GuardOS hardens an individual computer (“cell”) using a layered (Onion) model:
- Immutable base OS + verified boot
- Strict app sandboxing & per‑app firewall
- Local AI for anomaly detection + explainable prompts
- Zero‑trust defaults, zero‑knowledge (opt‑in cloud)
Goal: “Military‑grade” resilience for everyday users, without breaking normal computing.
Traditional security focuses on the perimeter. Modern attacks move across layers: firmware, boot, OS, apps, network, cloud, and user. GuardOS defends each layer and binds them with a local AI (“Aegis”) that explains risk and suggests safe actions.
- Local‑first AI (offline by default)
- Zero trust on a single machine
- Immutable base, atomic rollback
- Explainable security prompts
- Open, auditable, reproducible builds
- 📐 Architecture
- 🛡️ Threat Model
- 🧠 AI Stack
- 🧩 Policy Engine
- 🧯 Incident Response
- 🧭 Roadmap
- 🧱 Build · 🚀 Install
- 💻 Hardware & Support Matrix / (docs/DEVICE_SUPPORT_MATRIX.md)
- 🔒 Security Policy
- 🤝 Contributing · 🧭 Governance
- 📣 Code of Conduct
Want to understand how GuardOS was born, the philosophy behind it, and how the onion‑layer model evolved?
Read the full literal transcript here:
👉 GENESYS.md — GuardOS Genesis Log: Literal Transcript
This is an early, community‑led project. Expect rapid iteration. Join us in discussions and issues.
GuardOS is built with a comprehensive, layered defense architecture known as the Onion Security Model, tackling modern threats such as:
- Physical device seizure & forensic extraction (e.g., GreyKey)
- Remote 0-click malware (e.g., Pegasus)
- Firmware/BIOS-level implants
- TLS interception and certificate injection
- AI-based surveillance (e.g., Recall, Copilot, Gemini)
- Stalkerware, USB malware, SS7 modem exploits
👉 Read the full GuardOS Security Model →
Want to ask questions, share ideas, or get help with GuardOS?
Join the official GitHub Discussions:
👉 GuardOS Discussions
This is the place to:
- Ask for help or clarification
- Share feature requests and ideas
- Follow project updates
- Connect with other contributors
We're building GuardOS together — your input is welcome!
💡 For bug reports or technical issues, please use Issues.
📍 See full ROADMAP.md →
- ✅ v0.1: Core architecture, SECURITY_MODEL.md, and Aegis AI concept drafted
- ✅ Reference hardware selected: ThinkPad X230, T480, Framework 13
- ✅ Community feedback loop started (Reddit + GitHub)
- 🔄 v0.2: Nix flake + profiles under development (
profiles/dev-test.yaml) - 🔄 v0.2: Flatpak sandboxing + per-app firewall config ongoing
- 🔄 v0.2: Contributor onboarding docs being drafted
- 🧪 v0.3: QEMU bootable ISO in planning stage
- 🧠 Looking for contributors on:
- Aegis watchdog shell scripting (detection + logging)
- Flatpak sandbox and firewall testing
- Installer polish (
build.sh) - Real-device reproducibility feedback
GuardOS introduces an innovative dual-boot system with two security modes:
- Simple GuardOS: Traditional bare-metal execution for maximum performance
- GuardOS²Q+: Advanced virtualization mode running GuardOS within QEMU for ultimate security isolation
This unique approach allows you to choose the right balance of performance and security for your workflow. GuardOS²Q+ is particularly recommended for AI development, security research, and testing untrusted code.
Learn more about dual-boot options
Curious how GuardOS handles firmware implants, Android backdoors, censorship, or social engineering? Wondering why we chose Heads over Libreboot, or Flatpak over VMs?
👉 Read our comprehensive Security & Architecture Q&A — It answers hard questions, admits blind spots, and explains why GuardOS remains relevant even under digital authoritarianism.
You don’t need to be a Nix guru — GuardOS welcomes help from all security-minded devs.
- Improve the installer (
build.sh) - Write or test watchdog scripts (Bash/Python)
- Suggest new security hardening techniques
- Test reproducibility on real hardware
- Translate documentation
Check issues labeled good first issue or open a discussion.
☕ Like it? Support the project at ko-fi.com/guardos
See LICENSE. SPDX: GPL-3.0-or-later
🙏 If you believe in privacy-first computing, support GuardOS on Ko‑fi.
