docs(naming): adopt OS / Enhanced product-line framing + align with existing repos

Two product lines, named to make scope obvious to buyers: - 🔒 SilverMetal OS — we ship the operating system or ROM (Linux, Pixel, Samsung-unlocked, Motorola-unlocked) - 🛡️ SilverMetal Enhanced — we harden the OS the device already runs (Windows, macOS, iOS, generic Android) Repo alignment: - SilverVPN already exists as a SilverLABS product (server + MAUI client + Linux client + tunnel service). stack/vpn/ is now an integration pointer rather than a re-scaffold; per-platform READMEs reference it. - SilverApple is deprecated; SilverMetal Enhanced — iOS supersedes it. Migration step added as roadmap milestone 3I.1. - SilverDROID name clash explicitly noted as unrelated (it's the SilverSHELL AppStore Android client, not an Android ROM). - SilverChat may overlap with SilverVPN.Client.Chat; alignment decision added as roadmap milestone 1.1.1. Roadmap restructured: phases now track the OS/Enhanced split. Platform matrix re-sectioned and decision flowchart updated. README rewritten around the two-product-line framing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:30:45 +01:00
parent 7d5f9cc246
commit 0a0075ce66
10 changed files with 316 additions and 224 deletions
--- a/README.md
+++ b/README.md
@@ -2,72 +2,84 @@
 > **Privacy-hardened devices for users who want their privacy back — on whatever platform they have.**
-SilverMetal is SilverLABS' cross-platform privacy-hardening program. We don't believe in "one true OS" — we believe in meeting users on the platform they actually use, and giving them the strongest hardening that platform physically allows. Honestly labelled, no marketing fluff.
+SilverMetal is SilverLABS' cross-platform privacy-hardening program. We don't believe in "one true OS" — we meet users on the platform they actually use, and give them the strongest hardening that platform physically allows. Honestly labelled, no marketing fluff.
-## What you get
+## Two product lines
-Every SilverMetal device — whether you bought one preflashed or you're hardening your own — ships two layers:
+The SilverMetal program ships two distinct product lines, named to make their scope obvious to buyers:
-1. **The SilverLABS Stack** — a suite of cross-platform privacy apps that replace the cloud services your device normally talks to (Google, Apple, Microsoft):
+### 🔒 SilverMetal OS
-   - **SilverBrowser** — de-Googled, telemetry-free, fingerprint-resistant
+**We ship the operating system or ROM.** Full kernel-level control, our verified-boot key, our update channel. Strongest possible hardening.
   - **SilverVPN** — always-on, no-logs, our own infrastructure
   - **SilverSync** — private replacement for iCloud / Google Drive / OneDrive
   - **SilverChat** — end-to-end encrypted messenger *(v1.1)*
   - **SilverDuress** — duress password / panic-wipe *(v1.1)*
   - **SilverKeys** — zero-knowledge password manager *(v1.1)*
-2. **A Platform Hardening Profile** — OS-level changes tailored to what your platform allows:
+- **SilverMetal OS — Linux** *(Debian/Kicksecure-based ISO)* — Tier A
-   - On **Linux** we ship a full custom OS
+- **SilverMetal OS — Pixel** *(GrapheneOS-fork ROM)* — Tier B
-   - On **Android** we ship a custom ROM (or a profile, depending on your device)
+- **SilverMetal OS — Samsung** *(LineageOS-fork ROM, unlocked-bootloader models)* — Tier C
-   - On **Windows** we ship an installer that transforms LTSC IoT into a hardened build
+- **SilverMetal OS — Motorola** *(DivestOS/LineageOS-fork ROM)* — Tier C
-   - On **macOS** and **iOS** we ship signed configuration profiles + setup scripts
+
 ### 🛡️ SilverMetal Enhanced
 **We harden the OS your device already runs.** Configuration profiles, hardening installers, the SilverLABS Application Stack. For users who can't or won't replace their OS.
 - **SilverMetal Enhanced — Windows** *(LTSC IoT installer + hardening + Stack)* — Tier C
 - **SilverMetal Enhanced — macOS** *(signed config profile + setup script + Stack)* — Tier C-D
 - **SilverMetal Enhanced — iOS** *(MDM profile + Stack)* — Tier D
 - **SilverMetal Enhanced — Android** *(generic profile + Stack on existing Android)* — Tier D
 Tiers explained in [`docs/platform-matrix.md`](docs/platform-matrix.md).
 ## What every SilverMetal device gets
 Both lines ship the **SilverLABS Application Stack** — a suite of cross-platform privacy apps that replace the cloud services your device normally talks to (Google, Apple, Microsoft):
 | Component | Status | Purpose |
 |---|---|---|
 | **SilverBrowser** | v1 (Linux MVP) | De-Googled, telemetry-free, fingerprint-resistant browser |
 | **SilverVPN** | **Existing** — see [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) | Always-on, no-logs VPN with our own infrastructure |
 | **SilverSync** | v1 (Linux MVP) | Private replacement for iCloud / Google Drive / OneDrive |
 | **SilverChat** | v1.1 (may overlap with `SilverVPN.Client.Chat`) | E2EE messenger |
 | **SilverDuress** | v1.1 | Duress password / panic-wipe / anti-coercion |
 | **SilverKeys** | v1.1 | Zero-knowledge password + 2FA manager |
 ## Two ways to get SilverMetal
 Every flavour — OS or Enhanced — supports both buyer modes:
 ### "I'm choosing a new device"
-Buy a **preflashed SilverMetal SKU** — a Pixel with SilverMetal Droid, a Coreboot laptop with SilverMetal Linux, etc. We've done all the work; it arrives ready.
+Buy a **preflashed SilverMetal SKU**. We've done all the work; it arrives ready.
 ### "I already own a device and want to harden it"
-Download the **free SilverLABS Stack** + the **hardening profile / installer / ROM** for your existing platform. Apply it yourself. Same software, same hardening, no hardware lock-in.
+Download the **free SilverLABS Stack** + the **SilverMetal OS or Enhanced package** for your platform. Apply it yourself. Same software, same hardening, no hardware lock-in.
 Every platform supports both modes. Nothing is premium-only; nothing is DIY-only.
 ## Platform matrix
 | Platform | Hardening tier | What ships | Best for |
 |---|---|---|---|
 | **SilverMetal Linux** | A — full control | Custom Debian/Kicksecure-based ISO | Maximum privacy; users whose work is browser/office/dev/comms |
 | **SilverMetal Droid (Pixel)** | B — verified boot ours | GrapheneOS-based ROM | "Secure phone" buyers, journalists, high-risk users |
 | **SilverMetal Droid (Samsung / Motorola)** | C — varies | LineageOS/DivestOS-based ROM where supported, profile + stack elsewhere | Users with existing non-Pixel Android |
 | **SilverMetal Droid (generic)** | D — app + profile only | Stack install + work-profile hardening | "I have an Android, harden it" |
 | **SilverMetal Windows** | C — config layer | LTSC IoT installer + Stack + Group Policy hardening | Users locked into Windows-only software |
 | **SilverMetal macOS** | C-D — config + Stack | Signed config profile + setup script + Stack | Mac-committed users |
 | **SilverMetal iOS** | D — profile + curated apps | MDM profile + Stack from App Store | iPhone users wanting maximum-feasible hardening |
 For honest pros/cons of each, see [`docs/platform-matrix.md`](docs/platform-matrix.md).
 ## Status
 | Component | Status |
 |---|---|
-| Documentation + roadmap | **In progress** (this scaffold) |
+| Documentation + roadmap | Initial scaffold complete |
-| SilverMetal Linux v1 | Planning → milestone 2 (build pipeline) |
+| SilverMetal OS — Linux v1 | Phase 1 — moving to milestone 1.1 (build pipeline) |
-| SilverLABS Stack v1 (Browser + VPN + Sync) | Planning |
+| SilverLABS Stack v1 (Browser + Sync) | Planning |
-| Other platforms | Planning, post-Linux v1 |
+| SilverVPN | Existing product, integration into v1 ISO planned |
 | Other OS/Enhanced flavours | Planning, post-Linux v1 |
 See [`docs/roadmap.md`](docs/roadmap.md) for the milestone-driven plan.
 ## Related repositories
 | Repo | Relationship |
 |---|---|
 | [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) | The VPN component of the SilverLABS Stack — already in production. SilverMetal integrates it; does not re-implement it |
 | [`SilverLABS/SilverApple`](https://git.silverlabs.uk/SilverLABS/SilverApple) | **Deprecated.** Earlier iOS-hardening prototype, superseded by *SilverMetal Enhanced — iOS* |
 | [`SilverLABS/SilverDROID`](https://git.silverlabs.uk/SilverLABS/SilverDROID) | Unrelated (SilverSHELL AppStore Android client). Name is similar but scope is different |
 ## Documentation
 - [`docs/threat-model.md`](docs/threat-model.md) — who we defend against, who we don't
 - [`docs/design-principles.md`](docs/design-principles.md) — privacy-by-default, verifiability, honesty
- [`docs/platform-matrix.md`](docs/platform-matrix.md) — what each platform can and cannot deliver
+- [`docs/platform-matrix.md`](docs/platform-matrix.md) — full per-platform pros/cons
 - [`docs/roadmap.md`](docs/roadmap.md) — milestones, ship order, scope
 - [`docs/trust-model.md`](docs/trust-model.md) — signing keys, reproducible builds, governance
 ## License
-Components carry their own licenses (most are GPL/MIT/Apache-derived from upstream forks). See individual directories.
+Components carry their own licenses (most are GPL/MIT/Apache-derived from upstream forks). Original SilverLABS-authored glue code is AGPL-3.0-or-later. See [`LICENSE`](LICENSE).
 ## SilverLABS
--- a/android/README.md
+++ b/android/README.md
@@ -1,45 +1,55 @@
-# SilverMetal Droid
+# SilverMetal — Android
 **Status**: Phase 2 (planning, post-Linux v1)
-Android coverage across four tiers. See [`../docs/platform-matrix.md`](../docs/platform-matrix.md) for honest per-tier pros/cons.
+Android coverage spans **both** SilverMetal product lines:
-## Tiers
+- 🔒 **SilverMetal OS** for devices where we ship a custom ROM (Pixel, Samsung-unlocked, Motorola-unlocked)
 - 🛡️ **SilverMetal Enhanced** for users keeping their existing Android (any vendor, no bootloader unlock required)
-### SilverMetal Droid Flagship — Pixel (Tier B)
+See [`../docs/platform-matrix.md`](../docs/platform-matrix.md) for honest per-tier pros/cons.
 GrapheneOS-fork on Pixel hardware. Verified boot we control, hardened kernel, app sandboxing enforced. Full SilverLABS Stack preinstalled.
-### SilverMetal Droid Galaxy — Samsung (Tier C)
+## Sub-flavours
 LineageOS / DivestOS-fork on Samsung models with unlockable bootloaders. Stack overlay on locked-bootloader models.
-### SilverMetal Droid Moto — Motorola (Tier C)
+### 🔒 SilverMetal OS — Pixel (Tier B)
-DivestOS / LineageOS-fork on supported Motorola models. Stack overlay everywhere.
+GrapheneOS-fork on Pixel hardware. Verified boot we control, hardened kernel, app sandboxing enforced. Full SilverLABS Stack preinstalled. **Phase 2.1.**
-### SilverMetal Droid Profile — generic (Tier D)
+### 🔒 SilverMetal OS — Samsung (Tier C)
-"Harden my existing Android" — full SilverLABS Stack + work-profile-based hardening config. Runs on any Android 13+ without bootloader changes.
+LineageOS / DivestOS-fork on Samsung models with unlockable bootloaders. **Phase 2.2.**
 ### 🔒 SilverMetal OS — Motorola (Tier C)
 DivestOS / LineageOS-fork on supported Motorola models. **Phase 2.3.**
 ### 🛡️ SilverMetal Enhanced — Android (Tier D)
 For users keeping their existing OEM Android (Samsung locked-bootloader, OnePlus, Xiaomi, hand-me-downs, etc.). Stack apps + work-profile-based hardening config; no bootloader changes, no warranty void. **Phase 3A.**
 ## Directory layout
-To be populated in Phase 2. Initial structure planned:
+To be populated as each sub-flavour is built. Initial structure planned:
 ```
 android/
-├── flagship/      # Pixel / GrapheneOS-fork build config
+├── os-pixel/        # 🔒 GrapheneOS-fork build config (Phase 2.1)
-├── galaxy/        # Samsung ROM build configs
+├── os-samsung/      # 🔒 Samsung ROM build configs (Phase 2.2)
-├── moto/          # Motorola ROM build configs
+├── os-motorola/     # 🔒 Motorola ROM build configs (Phase 2.3)
-├── profile/       # Generic profile installer + work-profile config
+├── enhanced/        # 🛡️ Generic profile installer + work-profile config (Phase 3A)
-└── shared/        # Common build infra, signing, OTA
+└── shared/          # Common build infra, signing, OTA
 ```
-## Verification gates (per-tier)
+## Verification gates
- ROM tiers: verified boot rooted in our key (Pixel only); reproducible builds; OTA signed and rollback-tested
+- **OS tiers**: verified boot rooted in our key (Pixel only); reproducible builds; OTA signed and rollback-tested
- Profile tier: Stack apps installed and functional; work-profile isolation verified
+- **Enhanced tier**: Stack apps installed and functional; work-profile isolation verified; no bootloader changes detected
- All tiers: telemetry-leak test (no Google services contact unless explicitly opted in by user)
+- **All tiers**: telemetry-leak test (no Google services contact unless explicitly opted in by user); SilverVPN integrated as default VPN
 ## Upstream we depend on
- **GrapheneOS** — Pixel flagship base
+- **GrapheneOS** — Pixel OS base
- **LineageOS** — Samsung / Motorola base
+- **LineageOS** — Samsung / Motorola OS base
 - **DivestOS** — additional hardening patches
 - **AOSP** — root upstream
 - **`SilverLABS/SilverVPN`** — MAUI Android client (existing)
 ## Note on naming
 The existing repo `SilverLABS/SilverDROID` (SilverSHELL AppStore Android client) is unrelated to this Android flavour despite the similar name. They serve different products.
--- a/docs/platform-matrix.md
+++ b/docs/platform-matrix.md
@@ -2,8 +2,17 @@
 The honest per-platform capability and pros/cons table. This is what a buyer sees on each product page so they can choose based on their actual constraint.
 ## The two product lines
 | Line | What it means | When you'd buy it |
 |---|---|---|
 | **🔒 SilverMetal OS** | We ship the OS or ROM | You're choosing a device with privacy as a priority, or you're willing to replace your existing OS |
 | **🛡️ SilverMetal Enhanced** | We harden the OS your device already runs | You can't or don't want to replace your OS — corporate device, iPhone, or you're staying on Windows |
 ## Hardening tiers
 Independent of product line, each platform has a tier reflecting how deep our hardening can physically reach:
 | Tier | What it means |
 |---|---|
 | **A — Fully controllable** | We own the kernel, boot chain, MAC framework, and update infrastructure |
@@ -13,20 +22,27 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
 ## Capability summary
-| Platform | Tier | Deliverable | Stack support |
+### SilverMetal OS (we ship the OS/ROM)
 | Platform | Tier | Deliverable | Stack |
 |---|---|---|---|
-| SilverMetal Linux | A | Custom Debian/Kicksecure-based ISO | Full, native |
+| **OS — Linux** | A | Custom Debian/Kicksecure-based ISO | Full, native |
-| SilverMetal Droid (Pixel) | B | GrapheneOS-fork ROM | Full, native |
+| **OS — Pixel** | B | GrapheneOS-fork ROM | Full, native |
-| SilverMetal Droid (Samsung) | C | LineageOS-fork ROM where bootloader unlocks; profile + Stack elsewhere | Full where ROM, Stack-only otherwise |
+| **OS — Samsung** | C | LineageOS-fork ROM (unlocked-bootloader models) | Full, native |
-| SilverMetal Droid (Motorola) | C | DivestOS/LineageOS-fork ROM on supported models | Full where supported |
+| **OS — Motorola** | C | DivestOS/LineageOS-fork ROM (supported models) | Full, native |
-| SilverMetal Droid (generic) | D | "Harden any Android" — Stack + work-profile config | Stack + config only |
+
-| SilverMetal Windows | C | LTSC IoT installer + hardening + Stack | Full (Stack apps run native) |
+### SilverMetal Enhanced (we harden the OS in place)
-| SilverMetal macOS | C-D | Signed config profile + setup script + Stack | Full (Stack apps run native) |
+
-| SilverMetal iOS | D | MDM profile + Stack from App Store | Full (Stack apps via App Store) |
+| Platform | Tier | Deliverable | Stack |
 |---|---|---|---|
 | **Enhanced — Windows** | C | LTSC IoT installer + hardening + Stack | Full (Stack apps run native) |
 | **Enhanced — macOS** | C-D | Signed config profile + setup script + Stack | Full (Stack apps run native) |
 | **Enhanced — iOS** | D | MDM profile + Stack from App Store | Full (Stack apps via App Store) |
 | **Enhanced — Android** | D | "Harden your existing Android" — Stack + work-profile config | Stack + config only |
 ## Per-platform pros / cons
-### SilverMetal Linux (Tier A)
+### 🔒 SilverMetal OS — Linux (Tier A)
 **Reference setup. The strongest possible SilverMetal device.**
 **Pros**
@@ -44,11 +60,11 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
 - Some games, particularly anti-cheat-protected titles, will not run
 - Hardware compatibility needs checking before purchase (Coreboot SKUs are best-supported)
-**Best for**: users whose work is browser + email + office docs + dev + comms; anyone who would otherwise install Linux themselves; the maximum-privacy buyer.
+**Best for**: maximum-privacy buyer; anyone whose work is browser + email + office docs + dev + comms.
 ---
-### SilverMetal Droid — Pixel flagship (Tier B)
+### 🔒 SilverMetal OS — Pixel (Tier B)
 **The secure-phone flagship. GrapheneOS-tier engineering.**
 **Pros**
@@ -64,30 +80,29 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
 - Some banking apps and corporate apps refuse to run on non-Play-Integrity devices (workaround: sandboxed Play, but breaks the airtight model)
 - Not all carriers support all Pixel models cleanly
-**Best for**: the "secure phone" buyer, journalists, activists, anyone who would otherwise buy an Encrochat-style rebadged phone but wants real engineering.
+**Best for**: the "secure phone" buyer; journalists, activists; anyone who would otherwise buy an Encrochat-style rebadged phone but wants real engineering.
 ---
-### SilverMetal Droid — Samsung (Tier C)
+### 🔒 SilverMetal OS — Samsung (Tier C)
-**For users on Samsung hardware. Variable depending on model and region.**
+**For users on Samsung hardware with unlockable bootloader.**
 **Pros**
 - Wide hardware availability and price range
- LineageOS / DivestOS fork for unlocked-bootloader regions gives most of the benefit
+- LineageOS / DivestOS fork on unlocked-bootloader regions delivers most of the benefit
- Knox security layer is genuinely capable on locked models
+- Knox security layer is genuinely capable (when bootloader is unlocked, Knox is tripped — accept this trade)
 - Full SilverLABS Stack supported either way
 **Cons**
- Many Samsung models — especially US-carrier models — have permanently locked bootloaders; we cannot replace the OS
+- Many Samsung models — especially US-carrier models — have permanently locked bootloaders; SilverMetal OS — Samsung is not available on those (use Enhanced — Android instead)
 - Even on unlocked bootloader, we lose verified boot rooting back to our key
- Knox tripped flag is permanent; some Samsung features (Samsung Pay, Knox-protected work apps) may stop working
+- Knox tripped flag is permanent; some Samsung features (Samsung Pay, Knox-protected work apps) stop working
-**Best for**: existing Samsung owners; buyers wanting a non-Pixel Android with strong-enough hardening.
+**Best for**: Samsung owners who want real ROM-level hardening and accept the Knox trade-off.
 ---
-### SilverMetal Droid — Motorola (Tier C)
+### 🔒 SilverMetal OS — Motorola (Tier C)
-**For users on Motorola hardware. Best Android option after Pixel for unlocked-bootloader hardening.**
+**For users on Motorola hardware. Best ROM option after Pixel for unlocked-bootloader hardening.**
 **Pros**
 - Many Moto models support bootloader unlock cleanly
@@ -104,26 +119,7 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
 ---
-### SilverMetal Droid — Generic / "harden my existing Android" (Tier D)
+### 🛡️ SilverMetal Enhanced — Windows (Tier C)
 **For users who already own an Android and won't / can't replace the ROM.**
 **Pros**
 - Works on virtually any Android 13+ device
 - Full SilverLABS Stack runs (Browser, VPN, Sync, etc.)
 - Work-profile-based isolation contains tracking apps in a managed sandbox
 - No bootloader unlock required; no warranty void
 **Cons**
 - We do not control the OS — Google + your OEM still do
 - Verified boot is your OEM's, not ours
 - Telemetry from OS-level Google services cannot be fully blocked without a ROM swap
 - Honest tier label: D, weakest Android tier
 **Best for**: existing Android owners who want privacy improvements without buying new hardware or unlocking their bootloader.
 ---
 ### SilverMetal Windows (Tier C)
 **For users locked into Windows-only software.**
 **Pros**
@@ -145,7 +141,7 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
 ---
-### SilverMetal macOS (Tier C-D)
+### 🛡️ SilverMetal Enhanced — macOS (Tier C-D)
 **For Mac-committed users.**
 **Pros**
@@ -166,7 +162,7 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
 ---
-### SilverMetal iOS (Tier D)
+### 🛡️ SilverMetal Enhanced — iOS (Tier D)
 **For iPhone users.**
 **Pros**
@@ -182,27 +178,46 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
 - Configuration profile + MDM applies; cannot modify iOS itself
 - Honest tier label: D, weakest tier in the family — *we say this in marketing*
-**Best for**: users whose threat model is commercial surveillance (not state-actor targeting) and who need to stay on iPhone for personal/work reasons.
+**Best for**: users whose threat model is commercial surveillance (not state-actor targeting) and who need to stay on iPhone.
 ---
 ### 🛡️ SilverMetal Enhanced — Android (Tier D)
 **For users who already own an Android (any vendor) and won't / can't replace the ROM.**
 **Pros**
 - Works on virtually any Android 13+ device — Samsung locked-bootloader models, OEMs we don't have ROMs for, hand-me-down phones
 - Full SilverLABS Stack runs (Browser, VPN, Sync, etc.)
 - Work-profile-based isolation contains tracking apps in a managed sandbox
 - No bootloader unlock required; no warranty void
 **Cons**
 - We do not control the OS — Google + your OEM still do
 - Verified boot is your OEM's, not ours
 - Telemetry from OS-level Google services cannot be fully blocked without a ROM swap
 - Honest tier label: D, weakest Android tier — *we say this in marketing*
 **Best for**: existing Android owners who want privacy improvements without buying new hardware or unlocking their bootloader.
 ## Decision flowchart
 ```
-Does the user need maximum privacy and is software-flexible?
+Are you choosing a new device, or hardening one you already own?
  → SilverMetal Linux
-Does the user need a phone, primarily?
+CHOOSING NEW
-  → Pixel? → SilverMetal Droid Flagship
+  Need maximum privacy and software-flexible?       → 🔒 SilverMetal OS — Linux
-  → Samsung/Motorola with unlocked bootloader? → matching ROM tier
+  Need a phone, primarily?
-  → iPhone or locked Android? → corresponding profile tier
+    Pixel ok?                                       → 🔒 SilverMetal OS — Pixel
    Samsung (unlocked bootloader region)?           → 🔒 SilverMetal OS — Samsung
    Motorola (supported model)?                     → 🔒 SilverMetal OS — Motorola
    Want iPhone?                                    → 🛡️ SilverMetal Enhanced — iOS
-Does the user need Windows-only software?
+ALREADY OWN A DEVICE
-  → SilverMetal Windows
+  Windows machine you keep?                          → 🛡️ SilverMetal Enhanced — Windows
-
+  Mac you keep?                                      → 🛡️ SilverMetal Enhanced — macOS
-Is the user Mac-committed?
+  iPhone you keep?                                   → 🛡️ SilverMetal Enhanced — iOS
-  → SilverMetal macOS
+  Android you keep (any model)?                      → 🛡️ SilverMetal Enhanced — Android
-
+  Linux laptop you'd convert?                        → 🔒 SilverMetal OS — Linux (re-install)
 Does the user already own a device they're keeping?
  → The corresponding "profile" or "harden existing" tier
 ```
 We do not push users between tiers. We tell them what each can deliver and let them choose.
--- a/docs/roadmap.md
+++ b/docs/roadmap.md
@@ -2,6 +2,8 @@
 Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met.
 The two product lines (**SilverMetal OS** and **SilverMetal Enhanced**) share the same roadmap because they share the SilverLABS Application Stack and the same supporting infrastructure. They diverge in delivery format only.
 ## Phase 0 — Foundation (current)
 **Goal**: get the architecture, threat model, and product principles documented and reviewed before writing OS code.
@@ -11,14 +13,15 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
 | 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place |
 | 0.2 | Umbrella docs | `README.md` + `docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md` complete and reviewed |
 | 0.3 | Gitea repo created and pushed | `SilverLABS/SilverMetal` exists on `git.silverlabs.uk` with this scaffold |
 | 0.4 | Naming framework + repo alignment locked | OS / Enhanced naming applied; SilverApple deprecation noted; SilverVPN integration scope defined |
-**Status**: in progress (this commit completes 0.1–0.3).
+**Status**: complete.
 ---
-## Phase 1 — SilverMetal Linux v1 (the MVP)
+## Phase 1 — SilverMetal OS — Linux v1 (the MVP)
-**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other platforms.
+**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other flavours.
 | # | Milestone | Done when |
 |---|---|---|
@@ -28,7 +31,7 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
 | 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min — zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints |
 | 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install → reboot → TPM unlock → desktop. Tamper test correctly falls back to passphrase |
 | 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated |
-| 1.7 | SilverVPN v1 integrated (WireGuard backbone) | Always-on default; kill-switch verified; account-number signup flow works |
+| 1.7 | SilverVPN integrated into image | Existing `SilverLABS/SilverVPN` Linux client + tunnel service preinstalled, always-on default; kill-switch verified |
 | 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content |
 | 1.9 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified |
 | 1.10 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented |
@@ -45,64 +48,74 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
 | # | Milestone | Done when |
 |---|---|---|
-| 1.1.1 | SilverChat v1 (Matrix-based) | Homeserver running; iOS/Android/Linux/Windows/Mac clients functional; account-number onboarding |
+| 1.1.1 | SilverChat v1 — alignment review | Decide whether to pull `SilverVPN.Client.Chat` in, fork it, or scope SilverChat as a separate effort. Outcome documented in `docs/decisions/` |
-| 1.1.2 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
+| 1.1.2 | SilverChat v1 client + homeserver | Cross-platform clients functional; account-number onboarding |
-| 1.1.3 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
+| 1.1.3 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
-| 1.1.4 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
+| 1.1.4 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
 | 1.1.5 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
 ---
-## Phase 2 — SilverMetal Droid
+## Phase 2 — SilverMetal OS — Droid (Pixel + Samsung + Motorola)
-**Goal**: ship Android coverage across all four tiers (Pixel flagship, Samsung, Motorola, generic profile).
+**Goal**: ship the three ROM-level Android tiers.
 | # | Milestone | Done when |
 |---|---|---|
-| 2.1 | Pixel flagship ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
+| 2.1 | OS — Pixel ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
-| 2.2 | Samsung tier (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
+| 2.2 | OS — Samsung (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
-| 2.3 | Motorola tier (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
+| 2.3 | OS — Motorola (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
-| 2.4 | Generic Android profile | "Harden my Android" installer: Stack apps + work-profile hardening config; works on Android 13+ |
+| 2.4 | Pixel preflashed pilot | 10 preflashed units shipped |
-| 2.5 | Android hardware SKU pilot | Pixel preflashed batch (10 units) + Moto preflashed batch (10 units) |
+| 2.5 | Motorola preflashed pilot | 10 preflashed units shipped |
 ---
-## Phase 3 — SilverMetal Windows
+## Phase 3 — SilverMetal Enhanced (the four hardening packages)
-**Goal**: ship the Windows hardening installer for users locked into Windows.
+**Goal**: ship Enhanced packages for Windows, macOS, iOS, and generic Android.
 The four Enhanced flavours can be developed largely in parallel since they share the SilverLABS Stack and don't depend on each other.
 ### 3W — Enhanced — Windows
 | # | Milestone | Done when |
 |---|---|---|
-| 3.1 | LTSC IoT base evaluated and licensed for our use | License path documented; base image acquired |
+| 3W.1 | LTSC IoT base licensed and acquired | License path documented |
-| 3.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
+| 3W.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
-| 3.3 | Stack ports for Windows | SilverBrowser/VPN/Sync/etc. native Windows builds, signed with our cert |
+| 3W.3 | Stack ports for Windows | SilverBrowser/Sync/etc. native Windows builds, signed with our cert. SilverVPN MAUI Windows client integrated |
-| 3.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
+| 3W.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
-| 3.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + SilverMetal hardening (10 units) |
+| 3W.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + Enhanced (10 units) |
-| 3.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimal Microsoft contact, documented (we cannot reach zero on Windows; we publish what remains) |
+| 3W.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimum-feasible Microsoft contact, documented |
 ---
 ## Phase 4 — Apple platforms (macOS + iOS profiles)
 **Goal**: ship signed configuration profiles, setup scripts, curated app guidance, and Stack ports for Apple platforms.
 ### 3M — Enhanced — macOS
 | # | Milestone | Done when |
 |---|---|---|
-| 4.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall |
+| 3M.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall |
-| 4.2 | macOS setup script | Idempotent script applies non-MDM hardening (default app changes, etc.) |
+| 3M.2 | macOS setup script | Idempotent script applies non-MDM hardening |
-| 4.3 | Stack ports for macOS | Universal binaries, notarised, signed with our Apple Developer cert |
+| 3M.3 | Stack ports for macOS | Universal binaries, notarised, signed |
-| 4.4 | iOS MDM profile | Signed `.mobileconfig` for users with personal MDM (or via free Apple Configurator) |
+
-| 4.5 | Stack ports for iOS | App Store releases (Browser may face Apple review constraints — fall back to webkit-based with our defaults) |
+### 3I — Enhanced — iOS (supersedes SilverApple)
-| 4.6 | Apple setup guide | Step-by-step published guide complementing the profiles |
+| # | Milestone | Done when |
 |---|---|---|
 | 3I.1 | Migrate / fold any usable assets from `SilverLABS/SilverApple` | Inventory of SilverApple done; reusable parts moved into `ios/`; SilverApple repo archived |
 | 3I.2 | iOS MDM profile | Signed `.mobileconfig` for personal MDM or Apple Configurator |
 | 3I.3 | Stack ports for iOS | App Store releases (Browser may face Apple WebKit constraints — fall back if needed) |
 | 3I.4 | Apple setup guide | Step-by-step published guide complementing the profiles |
 ### 3A — Enhanced — Android (generic)
 | # | Milestone | Done when |
 |---|---|---|
 | 3A.1 | Generic Android profile installer | "Harden my Android" — Stack apps + work-profile hardening config |
 | 3A.2 | Compatibility test matrix | Runs cleanly on Android 13+ across Samsung locked, OnePlus, Xiaomi, OEMs we don't have ROMs for |
 ---
-## Phase 5 — Hardening / immutability / Tor sibling
+## Phase 4 — Hardening / immutability / Tor sibling
 **Goal**: post-MVP improvements; not blocking earlier phases.
 - Atomic / immutable Linux variant (ostree)
 - dm-verity-protected `/`
- Tor-by-default sibling product (SilverMetal Onion or similar)
+- Tor-by-default sibling product
 - ARM64 / Apple Silicon Linux variant
 - Coreboot tooling improvements / additional reference hardware
@@ -110,15 +123,13 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
 ## Cross-cutting workstreams (always-on)
-These run in parallel with phases:
+- **Security advisories** — vulnerability response process from Phase 1.10 onward
-
+- **External audits** — annual or per-major-release third-party review
 - **Security advisories** — vulnerability response process from Phase 1.10 onward; signed advisories
 - **External audits** — annual or per-major-release third-party security review
 - **Documentation** — every phase's gate includes documentation update
 - **Community / support** — issue tracker, support channels, response SLOs
 ## Phase entry/exit philosophy
 - We do not start a phase until the previous one's exit criteria are met
- We *can* run cross-cutting workstreams in parallel
+- Cross-cutting workstreams run in parallel
 - A failing verification gate blocks the phase, full stop — no shipping with known regressions
--- a/ios/README.md
+++ b/ios/README.md
@@ -1,8 +1,18 @@
-# SilverMetal iOS
+# SilverMetal Enhanced — iOS
-**Status**: Phase 4 (planning, post-Windows v1)
+**Status**: Phase 3I (planning, post-Linux v1)
-Tier D — profile-layer only. Weakest tier in the family; labelled as such. We cannot modify iOS; we ship MDM profiles, App Store apps, and a setup guide.
+🛡️ **SilverMetal Enhanced product line** — we harden iOS in place. We cannot modify iOS itself.
 Tier D — profile-layer only. Weakest tier in the family; labelled as such. We ship MDM profiles, App Store apps, and a setup guide.
 ## Supersedes SilverApple
 This flavour replaces the earlier prototype [`SilverLABS/SilverApple`](https://git.silverlabs.uk/SilverLABS/SilverApple) ("Privacy-first iOS hardening suite"). Per Phase 3I.1 of the roadmap:
 - Inventory SilverApple's existing artefacts (MDM enrolment flow, SilverVPN onboarding, CalDAV/CardDAV setup)
 - Migrate any reusable parts into this directory
 - Archive the SilverApple repo on Gitea once migration is complete
 ## Scope (v1)
@@ -14,7 +24,7 @@ Tier D — profile-layer only. Weakest tier in the family; labelled as such. We
  - Default-app changes where iOS 18+ allows (Browser, Mail, etc.)
 - Stack ports via App Store:
  - SilverBrowser (subject to Apple WebKit constraints — fall back to a hardened-defaults wrapper if pure custom engine is forbidden)
-  - SilverVPN (NetworkExtension API)
+  - SilverVPN — already exists as a MAUI-based App Store candidate via [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN)
  - SilverSync (file/contact/calendar/photos providers)
  - SilverChat (post-v1.1)
  - SilverKeys (post-v1.1)
@@ -32,13 +42,14 @@ Tier D — profile-layer only. Weakest tier in the family; labelled as such. We
 ## Directory layout
-To be populated in Phase 4:
+To be populated in Phase 3I:
 ```
 ios/
-├── profile/         # .mobileconfig sources, signing
+├── profile/           # .mobileconfig sources, signing
-├── stack/           # iOS-specific Stack app builds (Xcode projects)
+├── stack/             # iOS-specific Stack app builds (Xcode projects)
-└── docs/            # setup guide, recommended apps, threat-tier disclaimer
+├── from-silverapple/  # migrated artefacts from the deprecated SilverApple repo
 └── docs/              # setup guide, recommended apps, threat-tier disclaimer
 ```
 ## Verification gates
--- a/linux/README.md
+++ b/linux/README.md
@@ -1,7 +1,9 @@
-# SilverMetal Linux
+# SilverMetal OS — Linux
 **Status**: Phase 1 (planning) → moving to milestone 1.1 (reproducible Kicksecure fork build)
 🔒 **SilverMetal OS product line** — we ship the operating system.
 The reference SilverMetal flavour. Tier A — full kernel-level hardening, verified boot we control, Debian/Kicksecure-based.
 ## Scope (v1)
@@ -19,6 +21,8 @@ See [`../docs/roadmap.md`](../docs/roadmap.md) Phase 1.
 - nftables default-deny inbound, encrypted DNS, SilverVPN always-on default
 - Zero upstream telemetry — verified by integration test
 - SilverBrowser default (ungoogled-chromium-rebranded v1)
 - SilverVPN integrated from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) (Linux client + tunnel service)
 - SilverSync v1 (Nextcloud-backed, client-side encryption)
 - A/B updates with rollback, signed by our keys
 - Optional amnesic session mode
@@ -65,3 +69,4 @@ linux/
 - **GrapheneOS hardened_malloc** — allocator
 - **KSPP** — kernel config authority
 - **secureblue** — reference for v1.1 immutable design
 - **`SilverLABS/SilverVPN`** — VPN client + tunnel service (existing, integrated)
--- a/macos/README.md
+++ b/macos/README.md
@@ -1,8 +1,10 @@
-# SilverMetal macOS
+# SilverMetal Enhanced — macOS
-**Status**: Phase 4 (planning, post-Windows v1)
+**Status**: Phase 3M (planning, post-Linux v1)
-Tier C-D — signed configuration profile + setup script + Stack ports. We cannot modify macOS; we configure everything Apple exposes.
+🛡️ **SilverMetal Enhanced product line** — we harden macOS in place. Apple's signed boot chain prevents an OS replacement.
 Tier C-D — signed configuration profile + setup script + Stack ports. We configure everything Apple exposes.
 ## Scope (v1)
@@ -14,6 +16,7 @@ Tier C-D — signed configuration profile + setup script + Stack ports. We canno
  - Enables Lockdown Mode (per-user opt-in guidance)
 - Idempotent setup script for non-MDM hardening (default-app changes, Safari→SilverBrowser, etc.)
 - Stack ports for macOS (universal binaries, notarised, signed)
 - SilverVPN MAUI macOS client from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN)
 - Setup guide for hardware-key 2FA, anti-forensics
 ## Out of scope
@@ -24,7 +27,7 @@ Tier C-D — signed configuration profile + setup script + Stack ports. We canno
 ## Directory layout
-To be populated in Phase 4:
+To be populated in Phase 3M:
 ```
 macos/
@@ -46,3 +49,4 @@ macos/
 - **Apple macOS** — base, unmodified
 - **macOS Privacy Guide / privacy.sexy** — reference for hardening configs
 - **Lockdown Mode** — Apple-provided, documented and enabled
 - **`SilverLABS/SilverVPN`** — MAUI macOS client (existing)
--- a/stack/README.md
+++ b/stack/README.md
@@ -1,16 +1,16 @@
 # SilverLABS Application Stack
-The cross-platform spine of SilverMetal. These apps replace the cloud services your device normally talks to. Same brand, same account, same data on every platform.
+The cross-platform spine of SilverMetal. These apps replace the cloud services your device normally talks to. Same brand, same account, same data on every platform — whether the user picked a 🔒 SilverMetal OS flavour or a 🛡️ SilverMetal Enhanced flavour.
 ## Components
 | Component | Status | Purpose |
 |---|---|---|
 | [`browser/`](browser/) — **SilverBrowser** | v1 (Linux MVP) | De-Googled, telemetry-free browser |
-| [`vpn/`](vpn/) — **SilverVPN** | v1 (Linux MVP) | Always-on, no-logs VPN with our infrastructure |
+| [`vpn/`](vpn/) — **SilverVPN** | **Existing** — see [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN). This directory tracks integration only | Always-on, no-logs VPN with our infrastructure |
 | [`sync/`](sync/) — **SilverSync** | v1 (Linux MVP) | Private replacement for iCloud/Google/OneDrive |
-| [`chat/`](chat/) — **SilverChat** | v1.1 | E2EE messenger |
+| [`chat/`](chat/) — **SilverChat** | v1.1 — *may overlap with `SilverVPN.Client.Chat`; alignment decision pending* | E2EE messenger |
-| [`duress/`](duress/) — **SilverDuress** | v1.1 | Duress password / panic-wipe / anti-coercion |
+| [`duress/`](duress/) — **SilverDuress** | v1.1 | Duress password / panic-wipe |
 | [`keys/`](keys/) — **SilverKeys** | v1.1 | Zero-knowledge password + 2FA manager |
 | [`shared/`](shared/) — common code | ongoing | Account SDK, crypto primitives, branding |
@@ -23,29 +23,29 @@ Users get a **SilverLABS account number** (Mullvad-style — random, no email, n
 Each app is built natively per platform — no Electron sprawl where avoidable:
 - **Linux**: native `.deb` + Flatpak
- **Android**: native APK / AAB
+- **Android**: native APK / AAB (or MAUI where SilverVPN already provides it)
 - **Windows**: native MSI / EXE (signed)
 - **macOS**: universal binary `.pkg` (notarised)
 - **iOS**: App Store
-Where a single codebase (e.g., Tauri / Rust core) lets us hit multiple platforms with a thin native UI shell, we use it. We avoid Electron unless the cost of native is unjustifiable.
+Where a single codebase (e.g., MAUI as SilverVPN already does, or Tauri/Rust core for Browser/Sync/Keys) lets us hit multiple platforms with thin native UI shells, we use it. We avoid Electron unless the cost of native is unjustifiable.
 ## v1 ship order
 For SilverMetal OS — Linux v1:
 1. **SilverBrowser** — ungoogled-chromium-derived, our defaults, our update channel
-2. **SilverVPN** — WireGuard-based, our exit nodes, account-number signup
+2. **SilverVPN** integration — existing product, integrated into our ISO with always-on defaults and kill-switch
-3. **SilverSync** — Nextcloud-backed (server side), client-side encryption, native clients
+3. **SilverSync** — Nextcloud-backed (server side), client-side encryption, native Linux client
-These three ship with SilverMetal Linux v1.
+These three ship with SilverMetal OS — Linux v1. v1.1 adds Chat, Duress, Keys.
 v1.1 adds Chat, Duress, Keys.
 ## Server side
-The Stack server components live in separate repositories under `SilverLABS/`:
+Server components live in separate repositories:
- `silver-vpn-infra` — WireGuard exit-node infrastructure (Terraform / Ansible)
+- `SilverLABS/SilverVPN` — already exists; includes server stack
- `silver-sync-server` — Nextcloud + Radicale + Baïkal stack
+- `SilverLABS/silver-sync-server` *(to be created)* — Nextcloud + Radicale + Baïkal stack
- `silver-chat-homeserver` — Matrix Synapse / Dendrite
+- `SilverLABS/silver-chat-homeserver` *(to be created OR may live under SilverVPN)* — depends on v1.1.1 alignment decision
- `silver-account` — account-number issuance + auth gateway
+- `SilverLABS/silver-account` *(to be created)* — account-number issuance + auth gateway
 Self-hostable counterparts are documented for users who don't want to use SilverLABS infrastructure.
--- a/stack/vpn/README.md
+++ b/stack/vpn/README.md
@@ -1,40 +1,60 @@
-# SilverVPN
+# SilverVPN — Integration Pointer
-**Status**: v1 (Linux MVP) — planning
+> **The SilverVPN component already exists as a separate, in-production SilverLABS product.**
 > This directory does not re-implement it; it tracks the integration of the existing SilverVPN into SilverMetal OS images and Enhanced packages.
-Always-on VPN with no logs, run on SilverLABS infrastructure. Mullvad-style account-number signup (no email, no name).
+## Where SilverVPN lives
-## v1 approach
+[`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) — local checkout typically at `../SilverVPN/`.
- **Protocol**: WireGuard. Period. (Battle-tested, tiny attack surface, performant.)
+The product includes:
- **Account**: random 16-digit account number; no email, no PII
+- `.NET 9` server stack: API, admin dashboard, web client, Docker images
- **Payment**: separate channel (SilverDotPay / crypto / payment processor) with no link back to account number
+- `SilverVPN.Client.Maui` — cross-platform native client (Windows, macOS, Android, iOS)
- **Exit nodes**: SilverLABS-operated initially; geographically diverse
+- `SilverVPN.Client.Linux` — dedicated Linux client
- **Kill-switch**: enforced at firewall layer (nftables on Linux, NetworkExtension content filters on Apple)
+- `SilverVPN.Client.Web` / `SilverVPN.Client.Web.Host` — browser-based client
- **DNS**: encrypted DNS through tunnel; no DNS leaks
+- `SilverVPN.TunnelService` / `SilverVPN.TunnelService.Linux` — tunnel daemon
- **Per-device keys**: each device gets its own WireGuard key; revoke per-device
+- `SilverVPN.Tunnel.Shared` — shared tunnel code
 - `libbox-bridge` — sing-box / sing-tun integration layer
 - Debian packaging (`build-deb.sh`, `debian/`)
 - OpenWrt support (`openwrt/`)
 - Production releases ongoing
-## Server-side
+## SilverMetal's responsibility
-Lives in `SilverLABS/silver-vpn-infra` (separate repo). This repo holds the **client** code only.
+This directory tracks **integration**, not development. Integration tasks per platform:
-## What we do not do
+### SilverMetal OS — Linux
 - [ ] Include `silvervpn` `.deb` (built from `../SilverVPN/build-deb.sh`) in `linux/packages/include.list`
 - [ ] Bundle `SilverVPN.TunnelService.Linux` as a default systemd service
 - [ ] Configure SilverVPN to be **always-on by default** with our exit nodes preconfigured
 - [ ] Verify nftables kill-switch coexists with the SilverVPN tunnel service
 - [ ] Validate DNS through tunnel (no leaks)
 - [ ] Auto-launch `SilverVPN.Client.Linux` on first login for account-number entry
- We do not log connection metadata beyond what is operationally required (typically just real-time peer state, not retained)
+### SilverMetal OS — Pixel / Samsung / Motorola
- We do not bundle ad-blocking — that's the browser's job, not the VPN's
+- [ ] Bundle SilverVPN MAUI client APK into ROM build (or system app)
- We do not bundle tracker-blocking heuristics in the VPN — that risks false positives that break sites
+- [ ] Configure as default VPN provider via Android `VpnService`
- We do not run a "free tier" with a different infrastructure — paid users and free users (if any) get the same server quality
+- [ ] Always-on VPN enforced at OS level (`Settings > VPN > Always-on`)
-## Per-platform clients
+### SilverMetal Enhanced — Windows
 - [ ] Bundle MAUI Windows client into hardening installer
 - [ ] Set up auto-start on boot
 - [ ] Kill-switch enforced via Windows Filtering Platform rules
- **Linux**: GTK + native daemon (`silvervpn-daemon` running as systemd service)
+### SilverMetal Enhanced — macOS
- **Android**: VpnService-based, native UI
+- [ ] Bundle MAUI macOS client into setup `.pkg`
- **Windows**: WireGuard tunnel service + tray UI (signed)
+- [ ] NetworkExtension content filter for kill-switch
 - **macOS**: NetworkExtension, signed and notarised
 - **iOS**: NetworkExtension via App Store
-## Verification
+### SilverMetal Enhanced — iOS
 - [ ] SilverVPN App Store listing referenced in iOS setup guide
 - [ ] MDM profile pre-configures SilverVPN as default
- Kill-switch test: disconnect upstream, verify zero packets leak
+### SilverMetal Enhanced — Android (generic)
- DNS-leak test: capture DNS during tunnel-up; all queries must traverse the tunnel
+- [ ] SilverVPN MAUI APK referenced as required install in profile
- Reconnect test: WAN flap, verify reconnect without temporary leak
+- [ ] Work-profile config sets it as system VPN
 ## Coordination
 Changes that affect SilverMetal integration (e.g., `silvervpn` package layout, default endpoints, account-number CLI) should be flagged in this directory's CHANGELOG (to be created when first integration milestone starts) so the SilverMetal build pipeline can react.
 Cross-repo issues that touch both projects should be opened in whichever repo owns the change, with a back-reference in the other.
--- a/windows/README.md
+++ b/windows/README.md
@@ -1,6 +1,8 @@
-# SilverMetal Windows
+# SilverMetal Enhanced — Windows
-**Status**: Phase 3 (planning, post-Linux v1)
+**Status**: Phase 3W (planning, post-Linux v1)
 🛡️ **SilverMetal Enhanced product line** — we harden Windows in place; we do not ship a custom Windows kernel (Microsoft does not permit that).
 Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes.
@@ -16,6 +18,7 @@ LTSC IoT-based installer that transforms a vanilla Windows install into a Silver
 - Telemetry blocked at hosts file + service + GP layers
 - Edge / Chrome replaced with SilverBrowser default
 - Full SilverLABS Stack preinstalled (native Windows builds)
 - SilverVPN MAUI Windows client integrated from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN)
 ## Out of scope
@@ -25,7 +28,7 @@ LTSC IoT-based installer that transforms a vanilla Windows install into a Silver
 ## Directory layout
-To be populated in Phase 3. Initial structure planned:
+To be populated in Phase 3W. Initial structure planned:
 ```
 windows/
@@ -49,3 +52,4 @@ windows/
 - **Windows 11 IoT Enterprise LTSC** — base OS (licensed)
 - **AtlasOS / ReviOS / privacy.sexy** — reference for hardening configs
 - **Chris Titus Tech / O&O ShutUp10** — reference for telemetry blocking
 - **`SilverLABS/SilverVPN`** — MAUI Windows client (existing)