readouts / measured truths - open a row

What it touches. What it never will.

Plain statements about disks, firmware, and the warnings Windows will show you. Where the truth is uncomfortable - unsigned scripts, manual Bluetooth re-pairing - it is printed here rather than hidden.

One removable USB stick, sector by sector, with the Ubuntu 26.04 live image. After the write, the raw bytes on the stick are re-hashed and must equal the ISO hash - a mismatch marks the write FAILED. A durable approval artifact (operator, disk number, serial, timestamp, image hash) is written before the first byte.

Internal disks, recovery partitions, and the Windows boot/system disk. Preflight lists them as protected; the writer refuses them outright. There is no internal-disk automation in this release, and none arrives without its own gated stage.

BitLocker is reported, never managed - save your recovery key off-device before any boot work. Secure Boot is reported, never changed. Boot order, BCD, and firmware variables are read-only: enumerated, never edited. Bluetooth input is detected and flagged - pairing keys do not migrate, so have a wired or 2.4 GHz keyboard ready before rebooting.

The bundle is plain unsigned PowerShell. SmartScreen will warn you, and it should - there is no EXE and no signing certificate yet. In exchange, every script is readable text: open it in an editor before you run it.

Get-FileHash outos-easy-installer-mvp1.cmd -Algorithm SHA256

House rule: a thing is proven only when fresh command output or a hardware run says so. Proven on hardware: the guarded CLI write path - exact serial gate, all refusals, raw post-write hash verify. Code written but not hardware-proven: the GUI write path. Not guaranteed: one-click boot on every PC, Bluetooth pairing migration.