Fordan — Product Definition

One-liner

Fordan is a local-first tool that opens any archive or encrypted file and re-encrypts it into whatever format you need — without ever modifying the source.

---

Source → Sink

Everything in Fordan is a Source (something it can open and read) or a Sink (a format it can encrypt/package into). The engine streams entries from any source into any sink.

• Open (sources): ZIP & AES-ZIP, tar/.tar.gz/.tar.xz, 7z, age, GPG/PGP, NTFS/FAT disk images, plain files & folders.
• Encrypt to (sinks): age, GPG/PGP, AES-256 ZIP, or the native Fordan .sec/vault (AES-256-GCM or XChaCha20-Poly1305).
• Extract = encrypted/archive source → plain folder. Convert = format A → format B.
• The source is opened read-only and is never modified, moved, or deleted.

Cross-platform: a package made on one OS opens on the others. Local-first: keys and plaintext never leave your machine.

---

Target User

Anyone who needs to open something they were handed (an archive, an encrypted bundle, an old disk image) and hand it onward in a format the recipient can actually open — a freelancer, a developer, someone moving data between machines. Not a sysadmin or enterprise IT team; just someone who wants their files unlocked and re-secured, safely and offline.

Job-to-be-done: "Open this thing regardless of its format, re-encrypt the parts I care about into the format I need, and let me be certain I didn't touch the original."

---

The Vault

The Fordan vault is:

• Portable — a self-contained directory (or single archive) you can copy to any machine.
• Cross-platform — a vault created on Linux opens correctly on macOS and Windows, and vice versa. No OS-specific path separators, extended attributes, or encoding assumptions.
• Versioned — every vault header carries a MAGIC bytes + VERSION field so future readers can detect format mismatches.
• Encrypted at rest — contents are protected with a vetted authenticated cipher (ChaCha20-Poly1305 or AES-GCM); the key is derived with Argon2.

---

MVP Feature Set

What Fordan v0.1 ships:

1. Scanner — read-only walk of an NTFS (and FAT32) volume; list files, directories, sizes, timestamps. No writes to the source.
2. Browser — interactive (TUI or CLI subcommand) file tree viewer over the scanned volume.
3. Importer — copy selected files into the vault. Source disk is checksummed before and after; the importer asserts the checksum is unchanged.
4. Encryptor — encrypt the imported files into the vault format.
5. Verifier — decrypt and compare every encrypted artifact against its stored checksum to prove byte-identity.
6. Recover — export decrypted files from the vault back to the local filesystem.

---

Scope Fence — What We Are NOT Building in MVP

• No FUSE / WinFsp mount — we do not expose the vault or source disk as a mounted filesystem. Read-only walk + explicit import only.
• No file classifier — no ML-based deduplication, MIME sniffing pipeline, or "smart" content analysis.
• No BitLocker or FileVault support — encrypted source volumes are not in scope. If the source is locked, the user must unlock it first with OS tools.
• No B2B / enterprise console — no multi-user vaults, no RBAC, no audit log export to SIEM, no admin dashboard.
• No cloud sync — the vault is local. Syncing to S3/Backblaze/etc. is a future concern; the core library will have no network dependency.
• No GUI desktop app — MVP is CLI + optional TUI. An Electron/Tauri wrapper is a stretch goal.
• No streaming import from network shares — local (USB/internal) drives only for v0.1.

---

Definition of Done (MVP)

The single acceptance gate for v0.1 is the g70 end-to-end test:

scan → read-only NTFS browse → import → encrypt → recover byte-identical → source untouched

In detail:

1. Mount a test NTFS image read-only.
2. Scan and browse it; confirm no writes occurred (checksum the image before and after scanning).
3. Import a known set of files into a fresh vault.
4. Encrypt the vault.
5. Recover all files from the encrypted vault to a temp directory.
6. Assert byte-for-byte identity between recovered files and the originals.
7. Assert the source image checksum is unchanged.

If g70 passes in CI on Linux and macOS, v0.1 ships.

---

Non-goals (forever, not just MVP)

• Forensic chain-of-custody logging (we are not a legal evidence tool).
• Ransomware recovery / data-carving from corrupted partitions.
• Multi-terabyte streaming backup (we target rescue of selective files, not full-disk imaging).
• Key escrow or account-based key recovery.

---

Project Name

Fordan — from the Welsh/Old English word for "to put away safely". The name signals preservation, not transformation.