From 0a0075ce66ed83893d8542424fb074ff213b2b68 Mon Sep 17 00:00:00 2001
From: SysAdmin
Date: Sat, 25 Apr 2026 03:30:45 +0100
Subject: [PATCH] docs(naming): adopt OS / Enhanced product-line framing + align with existing repos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two product lines, named to make scope obvious to buyers:

- 🔒 SilverMetal OS — we ship the operating system or ROM (Linux, Pixel, Samsung-unlocked, Motorola-unlocked)
- 🛡️ SilverMetal Enhanced — we harden the OS the device already runs (Windows, macOS, iOS, generic Android)

Repo alignment:

- SilverVPN already exists as a SilverLABS product (server + MAUI client + Linux client + tunnel service). stack/vpn/ is now an integration pointer rather than a re-scaffold; per-platform READMEs reference it.
- SilverApple is deprecated; SilverMetal Enhanced — iOS supersedes it. Migration step added as roadmap milestone 3I.1.
- SilverDROID name clash explicitly noted as unrelated (it's the SilverSHELL AppStore Android client, not an Android ROM).
- SilverChat may overlap with SilverVPN.Client.Chat; alignment decision added as roadmap milestone 1.1.1.

Roadmap restructured: phases now track the OS/Enhanced split. Platform matrix re-sectioned and decision flowchart updated. README rewritten around the two-product-line framing.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 README.md               |  90 +++++++++++++++------------
 android/README.md       |  56 ++++++++++-------
 docs/platform-matrix.md | 135 ++++++++++++++++++++++------------
 docs/roadmap.md         |  95 +++++++++++++++-------------
 ios/README.md           |  27 +++++---
 linux/README.md         |   7 ++-
 macos/README.md         |  12 ++--
 stack/README.md         |  32 +++++-----
 stack/vpn/README.md     |  76 +++++++++++++---------
 windows/README.md       |  10 ++-
 10 files changed, 316 insertions(+), 224 deletions(-)

diff --git a/README.md b/README.md index 3f2a89e..ea40ded 100644 --- a/README.md +++ b/README.md 
@@ -2,72 +2,84 @@ > **Privacy-hardened devices for users who want their privacy back β€” on whatever platform they have.** -SilverMetal is SilverLABS' cross-platform privacy-hardening program. We don't believe in "one true OS" β€” we believe in meeting users on the platform they actually use, and giving them the strongest hardening that platform physically allows. Honestly labelled, no marketing fluff. +SilverMetal is SilverLABS' cross-platform privacy-hardening program. We don't believe in "one true OS" β€” we meet users on the platform they actually use, and give them the strongest hardening that platform physically allows. Honestly labelled, no marketing fluff. -## What you get +## Two product lines -Every SilverMetal device β€” whether you bought one preflashed or you're hardening your own β€” ships two layers: +The SilverMetal program ships two distinct product lines, named to make their scope obvious to buyers: -1. **The SilverLABS Stack** β€” a suite of cross-platform privacy apps that replace the cloud services your device normally talks to (Google, Apple, Microsoft): - - **SilverBrowser** β€” de-Googled, telemetry-free, fingerprint-resistant - - **SilverVPN** β€” always-on, no-logs, our own infrastructure - - **SilverSync** β€” private replacement for iCloud / Google Drive / OneDrive - - **SilverChat** β€” end-to-end encrypted messenger *(v1.1)* - - **SilverDuress** β€” duress password / panic-wipe *(v1.1)* - - **SilverKeys** β€” zero-knowledge password manager *(v1.1)* +### πŸ”’ SilverMetal OS +**We ship the operating system or ROM.** Full kernel-level control, our verified-boot key, our update channel. Strongest possible hardening. -2. 
**A Platform Hardening Profile** β€” OS-level changes tailored to what your platform allows: - - On **Linux** we ship a full custom OS - - On **Android** we ship a custom ROM (or a profile, depending on your device) - - On **Windows** we ship an installer that transforms LTSC IoT into a hardened build - - On **macOS** and **iOS** we ship signed configuration profiles + setup scripts +- **SilverMetal OS β€” Linux** *(Debian/Kicksecure-based ISO)* β€” Tier A +- **SilverMetal OS β€” Pixel** *(GrapheneOS-fork ROM)* β€” Tier B +- **SilverMetal OS β€” Samsung** *(LineageOS-fork ROM, unlocked-bootloader models)* β€” Tier C +- **SilverMetal OS β€” Motorola** *(DivestOS/LineageOS-fork ROM)* β€” Tier C + +### πŸ›‘οΈ SilverMetal Enhanced +**We harden the OS your device already runs.** Configuration profiles, hardening installers, the SilverLABS Application Stack. For users who can't or won't replace their OS. + +- **SilverMetal Enhanced β€” Windows** *(LTSC IoT installer + hardening + Stack)* β€” Tier C +- **SilverMetal Enhanced β€” macOS** *(signed config profile + setup script + Stack)* β€” Tier C-D +- **SilverMetal Enhanced β€” iOS** *(MDM profile + Stack)* β€” Tier D +- **SilverMetal Enhanced β€” Android** *(generic profile + Stack on existing Android)* β€” Tier D + +Tiers explained in [`docs/platform-matrix.md`](docs/platform-matrix.md). 
+ +## What every SilverMetal device gets + +Both lines ship the **SilverLABS Application Stack** β€” a suite of cross-platform privacy apps that replace the cloud services your device normally talks to (Google, Apple, Microsoft): + +| Component | Status | Purpose | +|---|---|---| +| **SilverBrowser** | v1 (Linux MVP) | De-Googled, telemetry-free, fingerprint-resistant browser | +| **SilverVPN** | **Existing** β€” see [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) | Always-on, no-logs VPN with our own infrastructure | +| **SilverSync** | v1 (Linux MVP) | Private replacement for iCloud / Google Drive / OneDrive | +| **SilverChat** | v1.1 (may overlap with `SilverVPN.Client.Chat`) | E2EE messenger | +| **SilverDuress** | v1.1 | Duress password / panic-wipe / anti-coercion | +| **SilverKeys** | v1.1 | Zero-knowledge password + 2FA manager | ## Two ways to get SilverMetal +Every flavour β€” OS or Enhanced β€” supports both buyer modes: + ### "I'm choosing a new device" -Buy a **preflashed SilverMetal SKU** β€” a Pixel with SilverMetal Droid, a Coreboot laptop with SilverMetal Linux, etc. We've done all the work; it arrives ready. +Buy a **preflashed SilverMetal SKU**. We've done all the work; it arrives ready. ### "I already own a device and want to harden it" -Download the **free SilverLABS Stack** + the **hardening profile / installer / ROM** for your existing platform. Apply it yourself. Same software, same hardening, no hardware lock-in. - -Every platform supports both modes. Nothing is premium-only; nothing is DIY-only. 
- -## Platform matrix - -| Platform | Hardening tier | What ships | Best for | -|---|---|---|---| -| **SilverMetal Linux** | A β€” full control | Custom Debian/Kicksecure-based ISO | Maximum privacy; users whose work is browser/office/dev/comms | -| **SilverMetal Droid (Pixel)** | B β€” verified boot ours | GrapheneOS-based ROM | "Secure phone" buyers, journalists, high-risk users | -| **SilverMetal Droid (Samsung / Motorola)** | C β€” varies | LineageOS/DivestOS-based ROM where supported, profile + stack elsewhere | Users with existing non-Pixel Android | -| **SilverMetal Droid (generic)** | D β€” app + profile only | Stack install + work-profile hardening | "I have an Android, harden it" | -| **SilverMetal Windows** | C β€” config layer | LTSC IoT installer + Stack + Group Policy hardening | Users locked into Windows-only software | -| **SilverMetal macOS** | C-D β€” config + Stack | Signed config profile + setup script + Stack | Mac-committed users | -| **SilverMetal iOS** | D β€” profile + curated apps | MDM profile + Stack from App Store | iPhone users wanting maximum-feasible hardening | - -For honest pros/cons of each, see [`docs/platform-matrix.md`](docs/platform-matrix.md). +Download the **free SilverLABS Stack** + the **SilverMetal OS or Enhanced package** for your platform. Apply it yourself. Same software, same hardening, no hardware lock-in. 
## Status | Component | Status | |---|---| -| Documentation + roadmap | **In progress** (this scaffold) | -| SilverMetal Linux v1 | Planning β†’ milestone 2 (build pipeline) | -| SilverLABS Stack v1 (Browser + VPN + Sync) | Planning | -| Other platforms | Planning, post-Linux v1 | +| Documentation + roadmap | Initial scaffold complete | +| SilverMetal OS β€” Linux v1 | Phase 1 β€” moving to milestone 1.1 (build pipeline) | +| SilverLABS Stack v1 (Browser + Sync) | Planning | +| SilverVPN | Existing product, integration into v1 ISO planned | +| Other OS/Enhanced flavours | Planning, post-Linux v1 | See [`docs/roadmap.md`](docs/roadmap.md) for the milestone-driven plan. +## Related repositories + +| Repo | Relationship | +|---|---| +| [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) | The VPN component of the SilverLABS Stack β€” already in production. SilverMetal integrates it; does not re-implement it | +| [`SilverLABS/SilverApple`](https://git.silverlabs.uk/SilverLABS/SilverApple) | **Deprecated.** Earlier iOS-hardening prototype, superseded by *SilverMetal Enhanced β€” iOS* | +| [`SilverLABS/SilverDROID`](https://git.silverlabs.uk/SilverLABS/SilverDROID) | Unrelated (SilverSHELL AppStore Android client). Name is similar but scope is different | + ## Documentation - [`docs/threat-model.md`](docs/threat-model.md) β€” who we defend against, who we don't - [`docs/design-principles.md`](docs/design-principles.md) β€” privacy-by-default, verifiability, honesty -- [`docs/platform-matrix.md`](docs/platform-matrix.md) β€” what each platform can and cannot deliver +- [`docs/platform-matrix.md`](docs/platform-matrix.md) β€” full per-platform pros/cons - [`docs/roadmap.md`](docs/roadmap.md) β€” milestones, ship order, scope - [`docs/trust-model.md`](docs/trust-model.md) β€” signing keys, reproducible builds, governance ## License -Components carry their own licenses (most are GPL/MIT/Apache-derived from upstream forks). See individual directories. 
+Components carry their own licenses (most are GPL/MIT/Apache-derived from upstream forks). Original SilverLABS-authored glue code is AGPL-3.0-or-later. See [`LICENSE`](LICENSE). ## SilverLABS diff --git a/android/README.md b/android/README.md index 419e511..6b58d6e 100644 --- a/android/README.md +++ b/android/README.md 
@@ -1,45 +1,55 @@ -# SilverMetal Droid +# SilverMetal β€” Android **Status**: Phase 2 (planning, post-Linux v1) -Android coverage across four tiers. See [`../docs/platform-matrix.md`](../docs/platform-matrix.md) for honest per-tier pros/cons. +Android coverage spans **both** SilverMetal product lines: -## Tiers +- πŸ”’ **SilverMetal OS** for devices where we ship a custom ROM (Pixel, Samsung-unlocked, Motorola-unlocked) +- πŸ›‘οΈ **SilverMetal Enhanced** for users keeping their existing Android (any vendor, no bootloader unlock required) -### SilverMetal Droid Flagship β€” Pixel (Tier B) -GrapheneOS-fork on Pixel hardware. Verified boot we control, hardened kernel, app sandboxing enforced. Full SilverLABS Stack preinstalled. +See [`../docs/platform-matrix.md`](../docs/platform-matrix.md) for honest per-tier pros/cons. -### SilverMetal Droid Galaxy β€” Samsung (Tier C) -LineageOS / DivestOS-fork on Samsung models with unlockable bootloaders. Stack overlay on locked-bootloader models. +## Sub-flavours -### SilverMetal Droid Moto β€” Motorola (Tier C) -DivestOS / LineageOS-fork on supported Motorola models. Stack overlay everywhere. +### πŸ”’ SilverMetal OS β€” Pixel (Tier B) +GrapheneOS-fork on Pixel hardware. Verified boot we control, hardened kernel, app sandboxing enforced. Full SilverLABS Stack preinstalled. **Phase 2.1.** -### SilverMetal Droid Profile β€” generic (Tier D) -"Harden my existing Android" β€” full SilverLABS Stack + work-profile-based hardening config. Runs on any Android 13+ without bootloader changes. +### πŸ”’ SilverMetal OS β€” Samsung (Tier C) +LineageOS / DivestOS-fork on Samsung models with unlockable bootloaders. **Phase 2.2.** + +### πŸ”’ SilverMetal OS β€” Motorola (Tier C) +DivestOS / LineageOS-fork on supported Motorola models. **Phase 2.3.** + +### πŸ›‘οΈ SilverMetal Enhanced β€” Android (Tier D) +For users keeping their existing OEM Android (Samsung locked-bootloader, OnePlus, Xiaomi, hand-me-downs, etc.). 
Stack apps + work-profile-based hardening config; no bootloader changes, no warranty void. **Phase 3A.** ## Directory layout -To be populated in Phase 2. Initial structure planned: +To be populated as each sub-flavour is built. Initial structure planned: ``` android/ -β”œβ”€β”€ flagship/ # Pixel / GrapheneOS-fork build config -β”œβ”€β”€ galaxy/ # Samsung ROM build configs -β”œβ”€β”€ moto/ # Motorola ROM build configs -β”œβ”€β”€ profile/ # Generic profile installer + work-profile config -└── shared/ # Common build infra, signing, OTA +β”œβ”€β”€ os-pixel/ # πŸ”’ GrapheneOS-fork build config (Phase 2.1) +β”œβ”€β”€ os-samsung/ # πŸ”’ Samsung ROM build configs (Phase 2.2) +β”œβ”€β”€ os-motorola/ # πŸ”’ Motorola ROM build configs (Phase 2.3) +β”œβ”€β”€ enhanced/ # πŸ›‘οΈ Generic profile installer + work-profile config (Phase 3A) +└── shared/ # Common build infra, signing, OTA ``` -## Verification gates (per-tier) +## Verification gates -- ROM tiers: verified boot rooted in our key (Pixel only); reproducible builds; OTA signed and rollback-tested -- Profile tier: Stack apps installed and functional; work-profile isolation verified -- All tiers: telemetry-leak test (no Google services contact unless explicitly opted in by user) +- **OS tiers**: verified boot rooted in our key (Pixel only); reproducible builds; OTA signed and rollback-tested +- **Enhanced tier**: Stack apps installed and functional; work-profile isolation verified; no bootloader changes detected +- **All tiers**: telemetry-leak test (no Google services contact unless explicitly opted in by user); SilverVPN integrated as default VPN ## Upstream we depend on -- **GrapheneOS** β€” Pixel flagship base -- **LineageOS** β€” Samsung / Motorola base +- **GrapheneOS** β€” Pixel OS base +- **LineageOS** β€” Samsung / Motorola OS base - **DivestOS** β€” additional hardening patches - **AOSP** β€” root upstream +- **`SilverLABS/SilverVPN`** β€” MAUI Android client (existing) + +## Note on naming + +The existing repo 
`SilverLABS/SilverDROID` (SilverSHELL AppStore Android client) is unrelated to this Android flavour despite the similar name. They serve different products. diff --git a/docs/platform-matrix.md b/docs/platform-matrix.md index 2559a0f..19bd25c 100644 --- a/docs/platform-matrix.md +++ b/docs/platform-matrix.md @@ -2,8 +2,17 @@ The honest per-platform capability and pros/cons table. This is what a buyer sees on each product page so they can choose based on their actual constraint. +## The two product lines + +| Line | What it means | When you'd buy it | +|---|---|---| +| **πŸ”’ SilverMetal OS** | We ship the OS or ROM | You're choosing a device with privacy as a priority, or you're willing to replace your existing OS | +| **πŸ›‘οΈ SilverMetal Enhanced** | We harden the OS your device already runs | You can't or don't want to replace your OS β€” corporate device, iPhone, or you're staying on Windows | + ## Hardening tiers +Independent of product line, each platform has a tier reflecting how deep our hardening can physically reach: + | Tier | What it means | |---|---| | **A β€” Fully controllable** | We own the kernel, boot chain, MAC framework, and update infrastructure | 
@@ -13,20 +22,27 @@ The honest per-platform capability and pros/cons table. This is what a buyer see ## Capability summary -| Platform | Tier | Deliverable | Stack support | +### SilverMetal OS (we ship the OS/ROM) + +| Platform | Tier | Deliverable | Stack | |---|---|---|---| -| SilverMetal Linux | A | Custom Debian/Kicksecure-based ISO | Full, native | -| SilverMetal Droid (Pixel) | B | GrapheneOS-fork ROM | Full, native | -| SilverMetal Droid (Samsung) | C | LineageOS-fork ROM where bootloader unlocks; profile + Stack elsewhere | Full where ROM, Stack-only otherwise | -| SilverMetal Droid (Motorola) | C | DivestOS/LineageOS-fork ROM on supported models | Full where supported | -| SilverMetal Droid (generic) | D | "Harden any Android" β€” Stack + work-profile config | Stack + config only | -| SilverMetal Windows | C | LTSC IoT installer + hardening + Stack | Full (Stack apps run native) | -| SilverMetal macOS | C-D | Signed config profile + setup script + Stack | Full (Stack apps run native) | -| SilverMetal iOS | D | MDM profile + Stack from App Store | Full (Stack apps via App Store) | +| **OS β€” Linux** | A | Custom Debian/Kicksecure-based ISO | Full, native | +| **OS β€” Pixel** | B | GrapheneOS-fork ROM | Full, native | +| **OS β€” Samsung** | C | LineageOS-fork ROM (unlocked-bootloader models) | Full, native | +| **OS β€” Motorola** | C | DivestOS/LineageOS-fork ROM (supported models) | Full, native | + +### SilverMetal Enhanced (we harden the OS in place) + +| Platform | Tier | Deliverable | Stack | +|---|---|---|---| +| **Enhanced β€” Windows** | C | LTSC IoT installer + hardening + Stack | Full (Stack apps run native) | +| **Enhanced β€” macOS** | C-D | Signed config profile + setup script + Stack | Full (Stack apps run native) | +| **Enhanced β€” iOS** | D | MDM profile + Stack from App Store | Full (Stack apps via App Store) | +| **Enhanced β€” Android** | D | "Harden your existing Android" β€” Stack + work-profile config | Stack + config only | ## 
Per-platform pros / cons -### SilverMetal Linux (Tier A) +### πŸ”’ SilverMetal OS β€” Linux (Tier A) **Reference setup. The strongest possible SilverMetal device.** **Pros** @@ -44,11 +60,11 @@ The honest per-platform capability and pros/cons table. This is what a buyer see - Some games, particularly anti-cheat-protected titles, will not run - Hardware compatibility needs checking before purchase (Coreboot SKUs are best-supported) -**Best for**: users whose work is browser + email + office docs + dev + comms; anyone who would otherwise install Linux themselves; the maximum-privacy buyer. +**Best for**: maximum-privacy buyer; anyone whose work is browser + email + office docs + dev + comms. --- -### SilverMetal Droid β€” Pixel flagship (Tier B) +### πŸ”’ SilverMetal OS β€” Pixel (Tier B) **The secure-phone flagship. GrapheneOS-tier engineering.** **Pros** 
@@ -64,30 +80,29 @@ The honest per-platform capability and pros/cons table. This is what a buyer see - Some banking apps and corporate apps refuse to run on non-Play-Integrity devices (workaround: sandboxed Play, but breaks the airtight model) - Not all carriers support all Pixel models cleanly -**Best for**: the "secure phone" buyer, journalists, activists, anyone who would otherwise buy an Encrochat-style rebadged phone but wants real engineering. +**Best for**: the "secure phone" buyer; journalists, activists; anyone who would otherwise buy an Encrochat-style rebadged phone but wants real engineering. --- -### SilverMetal Droid β€” Samsung (Tier C) -**For users on Samsung hardware. Variable depending on model and region.** +### πŸ”’ SilverMetal OS β€” Samsung (Tier C) +**For users on Samsung hardware with unlockable bootloader.** **Pros** - Wide hardware availability and price range -- LineageOS / DivestOS fork for unlocked-bootloader regions gives most of the benefit -- Knox security layer is genuinely capable on locked models -- Full SilverLABS Stack supported either way +- LineageOS / DivestOS fork on unlocked-bootloader regions delivers most of the benefit +- Knox security layer is genuinely capable (when bootloader is unlocked, Knox is tripped β€” accept this trade) **Cons** -- Many Samsung models β€” especially US-carrier models β€” have permanently locked bootloaders; we cannot replace the OS +- Many Samsung models β€” especially US-carrier models β€” have permanently locked bootloaders; SilverMetal OS β€” Samsung is not available on those (use Enhanced β€” Android instead) - Even on unlocked bootloader, we lose verified boot rooting back to our key -- Knox tripped flag is permanent; some Samsung features (Samsung Pay, Knox-protected work apps) may stop working +- Knox tripped flag is permanent; some Samsung features (Samsung Pay, Knox-protected work apps) stop working -**Best for**: existing Samsung owners; buyers wanting a non-Pixel Android with 
strong-enough hardening. +**Best for**: Samsung owners who want real ROM-level hardening and accept the Knox trade-off. --- -### SilverMetal Droid β€” Motorola (Tier C) -**For users on Motorola hardware. Best Android option after Pixel for unlocked-bootloader hardening.** +### πŸ”’ SilverMetal OS β€” Motorola (Tier C) +**For users on Motorola hardware. Best ROM option after Pixel for unlocked-bootloader hardening.** **Pros** - Many Moto models support bootloader unlock cleanly @@ -104,26 +119,7 @@ The honest per-platform capability and pros/cons table. This is what a buyer see --- -### SilverMetal Droid β€” Generic / "harden my existing Android" (Tier D) -**For users who already own an Android and won't / can't replace the ROM.** - -**Pros** -- Works on virtually any Android 13+ device -- Full SilverLABS Stack runs (Browser, VPN, Sync, etc.) -- Work-profile-based isolation contains tracking apps in a managed sandbox -- No bootloader unlock required; no warranty void - -**Cons** -- We do not control the OS β€” Google + your OEM still do -- Verified boot is your OEM's, not ours -- Telemetry from OS-level Google services cannot be fully blocked without a ROM swap -- Honest tier label: D, weakest Android tier - -**Best for**: existing Android owners who want privacy improvements without buying new hardware or unlocking their bootloader. - ---- - -### SilverMetal Windows (Tier C) +### πŸ›‘οΈ SilverMetal Enhanced β€” Windows (Tier C) **For users locked into Windows-only software.** **Pros** @@ -145,7 +141,7 @@ The honest per-platform capability and pros/cons table. This is what a buyer see --- -### SilverMetal macOS (Tier C-D) +### πŸ›‘οΈ SilverMetal Enhanced β€” macOS (Tier C-D) **For Mac-committed users.** **Pros** @@ -166,7 +162,7 @@ The honest per-platform capability and pros/cons table. This is what a buyer see --- -### SilverMetal iOS (Tier D) +### πŸ›‘οΈ SilverMetal Enhanced β€” iOS (Tier D) **For iPhone users.** **Pros** 
@@ -182,27 +178,46 @@ The honest per-platform capability and pros/cons table. This is what a buyer see - Configuration profile + MDM applies; cannot modify iOS itself - Honest tier label: D, weakest tier in the family β€” *we say this in marketing* -**Best for**: users whose threat model is commercial surveillance (not state-actor targeting) and who need to stay on iPhone for personal/work reasons. +**Best for**: users whose threat model is commercial surveillance (not state-actor targeting) and who need to stay on iPhone. + +--- + +### πŸ›‘οΈ SilverMetal Enhanced β€” Android (Tier D) +**For users who already own an Android (any vendor) and won't / can't replace the ROM.** + +**Pros** +- Works on virtually any Android 13+ device β€” Samsung locked-bootloader models, OEMs we don't have ROMs for, hand-me-down phones +- Full SilverLABS Stack runs (Browser, VPN, Sync, etc.) +- Work-profile-based isolation contains tracking apps in a managed sandbox +- No bootloader unlock required; no warranty void + +**Cons** +- We do not control the OS β€” Google + your OEM still do +- Verified boot is your OEM's, not ours +- Telemetry from OS-level Google services cannot be fully blocked without a ROM swap +- Honest tier label: D, weakest Android tier β€” *we say this in marketing* + +**Best for**: existing Android owners who want privacy improvements without buying new hardware or unlocking their bootloader. ## Decision flowchart ``` -Does the user need maximum privacy and is software-flexible? - β†’ SilverMetal Linux +Are you choosing a new device, or hardening one you already own? -Does the user need a phone, primarily? - β†’ Pixel? β†’ SilverMetal Droid Flagship - β†’ Samsung/Motorola with unlocked bootloader? β†’ matching ROM tier - β†’ iPhone or locked Android? β†’ corresponding profile tier +CHOOSING NEW + Need maximum privacy and software-flexible? β†’ πŸ”’ SilverMetal OS β€” Linux + Need a phone, primarily? + Pixel ok? 
β†’ πŸ”’ SilverMetal OS β€” Pixel + Samsung (unlocked bootloader region)? β†’ πŸ”’ SilverMetal OS β€” Samsung + Motorola (supported model)? β†’ πŸ”’ SilverMetal OS β€” Motorola + Want iPhone? β†’ πŸ›‘οΈ SilverMetal Enhanced β€” iOS -Does the user need Windows-only software? - β†’ SilverMetal Windows - -Is the user Mac-committed? - β†’ SilverMetal macOS - -Does the user already own a device they're keeping? - β†’ The corresponding "profile" or "harden existing" tier +ALREADY OWN A DEVICE + Windows machine you keep? β†’ πŸ›‘οΈ SilverMetal Enhanced β€” Windows + Mac you keep? β†’ πŸ›‘οΈ SilverMetal Enhanced β€” macOS + iPhone you keep? β†’ πŸ›‘οΈ SilverMetal Enhanced β€” iOS + Android you keep (any model)? β†’ πŸ›‘οΈ SilverMetal Enhanced β€” Android + Linux laptop you'd convert? β†’ πŸ”’ SilverMetal OS β€” Linux (re-install) ``` We do not push users between tiers. We tell them what each can deliver and let them choose. diff --git a/docs/roadmap.md b/docs/roadmap.md index d55c5b3..695575c 100644 --- a/docs/roadmap.md +++ b/docs/roadmap.md @@ -2,6 +2,8 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met. +The two product lines (**SilverMetal OS** and **SilverMetal Enhanced**) share the same roadmap because they share the SilverLABS Application Stack and the same supporting infrastructure. They diverge in delivery format only. + ## Phase 0 β€” Foundation (current) **Goal**: get the architecture, threat model, and product principles documented and reviewed before writing OS code. 
@@ -11,14 +13,15 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi | 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place | | 0.2 | Umbrella docs | `README.md` + `docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md` complete and reviewed | | 0.3 | Gitea repo created and pushed | `SilverLABS/SilverMetal` exists on `git.silverlabs.uk` with this scaffold | +| 0.4 | Naming framework + repo alignment locked | OS / Enhanced naming applied; SilverApple deprecation noted; SilverVPN integration scope defined | -**Status**: in progress (this commit completes 0.1–0.3). +**Status**: complete. --- -## Phase 1 β€” SilverMetal Linux v1 (the MVP) +## Phase 1 β€” SilverMetal OS β€” Linux v1 (the MVP) -**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other platforms. +**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other flavours. | # | Milestone | Done when | |---|---|---| 
@@ -28,7 +31,7 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi | 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min β€” zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints | | 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install β†’ reboot β†’ TPM unlock β†’ desktop. Tamper test correctly falls back to passphrase | | 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated | -| 1.7 | SilverVPN v1 integrated (WireGuard backbone) | Always-on default; kill-switch verified; account-number signup flow works | +| 1.7 | SilverVPN integrated into image | Existing `SilverLABS/SilverVPN` Linux client + tunnel service preinstalled, always-on default; kill-switch verified | | 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content | | 1.9 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified | | 1.10 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented | 
@@ -45,64 +48,74 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi | # | Milestone | Done when | |---|---|---| -| 1.1.1 | SilverChat v1 (Matrix-based) | Homeserver running; iOS/Android/Linux/Windows/Mac clients functional; account-number onboarding | -| 1.1.2 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile β€” all verified | -| 1.1.3 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients | -| 1.1.4 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful | +| 1.1.1 | SilverChat v1 β€” alignment review | Decide whether to pull `SilverVPN.Client.Chat` in, fork it, or scope SilverChat as a separate effort. Outcome documented in `docs/decisions/` | +| 1.1.2 | SilverChat v1 client + homeserver | Cross-platform clients functional; account-number onboarding | +| 1.1.3 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile β€” all verified | +| 1.1.4 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients | +| 1.1.5 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful | --- -## Phase 2 β€” SilverMetal Droid +## Phase 2 β€” SilverMetal OS β€” Droid (Pixel + Samsung + Motorola) -**Goal**: ship Android coverage across all four tiers (Pixel flagship, Samsung, Motorola, generic profile). +**Goal**: ship the three ROM-level Android tiers. 
| # | Milestone | Done when | |---|---|---| -| 2.1 | Pixel flagship ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key | -| 2.2 | Samsung tier (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay | -| 2.3 | Motorola tier (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay | -| 2.4 | Generic Android profile | "Harden my Android" installer: Stack apps + work-profile hardening config; works on Android 13+ | -| 2.5 | Android hardware SKU pilot | Pixel preflashed batch (10 units) + Moto preflashed batch (10 units) | +| 2.1 | OS β€” Pixel ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key | +| 2.2 | OS β€” Samsung (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay | +| 2.3 | OS β€” Motorola (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay | +| 2.4 | Pixel preflashed pilot | 10 preflashed units shipped | +| 2.5 | Motorola preflashed pilot | 10 preflashed units shipped | --- -## Phase 3 β€” SilverMetal Windows +## Phase 3 β€” SilverMetal Enhanced (the four hardening packages) -**Goal**: ship the Windows hardening installer for users locked into Windows. +**Goal**: ship Enhanced packages for Windows, macOS, iOS, and generic Android. +The four Enhanced flavours can be developed largely in parallel since they share the SilverLABS Stack and don't depend on each other. + +### 3W β€” Enhanced β€” Windows | # | Milestone | Done when | |---|---|---| -| 3.1 | LTSC IoT base evaluated and licensed for our use | License path documented; base image acquired | -| 3.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts | -| 3.3 | Stack ports for Windows | SilverBrowser/VPN/Sync/etc. 
native Windows builds, signed with our cert | -| 3.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery | -| 3.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + SilverMetal hardening (10 units) | -| 3.6 | Telemetry-leak test for Windows | 30-min idle on hardened install β€” minimal Microsoft contact, documented (we cannot reach zero on Windows; we publish what remains) | - ---- - -## Phase 4 β€” Apple platforms (macOS + iOS profiles) - -**Goal**: ship signed configuration profiles, setup scripts, curated app guidance, and Stack ports for Apple platforms. +| 3W.1 | LTSC IoT base licensed and acquired | License path documented | +| 3W.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts | +| 3W.3 | Stack ports for Windows | SilverBrowser/Sync/etc. native Windows builds, signed with our cert. SilverVPN MAUI Windows client integrated | +| 3W.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery | +| 3W.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + Enhanced (10 units) | +| 3W.6 | Telemetry-leak test for Windows | 30-min idle on hardened install β€” minimum-feasible Microsoft contact, documented | +### 3M β€” Enhanced β€” macOS | # | Milestone | Done when | |---|---|---| -| 4.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall | -| 4.2 | macOS setup script | Idempotent script applies non-MDM hardening (default app changes, etc.) 
| -| 4.3 | Stack ports for macOS | Universal binaries, notarised, signed with our Apple Developer cert | -| 4.4 | iOS MDM profile | Signed `.mobileconfig` for users with personal MDM (or via free Apple Configurator) | -| 4.5 | Stack ports for iOS | App Store releases (Browser may face Apple review constraints β€” fall back to webkit-based with our defaults) | -| 4.6 | Apple setup guide | Step-by-step published guide complementing the profiles | +| 3M.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall | +| 3M.2 | macOS setup script | Idempotent script applies non-MDM hardening | +| 3M.3 | Stack ports for macOS | Universal binaries, notarised, signed | + +### 3I β€” Enhanced β€” iOS (supersedes SilverApple) +| # | Milestone | Done when | +|---|---|---| +| 3I.1 | Migrate / fold any usable assets from `SilverLABS/SilverApple` | Inventory of SilverApple done; reusable parts moved into `ios/`; SilverApple repo archived | +| 3I.2 | iOS MDM profile | Signed `.mobileconfig` for personal MDM or Apple Configurator | +| 3I.3 | Stack ports for iOS | App Store releases (Browser may face Apple WebKit constraints β€” fall back if needed) | +| 3I.4 | Apple setup guide | Step-by-step published guide complementing the profiles | + +### 3A β€” Enhanced β€” Android (generic) +| # | Milestone | Done when | +|---|---|---| +| 3A.1 | Generic Android profile installer | "Harden my Android" β€” Stack apps + work-profile hardening config | +| 3A.2 | Compatibility test matrix | Runs cleanly on Android 13+ across Samsung locked, OnePlus, Xiaomi, OEMs we don't have ROMs for | --- -## Phase 5 β€” Hardening / immutability / Tor sibling +## Phase 4 β€” Hardening / immutability / Tor sibling **Goal**: post-MVP improvements; not blocking earlier phases. 
- Atomic / immutable Linux variant (ostree) - dm-verity-protected `/` -- Tor-by-default sibling product (SilverMetal Onion or similar) +- Tor-by-default sibling product - ARM64 / Apple Silicon Linux variant - Coreboot tooling improvements / additional reference hardware @@ -110,15 +123,13 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi ## Cross-cutting workstreams (always-on) -These run in parallel with phases: - -- **Security advisories** β€” vulnerability response process from Phase 1.10 onward; signed advisories -- **External audits** β€” annual or per-major-release third-party security review +- **Security advisories** β€” vulnerability response process from Phase 1.10 onward +- **External audits** β€” annual or per-major-release third-party review - **Documentation** β€” every phase's gate includes documentation update - **Community / support** β€” issue tracker, support channels, response SLOs ## Phase entry/exit philosophy - We do not start a phase until the previous one's exit criteria are met -- We *can* run cross-cutting workstreams in parallel +- Cross-cutting workstreams run in parallel - A failing verification gate blocks the phase, full stop β€” no shipping with known regressions diff --git a/ios/README.md b/ios/README.md index 68bdf97..8bcff54 100644 --- a/ios/README.md +++ b/ios/README.md 
@@ -1,8 +1,18 @@ -# SilverMetal iOS +# SilverMetal Enhanced β€” iOS -**Status**: Phase 4 (planning, post-Windows v1) +**Status**: Phase 3I (planning, post-Linux v1) -Tier D β€” profile-layer only. Weakest tier in the family; labelled as such. We cannot modify iOS; we ship MDM profiles, App Store apps, and a setup guide. +πŸ›‘οΈ **SilverMetal Enhanced product line** β€” we harden iOS in place. We cannot modify iOS itself. + +Tier D β€” profile-layer only. Weakest tier in the family; labelled as such. We ship MDM profiles, App Store apps, and a setup guide. + +## Supersedes SilverApple + +This flavour replaces the earlier prototype [`SilverLABS/SilverApple`](https://git.silverlabs.uk/SilverLABS/SilverApple) ("Privacy-first iOS hardening suite"). Per Phase 3I.1 of the roadmap: + +- Inventory SilverApple's existing artefacts (MDM enrolment flow, SilverVPN onboarding, CalDAV/CardDAV setup) +- Migrate any reusable parts into this directory +- Archive the SilverApple repo on Gitea once migration is complete ## Scope (v1) @@ -14,7 +24,7 @@ Tier D β€” profile-layer only. Weakest tier in the family; labelled as such. We - Default-app changes where iOS 18+ allows (Browser, Mail, etc.) - Stack ports via App Store: - SilverBrowser (subject to Apple WebKit constraints β€” fall back to a hardened-defaults wrapper if pure custom engine is forbidden) - - SilverVPN (NetworkExtension API) + - SilverVPN β€” already exists as a MAUI-based App Store candidate via [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) - SilverSync (file/contact/calendar/photos providers) - SilverChat (post-v1.1) - SilverKeys (post-v1.1) 
@@ -32,13 +42,14 @@ Tier D β€” profile-layer only. Weakest tier in the family; labelled as such. We ## Directory layout -To be populated in Phase 4: +To be populated in Phase 3I: ``` ios/ -β”œβ”€β”€ profile/ # .mobileconfig sources, signing -β”œβ”€β”€ stack/ # iOS-specific Stack app builds (Xcode projects) -└── docs/ # setup guide, recommended apps, threat-tier disclaimer +β”œβ”€β”€ profile/ # .mobileconfig sources, signing +β”œβ”€β”€ stack/ # iOS-specific Stack app builds (Xcode projects) +β”œβ”€β”€ from-silverapple/ # migrated artefacts from the deprecated SilverApple repo +└── docs/ # setup guide, recommended apps, threat-tier disclaimer ``` ## Verification gates diff --git a/linux/README.md b/linux/README.md index 845fd0a..def8784 100644 --- a/linux/README.md +++ b/linux/README.md @@ -1,7 +1,9 @@ -# SilverMetal Linux +# SilverMetal OS β€” Linux **Status**: Phase 1 (planning) β†’ moving to milestone 1.1 (reproducible Kicksecure fork build) +πŸ”’ **SilverMetal OS product line** β€” we ship the operating system. + The reference SilverMetal flavour. Tier A β€” full kernel-level hardening, verified boot we control, Debian/Kicksecure-based. ## Scope (v1) @@ -19,6 +21,8 @@ See [`../docs/roadmap.md`](../docs/roadmap.md) Phase 1. - nftables default-deny inbound, encrypted DNS, SilverVPN always-on default - Zero upstream telemetry β€” verified by integration test - SilverBrowser default (ungoogled-chromium-rebranded v1) +- SilverVPN integrated from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) (Linux client + tunnel service) +- SilverSync v1 (Nextcloud-backed, client-side encryption) - A/B updates with rollback, signed by our keys - Optional amnesic session mode @@ -65,3 +69,4 @@ linux/ - **GrapheneOS hardened_malloc** β€” allocator - **KSPP** β€” kernel config authority - **secureblue** β€” reference for v1.1 immutable design +- **`SilverLABS/SilverVPN`** β€” VPN client + tunnel service (existing, integrated) 
diff --git a/macos/README.md b/macos/README.md index c958027..3a7a056 100644 --- a/macos/README.md +++ b/macos/README.md @@ -1,8 +1,10 @@ -# SilverMetal macOS +# SilverMetal Enhanced β€” macOS -**Status**: Phase 4 (planning, post-Windows v1) +**Status**: Phase 3M (planning, post-Linux v1) -Tier C-D β€” signed configuration profile + setup script + Stack ports. We cannot modify macOS; we configure everything Apple exposes. +πŸ›‘οΈ **SilverMetal Enhanced product line** β€” we harden macOS in place. Apple's signed boot chain prevents an OS replacement. + +Tier C-D β€” signed configuration profile + setup script + Stack ports. We configure everything Apple exposes. ## Scope (v1) @@ -14,6 +16,7 @@ Tier C-D β€” signed configuration profile + setup script + Stack ports. We canno - Enables Lockdown Mode (per-user opt-in guidance) - Idempotent setup script for non-MDM hardening (default-app changes, Safariβ†’SilverBrowser, etc.) - Stack ports for macOS (universal binaries, notarised, signed) +- SilverVPN MAUI macOS client from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) - Setup guide for hardware-key 2FA, anti-forensics ## Out of scope @@ -24,7 +27,7 @@ Tier C-D β€” signed configuration profile + setup script + Stack ports. We canno ## Directory layout -To be populated in Phase 4: +To be populated in Phase 3M: ``` macos/ @@ -46,3 +49,4 @@ macos/ - **Apple macOS** β€” base, unmodified - **macOS Privacy Guide / privacy.sexy** β€” reference for hardening configs - **Lockdown Mode** β€” Apple-provided, documented and enabled +- **`SilverLABS/SilverVPN`** β€” MAUI macOS client (existing) diff --git a/stack/README.md b/stack/README.md index 139d743..3cab79f 100644 --- a/stack/README.md +++ b/stack/README.md 
@@ -1,16 +1,16 @@ # SilverLABS Application Stack -The cross-platform spine of SilverMetal. These apps replace the cloud services your device normally talks to. Same brand, same account, same data on every platform. +The cross-platform spine of SilverMetal. These apps replace the cloud services your device normally talks to. Same brand, same account, same data on every platform β€” whether the user picked a πŸ”’ SilverMetal OS flavour or a πŸ›‘οΈ SilverMetal Enhanced flavour. ## Components | Component | Status | Purpose | |---|---|---| | [`browser/`](browser/) β€” **SilverBrowser** | v1 (Linux MVP) | De-Googled, telemetry-free browser | -| [`vpn/`](vpn/) β€” **SilverVPN** | v1 (Linux MVP) | Always-on, no-logs VPN with our infrastructure | +| [`vpn/`](vpn/) β€” **SilverVPN** | **Existing** β€” see [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN). This directory tracks integration only | Always-on, no-logs VPN with our infrastructure | | [`sync/`](sync/) β€” **SilverSync** | v1 (Linux MVP) | Private replacement for iCloud/Google/OneDrive | -| [`chat/`](chat/) β€” **SilverChat** | v1.1 | E2EE messenger | -| [`duress/`](duress/) β€” **SilverDuress** | v1.1 | Duress password / panic-wipe / anti-coercion | +| [`chat/`](chat/) β€” **SilverChat** | v1.1 β€” *may overlap with `SilverVPN.Client.Chat`; alignment decision pending* | E2EE messenger | +| [`duress/`](duress/) β€” **SilverDuress** | v1.1 | Duress password / panic-wipe | | [`keys/`](keys/) β€” **SilverKeys** | v1.1 | Zero-knowledge password + 2FA manager | | [`shared/`](shared/) β€” common code | ongoing | Account SDK, crypto primitives, branding | 
@@ -23,29 +23,29 @@ Users get a **SilverLABS account number** (Mullvad-style β€” random, no email, n Each app is built natively per platform β€” no Electron sprawl where avoidable: - **Linux**: native `.deb` + Flatpak -- **Android**: native APK / AAB +- **Android**: native APK / AAB (or MAUI where SilverVPN already provides it) - **Windows**: native MSI / EXE (signed) - **macOS**: universal binary `.pkg` (notarised) - **iOS**: App Store -Where a single codebase (e.g., Tauri / Rust core) lets us hit multiple platforms with a thin native UI shell, we use it. We avoid Electron unless the cost of native is unjustifiable. +Where a single codebase (e.g., MAUI as SilverVPN already does, or Tauri/Rust core for Browser/Sync/Keys) lets us hit multiple platforms with thin native UI shells, we use it. We avoid Electron unless the cost of native is unjustifiable. ## v1 ship order +For SilverMetal OS β€” Linux v1: + 1. **SilverBrowser** β€” ungoogled-chromium-derived, our defaults, our update channel -2. **SilverVPN** β€” WireGuard-based, our exit nodes, account-number signup -3. **SilverSync** β€” Nextcloud-backed (server side), client-side encryption, native clients +2. **SilverVPN** integration β€” existing product, integrated into our ISO with always-on defaults and kill-switch +3. **SilverSync** β€” Nextcloud-backed (server side), client-side encryption, native Linux client -These three ship with SilverMetal Linux v1. - -v1.1 adds Chat, Duress, Keys. +These three ship with SilverMetal OS β€” Linux v1. v1.1 adds Chat, Duress, Keys. 
## Server side -The Stack server components live in separate repositories under `SilverLABS/`: -- `silver-vpn-infra` β€” WireGuard exit-node infrastructure (Terraform / Ansible) -- `silver-sync-server` β€” Nextcloud + Radicale + BaΓ―kal stack -- `silver-chat-homeserver` β€” Matrix Synapse / Dendrite -- `silver-account` β€” account-number issuance + auth gateway +Server components live in separate repositories: +- `SilverLABS/SilverVPN` β€” already exists; includes server stack +- `SilverLABS/silver-sync-server` *(to be created)* β€” Nextcloud + Radicale + BaΓ―kal stack +- `SilverLABS/silver-chat-homeserver` *(to be created OR may live under SilverVPN)* β€” depends on v1.1.1 alignment decision +- `SilverLABS/silver-account` *(to be created)* β€” account-number issuance + auth gateway Self-hostable counterparts are documented for users who don't want to use SilverLABS infrastructure. diff --git a/stack/vpn/README.md b/stack/vpn/README.md index 96d8f66..a3f1f44 100644 --- a/stack/vpn/README.md +++ b/stack/vpn/README.md 
@@ -1,40 +1,60 @@ -# SilverVPN +# SilverVPN β€” Integration Pointer -**Status**: v1 (Linux MVP) β€” planning +> **The SilverVPN component already exists as a separate, in-production SilverLABS product.** +> This directory does not re-implement it; it tracks the integration of the existing SilverVPN into SilverMetal OS images and Enhanced packages. -Always-on VPN with no logs, run on SilverLABS infrastructure. Mullvad-style account-number signup (no email, no name). +## Where SilverVPN lives -## v1 approach +[`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) β€” local checkout typically at `../SilverVPN/`. -- **Protocol**: WireGuard. Period. (Battle-tested, tiny attack surface, performant.) -- **Account**: random 16-digit account number; no email, no PII -- **Payment**: separate channel (SilverDotPay / crypto / payment processor) with no link back to account number -- **Exit nodes**: SilverLABS-operated initially; geographically diverse -- **Kill-switch**: enforced at firewall layer (nftables on Linux, NetworkExtension content filters on Apple) -- **DNS**: encrypted DNS through tunnel; no DNS leaks -- **Per-device keys**: each device gets its own WireGuard key; revoke per-device +The product includes: +- `.NET 9` server stack: API, admin dashboard, web client, Docker images +- `SilverVPN.Client.Maui` β€” cross-platform native client (Windows, macOS, Android, iOS) +- `SilverVPN.Client.Linux` β€” dedicated Linux client +- `SilverVPN.Client.Web` / `SilverVPN.Client.Web.Host` β€” browser-based client +- `SilverVPN.TunnelService` / `SilverVPN.TunnelService.Linux` β€” tunnel daemon +- `SilverVPN.Tunnel.Shared` β€” shared tunnel code +- `libbox-bridge` β€” sing-box / sing-tun integration layer +- Debian packaging (`build-deb.sh`, `debian/`) +- OpenWrt support (`openwrt/`) +- Production releases ongoing -## Server-side +## SilverMetal's responsibility -Lives in `SilverLABS/silver-vpn-infra` (separate repo). This repo holds the **client** code only. 
+This directory tracks **integration**, not development. Integration tasks per platform: -## What we do not do +### SilverMetal OS β€” Linux +- [ ] Include `silvervpn` `.deb` (built from `../SilverVPN/build-deb.sh`) in `linux/packages/include.list` +- [ ] Bundle `SilverVPN.TunnelService.Linux` as a default systemd service +- [ ] Configure SilverVPN to be **always-on by default** with our exit nodes preconfigured +- [ ] Verify nftables kill-switch coexists with the SilverVPN tunnel service +- [ ] Validate DNS through tunnel (no leaks) +- [ ] Auto-launch `SilverVPN.Client.Linux` on first login for account-number entry -- We do not log connection metadata beyond what is operationally required (typically just real-time peer state, not retained) -- We do not bundle ad-blocking β€” that's the browser's job, not the VPN's -- We do not bundle tracker-blocking heuristics in the VPN β€” that risks false positives that break sites -- We do not run a "free tier" with a different infrastructure β€” paid users and free users (if any) get the same server quality +### SilverMetal OS β€” Pixel / Samsung / Motorola +- [ ] Bundle SilverVPN MAUI client APK into ROM build (or system app) +- [ ] Configure as default VPN provider via Android `VpnService` +- [ ] Always-on VPN enforced at OS level (`Settings > VPN > Always-on`) -## Per-platform clients +### SilverMetal Enhanced β€” Windows +- [ ] Bundle MAUI Windows client into hardening installer +- [ ] Set up auto-start on boot +- [ ] Kill-switch enforced via Windows Filtering Platform rules -- **Linux**: GTK + native daemon (`silvervpn-daemon` running as systemd service) -- **Android**: VpnService-based, native UI -- **Windows**: WireGuard tunnel service + tray UI (signed) -- **macOS**: NetworkExtension, signed and notarised -- **iOS**: NetworkExtension via App Store +### SilverMetal Enhanced β€” macOS +- [ ] Bundle MAUI macOS client into setup `.pkg` +- [ ] NetworkExtension content filter for kill-switch -## Verification +### 
SilverMetal Enhanced β€” iOS +- [ ] SilverVPN App Store listing referenced in iOS setup guide +- [ ] MDM profile pre-configures SilverVPN as default -- Kill-switch test: disconnect upstream, verify zero packets leak -- DNS-leak test: capture DNS during tunnel-up; all queries must traverse the tunnel -- Reconnect test: WAN flap, verify reconnect without temporary leak +### SilverMetal Enhanced β€” Android (generic) +- [ ] SilverVPN MAUI APK referenced as required install in profile +- [ ] Work-profile config sets it as system VPN + +## Coordination + +Changes that affect SilverMetal integration (e.g., `silvervpn` package layout, default endpoints, account-number CLI) should be flagged in this directory's CHANGELOG (to be created when first integration milestone starts) so the SilverMetal build pipeline can react. + +Cross-repo issues that touch both projects should be opened in whichever repo owns the change, with a back-reference in the other. diff --git a/windows/README.md b/windows/README.md index 8c7f773..2307189 100644 --- a/windows/README.md +++ b/windows/README.md @@ -1,6 +1,8 @@ -# SilverMetal Windows +# SilverMetal Enhanced β€” Windows -**Status**: Phase 3 (planning, post-Linux v1) +**Status**: Phase 3W (planning, post-Linux v1) + +πŸ›‘οΈ **SilverMetal Enhanced product line** β€” we harden Windows in place; we do not ship a custom Windows kernel (Microsoft does not permit that). Tier C β€” config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes. @@ -16,6 +18,7 @@ LTSC IoT-based installer that transforms a vanilla Windows install into a Silver - Telemetry blocked at hosts file + service + GP layers - Edge / Chrome replaced with SilverBrowser default - Full SilverLABS Stack preinstalled (native Windows builds) +- SilverVPN MAUI Windows client integrated from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) ## Out of scope 
@@ -25,7 +28,7 @@ LTSC IoT-based installer that transforms a vanilla Windows install into a Silver ## Directory layout -To be populated in Phase 3. Initial structure planned: +To be populated in Phase 3W. Initial structure planned: ``` windows/ @@ -49,3 +52,4 @@ windows/ - **Windows 11 IoT Enterprise LTSC** β€” base OS (licensed) - **AtlasOS / ReviOS / privacy.sexy** β€” reference for hardening configs - **Chris Titus Tech / O&O ShutUp10** β€” reference for telemetry blocking +- **`SilverLABS/SilverVPN`** β€” MAUI Windows client (existing)
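Review bot: in the docs/roadmap.md Phase 3 hunk, milestone 3W.6 drops the old gate's explicit caveat ("we cannot reach zero on Windows; we publish what remains"); "minimum-feasible Microsoft contact, documented" no longer commits to publishing the residual endpoints, which is the part a buyer can actually verify and which matches the "Honest positioning" wording in windows/README.md. Suggest restoring it in the Done-when cell, e.g. "minimum-feasible Microsoft contact; residual hosts published (zero is not reachable on Windows)". In the same hunk, 3A.2's "Runs cleanly on Android 13+ across Samsung locked, OnePlus, Xiaomi, OEMs we don't have ROMs for" is not a measurable gate: name the checks (Stack apps install, work-profile policy applied, always-on VPN enforced, an idle telemetry-leak test like 3W.6) and a fixed minimum device list, so the gate can fail.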
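Review bot: in the docs/roadmap.md cross-cutting workstreams hunk, the "Security advisories" bullet loses "signed advisories" while the rest of the bullet is unchanged. Signing is what lets users and downstream packagers verify that an advisory came from SilverLABS, and the linux/README.md hunk in this same patch promises updates "signed by our keys"; suggest keeping "; signed advisories" at the end of the bullet, or, if signing was dropped deliberately, say where the advisory signing policy now lives.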
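Review bot: in the first macos/README.md hunk, the new line "Apple's signed boot chain prevents an OS replacement" conflicts with the Phase 4 roadmap bullet "ARM64 / Apple Silicon Linux variant" added in this same patch. Suggest stating the product decision rather than a platform limitation, e.g. "we harden macOS in place rather than replacing it; an Apple Silicon Linux variant is a separate Phase 4 item", so the two documents do not contradict each other.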
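Review bot: in the stack/README.md Components hunk, the SilverVPN row now puts a full sentence with a link in the Status column ("**Existing** ... This directory tracks integration only"), which breaks the column's short-value pattern (v1, v1.1, ongoing) and makes the table hard to scan. Suggest keeping Status as "Existing (integration only)" and moving the repo link into the Purpose cell or the text under the table; the SilverChat row's "alignment decision pending" remark would likewise read better as a footnote naming the roadmap milestone it depends on.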
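Review bot: in the stack/vpn/README.md hunk, the old "Verification" section (kill-switch test on upstream disconnect with zero leaked packets, DNS capture with all queries inside the tunnel, WAN-flap reconnect without a temporary leak) is deleted and only partly survives as two Linux checklist items ("Verify nftables kill-switch coexists", "Validate DNS through tunnel"); the reconnect test is gone entirely and the Windows, macOS, iOS and Android lists carry no verification items at all. Since the linux/README.md hunk already expects "Zero upstream telemetry ... verified by integration test", suggest keeping a Verification section with those three tests as acceptance criteria for every platform's checklist. Two related gaps in the same hunk: the `.deb` is "built from `../SilverVPN/build-deb.sh`" with "local checkout typically at `../SilverVPN/`" and "Production releases ongoing", so the OS image depends on whatever happens to be checked out beside the tree; pin `linux/packages/include.list` to a tagged SilverVPN release (tag or commit hash) and verify the package signature before inclusion, in line with 2.1's "Builds, signs, OTA-updates from our infrastructure". And the old file's "Protocol: WireGuard. Period." and the logging policy under "What we do not do" are removed without a pointer while the new product list names `libbox-bridge` (sing-box / sing-tun); state which transport the integrated client actually uses, because the kill-switch and DNS items depend on it, and link to where the no-logs policy is documented in `SilverLABS/SilverVPN`.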