Trust is provable, not promised.

The cryptographic library exists. It runs the prototype at /seal and /unseal. It is held privately by the maintainer of record while the Phase 1 cryptographic audit is scheduled and conducted. Publication occurs at the close of Phase 1 — before any paid sealing, before any production custody. Until that publication, the doctrine of cryptographic incapacity is a commitment; on publication, it becomes a verifiable fact.

AION will not pretend to be open source while the source is private. The honest gap is recorded here so that the publication, when it occurs, can be dated against this statement.

• Sealing primitive

  AES-256-GCM authenticated encryption with Shamir’s Secret Sharing of the 256-bit key into seven shards, threshold four. Hundreds of lines under audit. The test suite will assert byte-level invariants over a corpus of named scenarios.

• Time-lock primitive

  A sequential SHA-256 hash chain with calibrated iteration count. The convergence test suite will prove that a longer lock genuinely consumes more wall-clock work and cannot be parallelized.

• Memory-layer primitive

  Argon2id key derivation over the normalized memory answer with a per-vault salt. The fixture suite will lock the contract before the implementation. The answer never leaves the user’s device; the network invariant is asserted by an end-to-end test that inspects every outbound request body.

• Convergence composition

  The primitive that composes the three reality-binding layers into one operation: time-lock first, Shamir combine second, AES-GCM decrypt third. A partial opening produces zero plaintext. The test suite is the doctrine, executable.

1. Clone the public repository when published. The clone runs on a clean machine without network and produces the same test pass.
2. Read the named test invariants. Each is a claim. Each assertion is the proof.
3. Open DevTools → Network on /seal/memory and /unseal/memory. No request will carry the plaintext or the memory answer. End-to-end tests assert this on every push.
4. Read the convergence test suite. Each test names which reality it is breaching and asserts the vault holds.

When AION ships installable clients, the build process will be deterministic and the artifact hashes published. A user with the same source and the same toolchain produces the same bytes. Reproducibility is the only honest answer to “is this binary actually the open-source code?”

Bitcoin survived multiple government bans, a custodial exchange’s collapse, the disappearance of its pseudonymous founder, and several attempted captures by forks because the protocol does not require any particular entity to continue. Tor survived blanket bans in regimes whose police could not enter the network. Signal survived a US grand-jury subpoena with a one-page response: “we do not have the data you are asking for.” AION inherits that pattern by design.

On publication, the cryptographic library is licensed under terms that permit forking, redistribution, and operation by anyone. If the current maintainer of record cannot continue under any pressure, the Cessation Protocol and Open Adoption rule make the next maintainer’s adoption frictionless. The trademark covenant binds every adopter to the doctrine; an operator who violates the doctrine loses the right to use the AION name, and any other operator may take it up.

The legal consequence is unusual and powerful: a court cannot order “AION” to do anything that the cryptographic primitives do not permit, because there is no AION-the-entity that could comply, and the AION-the-protocol can be re-instantiated anywhere by anyone the moment the current operator is enjoined. Banning AION in one jurisdiction does not affect AION in any other. The protocol is the team. The math is the authority. Every operator is replaceable, by design.