SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
acd3ebe7f2f4aef2842e68edfa70860474915417
SilverMetal/docs/roadmap.md
SysAdmin acd3ebe7f2 docs(chat): adopt existing SilverVPN.Client.Chat as SilverChat — promote to v1 
Inspection of ../SilverVPN/clients/SilverVPN.Client.Chat reveals a mature,
production-grade SilverChat implementation:

- Cross-platform MAUI client (Windows / macOS / Android / iOS)
- 13 ViewModels + 13 Views — feature-complete UX (contacts, conversations,
  group chat, invites, safety numbers, settings, login)
- Signal Protocol crypto: Double Ratchet, X3DH (PreKey + Identity stores),
  Safety Numbers, encrypted attachments
- VpnChatTransport — chat carried over the SilverVPN tunnel itself,
  eliminating third-party metadata exposure
- Server-side already in SilverVPN.Api: ChatHub (SignalR), ChatController,
  ChatAttachmentController, ContactsController
- Windows MSI installer wired (installer/silverchat/SilverChat.wxs)

Decision: adopt-as-is, do not duplicate. SilverChat is more advanced than
the v1.1 plan (which considered Matrix / Signal-fork) — three wins:
1. Signal Protocol natively, not a tentative fork
2. Chat over the VPN tunnel — better metadata hygiene
3. Cross-platform on day one

Changes:
- stack/chat/README.md rewritten as integration pointer (mirror of stack/vpn/)
- stack/README.md status table updated; SilverChat promoted v1.1 → v1
- docs/roadmap.md: new milestone 1.9 (Chat integration into Linux v1);
  Phase 1.1 alignment-review milestone removed (resolved by this finding);
  remaining 1.1 milestones renumbered
- root README.md: Stack table + Status table updated

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:38:45 +01:00

137 lines
7.8 KiB
Markdown
Raw Blame History

# Roadmap
Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met.
The two product lines (**SilverMetal OS** and **SilverMetal Enhanced**) share the same roadmap because they share the SilverLABS Application Stack and the same supporting infrastructure. They diverge in delivery format only.
## Phase 0 — Foundation (current)
**Goal**: get the architecture, threat model, and product principles documented and reviewed before writing OS code.
| # | Milestone | Done when |
|---|---|---|
| 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place |
| 0.2 | Umbrella docs | `README.md` + `docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md` complete and reviewed |
| 0.3 | Gitea repo created and pushed | `SilverLABS/SilverMetal` exists on `git.silverlabs.uk` with this scaffold |
| 0.4 | Naming framework + repo alignment locked | OS / Enhanced naming applied; SilverApple deprecation noted; SilverVPN integration scope defined |
**Status**: complete.
---
## Phase 1 — SilverMetal OS — Linux v1 (the MVP)
**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other flavours.
| # | Milestone | Done when |
|---|---|---|
| 1.1 | Kicksecure fork builds reproducibly | `live-build` produces identical SHA256 across two clean builds |
| 1.2 | Hardening overlay applied | KSPP audit passes; Lynis ≥ 90 in CI; AppArmor strict profiles loaded |
| 1.3 | hardened_malloc integrated as system allocator | Verified active for user sessions; no regressions |
| 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min — zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints |
| 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install → reboot → TPM unlock → desktop. Tamper test correctly falls back to passphrase |
| 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated |
| 1.7 | SilverVPN integrated into image | Existing `SilverLABS/SilverVPN` Linux client + tunnel service preinstalled, always-on default; kill-switch verified |
| 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content |
| 1.9 | SilverChat integrated into image | Existing `SilverVPN.Client.Chat` packaged for Linux and integrated; SignalR hub reachable; first message sent and received over VPN tunnel transport |
| 1.10 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified |
| 1.11 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented |
| 1.12 | External privacy-engineering review | One independent reviewer (Kicksecure / Whonix community) signs off on threat-model fidelity |
| 1.13 | Hardware SKU pilot batch | 10 preflashed Coreboot-supported laptops shipped and validated |
**Exit criteria for Phase 1**: alpha is publicly downloadable, all verification gates green, hardware SKU available for purchase.
---
## Phase 1.1 — Stack expansion
**Goal**: complete the SilverLABS Application Stack so v1.1 ships with the full suite.
> **Note**: SilverChat was originally a Phase 1.1 milestone but has been **promoted to Phase 1** (milestone 1.9) — the existing `SilverVPN.Client.Chat` implementation is production-grade (Signal Protocol over VPN transport) and ready to integrate now.
| # | Milestone | Done when |
|---|---|---|
| 1.1.1 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
| 1.1.2 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
| 1.1.3 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
---
## Phase 2 — SilverMetal OS — Droid (Pixel + Samsung + Motorola)
**Goal**: ship the three ROM-level Android tiers.
| # | Milestone | Done when |
|---|---|---|
| 2.1 | OS — Pixel ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
| 2.2 | OS — Samsung (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
| 2.3 | OS — Motorola (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
| 2.4 | Pixel preflashed pilot | 10 preflashed units shipped |
| 2.5 | Motorola preflashed pilot | 10 preflashed units shipped |
---
## Phase 3 — SilverMetal Enhanced (the four hardening packages)
**Goal**: ship Enhanced packages for Windows, macOS, iOS, and generic Android.
The four Enhanced flavours can be developed largely in parallel since they share the SilverLABS Stack and don't depend on each other.
### 3W — Enhanced — Windows
| # | Milestone | Done when |
|---|---|---|
| 3W.1 | LTSC IoT base licensed and acquired | License path documented |
| 3W.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
| 3W.3 | Stack ports for Windows | SilverBrowser/Sync/etc. native Windows builds, signed with our cert. SilverVPN MAUI Windows client integrated |
| 3W.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
| 3W.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + Enhanced (10 units) |
| 3W.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimum-feasible Microsoft contact, documented |
### 3M — Enhanced — macOS
| # | Milestone | Done when |
|---|---|---|
| 3M.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall |
| 3M.2 | macOS setup script | Idempotent script applies non-MDM hardening |
| 3M.3 | Stack ports for macOS | Universal binaries, notarised, signed |
### 3I — Enhanced — iOS (supersedes SilverApple)
| # | Milestone | Done when |
|---|---|---|
| 3I.1 | Migrate / fold any usable assets from `SilverLABS/SilverApple` | Inventory of SilverApple done; reusable parts moved into `ios/`; SilverApple repo archived |
| 3I.2 | iOS MDM profile | Signed `.mobileconfig` for personal MDM or Apple Configurator |
| 3I.3 | Stack ports for iOS | App Store releases (Browser may face Apple WebKit constraints — fall back if needed) |
| 3I.4 | Apple setup guide | Step-by-step published guide complementing the profiles |
### 3A — Enhanced — Android (generic)
| # | Milestone | Done when |
|---|---|---|
| 3A.1 | Generic Android profile installer | "Harden my Android" — Stack apps + work-profile hardening config |
| 3A.2 | Compatibility test matrix | Runs cleanly on Android 13+ across Samsung locked, OnePlus, Xiaomi, OEMs we don't have ROMs for |
---
## Phase 4 — Hardening / immutability / Tor sibling
**Goal**: post-MVP improvements; not blocking earlier phases.
- Atomic / immutable Linux variant (ostree)
- dm-verity-protected `/`
- Tor-by-default sibling product
- ARM64 / Apple Silicon Linux variant
- Coreboot tooling improvements / additional reference hardware
---
## Cross-cutting workstreams (always-on)
- **Security advisories** — vulnerability response process from Phase 1.10 onward
- **External audits** — annual or per-major-release third-party review
- **Documentation** — every phase's gate includes documentation update
- **Community / support** — issue tracker, support channels, response SLOs
## Phase entry/exit philosophy
- We do not start a phase until the previous one's exit criteria are met
- Cross-cutting workstreams run in parallel
- A failing verification gate blocks the phase, full stop — no shipping with known regressions
Reference in New Issue View Git Blame Copy Permalink