Skip to content

SecAI-Hub/SecAI_OS

BranchesTags

Repository files navigation

SecAI OS

CI License: Apache-2.0 Fedora 42 uBlue

Bootable local-first AI OS with sealed runtime, model quarantine pipeline, airlock egress controls, encrypted vault, and private Tor-routed search.

Built on uBlue (Fedora Atomic / Silverblue). All AI compute -- inference and generation -- stays on-device. Network egress is denied by default. GPU auto-detected at first boot.

+-------------------+     +-------------------+     +-------------------+
|  A) Base OS       | --> |  B) Acquisition   | --> |  C) Quarantine    |
|  immutable image  |     |  dirty net /      |     |  7-stage pipeline |
|  signed updates   |     |  allowlist only   |     |  fully automatic  |
+-------------------+     +-------------------+     +--------+----------+
                                                             |
                          +-------------------+     +--------v----------+
                          |  E) Airlock       | <-- |  D) Runtime       |
                          |  sanitized egress |     |  sealed inference |
                          |  (optional)       |     |  no internet      |
                          +-------------------+     +-------------------+

Who This Is For

  • Privacy-conscious AI users who want LLM and image generation without cloud services
  • Security researchers evaluating model supply-chain risks
  • Air-gapped environments that need AI inference with no internet dependency
  • Organizations requiring auditable, policy-enforced AI workstations

What Makes It Different

  • Default-deny egress -- The runtime has no internet unless explicitly enabled via the airlock.
  • Supply-chain distrust -- Models are untrusted until they pass a 7-stage quarantine pipeline (source, format, integrity, provenance, static scan, behavioral test, diffusion scan).
  • Hands-off security -- All scanning, verification, and promotion happens automatically. Users never run security tools manually.
  • Deterministic policy -- Promotion to "trusted" is rule-based (signatures, hashes, scans, tests), not ad-hoc.
  • Short-lived workers -- No swap, tmpfs for temp data, inference workers restart between sessions.
  • 20+ defense layers -- From UEFI Secure Boot and TPM2 to seccomp-BPF, Landlock, canary files, and 3-level emergency wipe.

Quickstart

Install (Fedora Atomic)

# Rebase to unsigned image first
sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/sec_ai/secai_os:latest
sudo systemctl reboot

# Then rebase to signed image
sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sec_ai/secai_os:latest
sudo systemctl reboot

# Set up encrypted vault
sudo /usr/libexec/secure-ai/setup-vault.sh /dev/sdX

See docs/install/ for detailed guides: bare metal | virtual machine | development

Get Your First Model

Open http://127.0.0.1:8480, go to Models, and click Download on any model in the catalog. The 7-stage quarantine pipeline runs automatically. Once promoted, the model is ready to use.

Or via CLI:

sudo cp your-model.gguf /var/lib/secure-ai/quarantine/incoming/
journalctl -u secure-ai-quarantine-watcher -f  # watch pipeline

Architecture

Services

Service Port Language Purpose
Registry 8470 Go Trusted artifact manifest, read-only model store
Tool Firewall 8475 Go Policy-gated tool invocation gateway
Web UI 8480 Python Chat, image/video generation, model management
Airlock 8490 Go Sanitized egress proxy (disabled by default)
Inference Worker 8465 llama.cpp LLM inference (CUDA / ROCm / Vulkan / Metal / CPU)
Diffusion Worker 8455 Python Image and video generation
Quarantine -- Python 7-stage verify, scan, and promote pipeline
Search Mediator 8485 Python Tor-routed web search with PII stripping
SearXNG 8888 Python Self-hosted metasearch (privacy-respecting engines)
Tor 9050 C Anonymous SOCKS5 proxy

See docs/architecture.md for design decisions and service dependencies. Per-service docs: registry | tool-firewall | airlock | quarantine | search-mediator

7-Stage Quarantine Pipeline

Every model passes through the same fully automatic pipeline:

Stage Name What It Does
1 Source Policy Verifies origin against allowlist
2 Format Gate Validates headers, rejects unsafe formats (pickle, .pt, .bin)
3 Integrity Check SHA-256 hash pinning verification
4 Provenance Cosign signature verification
5 Static Scan ModelScan + entropy analysis + gguf-guard (weight-level anomaly detection)
6 Behavioral Test 22 adversarial prompts across 10 attack categories (LLM only)
7 Diffusion Scan Config integrity, symlink detection (diffusion only)

Security Model

Defense Layers

Layer Mechanism
Boot Immutable OS (rpm-ostree), cosign-verified updates, greenboot auto-rollback
Secure Boot UEFI Secure Boot + MOK signing, TPM2 vault key sealing (PCR 0,2,4,7)
Kernel IOMMU forced, ASLR, slab_nomerge, init_on_alloc/free, lockdown=confidentiality
Memory Swap/zswap disabled, core dumps discarded, mlock for secrets, TEE detection
Network nftables default-deny egress, DNS rate-limited, traffic analysis countermeasures
Filesystem Encrypted vault (LUKS2/AES-256/Argon2id), restrictive permissions, fs-verity
Models 7-stage quarantine pipeline with gguf-guard deep integrity scanning
Tools Default-deny policy, path allowlisting, traversal protection, rate limiting
Egress Airlock disabled by default, PII/credential scanning, destination allowlist
Search Tor-routed, differential privacy (decoy queries, k-anonymity), injection detection
Audit Hash-chained tamper-evident logs with periodic verification
Auth Scrypt passphrase hashing, rate-limited login, session management
Vault Auto-lock after 30 min idle, TPM2-sealed keys
Services Systemd sandboxing: ProtectSystem, PrivateNetwork, seccomp-bpf, Landlock
GPU Vendor-specific DeviceAllow, PrivateNetwork on all workers
Clipboard VM clipboard agents disabled, auto-clear every 60s
Tripwire Canary files in sensitive dirs, inotify real-time monitoring
Emergency 3-level panic (lock / wipe keys / full wipe) with passphrase gates
Updates Cosign-verified rpm-ostree, staged workflow, greenboot auto-rollback

See docs/threat-model.md for threat classes, residual risks, and security invariants. See docs/security-status.md for implementation status of all 30 milestones.

Verify Image Signatures

cosign verify --key cosign.pub ghcr.io/sec_ai/secai_os:latest

Hardware Support

GPU is auto-detected at first boot. No manual configuration needed.

Vendor GPUs Backend LLM Diffusion
NVIDIA RTX 5090/5080/4090/4080/3090/3080 CUDA Full offload Full offload
AMD RX 7900 XTX/XT, RX 7800/7700, RDNA/CDNA ROCm (HIP) Full offload Full offload
Intel Arc A770/A750/A580, Arc B-series XPU (oneAPI) Via Vulkan Via IPEX
Apple M4/M3/M2/M1 (Pro/Max/Ultra) Metal / MPS Full offload MPS acceleration
CPU x86_64 (AVX2/AVX-512), ARM64 (NEON) CPU Optimized Functional

Minimum: 16 GB RAM, 8 GB VRAM, 64 GB storage. See docs/compatibility-matrix.md for detailed specs.

Configuration

All config lives in /etc/secure-ai/ (baked into the image, read-only at runtime):

File Purpose
config/appliance.yaml Mode, paths, inference/diffusion settings, service binds
policy/policy.yaml Tool firewall, airlock, quarantine stages, search settings
policy/models.lock.yaml Pinned model hashes (supply-chain verification)
policy/sources.allowlist.yaml Trusted model sources

See docs/policy-schema.md for full schema reference. See examples/sample-policy.yaml for annotated example.

Documentation

Document Description
Architecture System design, zones, data flow, service dependencies
Threat Model Threat classes, invariants, residual risks
API Reference HTTP API for all services
Policy Schema Full policy.yaml schema reference
Security Status Implementation status of all 30 milestones
Test Matrix Test coverage: 620+ tests across Go, Python, shell
Compatibility Matrix GPU, VM, and hardware support
Security Test Matrix Security feature test coverage
FAQ Common questions
Glossary Key terms and concepts
Non-Goals What SecAI OS does NOT try to do

Component Docs

Component Description
Registry Trusted artifact manifest and model store
Tool Firewall Policy-gated tool invocation
Airlock Sanitized egress proxy
Quarantine 7-stage scanning pipeline
Search Mediator Tor-routed web search

Install Guides

Guide Description
Bare Metal Fresh install on dedicated hardware
Virtual Machine VirtualBox, VMware, KVM/QEMU
Development Local dev without OS rebase

Examples

Example Description
Import a GGUF Model Safe model import walkthrough
Quarantine Promotion Full pipeline walkthrough
Run Fully Offline Air-gapped operation
Enable Web Search Tor-routed search setup
Vault Management Lock, unlock, keepalive
Recover from Failed Update Rollback and recovery
VM vs Bare Metal Comparison and tradeoffs
Add Model Source Allowlist a new source

Machine-Readable

Resource Description
OpenAPI Spec OpenAPI 3.0 for all HTTP APIs
Policy Schema JSON Schema for policy.yaml
Appliance Schema JSON Schema for appliance.yaml
Service Diagram Mermaid dependency diagram
llms.txt LLM-friendly project summary
llms-full.txt Extended LLM-friendly reference

Using the Appliance

Web Interface

Open http://127.0.0.1:8480:

  • Chat -- LLM interaction with optional Tor-routed web search
  • Models -- Browse catalog, one-click download, import, verify hashes
  • Generate -- Text-to-image, image-to-image, text-to-video with diffusion models
  • Security -- Service health, Secure Boot/TPM2 status, audit chain, emergency panic
  • Updates -- Staged update workflow (check / stage / apply / rollback)
  • Settings -- Vault lock/unlock, passphrase change, session management

Emergency Panic

sudo securectl panic 1                          # Lock (reversible)
sudo securectl panic 2 --confirm "passphrase"   # Wipe keys
sudo securectl panic 3 --confirm "passphrase"   # Full wipe (DATA UNRECOVERABLE)

Also available via Web UI (Security page) and API (POST /api/emergency/panic).

Vault Management

curl http://127.0.0.1:8480/api/vault/status         # Check status
curl -X POST http://127.0.0.1:8480/api/vault/lock    # Lock
curl -X POST http://127.0.0.1:8480/api/vault/unlock \ # Unlock
  -H 'Content-Type: application/json' \
  -d '{"passphrase": "your-passphrase"}'

Web Search (Tor-Routed, Optional)

# Enable in policy, then start the search stack
sudo systemctl start secure-ai-tor secure-ai-searxng secure-ai-search-mediator

Privacy: Tor-routed, PII stripped, injection detection, differential privacy (decoy queries), audit logged. See examples/enable-web-search.md.

Running Tests

# Go tests (26 total)
cd services/registry && go test -v -race ./...
cd services/tool-firewall && go test -v -race ./...
cd services/airlock && go test -v -race ./...

# Python tests (620+ total)
pip install pytest flask requests pyyaml
python -m pytest tests/ -v

# Shell script linting
shellcheck files/system/usr/libexec/secure-ai/*.sh files/scripts/*.sh

See docs/test-matrix.md for full breakdown.

Roadmap

All 30 milestones (click to expand)
  • M0 -- Threat model, dataflow, invariants, policy files
  • M1 -- Bootable OS, encrypted vault, GPU drivers
  • M2 -- Trusted Registry, hash pinning, cosign verification
  • M3 -- 7-stage quarantine pipeline
  • M4 -- Tool Firewall, default-deny policy
  • M5 -- Online Airlock, sanitization
  • M6 -- Systemd sandboxing, kernel hardening, nftables
  • M7 -- CI/CD, Go/Python tests, shellcheck
  • M8 -- Image/video generation, diffusion worker
  • M9 -- Multi-GPU support (NVIDIA/AMD/Intel/Apple)
  • M10 -- Tor-routed search, SearXNG, PII stripping
  • M11 -- VM support, OVA/QCOW2 builds
  • M12 -- Model integrity monitoring
  • M13 -- Tamper-evident audit logs
  • M14 -- Local passphrase auth
  • M15 -- Vault auto-lock
  • M16 -- Seccomp-BPF + Landlock process isolation
  • M17 -- Secure Boot + TPM2 measured boot
  • M18 -- Memory protection (swap/zswap/core dumps/mlock/TEE)
  • M19 -- Traffic analysis protection
  • M20 -- Differential privacy for search
  • M21 -- Clipboard isolation
  • M22 -- Canary/tripwire system
  • M23 -- Emergency wipe (3-level panic)
  • M24 -- Update verification + auto-rollback
  • M25 -- UI polish + security hardening
  • M26 -- Fail-closed pipeline, service auth, CSRF, supply chain pinning
  • M27 -- Enhanced scanners, provenance manifests, fs-verity
  • M28 -- Weight distribution fingerprinting
  • M29 -- Garak LLM vulnerability scanner
  • M30 -- gguf-guard deep GGUF integrity scanner

Project Structure

recipes/                BlueBuild recipe (image definition)
files/
  system/
    etc/secure-ai/      Policy and config files baked into image
    etc/nftables/        Firewall rules (default-deny egress)
    usr/lib/systemd/     Systemd service units (sandboxed)
    usr/libexec/         Helper scripts (firstboot, vault, securectl, canary)
services/
  registry/             Go -- Trusted Registry
  tool-firewall/        Go -- Policy engine + tool gateway
  airlock/              Go -- Online egress proxy
  quarantine/           Python -- 7-stage verification + scanning pipeline
  diffusion-worker/     Python -- Image/video generation
  search-mediator/      Python -- Tor-routed web search
  ui/                   Python/Flask -- Web UI
tests/                  620+ Python tests, 26 Go tests
docs/                   Architecture, API, threat model, install guides
schemas/                OpenAPI spec, JSON Schema for config files
examples/               Task-oriented walkthroughs

Contributing

See CONTRIBUTING.md for local dev setup, coding standards, and PR rules.

Security

See SECURITY.md for vulnerability reporting and threat boundaries.

License

Apache License 2.0

About

Bootable local-first AI OS with sealed runtime, model quarantine pipeline, airlock egress controls, encrypted vault, and private Tor-routed search.

github.com/SecAI-Hub/SecAI_OS/blob/main/docs/architecture.md

Topics

privacy tor fedora-atomic ai-security defense-in-depth secure-ai supply-chain-security searxng llama-cpp local-llm ublue private-ai air-gapped-ai model-scanning

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 — Initial Release Latest
Mar 9, 2026

Packages

 
 
 

Contributors

Languages