# The Gateway Install Readiness

This page is the public pre-launch install target until the open repository and installer are published.

## What must exist before the install CTA goes live

- Public repository with license, contribution guide, and security model.
- Supported hardware matrix for primary, embedded, portable, and appliance modes.
- Install guide for a clean Linux gateway.
- Safe-mode recovery notes for DNS, routing, firewall, and admin lockout.
- First-run wizard or CLI path for interface selection, DNS policy, and first route profile.
- Validation checklist for DNS forcing, route ownership, DNS ownership, fallback state, privacy posture, and leak checks.
- Upgrade and rollback notes.
- Redacted support bundle format.

## First install path

1. Choose deployment mode: primary gateway, embedded gateway, or portable gateway.
2. Map interfaces and confirm out-of-band admin access.
3. Bootstrap the gateway daemon and local UI.
4. Create a default device group and DNS policy.
5. Preview route ownership and fallback behavior.
6. Apply the first policy.
7. Run validation: connectivity, DNS trace, route trace, fallback state, and leak checks.
8. Save a known-good backup and rollback note.

## Before requesting review

- Name the current route owner, DNS owner, fallback owner, and final apply approver.
- State whether the review is advisory only or preparing for a bounded live install window.
- Document the current route, DNS, fallback, and policy state before the first install attempt.
- Confirm console, SSH, or local recovery access before changing DNS, routes, firewall state, or remote access.
- Keep a known-good rollback target or timestamp for policy, resolver, and transport state.
- Describe the intended privacy posture and what evidence will verify it after install.
- Review support/export boundaries before sharing diagnostics or granting remote access.

## Launch blocker

The install CTA should point to the public repository install guide only after the installer, recovery path, and hardware matrix have been verified on a fresh machine.