Decision Matrix

Why Not Phreeli?

Phreeli launched December 2025 — only ~4 months old. Privacy Guides documented that their "Double-Blind Armadillo" marketing overstates the actual implementation. No long-term reliability track record. Nicholas Merrill (founder of Calyx Institute) has credibility, but the product isn't there yet for a critical verification line. Revisit in 12 months.

Cape — Activation Checklist

• Contact Cape enterprise sales Email enterprise@cape.co — confirm Legendary Pathway LLC registration (EIN 93-3911234). Ask about LLC business account, avoid SSN requirement.
  URGENT
• Buy a prepaid Visa gift card with cash Target/Walmart — $120 or higher. Use this to pay for Cape (they process via Stripe). Avoids personal card linkage to Cape account.
  HIGH
• Create Cape account at cape.co No name or address required at signup. Provide minimum information. Use Legendary Pathway LLC entity details if enterprise account is available.
  HIGH
• Download Cape app from Google Play Install on S26 Ultra. Do this AFTER completing privacy hardening (Part 3).
  MED
• Activate Cape eSIM via QR code Settings → Connections → SIM card manager → Add mobile plan. Label it "Verification". Set to calls + SMS only (not data).
  MED
• Activate two secondary SMS/MMS lines in Cape app These are free. Assign: Secondary Line A → banking institutions. Secondary Line B → crypto/brokerage. Primary line stays clean.
  MED
• Test bank SMS verification with Cape Line 1 Log in to each financial institution and verify a code arrives via Cape number. Document any rejections.
  MED
• Fallback plan if Cape business registration fails Buy a TracFone SIM (Verizon-backed) with cash at Walmart. ~$15/month. Verification-only line, no identity linkage if purchased with cash + gift card.
  LOW

Connectivity Hierarchy

Priority 1: Home Wi-Fi / Ethernet (cheapest, fastest)
Priority 2: Starlink Mini via Wi-Fi (travel, rural, boat)  → $50/mo
Priority 3: Cape LTE / AT&T cellular data                  → included in $99/mo
Fallback 4: Meshtastic LoRa mesh (text only)               → future build

LP Secure VoIP works identically over all of these.
S26 Ultra switches automatically — no manual action needed.

Purchase Checklist

• Order Starlink Mini at starlink.com Select Roam plan. Hardware: $249. New customer activation credit may reduce to $199 effective. Ship to any address.
  BUY
• Activate with Roam 100GB plan ($50/mo) Sufficient for VoIP + general use while traveling. 100GB priority data (doubled in 2026 from 50GB).
  HIGH
• Switch to Standby mode ($5/mo) when home In Starlink app: Manage → Pause / Standby. Reactivate instantly when traveling.
  MED
• Test LP Secure VoIP call over Starlink Make a test call via LP Secure PWA with only Starlink as the internet connection. Verify quality before field deployment.
  MED
• Get a 100W USB-C power bank for mobile Starlink Starlink Mini draws 25–40W. A 100W USB-C bank runs it 4–6 hours. Anker 737 or similar. Also powers the S26 Ultra simultaneously.
  LOW
• Apply for Starlink nonprofit discount (for Ministry orgs) M2M2 or Lex Liberorum Pax may qualify. Apply at starlink.com — could get hardware at reduced cost for ministry deployments.
  LOW

Phase A — Neutralize Perplexity & Galaxy AI

• Disable Galaxy AI cloud processing Settings → Advanced Features → Advanced Intelligence → toggle OFF at top level. If no master toggle: disable Circle to Search, Live Translate, Chat Assist, Note Assist, Transcript Assist, Photo Assist, Interpreter individually.
  FIRST
• Disable Bixby Settings → Apps → Bixby → Disable. Then: Settings → Advanced Features → Side Key → change long press to "Open app → Claude".
  FIRST
• Restrict Perplexity (cannot fully uninstall) Settings → Apps → Perplexity → App Info → Disable (if available). If grayed out: deny ALL permissions + Settings → Apps → Perplexity → Mobile data and Wi-Fi → disable both.
  FIRST
• Install Claude and set as default assistant Google Play → Claude → install. Then: Settings → Apps → Default Apps → Digital Assistant App → Claude. No third-party app needed — native Android path works.
  FIRST

Phase B — OS Privacy Settings

• Delete Advertising ID Settings → Privacy → Ads → Delete advertising ID. This removes the ID entirely (not just opt-out).
  HIGH
• Disable Samsung analytics/diagnostics Settings → Privacy → Samsung Privacy → disable Customization Service. Settings → General Management → Diagnostic data → disable.
  HIGH
• Restrict location to deny-all default Settings → Location → off. Settings → Location → Improve accuracy → Wi-Fi scanning: OFF, Bluetooth scanning: OFF. Grant location to navigation apps only when actively using.
  HIGH
• Lockdown all app permissions Settings → Privacy → Permission manager. Camera: deny all except Camera app. Microphone: deny all except Phone + LP Secure. Contacts, Files, Sensors: deny all third-party.
  HIGH
• Disable passive network tracking Bluetooth: off when not in use. NFC: off when not at payment terminal. Wi-Fi auto-connect: off. Settings → Connections → Wi-Fi → Intelligent Wi-Fi → disable all.
  HIGH
• Set Private DNS to Quad9 Settings → Connections → More connection settings → Private DNS → "Private DNS provider hostname" → dns.quad9.net. (Overridden by Mullvad when VPN is active.)
  MED
• Set up Android 16 Private Space Settings → Security and privacy → Private Space. Create with separate PIN. Install here: LP Secure PWA, Aegis, all banking apps, all crypto apps. Main profile = minimal.
  MED
• Disable Find My Mobile Settings → Biometrics and security → Find My Mobile → Off. Samsung can remotely track + wipe when enabled. Remote wipe isn't worth the tracking risk.
  MED

Phase C — Authentication

• Order 2× YubiKey 5C NFC from yubico.com ~$55 each = $110 total. One primary, one backup stored securely. USB-C for desktop + NFC tap for S26 Ultra (hold to center back of phone).
  BUY
• Install Aegis Authenticator F-Droid or Google Play. Open source, offline, no cloud sync. Set vault PIN. Enable encrypted backup → export to 1Password. Use for all TOTP codes.
  HIGH
• Register YubiKey on Google account + 1Password + LP portal Google: myaccount.google.com → Security → 2-Step Verification → Security key. Register the backup key too before relying on the primary.
  HIGH
• Set device unlock to strong alphanumeric passphrase Settings → Biometrics and security → Screen lock → Password (not PIN). Use a passphrase (4+ words or random 12+ char). Enable fingerprint as convenience layer.
  MED

Mullvad VPN Setup

• Create Mullvad account at mullvad.net No email required. You get a random account number. Write it in 1Password immediately — this IS your account, there's no recovery.
  FIRST
• Add 1–3 months credit via Monero/cash mullvad.net → Your account → Add time. Monero gets 10% discount. Mail cash option takes 1–2 weeks to credit.
  FIRST
• Install Mullvad Android app from Google Play Sign in with account number. Set protocol to WireGuard. Select server: "Fastest" or closest US city.
  HIGH
• Enable kill switch + block connections without VPN Mullvad app: Settings → Kill switch → On. Then: Android Settings → Connections → VPN → Mullvad gear → Always-on VPN + Block connections without VPN.
  HIGH
• Verify at mullvad.net/check while connected Open Chrome (with VPN on) → navigate to mullvad.net/check. Should show: "You are connected to Mullvad" and your real IP should NOT appear.
  HIGH
• Configure split tunnel exception for banking apps (if needed) Some banks block VPN IPs. If a banking app fails: Mullvad → Split tunneling → add that app as exception. Only add the minimum required.
  LOW

Twingate Setup (Business Access)

• Create Twingate account at twingate.com (free tier) Free: 5 users, 10 remote networks, 20 resources. Sufficient for all current LP infrastructure.
  HIGH
• Install Twingate connector on Hetzner VPS SSH into VPS (see 1Password: "Hetzner WatchBack Server") → install via Docker. Creates a secure relay — no inbound ports needed on the VPS.
  HIGH
Copy

docker run -d \
  --name twingate \
  --restart=always \
  --network=host \
  -e TWINGATE_ACCESS_TOKEN="[from Twingate dashboard]" \
  -e TWINGATE_REFRESH_TOKEN="[from Twingate dashboard]" \
  -e TWINGATE_NETWORK="[your-tenant].twingate.com" \
  -e TWINGATE_LOG_ANALYTICS=v2 \
  twingate/connector:1

• Add resources in Twingate dashboard Add: code-server (localhost:8080), Django admin (localhost:8000), MinIO console (localhost:9001), pgAdmin (if running). Each gets a private DNS alias.
  HIGH
• Install Twingate Android app + authenticate Google Play → Twingate. If Samsung browser launch issue: in Twingate settings → "Open links with" → Chrome. Disable Mullvad briefly for first auth if needed, then re-enable.
  MED
• Apply for Twingate MSP program at 3+ active clients twingate.com/msp or email partnerships@twingate.com. Expected MSP pricing: ~$3–4/user/month vs $5 retail. Apply when LP has 3+ paying clients using portal access.
  LATER

Deploy LP Secure VPN (Client Service)

• Deploy wg-easy (WireGuard) on Hetzner VPS Docker Compose on existing VPS (or new CX22 at ~€6/mo). Serves LP Secure VPN to clients. See VPN_ZTNA_Service_Model.md for full docker-compose.yml.
  MED
• Add vpn.legendarypathway.com DNS record Namecheap API → A record → VPS IP. Used by WireGuard clients to reach the VPN server endpoint.
  MED
• Add VPN add-on to Stripe product catalog $20/month add-on. Create in Stripe dashboard. Add price ID to LP portal Django settings.
  LATER

Setup 1 — code-server on Hetzner VPS (Primary)

• SSH into Hetzner VPS Credentials in 1Password: "Hetzner WatchBack Server". Command: ssh -i ~/.ssh/hetzner_legendaryos root@[VPS-IP]
  FIRST
• Install code-server on VPS Run the official installer. Takes ~2 minutes. Sets up at /usr/bin/code-server.
  FIRST
Copy

curl -fsSL https://code-server.dev/install.sh | sh

• Create code-server config and systemd service Creates config at ~/.config/code-server/config.yaml and systemd service for auto-start.
  FIRST
Copy

mkdir -p ~/.config/code-server
cat > ~/.config/code-server/config.yaml << 'EOF'
bind-addr: 127.0.0.1:8080
auth: password
password: CHANGE-THIS-USE-1PASSWORD
cert: false
EOF

systemctl enable --now code-server@root
systemctl status code-server@root

• Add code-server as Twingate resource (localhost:8080) In Twingate dashboard → Add Resource → "code-server" → address: 127.0.0.1:8080. No public URL needed — Twingate proxies it securely.
  HIGH
• Test: S26 Ultra → Twingate → Chrome → code-server → terminal → claude Connect Twingate → open Chrome → navigate to Twingate-proxied address → open terminal (Ctrl+`) → type: cd /opt/legendaryos && claude
  HIGH

Setup 2 — VS Code Remote Tunnel (Workstation File Tree)

• Start VS Code Remote Tunnel on Windows workstation In VS Code: Ctrl+Shift+P → "Remote Tunnels: Create Tunnel" OR via terminal: code tunnel --accept-server-license-terms. Authenticate with GitHub. Name it: legendary-os-workstation.
  HIGH
• Configure tunnel to auto-start on Windows login Task Scheduler → Create Basic Task → "VS Code Tunnel" → Trigger: At log on → Action: code.cmd tunnel --accept-server-license-terms
  MED
• Test: S26 Ultra → Chrome → vscode.dev → Connect to Tunnel → workstation Open Chrome → vscode.dev → hamburger menu → Open Remote → Connect to Tunnel → select "legendary-os-workstation". Can now browse F:\LegendaryPathwayOS\ from phone.
  MED

Persistent tmux Sessions on VPS

cat > /usr/local/bin/start-sessions.sh << 'EOF'
#!/bin/bash
if ! tmux has-session -t main 2>/dev/null; then
  tmux new-session -d -s main -n "claude"
  tmux new-window -t main -n "docker"
  tmux new-window -t main -n "logs"
  tmux send-keys -t main:claude "cd /opt/legendaryos && echo 'Ready. Run: claude'" Enter
fi
EOF
chmod +x /usr/local/bin/start-sessions.sh
(crontab -l 2>/dev/null; echo "@reboot /usr/local/bin/start-sessions.sh") | crontab -
/usr/local/bin/start-sessions.sh

Windows Workstation (SOURCE OF TRUTH)
F:\LegendaryPathwayOS\05_Obsidian_Vault\
│
├── SyncTrayzor (Syncthing for Windows — auto-starts on login)
│   └── Syncs TO → Hetzner VPS (always-on hub)
│                   /opt/obsidian-vault/
│                   └── Syncs TO → S26 Ultra
│                                   /sdcard/obsidian-vault/
│                                   (Syncthing-Fork app)

Changes on phone → sync to VPS → sync to workstation when it wakes.
VPS holds a copy + git hourly auto-commit for version history.

• Deploy Syncthing on Hetzner VPS (Docker) Creates an always-on relay hub. Vault syncs to/from here whenever either workstation or phone is online.
  HIGH
Copy

mkdir -p /opt/syncthing /opt/obsidian-vault
cat > /opt/syncthing/docker-compose.yml << 'EOF'
services:
  syncthing:
    image: syncthing/syncthing:latest
    container_name: syncthing
    hostname: legendaryos-vps
    network_mode: host
    volumes:
      - /opt/syncthing/config:/var/syncthing/config
      - /opt/obsidian-vault:/var/syncthing/obsidian-vault
    environment:
      - PUID=0
      - PGID=0
    restart: unless-stopped
EOF
cd /opt/syncthing && docker compose up -d
# Access UI via Twingate at http://localhost:8384

• Add Syncthing UI (localhost:8384) as Twingate resource Never expose port 8384 publicly. Access only via Twingate. Set auth credentials in Syncthing: Actions → Settings → GUI → username + password.
  HIGH
• Install SyncTrayzor on Windows workstation github.com/canton7/SyncTrayzor → download Windows installer. Configure to auto-start. Add folder: F:\LegendaryPathwayOS\05_Obsidian_Vault → Folder ID: obsidian-vault. Share with VPS device.
  HIGH
• Install Syncthing-Fork on S26 Ultra (Google Play) Search "Syncthing-Fork" by Catfriend1. NOT the official Syncthing app (deprecated May 2024). Pair with VPS device. Share obsidian-vault folder. Set path: /sdcard/obsidian-vault/
  HIGH
• Install Obsidian Android app → open vault at synced path Google Play → Obsidian → Open folder as vault → navigate to /sdcard/obsidian-vault/ → open. All 20+ org notes + plugins load.
  MED
• Set Syncthing-Fork to WiFi-only sync (cellular conservation) Syncthing-Fork → Settings → Sync only on WiFi. Prevents vault sync from consuming Cape's 50GB data cap.
  MED
• Set up hourly git auto-commit on VPS for vault backup Provides complete version history of all Obsidian notes. Runs only on VPS — no git client needed on phone.
  LOW
Copy

cd /opt/obsidian-vault && git init && git add -A
git commit -m "Initial vault snapshot"
# Add crontab: hourly auto-commit
(crontab -l 2>/dev/null; echo '0 * * * * cd /opt/obsidian-vault && git add -A && git commit -m "Auto: $(date +\%Y-\%m-\%d\ \%H:\%M)" 2>/dev/null || true') | crontab -

• Install F-Droid on S26 Ultra Download APK from f-droid.org. Enable "Install from unknown sources" for this one download (re-disable after). F-Droid is the package manager for open-source Android apps.
  FIRST
• Install Termux from F-Droid Open F-Droid → search Termux → install. Then open Termux and run the package setup below.
  FIRST
Copy

pkg update && pkg upgrade -y
pkg install openssh mosh tmux git curl wget nano -y
# Generate SSH key for this phone
ssh-keygen -t ed25519 -C "s26ultra-$(date +%Y%m%d)" -f ~/.ssh/id_ed25519_s26
# Display the public key to add to VPS
cat ~/.ssh/id_ed25519_s26.pub

• Add S26 public key to VPS authorized_keys SSH into VPS from desktop → echo "[paste public key]" >> ~/.ssh/authorized_keys. Now the phone can SSH into the VPS without a password.
  FIRST
• Install mosh on Hetzner VPS + open firewall ports mosh uses UDP for connection persistence (survives network switching). Open ports 60000-61000 UDP in Hetzner firewall + ufw if active.
  HIGH
Copy

apt install mosh -y
ufw allow 60000:61000/udp
# In Hetzner Cloud Console → Firewall → add UDP 60000-61000

• Create .bashrc aliases in Termux One-word commands to connect. Replace [VPS-IP] with IP from 1Password.
  HIGH
Copy

cat >> ~/.bashrc << 'EOF'
VPS_IP="[VPS-IP-FROM-1PASSWORD]"
VPS_KEY="$HOME/.ssh/id_ed25519_s26"
alias vps='mosh --ssh="ssh -i $VPS_KEY" root@$VPS_IP -- tmux attach -t main'
alias vpsnew='ssh -i $VPS_KEY root@$VPS_IP'
EOF
source ~/.bashrc
# Now just type: vps
# Connects to VPS, attaches to the persistent claude tmux session

• Store S26 private key backup in 1Password cat ~/.ssh/id_ed25519_s26 | base64 in Termux → copy output → 1Password → new secure note "S26 Ultra SSH Key (private)". If you get a new phone, this restores access.
  MED
• Test full stack: Termux → vps → tmux → claude Type: vps → connects → navigate to claude window (Ctrl+B then 1) → type: claude → Claude Code CLI running on VPS from your phone.
  HIGH

DeX Workflow

Pricing (Confirmed 2026-03-30)

Pending Platform Actions

• Create Stripe products for all 4 tiers Stripe dashboard → Products. Create: Privacy Core ($197/mo + $500 setup), Privacy Plus ($297/mo + $500 setup), Privacy Elite ($497/mo + $750 setup), Entity Shield ($297/mo + $1k setup). Record price IDs in Org_06/14_Tech_Data/Stripe/Products_Prices.md.
  HIGH
• Create ServiceCatalogItem records in WatchBack admin LP admin portal → ServiceCatalog → add each tier with Stripe price IDs. These items appear in the client onboarding flow.
  HIGH
• Create Lawless as Client #1 in the portal Admin → create ClientPrivacyProfile for oliver@legendarypathway.com with is_owner=True. Provision his personal Twilio communication number. This makes him the first client on his own platform.
  HIGH
• Populate Twilio Number Registry Record all active Twilio numbers in Org_06/14_Tech_Data/Twilio/Number_Registry.md — what number belongs to which purpose/client. Required for tracking as client count grows.
  MED
• Decision: Single Twilio account vs. subaccounts per org Current: single account under LP. As M2M2 and others go live, evaluate whether each org needs a subaccount. Document the decision in Privacy_Comms_Master_Reference.md.
  MED
• Deploy LP Secure VPN (wg-easy) on VPS See VPN + ZTNA section. This is the client-facing VPN add-on. Must be live before first Privacy Plus or Elite client activates.
  MED
• Set up ProtonVPN affiliate account proton.me/affiliate — earn 100% of monthly plan commissions + 40%+30% recurring on annual. Recommend to clients who prefer a commercial VPN over LP's managed offering.
  LOW