readouts / measured truths
What it touches. What it never will.
Plain statements about disks, firmware, and the warnings Windows will show you. Where the truth is uncomfortable - unsigned scripts, manual Bluetooth re-pairing - it is printed here rather than hidden.
One removable USB stick, sector by sector, with the Ubuntu 26.04 live image. After the write, the raw bytes on the stick are re-hashed and must equal the ISO hash - a mismatch marks the write FAILED. A durable approval artifact (operator, disk number, serial, timestamp, image hash) is written before the first byte.
Internal disks, recovery partitions, and the Windows boot/system disk. Preflight lists them as protected; the writer refuses them outright. There is no internal-disk automation in this release, and none arrives without its own gated stage.
BitLocker is reported, never managed - save your recovery key off-device before any boot work. Secure Boot is reported, never changed. Boot order, BCD, and firmware variables are read-only: enumerated, never edited. Bluetooth input is detected and flagged - pairing keys do not migrate, so have a wired or 2.4 GHz keyboard ready before rebooting.
The bundle is plain unsigned PowerShell. SmartScreen will warn you, and it should - there is no EXE and no signing certificate yet. In exchange, every script is readable text: open it in an editor before you run it.
Get-FileHash outos-easy-installer-mvp1.cmd -Algorithm SHA256
House rule: a thing is proven only when fresh command output or a hardware run says so. Proven on hardware: the guarded CLI write path - exact serial gate, all refusals, raw post-write hash verify. Code written but not hardware-proven: the GUI write path. Not guaranteed: one-click boot on every PC, Bluetooth pairing migration.
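The raw post-write hash verify described above, as an added Python sketch (not the bundle's PowerShell, which this page does not show): because the stick is larger than the image, only the first ISO-length bytes of the target are hashed and compared. The function names and the constructed stand-in files are assumptions made for this example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # multiple of 512 and 4096: keeps raw-device reads sector-aligned


def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of a file or raw device."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb", buffering=0) as src:
        while remaining > 0:
            block = src.read(CHUNK)  # whole chunks only; trim after reading
            if not block:
                raise OSError("target ended %d bytes before the image did" % remaining)
            block = block[:remaining]
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest()


def verify_write(iso_path, device_path):
    """Compare the image hash with the hash of the same-length prefix of the target."""
    iso_len = os.path.getsize(iso_path)
    iso_hash = sha256_prefix(iso_path, iso_len)
    try:
        dev_hash = sha256_prefix(device_path, iso_len)
    except OSError:
        dev_hash = None  # unreadable or too small: treated as a failed write
    status = "VERIFIED" if dev_hash == iso_hash else "FAILED"
    return {"status": status, "iso": iso_hash, "device": dev_hash}


def demo():
    """Constructed stand-ins: a small 'ISO' and a larger 'stick' with stale tail bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        iso, stick = os.path.join(tmp, "image.iso"), os.path.join(tmp, "stick.bin")
        image = os.urandom(3 * CHUNK + 2048)
        for path, data in ((iso, image), (stick, image + b"\xff" * 8192)):
            with open(path, "wb") as f:
                f.write(data)
        good = verify_write(iso, stick)["status"]
        with open(stick, "r+b") as f:  # corrupt one byte inside the image area
            f.seek(CHUNK + 7)
            f.write(bytes([image[CHUNK + 7] ^ 0xFF]))
        bad = verify_write(iso, stick)["status"]
    return good, bad
```

Hashing the whole target instead of the image-length prefix would report a mismatch on every correct write, since the bytes past the end of the image are whatever the stick held before.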