SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(scaffold): initial SilverMetal program scaffold

Browse Source 
Cross-platform privacy-hardening program. Two-layer product:
- SilverLABS Application Stack (cross-platform spine)
- Platform Hardening Profiles (per-OS, tier-honest)

Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic),
Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has
both a preflashed hardware SKU path and a self-apply "harden your existing
device" path.

Includes umbrella docs (README + threat-model, design-principles,
platform-matrix, roadmap, trust-model), per-platform and per-stack-
component README stubs, .gitignore, LICENSE.

Linux v1 ships first; Stack v1 = Browser + VPN + Sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
SysAdmin
2026-04-25 03:11:48 +01:00
commit 7d5f9cc246
23 changed files with 1381 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
stack/README.md Normal file
View File

@@ -0,0 +1,51 @@
# SilverLABS Application Stack
The cross-platform spine of SilverMetal. These apps replace the cloud services your device normally talks to. Same brand, same account, same data on every platform.
## Components
| Component | Status | Purpose |
|---|---|---|
| [`browser/`](browser/) — **SilverBrowser** | v1 (Linux MVP) | De-Googled, telemetry-free browser |
| [`vpn/`](vpn/) — **SilverVPN** | v1 (Linux MVP) | Always-on, no-logs VPN with our infrastructure |
| [`sync/`](sync/) — **SilverSync** | v1 (Linux MVP) | Private replacement for iCloud/Google/OneDrive |
| [`chat/`](chat/) — **SilverChat** | v1.1 | E2EE messenger |
| [`duress/`](duress/) — **SilverDuress** | v1.1 | Duress password / panic-wipe / anti-coercion |
| [`keys/`](keys/) — **SilverKeys** | v1.1 | Zero-knowledge password + 2FA manager |
| [`shared/`](shared/) — common code | ongoing | Account SDK, crypto primitives, branding |
## Account model
Users get a **SilverLABS account number** (Mullvad-style — random, no email, no name). One account → all Stack apps. Payment is processed separately (SilverDotPay / cryptocurrency option) with no link back to the account number.
## Cross-platform build philosophy
Each app is built natively per platform — no Electron sprawl where avoidable:
- **Linux**: native `.deb` + Flatpak
- **Android**: native APK / AAB
- **Windows**: native MSI / EXE (signed)
- **macOS**: universal binary `.pkg` (notarised)
- **iOS**: App Store
Where a single codebase (e.g., Tauri / Rust core) lets us hit multiple platforms with a thin native UI shell, we use it. We avoid Electron unless the cost of native is unjustifiable.
## v1 ship order
1. **SilverBrowser** — ungoogled-chromium-derived, our defaults, our update channel
2. **SilverVPN** — WireGuard-based, our exit nodes, account-number signup
3. **SilverSync** — Nextcloud-backed (server side), client-side encryption, native clients
These three ship with SilverMetal Linux v1.
v1.1 adds Chat, Duress, Keys.
## Server side
The Stack server components live in separate repositories under `SilverLABS/`:
- `silver-vpn-infra` — WireGuard exit-node infrastructure (Terraform / Ansible)
- `silver-sync-server` — Nextcloud + Radicale + Baïkal stack
- `silver-chat-homeserver` — Matrix Synapse / Dendrite
- `silver-account` — account-number issuance + auth gateway
Self-hostable counterparts are documented for users who don't want to use SilverLABS infrastructure.

43
stack/browser/README.md Normal file
View File

@@ -0,0 +1,43 @@
# SilverBrowser
**Status**: v1 (Linux MVP) — planning
A de-Googled, telemetry-free, fingerprint-resistant browser. Ships as the default on every SilverMetal platform.
## v1 approach
Rebrand of **ungoogled-chromium** with our defaults baked in:
- All Google-services calls stripped (already done by ungoogled-chromium upstream)
- Update channel pointed at our infrastructure
- DNS-over-HTTPS to our resolver default
- WebRTC IP leak prevention enabled
- Strict referrer policy
- Aggressive third-party cookie + tracker blocking via uBlock Origin preinstalled and pinned
- Search engine: privacy-respecting default (DuckDuckGo / Brave Search), Google removed
- No telemetry, no auto-update phone-home, no field trials
- New-tab page = blank or SilverLABS-branded local page (no remote fetch)
## v2 direction (post-MVP)
Evaluate forking Mullvad Browser instead, or maintaining our own Firefox / Gecko fork. Decision criteria:
- Maintenance burden vs. feature gap
- Anti-fingerprinting rigour (Mullvad/Tor leads here)
- Compatibility with mainstream sites users need
## What this is **not**
- Not a Tor browser — that's a separate use case
- Not a "dark web browser" — that framing is wrong; this is a daily-driver browser with privacy defaults
- Not a Brave fork — Brave's BAT/Rewards model is incompatible with our principles
## Per-platform builds
- **Linux**: `.deb` + Flatpak
- **Android**: APK based on Bromite-successor patches (Cromite or similar)
- **Windows**: MSI, signed
- **macOS**: notarised `.pkg`
- **iOS**: webkit-shell with our defaults — Apple does not permit non-WebKit engines on iOS today
## Repository
Build configs and patch sets land here. Upstream is tracked as a submodule or pinned tarball.

32
stack/chat/README.md Normal file
View File

@@ -0,0 +1,32 @@
# SilverChat
**Status**: v1.1 (planning)
End-to-end encrypted messenger. Ships post-MVP.
## Approach (tentative — to be finalised before v1.1)
Two candidate paths:
1. **Matrix-based** — Synapse or Dendrite homeserver, custom client per platform. Pros: federated, mature, large existing ecosystem. Cons: metadata leakage in federation, complex protocol.
2. **Signal-protocol-based** — fork the Signal codebase, run own server. Pros: gold-standard cryptography, simpler client. Cons: forking the Signal protocol is socially fraught; less feature-rich than Matrix.
Decision documented in `docs/decisions/` once made.
## Non-negotiables
- Account-number-based identity (not phone, not email)
- E2EE by default, no opt-out
- Self-hostable server
- No telemetry from client
- Forward secrecy
- Backup keys remain on user devices
## Per-platform clients
To be defined post-decision. Likely Tauri-based or per-platform-native depending on protocol choice.
## Out of scope (for now)
- Voice/video calling — v1.2+
- Group sizes >100 — Matrix supports, but we may cap at 100 for v1.1 simplicity

37
stack/duress/README.md Normal file
View File

@@ -0,0 +1,37 @@
# SilverDuress
**Status**: v1.1 (planning)
Duress password / panic-wipe / anti-coercion. The "I am being forced to unlock this device" feature.
## What it does
- **Duress password**: an alternate password that, when entered, *appears to unlock normally* but actually triggers a configured action
- **Panic-wipe**: secure erasure of encrypted volumes / keys
- **Decoy unlock**: opens a clean profile / sandbox containing decoy data
- **Silent alert**: optional outbound signal to trusted contact / SilverLABS service that duress was activated
User configures which behaviours apply.
## Per-platform implementation
| Platform | Mechanism | Strength |
|---|---|---|
| **Linux** | PAM module — duress passphrase wipes LUKS keys / drops to decoy profile | Strong |
| **Android (Pixel ROM)** | Inherited from GrapheneOS duress PIN | Strong |
| **Android (other)** | Best-effort: app-level duress action when SilverLABS Stack apps are unlocked with duress credential | Moderate |
| **Windows** | Group Policy + scheduled task triggered by duress credential entry; BitLocker key destruction | Moderate (closed kernel limits us) |
| **macOS** | Configuration profile + login script; FileVault key destruction on duress | Moderate |
| **iOS** | OS-provided erase-after-failed-attempts (Apple primitive); Stack-app-level duress where feasible | Limited (we cannot run code at unlock) |
The per-platform table is shown to users in the SilverDuress setup UI so they understand what's possible on their device.
## Non-goals
- Not a "tracking your stolen phone" feature — different product, different threat model
- Not a "remote wipe" service — that requires constant network and trust in the wipe operator. We may offer it later, but v1.1 is local-only.
## Risks we acknowledge
- A sufficiently sophisticated adversary may forensically recover from a partial wipe — we use cryptographic erasure (destroy the key, not the data) which is robust against this
- A coerced user may be unable to remember to use the duress password — we document this clearly in the setup UI; this is a fundamental limitation, not a SilverMetal-specific one

41
stack/keys/README.md Normal file
View File

@@ -0,0 +1,41 @@
# SilverKeys
**Status**: v1.1 (planning)
Zero-knowledge password + 2FA + key manager. Synced via SilverSync.
## Approach (tentative — to be finalised)
Most likely **fork Bitwarden** (server + clients are open source, mature, well-audited) and:
- Replace the account model with our SilverLABS account number
- Replace the server with one running on SilverSync infrastructure
- Strip telemetry / phone-home in clients
- Re-skin to SilverMetal branding
Alternative: lightweight KeePassXC-derived client with our own sync layer. Simpler but less feature-rich.
## Non-negotiables
- Zero-knowledge: server cannot read vault content
- Argon2id KDF for master password
- Multi-device sync via SilverSync
- TOTP / WebAuthn / hardware-key (YubiKey) support
- Open source clients
- No telemetry
## Per-platform clients
- **Linux**: native (Tauri / Rust) or web-app
- **Android**: Bitwarden-fork rebranded
- **Windows**: Bitwarden-fork rebranded
- **macOS**: Bitwarden-fork rebranded
- **iOS**: Bitwarden-fork rebranded
- **Browser extension**: SilverBrowser-bundled by default; available for non-SilverBrowser too
## Migration
Bitwarden vault import works out-of-the-box with the fork. Documented procedures for migration from:
- 1Password
- LastPass
- Chrome / Safari / Firefox saved passwords
- KeePassXC

20
stack/shared/README.md Normal file
View File

@@ -0,0 +1,20 @@
# Stack — Shared
Common code shared across SilverLABS Stack components:
- **Account SDK** — SilverLABS account-number issuance, auth, session management
- **Crypto primitives** — vetted wrappers for Argon2id, AES-GCM, ChaCha20-Poly1305, X25519, Ed25519
- **Branding tokens** — fonts, logos, colours, design tokens
- **Update client** — common update-check + signature-verify code reused by all Stack apps
To be populated as each Stack component reaches a point where shared code makes sense (typically v1 → v1.1 transition).
## Language / runtime choice
Default to **Rust** for shared crypto and account SDK code, with bindings/bridges per platform language:
- Kotlin / Java for Android
- Swift / Obj-C for Apple platforms
- C# for Windows native integration where required
- TypeScript bindings for browser extensions / web UI
Rust gives memory safety, performance, and a single source of truth for the security-critical parts.

52
stack/sync/README.md Normal file
View File

@@ -0,0 +1,52 @@
# SilverSync
**Status**: v1 (Linux MVP) — planning
A private replacement for iCloud / Google Drive / OneDrive. Contacts, calendar, files, photos, notes — synced across all your SilverMetal devices, encrypted client-side, zero-knowledge to the server.
## v1 scope
- **Contacts** — CardDAV
- **Calendar** — CalDAV
- **Files** — WebDAV with client-side encryption (E2EE)
- **Photos** — file-based, with client-side encryption
v1.1 adds Notes, Tasks.
## Server side
Lives in `SilverLABS/silver-sync-server` (separate repo). Stack:
- **Nextcloud** for files / photos (with E2EE app)
- **Radicale** or **Baïkal** for CardDAV / CalDAV
- Behind SilverVPN by default for transport-layer privacy
- Self-hostable — the same stack runs on a user's home server
## Client-side encryption
- Files: each file encrypted with a per-file content key; content keys wrapped with a user-derived master key (Argon2id from passphrase + account number)
- Server stores only ciphertext + opaque metadata
- Server cannot read filenames in their entirety (filename encryption mode in Nextcloud E2EE)
- Master key never leaves the device
## Per-platform clients
- **Linux**: GNOME / Plasma evolution, native CardDAV/CalDAV via existing tooling; Nextcloud client for files
- **Android**: DAVx⁵ (CardDAV/CalDAV) + Nextcloud Android client (rebranded)
- **Windows**: Nextcloud Windows client (rebranded) + Outlook integration
- **macOS**: Nextcloud macOS client (rebranded) + native Calendar/Contacts integration
- **iOS**: Nextcloud iOS app (rebranded) + iOS native CardDAV/CalDAV providers
## What this is not
- Not a "free Google replacement for everyone" — server costs are real, paid tier funds them
- Not a CDN — files sync between user's devices, not at internet scale
- Not a backup product — this is sync; backup is a separate concern (offer integration with restic/borg later)
## Migration
Documented procedures for users coming from:
- iCloud → SilverSync
- Google → SilverSync
- OneDrive → SilverSync
These guides are critical for onboarding and live in `docs/` of this directory once the client ships.

40
stack/vpn/README.md Normal file
View File

@@ -0,0 +1,40 @@
# SilverVPN
**Status**: v1 (Linux MVP) — planning
Always-on VPN with no logs, run on SilverLABS infrastructure. Mullvad-style account-number signup (no email, no name).
## v1 approach
- **Protocol**: WireGuard. Period. (Battle-tested, tiny attack surface, performant.)
- **Account**: random 16-digit account number; no email, no PII
- **Payment**: separate channel (SilverDotPay / crypto / payment processor) with no link back to account number
- **Exit nodes**: SilverLABS-operated initially; geographically diverse
- **Kill-switch**: enforced at firewall layer (nftables on Linux, NetworkExtension content filters on Apple)
- **DNS**: encrypted DNS through tunnel; no DNS leaks
- **Per-device keys**: each device gets its own WireGuard key; revoke per-device
## Server-side
Lives in `SilverLABS/silver-vpn-infra` (separate repo). This repo holds the **client** code only.
## What we do not do
- We do not log connection metadata beyond what is operationally required (typically just real-time peer state, not retained)
- We do not bundle ad-blocking — that's the browser's job, not the VPN's
- We do not bundle tracker-blocking heuristics in the VPN — that risks false positives that break sites
- We do not run a "free tier" with a different infrastructure — paid users and free users (if any) get the same server quality
## Per-platform clients
- **Linux**: GTK + native daemon (`silvervpn-daemon` running as systemd service)
- **Android**: VpnService-based, native UI
- **Windows**: WireGuard tunnel service + tray UI (signed)
- **macOS**: NetworkExtension, signed and notarised
- **iOS**: NetworkExtension via App Store
## Verification
- Kill-switch test: disconnect upstream, verify zero packets leak
- DNS-leak test: capture DNS during tunnel-up; all queries must traverse the tunnel
- Reconnect test: WAN flap, verify reconnect without temporary leak