Architecture decisions
Decisions you can read.
The load-bearing choices behind FoundryOS — not a marketing brief, a public matrix you can hold us to.
Decision matrix
Twelve choices that define the product. Each row is keyed to an architecture decision record in the source tree.
Base OS
ADR-0004: Debian Stable, frozen
Stability is the product; freshness lives in layers above.
Desktop
ADR-0003: GNOME on Wayland only
One desktop keeps the build and test surface small.
Encryption
ADR-0011: LUKS2 on by default
Opt-out during install — not an afterthought.
Secure Boot
ADR-0012: Signed chain, MOK for DKMS
Works out of the box, including NVIDIA modules.
Rollback
ADR-0018: In-house foundryos-rollback
Stock snapper rollback does not reconcile our /boot layout.
Self-preservation
ADR-0035: apt cannot remove Core
A guard refuses transactions that would delete the desktop.
Self-heal
ADR-0037: Boot-counting auto-rollback
Consecutive unhealthy boots route to last-known-good.
Updates
ADR-0005: Security auto; features opt-in
Consent-gated version jumps; security fixes flow.
Freshness
ADR-0031: Verified catalog + opt-in backports
Newer kernels and drivers only when proven on the base.
AI assist
ADR-0034: Off by default, on-device
Nothing leaves the machine unless you deliberately enable it.
Default profile
ADR-0025: Lean Core
Quality-of-life extras are opt-in, not preinstalled bloat.
Gaming
ADR-0046: Non-goal
Focus stays on a stable, recoverable desktop.
Load-bearing ADRs
A short reading list — not the full ledger. Each card is the public summary of a sealed decision in the source tree.
Layering for freshness
The base stays frozen. Newer software lives in higher layers — Flatpak, containers, and a curated hardware overlay — so freshness never contaminates the foundation.
Encryption on by default
Full-disk LUKS2 is the installer default, with an opt-out. No keyfile is left on disk to weaken the unlock path.
Our own rollback engine
We ship foundryos-rollback instead of stock snapper rollback, so an external /boot stays paired with the root snapshot you restore.
apt can't delete your desktop
A self-preservation guard refuses any transaction — apt or offline-update — that would remove Core packages.
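A guard of the kind the Self-preservation row and this card describe can be expressed with apt's own hook mechanism. What follows is an added example, not FoundryOS's guard (the page does not say how the real one is built): a POSIX shell hook registered through `DPkg::Pre-Install-Pkgs`, which apt runs before dpkg with the planned transaction on stdin; a non-zero exit from the hook aborts the whole transaction. The package names in `FOUNDRYOS_PROTECTED`, the hook path `/usr/lib/foundryos/apt-guard` and the `apt.conf.d` file name are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical apt self-preservation guard (added example, not FoundryOS code).
# Assumed wiring in /etc/apt/apt.conf.d/90foundryos-guard:
#   DPkg::Pre-Install-Pkgs {"/usr/lib/foundryos/apt-guard";};
#   DPkg::Tools::Options::/usr/lib/foundryos/apt-guard::Version "2";
# With protocol version 2 apt writes every planned install, upgrade, removal and
# configure step to the hook's stdin before dpkg runs; exiting non-zero aborts it.

# Assumed names of the packages that make up "Core"; the real list is not on the page.
FOUNDRYOS_PROTECTED="${FOUNDRYOS_PROTECTED:-foundryos-core foundryos-desktop gnome-shell}"

is_protected() {
    for p in $FOUNDRYOS_PROTECTED; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Reads the version 2 hook protocol from stdin:
#   VERSION 2
#   <apt configuration lines>
#   <blank line>
#   pkg old-version direction new-version <deb path | **REMOVE** | **CONFIGURE**>
# Returns 1 (refuse the transaction) if any protected package would be removed,
# 0 otherwise. Upgrades of protected packages are allowed: they are not removals.
guard_check() {
    in_body=0
    refused=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$in_body" -eq 0 ]; then
            [ -z "$line" ] && in_body=1   # blank line ends the header
            continue
        fi
        [ -z "$line" ] && continue
        pkg=${line%% *}      # first field: package name
        action=${line##* }   # last field: .deb path or **REMOVE** / **CONFIGURE**
        if [ "$action" = '**REMOVE**' ] && is_protected "$pkg"; then
            echo "foundryos-guard: refusing to remove Core package '$pkg'" >&2
            refused=1
        fi
    done
    return $refused
}

# When installed at the assumed hook path, act on apt's stdin; when sourced
# for testing, only define the functions.
if [ "${0##*/}" = "apt-guard" ]; then
    guard_check
fi
```

Two practical notes. The `Version "2"` option matters: without it apt falls back to protocol version 1, which hands the hook only the paths of the `.deb` files being installed, so removals are invisible to it. And the hook sits on the apt side of the fence: any front end that drives dpkg through libapt-pkg runs it, but a direct `dpkg -r` does not, so it guards the apt path rather than dpkg itself.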
Self-healing boots
A boot-counting engine watches for trouble and can route consecutive unhealthy boots to the last-known-good snapshot.
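The counting logic behind the Self-heal row and this card is small enough to show end to end. The following is an added example, not the FoundryOS engine: a POSIX shell state machine in which every boot increments a counter, a boot that reaches a healthy desktop clears it and records its snapshot as last-known-good, and once the counter reaches a threshold the boot decision falls back to that snapshot. The state file layout, the `MAX_UNHEALTHY` threshold and the three entry points are assumptions; the real engine's files and ordering are not on the page.

```shell
#!/bin/sh
# Boot-counting auto-rollback state machine (added example, not FoundryOS code).
# Assumed layout: a state file holds the number of boots since the last one that
# was marked healthy; a marker file names the last-known-good root snapshot.
# Assumed wiring: boot_decide is consulted by the bootloader-side hook before a
# boot, boot_begin runs from an early boot unit, and boot_healthy runs from a
# unit ordered after the desktop session is up and its health checks pass.

MAX_UNHEALTHY="${MAX_UNHEALTHY:-3}"   # consecutive unhealthy boots before rollback

_read_count() {
    if [ -f "$1" ]; then cat "$1"; else echo 0; fi
}

# Early in every boot: one more boot has started without proof of health yet.
boot_begin() {
    state=$1
    n=$(_read_count "$state")
    echo $((n + 1)) > "$state"
}

# Once the desktop is up and healthy: remember this boot's snapshot as
# last-known-good and reset the unhealthy-boot counter.
boot_healthy() {
    state=$1; lkg=$2; snapshot=$3
    echo 0 > "$state"
    printf '%s\n' "$snapshot" > "$lkg"
}

# Which snapshot to boot: the current one, or last-known-good after
# MAX_UNHEALTHY consecutive boots that never reached boot_healthy.
# Falls through to the current snapshot when no last-known-good is recorded.
boot_decide() {
    state=$1; lkg=$2; current=$3
    n=$(_read_count "$state")
    if [ "$n" -ge "$MAX_UNHEALTHY" ] && [ -s "$lkg" ]; then
        cat "$lkg"
    else
        echo "$current"
    fi
}
```

The ordering is what makes the threshold mean "consecutive": because boot_decide runs before boot_begin, a new snapshot gets exactly `MAX_UNHEALTHY` attempts, and a single healthy boot in between resets the count to zero. A snapshot that has never produced a healthy boot is never written as last-known-good, so the fallback target is always one that has actually reached the desktop.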
AI is optional and local
The reasoner defaults to off. When enabled, it runs on-device or on your LAN, with redaction before anything is built.
Freshness is verified
A two-tier catalog: packages proven against the FoundryOS base, plus an explicit opt-in path for unrestricted backports.
Gaming is a non-goal
We dropped the gaming profile so Core stays lean and the product story stays honest.
This page is a curated public surface. The complete decision log — including superseded records and internal notes — ships with the public 1.0 source release as docs/DECISIONS.md. ADR numbers above are stable identifiers into that file.