AeThex-OS/docs/AETHEX_OS_SPECIFICATION.md

AeThex OS — Operating System Specification (Device Layer)

A bootable Linux-based operating system for AeThex hardware and developer devices. This document defines scope, architecture, security posture, release process, and supported targets.

---

0. Document Control

Property	Value
Owner	AeThex Corporation - Platform Engineering
Status	Draft
Version	0.1.0
Last Updated	January 6, 2026
Repository	AeThex-Corporation/AeThex-OS

Changelog

Date	Version	Changes
2026-01-06	0.1.0	Initial specification document created

---

1. Definition and Scope

AeThex OS is a bootable operating system for AeThex devices and developer hardware. It is a device-layer system responsible for boot, drivers, security posture, persistence, and local execution.

AeThex OS is not AeThex Platform. Platform refers to AeThex services, APIs, identity systems, and applications that can run on multiple operating systems (including AeThex OS).

AeThex OS is not AeThex Ecosystem. Ecosystem refers to the organizational, community, and product universe surrounding AeThex.

Scope of this document: kernel/boot, installation, persistence, base distro strategy, default stack, security model, build/release.

What AeThex OS Is

• A complete bootable Linux distribution based on Ubuntu LTS
• Device-layer operating system managing boot, drivers, security, and local execution
• Hardware abstraction layer providing consistent platform for AeThex applications
• Foundation for kiosk, embedded, and specialized device deployments
• Reference implementation for AeThex Platform integration at OS level

What AeThex OS Is Not

• ❌ Not a web service or cloud platform
• ❌ Not AeThex Platform (services, APIs, identity)
• ❌ Not AeThex Ecosystem (organization, governance, community)
• ❌ Not an application framework or development SDK
• ❌ Not responsible for multi-tenant SaaS operations

Relationship to Other Layers

┌─────────────────────────────────────────────┐
│        AeThex Ecosystem (Organization)       │
│  Governance • Community • Business Model     │
└─────────────────────────────────────────────┘
                     ↑
┌─────────────────────────────────────────────┐
│       AeThex Platform (Services Layer)       │
│  APIs • Identity • Applications • Marketplace│
└─────────────────────────────────────────────┘
                     ↑
┌─────────────────────────────────────────────┐
│     AeThex OS (Device/Operating System)      │ ← THIS DOCUMENT
│  Kernel • Boot • Drivers • Security • Local  │
└─────────────────────────────────────────────┘
                     ↑
┌─────────────────────────────────────────────┐
│              Hardware Layer                  │
│  PC • Handheld • Embedded • Dev Devices      │
└─────────────────────────────────────────────┘

---

2. Product Intent

Target Users (Personas)

1. System Integrator

   • Deploys AeThex OS on custom hardware
   • Needs reliable, reproducible boot process
   • Values hardware compatibility matrix

2. Kiosk/Embedded Developer

   • Runs single-purpose AeThex applications
   • Needs locked-down, auto-booting system
   • Values persistence and recovery options

3. Internal Developer

   • Tests AeThex Platform integration
   • Needs quick iteration on OS features
   • Values live boot with persistence

4. Power User

   • Wants full AeThex experience on dedicated hardware
   • Needs dual-boot or full installation
   • Values performance and customization

Primary Use Cases

• ✅ Kiosk Mode: Auto-boot to AeThex application in fullscreen
• ✅ Development Device: Live USB with persistent storage for testing
• ✅ Embedded Hardware: Custom device running AeThex OS as primary OS
• ✅ Demo/Trade Show: Portable live system showcasing AeThex Platform

Non-Goals

• ❌ General-purpose desktop OS competing with Ubuntu/Fedora
• ❌ Server OS for cloud deployment (use containerized Platform instead)
• ❌ Mobile phone OS (see separate mobile builds)
• ❌ Real-time OS or mission-critical industrial control

Design Principles

1. Stability over bleeding-edge: LTS base, conservative updates
2. Minimal by design: Only OS essentials, Platform apps separate
3. Reproducible builds: ISO builds identical given same inputs
4. Security-first: Encryption defaults, secure boot ready
5. Hardware compatibility: Broad x86_64 and ARM64 support

---

3. Supported Targets

Hardware Classes

Class	Description	Status
PC (x86_64)	Standard desktop/laptop hardware	✅ Stable
Handheld (x86_64)	Steam Deck, AYANEO, GPD devices	🔄 Testing
ARM64 SBC	Raspberry Pi 4/5, other dev boards	🔄 Planned
Embedded x86	Intel NUC, Mini-ITX kiosk systems	✅ Stable
Development Phone	Prototype via Capacitor/Tauri	🔄 Testing

CPU Architectures

Architecture	Support Level	Notes
x86_64 (amd64)	✅ Tier 1	Primary target, fully tested
arm64 (aarch64)	🔄 Tier 2	Planned for Pi and handheld devices
armhf	❌ Not supported	Legacy 32-bit ARM
i386	❌ Not supported	Legacy 32-bit x86

GPU/Display Expectations

• Minimum: VESA/framebuffer console (text mode)
• Recommended: OpenGL 3.3+ or Vulkan 1.1+ for desktop UI
• Tested: Intel integrated, AMD, NVIDIA (nouveau/proprietary)
• Wayland: Preferred, X11 fallback available

Minimum Specifications

Component	Minimum	Recommended
CPU	2 cores, 1.5 GHz	4 cores, 2.5 GHz+
RAM	2 GB	4 GB+
Storage	16 GB	32 GB+ (SSD preferred)
Network	None (offline mode)	Ethernet or WiFi
Display	1024×768	1920×1080+

---

4. Base Distribution Strategy

Upstream Base

Ubuntu 24.04 LTS (Noble Numbat)

Rationale:

• 5-year support cycle (until April 2029)
• Large hardware compatibility database
• Well-documented debootstrap process
• Familiar to developers
• Strong security update process

Alternative Evaluated:

• Debian Stable: Longer support, but slower hardware enablement
• Arch: Rolling release incompatible with stability goals
• Fedora: Too short support cycle (13 months)

Release Channel Model

Channel	Base	Update Frequency	Stability	Audience
Stable	Ubuntu LTS	Security only	Highest	Production deployments
Beta	Ubuntu LTS + backports	Monthly	Medium	Early adopters, testing
Nightly	Rolling from main branch	Daily	Lowest	Developers only

Update Mechanism

Current (v0.1): Manual ISO re-flash

• Simple, deterministic
• No state corruption risk
• Good for embedded/kiosk

Planned (v0.5): Image-based updates

• OSTree or similar atomic update system
• Rollback on failure
• OTA updates for connected devices

Not Planned: Traditional package-based updates (apt)

• Too complex for managed appliance model
• State drift over time
• Harder to reproduce issues

---

5. Boot and Installation

Bootloaders

GRUB 2 (UEFI mode)

• EFI boot for modern systems
• Secure Boot ready (signature pending)
• Branded boot menu with AeThex theme

ISOLINUX (Legacy/ISO boot)

• BIOS boot compatibility
• Used for live USB creation
• Fallback for older hardware

Current Status: Both bootloaders configured and working (see Appendix A)

Boot Modes

┌─────────────────────────────────────────┐
│          AeThex OS Boot Flow            │
└─────────────────────────────────────────┘

Power On
    ↓
BIOS/UEFI Firmware
    ↓
Bootloader (GRUB/ISOLINUX)
    ↓
┌─────────────────┬─────────────────┬──────────────┐
│   Live Mode     │  Installed Mode │  Safe Mode   │
│  (read-only)    │  (read-write)   │ (nomodeset)  │
└─────────────────┴─────────────────┴──────────────┘

Live Boot

Technology: Casper-style live boot (Ubuntu standard)

• Boots from ISO/USB without installation
• SquashFS compressed root filesystem
• Optional persistence overlay (see Persistence Model)
• RAM-based temporary filesystem changes

Use Cases:

• Demo systems
• Development/testing
• Hardware compatibility testing
• Recovery environment

Persistence Model

Casper Persistent Mode (v0.1 implementation)

• Creates casper-rw file on USB boot media
• Stores user changes across reboots
• Configurable size (default: 4 GB)
• Lives alongside live ISO

Limitations:

• File-based, can corrupt on unclean shutdown
• Limited to FAT32 size constraints (4 GB max file)
• Not suitable for production use

Future: OverlayFS Persistent (v0.5 planned)

• Dedicated partition for persistence
• More robust, no file size limits
• Better performance

Full Installation (v1.0 planned)

• Traditional partitioned install to disk
• Full read-write system
• Standard Linux filesystem layout

Installation Modes

Mode	Status	Description
Live Only	✅ v0.1	No installation, run from USB
Live + Persistence	✅ v0.1	Save changes to USB
Automated Install	🔄 v0.5	One-click install to disk
Manual Install	🔄 v1.0	Partition control, dual-boot

Recovery Mode

Safe Mode (nomodeset)

• Disables GPU acceleration
• Uses VESA framebuffer
• For hardware compatibility issues
• Accessible from boot menu

Future Recovery Shell:

• Minimal busybox environment
• Filesystem repair tools
• Backup/restore utilities

---

6. Filesystem and Persistence

Partition Layout (Full Install, v1.0)

/dev/sda1   512 MB   EFI System Partition (FAT32)
/dev/sda2    32 GB   Root filesystem (ext4, read-only)
/dev/sda3     8 GB   /home (ext4, encrypted)
/dev/sda4   <rest>   /data (ext4, encrypted, user data)

Rationale:

• Separate /home allows root OS updates without data loss
• /data for AeThex Platform application data
• Read-only root prevents accidental system corruption

Encryption Policy

Partition	Encryption	Key Management
EFI	❌ None	Required by spec
Root	❌ None	Integrity via dm-verity (future)
/home	✅ LUKS2	User password
/data	✅ LUKS2	TPM 2.0 + recovery key

Backup/Restore Strategy

v0.1 (Live Mode):

• Manual file copy from persistence overlay
• No automatic backup

v0.5 (Installed Mode):

• /home and /data snapshot via Btrfs subvolumes
• Daily incremental backups
• User-initiated full backup to external media

v1.0:

• Optional cloud sync integration (via AeThex Platform)
• Encrypted backup archives

User State Portability

Goal: User can move AeThex OS installation between devices

Implementation (v1.0):

• User profile stored in /home/aethex/.aethex-profile
• Configuration synced via AeThex Platform (optional)
• Device-agnostic settings (no hardware-specific config in user dir)

---

7. System Architecture

Kernel Strategy

Base: Ubuntu mainline kernel (6.8+ for 24.04 LTS)

Customization Level: Minimal

• Use Ubuntu kernel configs
• Add kernel modules for specific hardware as needed
• No custom patches (upstream everything)

Update Policy:

• Follow Ubuntu kernel updates for LTS (HWE stack)
• Security updates within 48 hours
• Major version bumps only with LTS point releases

Init System

systemd (Ubuntu default)

• Standard for modern Linux distributions
• Well-documented, widely supported
• Integrated with security features (systemd-homed, etc.)

Services Layout

systemd
├── multi-user.target (default)
│   ├── NetworkManager.service
│   ├── systemd-resolved.service
│   ├── aethex-session-manager.service (custom)
│   └── dbus.service
│
├── graphical.target
│   ├── lightdm.service (display manager)
│   └── aethex-desktop.service (custom)
│
└── emergency.target (recovery)

Custom Services:

• aethex-session-manager.service: Manages AeThex Platform connection
• aethex-desktop.service: Launches AeThex desktop environment
• aethex-mobile-server.service: Mobile app server (if applicable)

Hardware Abstraction Plan

Current: Linux kernel + standard drivers

• udev for device management
• Mesa for GPU (open-source)
• PipeWire for audio
• NetworkManager for networking

Future (v1.0): AeThex HAL (Hardware Abstraction Layer)

• Unified API for sensor access (for handheld devices)
• Battery/power management hooks
• Device-specific calibration (controllers, displays)

Logging/Telemetry Approach

Logging:

• systemd journal (local only)
• Rotated daily, 7-day retention
• No external shipping by default

Telemetry (opt-in, v1.0):

• Anonymous hardware compatibility reports
• Crash dumps (with user consent)
• Sent to AeThex Platform telemetry endpoint
• Full transparency: user can inspect before sending

Privacy:

• No telemetry in live mode
• Installed mode: opt-in during setup
• User can disable anytime
• No personal data collected

---

8. Security Model

Threat Model

What we defend against:

• ✅ Unauthorized local access (disk encryption)
• ✅ Network-based attacks (firewall, minimal services)
• ✅ Malicious applications (sandboxing, future)
• ✅ Boot-time tampering (secure boot, future)

What we do NOT defend against:

• ❌ State-level adversaries (not a hardened OS)
• ❌ Physical access with unlimited time (evil maid attacks)
• ❌ Side-channel attacks (Spectre/Meltdown mitigations via kernel)

Risk Tolerance: Standard consumer/developer device security

Secure Boot Posture

Current (v0.1): Not enabled

• GRUB unsigned, boots on any UEFI system
• Development phase, signing infrastructure not ready

Planned (v0.5):

• Sign GRUB bootloader with AeThex key
• Sign kernel with Ubuntu key (already done)
• Enroll AeThex key in UEFI (user action required)

Challenge: Balance security with user control (no Microsoft-style lockdown)

Encryption Defaults

Data Type	Default	Rationale
Live mode	❌ None	Temporary, no persistent data
/home	✅ LUKS2	User documents, SSH keys, etc.
/data	✅ LUKS2	AeThex app data, sensitive
Root	❌ None	Public OS files, verified via checksum

Key Derivation: Argon2id (LUKS2 default)

App Sandboxing Model

Current (v0.1): None

• Applications run as user, standard Linux permissions
• No mandatory access control (AppArmor disabled for simplicity)

Planned (v0.5):

• Flatpak for third-party apps (sandboxed by default)
• AppArmor profiles for AeThex system services
• Restrict network access per-app

v1.0:

• Wayland isolates GUI apps (no X11 keylogging)
• Seccomp filters for system calls
• Landlock LSM for filesystem isolation

Secrets Management

User Secrets:

• SSH keys: ~/.ssh/ (encrypted via /home)
• GPG keys: ~/.gnupg/ (encrypted via /home)
• Browser passwords: Firefox/Chrome stores (encrypted via /home)

System Secrets:

• No hardcoded API keys in OS image
• AeThex Platform credentials: stored in /data/aethex-platform/ (encrypted)
• TPM 2.0 for sealing disk encryption keys (v1.0)

Patch Management SLAs

Severity	SLA	Delivery
Critical (RCE, privilege escalation)	24 hours	Nightly + Beta + Stable
High (DoS, info leak)	7 days	Beta + Stable
Medium	30 days	Beta (next cycle)
Low	Best-effort	Nightly only

Process:

1. Ubuntu security team publishes advisory
2. AeThex validates patch (automated tests)
3. Publish updated ISO + OTA (v0.5+)
4. Notify users via AeThex Platform (if connected)

---

9. Networking and Identity (OS Layer)

Network Manager Standard

NetworkManager (Ubuntu default)

• GUI: nm-applet (system tray)
• CLI: nmcli, nmtui
• Supports: Ethernet, WiFi, VPN, mobile broadband

Configuration:

• System connections: /etc/NetworkManager/system-connections/
• User connections: stored per-user in encrypted /home
• Default: DHCP for Ethernet/WiFi

VPN Support

Built-in:

• OpenVPN (via network-manager-openvpn)
• WireGuard (via network-manager-wireguard)
• IPSec (via network-manager-strongswan)

AeThex-Specific (v1.0):

• Optional AeThex VPN integration (if Platform provides VPN)
• Zero-config connection to AeThex network
• Requires user opt-in

Optional AeThex Identity Hooks (Strict Boundary)

Design Principle: OS does NOT require AeThex Platform

Optional Integration:

• User can link OS installation to AeThex Passport (identity)
• Benefits:
  • Cloud sync of settings/preferences
  • Remote device management (wipe, lock)
  • Marketplace app delivery
• Mechanism:
  • Separate aethex-platform-agent package (not installed by default)
  • User installs and authenticates via browser OAuth flow

Boundary:

• OS boots and functions fully offline
• No telemetry without opt-in
• No "phone home" by default

Device Enrollment Concept (If Any)

v1.0 (Optional):

• Organizational device enrollment (for enterprise)
• MDM-style management via AeThex Platform
• Policies:
  • Force encryption
  • Require VPN for network access
  • Push applications
  • Remote wipe
• User-owned devices: enrollment optional
• Organization-owned devices: enrollment enforced via setup wizard

---

10. Default Software Stack (OS Only)

Desktop Environment (or Headless)

Current (v0.1):

• Xfce 4.18 (lightweight, stable)
• LightDM (display manager, auto-login)
• Firefox (kiosk mode for AeThex Platform access)

Rationale:

• Xfce: Low resource usage, works on old hardware
• Not GNOME: Too heavy, complex dependencies
• Not KDE Plasma: Also heavy, overkill for kiosk use

Future (v1.0):

• Custom AeThex DE based on React (similar to Tauri app)
• Wayland compositor (wlroots-based)
• Minimal window management, focuses on AeThex apps

Core Utilities

Category	Package	Purpose
File Manager	Thunar (Xfce default)	Browse /home, /data
Terminal	xfce4-terminal	CLI access
Text Editor	Mousepad	Quick edits, logs
Archive Manager	file-roller	.zip, .tar.gz
Image Viewer	ristretto	PNG/JPEG preview
PDF Viewer	evince	Documentation
Network Tools	NetworkManager, nmcli	WiFi setup

Not Included:

• ❌ LibreOffice (too heavy, use web apps)
• ❌ Email client (use webmail)
• ❌ Media players (use web-based)

Developer Tooling Baseline

Included by default:

• git (version control)
• curl, wget (API testing)
• nodejs 20.x, npm (for AeThex Platform apps)
• python3 (system tools, scripting)
• vim / nano (CLI editing)
• ssh, scp (remote access)

Not Included (user installs):

• Compilers (gcc, rust, go)
• IDEs (VSCode, etc.)
• Docker/Podman (use AeThex Platform containers)

Drivers and Firmware Approach

Strategy: Use Ubuntu's hardware enablement

• linux-firmware package (comprehensive)
• Automatic driver detection via ubuntu-drivers
• Proprietary drivers opt-in (NVIDIA, WiFi)

Custom Additions (v1.0):

• Handheld device drivers (Steam Deck controls, etc.)
• AeThex-specific hardware support (if custom devices)

---

11. AeThex OS UX/Branding

Boot Branding

GRUB Theme:

• Location: /boot/grub/themes/aethex/
• Colors: Dark background, AeThex cyan/green accents
• Logo: AeThex logo (PNG, 256×256)
• See: configs/grub/grub.cfg

ISOLINUX (Live Boot):

• Text-mode menu
• AeThex ASCII art header
• Cyan text on black background

Login/Lock Screen

LightDM Theme (v0.1):

• Default Ubuntu theme (temporary)
• Auto-login to aethex user (kiosk mode)

Custom Theme (v0.5):

• Full-screen AeThex branding
• Minimal login form
• Optional: QR code for mobile authentication

Default Wallpaper/Theme Constraints

Wallpaper:

• Dark theme (black or dark gray)
• Subtle AeThex logo in corner
• No distracting imagery (focus on apps)

GTK/Qt Theme:

• Dark mode preferred
• Accent color: AeThex cyan (#00FFCC)
• System fonts: Ubuntu Sans / Roboto

Device Naming Conventions

Hostname Pattern:

aethex-<type>-<random>

Examples:

• aethex-desktop-a3f9
• aethex-kiosk-7b21
• aethex-dev-c4d8

Benefits:

• Easily identify AeThex devices on network
• Random suffix prevents enumeration
• Type prefix for troubleshooting

---

12. Build System and Release Engineering

Build Pipeline (CI)

Current: GitLab CI (.gitlab-ci.yml)

Stages:

1. Validate: Check dependencies, lint scripts
2. Build Client: npm run build (Vite)
3. Build ISO: script/build-linux-iso.sh (requires root, Docker)
4. Test ISO: Boot in QEMU, smoke tests
5. Publish Artifacts: Upload ISO to GitLab releases

Build Environment:

• Docker image: ubuntu:24.04
• Build time: ~60-90 minutes
• Disk usage: ~10 GB

Security:

• Build server: trusted GitLab runners only
• No third-party code execution
• Reproducible builds (same input = same output)

Artifact Outputs

Artifact	Format	Use Case
Live ISO	.iso (hybrid)	USB flash, CD/DVD, VM
IMG (future)	.img (raw disk)	Direct dd to device
OTA (future)	.ostree or .delta	Incremental updates

Signing Keys + Key Custody

Current (v0.1): No signing

• ISOs are unsigned
• No chain of trust

Planned (v0.5):

• Code Signing Key: RSA 4096-bit, ECDSA P-384 backup
• Usage: Sign GRUB, kernel modules, ISOs
• Custody:
  • Master key: Hardware security module (HSM) or YubiKey
  • Build key: Derived, stored in CI secrets
  • Revocation: Published to AeThex Platform
• Verification: Users can check ISO signature with public key

Versioning Scheme

Format: MAJOR.MINOR.PATCH-TAG

Examples:

• 0.1.0-dev (initial dev preview)
• 0.5.0-beta (beta testing)
• 1.0.0 (stable release)
• 1.0.1 (security patch)

Semantic Versioning:

• MAJOR: Breaking changes (new install required)
• MINOR: New features (backward compatible)
• PATCH: Bug fixes, security updates
• TAG: dev, beta, rc1, (none for stable)

Release Checklist

Before Release:

• All CI tests pass
• Manual boot test on 3+ hardware types
• Security audit (no hardcoded secrets)
• Changelog updated
• Version bumped in all configs
• ISO signed (v0.5+)

Release Day:

• Tag Git commit: git tag v1.0.0
• Trigger CI build
• Download artifacts, verify signature
• Upload to CDN / release page
• Announce on AeThex Platform / Discord
• Update documentation

Post-Release:

• Monitor for critical bugs
• Prepare hotfix process
• Collect user feedback

---

13. Testing and QA

Hardware Test Matrix

Tier 1 (Must Pass):

• Generic x86_64 PC (Intel CPU, integrated graphics)
• AMD CPU + AMD GPU
• NVIDIA GPU (nouveau driver)

Tier 2 (Should Pass):

• Steam Deck (handheld)
• Raspberry Pi 4 (ARM64)
• UEFI only (no BIOS)

Tier 3 (Nice to Have):

• Legacy BIOS only
• High-DPI display (4K)
• Multi-monitor setup

Automated Tests

Boot Tests (QEMU):

• Boot to login screen (30s timeout)
• Auto-login to desktop (60s timeout)
• Network connectivity (ping 1.1.1.1)
• AeThex service running (check systemd status)

Unit Tests:

• Build scripts: syntax validation
• Config files: schema validation
• Systemd units: systemd-analyze verify

Integration Tests (v0.5):

• Install to disk (automated Ansible)
• Reboot, verify persistence
• Apply updates, verify rollback

Smoke Test Procedure

Manual Checklist (15 minutes):

1. Boot from USB
2. Select "AeThex Linux" from menu
3. Desktop loads within 60 seconds
4. WiFi connects to known network
5. Firefox launches AeThex Platform
6. Terminal opens, uname -a works
7. File manager browses /home
8. Audio plays (speaker-test)
9. Reboot, persistence works (created file survives)
10. Shutdown completes cleanly

Regression Policy

Definition: Any test that passed in previous release

Process:

1. All Tier 1 hardware must pass smoke tests
2. Any regression blocks release
3. If unfixable, document as known issue
4. Known issues printed during boot (motd)

Escape Hatch:

• Critical security fix: release with known regression
• Document workaround
• Fix in next patch release (within 7 days)

---

14. Governance and Contribution (OS Repo)

Repository Structure

AeThex-OS/
├── client/                 # Web UI (React/Vite)
├── server/                 # Backend (Node.js)
├── shared/                 # DB schema (Drizzle)
├── migrations/             # DB migrations
├── os/                     # OS-specific files
│   ├── base/               # Base system configs
│   ├── runtimes/           # Language runtimes
│   └── shell/              # Default shell configs
├── configs/                # Bootloader, systemd
│   ├── grub/
│   ├── systemd/
│   └── lightdm/
├── script/                 # Build scripts
│   └── build-linux-iso.sh
├── docs/                   # Documentation
│   └── AETHEX_OS_SPECIFICATION.md  # ← This doc
└── .gitlab-ci.yml          # CI/CD

Branch Policy

Branch	Purpose	Protected	CI
main	Stable, releasable	✅ Yes	Full tests
develop	Integration branch	✅ Yes	Full tests
feature/*	New features	❌ No	Basic tests
hotfix/*	Security fixes	❌ No	Full tests

Rules:

• main: Require 1 approver, all tests pass
• No force-push to main or develop
• Hotfixes: can merge to main with post-review

PR Standards

Required:

• Descriptive title (50 chars max)
• Linked issue or rationale
• Tests pass (CI green)
• No merge conflicts
• Signed commits (v0.5+)

Review Criteria:

• Security: No hardcoded secrets
• Style: Follow existing conventions
• Docs: Update if changing behavior
• Breaking changes: Require version bump

Security Reporting

Private Disclosure:

• Email: security@aethex.com (create this!)
• GPG key: Published on website
• Response SLA: 48 hours

Process:

1. Researcher reports vuln privately
2. AeThex confirms and triages (24h)
3. Fix developed in private branch
4. Coordinated disclosure (usually 90 days)
5. Credit to researcher in changelog

Licensing

AeThex OS Codebase:

• License: MIT (permissive)
• Rationale: Allow commercial use, forks, modifications

Third-Party Components:

• Ubuntu: Various (GPL, LGPL, MIT)
• Kernel: GPL-2.0
• Systemd: LGPL-2.1+
• Xfce: GPL-2.0+

Compliance:

• All licenses compatible with MIT
• No "copyleft" requirement for AeThex OS itself
• Redistributors must comply with upstream licenses

---

15. Roadmap

v0.1 — Dev Preview (Current)

Status: ✅ Complete (January 2026)

Features:

• Live USB boot (x86_64)
• Casper persistence
• Xfce desktop environment
• Firefox kiosk mode
• AeThex mobile server integration
• GitLab CI build pipeline
• GRUB and ISOLINUX configs

Known Limitations:

• No installation to disk
• No secure boot
• No encryption
• Manual flash only (no OTA)

v0.5 — Pilot (Q2 2026)

Goal: Production-ready for kiosk/embedded use

Features:

• Automated install to disk
• LUKS2 encryption (/home, /data)
• Signed bootloader (code signing)
• OTA updates (OSTree or similar)
• Custom AeThex DE (React-based)
• ARM64 support (Raspberry Pi)
• Handheld device support (Steam Deck)
• Improved boot time (<20s to desktop)

Testing:

• 10+ pilot deployments
• 3+ hardware types
• 30-day stability target

v1.0 — Stable (Q4 2026)

Goal: General availability for all use cases

Features:

• Dual-boot support (Windows/Mac alongside)
• Full installer UI (graphical)
• AeThex Platform agent (opt-in)
• Device enrollment (MDM for enterprise)
• TPM 2.0 integration (disk encryption keys)
• AppArmor + Flatpak sandboxing
• Custom hardware HAL (for AeThex devices)
• Wayland compositor (AeThex DE)
• Multi-user support (currently single-user)

Success Criteria:

• 100+ active installations
• <5 critical bugs in 90 days
• 5-year support commitment

Stretch Goals (v2.0+)

Advanced Features:

• Immutable root filesystem (dm-verity)
• A/B partition updates (Android-style)
• Remote attestation (prove OS integrity)
• Containerized apps only (no native packages)
• Zero-trust network access (BeyondCorp model)
• Offline AI assistant (local LLM)

---

Appendix A: Current Boot Menu Configs (Known Working)

GRUB Configuration

File: configs/grub/grub.cfg

# GRUB Customization Configuration
# AeThex Linux Bootloader Theme

# Menu colors (terminal format)
set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

# Timeout in seconds
set timeout=5
set timeout_style=menu

# Default boot option
set default=0

# Display settings
set gfxmode=auto
set gfxpayload=keep
terminal_output gfxterm

# Load video modules
insmod all_video
insmod gfxterm
insmod png
insmod jpeg

# Load theme if available
if [ -f /boot/grub/themes/aethex/theme.txt ]; then
  set theme=/boot/grub/themes/aethex/theme.txt
fi

# Boot menu entries
menuentry "AeThex Linux" {
    set gfxpayload=keep
    linux /boot/vmlinuz root=UUID=ROOTFS_UUID ro quiet splash
    initrd /boot/initrd.img
}

menuentry "AeThex Linux (Recovery Mode)" {
    linux /boot/vmlinuz root=UUID=ROOTFS_UUID ro recovery nomodeset
    initrd /boot/initrd.img
}

menuentry "Memory Test (memtest86+)" {
    linux16 /boot/memtest86+.bin
}

menuentry "Reboot" {
    reboot
}

menuentry "Shutdown" {
    halt
}

Notes:

• ROOTFS_UUID replaced during build with actual partition UUID
• quiet splash hides boot messages (remove for debugging)
• nomodeset in recovery mode disables GPU acceleration

ISOLINUX Configuration

File: configs/isolinux/isolinux.cfg (to be created)

DEFAULT vesamenu.c32
TIMEOUT 50
PROMPT 0

MENU TITLE AeThex OS Boot Menu
MENU BACKGROUND splash.png
MENU COLOR screen 37;40 #80ffffff #00000000 std
MENU COLOR border 30;44 #ffffffff #00000000 std
MENU COLOR title 1;36;44 #ff00ffcc #00000000 std
MENU COLOR sel 7;37;40 #ff000000 #ff00ffcc all
MENU COLOR unsel 37;44 #ffffffff #00000000 std

LABEL live
    MENU LABEL AeThex OS (Live Mode)
    KERNEL /casper/vmlinuz
    APPEND initrd=/casper/initrd boot=casper quiet splash ---

LABEL persistent
    MENU LABEL AeThex OS (Persistent Mode)
    KERNEL /casper/vmlinuz
    APPEND initrd=/casper/initrd boot=casper persistent quiet splash ---

LABEL safe
    MENU LABEL AeThex OS (Safe Mode - nomodeset)
    KERNEL /casper/vmlinuz
    APPEND initrd=/casper/initrd boot=casper nomodeset ---

LABEL memtest
    MENU LABEL Memory Test (memtest86+)
    KERNEL /boot/memtest86+.bin

LABEL hd
    MENU LABEL Boot from Hard Disk
    LOCALBOOT 0x80

Notes:

• vesamenu.c32 provides graphical menu
• TIMEOUT 50 = 5 seconds (deciseconds)
• splash.png should be 640×480, 256 colors
• persistent option creates casper-rw file on USB

---

Appendix B: Glossary

Term	Definition
AeThex OS	Device-layer operating system (kernel, boot, drivers)
AeThex Platform	Services layer (APIs, identity, applications)
AeThex Ecosystem	Organizational universe (governance, community, business)
AeThex Passport	User identity system (part of Platform, not OS)
Casper	Ubuntu's live boot technology (SquashFS + overlay)
Live Mode	Boot from USB without installation
Persistence	Saving changes across reboots in live mode
ISO	Disk image format (bootable CD/DVD/USB)
GRUB	Bootloader for UEFI systems
ISOLINUX	Bootloader for BIOS/legacy systems
LUKS	Linux Unified Key Setup (disk encryption)
systemd	Init system and service manager
Xfce	Lightweight desktop environment
LightDM	Display manager (login screen)
debootstrap	Tool to create minimal Debian/Ubuntu system
SquashFS	Compressed read-only filesystem (for live boot)
OTA	Over-the-air updates (remote software updates)
HAL	Hardware Abstraction Layer
TPM	Trusted Platform Module (hardware security chip)
Secure Boot	UEFI feature to verify bootloader signatures
MDM	Mobile Device Management (enterprise device control)

---

Appendix C: Related Documents

Document	Purpose	Location
Platform Specification	AeThex Platform APIs, services	docs/AETHEX_PLATFORM_SPEC.md
Ecosystem Overview	Org structure, governance, ethics	docs/AETHEX_ECOSYSTEM_OVERVIEW.md
Linux Quickstart	How to build/test AeThex OS	LINUX_QUICKSTART.md
ISO Build Guide	Detailed build instructions	ISO_BUILD_FIXED.md
Desktop/Mobile Setup	Tauri and Capacitor builds	DESKTOP_MOBILE_SETUP.md

---

Document Maintenance

Review Cycle: Quarterly (every 3 months)

Next Review: April 6, 2026

Maintainers:

• Lead: Platform Engineering Team
• Contributors: Open to community PRs

Feedback:

• GitHub Issues: Technical questions
• Discord: #aethex-os-dev channel
• Email: os-team@aethex.com

---

Document Version: 0.1.0
Last Updated: January 6, 2026
Status: Draft — Ready for Team Review
Next Action: Pilot deployment planning (v0.5 roadmap)

---

This document is the single source of truth for AeThex OS (device layer). For Platform or Ecosystem questions, see related documents in Appendix C.