What we have not received.

Many surveillance regimes attach gag orders to their demands — a National Security Letter under 18 U.S.C. § 2709 carries a non-disclosure obligation; a UK Technical Capability Notice forbids even acknowledging its existence; analogous regimes exist in Australia, China, and elsewhere. The First Amendment, Article 10 ECHR, and customary international free-expression law generally protect the affirmative right to stay silent about something one was never asked to do. They provide weaker protection for refusing to repeat a prior voluntary statement.

This page is therefore voluntary speech, asserted on a fixed cadence, by the AION maintainer of record, identifying each surveillance instrument that has not been used against AION. If any one of these statements becomes false, this page will not lie. The relevant line will be removed. The diff will be public.

As of 2026-05-03, the following are true. They are prepared for signature by the AION maintainer of record. Cryptographic attestation becomes verifiable only after the real maintainer public key is generated, adopted, and published.

1. I

   AION has not received a National Security Letter under 18 U.S.C. § 2709.

2. II

   AION has not received a Foreign Intelligence Surveillance Court order or directive.

3. III

   AION has not received a Technical Capability Notice or National Security Notice under the United Kingdom Investigatory Powers Act 2016 (Sections 253–254).

4. IV

   AION has not received a Technical Assistance Notice, Technical Capability Notice, or Technical Assistance Request under Australia's Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.

5. V

   AION has not received a request under Article 28 of the People's Republic of China Cybersecurity Law (2017) to provide technical support for state security.

6. VI

   AION has not received a request under Russian Federal Law No. 374-FZ (the Yarovaya Law) to disclose encryption keys.

7. VII

   AION has not received a CLOUD Act warrant under 18 U.S.C. §§ 2701–2713 directed at user vault contents.

8. VIII

   AION has not received a European Production Order under Regulation (EU) 2023/1543.

9. IX

   AION has not received a binding direction under any draft, enacted, or proposed Chat Control regulation, including Regulation Proposal 2022/0155 (CSAM detection mandate).

10. X

    AION has not been subjected to any other secret order, gag order, non-disclosure obligation, or in-camera proceeding that prevents the maintainer of record from disclosing its existence.

11. XI

    The maintainer of record has not been compelled to compromise the convergence doctrine, weaken any cryptographic primitive, or introduce a backdoor in any form.

12. XII

    No backup, copy, or alternative path exists by which AION could read user vault plaintext if compelled. The architecture's incapacity is not a policy choice.

Issued:2026-05-03Next due:2026-06-03Schema:1-of-1 (single maintainer of record)Signature:Prepared for signature by the AION maintainer of record. The real maintainer public key is intentionally unpublished until generated and adopted; /.well-known/aion-maintainer.asc may return 404 while pending. AION will not publish a placeholder key or ask readers to trust a private fingerprint.

Today AION operates with one maintainer of record. The canary is prepared under a 1-of-1 schema, and becomes externally verifiable only after the maintainer public key is published. This is the Bitcoin pattern at the very beginning, and the Tor pattern in its first years: a single human at a keyboard, later identified to the protocol by a public key, publishing what is true.

A single signer cannot be subpoenaed in the way a board can be. A court can order the human to produce the key, but production of a public-mission signing key produces no decryption — the key signs the canary; it does not unwrap user vaults. A human ordered to sign a false canary commits fraud the moment they comply, which courts in the relevant jurisdictions are constitutionally restrained from ordering. The honest path remains: silence the canary by refusing to sign. Silence is the message.

When additional maintainers are added, the schema moves to threshold-signed under a published m-of-n rule. This page will state the schema in force at the moment of every signature so an auditor can replay history. See the Maintainer of Record doctrine for the full path.

The canary is published monthly. If a calendar month passes without a fresh signature, the canary is considered broken, regardless of the reason. A broken canary is indistinguishable, to a reader, from compromise. AION accepts that risk: the only way to silence a canary against the maintainer’s will is to interfere with the maintainer’s ability to publish — which is itself a public, datable event.

If the maintainer ever decides to retire this page, the retirement will itself be announced thirty days in advance, with stated reasoning. Silent retirement is not in the maintainer’s authority.

The canary is not the only consequence. Each AION sovereign holding operates under a stewardship covenant that the maintainer of record cannot waive: receipt of a binding compelled-decryption order, Technical Capability Notice, or equivalent directive against that holding triggers an automatic, irrevocable sunset of that holding within thirty days. The shard stored in that jurisdiction is removed from the active 4-of-7 reconstruction grid. The remaining six sovereigns continue. Existing vaults are mathematically unaffected — the threshold tolerates the loss of three.

The effect is structural: a sovereign that compels AION loses its placeas a custodian of civilizational infrastructure. The order achieves no decryption; it achieves only the sovereign’s removal from the grid. Filing the order is filing for sunset. This is recorded in the convergence covenant signed with each sovereign holder and is not a discretionary policy.

A warrant canary is a careful instrument, not a panacea. It cannot protect against demands AION has not yet been asked to cover. It cannot protect against compulsion that the maintainer falsely complies with. It cannot, in some readings of some jurisdictions, protect against a demand that the canary itself be maintained falsely. AION mitigates the third risk over time by moving to threshold-signing as the protocol grows; today, the mitigation is the smallness of the attack surface — the maintainer holds no decryption capability, so coercing the maintainer produces nothing of value to coerce for.

The canary does not relieve any reader of the obligation to read the rest of the legal pages — the Charter, Maintainer of Record, Transparency, Terms, and Privacy — or of the obligation to treat the cryptographic source code as the authoritative description of what AION can and cannot do. The canary is corroborating evidence. The architecture is the proof.

Every prior month’s canary is preserved in the AION source repository under aion-app/src/app/canary/ with an explicit changelog. A reader auditing for absence-of-statement can diff month-over-month and see exactly which line, if any, was removed and when. The diff is the legal record.

The first canary appears with this revision of the Codex Aionis (v0.3, 2026-05-03). All earlier dates are pre-canary; no inference can be drawn from their absence.