OpenFactory turns natural language into production-ready operating system images. Describe what you need, and the platform handles feature resolution, build orchestration, automated testing, and fleet deployment.
Pipeline
Operators describe their target system in plain language. An AI agent interprets requirements and generates a structured recipe.
# User says:
"Build me a hardened server with SSH, Docker, and monitoring."
# AI generates recipe:
{
  "base": "ubuntu-24.04",
  "features": ["ssh", "docker", "monitoring"],
  "security_level": "strict"
}
Enterprise Integration
Full device lifecycle modeled as a state machine, with each state's transitions, ServiceNow integration, and GxP checkpoints.
AI-assisted recipe generation from natural language. Claude interprets the request, selects base image, features, services, users, and networking.
AI recipe generation, feature resolution, schema validation
Change Request auto-created with recipe details and conversation link
Verification Architecture
Cryptographic chain across Zone 1 (Immutable Base), Zone 2 (Persistent Overlay), Zone 3 (Ephemeral Runtime)
ZONE 1 — IMMUTABLE BASE
ZONE 2 — PERSISTENT OVERLAY
ZONE 3 — EPHEMERAL RUNTIME
Base SBOM generated
Per-file SHA-256 manifest of SquashFS
SquashFS whole-file hash
Recipe hash (deterministic JSON)
Package manifest (dpkg-query)
Test results from libvirt runner
Does not exist yet
Zone 2 manifest schema and constraint definitions ship with the ISO.
Does not exist yet
Zone 3 kernel-primitive constraint definitions ship with the ISO.
SquashFS verified on device
On-device hash compared against verification document.
Base SBOM confirmed intact.
Provisioning writes validated
Each value checked against constraints (subnet, regex, cert issuer, GPS range).
Overlay manifest assembled with hashes.
Empty
Ephemeral zone created at first boot.
No cryptographic state yet.
Base SBOM → combined SBOM
Verification document ID and SquashFS hash written into lockdown record.
Overlay manifest sealed
Zone 2 hash + manifest → signed lockdown record. Overlay remounted read-only.
Constraint baseline captured
Initial kernel-primitive readings: netlink, chrony, gpsd, sysfs, /proc.
Immutable, verified on demand
Re-verification API re-hashes all files and compares to verification document.
Boot integrity monitor reports changes.
dm-verity at every block read (target).
Locked & monitored continuously
Hash recomputed every 60s and compared against lockdown reference.
fanotify watches all Zone 2 paths for unauthorized writes.
Scheduled constraint re-evaluation.
Kernel primitives queried every 30s
netlink → IP addresses within subnet
chrony → NTP offset < 500ms
gpsd → GPS within deployment coords
sysfs → thermal within bounds
/proc → memory above threshold
Detected at boot or by network monitoring. Device physically accessed while offline.
Base image hash ≠ fleet registry
Device re-imaged with unknown OS, storage medium swapped, or SquashFS modified while device powered off.
Lockdown record missing or invalid.
Hardware IDs may not match fleet records (MAC, TPM key, serial number).
Overlay may have been modified, replaced, or belongs to a different device entirely.
Cannot be verified without valid lockdown.
Not yet created (device in boot sequence).
Unaffected
SquashFS is physically read-only. Base SBOM remains valid regardless of overlay zone violations.
Hash mismatch or unauthorized write.
Lockdown seal broken.
Device quarantined. Fleet notified.
Audit: path, timestamp, process ID.
Kernel state out of policy.
DHCP outside subnet, GPS drift, NTP desync, thermal exceedance.
RESPONSE: Quarantine → re-seal or factory reset
New base SBOM replaces old
New SquashFS written and verified against its verification document.
Old base SBOM archived for audit.
Migration pipeline runs.
Zone 2 snapshotted.
Whiteouts resolved against new base.
Schemas migrated to new version.
Constraints re-validated.
Wiped. New constraints from updated base image.
Out-of-Band Remediation Paths
Quarantined device (boot checks failed)
Device boots with minimal network stack. Reports violation to fleet API. Does not enter normal operation. Operator can: push verified image over network, trigger factory reset, or retrieve device for forensics.
Unknown device on network (no fleet registration)
Fleet controller detects unregistered MAC / DHCP lease on controlled subnet. Missing device heartbeat. Response: 802.1X port disable, quarantine VLAN isolation, or physical investigation.
Hardware swap detected (identifiers changed)
Known serial number reappears with different MAC or TPM key. Treated as physical tampering event.
Base image verified (or re-imaged)
For updates: new verification document active.
For out-of-band: verified image pushed, base SBOM restored from fleet registry.
Old records archived for audit trail.
New lockdown record written
Updated overlay manifest hash sealed.
Combined SBOM = base + migrated overlay.
For out-of-band: Zone 2 wiped (factory reset), device must be reprovisioned.
New baseline captured
Post-reboot kernel primitives validated against zone3-constraints.
New compliance snapshot recorded.
ZONE 1 — IMMUTABLE BASE
verification.json · squashfs-hashes.sha256
recipe_hash · dpkg-manifest · test results
Re-verification results · boot integrity logs
Boot-time identity check (base hash, HW IDs)
Created at build, verified at every boot, archived on update
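An added example (not OpenFactory's code) of the Zone 1 re-verification step: re-hash every file under a mounted base image and compare the results against a per-file SHA-256 manifest. It assumes squashfs-hashes.sha256 uses sha256sum's `<hex>  <path>` line format, which the page does not specify; the function names and the sample tree are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # stream, do not load whole file
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse '<64 hex>  <relative path>' lines (assumed format) into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        digest, sep, rel = line.partition("  ")
        if len(digest) != 64 or not sep or not rel or rel.startswith("/") or ".." in rel.split("/"):
            raise ValueError(f"malformed or unsafe manifest line: {line!r}")
        entries[rel] = digest.lower()
    return entries

def reverify(root, manifest):
    """Re-hash every file under root and report drift in both directions."""
    modified, unlisted, seen = [], [], set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            seen.add(rel)
            if rel not in manifest:
                unlisted.append(rel)        # on disk, never attested
            elif sha256_file(os.path.join(root, rel)) != manifest[rel]:
                modified.append(rel)
    missing = set(manifest) - seen          # attested, no longer on disk
    return {"modified": sorted(modified), "missing": sorted(missing), "unlisted": sorted(unlisted)}

def demo():
    """Constructed tree: seal a manifest, then modify, delete and add one file each."""
    files = {"etc/hosts": b"127.0.0.1 localhost\n", "etc/motd": b"welcome\n", "init": b"#!/bin/sh\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = parse_manifest("\n".join(f"{sha256_file(Path(root, r))}  {r}" for r in files))
        Path(root, "etc/motd").write_bytes(b"tampered\n")      # modified
        Path(root, "init").unlink()                           # missing
        Path(root, "etc/unlisted.conf").write_bytes(b"x\n")   # unlisted
        return reverify(root, manifest)
```

A manifest check that only walks the listed paths would miss the unlisted file; walking the tree and diffing against the manifest catches additions as well as changes and deletions.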
ZONE 2 — PERSISTENT OVERLAY
overlay-manifest · combined-sbom.json
lockdown-record · constraint validation results
fanotify write logs · periodic hash checks
Lockdown record verified at boot
Sealed at deploy, monitored, re-sealed on update or recovery
ZONE 3 — EPHEMERAL RUNTIME
Kernel-primitive snapshots (30s intervals)
netlink, chrony, gpsd, sysfs, /proc readings
Constraint compliance results · violation alerts
Network anomaly detection (unknown devices)
Created at boot, monitored continuously, destroyed on update
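An added example (not OpenFactory's code) of evaluating one round of Zone 3 kernel-primitive readings against constraints, treating a missing or unparsable reading as a violation. Only the 500 ms NTP bound comes from the page; the subnet, coordinates, radius, thermal and memory limits, and the shape of the readings dict are assumptions, and collecting the readings from netlink, chrony, gpsd, sysfs and /proc is left out.

```python
import ipaddress
import math

# Assumed policy: only the 500 ms NTP bound is from the page, the rest is constructed.
POLICY = {
    "subnet": "10.20.0.0/24",
    "ntp_offset_max_s": 0.5,
    "site": (52.5200, 13.4050),      # deployment coordinates (lat, lon)
    "gps_radius_m": 200.0,
    "thermal_max_c": 85.0,
    "mem_available_min_kb": 262144,
}

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(h))

def evaluate(readings, policy=POLICY):
    """Return the sorted names of violated sources; absent readings fail closed."""
    net = ipaddress.ip_network(policy["subnet"])
    checks = {
        "netlink": lambda v: bool(v) and all(ipaddress.ip_address(a) in net for a in v),
        "chrony": lambda v: abs(v) < policy["ntp_offset_max_s"],
        "gpsd": lambda v: haversine_m(v, policy["site"]) <= policy["gps_radius_m"],
        "sysfs": lambda v: v <= policy["thermal_max_c"],
        "proc": lambda v: v >= policy["mem_available_min_kb"],
    }
    violations = []
    for source, ok in checks.items():
        value = readings.get(source)
        try:
            passed = value is not None and ok(value)
        except (ValueError, TypeError):   # unparsable address, wrong type
            passed = False
        if not passed:
            violations.append(source)
    return sorted(violations)

# Constructed readings: one compliant device, one with a foreign address, NTP desync and no GPS fix.
GOOD = {"netlink": ["10.20.0.17"], "chrony": 0.012, "gpsd": (52.5201, 13.4052), "sysfs": 61.5, "proc": 900000}
DRIFTED = {"netlink": ["10.20.0.17", "192.168.1.50"], "chrony": -0.73, "gpsd": None, "sysfs": 61.5, "proc": 900000}
```

Failing closed matters here: a gpsd daemon that has been stopped or has no fix returns nothing, and a check that skips missing readings would report that device as compliant.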