expendable.
Self-hosted node.
Frequent rotation and rebalancing.

Per-adult sovereign wallets inside the household

Each adult retains personal hot spending + personal cold savings.
Household stack must interoperate with (not absorb) individual stacks.

Governance: authorities, permissions, failure routing

Here we map roles to keys so that responsibility is not just verbal, but cryptographically enforced.

Functional authorities (mapped to keys)

Spenders: day-to-day operating moves within limits.
Guardians: required co-signers for treasury moves.
Recoverers: catastrophe recovery without unilateral drain.
Auditors: watch-only visibility + labeling; no spend power.

Default household-robust policies

Small households: 2-of-3 (two adults + independent recovery).
Larger/higher stakes: 3-of-5 (two adults + geo-separated backups + break-glass).
Policy wallets with timelocks for dead-man / inheritance routing.

Exit clause (separation/divorce) is part of the wallet policy

Assume trust can invert instantly; treasury and operating policies are independent.
Labeling + accounting must make commingling avoidable and provable.

Addendum B — Portability Standards (No Tool Lock-in)

This section defines the standards that keep you free to change tools without redoing your entire architecture.

DescriptorsWallet definitions

First-class wallet structure primitive.
Enables migration without vendor permission.

PSBTOffline signing

Multi-device workflows.
Airgapped signing without seed exposure.

LabelsAccounting semantics

Label export/import preserves household meaning.
Prevents accidental merges that destroy privacy.

Portability rule If you can’t migrate the treasury with descriptors + PSBT + labels, it isn’t sovereign—it's a vendor lease.

Addendum C — Storage & Signing Architecture

This is the hardware/software side of “who holds keys” and how they’re used. The goal is diversity without chaos.

Signer requirements (household-grade)

PSBT support, on-device address verification, predictable backups.
Firmware verification story that can be audited (build reproducibility or comparable integrity model).
Signer diversity rule: at least two distinct vendors + two distinct update paths (anti-monoculture).

Signer set (example diversity basket)

Coldcard + BitBox02 + Passport/Jade (choose based on your licensing tolerance).
Keep keys physically separated (multisig defeated by co-location).

Coordinator requirement

Single canonical desktop coordinator for multisig orchestration + PSBT creation.
Secondary coordinator optional as a continuity tool, not as daily surface.

Inheritance / timelocked recovery

Use policy wallets designed around timelocked recovery routes for structured succession.
Goal: recovery path without vendor involvement; hostile signer does not imply drainability.

Addendum D — Node Backbone & License Reality

Node distributions and UIs are often packaged and licensed in different ways. This section treats them as shells around a core, not the core itself.

Base layer (household “truth appliance”)

Full node validation + mempool + fee estimation under your control.
Prefer Tor-reachable interfaces and network segmentation.

Node-in-a-box distributions (policy note)

Convenience layers may be license-restricted.
Treat restricted-license distros as UX shells, not as sovereign foundations (FOSS purity matters).

Backends + explorer (privacy boundary)

Private wallet backend (Electrum server class) prevents leaking your UTXO set to third parties.
Self-hosted explorer prevents transaction-lookups becoming telemetry.

Addendum E — Lightning Layer (Household Rules + App Risk)

Lightning is where UX is great and risk is higher. Household policy must treat LN as working capital only.

Core rule

Lightning is household working capital, not savings.
Exposure is capped; rotate frequently; assume failure modes.

Known trap class

Hosted LN convenience patterns create rug/freeze surfaces.
Household must keep a self-hosted LN path that does not depend on a third party’s uptime or policy.

Mobile distribution risk

Assume app-store availability can change by jurisdiction.
Operational requirement: if one mobile LN client disappears, the household can still receive/pay via node + alternative clients.

Addendum F — Acquisition Rails (P2P + Hygiene Pipeline)

“How does BTC enter the household?” is as important as where it sits. This section covers rails and the hygiene pipeline between “just bought” and “deeply stored”.

P2P rails

Decentralized P2P exchange patterns (desktop-first).
LN-centric P2P patterns that use escrow/bond mechanics (requires operator understanding).

Household rule: hygiene pipeline

P2P coins do not go straight into the Treasury Vault.
They traverse a labeled, controlled pipeline before deep storage.

Addendum G — Privacy Pipeline (Tool-Plural + Enforcement Climate)

This extends the earlier privacy section by assuming that specific tools can disappear or be criminalized. The household’s privacy posture should survive that.

Baseline (non-negotiable)

Labels everywhere so household provenance and pool boundaries survive over time.
Coin control as a daily discipline; accidental merges are treated as stack damage.

Payjoin class

Used primarily for merchant payment patterns that resist naive heuristics.
Receiver-side implementation can be self-hosted; sender-side support is opportunistic.

Coinjoin reality

Prefer decentralized coinjoin designs if used.
Assume enforcement pressure; the privacy stack must be plural (discipline + payjoin + optional decentralized coinjoin), not a single tool dependency.

Doctrine Privacy tools may disappear or be attacked; household privacy must still function when any single tool is removed.

Addendum H — Accounting / Budget / Shared Expenses

This is the money meaning layer: how the household decides what each sat is “for”, and how that meaning survives wallet/tool changes.

BudgetEnvelope cashflow UI

Local-first budgeting surface.
Optional self-hosted sync.

BooksDurable audit trail

Double-entry bookkeeping tools.
Household “internal truth” separate from banks.

SplitShared expenses

Self-hosted shared expense tracker (for pods/roommates).
Not required for tight households; optional when needed.

Rule: budgeting UI and accounting ledger are separable

Do not force one tool to be both the planner and the auditor.
Labels/UTXO pools map to internal categories so “meaning” survives wallet migration.

Addendum I — Operational Playbooks (Drills)

Drills turn the stack from a diagram into something that can actually survive bad days. Each drill is a small, repeatable scenario.

Signer loss drill

One signer gone; treasury still controllable.
Recovery route is exercised, not theoretical.

Compromise drill

Assume one signer is hostile.
Treasury is not drainable under that assumption.

Death / incapacity drill

Recovery path activates without vendor involvement.
Heirs can reconstruct with descriptors + instructions.

Separation drill

Operating wallet can be settled cleanly.
Treasury policy prevents unilateral seizure.

Mobile deletion drill

Wallet app disappears; household can still receive/pay via node + alternative clients.

Hosted service rug drill

A third-party rail goes dark; no core funds trapped.

Label portability drill

Export/import labels across coordinators so household accounting meaning survives tool changes.

Addendum J — Stack Killers (Failure Points)

This is the adversarial checklist: ways the household stack can silently degrade into “we trust an app and hope”.

Physical/key failures

Key co-location defeats multisig.
Vendor monoculture creates correlated supply-chain risk.

Human failures

One spouse “handles everything” = centralized failure disguised as trust.
No drill culture = vibes, not a stack.

Custodial convenience failures

Hosted LN, hosted backups, “family accounts” with default third-party control.
Any rail that can freeze/deny/observe by default is an adversary surface.

Semantic failures

No labels leads to accidental merges, privacy loss, and broken accounting.
Tool dependencies that cannot be migrated without permission are hidden custody.

Appendix — One-to-One Tool Map (Household)

Vault / TreasuryH1/H2 reserve surface

Signers: diverse-vendor set (avoid monoculture).
Coordinator: one canonical desktop orchestrator; secondary for continuity.
Policy: timelocked recovery route for succession and dead-man recovery.

OperatingShared bills

Same signer/coordinator family as treasury (to reduce cognitive load).
Lower balance, lower ceremony, explicit spend limits.

LightningWorking capital

Self-hosted LN node.
Remote control client.
Assume mobile distribution volatility; keep alternate paths.

AcquisitionP2P rails

Desktop P2P exchange pattern.
LN-centric P2P pattern with escrow/bond mechanics.
Coins enter via labeled hygiene pipeline before deep storage.

AccountingInternal truth

Local-first budgeting UI.
Self-hosted or local bookkeeping ledger.
Optional shared expense splitter.

Node UIOptional

Convenience distributions are treated as shells if licenses restrict sovereignty.
Foundation remains: full node validation + private backend + local verification.

Stack survival The household stack survives tool churn because the standards (descriptors / PSBT / labels) and the topology are the real substrate.