chore(scaffold): initial SilverMetal program scaffold

Cross-platform privacy-hardening program. Two-layer product: - SilverLABS Application Stack (cross-platform spine) - Platform Hardening Profiles (per-OS, tier-honest) Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic), Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has both a preflashed hardware SKU path and a self-apply "harden your existing device" path. Includes umbrella docs (README + threat-model, design-principles, platform-matrix, roadmap, trust-model), per-platform and per-stack- component README stubs, .gitignore, LICENSE. Linux v1 ships first; Stack v1 = Browser + VPN + Sync. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:11:48 +01:00
commit 7d5f9cc246
23 changed files with 1381 additions and 0 deletions
--- a/stack/duress/README.md
+++ b/stack/duress/README.md
@@ -0,0 +1,37 @@
+# SilverDuress
+
+**Status**: v1.1 (planning)
+
+Duress password / panic-wipe / anti-coercion. The "I am being forced to unlock this device" feature.
+
+## What it does
+
+- **Duress password**: an alternate password that, when entered, *appears to unlock normally* but actually triggers a configured action
+- **Panic-wipe**: secure erasure of encrypted volumes / keys
+- **Decoy unlock**: opens a clean profile / sandbox containing decoy data
+- **Silent alert**: optional outbound signal to trusted contact / SilverLABS service that duress was activated
+
+User configures which behaviours apply.
+
+## Per-platform implementation
+
+| Platform | Mechanism | Strength |
+|---|---|---|
+| **Linux** | PAM module — duress passphrase wipes LUKS keys / drops to decoy profile | Strong |
+| **Android (Pixel ROM)** | Inherited from GrapheneOS duress PIN | Strong |
+| **Android (other)** | Best-effort: app-level duress action when SilverLABS Stack apps are unlocked with duress credential | Moderate |
+| **Windows** | Group Policy + scheduled task triggered by duress credential entry; BitLocker key destruction | Moderate (closed kernel limits us) |
+| **macOS** | Configuration profile + login script; FileVault key destruction on duress | Moderate |
+| **iOS** | OS-provided erase-after-failed-attempts (Apple primitive); Stack-app-level duress where feasible | Limited (we cannot run code at unlock) |
+
+The per-platform table is shown to users in the SilverDuress setup UI so they understand what's possible on their device.
+
+## Non-goals
+
+- Not a "tracking your stolen phone" feature — different product, different threat model
+- Not a "remote wipe" service — that requires constant network and trust in the wipe operator. We may offer it later, but v1.1 is local-only.
+
+## Risks we acknowledge
+
+- A sufficiently sophisticated adversary may forensically recover from a partial wipe — we use cryptographic erasure (destroy the key, not the data) which is robust against this
+- A coerced user may be unable to remember to use the duress password — we document this clearly in the setup UI; this is a fundamental limitation, not a SilverMetal-specific one