# Roadmap Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met. ## Phase 0 — Foundation (current) **Goal**: get the architecture, threat model, and product principles documented and reviewed before writing OS code. | # | Milestone | Done when | |---|---|---| | 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place | | 0.2 | Umbrella docs | `README.md` + `docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md` complete and reviewed | | 0.3 | Gitea repo created and pushed | `SilverLABS/SilverMetal` exists on `git.silverlabs.uk` with this scaffold | **Status**: in progress (this commit completes 0.1–0.3). --- ## Phase 1 — SilverMetal Linux v1 (the MVP) **Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other platforms. | # | Milestone | Done when | |---|---|---| | 1.1 | Kicksecure fork builds reproducibly | `live-build` produces identical SHA256 across two clean builds | | 1.2 | Hardening overlay applied | KSPP audit passes; Lynis ≥ 90 in CI; AppArmor strict profiles loaded | | 1.3 | hardened_malloc integrated as system allocator | Verified active for user sessions; no regressions | | 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min — zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints | | 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install → reboot → TPM unlock → desktop. Tamper test correctly falls back to passphrase | | 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated | | 1.7 | SilverVPN v1 integrated (WireGuard backbone) | Always-on default; kill-switch verified; account-number signup flow works | | 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content | | 1.9 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified | | 1.10 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented | | 1.11 | External privacy-engineering review | One independent reviewer (Kicksecure / Whonix community) signs off on threat-model fidelity | | 1.12 | Hardware SKU pilot batch | 10 preflashed Coreboot-supported laptops shipped and validated | **Exit criteria for Phase 1**: alpha is publicly downloadable, all verification gates green, hardware SKU available for purchase. --- ## Phase 1.1 — Stack expansion **Goal**: complete the SilverLABS Application Stack so v1.1 ships with the full suite. | # | Milestone | Done when | |---|---|---| | 1.1.1 | SilverChat v1 (Matrix-based) | Homeserver running; iOS/Android/Linux/Windows/Mac clients functional; account-number onboarding | | 1.1.2 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified | | 1.1.3 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients | | 1.1.4 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful | --- ## Phase 2 — SilverMetal Droid **Goal**: ship Android coverage across all four tiers (Pixel flagship, Samsung, Motorola, generic profile). | # | Milestone | Done when | |---|---|---| | 2.1 | Pixel flagship ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key | | 2.2 | Samsung tier (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay | | 2.3 | Motorola tier (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay | | 2.4 | Generic Android profile | "Harden my Android" installer: Stack apps + work-profile hardening config; works on Android 13+ | | 2.5 | Android hardware SKU pilot | Pixel preflashed batch (10 units) + Moto preflashed batch (10 units) | --- ## Phase 3 — SilverMetal Windows **Goal**: ship the Windows hardening installer for users locked into Windows. | # | Milestone | Done when | |---|---|---| | 3.1 | LTSC IoT base evaluated and licensed for our use | License path documented; base image acquired | | 3.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts | | 3.3 | Stack ports for Windows | SilverBrowser/VPN/Sync/etc. native Windows builds, signed with our cert | | 3.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery | | 3.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + SilverMetal hardening (10 units) | | 3.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimal Microsoft contact, documented (we cannot reach zero on Windows; we publish what remains) | --- ## Phase 4 — Apple platforms (macOS + iOS profiles) **Goal**: ship signed configuration profiles, setup scripts, curated app guidance, and Stack ports for Apple platforms. | # | Milestone | Done when | |---|---|---| | 4.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall | | 4.2 | macOS setup script | Idempotent script applies non-MDM hardening (default app changes, etc.) | | 4.3 | Stack ports for macOS | Universal binaries, notarised, signed with our Apple Developer cert | | 4.4 | iOS MDM profile | Signed `.mobileconfig` for users with personal MDM (or via free Apple Configurator) | | 4.5 | Stack ports for iOS | App Store releases (Browser may face Apple review constraints — fall back to webkit-based with our defaults) | | 4.6 | Apple setup guide | Step-by-step published guide complementing the profiles | --- ## Phase 5 — Hardening / immutability / Tor sibling **Goal**: post-MVP improvements; not blocking earlier phases. - Atomic / immutable Linux variant (ostree) - dm-verity-protected `/` - Tor-by-default sibling product (SilverMetal Onion or similar) - ARM64 / Apple Silicon Linux variant - Coreboot tooling improvements / additional reference hardware --- ## Cross-cutting workstreams (always-on) These run in parallel with phases: - **Security advisories** — vulnerability response process from Phase 1.10 onward; signed advisories - **External audits** — annual or per-major-release third-party security review - **Documentation** — every phase's gate includes documentation update - **Community / support** — issue tracker, support channels, response SLOs ## Phase entry/exit philosophy - We do not start a phase until the previous one's exit criteria are met - We *can* run cross-cutting workstreams in parallel - A failing verification gate blocks the phase, full stop — no shipping with known regressions