A protocol, not a company.

A company can be acquired, sued, gagged, dissolved, taxed, regulated, deplatformed, debanked, or arrested through a named officer. A protocol cannot. Bitcoin has been technically banned in jurisdictions whose courts could not identify a defendant. Tor has been declared illegal in regimes whose police could not enter the network. Signal has refused subpoenas with a one-page response that read, in effect, “we do not have what you are asking for.” The protocol pattern is the strongest legal posture in the modern surveillance era because it does not place the strength in any one entity that can be moved against.

AION inherits that pattern. The cryptography is open source. The seven sovereigns are independent. The convergence doctrine is enforceable by any user with the public recovery toolkit. The maintainer of record is the temporary human at the keyboard — not the seat of power.

Today AION has one maintainer of record. The maintainer is to be identified to the protocol by a public signing key once that real key is published. That key will sign the warrant canary, each cryptographic-library release, the audit chain, and every policy change to the public Codex after the real key is generated and adopted. The public key will be published at /.well-known/aion-maintainer.asc only when that real maintainer key exists. Until that point, the route is intentionally unpublished and may return 404; AION will not publish a placeholder key or ask readers to trust a private fingerprint.

This is the Bitcoin pattern at the very beginning. Satoshi Nakamoto was a single maintainer with a single key for approximately the first eighteen months of Bitcoin’s operation. The protocol survived the maintainer’s disappearance because the maintainer was not the protocol. AION accepts the same risk and the same strength.

When and only when additional maintainers are added, the protocol moves from single-signature to threshold-signature under a published m-of-n schema. Every signature event names the schema in force at the moment of signing, so a reader auditing the canary or the release log can see exactly which keys signed and under what rule. Adding a maintainer requires a fresh canary, a public announcement, and a thirty-day cooling-off period during which existing users can refuse the change by remaining on the prior protocol version.

Removing a maintainer follows the same procedure in reverse, with the additional requirement that the removed maintainer’s key is published as revoked and that the next canary explicitly states the revocation. There is no mechanism by which a maintainer can be silently removed.

Naming a maintainer creates a target. The Pavel Durov detention in France in August 2024 is the textbook example: a named individual was held responsible for the alleged conduct of a platform’s users, in pre-trial detention, with the explicit purpose of compelling cooperation. AION does not pretend that the same risk does not exist for a vault designed to hold the most sensitive data of millions of people. The maintainer of record is identified to the protocol by a key. That key is verifiable. The human behind the key is identified publicly when, and only when, doing so does not increase the protocol’s attack surface.

This is not anonymity. It is operational security under a threat model that includes nation-state pressure on identified individuals. The cryptographic key is the identity. The human is the person at the keyboard. Both exist. Only the first is in scope for the protocol’s guarantees.

A board can be subpoenaed as a body. Officers can be personally enjoined, deposed, and held in contempt. A Foundation can be dissolved by court order in its domicile. The triple-lock structures described elsewhere in this Codex assume the existence of a corporate counterparty that a court could move against. They are real protections against acquisition, but they presume the company exists.

A single key cannot be subpoenaed in the same sense. A court can order the holder of the key to produce the key, but the holder can credibly refuse on Fifth Amendment grounds (US), Article 6 ECHR grounds (Europe), and the analogous protections elsewhere — and even if the holder complied, possession of the key produces no decryption, because the key signs the canary and the protocol but does not decrypt user vaults. The key is a public-mission signature, not a custody key. Production of the signing key is the production of nothing of value to a surveillance authority.

This is the same reason Tor relays are operated by volunteers without a Tor Foundation officer’s involvement, the same reason Bitcoin Core releases are signed by individual contributor keys without a Bitcoin board, and the same reason Signal’s subpoena response fits on one page. The protocol is the entity. The maintainer is the operator at the present moment.

If the maintainer of record cannot continue — for any reason, including death, incapacitation, legal compulsion, or voluntary retirement — the protocol enters Cessation. Cessation is not the death of AION; it is the public, legible end of one maintainer’s tenure and the open invitation for adoption by the next.

• The warrant canary stops. Its absence is the first public signal of cessation.
• The cryptographic library, being open source under a license that permits forking, becomes the public domain of the next adopter.
• Sovereign holders execute pre-arranged independent withdrawal under their stewardship covenants. Existing vaults are mathematically unaffected — the threshold tolerates the loss of three sovereigns.
• The AION trademark, where pre-registered, becomes available for adoption by any successor maintainer willing to publish a fresh canary, accept the convergence doctrine, and assume the public obligations.
• Users with prior vaults retain access through the public recovery toolkit. The toolkit does not require the AION-the-operator to remain in business. It requires only that the user (or the user’s heirs) hold the threshold of shards and the convergence requirements.

Anyone in any jurisdiction can adopt AION as the new maintainer of record by performing, in public, the following acts:

1. Forking the open-source cryptographic library and publishing a release signed by their own key.
2. Re-issuing the convergence covenant in writing, accepting the five immutable principles, the Sunset on Notice rule, and the Cessation Protocol.
3. Publishing the first warrant canary under the new maintainer key.
4. Negotiating stewardship covenants with at least seven sovereign holders willing to honor the protocol.
5. Assuming the AION trademark by good-faith use under the doctrine.

This procedure is published so that no one — including opponents of AION — can credibly claim that the protocol is the property of any particular operator. The protocol belongs to the doctrine. The doctrine belongs to anyone who accepts it.

AION today is one maintainer of record, the cryptographic library (held privately pending the Phase 1 audit), the running prototype, and the Codex. There is no Foundation yet. There is no board. The emails referenced in the legal pages (privacy@sealedaion.com, security@sealedaion.com, etc.) are published on sealedaion.com; email forwarding may still propagate after MX setup. Until routing is verified, mail may not be received — AION would rather show that gap honestly than invent a channel.

Pretending otherwise would be a violation of the Charter’s first principle. AION’s entire claim is that what is said is what is. So this is what is. The path from one maintainer to a Foundation is the next year of work and is tracked in the timeline. The protocol does not depend on the Foundation existing.