Alfred Linux — Technical Documentation & Build History

Overview

Alfred Linux is a complete operating system built from the ground up with AI as the primary user interface. Based on Debian Trixie (13), the current v7.77 Kingdom GA target ships 42 build hooks on the live-build host (three dedicated security hooks plus the 6-module Omahon Seal, for 38 security modules total) — a stack no other distribution ships as one integrated image. For context: v7.77 GA (April 2026) shipped 17 hooks; everything below in Build History records growth by milestone, not today’s headline count.

How “42 hooks” is counted: The canonical Kingdom tree is exactly 42 files matching config/hooks/live/*.hook.chroot in the GoForge alfredlinux-com-source-live repo (Matthew 1:17 lineage). That is not a smaller batch of hooks “renamed into” 42 — older milestones used fewer hook files on disk (including early ~17-hook images documented in history), and one intermediate layout reached 46 files before overlaps were consolidated into today’s 42-file lineage (e.g. sacred-stillness work merged under 0720; wake/STT extras merged under 0400). Separately: the bytes on /download can still expose fewer Alfred hook markers inside the squashfs until the next successful reseal from that tree; see includes/ga-release-state.php ($gaFrozenIsoHookCount vs $gaPlannedHookCount).

Target release: v7.77 GA “Kingdom of God Edition”

GA ISO is not yet published on this site (includes/ga-release-state.php). Engineering target: Debian Trixie 13, Linux kernel 7.0.1 (custom), x86_64, hybrid ISO pipeline. 42 Kingdom build hooks on the marquee (Matthew 1:17 lineage) — one .hook.chroot file per lineage stage in config/hooks/live/. Former “voice v2” / wake-word work ships inside 0400-alfred-voice.hook.chroot (commented there as absorbing the old separate stage); there is no separate 0900-*.hook.chroot in the current canon. 38 security modules (incl. Omahon Seal). AKJV Bible, worship album, Omahon modules as described elsewhere. Desktop ISO: ~7.77 GiB binary is the Kingdom target (see checklist B6 + alfred-linux-v2/docs/ISO-777-GiB-PLAN.txt); the primary ~1 GiB path to that gate is Kingdom cinematic video + 4K/8K masters (alfred-linux-v2/build-assets/ → hook 0285 §7), with hook 0297 as supporting typography/locale payload. Early internal candidates were ~6.74 GiB until that honest media fills the gap; the canonical frozen filename is alfred-linux-7.77-ga-intel-amd64-20260426.iso (same bytes as older amd64-stamped builds until a reseal). /download must state the measured size at publish. Follow includes/GA-LAUNCH-CHECKLIST.txt before flipping GA flags.

Alfred Linux is not a Linux distribution with a chatbot bolted on. The AI is integrated at the operating system level — from voice-driven shell interaction to the development environment to the browser. Every component was chosen and configured to serve the mission: your voice is the command line.

What Ships in v7.77

Alfred Desktop Environment — XFCE4 with custom theming, Arc dark theme, Papirus icons, JetBrains Mono font, and branded Plymouth boot splash
Alfred Browser — Built on Tauri + WebKitGTK. 4.7 MB. Zero telemetry, zero tracking. Replaces Firefox-ESR entirely
Alfred IDE — full VS Code-compatible IDE (powered by code-server 4.114.0) with the Alfred Commander extension pre-installed. Full VS Code in the browser at port 8443
Alfred Voice — Kokoro TTS engine with PyTorch CPU backend, spaCy NLP, and a welcome greeting on first boot
Alfred Search — Meilisearch local search engine for offline-first, instant search across all local content
Calamares Installer — Full graphical disk installer with Kingdom of God branding, custom slideshow, and encrypted disk support
Welcome App — 7-page first-boot wizard (Python/Tk) for voice setup, WiFi config, tool launcher, P2P seeding opt-in, and keyboard shortcuts
Alfred Store — Flatpak-powered app center with 6 curated categories, search, one-click install, and threaded updates
Voice 2.0 Wake Word — Always-on “Hey Alfred” detection via openWakeWord. Systemd service with configurable threshold
alfred-update & alfred-info — CLI tools for one-command system updates (APT + Flatpak + Alfred version check) and branded system info panel

Kernel Deep-Dive

Alfred Linux 7.77 GA ships Linux kernel 7.0.1, custom-compiled from Linus Torvalds' mainline source tree. This makes Alfred Linux the first operating system distribution in the world to ship kernel 7. Kernel 7.0 was released by Torvalds on April 5, 2026 (first major version bump since 6.0 in October 2022); 7.0.1 is the first stable point release.

Decoding “Linux 7.0.1”

7 = major version (first since 6.0 in Oct 2022)
0 = minor (first release in the 7.x series)
1 = first stable point release on top of 7.0
(Earlier candidates carried -rc7-alfred while we tracked Torvalds' release candidates; we cut over to 7.0.1 stable for GA.)

Compiled from the official git.kernel.org/torvalds/linux source tree with Debian Trixie's production config as the base, adapted via make olddefconfig. Custom LOCALVERSION tag. Built on 8-core EU build server.

What Kernel 7.0 Brings

3 New Hardware Mitigations (Kernel 7 Exclusive) — ITS (Indirect Target Selection), TSA (Transient Scheduler Attacks), and VMSCAPE (VM Escape) — not available in ANY 6.x kernel.
24 Total CPU Vulnerability Mitigations — Spectre v1/v2/BHI, Meltdown (PTI), MDS, TAA, L1TF, SRBDS, SRSO, RFDS, GDS, Retbleed, MMIO, SSB, SLS, Call Depth Tracking, Retpoline, IBPB/IBRS, plus the 3 new ones.
Expanded Rust-in-Kernel — More kernel subsystems in Rust for memory safety.
EEVDF Scheduler Refinements — Better latency and throughput on multi-core machines.
Latest Hardware Support — Intel Xe2, AMD RDNA4, NVIDIA 570+, WiFi 7, USB4, Thunderbolt 5, PCIe Gen 6.

Alfred Linux Security Hardening (12 Gaps Patched)

The default kernel 7.0 config ships with 12 security gaps that Alfred Linux patches at boot. No other consumer distro patches all 12:

#	Default Gap	Risk	Alfred Fix
1	`INIT_STACK_NONE=y`	Uninitialized stack info leaks	`init_on_alloc=1`
2	`INIT_ON_FREE` not set	Freed memory retains secrets	`init_on_free=1`
3	`MODULE_SIG_FORCE` off	Unsigned modules can load	`lockdown=integrity`
4	`MODULE_FORCE_UNLOAD=y`	Force-unload modules	Lockdown blocks
5	`IO_URING=y`	#1 kernel vuln source 2022–2025	`io_uring_disabled=2`
6	`USERFAULTFD=y`	Race condition exploit enabler	`unprivileged_userfaultfd=0`
7	`X86_IOPL_IOPERM=y`	Direct I/O port access	Lockdown blocks
8	`DEVMEM+PROC_KCORE`	Physical memory read	Lockdown blocks
9	`X86_MSR=m`	Disable security features	Lockdown blocks
10	`HIBERNATION=y`	RAM written to disk	`nohibernate`
11	`RANDSTRUCT_NONE=y`	No struct randomization	Next compile pass
12	`IOMMU_DEFAULT_DMA_LAZY`	Weak DMA protection	`iommu.strict=1`

Additional Hardening Layers

16 Boot Parameters — lockdown=integrity nohibernate debugfs=off io_uring_disabled=2 tsx=off slab_nomerge page_alloc.shuffle=1 iommu.strict=1 vsyscall=none and more
40+ Sysctl Rules — ASLR, kptr_restrict=2, dmesg_restrict, perf paranoid=3, BPF JIT hardening, kexec disabled, SysRq disabled, userfaultfd restricted, tty ldisc locked
30+ Module Blacklist — DCCP, SCTP, RDS, TIPC, Firewire, Thunderbolt, cramfs, hfs, freevxfs, jffs2, appletalk, IPX, and more
nftables Firewall — Drop-by-default, rate-limited SSH (10/min), rate-limited ICMP (5/sec), full audit logging
AppArmor + Fail2ban + auditd — Mandatory access control, SSH brute-force 3-strike 24h ban, comprehensive audit trail
Secure Mounts — /tmp and /dev/shm: noexec, nosuid, nodev
Core Dumps Disabled — Hard limit 0, kernel.core_pattern=/bin/false
Auto-generated IDE Passwords — Each session gets a unique random password, no default credentials
Omahon Seal (6 modules) — Boot Seal (HMAC-SHA256 of 14 boot files), Watchman (inotify on /etc + /boot), Vault (tmpfs secrets), Shell Guard (secret redaction), Secure Erase (3-pass wipe), Sovereign Attestation (build chain verification). Named after the breath of God — what was dead is raised incorruptible

Previous Kernel: 6.12.74 (RC4–RC6)

Alfred Linux v7.77 RC4 through RC6 shipped on Linux kernel 6.12.74 from the Debian Trixie security repositories — a Longterm release with 74 rounds of Debian kernel team security patches. RC7 leapfrogged to kernel 7.0 compiled from source, making Alfred the first distro on kernel 7.

The Linux Kernel Landscape (April 2026)

To understand where Alfred Linux sits in the kernel world, here is the full landscape of active Linux kernel branches as of April 2026:

7.0.1

Mainline — ALFRED LINUX IS HERE

First distro on kernel 7. Custom-compiled from Torvalds' source tree (released April 5, 2026). 3 exclusive mitigations: ITS, TSA, VMSCAPE. 24 total hardware vulnerability mitigations. Every other distro is still on 6.x.

6.19.11

Stable (Latest)

The newest stable release. Where Arch Linux and Fedora Rawhide sit. Alfred Linux has already leapfrogged past this to 7.0.

6.18.21

Longterm

Previous stable series, now in long-term maintenance. Receives only critical security and bug fixes.

6.12.80

Longterm — Alfred RC4–RC6

Debian Trixie's default kernel. Alfred Linux RC4–RC6 shipped on this branch before RC7 leapfrogged to kernel 7.0. Rock-solid LTS, extensively patched.

6.6.132

Longterm

Another LTS branch. Known for broad hardware support and mature driver stack. Used by some Ubuntu LTS releases.

6.1.167

Longterm (Previous)

The Debian Bookworm kernel. Alfred Linux v2.0 shipped on this branch. Proven, hardened, and the backbone of millions of Debian servers worldwide.

5.15.202

Longterm (Legacy)

Previous generation LTS. Still maintained but winding down. Ubuntu 22.04 LTS ships this kernel.

5.10.252

Longterm (Legacy)

Oldest actively maintained kernel. Used by Debian Bullseye (11) and some embedded systems. Approaching end-of-life.

Kernel Upgrade Roadmap

Alfred Linux is now on kernel 7.0.1 — the first distro on earth to ship kernel 7. Here's the full trajectory:

The Path to Kernel 7.0

Linux kernels are modular — upgrading requires rebuilding the ISO with the new kernel. Alfred Linux's build system (live-build + 16 custom hooks) makes this manageable. For kernel 7.0, we compiled directly from Linus Torvalds' source tree, adapted Debian Trixie's production config, and built custom .deb packages. The kernel is one hook in our build pipeline.

Phase	Target Kernel	Why	Status
v2.0 (Legacy)	`6.1.0-44`	Debian Bookworm default. Rock-solid stability. First bootable ISO.	✓ April 2026
v4.0 RC4–RC6	`6.12.74`	Rebased to Debian Trixie. EEVDF scheduler, Rust-in-kernel, UEFI+BIOS hybrid boot.	✓ April 2026
v4.0 RC7	`7.0.1`	Custom-compiled from Torvalds' mainline. 3 exclusive mitigations (ITS, TSA, VMSCAPE). 12 security gaps patched. First distro on kernel 7.	✓ April 6, 2026
v7.77 GA (NOW)	`7.0.1`	Enterprise security hardening: 38 modules (32 hardening + 6 Omahon Seal), 3 dedicated security hooks, FDE, AppArmor, fail2ban, AIDE, ClamAV, nftables default-deny. 42 build hooks.	✓ April 7, 2026
v7.77.x (next kernel cadence)	`7.0-stable or 7.1`	Still the 7.77 product line: kernel moves to 7.0 stable (or follow-on) with full regression testing. RANDSTRUCT enabled where applicable (compile-time hardening).	Post-GA (2026)

What a Newer Kernel Gets Us

Better Hardware Support — Every kernel release adds hundreds of new device drivers. Latest NVIDIA, AMD, Intel, Qualcomm, and Broadcom hardware. WiFi 7, USB4, Thunderbolt 5, PCIe Gen 5 NVMe.
Performance Gains — The kernel scheduler (EEVDF in 6.6+), memory management (MGLRU), and I/O subsystem improve substantially with each release. 6.12+ benchmarks show 5-15% improvements over 6.1 in many workloads.
Security Features — Newer kernels include improved address-space randomization, better speculative execution mitigations, shadow stacks (Intel CET), and Rust-based kernel modules for memory safety.
Rust in the Kernel — Starting with 6.1, the kernel supports Rust as a second language alongside C. This is revolutionary for memory safety. Each newer version expands Rust support significantly.
eBPF Improvements — Extended BPF for tracing, security, and networking gets more powerful with each release, enabling better Alfred-level system monitoring and AI-driven kernel optimization.

Alfred Linux Already Ships the Latest Kernel

With v7.77 GA, Alfred Linux is the first distro on earth shipping Linux kernel 7.0 — now with 38 security modules (including the Omahon Seal) across 3 dedicated hooks. Custom-compiled from Linus Torvalds' mainline source tree, with Debian Trixie's production config as the base. This isn't a random git snapshot — it's the official 7.0-rc7 release from kernel.org, built with make bindeb-pkg on 8 cores, adapted via make olddefconfig, and hardened with 17 boot security parameters, 45+ sysctl CIS L2 rules, a 30+ module blacklist, an nftables drop-by-default firewall, AppArmor enforced, fail2ban, AIDE file integrity, ClamAV antivirus, and LUKS2 full-disk encryption. No other distro does this. Headline today: v7.77 Kingdom extends the same kernel story with 42 live-build hooks on the ga profile — see the overview card above.

Current GA vs historical RC rows (read once)

Current product line — v7.77 “Kingdom of God Edition”: 42 build hooks on the production ga profile in the alfred-linux-v2 tree. That is the number to cite for what ships next.

Frozen milestone — v7.77 GA (April 8, 2026): shipped 17 hooks in the timeline below. That figure is archived truth for that release, not the current Kingdom hook total.

RC / sprint rows (RC4–RC8, b1–b6, etc.): counts like 10, 12, 13, 16 hooks describe only that week’s ISO as engineering grew the stack. They are not contradictions of 42 — they are the ladder we climbed.

Bible tongues (api/version.json → bible_tongues): must match the count of language data lines in hook 0292’s embedded languages.conf (currently 48 codes for Acts 2:4 breadth). English ships full AKJV when the 0290 TSV is present; Spanish, French, and Hebrew ship richer offline seeds; forty-four additional rows use compact two-verse tongue-* seeds until fuller texts are added. scripts/release-integrity.sh check-repo enforces that equality. Further dialects or full TSVs remain documented in Forge README.txt until matching rows ship in hook 0292.

Build History

Alfred Linux v2.0 was developed through a rigorous incremental build pipeline. Each build added one major component and was tested before the next layer was added. Here is the complete build record:

v1.0 — Foundation (14 builds)

The original Alfred Linux v1.0 went through 14 iterative builds to establish the base operating system, desktop environment, and basic voice integration. The final v1.0 ISO was 1.5 GB and proved the concept: a bootable Linux desktop with AI voice integration.

v2.0 — Full Stack (9+ builds)

2026-04-04

Foundation — Base Debian Bookworm + XFCE4 + Plymouth + Branding + Hardening

~1.2 GB

2026-04-04

+ Alfred Browser — Replaced Firefox-ESR with Alfred Browser (Tauri + WebKitGTK)

1.4 GB

2026-04-04

+ Alfred IDE — VS Code-compatible IDE (powered by code-server 4.114.0) + Commander extension for AI-powered development

1.6 GB

2026-04-05

+ Alfred Voice — Kokoro TTS + PyTorch CPU + spaCy NLP + welcome greeting service

2.2 GB

2026-04-05

+ Alfred Search — Meilisearch local search engine for offline-first instant search

2.3 GB

2026-04-05

+ Calamares Installer — Full graphical disk installer with Alfred branding and encryption

2.3 GB

RC1

2026-04-05

Release Candidate 1 — All 6 layers combined, first full integration test

2.3 GB

RC2

2026-04-05

Release Candidate 2 — Bug fixes, latest security patches applied

2.3 GB

RC3

2026-04-06

Release Candidate 3 — Critical boot fix (kernel naming), splash template fix, binary hook for generic kernel names, kernel 6.1.0-44. First bootable ISO.

2.5 GB

v4.0 — “The People’s OS” (Trixie Rebase + 4 New Features)

RC4

2026-04-06

Trixie Rebase — Rebased from Debian Bookworm to Trixie (13), kernel 6.12, UEFI+BIOS hybrid boot. Voice hook fixed for Trixie (venv + --only-binary spacy).

~2.5 GB

RC5

2026-04-06

Full v4.0 Stack — All 10 hooks: Welcome App (7-page wizard), Alfred Store (Flatpak center), Voice 2.0 (“Hey Alfred” wake word), alfred-update, alfred-info, version check API. Calamares v4.0 branding.

~2.5 GB

RC6

2026-04-06

Hardware + Installer Fix — All 12 hooks: universal hardware support + security hardening (drivers, firmware, GPU, WiFi, Bluetooth, input devices, power mgmt, auto-detect 3-tier), install-or-try dialog on live boot, XFCE desktop trust fix, Kyber-1024 branding. Calamares now visible and launchable.

~2.5 GB

RC7

2026-04-06

KERNEL 7.0 — FIRST DISTRO ON EARTH — All 13 hooks. Linux kernel 7.0.1 custom-compiled from Linus Torvalds' mainline source tree. 3 kernel-7-exclusive mitigations: ITS, TSA, VMSCAPE. 24 compiled-in CPU vulnerability mitigations. 12 default security gaps patched. Hook 0050 (kernel 7) + Hook 0160 (352-line security hardening).

~2.5 GB

2026-04-08

ENTERPRISE SECURITY — 38 MODULES + OMAHON SEAL, 17 HOOKS — All 17 hooks. 3 dedicated security hooks + the Omahon Seal (Hook 0175). Hook 0160 Alfred Security (21 modules: sysctl CIS L2, kernel lockdown, AppArmor w/ custom Alfred IDE + Meilisearch profiles, auto-updates, fail2ban 3-try/24h, auditd 30+ immutable rules, DNS-over-TLS, USB security, module blacklist, PAM 10-char/3-class, AIDE file integrity, ClamAV weekly scan, rkhunter + chkrootkit, hidepid=2, secure mounts, banners, core dumps disabled, cron lockdown, compiler restriction, NTS time sync, alfred-security-status CLI). Hook 0165 Network Hardening (7 modules: MAC randomization, nftables default-deny, TCP wrappers, port scan defense, wireless hardening, SSH strong ciphers, alfred-network-status CLI). Hook 0170 Full Disk Encryption (4 modules: LUKS2 cryptsetup + initramfs, strong defaults, Calamares FDE checkbox, alfred-encrypt-status CLI). Hook 0175 Omahon Seal (6 modules: Boot Seal, Watchman, Vault, Shell Guard, Secure Erase, Sovereign Attestation). GPG signed. 19 new security packages. fastfetch replaces neofetch. DNS fix hook (0011). Resilient IDE/Voice hooks (set +e).

~2.3 GB

The Boot Fix Story

RC1 and RC2 were successfully built but contained a critical boot defect that was discovered during ISO inspection: the bootloader referenced /live/vmlinuz and /live/initrd.img, but the ISO only contained the versioned files (vmlinuz-6.1.0-44-amd64). This meant the ISOs would fail to boot on any hardware.

The fix was a build hook that runs as the absolute last step (hook #9999) in the chroot phase, creating copies of the kernel and initramfs with the generic names that the bootloader expects. RC3 is the first build with this fix and the latest Debian security patches (kernel 6.1.0-44, including WebKit, OpenSSL, ImageMagick, and GStreamer security updates).

Bundled Components

Every component is pre-installed and configured. No package manager needed for the core experience.

Alfred Browser

v4.0.0 — Tauri + WebKitGTK

Zero-telemetry sovereign web browser. 4.7 MB. No Google Services, no ad tracking, no phone-home. Set as the system default browser, replacing Firefox entirely.

Alfred IDE

Alfred IDE 1.0 (code-server 4.114.0 + Commander 1.0.1)

Full Visual Studio Code in the browser. The Alfred Commander extension provides AI chat, voice commands, and MCP tool integration. Runs on port 8443.

Alfred Voice

Kokoro TTS + PyTorch CPU

Text-to-speech engine running entirely offline. No cloud API needed. Speaks on first boot with a welcome greeting. spaCy NLP for natural language processing.

Alfred Search

Meilisearch (latest)

Lightning-fast local search engine. Indexes all local files and documentation. Sub-50ms search results. No internet connection required.

Calamares Installer

v3.2.x + Alfred v4.0 Branding

Graphical disk installer for permanent installation. Supports LUKS full-disk encryption, alongside/replace partitioning, and automated install modes.

Desktop Environment

XFCE 4.18 + LightDM

Lightweight, fast desktop with Arc dark theme, Papirus icons, JetBrains Mono font, and custom bash prompt. Branded fastfetch with Alfred ASCII art.

New in v7.77

These features ship in the 42-hook Kingdom GA set; they build on the v4.0 stack listed earlier in Build History.

Welcome App

v4.0 — Python/Tk

7-page first-boot wizard: voice setup, WiFi config, tool launcher, P2P seeding opt-in, keyboard shortcuts. Runs once, remembers. Dark branded UI.

Alfred Store

v4.0 — Flatpak + Flathub

App center with 6 curated categories: Featured, Development, Communication, Media, Games, Privacy. Search, one-click install, threaded background updates.

Voice 2.0 Wake Word

openWakeWord — systemd service

Always-on “Hey Alfred” wake word detection. Runs as a systemd service with 3-second cooldown and configurable audio threshold.

alfred-update & alfred-info

CLI tools — /usr/local/bin/

alfred-update: one-command APT + Flatpak + Alfred version check. alfred-info: branded system info panel showing version, kernel, uptime, memory, disk, services.

Security Stack

nftables Firewall

Default-deny + UFW frontend

nftables drop-by-default firewall with rate-limited SSH and ICMP. UFW frontend available for management. Only essential services allowed through.

Fail2ban

v1.0.2

Intrusion prevention system monitoring SSH, web, and other services. Automatically bans repeated failed login attempts.

SSH Hardening

OpenSSH (hardened config)

Root login disabled, password auth disabled by default, key-based only. Configured during build with security-first defaults.

WireGuard VPN

Kernel module included

Modern VPN built into the kernel. Ready for mesh networking, sovereign infrastructure, and peer-to-peer encrypted tunnels.

Build System

Alfred Linux ISOs are built using Debian live-build, the same system used to produce official Debian Live images. The build process is fully automated and reproducible.

Build Pipeline

# Alfred Linux uses a 3-phase build pipeline:

Phase 1: Bootstrap
  debootstrap creates a minimal Debian chroot (~400 MB)
  Base packages installed: dpkg, apt, bash, coreutils

Phase 2: Chroot
  1,000+ packages installed into the chroot
  42 build hooks execute sequentially:
    0010 — Fix Debian security repository URL format
    0011 — Fix chroot DNS resolution (forcibly writes /etc/resolv.conf)
    0100 — Alfred branding (Plymouth, fastfetch, XFCE config, hardening)
    0150 — Alfred Hardware (universal drivers, firmware, input devices, GPU, WiFi, Bluetooth, power mgmt, auto-detect)
    0160 — Alfred Security (21 modules: sysctl CIS L2, kernel lockdown, AppArmor w/ custom profiles, auto-updates, fail2ban, auditd 30+ rules, DNS-over-TLS, USB security, module blacklist, PAM hardening, AIDE, ClamAV, rkhunter + chkrootkit, hidepid, secure mounts, banners, core dumps, cron lockdown, compiler restriction, NTS time sync, alfred-security-status CLI)
    0165 — Alfred Network Hardening (7 modules: MAC randomization, nftables default-deny, TCP wrappers, port scan defense, wireless hardening, SSH strong ciphers, alfred-network-status CLI)
    0170 — Alfred Full Disk Encryption (4 modules: LUKS2 cryptsetup + initramfs, strong defaults, Calamares FDE checkbox, alfred-encrypt-status CLI)
    0175 — 🔏 Omahon Seal (6 modules: Boot Seal HMAC-SHA256, Watchman inotify, Vault tmpfs, Shell Guard redaction, Secure Erase 3-pass, Sovereign Attestation SHA-256)
    0200 — Alfred Browser (remove Firefox, install .deb, set default)
    0300 — Alfred IDE (VS Code-compatible IDE + Commander extension)
    0400 — Alfred Voice (Kokoro TTS + realtime/wake stack — absorbs former separate “0900” stage; see hook header in tree)
    0500 — Alfred Search (Meilisearch binary)
    0600 — Calamares installer (KF5/Qt5 + v4.0 branding + LUKS2 FDE)
    0700 — Welcome App (7-page Python/Tk first-boot wizard)
    0710 — alfred-update + alfred-info CLI tools + version check API
    0800 — Alfred Store (Flatpak app center + Flathub + 6 categories)
    9999 — Kernel name fix (ensures /boot/vmlinuz exists)

Phase 3: Binary
  Security updates applied to chroot
  chroot compressed to squashfs (~2.3 GB → filesystem.squashfs)
  Bootloader configured (ISOLINUX/syslinux)
  ISO assembled (xorriso) as hybrid ISO (USB + CD bootable)

Build Infrastructure

Component	Specification
Build Server	GoSiteMe dedicated build server, 8 cores, 32 GB RAM
Build OS	Ubuntu 22.04 LTS
Build Tool	live-build 3.0 (Ubuntu variant)
Compression	squashfs with gzip (8 threads parallel)
ISO Tool	xorriso with ISOLINUX hybrid boot
Build Time	~15 minutes (full rebuild from clean)
Network	1 Gbps dedicated link to Debian mirrors

System Specifications

ISO Details

Property	Value
Base	Debian 13 (Trixie)
Kernel	Linux 7.0.1 (amd64, custom-compiled)
Architecture	x86_64 — ISO filenames use Debian’s `amd64` tag (same binary runs on Intel and AMD 64-bit; the name is historical, not vendor-exclusive)
ISO Type	Hybrid (USB stick + CD/DVD bootable, UEFI + BIOS)
ISO Size	~2.5 GB
Desktop	XFCE 4.18 + LightDM
Init System	systemd
Package Format	APT (.deb)
Boot Firmware	UEFI + BIOS (ISOLINUX/GRUB hybrid)
License	AGPL-3.0

Minimum Requirements

Component	Minimum	Recommended
RAM	4 GB	16 GB
Storage	32 GB	256 GB NVMe
CPU	2 cores, x86_64	8+ cores
GPU	Any (VESA fallback)	AMD/NVIDIA with open drivers
Network	Optional (works offline)	Ethernet or WiFi
Boot	USB 2.0 or CD/DVD	USB 3.0+

Pre-installed Package Highlights

Category	Packages
Desktop	xfce4, xfce4-goodies, thunar, xfce4-terminal, lightdm
Media	VLC, PulseAudio, ImageMagick
Networking	NetworkManager, WireGuard, curl, wget, OpenSSH
Security	nftables, AppArmor, fail2ban, auditd, AIDE, ClamAV, rkhunter, chkrootkit, GnuPG, KeePassXC
Development	git, vim, nano, python3, build-essential
System	htop, fastfetch, file-roller, gparted
Fonts	JetBrains Mono, Noto (full CJK support), Liberation
Theming	Arc theme, Papirus icons, Plymouth boot splash

Security Posture

Alfred Linux ships 38 security modules across 3 dedicated build hooks (plus the 6-module Omahon Seal). Every default is chosen for defense, not convenience. v7.77 GA delivers enterprise-grade hardening out of the box.

Supply chain transparency & GoForge CI

Runtime hardening above is separate from build-time supply chain: verified kernel tarballs, ISO staging gates, and where full-tree kernel audit runs. Public summary: /security-kernel. AGPL technical manifests on GoForge: KERNEL-7.0.1-SECURITY-MANIFEST.txt, KERNEL-7.0.1-SUPPLY-CHAIN-AUDIT.txt. Operators enabling Actions / act_runner: GOFORGE-INFRASTRUCTURE-UPGRADE.txt.

Hook 0160 — Alfred Security (21 Modules)

Kernel sysctl hardening — 45+ CIS Level 2 rules: ASLR=2, symlink/hardlink protection, SYN cookies, ICMP redirect blocking, source routing disabled, core dumps off
Kernel lockdown — integrity mode enforced at boot
AppArmor — Mandatory access control enforced with custom profiles for Alfred IDE and Meilisearch
Unattended-upgrades — Automatic security patches enabled by default
Fail2ban — SSH brute-force protection (3 attempts → 24-hour ban)
Auditd — 30+ immutable audit rules for system calls, file access, auth events
DNS-over-TLS — Quad9 (9.9.9.9) + Cloudflare (1.1.1.1) encrypted DNS via systemd-resolved
USB security — USBGuard-style logging + alfred-usb-storage toggle tool
Module blacklisting — firewire, dccp, sctp, cramfs, freevxfs, hfs, jffs2, udf, thunderbolt DMA
PAM hardening — 10-character minimum, 3 character classes, account lockout after failed attempts
AIDE — File integrity monitoring with daily cron check + alfred-aide-init baseline tool
ClamAV — Antivirus engine with weekly scheduled scan via alfred-scan
Rootkit detection — rkhunter + chkrootkit with weekly cron scans
hidepid=2 — Users cannot see other users' processes
Secure mounts — /tmp with noexec,nosuid,nodev; /var/tmp and /dev/shm hardened
Login banners — Legal warning banners on console and SSH
Core dumps disabled — via sysctl + limits.conf + systemd
Cron/at lockdown — Root-only access to scheduled tasks
Compiler restriction — gcc/g++ restricted to 'dev' group only
NTS time sync — Chrony with Network Time Security (authenticated NTP)
alfred-security-status — CLI dashboard showing status of all 21 modules

Hook 0165 — Alfred Network Hardening (7 Modules)

MAC randomization — WiFi and Ethernet interfaces use random MAC addresses per-connection
nftables firewall — Default-deny ingress, allow established + ICMP + loopback only
TCP wrappers — hosts.deny ALL:ALL, hosts.allow sshd from localhost
Port scan defense — nftables rate-limiting rules against SYN flood and port scanning
Wireless hardening — WPS disabled, strong WPA supplicant defaults
SSH strong ciphers — chacha20-poly1305, aes256-gcm only; ed25519 + sntrup761x25519 key exchange
alfred-network-status — CLI dashboard showing firewall, MAC, SSH cipher status

Hook 0170 — Full Disk Encryption (4 Modules)

LUKS2 support — cryptsetup + cryptsetup-initramfs installed and configured
Strong defaults — aes-xts-plain64, sha512, 4096-bit key, argon2id KDF
Calamares FDE — enableLuksAutomatedPartitioning checkbox enabled in installer
alfred-encrypt-status — CLI tool to check encryption status of all block devices

Foundational Security

Zero Telemetry — No phone-home, no crash reporting, no usage analytics. The OS does not contact any server unless you tell it to.
24 CPU mitigations — Spectre v1/v2/BHI, Meltdown, MDS, TAA, MMIO, RFDS, SRBDS, L1TF, SSB, ITS, TSA, VMSCAPE compiled in
16 boot parameters — init_on_alloc, init_on_free, slab_nomerge, pti=on, lockdown=integrity, debugfs=off, io_uring_disabled, tsx=off, vsyscall=none
WireGuard Ready — VPN kernel module pre-loaded for encrypted mesh networking
Auditable Build — Every ISO is built from a documented script. SHA-256 + BLAKE3 checksums are published for each frozen GA release (see /download when live)

Download & Verify

v7.77 GA — image status

The frozen v7.77 GA desktop ISO filename, checksum files, and torrent are published on alfredlinux.com/download when the final live-build is complete. Until then, treat any example filenames below as placeholders only.

# After GA is published — replace FILENAME with the exact .iso basename from /download
# Covenant first: /covenant?next=/download — plain https://alfredlinux.com/downloads/*.iso HTTP is denied.
# Fetch bytes via P2P on /download, or wget the time-limited iso.php URL shown there:
wget -O FILENAME.iso "https://alfredlinux.com/downloads/iso.php?t=PASTE_TOKEN_FROM_DOWNLOAD"
wget https://alfredlinux.com/downloads/FILENAME.iso.sha256
sha256sum -c FILENAME.iso.sha256
b3sum FILENAME.iso
sudo dd if=FILENAME.iso of=/dev/sdX bs=4M status=progress oflag=sync

Alfred Linux Mobile (Android)

Alfred Linux runs on Android phones and tablets — Samsung Galaxy S26 Ultra, Pixel, OnePlus, any device running Android 12+. No root required. Uses Termux + proot-distro to run a full Debian Bookworm environment with all Alfred components.

What You Get on Mobile

Alfred IDE (powered by code-server — the same VS Code engine used by enterprise teams worldwide, running entirely on your device) · Alfred Search (Meilisearch) · Alfred Voice (Kokoro TTS) · Full Linux terminal · Python, Node.js, Git, and build tools. With Samsung DeX, plug into a monitor and you have a full desktop development environment.

Quick Install

# 1. Install Termux from F-Droid (NOT Google Play)
#    https://f-droid.org/en/packages/com.termux/

# 2. Open Termux and run:
curl -fsSL https://alfredlinux.com/downloads/install-alfred-mobile.sh | bash

# 3. After install, use these commands:
alfred          # Enter Alfred Linux shell
alfred-ide      # Launch Alfred IDE in browser
alfred-info     # Show system info

Requirements

Android 12+ (Samsung One UI 4+, Pixel 6+, etc.)
4 GB free storage for the full Alfred environment
Termux from F-Droid (the Google Play version is deprecated)
Optional: Termux:Widget for home screen shortcuts
Optional: Samsung DeX for desktop-mode IDE experience

Samsung DeX Integration

When connected to an external display via USB-C or Miracast, Samsung DeX provides a desktop-like environment. Launch alfred-ide, open your browser, and you have a full VS Code IDE on a large screen — powered entirely by your phone. Alfred IDE runs on code-server, the same engine powering VS Code for the Web at major companies. The Samsung S26 Ultra with 12GB RAM and Snapdragon 8 Elite runs it smoothly.

Architecture Notes

Mobile Alfred Linux runs on ARM64 (aarch64) inside a proot container. The Debian userspace is real — you can install any Debian package with apt. The kernel is Android's, but everything above it is standard Debian Bookworm. This means:

Full apt package manager — install anything from Debian repos
Python, Node.js, Ruby, Go, Rust — all work natively on ARM64
No root needed — proot translates system calls without kernel modifications
Persistent storage — your files survive Termux restarts
Network access — uses Android's network stack transparently

Contributing

Alfred Linux is open source under the AGPL-3.0 license. Contributions are welcome and rewarded with GSM tokens — live on Solana mainnet.

How to Contribute

Report Bugs — Test the ISO and report any issues. Boot failures, hardware incompatibilities, broken features. 10-50 GSM per confirmed bug.
Submit Patches — Fix bugs or add features via pull requests. 100-1,000 GSM per merged feature.
Write Documentation — Help expand this documentation, write tutorials, create videos. 50-500 GSM per contribution.
Test Hardware — Boot Alfred Linux on your hardware and report compatibility. We need coverage across laptops, desktops, and servers.
Translate — Help bring Alfred Linux to your language. Localization is a priority for v3.0.

Build It Yourself

# Requirements: Debian/Ubuntu with sudo, 32GB RAM recommended, 50GB free disk

# Install dependencies
sudo apt install live-build debootstrap squashfs-tools xorriso isolinux syslinux-common syslinux

# Clone the build scripts
git clone https://alfredlinux.com/forge/commander/alfredlinux.com.git
cd alfred-linux

# Build the full GA ISO
sudo bash scripts/build-unified.sh ga

# Output: iso-output/alfred-linux-7.77-ga-intel-amd64-YYYYMMDD.iso (or live-build amd64 name until renamed)

Build Requirements

OS: Debian 12+ or Ubuntu 22.04+ — CPU: 4+ cores — RAM: 16 GB minimum (32 GB recommended) — Disk: 50 GB free — Time: ~15 minutes on modern hardware

What's Next

Alfred Linux v7.77 is the fully-loaded Kingdom of God Edition. The next milestones are:

ARM64 build — Raspberry Pi 4/5 and Apple Silicon support
Wayland desktop — XFCE on Wayland (wlroots) for the Alfred Desktop Environment
Whisper STT integration — Voice input via OpenAI Whisper running locally on GPU
Custom wake word model — Train a dedicated “Hey Alfred” model instead of using the built-in closest match
GSM wallet & mining — Built-in token wallet and compute contribution system
Secure Boot signing — Microsoft-signed shim for Secure Boot compatibility
Auto-update channel — alfred-update with delta/OTA patches instead of full ISO rebuilds