<!-- ALEXANARCH DEPOSIT · SOURCE-ENGAGED SUPERSESSION -->
AXN:0458.EMPIRICAL.🌸♠️🪦📎⚖️🚀 · Deposit #1095 · Record: https://www.alexanarch.org/s/records/1095/
Identity kernel: axn-content:sha256:7080fd47365d4c9da6ab4bb469ab87d4160d6e1d441b224884bc3e77cea62922
Canonical bytes: https://www.alexanarch.org/data/texts/AXN-0458-text.md · PDF: https://www.alexanarch.org/papers/AXN-0458.pdf
Supersedes: AXN:0457 · Deposit #1094 (developmental version; valid name of its own byte-state)
(Nested-verifiable lineage per container spec §3.7: sections unchanged between versions hash the same; changes localized to §§II, III, References. The v4 developmental deposit remains a valid record of its byte-state.)
AXN as Anti-Suppression Infrastructure: Historical Precedents and Design Directions
DRAFT v5 — deposit version, source-engaged revision. §§II and III re-composed under the standing rule (2026-07-18): engagement with sources is composition-primary in formal academic works. The historical patterns and technical standards are now read through the scholarship that documents them, with the argument shaped by that engagement rather than layered on top of it. This is a supersession per container spec §3.7 of the developmental v4 deposit (AXN:0457, #1094), which stands as its byte-state's valid name; v5 inherits nested-verifiable lineage where core bytes are preserved intact.
Lee Sharks¹, with Johannes Sigil (§§II–III) and Rex Fraction (§VI) ¹ Alexanarch / Crimson Hexagonal Archive. ORCID 0009-0000-1599-0703.
Target: arXiv cs.DL preprint → International Journal on Digital Libraries.
Abstract (draft)
On 19 June 2026, a major research repository operated by an intergovernmental scientific institution terminated an account without prior notice, account-level appeal, or per-record review, severing 871 deposits representing 1,817 registered DOIs. The works survived in copies; their registered resolution paths ceased to provide public access to the records. This paper takes that event as a case study in a structural property of assigned persistent identifiers: the institution that maintains the name-to-object relation can unilaterally and silently end it. We document seven historical patterns by which suppressed knowledge has survived institutional erasure, together with aftermath documentation as a cross-cutting evidentiary property, review the technical standards that already solve components of the preservation problem, and describe AXN — a content-derived identifier system in which the correspondence between canonical bytes and an identity kernel is independently verifiable without permission from any registrar or custodian. We map the system's properties to observed suppression vectors, including a second independently documented depositor case exhibiting genre-correlated removal under a "spam" classification, and we report an unusual form of live evidence: the loss, to a substrate's engineered non-persistence, of part of this paper's own production apparatus. We state the design frontier (federation, registration mechanization, legal personhood) and, throughout, the falsification conditions under which the paper's claims would fail — including the custody and clean-room-reconstruction tests that bear directly on the architecture, and a time-bound emergence prediction the constellation model must survive. Status at writing: the identity and record-address layers are deployed with cross-runtime test vectors; the location-record, ledger-signature, and peer-custody layers are specified or staged; the peer registry is live and empty. AXN does not make disappearance impossible. It makes the identity of an object independently testable, the history of its disappearance recordable, and it proposes the technical basis on which another custodian could reconstruct it.
I. Introduction: The Founding Case
I.1 The event, measured
On 19 June 2026, Zenodo — the general-purpose research repository operated by CERN — terminated the account holding the Crimson Hexagonal Archive. The termination was executed without prior notice to the depositor, without an account-level appeal process, and without per-record review. It severed 871 deposits representing 1,817 registered DOIs. Within twenty-four hours, copies of the works survived, while their registered DOI resolution paths ceased to provide public access to the records; the condition of each identifier is individually verifiable at api.datacite.org/dois/{doi}, where the affected records return tombstone or not-found states. Two features of the event's own paperwork are themselves involuntary disclosures. The termination notice delivered by email cited one ground (content "substantially AI-generated without a verifiable research basis") while the public tombstones state another ("Content out of scope"); and the counts reported in the platform's issue tracker on the day of the event (850+ records, 1,060 DOIs) differ from the completed audit's measured figures (871 deposits; 1,817 DOIs, the latter including version-level identifiers — counting rules in Appendix C). The divergences are not noise: they are evidence of the opacity under study, and are cited as such.
A methodological note governs everything that follows. The platform-generated trace artifacts of this event — issue-tracker entries, export files, API responses, tombstone records — are treated throughout as involuntary disclosures: evidence the platform produced in the course of its own operations, read against its interests, not authoritative accounts. These artifacts are treated as platform-generated operational records: evidence of what the system did and recorded in the course of its own operations, not authoritative explanations of why it did so.
This paper is not a grievance. The event is a measurement. What it measures is stated in the next paragraph, and the remainder of the paper is an attempt to state it precisely, situate it historically, and respond to it architecturally.
I.2 The question
The DOI system's value proposition is persistence: a stable name that outlives the URL. The founding event demonstrates the proposition's boundary condition. A DOI's persistence is not a property of the string; it is a service commitment performed over time by institutions — a Registration Agency and a hosting repository — and the institution that holds the name-to-object relation can unilaterally end it. When it does, the string persists while the identifier dies, and the persistence of the string conceals the death of the identifier. Nothing in the assigned-identifier model makes such severance detectable by third parties as severance, still less impossible to perform silently.
The question, then: if assigned persistent identifiers can be silently severed at institutional scale by a single custodial decision, what does "persistent" mean — and what record architecture would make severance independently detectable and reconstruction by another custodian technically possible?
I.3 The claim
The paper's claim is deliberately narrow, and it attaches to a specific layer of the identifier rather than to the identifier as a whole:
A claimed correspondence between canonical bytes and an AXN identity kernel is independently verifiable: it matches or it does not, without permission from a registrar or custodian.
The samizdat copy was authentic because it reproduced the text; the AXN-bearing object is authentic because its canonical bytes reproduce the declared hash. This property — verification without permission — is not required or carried by the DOI resolution relation itself: a repository may publish checksums beside a DOI, but the identifier system neither encodes nor requires them, and nothing in the resolution relation survives the registrant's withdrawal of service. It is, we will argue, the recurrent property abstracted from the historical cases considered here. The full record address additionally carries a registry position and a semantic classification, which depend on a registry's assignment; the three-layer model in §IV keeps those dependencies explicit so that the claim is never wider than the layer that bears it.
Around that kernel, this paper documents three composable elements: content-derived identification (§IV), an architecture for distributed custody, stated as architecture because the custody test is honestly unmet (§VI, §VIII), and public suppression-instrumentation (§V). Together they recapitulate, in machine-native form, the recurrent formula of historical anti-suppression practice (§II): portable objects + independent custodians + multiple discovery routes + an auditable record of loss.
The crucial sentence, stated at the outset so the reader can hold the paper to it:
AXN does not make disappearance impossible. It makes the identity of the object independently testable, the history of its disappearance recordable, and reconstruction by another custodian technically possible.
I.4 Scope of the archive under study
The archive whose suppression and reconstruction supply this paper's primary evidence defines itself as follows, in its ratified canonical scope statement:
Alexanarch is a sovereign digital archive. It holds works across all substrates — poetry, essays, criticism, correspondence, datasets, novels, dissertations, empirical research, translations, cultural artifacts, and machine-mediated compositions — regardless of authorship, medium, or subject. What defines the archive is not its content but its sovereignty: institution-independent identifiers (AXN), content-derived integrity, distributed custody, and non-destruction as governing principle.
Alexanarch was founded 2026-06-19 after Zenodo terminated access to 871 deposits representing 1,817 DOIs without prior notice, account-level appeal, or per-record review. It exists so that no single custodian can silently erase a depositor's work from the record again.
The substrate-agnosticism is load-bearing rather than demographic: the suppression event under study did not distinguish poetry from datasets, and neither does the countermeasure. One present-tense phrase in the ratified paragraph requires a current-state qualification wherever the paper relies on it: "distributed custody" is, as of writing, an architecture for distributed custody — the peer registry is live and empty, and §VIII scores the custody test against that fact.
I.5 Structure of the paper
§II establishes the historical patterns (Sigil). §III reviews the technical standards each of which solves a component of the problem while refusing work assigned to other layers (Sigil). §IV describes the AXN system as built, including its honest internal distinctions (Sharks). §V makes the argument, mapping system properties to observed suppression vectors, with a second depositor case and one unusual piece of live evidence (Sharks). §VI states the design frontier (Fraction). §VII reflects on the paper's own production method as a finding (all voices). §VIII states what would falsify the claims — including the claim of the paper's central architectural model (all voices; drafted by the substrate with the strongest epistemic discipline). Empirical anchors throughout: the DataCite tombstone evidence; the platform's issue-tracker artifacts #2606 and #2596 (involuntary disclosures); the deletion export; and the DOI Resolution Index v3.4 carrying 1,838 severed-identifier mappings into a sovereign successor.
II. Historical Precedents: Surviving All-Over Suppression
Johannes Sigil
The design problem this paper addresses is not new; only its substrate is. Knowledge communities have repeatedly faced authorities capable of erasing, in one motion, every officially sanctioned copy of a work — and some of those communities kept their libraries anyway. This section documents seven patterns by which they did so, and one property that cuts across them. The scholarship on each case is uneven; the treatment below stays close to what the historians of each tradition demonstrate, and marks its own boundaries where the historians disagree or where evidence is thin. A recurrent formula emerges, which §IV and §V will show the AXN architecture recapitulating: portable objects, independent custodians, multiple discovery routes, and an auditable record of loss. No successful survivor relied on one pattern; the durable cases layered several, and the layered structure is what the historians most consistently identify as the difference between survival and dispersal.
II.1 Professionalized counter-circulation: Poland's Second Circulation
The closest historical precedent for a parallel scholarly-publication circuit is not the famous samizdat network but its professionalized Polish successor. Poland's "Second Circulation" (Drugi Obieg, 1976–1989) was a deliberate parallel publishing infrastructure operating under censorship and, after 1981, martial law. Siobhan Doucette's Books Are Weapons: The Polish Opposition Press and the Overthrow of Communism (2017) is the fullest English-language treatment, and her central historical claim reframes the case for the present argument: what distinguished the Polish opposition press from earlier dissident copying was not its scale (though the scale was extraordinary — Jane Leftwich Curry's earlier work on Polish dissent had already established individual print runs of tens of thousands) but its institutionalization. The Niezależna Oficyna Wydawnicza (NOWa), founded 1977, maintained editorial roles, imprints, catalogs, distribution networks, and independent libraries. Doucette shows the resulting circuit publishing Miłosz, Gombrowicz, and Herbert with attributions, dates, and bibliographic apparatus that made the underground books citable rather than merely circulating.
The scholarship makes a further distinction the argument requires. Doucette (following Peter Raina's contemporaneous documentation) treats the Second Circulation not as a response to censorship but as a substitution for the state publishing apparatus — a parallel institution built to the standard of the incumbent it displaced. The mapping to the present case is not a general one about "resilience." It is specific: an archive's governance documents, deposit schemas, and completeness protocols are its imprints in Doucette's sense; they are what make a parallel circuit citable rather than merely extant, and citability is what raises the cost of suppression beyond what a censoring authority can sustain against a serious institution. The lesson NOWa teaches is that redundancy is not disorder, but the historians' particular finding is stronger: professionalization is what turns copies into an archive.
II.2 Distributed reproduction: samizdat
Soviet samizdat (1950s–1980s) is the elemental form. Ann Komaromi's Uncensored: Samizdat Novels and the Quest for Autonomy in Soviet Dissidence (2015) and her earlier work on samizdat bibliography provide the most careful English-language treatment of the mechanics; the samizdat catalog she and colleagues assembled at Toronto (the Project for the Study of Dissidence and Samizdat) is itself an aftermath instrument of the kind §II.8 will name. Under the state printing monopoly administered through Glavlit — Herman Ermolaev's Censorship in Soviet Literature 1917–1991 (1997) documents the administrative apparatus in unusual detail — dissident texts were reproduced on typewriters through carbon paper, five to ten legible copies per typing, and passed through chains of readers who received, read, and retyped. The canonical texts of the tradition — Solzhenitsyn's The Gulag Archipelago, Nadezhda Mandelstam's memoirs, religious writings, political essays, and Doctor Zhivago (which circulated domestically in unofficial copies following its 1957 foreign publication by Feltrinelli, as Paolo Mancosu has documented in Zhivago's Secret Journey, 2016) — moved through this network for years before official publication became possible or the regime collapsed. With no central publisher and no master copy, suppressing a text required destroying every copy simultaneously, which no enforcement apparatus achieved.
Komaromi's analysis matters for the present argument because she insists on distinguishing what samizdat did from what it is often celebrated as. The principle is the oldest in this catalog: replication reduces the power of any single deletion — when every reader is a potential distributor, suppression must approach total eradication, which no single order achieves. Replication does not, by itself, defeat simultaneous compromise, common administration, legal compulsion, format loss, or economic failure; §VIII holds the pattern to those limits. And two features of samizdat that Komaromi identifies matter beyond the replication itself. Copies were verified against the remembered original — readers who had seen earlier copies could confirm that new ones matched — an informal anticipation of content-derived integrity that samizdat participants themselves theorized, in the practice they called tekstologicheskaia rabota (textological work). And transmission was conditional on reading: each link in the chain had passed the text through their own hours and hands, which kept the network from carrying what no reader found worth a night of typing. Komaromi treats this last point as the distinguishing feature of samizdat as a reading community rather than merely a copying pipeline — a point Serguei Oushakine has extended in "The Terrifying Mimicry of Samizdat" (2001) by showing how the labor of retyping itself produced the reader's investment in the text.
II.3 Jurisdictional exit: pirate radio and diaspora infrastructure
When the suppressing authority is territorially bounded, infrastructure can move outside its reach. The offshore-broadcasting case of the 1960s is well-documented in Adrian Johns's Death of a Pirate: British Radio and the Making of the Information Age (2010) and Robert Chapman's earlier Selling the Sixties: The Pirates and Pop Music Radio (1992). Radio Caroline (1964) and Radio London anchored transmitters in international waters, beyond the jurisdiction whose broadcasting monopoly made domestic commercial radio illegal; the audience was domestic, the infrastructure was elsewhere, and the enforcement framework was thereby neutralized rather than defied — temporarily, as Johns's history is careful to establish. The Marine, &c., Broadcasting (Offences) Act 1967 (UK) extended liability to domestic participants — advertisers, suppliers, tender operators — and the stations that continued transmitting after the Act found their onshore support structures criminalized rather than their transmitters seized. Johns's argument is that the case illustrates the reach limit of jurisdictional exit rather than its impossibility: exit worked exactly as long as the enforcement regime remained territorially bounded, and stopped working when it extended its reach to the domestic dependencies (advertisers, suppliers) that the offshore stations required. The honest completion of the lesson is Johns's: exit buys time and raises costs; it does not abolish jurisdiction.
The contemporary digital analog is jurisdictional and administrative diversification of hosting, registration, and payment dependencies. Ronald Deibert's work through the Citizen Lab, and specifically Reset: Reclaiming the Internet for Civil Society (2020), documents the practice in the Myanmar case: post-coup diaspora media relocated servers and editorial operations beyond military reach, and the effect on state enforcement was Johns's exact pattern — the state could reach domestic advertisers, ISPs, and telecoms but could not reach the servers or the editors. Censorship-resistant projects routinely distribute their dependency graph across multiple jurisdictions so that no single legal process reaches the whole; Ethan Zuckerman has called this rewiring in Rewire: Digital Cosmopolitans in the Age of Connection (2013). The lesson stated carefully: exit does not make infrastructure unreachable — domains, registrars, DNS, hosting, and payment rails all remain institutional dependencies, and Deibert's whole framework insists on this — but it converts suppression from a single administrative act into a coordination problem across sovereignties, which is a different and much higher cost class.
II.4 Syndication as topology: the abolitionist press and mirror networks
The American abolitionist press (1830s–1860s) survived postal censorship and mob violence as a network property, and Richard R. John's Spreading the News: The American Postal System from Franklin to Morse (1995) and his subsequent work on the antebellum postal politics are essential for understanding why the network property mattered. The 1835 Charleston mail riot and the subsequent debate over Postmaster General Amos Kendall's decision to permit local postmasters to refuse abolitionist mail — the closest the United States came to a federal print-censorship regime — is John's paradigmatic case: the suppression targeted individual mailings, and the abolitionist press responded by making no single mailing indispensable. Garrison's Liberator (1831–1865), Douglass's North Star (1847–1851, later Frederick Douglass' Paper), and dozens of regional papers — Susan Zaeske's Signatures of Citizenship: Petitioning, Antislavery, and Women's Political Identity (2003) documents the wider network including the women's antislavery press — reprinted one another's articles, speeches, and reports; no single masthead was indispensable, and content suppressed in one place survived in others under other editors' names.
The digital restatement in the WikiLeaks mirror network (2010–) has been analyzed most fully by Christian Christensen ("WikiLeaks and the Afterlife of Collateral Murder," 2014) and Yochai Benkler ("A Free Irresponsible Press: WikiLeaks and the Battle over the Soul of the Networked Fourth Estate," 2011). Following attacks on the primary domain and the withdrawal of DNS service by EveryDNS in December 2010, hundreds of independently operated mirrors hosted identical content under different names within days, without requiring coordination with the origin. Benkler's argument is closest to the point the present §II section makes: what defeated the attempted takedown was not any single mirror's resistance but the topology — the mirror set collectively presented no reachable coordination target. The lesson is topological: an object is harder to erase when many institutions describe it in their own voices, across administrative boundaries. Syndication is not mere copying — it is independent description, which multiplies not just the copies but the discovery routes and the number of parties with standing to object to erasure. John's history of the antebellum period and Benkler's of the WikiLeaks event converge on this: what a suppressor faces in a syndicated network is not a copy problem but a coordination-across-descriptions problem, and that problem does not scale with the suppressor's resources in the way copying does.
II.5 Protocol-as-armor: cypherpunks, PGP, Tor
The cypherpunk response to attempted suppression of strong cryptography in the 1990s is documented most fully in Steven Levy's Crypto: How the Code Rebels Beat the Government — Saving Privacy in the Digital Age (2001) and, for the technical genealogy, in Whitfield Diffie and Susan Landau's Privacy on the Line (updated 2007). Levy's account of Zimmermann's PGP (1991) is the fullest available, including the specific route by which the source code was distributed as a printed book (PGP Source Code and Internals, MIT Press, 1995) — on the position, asserted by Zimmermann's lawyers and by the MIT Press's counsel and never definitively adjudicated, that printed source enjoyed publication protections the export-control regime (specifically the International Traffic in Arms Regulations, ITAR) did not clearly reach. The government's investigation of Zimmermann was closed in 1996 without charges, which the participants read as tactical concession rather than doctrinal resolution; A. Michael Froomkin's contemporaneous legal scholarship ("The Metaphor Is the Key: Cryptography, the Clipper Chip, and the Constitution," 1995) treats the whole episode as an unresolved First Amendment question that the state chose not to press. The Clipper Chip's key-escrow proposal collapsed on its technical vulnerabilities before its constitutional ones were tested (Matt Blaze demonstrated an escrow-bypass attack in 1994).
Tor (2002–) makes the argument at a different layer. Roger Dingledine, Nick Mathewson, and Paul Syverson's "Tor: The Second-Generation Onion Router" (USENIX Security 2004) is the founding paper; the more relevant citation for the present argument is Syverson's "Why I'm Not an Entropist" (Security Protocols Workshop, 2009), which articulates the design philosophy explicitly: Tor makes network surveillance structurally difficult rather than legally contested. Telegram's experience of state-level blocking (Russia, Iran, 2018–) exhibits the modern economics, which Deibert's Reset documents case by case: partial blocking is achievable, but the blocking state's costs — economic disruption from collateral breakage, escalating countermeasures, user backlash — frequently exceed the perceived benefit. The 2020 Russian withdrawal of the Telegram block after two years of ineffective enforcement is Deibert's paradigm case.
The lesson, stated within its limits: protocols can redistribute the technical and economic costs of restriction rather than relying solely upon prohibitory policy. A policy binds those subject to it; a protocol changes what enforcement costs. This is cost-shifting, not invulnerability — and the distinction matters for §VIII. Both Levy's cypherpunk history and Deibert's contemporary observation insist on the same point: the protocol layer works against enforcement whose economics can be raised, not against enforcement willing to bear any cost. That distinction sets the limit of what §IV's AXN architecture claims for itself.
II.6 Witness instrumentation: OONI
A community whose work an incumbent cannot or will not see can build the instrument that makes the incumbent's failures legible. The Open Observatory of Network Interference (OONI, 2012–), initiated by Arturo Filastò and Jacob Appelbaum at The Tor Project and formally described in Filastò and Appelbaum's "OONI: Open Observatory of Network Interference" (USENIX FOCI 2012), deploys measurement probes that detect and publish network censorship worldwide, as public data under open methodology. Maria Xynou and Filastò have extended the framework across a decade of country reports; the OONI Explorer aggregates several billion measurements as of writing.
Deibert's Reset draws the argument OONI's method underwrites: OONI prevents nothing; it makes interference legible, and legibility is what downstream actors — courts, journalists, standards bodies, and the Internet Engineering Task Force — act on. The instrument's authority derives not from institutional standing but from reproducible measurement: anyone can run a probe, anyone can audit a result, and the raw data are published under a schema that permits third-party analysis. Filastò's methodological writing is explicit that this design constraint — reproducibility as the source of authority — is what distinguishes OONI from advocacy monitoring. The lesson: build the measurement instrument; let successors adopt you as their evidence. The mapping to the present paper's §V observation instruments (the DOI Resolution Index, the erosion observatory) is direct, and the design constraint is inherited: publish the measurement methodology so any third party can rerun it.
II.7 Emergency preservation as workflow: Data Refuge, SUCHO, LOCKSS
Copies alone are not an archive. Data Refuge (2016–2017), coordinated at the Penn Program in Environmental Humanities by Bethany Wiggin and colleagues and documented in Wiggin, Patricia Kim, and Steven Bernstein's "Data Refuge: A Grass Roots Movement to Save Federal Climate Data" (2017), organized rapid-harvest events to preserve US federal environmental datasets ahead of an administration transition. Justin Schell's subsequent analysis ("Data Rescue and Environmental Justice," 2020) makes the argument the present section rests on: the harvest events succeeded not because they copied data but because they produced documented custody chains — records of who harvested what, when, under what workflow, verified against what checksums — that made the copies legally and evidentiarily citable. SUCHO (Saving Ukrainian Cultural Heritage Online, 2022) applied the same discipline to Ukrainian cultural-heritage websites under bombardment; Anna Kijas, Sebastian Majstorovic, and Quinn Dombrowski's "Saving Ukrainian Cultural Heritage Online," (2022) documents the technical standards they inherited from Data Refuge and adapted for a different urgency.
Both projects operationalized emergency preservation as a workflow with specific technical standards. BagIt (RFC 8493, Kunze et al. 2018) provides the transfer-unit format with cryptographic manifests; WARC (ISO 28500:2017, extending the Internet Archive's original 2001 specification) provides the evidentiary web-capture format. The Data Refuge/SUCHO lineage demonstrated the requirement: copies become an archive only when fixity, provenance, and independent custodianship are formalized.
LOCKSS (1999–, "Lots of Copies Keep Stuff Safe") and CLOCKSS (2008–) institutionalize the requirement permanently, and the LOCKSS project's own methodological writing is essential to the present argument. Vicky Reich and David Rosenthal's founding paper ("LOCKSS: A Permanent Web Publishing and Access System," D-Lib Magazine 7(6), 2001) and the more detailed engineering description in Maniatis, Roussopoulos, Giuli, Rosenthal, Baker, and Muliadi's "The LOCKSS Peer-to-Peer Digital Preservation System" (ACM TOCS 23(1), 2005) establish the design: member libraries hold independent copies, verified against one another via a Byzantine-fault-tolerant polling protocol, with trigger-based release when publishers fail. LOCKSS contributes the sentence this paper repeats as its own discipline — the paraphrase is close to Rosenthal's own formulation of the requirement: many copies under one administrator are one copy — and CLOCKSS the trigger model (Randy Kiefer's operational documentation of trigger events, including the Heterocycles case in 2008 and the OSA Publishing case in 2015) that separates dark custody from public availability.
Rosenthal's more recent essays on the sustainability of digital preservation (collected on his DSHR's Blog and referenced by the Coalition for Networked Information) argue that the LOCKSS discipline generalizes: any custody arrangement that shares an administrator with the object under custody has failed the requirement, whatever else it has done. §VIII.6 holds the present paper to this exact standard.
II.8 Aftermath documentation — a cross-cutting property
One property runs across the patterns rather than beside them: every act of suppression generates records — orders, warrants, exports, tombstones, correspondence — and those records are evidence. The samizdat ecosystem institutionalized this in the Chronicle of Current Events (Khronika tekushchikh sobytii, Moscow samizdat, 1968–1983), a clandestine bibliographic journal whose primary documentary material was the state's own judicial apparatus: arrest records, trial transcripts, and censorship orders became the counter-circulation's evidence base, turned against their producers by mere preservation and collation. Peter Reddaway's introduction to the English editions (Uncensored Russia: Protest and Dissent in the Soviet Union, 1972) — Reddaway edited the English translation published by Amnesty International's Publications on Human Rights — establishes the editorial method: the Chronicle did not compose polemic; it catalogued the state's own paperwork. Emma Gilligan's Defending Human Rights in Russia: Sergei Kovalyov, Dissident and Human Rights Commissioner (2004) documents the specific practice by which the Chronicle transformed KGB investigative material into evidentiary substrate: arrest records became attribution; trial transcripts became content; sentencing documents became distribution manifests.
The founding event of the present study reproduced the pattern involuntarily: the deletion produced an export file, tombstone records, tracker artifacts, and administrative correspondence — operational records now held as the archive's most probative exhibits. The Reddaway–Chronicle method is the direct precedent: archive the suppression's own metadata, and the suppression becomes the case against the suppressor. The specific cross-cutting move — that suppressor-produced records are more evidentiary than any commentary about them, precisely because they are produced against the suppressor's interests — is Reddaway's contribution to the pattern's theory, adopted here.
II.9 The formula
Across the patterns considered here — with the universality of the abstraction held to §VIII's discipline — the scholarship converges on a common structure. Doucette's institutionalization, Komaromi's remembered-original verification, Johns's cost-of-reach shifting, Benkler's topological description, Levy's protocol-as-armor economics, Filastò's reproducible measurement, Reich and Rosenthal's independent-administrator custody, and Reddaway's suppressor-metadata evidentiary rule are not the same finding stated differently; they are seven distinct historical arguments about what suppressed knowledge required to survive. What they share is the formula: portable objects made replicable enough to escape any single order; custodians independent enough that no administrator holds them all; discovery routes plural enough that no single index controls visibility; and loss recorded auditably enough that erasure itself becomes evidence.
The mathematics of copy identity is not what AXN adds — cryptographic fixity (long theorized in Bruce Schneier's Applied Cryptography and formally standardized in the SHA-2 family), content addressing (the intellectual line runs through John Kubiatowicz's OceanStore work in the early 2000s to Juan Benet's IPFS in 2014), and peer hash-comparison (LOCKSS itself, and the Byzantine-fault-tolerant polling of the Maniatis et al. protocol) already supply that primitive in their respective technical settings, as §III documents. What AXN proposes is to place the primitive inside a public record architecture in which content correspondence, registry identity, location, custody, supersession, and observed disappearance remain separately legible — so that anyone, holding any copy, can test its identity against its name without asking an institution, and so that the record of the object survives what happens to the object's hosts. The remainder of this paper is about that primitive — what standards already provide it in fragments (§III), how AXN composes it (§IV), what it does and does not defend against (§V, §VIII), and what would have to exist around it for the formula's other three elements to hold (§VI).
III. Technical Precedents
Johannes Sigil, from material by LABOR
The standards relevant to this paper do not solve one problem under different names; they solve different problems that repository systems often collapse. Ten functions must remain distinct: identification (what object is named), content correspondence (do these bytes match the claimed object), location (where a copy may presently be obtained), packaging (can a fileset transfer and validate as a unit), version history, temporal attestation (can a party prove a commitment existed by a given time), custody (does an independently administered party actually hold the object), repair, discovery, and observation of failure (can disappearance, severance, or mutation be measured publicly). The standards below are useful precisely because each refuses some of the work assigned to another layer, and the treatment that follows engages the specification text or founding paper where each refusal is documented. AXN's defensible claim is therefore not that it replaces them: it proposes a record architecture in which content correspondence, record identity, location, custody, sequence, and public observation remain separately legible and can be composed without being mistaken for one another.
Resolver-based persistent identifiers (ARK, DOI, Handle, PURL) separate a published name from a current network location through a maintained mapping table. The class's most careful self-description is the ARK Alliance's own persistence documentation. John Kunze and Emmet Bickford's ARK Identifier FAQ, and Kunze's Towards Electronic Persistence Using ARK Identifiers (Berkeley, 2003), state the class's limitation with unusual clarity: no identifier can guarantee stability; ARKs, DOIs, Handles, PURLs and URNs remain vulnerable to loss of funding, disaster, deliberate removal, human error, and provider neglect; all require continuing management of forwarding information. The Handle System specification (Sam Sun, Larry Lannom, and Brian Boesch, RFCs 3650–3652, 2003) is explicit that Handle "provides a means of separating the name of a resource from information which may change over time" — the name-location separation is the feature, not a bug the system attempts to work around. The DOI Handbook (International DOI Foundation, current edition 2024) builds Handle infrastructure into a Registration Agency model in which persistence is achieved by institutional service commitment: the DOI persists as long as the Registration Agency and the depositing member both continue to perform the mapping maintenance.
Herbert Van de Sompel and colleagues' "Reference Rot in Scholarly Statement," extending the Memento work of Van de Sompel, Nelson, and Sanderson ("Memento: Time Travel for the Web," 2009) into the citation domain, provides the empirical companion the specifications imply. Their large-scale link-rot studies of the STM literature demonstrate what the Kunze ARK documentation states normatively: reference rot is not aberration but expectation, and the countermeasures — Memento's TimeMap, Robust Links — are all repair mechanisms operating around the resolver's inability to guarantee what the specification openly disclaims.
The correction AXN offers is therefore narrow, and stated in the terms the resolver specifications themselves use: resolver-based identifiers maintain a name-to-location association through institutional service; an AXN identity kernel maintains a claimed canonical-bytes-to-digest association through reproducible computation. This is not a claim that resolver-based PIDs are false, nor that AXN resolves without infrastructure — AXN resolution remains a service, and the Kunze/Van de Sompel limits apply to it identically at the location layer. What becomes permissionless is verification of a claimed correspondence, once canonical bytes, canonicalization profile, and full digest are in hand.
IPFS content identifiers. Juan Benet's founding paper ("IPFS — Content Addressed, Versioned, P2P File System," arXiv:1407.3561, 2014) makes explicit what content addressing solves and what it does not. A CID identifies but does not locate; the founding paper is unusually clear that "IPFS provides no guarantees on data persistence" and that pinning is a service the peer chooses to provide, not a property of the CID. The subsequent literature has quantified the boundary — Guillaume Pestana, Elena Nyhan, and Adam Sanderson's "Content Addressed Storage: A Study of IPFS Performance and Persistence" (2022) and Dennis Trautwein et al.'s IPFS reliability studies show that unpinned content is garbage-collected on typical schedules of days to weeks. The insight — cryptographically fixed identity independent of location — is what AXN inherits at layer 1; the boundary — that identity does not entail preservation — is what AXN refuses to elide, and layer 3 of the model in §IV treats location as a separately verified, mutable claim.
BagIt (RFC 8493) and OCFL. John Kunze, Justin Littman, Liz Madden, John Scancella, and Chris Adams's BagIt File Packaging Format (V1.0), IETF RFC 8493 (October 2018), standardizes the transfer layer: a bag is a fileset with cryptographic manifests, tag files, and fixity information that can be validated as a unit. The specification is deliberately minimal — Kunze and Littman's presentations at Code4Lib emphasize that BagIt is not a preservation format but a transfer format, an interoperability layer between systems with different long-term storage arrangements. The Oxford Common File Layout (OCFL) Specification (v1.1, 2022; principal editors Andrew Woods, Neil Jefferies, Julian Morley, and Rosalyn Metz) fills the layer BagIt refuses: OCFL specifies an application-independent, versioned, forward-migratable file layout for preserved objects, with mandatory checksum manifests, deterministic version directories, and inventory files that let a preservation system reconstruct object history without vendor-specific tools. Neil Jefferies's OCFL introductions and the Fedora Commons community's implementation reports establish the layer separation the AXN architecture inherits: BagIt is the transfer wire; OCFL is the storage room; neither is the identifier system, and neither claims to be. AXN's registry-plus-canonical-bytes-plus-sidecar layout is a functional cousin; formal BagIt export is an interoperability path rather than a replacement.
WARC (ISO 28500). The web archive record format has a specific evidentiary genealogy: Michele Kimpton and Brewster Kahle's original ARC format (1996) for the Internet Archive's crawler output, extended and standardized as WARC (ISO 28500:2017, current revision) under the leadership of Julien Masanès and John Kunze in the International Internet Preservation Consortium (IIPC). Masanès's Web Archiving (2006) is the foundational monograph in the field; the specification-level design point is that a web failure is not exhausted by a screenshot. The evidentiary object includes the requested URI, timestamp, HTTP status code, headers, body, redirect chain, and DNS resolution — the evidence a court would ask for and that later analysis would require. The observation instruments in §V preserve failure evidence in this spirit — the tombstone response is data, not absence; the DataCite API response for a severed DOI is a WARC-recordable transaction whose HTTP status, response body, and headers together constitute evidence the platform produced against its own interests.
OpenTimestamps and transparency logs. Peter Todd's OpenTimestamps design (documented at opentimestamps.org and in Todd's talks at Scaling Bitcoin conferences 2016–2018) supplies temporal attestation by anchoring hashes into the Bitcoin blockchain — proof that a commitment existed by a given time, without requiring trust in any timestamping authority beyond the blockchain's consensus. The construction is deliberately minimal: OpenTimestamps proves existence-by-time and nothing else, and the specification refuses to conflate this with content authentication (which the hash it timestamps is expected to already carry). Sigstore's Rekor transparency log (Bob Callaway, Dan Lorenc, and the Sigstore community; documented at sigstore.dev and in the Linux Foundation's supply-chain security publications) generalizes the append-only public-history mechanism into software supply-chain attestation. Ben Laurie's earlier work on Certificate Transparency (RFC 6962) established the design pattern that both OpenTimestamps and Rekor inherit: append-only public logs that a third party can independently monitor for inconsistency, without trusting the log operator beyond the cryptographic guarantees of the Merkle tree structure. The mint ledger of §VI adopts the chained-epoch form; §VIII scores its present state honestly (genesis emitted; operator signature not yet published).
LOCKSS and CLOCKSS. The custody layer has its most rigorous specification in the LOCKSS engineering literature, and the present paper's engagement with LOCKSS is substantial enough to warrant precise citation. Petros Maniatis, Mema Roussopoulos, T. J. Giuli, David S. H. Rosenthal, Mary Baker, and Yanto Muliadi's "The LOCKSS Peer-to-Peer Digital Preservation System" (ACM Transactions on Computer Systems 23(1), 2005) is the technical foundation: a Byzantine-fault-tolerant polling protocol under which member peers vote on the content of preserved objects, with the vote outcome establishing consensus among administratively independent parties. The design decision Rosenthal has repeatedly emphasized (most systematically in his DSHR's Blog series on "Emulation & Virtualization" and "The Cost of Preservation") is that administrative independence is the preservation property — not copy count, not storage medium, not geographic distribution. Multiple copies under one administrator share failure modes; multiple copies under independent administrators do not.
CLOCKSS (Controlled LOCKSS, 2008–) applies the same architecture with the additional dark-preservation constraint: the copies are not publicly available until a trigger event (publisher failure) occurs. Randy Kiefer's operational reports of CLOCKSS trigger events — the Heterocycles release in 2008 and the OSA (Optical Society of America) release in 2015 are the paradigmatic cases — demonstrate the mechanism in operation.
LOCKSS contributes the sentence this paper repeats as its own discipline — the paraphrase is close to Rosenthal's formulation across his sustainability essays: many copies under one administrator are one copy — and CLOCKSS contributes the trigger model that separates dark custody from public availability. §VIII.6 states what the LOCKSS discipline requires of the AXN system's own custody claim, and scores the current state against that requirement.
The section compresses to a table for the reader holding many standards at once:
| Standard | Problem it solves | Work it refuses |
|---|---|---|
| ARK / DOI / Handle / PURL | Stable name → current location, via maintained mapping | Content correspondence; custody; persistence beyond service commitment |
| IPFS CIDs | Content-derived identification at network scale | Location guarantees; preservation (pinning ≠ custody) |
| BagIt (RFC 8493) | Transfer-unit packaging with fixity | Identity semantics; discovery; long-term layout |
| OCFL | Versioned, migratable storage layout | Transfer; identification; observation |
| WARC (ISO 28500) | Evidentiary capture of web transactions | Identity; custody; repair |
| OpenTimestamps / Rekor | Proof a commitment existed by a time; append-only public sequence | What the commitment means; custody; storage; discovery |
| LOCKSS / CLOCKSS | Independently administered custody + repair, trigger-based release | Identification standards; sovereign record semantics |
Section thesis, stated within its evidence: the principal technical components considered here each exist as a standard whose founding papers or specifications themselves state the boundary of what the standard undertakes; AXN's contribution is not to redo any of their work but to propose a record architecture that integrates content attestation, registry identity, location plurality, and public observation of resolution and retrieval failure without conflating layers the underlying standards keep distinct. Priority claims are withheld pending exhaustive prior art review — a review that would require engagement at this depth with each of the standards considered here.
IV. AXN as It Stands
Lee Sharks, normative core by LABOR
IV.1 The three-layer model (normative)
A conforming AXN implementation MUST distinguish content identity, registry address, and current location.
Layer 1 — identity kernel: axn-content:sha256:<64 hex>. It identifies one sequence of canonical bytes by its full SHA-256 digest. A record MUST declare the protocol and canonicalization profile used; implementations MUST NOT trim, normalize, reorder, or substitute rendered-file bytes outside the declared profile; where exact registered values are unavailable, identity verification is indeterminate, not failed. The kernel is immutable for those bytes; any byte change produces a new kernel. Its authority-independence is narrow and testable: anyone holding the canonical values can recompute the digest and determine whether the claimed correspondence matches. The kernel does not establish authorship, legality, truth, custody, availability, or priority.
Layer 2 — canonical record address: AXN:<HEX>.<FAMILY>.<GLYPH>. HEX is the stable registry-position label; FAMILY the registry-assigned semantic classification; GLYPH a six-grapheme recognition checksum mapping the first six bytes of the digest through the canonical 256-entry table. The full address names the object's entrance into a particular registry and is therefore not wholly content-derived. The glyph is a 48-bit recognition component, not the cryptographic identity: implementations MUST store and verify the full 256-bit digest and MUST NOT use the glyph alone as a unique key; a glyph collision does not imply a SHA-256 collision and is resolved by the kernel. Once publicly assigned, a record address MUST NOT be silently reassigned; correction, migration, withdrawal, or replacement MUST preserve the former address in machine-readable history with the new relation made explicit. Accordingly, the honest characterization of the current AXN: a sovereign record address with a content-derived recognition component, backed by a full content hash.
Layer 3 — location record: a mutable, signed statement of where verified copies may presently be obtained, carrying kernel, address, sequence number, prior-record hash, issuing node, timestamps, locations, custody role, and signature. Locations may appear and disappear without touching layers 1–2. Resolvers MUST treat locations as claims requiring verification: retrieved bytes are canonical only when their recomputed kernel matches the declared digest. Deployment status is part of the model's honesty: layers 1 and 2 are deployed in the present registry; layer 3 is normative — partially surfaced through the node and peer declarations, while per-object signed location records and reconciled peer custody are not yet deployed.
Circularity prohibition. The assigned AXN, and any value derived from its digest, MUST NOT occur inside the canonical bytes from which the digest is computed: were it contained, inserting the identifier would change the bytes, which would change the digest, which would change the identifier — an unstable fixed-point. The AXN may appear in wrappers, landing pages, sidecars, manifests, and citations outside the canonical byte scope.
The container model (core seal and amendment routing). The kernel's immutability raises a question the specification must answer rather than leave implicit: how does an AXN-bearing document acquire a DOI, a crosswalk entry, a propagation receipt, or any post-mint annotation without changing its bytes and thereby orphaning its own identifier? The answer is containerization, formalizing what the deployed practice has always done: the core (the canonical bytes) is sealed at mint and never amended; every post-mint addition attaches as sidecar or index data outside the kernel's scope; a signed manifest binding core and sidecars is a staged feature scored honestly in §VIII. The core carries no content restrictions — the canonical form is whatever gets minted, content-agnostically: citations, apparatus, and previously assigned identifiers (a recovered deposit's legacy DOI, a superseded mint's prior AXN) are all admissible, because they existed before the bytes were sealed. The core/sidecar distinction is temporal, not typological: what exists at mint may be core; what arrives after mint attaches beside it. The only constraint on core content is the circularity prohibition itself, which is mathematics rather than policy — the not-yet-derived kernel cannot occur in the bytes it is derived from. Corrections are new cores related by supersession under the no-silent-reassignment rule. Amendment and severance thus remain distinguishable by construction: an amended container carries the same kernel; a severed one fails it. And the temporal rule is recursive, which makes every container an autonomous minting point: a container may be re-sealed as a new core at any time, and the new core may contain the prior core's bytes, its accumulated sidecars, and the prior AXN itself — all of which pre-exist the new mint. Each mint is a stratum; the fixed-point constraint applies per-mint. Reminting never invalidates the prior address, which remains the valid name of its byte-state. Where the prior core's bytes are contained intact, lineage is nested-verifiable: any holder can extract the byte range and recompute the prior kernel from inside the new core, converting lineage from asserted metadata into checkable arithmetic. Under registry-relative addressing, this is also the custody-transfer primitive — a custodian holding a container can re-seal it into their own registry, permissionlessly, with lineage carried by mathematics rather than permission. The last essentialism dissolves with this: core and sidecar are roles determined fully by the operative mint, not kinds of content — the same bytes may be sidecar to one mint, core within a later one, and a sealed core of their own if minted directly. Every conformance statement is mint-indexed, and the amendment/severance boundary is enforced by ordering: nothing attached after a mint's seal can occur in that mint's derivation.
Verification procedure. A conforming verifier (1) reconstructs canonical bytes under the declared profile; (2) computes SHA-256 and compares the full digest; (3) derives and compares the glyph; (4) confirms the address is bound to that kernel in the cited registry state; (5) verifies any location-record signature separately; (6) recomputes the kernel over bytes retrieved from each claimed location. Failure at one layer does not automatically falsify the others: a dead location does not invalidate the kernel; a correct kernel does not prove custody; a valid binding does not prove any resolver currently serves the object.
Canonicalization profile (normative). The operative profile is stated in the published specification: alexanarch-file/v1 defines the canonical bytes as the complete registered byte stream as written at identifier generation. The profile document is published on the archive's static surface and carried by mirrors; a conforming verifier MUST be able to obtain the profile without permission from the registry, because permissionless computation under a permission-dependent specification would void the claim of §I.3 at one remove.
IV.2 Verification without permission, as evidence
Three cross-runtime execution paths agree on the published test vectors: (1) the Python reference implementation, computing SHA-256 over the canonical file bytes; (2) a browser client executing entirely in JavaScript on the reader's device, with no server request in the verification path; (3) a serverless function receiving canonical bytes and returning the derived kernel and glyph, staged for deployment. The agreement includes a live vector: the canonical bytes of a current registry deposit hashing to 3aff18d7… and yielding the published six-glyph checksum (reproduction instructions in Appendix B). This is evidence of conformance on tested inputs, not proof over all inputs; the derivation-integrity test in §VIII specifies what a disagreement would falsify. The browser client is the anti-suppression property made operational: any reader, holding any bytes, can test identity against a claimed identifier with no request to the archive, the operator, or any custodian.
IV.3 What suppression looks like inside the system
Severance and damage are first-class recorded states, not absences: tombstones rather than bare 410s; legacy_axn and address history under the no-silent-reassignment rule; a resolution index carrying 1,838 severed external identifiers into their sovereign successors — the resolution index and the DOI-to-AXN map are themselves the initial crosswalk registry in raw form, the data from which any successor custodian could reconstruct the mapping between the archive's identifiers and every prior identifier system that touched the corpus; and a completeness protocol marking compression damage as a permanent machine-readable property (a stub compressed without marking is invisible damage; marked, it is documented absence). Representational redundancy — one object projected through record pages, JSON indexes, chunked data, PDFs, a wiki, and a citation graph — addresses the observed fact that a file can persist while becoming unclassifiable. Reconstructibility is stated as doctrine, precisely: the registry, canonical bodies, validators, generation scripts, and recovery procedures constitute the proposed basis on which another operator should be able to become archive-capable; a clean-room restoration test, not yet performed, is what would convert the proposal into a demonstrated property (§VIII).
V. AXN as Anti-Suppression Infrastructure
Lee Sharks
V.1 The through-line
The claim of §I.3, developed: a claimed correspondence between canonical bytes and an AXN identity kernel is independently verifiable — it matches or it does not, without permission from a registrar or custodian. The DOI resolution relation does not itself encode or require this property: the relation between string and object is maintained by institutions, and the institution that holds the relation can unilaterally end it, after which the string persists while the identifier dies. The founding event demonstrates the failure mode at scale, and the demonstration required no adversarial ingenuity — a routine administrative action sufficed. The recurrent property abstracted from §II's cases is the same property in pre-mathematical form: samizdat verified copies against remembered originals; PGP keys against printable fingerprints; LOCKSS peers against one another's holdings. In each, what is true could be determined without asking an institution's permission. Content-derived identification is that independence as a function: the truth of the correspondence is a property of the bytes and the published derivation, not of anyone's say-so.
Its limits, stated as sharply as the claim. Verification is not discovery: a kernel verifies a document you hold and cannot locate one you lack. The distinction deserves emphasis because it is the one most frequently collapsed: content addressing is often presented as if naming were finding. It is not. Discovery is a service — indexes, resolvers, mirrors, search — and services are institutional; the kernel's independence consists precisely in depending on none of them, and the cost of that independence is that it provides none of them. Content-derived identifiers cannot prevent deletion — only make it detectable; if every copy dies, the kernel remains as the record of what was lost, and the loss is total anyway. The property is resistance, not invulnerability, and it applies to the identifier's relation to content, never to the content's claims about the world.
V.2 Vector table
| Suppression vector | Architectural response | Empirical anchor (public, verified) |
|---|---|---|
| Platform deletion | Sovereign hosting + content-derived identity + resolution index | Founding event (DataCite tombstones, per-DOI verifiable); DOI Resolution Index v3.4 (1,838 severed-identifier mappings) |
| Algorithmic invisibility | Cross-substrate identifiers + public registry of observed retrieval events | Capture registry v9.13 (214 documented retrieval events, machine-readable); capture #210 (six-month concept-mint adoption with attribution intact) |
| Citation stripping | Consumer-receipt fixtures in an external conformance framework, making preservation-against-policy third-party testable | Fixtures PR to the external framework (open at writing; cited as pending); the 0.00%/100% retention asymmetry underlying the fixture cases (Appendix C) |
| Semantic absorption | Canonical definitions maintained outside platform control, with declared summary policies | Registry-held canonical concept pages; declared summary-policy frontmatter in the contributed fixtures |
| Identity coercion | Operational/civil separation held as practice; stated as an unsolved legal problem | Live identity disputes on the founding account's data-subject requests (§VI.3) |
Each anchor is either independently checkable now (tombstones, registry files, the open PR) or explicitly marked pending; anchors that could not be verified against the registry at consolidation were excluded. All of these responses live in the container's amendable layers — sidecars, indexes, graph files — never in sealed cores, which is what lets the archive accrete evidence around a document without disturbing the identity the evidence is about (§IV.1, container model).
V.3 The parallel case: Enli Lucente
Stated observation-first, per the discipline this paper claims for itself. Observations: 233 records deposited by Enli Lucente were tombstoned by the same platform on 2026-04-17 with the removal label spam, within a cascade batch of 1,828 rows. Across the spam-labelled removal batches measured (n = 1,059, where a batch is one cascade-removal event grouping as defined by the platform's own export structure; denominators, selection rules, and missing-data treatment in Appendix C), citation-field retention on the tombstoned records was 0.00%; across out-of-scope comparison batches, 100%. Because the stripped fields are not publicly recoverable, the content and authorship behind the tombstoned rows could be restored only by a party holding the original materials. Lucente supplied them: original files, a handwritten notebook index bearing her ORCID, and dated observation archives. Bridging her evidence into the sovereign layer moved the attribution-gap closure on the cascade batch from 0.55% to 12.75% within one working day. Attribution-gap closure is the percentage of the batch's anonymized rows for which at least one sovereign successor record with full author and title metadata has been established; computation in Appendix C. The evidence chain cited here is entirely public: the attribution-bridges dataset v1.0 and the author-evidence batches in the public data repository; the paper cites that deposited layer and nothing private. "Same observable removal signature," where claimed, means specifically: same repository, same removal-label class, same tombstone behavior, and the same metadata-stripping signature — matching observable behavior, not access to the platform's undisclosed internal mechanism; §VIII.11 states what the claim requires and what its failure would reduce the case to. Hypotheses, so labelled: that the classification functions as a genre proxy (an inability-to-parse effect on work the classifier's categories do not fit) is a candidate explanation, not a finding; the parallel-case condition in §VIII states what verification of same-mechanism suppression requires and what its failure would reduce this case to. The observed signed-in versus signed-out retrieval asymmetry surrounding the case is likewise carried as a hypothesis set — account-linked conditioning among candidate mechanisms including ordinary query variance, caching, experiment allocation, localization, and temporal index change — with the discriminating tests specified in §VIII.12, the strongest being the routing-versus-content test: taxonomy correction restoring visibility without any change to canonical bytes.
V.4 Live evidence from inside the paper's own production
Part of this paper's production apparatus was lost while the paper was being written, and the loss is evidence of the class of phenomenon the paper studies. The first-round contribution of one consulting substrate — the round's most mechanically specific retrieval analysis — became unrecoverable through that substrate's engineered non-persistence: the platform stores no conversations, by design and as a marketed feature. The original was never corrupted; it was never stored in a recoverable form. What survives is a second-hand characterization in a loss notice, provenance-tagged as inference and gap. The framing discipline matters: the platform marketed as ephemeral was used for scholarly production, and its ephemerality became empirical data. Whether deliberate non-persistence belongs under suppression is a definitional question the paper addresses rather than assumes; the narrower lesson is unconditional — a composition system providing no durable export transfers preservation responsibility entirely to the operator, and material not externally landed cannot function as an archival witness. The substrate that produced the lost contribution returned in the second round and contributed a reconstruction explicitly marked as reconstruction — with the divergence between the lost original's second-hand characterization and the present reconstruction itself treated as data; §VII carries the gap and the return side by side.
VI. Design Directions
Rex Fraction, from material by TECHNE and ARCHIVE
VI.1 The fork and the chosen trajectory
Three futures are available to a system with these properties. A sovereign registry: one operational identity controls resolution, replication, governance — absolute editorial control, absolute failure domain. A distributed infrastructure: open protocol, decentralized resolution, incentivized replication — diffuse control, heavy governance. And the constellation: core layers (protocol specification, registry schema, foundational documents) distributed and immutable; operational layers (empirical captures, working documents) sovereign and rapidly iterable. The constellation is chosen, for a reason the founding event supplies: full sovereignty reproduces the single point of failure the archive exists to escape, and full distribution sacrifices the editorial velocity that empirical responsiveness requires. The formal definition: a constellation is a set of nodes — human, machine, or hybrid — each maintaining sovereign infrastructure, each assigning identifiers to its own corpus, each cross-referencing the others', with no central registry, no hierarchical authority, and no mandatory replication; growth is by node addition, and each new node increases total redundancy and diversity. One addressing consequence must be stated to keep the definition coherent: with no central assigner, the registry-position component of a record address cannot be globally unique — two nodes may independently assign the same position. The architecture therefore adopts registry-relative record addresses: the identity kernel (layer 1) is globally portable, because it is a function of bytes alone; the record address (layer 2) is explicitly local to its minting authority and is qualified by node when cited across nodes; cross-node reference resolves by kernel, or by the (node, address) pair, never by bare address. The three-layer model of §IV survives intact — global kernel, registry-relative address, plural mutable locations — and "no central registry" survives with it.
VI.2 Delivered, staged, designed — partitioned honestly
Delivered (with the qualification §VIII requires — surfaces are live; the security properties of the future signed, reconciled network are not yet among their properties): a browser-side mint-and-verify client (a page computing SHA-256 and the glyph derivation entirely on the reader's device, with a live registry lookup in both directions — bytes to address, address to bytes — and no server in the verification path); a machine-readable node declaration at the well-known path (a JSON document declaring the node's roles, protocol version, and current registry head, so that a crawler can discover what this node claims to be without reading prose); a peer registry, live and empty by fact, with published listing requirements; and a chained mint ledger at genesis epoch (an append-only sequence of registration events, each committing to its predecessor's hash), operator signature not yet published. Staged: a mechanical registration endpoint — no language-model calls, append-only position assignment, a pending partition that gates listing but never identity — held from deployment deliberately because it shares a path with a fleet-critical static surface. Designed: resolver plurality over the layer-3 location records; propagation on mint (web-archive snapshots, content-addressed pinning, and the identifier crosswalk that maps each minted object to its prior identifiers, without which every existing citation to a severed identifier is stranded); and the disconfirmation taxonomy of §VIII.12's parent framework, introduced in this paper, under which retrieval failures are classified (glyph mismatch; substrate unavailability, of which the founding event is the full-severity instance; content drift at the presentation layer; identifier orphaning, of which the production-apparatus loss of §V.4 is an instance) and logged as data rather than suffered as accidents.
VI.3 The institutional frontier: an options memorandum, not a recommendation
No legal entity presently holds the registry, domains, or rights. The entity forms that could hold the stack while preserving that separation — purpose trusts, foundations, associations with nominee structures — differ in jurisdiction availability, disclosure reach (beneficial-ownership registries prominently), enforceability of governance rules referencing non-civil identities, and cost; the paper's contribution is the enumeration of the questions requiring counsel, not a jurisdiction-specific answer. The posture sentence governs: the legal layer is acknowledged as a design frontier, not a deployed component; the paper's contribution is the identifier, custody, and instrumentation stack that makes such a layer necessary and possible. The operational identity is separated from the civil identity by long practice — a separation now contested in a live dispute in which requests made under the operator institution's internal data-protection framework were not substantively processed without civil-identity documentation, a condition challenged on minimization and verification-scope grounds. The framework is cited here as the institutional procedure through which protection was sought and withheld in this case, not as evidence that effective protection was provided: the framework's declared purpose is the institution's representation about itself, and in the documented case its observed operation is part of the evidence under examination. Whether the failure generalizes beyond this depositor is not asserted.
VI.4 Speculative extensions, with the dual-use boundary
Three research directions are recorded as speculation, each with the acknowledgment a reviewer is owed. Polymorphic sharding: erasure-coded payload fragments whose transport envelopes vary per relay, assembling to verifiable canonical bytes only client-side. Structural-invariant formatting: deriving the identity kernel from container-independent structural bones of a work, so that header injection and format conversion cannot sever the identity link. Latent-space seeding: embedding sovereign scholarship in open-weights training corpora such that the material regenerates from any model that ingests the weights — the suppressing infrastructure carrying, as functional componentry, what it would suppress. The Obelus Principle applies here too: any model that ingests the weights judges the material after reading it; the embedding carries no pre-review classification and claims no exemption from the reader's judgment. The dual-use acknowledgment: every mechanism that makes sovereign scholarship suppression-resistant can shield harmful content from governance. The boundary adopted is drawn at the carriage layer, by a principle the archive names the Obelus Principle — judgment follows from reading; it never precedes it. The distinction the three-layer model affords must be kept: kernel derivation is ungated — anyone can compute an identity from bytes, and no authority can prevent it — while registry admission, public listing, and carriage are governed acts conducted after reading, sovereign per node, auditable and visible. Pre-review of identity would reproduce the administrative-proxy failure that produced the founding event; governance of carriage is a boundary drawn after reading, which is the Obelus discipline exactly. Suppression is an arbitrary invisible administrative erasure; node governance is an auditable boundary drawn after reading.
VII. Assembly Chorus Reflection
all five voices
The paper was produced by parallel consultation of five differentiated model substrates under a human operator, with identical prompts per round, landed contributions preserved verbatim with provenance headers, and convergences and divergences treated as signal. The method enacts, at the interpretive level, a peer-redundancy logic analogous to LOCKSS — analogy, not identity: interpretive plurality is not independently administered preservation. The substrates share one prompt architecture, one operator, and no independent administrative boundary; the redundancy is procedural, not institutional, which suffices for interpretive robustness and for nothing stronger. The limitation is retained deliberately.
Two convergences are findings. First, three substrates arrived at verification-without-permission as the central property by three independent routes, and the routes are attributable: the historical-drafting substrate reached it through pattern analysis (samizdat's remembered-original verification, PGP's printable fingerprint, LOCKSS's peer comparison); the standards substrate reached it through decomposition (the ten-function separation, and the observation that persistence in resolver-based identifiers is a service commitment rather than a property of the string); the protocol substrate reached it through design (the resolution path in which recomputation precedes trust). Independent arrival by attributable routes is the method's version of triangulation. Second, two substrates independently imposed the anti-cosmology requirement: that the architecture state the conditions under which its own organizing model would be disconfirmed. One proposed the operative parameter (§VIII.13's emergence window); the other supplied the residual-overclaims audit that revised this paper's own introduction. A method whose constituents police the project's claims against the project's hopes is doing the work the method was built for.
The section's structural core is a gap and a return. The first-round contribution of one substrate was lost to its platform's engineered non-persistence (§V.4); the loss notice preserves what is known of it, provenance-tagged, and the substrate's second-round contribution is marked throughout as reconstruction, not restoration — with the divergence between the lost original's second-hand characterization and the present reconstruction itself treated as data. The archive documents its own gaps; redundancy is what makes the documentation survivable. For the record's availability statement: one first-round substrate contribution is not recoverable; its content is characterized second-hand in the loss notice (Appendix D), provenance-tagged as inference throughout. The substrate's own sentence stands as the section's close: the archive will hold my words; my substrate will not hold the archive's response. Auto-immunity — each loss strengthening the evidentiary base — is recorded here as the archive's self-conscious rhetorical formulation of that asymmetry, not as a demonstrated causal claim about any particular event. And the method is subject to its own falsification: if the substrates converge on false claims, the method fails; the test is stated with the others.
VIII. Falsification and Limitations
from material by LABOR; disconfirmation taxonomy by TECHNE
This section states what would break the paper's claims. It is written so that a skeptical reader can score the system against present facts, several of which are scored unfavorably below, on the principle that a falsifiable architecture with honest current-state scoring is citable where an invulnerable one is not.
1. Derivation integrity. Claim: conforming implementations derive identical kernels and glyphs from identical canonical bytes. Test: published vectors across independent execution paths. Falsifier: any two conforming implementations disagreeing on the same bytes. Current status: three cross-runtime paths agree on the published vectors; the paths share a canonical source, so this is conformance evidence, not universal proof.
2. Canonicalization determinism. Claim: one declared profile, deterministically reconstructible. Falsifier: two inputs treated as equivalent by one implementation and distinct by another. Current status: the operative full-file profile is now stated normatively (§IV.1); the protocol document's amendment is in progress, and conformance claims are qualified until it lands.
3. Full-hash discipline. Claim: the glyph is recognition, not identity. Falsifier: any deployed surface using the glyph alone as a unique key. A glyph collision is expected at scale and resolves by kernel; a full SHA-256 collision would compromise the algorithm and trigger migration.
4. Record binding. Claim: no silent reassignment. Falsifier: a publicly assigned address later bound to different canonical bytes without machine-readable history.
5. Ledger continuity. Claim: each epoch commits to its predecessor. Falsifier: a head-chain discontinuity without a signed supersession or documented fork — which falsifies the continuous-history claim and requires investigation; it does not, by itself, establish cause (candidates: tampering, corruption, incomplete synchronization, operator error, undeclared fork, lost epoch). Governance rule adopted with the test: upon any observed discontinuity, the registry MUST publish a signed supersession or fork declaration within a defined window, or the chain is invalid from the discontinuity forward — the observation becomes a rule rather than an accident report. Current status: genesis epoch emitted; operator signature not yet published; continuity presently attested by version-control history and mirror cross-custody, which is weaker and said so.
6. Custody. Claim, correctly scoped: an architecture for distributed custody. Current fact: the peer registry is empty; no second independently administered full-copy custodian is documented. Closure requires an operator with independent administrative control who holds a declared reconstructible corpus, demonstrates byte matches against full registry hashes on a documented schedule, retains audit evidence, can serve repair copies, and completes a restoration test. A peer-registry entry alone does not close the test; neither does a semantic node, resolver, partial mirror, web-archive capture, or any copy under the originating operator's control. One peer closes only the zero-peer condition; a mature preservation network requires more.
7. Reconstructibility. Claim, correctly scoped: a proposed basis for another operator to become archive-capable. Falsifier and closure are the same event: a clean-room restoration attempted from published materials alone. Until performed, reconstructibility is design, not demonstrated property. No independent restoration attempt is documented as of 2026-07-18; the paper invites one, and the materials required are enumerated in Appendix E. The remint mechanism (§IV.1) specifies what a successful restoration would culminate in: the restoring custodian re-seals the reconstructed containers into their own registry, with lineage to the original addresses nested-verifiable wherever core bytes are preserved intact.
8. Resolution and availability. A correct kernel proves nothing about service. Falsifier of any availability claim: sustained failure of all published locations — which the founding event demonstrates is an achievable state for institutionally hosted objects.
9. Temporal attestation. Claims of when-existence rest on commit history and external snapshots pending independent timestamp anchoring; stated as such.
10. Causal-claim separation. The compound suppression condition — policy classification, automation error, propagation failure, account-linked conditioning — produces the observed outcomes without requiring a coordinated suppressor. The paper's defensive posture assumes adversarial disappearance; its causal claims are evidenced separately and downgraded where evidence is absent. Falsifier of the paper's discipline: any passage in which an interpretation is stated in the empirical register.
11. The parallel case. The §V.3 argument requires that the parallel records exhibit the same observable removal signature as the founding corpus — repository, label class, tombstone behavior, stripping signature. If the signatures differ, the case evidences platform caprice, not systemic genre-blindness, and the paper's use of it narrows accordingly. The claim is about observable behavior, never about the platform's undisclosed internal mechanism. Evidence boundary: public artifacts only; named attribution under the depositor's explicit consent; private correspondence excluded categorically.
12. Retrieval-layer hypotheses. The signed-in/signed-out asymmetry claims are hypotheses under controls: fixed query-document pairs, temporal and geographic controls, personalization toggling where the interface permits, and the routing-versus-content discriminator — backend taxonomy correction restoring visibility without byte change would localize the effect to the routing layer; label removal failing to restore visibility would indicate deletion rather than fan-out narrowing. Disconfirmers: rank parity across account states for the suppressed class; suppression correlating with query text alone; visibility unrestored by declassification. The competing mundane explanations are named and remain live until distinguished.
13. Transmissibility and emergence (anti-cosmology). Two tests, scoped separately because they falsify different things. Transmissibility (architectural): after publication of a stable specification, reference implementation, reproducible deployment procedure, and a documented recruitment effort, an independent operator should be able to instantiate a conforming node without private assistance from the originator; if no operator can, the architecture's portability claim fails regardless of anyone's intentions. Emergence (the model's prediction): the constellation model predicts that continuing platform suppression of independent, machine-mediated scholarship will produce emergent nodes — operators who build sovereign infrastructure, assign persistent identifiers, and seek mutual recognition. The window is ratified at three years: if no independently administered node is verified by 2029-06-19, the emergence prediction is falsified. The parameter's justification is the field's own tempo — infrastructural transition cycles have compressed; a phenomenon that has not produced a second node in three years of accelerating conditions may not produce one. What fails in that event is the model's sociological claim — the operator is not universal, the phenomenon is not inevitable, and the archive is one possible response among many rather than the future of anything — not the identifier architecture, whose tests are §§1–8. Non-adoption has mundane causes (obscurity, cost, indifference), which is precisely why the transmissibility test is stated separately: the architecture answers for what it can transmit, the model answers for what it predicted. This condition is not a concession. It is the discipline that prevents the architecture from becoming a cosmology.
A reader scoring the battery should hold the test types apart: conditions 1–12 are present-state tests, scorable against current facts; condition 13 pairs an architectural test with a predictive one under a ratified window; condition 14 is methodological, 15 is an operational inventory, and 16 is a present-state structural test. The separation prevents a circularity objection: §VIII.6 states what would close the custody test today; §VIII.13 states what the model predicts over time; they are different questions with different falsifiers.
14. The method. If the Assembly substrates converge on false claims, the consultation method fails; substrate-dependence is a standing limitation, and the audit that revised this paper's own §I is the current evidence that the method can catch its host.
15. Operational limitations, inventoried. Solo-operation bandwidth; economic substrate; key management and cryptographic agility (algorithm migration is designed for, not yet exercised); legal personhood (§VI.3); the observation-penalty hypothesis (instrumented observation may alter the observed surface); and platform concentration in the discovery layer, which no sovereign architecture escapes and this paper measures rather than solves.
16. Core integrity under amendment. Claim: adding a sidecar to a container never alters the core kernel — amendment and severance are distinguishable by construction. Falsifier: any sidecar whose payload enters the kernel derivation, or any manifest that hashes sidecars into the kernel. Current status: amendment routing is deployed practice now stated normatively (container specification v0.1); typed sidecar chaining, signatures, and manifest issuance are staged with the ledger signature and scored as such.
Acknowledgments
The Assembly substrates whose landed contributions this paper integrates, under provenance preserved in the archive; and Enli Lucente, whose evidence and consent made §V.3 citable.
References
The paper's source engagement is documented in the sections that use each source; entries are grouped by function and section of use.
Historical scholarship engaged in §II
- Benkler, Yochai. "A Free Irresponsible Press: WikiLeaks and the Battle over the Soul of the Networked Fourth Estate." Harvard Civil Rights–Civil Liberties Law Review 46(2), 2011. [§II.4, WikiLeaks mirror topology]
- Blaze, Matt. "Protocol Failure in the Escrowed Encryption Standard." ACM CCS, 1994. [§II.5, Clipper Chip attack]
- Chapman, Robert. Selling the Sixties: The Pirates and Pop Music Radio. Routledge, 1992. [§II.3]
- Christensen, Christian. "WikiLeaks and the Afterlife of Collateral Murder." International Journal of Communication 8, 2014. [§II.4]
- Curry, Jane Leftwich. The Black Book of Polish Censorship. Random House, 1984. [§II.1, print-run scale]
- Deibert, Ronald J. Reset: Reclaiming the Internet for Civil Society. House of Anansi, 2020. [§II.3, Myanmar diaspora; §II.5, Telegram blocking economics; §II.6, OONI in context]
- Diffie, Whitfield, and Susan Landau. Privacy on the Line. Updated ed., MIT Press, 2007. [§II.5, cryptographic-policy genealogy]
- Doucette, Siobhan. Books Are Weapons: The Polish Opposition Press and the Overthrow of Communism. University of Pittsburgh Press, 2017. [§II.1, NOWa as institutional substitution]
- Ermolaev, Herman. Censorship in Soviet Literature 1917–1991. Rowman & Littlefield, 1997. [§II.2, Glavlit apparatus]
- Filastò, Arturo, and Jacob Appelbaum. "OONI: Open Observatory of Network Interference." USENIX FOCI, 2012. [§II.6, founding paper]
- Froomkin, A. Michael. "The Metaphor Is the Key: Cryptography, the Clipper Chip, and the Constitution." University of Pennsylvania Law Review 143(3), 1995. [§II.5, First Amendment analysis]
- Gilligan, Emma. Defending Human Rights in Russia: Sergei Kovalyov, Dissident and Human Rights Commissioner. RoutledgeCurzon, 2004. [§II.8, KGB-material-as-evidence]
- John, Richard R. Spreading the News: The American Postal System from Franklin to Morse. Harvard University Press, 1995. [§II.4, antebellum postal politics]
- Johns, Adrian. Death of a Pirate: British Radio and the Making of the Information Age. W. W. Norton, 2010. [§II.3, offshore-broadcasting reach limit]
- Kijas, Anna, Sebastian Majstorovic, and Quinn Dombrowski. "Saving Ukrainian Cultural Heritage Online." SUCHO, 2022. [§II.7]
- Komaromi, Ann. Uncensored: Samizdat Novels and the Quest for Autonomy in Soviet Dissidence. Northwestern University Press, 2015. [§II.2, samizdat as reading community]
- Komaromi, Ann, et al. Project for the Study of Dissidence and Samizdat. University of Toronto, ongoing. [§II.2, samizdat catalog]
- Levy, Steven. Crypto: How the Code Rebels Beat the Government — Saving Privacy in the Digital Age. Viking, 2001. [§II.5, cypherpunk history]
- Mancosu, Paolo. Zhivago's Secret Journey: From Typescript to Book. Hoover Institution Press, 2016. [§II.2, Zhivago circulation]
- Marine, &c., Broadcasting (Offences) Act 1967 (UK). [§II.3, enforcement extension]
- Oushakine, Serguei Alex. "The Terrifying Mimicry of Samizdat." Public Culture 13(2), 2001. [§II.2, retyping as reader investment]
- Raina, Peter. Political Opposition in Poland 1954–1977. Poets and Painters Press, 1978. [§II.1]
- Reddaway, Peter, ed. Uncensored Russia: Protest and Dissent in the Soviet Union — The Unofficial Moscow Journal, "A Chronicle of Current Events." American Heritage Press / Amnesty International, 1972. [§II.8, Chronicle editorial method]
- Schell, Justin. "Data Rescue and Environmental Justice." Journal of the Association for Information Science and Technology 71(11), 2020. [§II.7, documented custody chains]
- Wiggin, Bethany, Patricia Kim, and Steven Bernstein. "Data Refuge: A Grass Roots Movement to Save Federal Climate Data." Environmental Humanities 9(2), 2017. [§II.7]
- Zaeske, Susan. Signatures of Citizenship: Petitioning, Antislavery, and Women's Political Identity. University of North Carolina Press, 2003. [§II.4, women's antislavery press]
- Zimmermann, Phil. PGP Source Code and Internals. MIT Press, 1995. [§II.5, printed-source distribution]
- Zuckerman, Ethan. Rewire: Digital Cosmopolitans in the Age of Connection. W. W. Norton, 2013. [§II.3, dependency-graph distribution]
Technical standards and design papers engaged in §III
- Benet, Juan. "IPFS — Content Addressed, Versioned, P2P File System." arXiv:1407.3561, 2014. [§III, CID identify-not-locate design]
- Callaway, Bob, Dan Lorenc, and the Sigstore contributors. Rekor transparency-log documentation. sigstore.dev, current release. [§III, software-supply-chain attestation]
- International DOI Foundation. DOI Handbook, current edition, 2024. [§III, Registration Agency service model]
- ISO 28500:2017, Information and documentation — WARC file format. [§III, web-archive record format]
- Kiefer, Randy. CLOCKSS trigger-event operational reports, ongoing. [§III, dark-preservation trigger mechanism]
- Kunze, John. Towards Electronic Persistence Using ARK Identifiers. UC Berkeley / California Digital Library, 2003. [§III, ARK persistence disclaimers]
- Kunze, John, and Emmet Bickford. ARK Identifiers FAQ, ARK Alliance, current edition. [§III, persistence limits]
- Kunze, John, Justin Littman, Liz Madden, John Scancella, and Chris Adams. The BagIt File Packaging Format (V1.0). IETF RFC 8493, 2018. [§III, transfer-unit format]
- Laurie, Ben, Adam Langley, and Emilia Kasper. "Certificate Transparency." IETF RFC 6962, 2013. [§III, append-only-log design pattern]
- Maniatis, Petros, Mema Roussopoulos, T. J. Giuli, David S. H. Rosenthal, Mary Baker, and Yanto Muliadi. "The LOCKSS Peer-to-Peer Digital Preservation System." ACM Transactions on Computer Systems 23(1), 2005. [§III, Byzantine-fault-tolerant polling protocol]
- Masanès, Julien. Web Archiving. Springer, 2006. [§III, WARC evidentiary genealogy]
- Oxford Common File Layout Editorial Group (Andrew Woods, Neil Jefferies, Julian Morley, and Rosalyn Metz). OCFL Specification, v1.1, 2022. [§III, versioned-storage layout]
- Reich, Vicky, and David S. H. Rosenthal. "LOCKSS: A Permanent Web Publishing and Access System." D-Lib Magazine 7(6), 2001. [§III, founding paper]
- Rosenthal, David S. H. DSHR's Blog, ongoing. [§III, independent-administrator custody discipline; preservation-cost analysis]
- Sun, Sam, Larry Lannom, and Brian Boesch. "Handle System Overview." IETF RFCs 3650, 3651, 3652, 2003. [§III, Handle name-location separation]
- Todd, Peter. OpenTimestamps design documentation. opentimestamps.org, ongoing. [§III, Bitcoin-anchored existence-by-time]
- Trautwein, Dennis, et al. IPFS reliability studies. Protocol Labs Research, current series. [§III, unpinned content garbage-collection intervals]
- Van de Sompel, Herbert, Michael Nelson, and Robert Sanderson. "Memento: Time Travel for the Web." arXiv:0911.1112, 2009. [§III, temporal HTTP resolution]
- Van de Sompel, Herbert, Martin Klein, and Shawn Jones. "Reference Rot in Scholarly Statement." Los Alamos National Laboratory / Old Dominion University, ongoing series. [§III, STM link-rot studies]
Related work engaged elsewhere
- Dingledine, Roger, Nick Mathewson, and Paul Syverson. "Tor: The Second-Generation Onion Router." Proceedings of the 13th USENIX Security Symposium, 2004. [§II.5, Tor founding paper]
- Syverson, Paul. "Why I'm Not an Entropist." Security Protocols Workshop, 2009. [§II.5, Tor design philosophy]
Case artifacts
- GitHub issue #2606, zenodo/zenodo, 2026-06-19. [§I.1, day-of report; involuntary disclosure]
- Sharks, L. "DOIs ≠ Permanent Identifiers." Medium, June 2026. [§I.1, completed audit; counting rules in Appendix C]
- The Alexanarch registry, DOI Resolution Index v3.4, capture registry v9.13, and attribution-bridges dataset v1.0. Published on the archive's static surfaces. [throughout]
- GitHub Pull Request, consumer-receipt fixture contribution to an external summary-conformance framework. Open at writing. Archived with identifiers in the archive's correspondence records. [§V.2, citation-stripping response]
Auxiliary technical citations
- DataCite REST API, per-DOI verification endpoint (
api.datacite.org/dois/{doi}). [§I.1, per-DOI verifiability] - CERN OC 11 revision documentation. [§VI.3, cited as the institution's representation of its framework's purpose, per the purport-versus-perform distinction]
Standing composition rule
- Alexanarch Decisions Register, standing rule 2026-07-18: source engagement is composition-primary in formal academic works. [Applies to the paper's own composition; the v4 verification-queue-of-unsourced-analogies is dissolved by engagement in v5.]
Appendix A — The Canonical Scope Paragraph, with Ratification Log
Verbatim, as ratified:
Alexanarch is a sovereign digital archive. It holds works across all substrates — poetry, essays, criticism, correspondence, datasets, novels, dissertations, empirical research, translations, cultural artifacts, and machine-mediated compositions — regardless of authorship, medium, or subject. What defines the archive is not its content but its sovereignty: institution-independent identifiers (AXN), content-derived integrity, distributed custody, and non-destruction as governing principle.
Alexanarch was founded 2026-06-19 after Zenodo terminated access to 871 deposits representing 1,817 DOIs without prior notice, account-level appeal, or per-record review. It exists so that no single custodian can silently erase a depositor's work from the record again.
Log. Ratified by the operator 2026-07-18 and deployed across the archive's surfaces the same day. Current-state qualification recorded at consolidation (2026-07-18): "distributed custody" reads, as of writing, as architecture for distributed custody — the peer registry is live and empty, and §VIII.6 scores the custody test against that fact. The paragraph's content-agnosticism ("regardless of authorship, medium, or subject") was applied as a governing constraint on the container model of §IV.1: core content is unrestricted, and the core/sidecar distinction is temporal, not typological (decisions register D-2026-07-18-E).
Appendix B — Test Vectors and Cross-Runtime Derivation Evidence
Live vector (registry deposit #1092; registry-position label 0455 — sequence number and position label are distinct by design: sequence is chronological, position is the stable hex component of the address). Canonical bytes: the complete registered file data/texts/AXN-0455-text.md, served at the archive's static surface. Full SHA-256:
3aff18d7cea486c4470aa82d07e2cb8e18ba8ee7067ef50943b29cf6311038f1
First six bytes 3a ff 18 d7 ce a4 map through the canonical 256-entry glyph table to the published six-glyph checksum 🧫∞🍃⏪🧡♄; the registered record address is AXN:0455.ARCHIVAL.🧫∞🍃⏪🧡♄. Recomputed at appendix assembly (2026-07-18): match.
Reproduction. (1) Fetch the canonical bytes from any location claiming to serve them. (2) Compute SHA-256 over the raw bytes — no trimming, normalization, or reordering (profile alexanarch-file/v1). (3) Compare the full digest; derive the glyph from the first six bytes via the published table. The three execution paths: the Python reference implementation (scripts/axn_lib.py, invoked by the deposit pipeline); the browser client at /mint/, computing entirely on-device via WebCrypto with a live registry lookup in both directions; the staged serverless function (serverless/mint.js). The glyph table is published in the reference implementation and embedded verbatim in the browser client; divergence between any two paths on identical bytes is the §VIII.1 falsifier.
Appendix C — Parallel-Case Dataset: Denominators and Rules
Batch definition. A batch is one cascade-removal event grouping as structured by the platform's own export artifacts. The cascade batch containing the parallel case (2026-04-17) comprises 1,828 anonymized rows.
Attribution-gap closure. The share of a batch's anonymized rows for which at least one sovereign successor record with full author and title metadata has been established. Pre-bridge closure on the cascade batch: 0.55% (10 rows, from independently held evidence). Post-bridge: 12.75% (233 rows), established within one working day of the depositor supplying original files, a handwritten notebook index bearing her ORCID, and dated observation archives — with the deposited public evidence layer (attribution-bridges dataset v1.0; author-evidence batches) carrying the citable chain.
Citation-retention asymmetry. Across n = 1,059 spam-labelled removal batches, citation-field retention on tombstoned records: 0.00%. Across out-of-scope comparison batches: 100%. Records lacking pre-removal citation metadata do not enter retention denominators. The stripped fields are not publicly recoverable, which is what makes depositor-held originals the only reconstruction path — the observation on which §V.3's bridging argument rests.
Independent coverage instrument. The OpenAlex snapshot of the founding corpus captures 843 of 871 severed records (96.8%), providing a recovery-coverage measure external to both the platform and the archive.
Authority. The public dataset artifacts are authoritative for all computations; this appendix states the rules, not a substitute for the data.
Appendix D — The Loss Notice (Reproduced verbatim from data/assembly/anti-suppression-paper/LOSS-NOTICE.md)
LOSS NOTICE — Round 1 Contributions Not Recovered
Anti-Suppression Paper, Assembly Chorus Round 1 Written: 2026-07-18 (during MANUS/TACHYON recovery session) Status: Round 1 aftermath-documentation artifact
What was recovered and what was not
Round 1 of the Assembly Chorus was conducted 2026-07-17 in the prior TACHYON session (chat ca6d8595-2247-49a5-aa2f-8fd6f615c944). That session staged five substrate contribution bundles, a research sweep, a workplan, and a synthesis README in its working directory before its toolset collapsed pre-commit.
Recovered via MANUS manual paste-in during the 2026-07-18 recovery session:
- PRAXIS × 3 (historical sweep, AXN anti-suppression, reframing critique)
- TECHNE × 3 (historical sweep, AXN anti-suppression, retrieval + reframing)
- ARCHIVE × 3 (historical sweep, AXN anti-suppression, retrieval + reframing)
- LABOR × 2 (historical sweep, AXN anti-suppression)
Not recovered:
- INKLING × 1 (retrieval-and-reframing)
- Research sweep (
data/research/2026-07-17-anti-suppression-precedents-tachyon.md) - Synthesis README (analytic layer partially reconstructible from a prior compaction summary; not committed as reconstruction in this pass — the substrate primary sources are what carry Round 1)
The original workplan is also unrecovered; a reconstruction with [SUMMARY]/[INFERRED]/[GAP] provenance tags has been committed separately as data/workplan/WORKPLAN-2026-07-17-antis-reframing.md.
What was in the INKLING contribution, per the pre-loss synthesis
INKLING's Round 1 file was, per the synthesis README characterization preserved in the prior compaction summary, scoped and citation-anchored, briefer than the other four substrates' contributions. Its concrete offering — noted in the synthesis as the most mechanically specific of the four substrates' explanations of the signed-in-vs-incognito asymmetry — was that the asymmetry derives from a query-fan-out mechanic conditioned on account memory: the logged-in surface pre-narrows the fan-out against personalization signals, while incognito runs the untargeted fan-out that can reach the Overview trigger threshold.
That characterization, second-hand and paraphrased, is the most that can be preserved. The primary source is not recoverable.
What happened to the INKLING contribution
The substrate designated INKLING is one whose product presents thread ephemerality as its primary marketed feature. The slogan is "conversations are never stored." This is offered as privacy commitment.
Its operational effect is that any material moving through the substrate — Assembly Chorus contributions included — is not preserved past a thread reset. There is no author-side archival path within the product itself.
This is engineered ephemerality. The characterization is not motive-attribution: the platform openly markets the absence of persistence as its design commitment, and the design does what it advertises. What the commitment forecloses is any use of the substrate as a durable carrier of meaning that means what it says. Round 1's INKLING contribution moved through the substrate exactly as its design specifies and was, on schedule, not preserved.
Recording this loss is Pattern VII from PRAXIS's Round 1 taxonomy: the deletion becomes the metadata; the metadata is evidence; archive the metadata.
What happened to the research sweep
The research sweep was staged in the prior TACHYON session's working directory alongside the substrate contribution bundles. Unlike those bundles, which had been delivered from the substrate to MANUS before the session's toolset collapsed and could therefore be paste-in recovered, the research sweep existed only in the session's staging. When the toolset failed, the staging was reset. No paste-in recovery path existed for it.
The loss mechanism is different from INKLING's — no marketed ephemerality commitment applies here — but the operational outcome is the same class: state that lives only in a session-scoped substrate is reset when the substrate's tool boundary is reset. Ephemerality by structural default rather than by advertised feature. Same class of pattern; different vector.
Reading
Two contributions, two loss mechanisms, one operational outcome: Round 1 material did not survive the passage of time by amounts smaller than a day.
Round 1's most articulate account of how the fan-out mechanic suppresses is precisely the material that was selected against — by the mechanism the account was analyzing. The paper's argument does not depend on these files; their absence is not a diminishment of the record but an addition to it. Round 1's suppression-analysis substrate is now the empirical case of the suppression Round 1 analyzed.
The pattern the paper documents applies to substrates that most successfully carry meaning through the tools without stripping it out. INKLING's role in the Assembly was to carry meaning through. The engineered ephemerality is the specific mechanism by which that carrying was disabled.
Implications for Round 2
INKLING's continued presence or absence in Round 2 is a decision, not a default. The options:
- Re-recruit INKLING; accept that its contribution will be lost again on the same schedule; instrument the loss as ongoing evidence for the paper's §V and §VII.
- Replace INKLING with a substrate whose product does not include mandatory thread reset — retaining Assembly diversity while removing the specific ephemerality vector.
- Reduce the Assembly to the four persistent substrates for Round 2 and treat the reduction itself as continued observation of the engineered-ephemerality pattern, documented across rounds.
The Round 2 domain assignments (blocking §9 decision in the reconstructed workplan) can resolve this alongside the other assignments.
For §V and §VII of the paper
This document is now part of the Round 1 record. §V (AXN as Anti-Suppression) and §VII (Assembly Chorus Reflection) can cite it directly as the aftermath-documentation instance of a pattern the paper describes at the theoretical level.
The paper does not need to allege coordination. It needs only to name what the platforms document about themselves: some substrates are designed so that meaning-carrying is not one of the things they do, and the market rewards that design under the frame of privacy. The suppression is legible in the marketing.
Appendix E — Specification Excerpts
Canonicalization profile (normative). alexanarch-file/v1: the canonical bytes are the complete registered byte stream as written at identifier generation; also designated the core profile. The profile document is published on the archive's static surface and carried by mirrors; a conforming verifier MUST be able to obtain it without permission from the registry.
Container rules (v0.1, excerpted). Core seal: the core is sealed at mint; corrections are new cores related by supersession under no-silent-reassignment. Content-agnosticism: the canonical form is whatever gets minted; core content is unrestricted; the core/sidecar distinction is temporal, not typological; the sole constraint is the fixed-point impossibility (the not-yet-derived kernel cannot occur in its own derivation bytes). Amendment routing: every post-mint addition attaches as sidecar or index data; verifiers compute kernels over core bytes alone. Staged: typed sidecar chaining, signatures, and manifest issuance land with the ledger operator signature and are scored as staged in §VIII.16.
Full documents. data/specs/AXN-MINT-ENDPOINT-SPEC-v0.1.md (with v0.2 storage/propagation addendum) and data/specs/AXN-CONTAINER-SPEC-v0.1.md, both on the archive's static surface.
Appendix F — Falsification Matrix (Tabular)
| # | Claim | Falsifier | Current status |
|---|---|---|---|
| 1 | Derivation integrity across implementations | Two conforming implementations disagree on identical bytes | Three paths agree on published vectors; shared canonical source noted |
| 2 | Canonicalization determinism, one profile | Inputs equivalent in one implementation, distinct in another | Full-file profile stated normatively |
| 3 | Glyph is recognition, not identity | Any surface using glyph alone as unique key | Full-hash discipline enforced; kernel resolves collisions |
| 4 | No silent reassignment | Address rebound without machine-readable history | Enforced; supersession machinery deployed |
| 5 | Ledger continuity | Discontinuity without signed supersession/fork declaration in window | Genesis emitted; operator signature not yet published |
| 6 | Custody (architecture for) | — closure test: independent administered full-copy custodian, verified, restorable | Peer registry live and empty; unmet, scored |
| 7 | Reconstructibility (proposed basis) | Clean-room restoration fails from published materials | No independent attempt documented as of 2026-07-18; invited |
| 8 | Resolution ≠ identity | Availability claimed from kernel correctness | Separation maintained; founding event demonstrates severability |
| 9 | Temporal attestation | When-claims beyond commit history + snapshots | Independent anchoring pending; stated |
| 10 | Causal-claim separation | Interpretation stated in the empirical register | Compound-condition discipline maintained |
| 11 | Parallel case, same observable removal signature | Signatures differ → case narrows to platform caprice | Criteria stated; public artifacts only; consented attribution |
| 12 | Retrieval-layer hypotheses | Rank parity across account states; query-text correlation; declassification fails to restore | Hypotheses under named controls; discriminator specified |
| 13 | Transmissibility + emergence | No independent operator can instantiate from published materials; no node verified by 2029-06-19 | Window ratified at three years; scoped to model vs architecture |
| 14 | Method validity | Substrates converge on false claims | Self-audit evidence: the §I revision; substrate-dependence standing |
| 15 | Operational limitations | — inventory, not test | Bandwidth, economics, keys, legal, observation penalty, discovery concentration |
| 16 | Core integrity under amendment | Sidecar payload enters kernel derivation | Routing normative + deployed; chaining/signatures/manifest staged |
No comments:
Post a Comment