Architecture decisions

Decisions you can read.

The load-bearing choices behind FoundryOS — not a marketing brief, a public matrix you can hold us to.

Decision matrix

Twelve choices that define the product. Each row is keyed to an architecture decision record in the source tree.

Base OS

ADR-0004

Debian Stable, frozen

Stability is the product; freshness lives in layers above.

Desktop

ADR-0003

GNOME on Wayland only

One desktop keeps the build and test surface small.

Encryption

ADR-0011

LUKS2 on by default

Opt-out during install — not an afterthought.

Secure Boot

ADR-0012

Signed chain, MOK for DKMS

Works out of the box, including NVIDIA modules.

Rollback

ADR-0018

In-house foundryos-rollback

Stock snapper rollback does not reconcile our /boot layout.

Self-preservation

ADR-0035

apt cannot remove Core

A guard refuses transactions that would delete the desktop.

Self-heal

ADR-0037

Boot-counting auto-rollback

Consecutive unhealthy boots route to last-known-good.

Updates

ADR-0005

Security auto; features opt-in

Consent-gated version jumps; security fixes flow.

Freshness

ADR-0031

Verified catalog + opt-in backports

Newer kernels and drivers only when proven on the base.

AI assist

ADR-0034

Off by default, on-device

Nothing leaves the machine unless you deliberately enable it.

Default profile

ADR-0025

Lean Core

Quality-of-life extras are opt-in, not preinstalled bloat.

Gaming

ADR-0046

Non-goal

Focus stays on a stable, recoverable desktop.

Load-bearing ADRs

A short reading list — not the full ledger. Each card is the public summary of a sealed decision in the source tree.

ADR-0004

Layering for freshness

The base stays frozen. Newer software lives in higher layers — Flatpak, containers, and a curated hardware overlay — so freshness never contaminates the foundation.

ADR-0011

Encryption on by default

Full-disk LUKS2 is the installer default, with an opt-out. No keyfile is left on disk to weaken the unlock path.

ADR-0018

Our own rollback engine

We ship foundryos-rollback instead of stock snapper rollback, so an external /boot stays paired with the root snapshot you restore.

ADR-0035

apt can't delete your desktop

A self-preservation guard refuses any transaction — apt or offline-update — that would remove Core packages.

ADR-0037

Self-healing boots

A boot-counting engine watches for trouble and can route consecutive unhealthy boots to the last-known-good snapshot.

ADR-0034

AI is optional and local

The reasoner defaults to off. When enabled, it runs on-device or on your LAN, with redaction before anything is built.

ADR-0031

Freshness is verified

A two-tier catalog: packages proven against the FoundryOS base, plus an explicit opt-in path for unrestricted backports.

ADR-0046

Gaming is a non-goal

We dropped the gaming profile so Core stays lean and the product story stays honest.

This page is a curated public surface. The complete decision log — including superseded records and internal notes — ships with the public 1.0 source release as docs/DECISIONS.md. ADR numbers above are stable identifiers into that file.