A key, not a custodian.

A named officer can be compelled to act; open mathematics has no officer to summon, and a doctrine carried in open code and in the kit each family already holds does not die with the person who maintains it today. Bitcoin has been technically banned in jurisdictions whose courts could not identify a defendant. Tor has been declared illegal in regimes whose police could not enter the network. Signal has refused subpoenas with a one-page response that read, in effect, “we do not have what you are asking for.” The protocol pattern is resilient not because it evades the law but because its strength sits in open mathematics and in the kit each family already holds — not in any one operator whose continuity can be pressured. An operator can be reached; reaching one yields almost nothing, and the doctrine survives the reaching.

AION inherits that pattern. The cryptography is open source. Under the planned Phase 3 holder network, the seven sovereigns will be independent. The convergence doctrine is enforceable by any user with the public recovery toolkit. The maintainer of record is the temporary human at the keyboard — not the seat of power.

Today AION has one maintainer of record. The maintainer is to be identified to the protocol by a public signing key once that real key is published. That key will sign the warrant canary, each cryptographic-library release, the audit chain, and every policy change to the public Codex after the real key is generated and adopted. The public key will be published at /.well-known/aion-maintainer.asc only when that real maintainer key exists. Until that point, the route is intentionally unpublished and may return 404; AION will not publish a placeholder key or ask readers to trust a private fingerprint.

This is the Bitcoin pattern at the very beginning. Satoshi Nakamoto was a single maintainer with a single key for approximately the first eighteen months of Bitcoin’s operation. The protocol survived the maintainer’s disappearance because the maintainer was not the protocol. AION accepts the same risk and the same strength.

When and only when additional maintainers are added, the protocol moves from single-signature to threshold-signature under a published m-of-n schema. Every signature event names the schema in force at the moment of signing, so a reader auditing the canary or the release log can see exactly which keys signed and under what rule. Adding a maintainer requires a fresh canary, a public announcement, and a thirty-day cooling-off period during which existing users can refuse the change by remaining on the prior protocol version.

Removing a maintainer follows the same procedure in reverse, with the additional requirement that the removed maintainer’s key is published as revoked and that the next canary explicitly states the revocation. There is no mechanism by which a maintainer can be silently removed.

Naming a maintainer creates a target. The Pavel Durov detention in France in August 2024 is the textbook example: a named individual was held responsible for the alleged conduct of a platform’s users, in pre-trial detention, with the explicit purpose of compelling cooperation. AION does not pretend that the same risk does not exist for a vault designed to hold the most sensitive data of millions of people. The maintainer of record is identified to the protocol by a key. That key is verifiable. The human behind the key is identified publicly when, and only when, doing so does not increase the protocol’s attack surface.

This is not anonymity. It is operational security under a threat model that includes nation-state pressure on identified individuals. The cryptographic key is the identity. The human is the person at the keyboard. Both exist. Only the first is in scope for the protocol’s guarantees.

A board can be subpoenaed as a body. Officers can be personally enjoined, deposed, and held in contempt. A Foundation can be dissolved by court order in its domicile. The triple-lock structures described elsewhere in this Codex assume the existence of a corporate counterparty that a court could move against. They are real protections against acquisition, but they presume the company exists.

A signing key is not a custody key, and the architecture does not depend on resisting any order to produce it. A court may order its holder to surrender it; even surrendered, it decrypts no vault. It signs the warrant canary and authenticates the protocol — it does not unseal a single user’s secret. Production of the signing key is the production of nothing a surveillance authority can use. Whether any privilege limits the compelled production of a key is an unsettled question across jurisdictions; AION does not rely on it. It relies on the key being worthless to decrypt.

This is the same reason Tor relays are operated by volunteers without a Tor Foundation officer’s involvement, the same reason Bitcoin Core releases are signed by individual contributor keys without a Bitcoin board, and the same reason Signal’s subpoena response fits on one page. The durable thing is the open protocol and the mathematics; the maintainer is the human at the keyboard for now — accountable for what they do, and replaceable when they cannot continue.

If the maintainer of record cannot continue — for any reason, including death, incapacitation, legal compulsion, or voluntary retirement — the protocol enters Cessation. Cessation is not the death of AION; it is the public, legible end of one maintainer’s tenure and the open invitation for adoption by the next.

• The warrant canary stops. Its absence is the first public signal of cessation.
• The cryptographic library, being open source under a license that permits forking, becomes the public domain of the next adopter.
• Under the planned Phase 3 holder network, sovereign holders would execute pre-arranged independent withdrawal under their stewardship covenants. Existing vaults are mathematically unaffected — the threshold tolerates the loss of three sovereigns.
• The AION trademark, where pre-registered, becomes available for adoption by any successor maintainer willing to publish a fresh canary, accept the convergence doctrine, and assume the public obligations.
• Users with prior vaults retain access through the public recovery toolkit. The toolkit does not require the AION-the-Operator to remain in business. It requires only that the user (or the user’s heirs) hold the threshold of shards and the convergence requirements.

Anyone in any jurisdiction can adopt AION as the new maintainer of record by performing, in public, the following acts:

1. Forking the open-source cryptographic library and publishing a release signed by their own key.
2. Re-issuing the convergence covenant in writing, accepting the five immutable principles, the Sunset on Notice rule, and the Cessation Protocol.
3. Publishing the first warrant canary under the new maintainer key.
4. Negotiating stewardship covenants with at least seven sovereign holders willing to honor the protocol.
5. Assuming the AION trademark by good-faith use under the doctrine.

This procedure is published so that no one — including opponents of AION — can credibly claim that the protocol is the property of any particular operator. The protocol belongs to the doctrine. The doctrine belongs to anyone who accepts it.

AION today is operated by TechBantu IT Solutions, LLC(the “Operator” — see the Terms), with one maintainer of record at the keyboard, the cryptographic library (held privately pending the Phase 1 audit), the running prototype, and the Codex. A successor Foundation is planned but not yet formed; there is no board yet. Legal, privacy, security, and DMCA correspondence is received today at mail@sealedaion.com, which is monitored; the aion.foundation role addresses are reserved for that future entity and are not currently deliverable.

Pretending otherwise would be a violation of the Charter’s first principle. AION’s entire claim is that what is said is what is. So this is what is. The path from one maintainer to a Foundation is the next year of work and is tracked in the timeline. The protocol does not depend on the Foundation existing.