AION
VIII · The Threat Model

Thirty-five attacks. Twelve legal instruments. Six honest gaps.

A red-team is most useful when it surfaces the things that do not have a clean answer yet. The full Threat Model lives in the Codex. The summary below is the part you should know before sealing anything irreplaceable — and the legal-attack surface AION has been engineered to outflank.

How AION reasons about attack

The convergence test

Each attack is mapped to the independent layers it must defeat. An attack that breaks a single layer is not a vault break. An attack that breaks every layer simultaneously is. The Threat Model exists to find the second kind, and to write the hardening that splits it back into the first, so that at least one layer again stands on its own.

What the Threat Model surfaced

Six gaps that need explicit work

  • Gap A · Phase 3

    Holder coerced under torture may enter the real password

    Patch: Behavioral duress detection and a duress answer slot

  • Gap B · Phase 2

    Pre-2027 vaults vulnerable to harvest-now-decrypt-later: ciphertext captured today can be decrypted once a cryptographically relevant quantum computer exists

    Patch: Mandatory post-quantum migration by end of 2026, re-wrapping existing vaults as well as new ones (ciphertext already captured stays exposed regardless)

  • Gap C · Phase 2

    Trustees picked from a single community fail together

    Patch: Trustee Diversification Score across family / work / faith / profession

  • Gap D · Phase 1

    Pre-sealing identity-theft race

    Patch: Seven-day Sealing Activation Window

  • Gap E · Phase 3

    Cognitive-decline manipulation in elderly holders

    Patch: Trusted Observer framework with mandatory cooling-off

  • Gap F · Today (covenant) · Day Zero (triple-lock at incorporation)

    Hostile acquisition or charter subversion

    Patch: Trademark covenant + Cessation Protocol + Open Adoption (live today); triple-lock corporate governance layered on when a Foundation is constituted
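Gap A's "duress answer slot" is the one gap above with a concrete cryptographic shape, so here is an added example of how such a slot is usually built. This is illustrative code written for this page, not AION's implementation: the record layout, the scrypt parameters, the `Session` object and the "real answer after repeated rejects" heuristic are all assumptions. The point it demonstrates is that the real and duress answers must go through the same derivation and both comparisons must always run, so neither timing nor the visible response tells a coercer which slot was hit.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical duress-slot design (not AION's code). A vault record carries two
# verifier tags derived with the same KDF and salt: one for the real answer, one
# for the duress answer. unseal() evaluates both comparisons unconditionally so
# that timing does not reveal which slot matched.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost; raise for production


def derive_tag(answer: str, salt: bytes) -> bytes:
    """Memory-hard derivation of a 32-byte verifier tag from an answer."""
    return hashlib.scrypt(answer.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


@dataclass(frozen=True)
class VaultRecord:
    salt: bytes
    real_tag: bytes
    duress_tag: bytes


def seal(real_answer: str, duress_answer: str) -> VaultRecord:
    """Create a record with both slots; the two answers must differ."""
    if real_answer == duress_answer:
        raise ValueError("duress answer must differ from the real answer")
    salt = secrets.token_bytes(16)
    return VaultRecord(salt, derive_tag(real_answer, salt), derive_tag(duress_answer, salt))


def unseal(record: VaultRecord, answer: str) -> str:
    """Return 'real', 'duress' or 'reject'. Both compares run every time."""
    tag = derive_tag(answer, record.salt)
    is_real = hmac.compare_digest(tag, record.real_tag)
    is_duress = hmac.compare_digest(tag, record.duress_tag)
    if is_real:
        return "real"
    if is_duress:
        return "duress"
    return "reject"


@dataclass
class Session:
    """Per-attempt state for a simple behavioral signal (hypothetical)."""
    rejects: int = 0
    alerts: list = field(default_factory=list)


def open_vault(record: VaultRecord, answer: str, real_payload: bytes,
               decoy_payload: bytes, session: Session):
    """Serve the real payload, a decoy, or nothing.

    Alerts go to session.alerts only; they are never shown to the person at
    the keyboard, so a coercer sees an ordinary-looking success.
    """
    outcome = unseal(record, answer)
    if outcome == "duress":
        session.alerts.append("duress slot used")
        return decoy_payload
    if outcome == "reject":
        session.rejects += 1
        return None
    # A real answer arriving after repeated failures is unusual for a holder
    # who knows it; flag for review rather than block (assumed policy).
    if session.rejects >= 3:
        session.alerts.append("real answer after %d rejects" % session.rejects)
    return real_payload


if __name__ == "__main__":
    rec = seal("correct horse battery staple", "let them have it")   # constructed sample
    s = Session()
    print(open_vault(rec, "let them have it", b"real", b"decoy", s), s.alerts)
```

Two design points worth noting: the decoy payload has to be plausible enough to survive inspection, which is a content problem the code cannot solve, and the duress alert must travel over a channel the coercer cannot observe from the device in hand.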
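Gap C's Trustee Diversification Score is named but not defined on this page, so the scoring below is an added example of one way to compute it, not AION's published formula. It assumes a k-of-n recovery threshold (any k trustees can recover, fewer cannot) and the page's four axes; the `Trustee` record and the sample trustee sets are constructed for illustration. Beyond a single score it reports the two concrete failure modes a correlated trustee set produces: a community large enough to recover on its own, and a community whose simultaneous loss leaves fewer than k trustees.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical scoring (not AION's formula). Assumes a k-of-n trustee threshold.
DIMENSIONS = ("family", "work", "faith", "profession")   # the page's four axes


@dataclass(frozen=True)
class Trustee:
    name: str
    family: str
    work: str
    faith: str
    profession: str


def community_sizes(trustees, dim):
    """Number of trustees in each community along one dimension."""
    return Counter(getattr(t, dim) for t in trustees)


def diversification_report(trustees, k):
    """Return (score, findings).

    score: 1.0 when no two trustees share a community on any dimension,
           0.0 when all n share one; linear in the largest shared cluster.
    findings: (dimension, community, risk) for clusters that can recover
           alone ('collusion', size >= k) or whose loss blocks recovery
           ('availability', size > n - k).
    """
    n = len(trustees)
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    findings = []
    largest = 1
    for dim in DIMENSIONS:
        for community, size in community_sizes(trustees, dim).items():
            largest = max(largest, size)
            if size >= k:
                findings.append((dim, community, "collusion"))
            if size > n - k:
                findings.append((dim, community, "availability"))
    score = 1.0 if n == 1 else 1.0 - (largest - 1) / (n - 1)
    return round(score, 3), findings


# Constructed samples: five trustees, threshold 3 (assumed).
SAME_PARISH = [
    Trustee("ana", "garcia", "acme", "st_marks", "nurse"),
    Trustee("ben", "okafor", "acme", "st_marks", "teacher"),
    Trustee("cal", "lee", "citybank", "st_marks", "lawyer"),
    Trustee("dee", "patel", "school", "st_marks", "teacher"),
    Trustee("eli", "garcia", "freelance", "none", "plumber"),
]
SPREAD = [
    Trustee("ana", "garcia", "acme", "st_marks", "nurse"),
    Trustee("ben", "okafor", "citybank", "none", "teacher"),
    Trustee("cal", "lee", "school", "mosque", "lawyer"),
    Trustee("dee", "patel", "freelance", "temple", "engineer"),
    Trustee("eli", "nguyen", "acme", "synagogue", "plumber"),
]

if __name__ == "__main__":
    print(diversification_report(SAME_PARISH, k=3))
    print(diversification_report(SPREAD, k=3))
```

The score alone is a summary; the findings are what a holder should act on. In the first sample four of five trustees attend the same parish, so that parish can reconstruct the vault without the fifth trustee and, if it is lost as a group, the remaining trustee cannot recover at all.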

The legal attack surface

Twelve instruments, twelve structural defenses

The cryptographic threat model is not the entire threat model. Surveillance regimes have built a parallel apparatus of legal instruments to compel what cryptography prevents. The table below is the audit of those instruments and the Charter consequence of each.

  • National Security Letter (US, 18 U.S.C. § 2709)

    Compelled disclosure of subscriber information with a non-disclosure obligation. Issued without judicial review.

    Defense: AION holds no data sufficient to identify a vault from a subscriber. The NSL line in the warrant canary records the absence; receipt removes the line and triggers Self-Detonation in the receiving entity. The canary only carries that signal if it is re-signed on a fixed schedule, so that a missed update reads the same as a removed line.

  • Foreign Intelligence Surveillance Court directive (US, 50 U.S.C. § 1881a)

    Compelled assistance to acquire foreign-intelligence data. Long-running directives possible.

    Defense: AION cannot assist in the acquisition of plaintext it does not hold. The cryptographic force majeure framework applies. Architectural Sunset on Notice if the directive demands a backdoor.

  • CLOUD Act warrant (US, 18 U.S.C. §§ 2701–2713)

    Extraterritorial reach over data held by US-headquartered providers, including data physically stored abroad.

    Defense: AION operates as a protocol with no US-headquartered doctrine-controlling entity. Where a US holding exists, it holds one shard insufficient to reconstruct any vault. A CLOUD Act warrant for that shard surfaces only ciphertext fragments.

  • UK Technical Capability Notice (Investigatory Powers Act 2016, ss. 253–254)

    Compels a provider to maintain or develop a technical capability to provide assistance with surveillance — including, in 2024–2025 practice, weakening of end-to-end encryption.

    Defense: The architecture cannot satisfy a TCN without ceasing to be itself. The UK holding sunsets on receipt. Apple withdrew Advanced Data Protection from the UK in 2025 in a related matter; AION’s response is the inverse — the holding withdraws, the feature stays.

  • EU Production Order (Regulation (EU) 2023/1543)

    Cross-border production of electronic evidence within the EU, with shortened timelines.

    Defense: AION pleads cryptographic incapacity for plaintext requests. For ciphertext requests, the order is evaluated under the issuing state’s law; the encrypted blob is producible because it is meaningless without keys AION cannot supply.

  • EU Chat Control (Regulation Proposal 2022/0155)

    Mandates client-side scanning of encrypted communications under a child-protection rationale. Effectively a backdoor in every covered client.

    Defense: AION treats client-side scanning as a backdoor. The seal/unseal flows do not call any scanning subsystem. A binding directive triggers Sunset on Notice for the affected EU holding and Self-Detonation for the EU operating entity. The doctrine continues from the Successor Entity.

  • Australia Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

    Authorizes Technical Assistance Notices, Technical Capability Notices, and Technical Assistance Requests against Australian-connected providers.

    Defense: Where an Australian holding exists, Sunset on Notice applies on first directive. AION does not currently designate an Australian holding, partly for this reason.

  • PRC Cybersecurity Law (2017), Article 28

    Network operators must provide technical support and assistance for state-security investigations.

    Defense: AION does not operate under PRC jurisdiction and does not designate a PRC holding. The architecture treats this regime as out-of-scope by design.

  • Russian Federal Law No. 374-FZ (Yarovaya, 2016)

    Requires disclosure of encryption keys on demand and retention of traffic content.

    Defense: AION cannot disclose keys it does not hold. A Russian holding (none currently designated) would sunset on first directive.

  • MLAT abuse (Mutual Legal Assistance Treaty mechanisms)

    A jurisdiction without direct authority over AION uses an MLAT to compel a partner jurisdiction with such authority to issue process.

    Defense: The Terms forbid plaintiffs from invoking foreign discovery vehicles. Where compulsion proceeds nonetheless, the directly-served sovereign is evaluated under that sovereign’s rules; if the MLAT-routed request demands a backdoor, Sunset on Notice applies.

  • Anti-SLAPP-evading civil discovery (28 U.S.C. § 1782, Hague Evidence Convention)

    Civil-discovery vehicles used to extract operational information from AION’s subprocessors or sovereign holders.

    Defense: The maintainer of record avails AION of the applicable anti-SLAPP regime (Cal. CCP § 425.16; EU Anti-SLAPP Directive (Directive (EU) 2024/1069); UK provisions; analogous regimes) at the earliest procedural moment, seeking dismissal, costs, and fees.

  • Personal compulsion of the maintainer (cf. Pavel Durov / Telegram, France 2024)

    Pre-trial detention or charges against a named individual operator in lieu of authority over the protocol.

    Defense: The maintainer of record holds no decryption capability and no authority to amend the convergence doctrine, so there is nothing of value to extract by coercing the maintainer. The Cessation Protocol and Open Adoption arrangements ensure operational continuity from a successor maintainer in any jurisdiction if the current maintainer is detained.

Each instrument is a public statute or proposal. AION’s response to each is published in the Transparency doctrine, the Charter’s Sunset on Notice and Self-Detonation Clauses, and the standing posture of the warrant canary.

The most urgent gap

Day-Zero governance

Gap F is the most urgent because it can only be partly retrofitted. Today AION operates as a protocol with a trademark covenant, a Cessation Protocol, and an Open Adoption rule — these are live and require no corporate entity. They prevent a hostile actor from operating under the AION name while violating the doctrine.

When a Foundation is constituted, the corporate triple-lock is layered on top: Foundation IP separation, multi-class voting on doctrinal matters, and a Golden Share with veto rights. Combined with the Cessation Protocol, the structure ensures that even a successful acquisition of a future operating company produces a successor maintainer in a different jurisdiction rather than a compromised AION.

This is not a feature. It is the shape of the protocol — and, when the Foundation is filed, the shape of the company.

What is fully treated

Thirty hardenings, in code or in plan

AION’s priority hardenings are:

  • cross-library cryptographic verification
  • threshold signing for production deploys
  • the open-source recovery toolkit shipped from day one
  • the public transparency report
  • local-only biometrics with zero-knowledge attestations
  • the No-Override Channels attestation
  • the trademark covenant and Cessation Protocol (with the corporate triple-lock layered on at Foundation incorporation)
  • the seven-day sealing activation window
  • the multi-standard cryptographic stack

Each is described, where it is shipping, in the relevant public chapter. There is no “real” threat model hidden elsewhere. This page is the threat model.

What we will not pretend

The ceiling of any threat model

A threat model is not a guarantee. It is the best honest map of the attack surface as the engineers and reviewers see it today. New realities — new compute, new biology, new geopolitics, new statutes — will surface attacks not yet in the catalogue. The right response is to keep updating the model in public, not to stop publishing it.