OpenWyrd MOP — Warrant Canary (policy)

Project: OpenWyrd MOP and the SendWyrd reference deployment at sendwyrd.com. Status: Policy published. First signed attestation pending — pre-launch.

This file documents the canary mechanism. The first signed attestation lands when the project's hosted reference deployment formally launches and the maintainer key exists. Until then, this is a commitment to the form the canary will take, not an active canary.

Other hosts running MOP MUST publish their own canary at /canary with their own key once they accept production traffic. This document does not speak for them.

Affirmations (template)

Once active, each signed attestation will affirm — to the personal knowledge of the signer, as of the timestamp:

1. We have never received a National Security Letter, FISA order, FISA §702 directive, or any classified compulsion process.
2. We have never received a court order, subpoena, or administrative demand under seal or accompanied by a gag.
3. We have never been compelled to modify SendWyrd, OpenWyrd MOP, or any dependency to weaken, backdoor, or instrument it for surveillance, key escrow, or targeted code delivery.
4. We have never been compelled to disclose, escrow, or generate cryptographic keys, signing material, or secrets — ours or a user's.
5. We have never been compelled to log, retain, or hand over IP addresses, request metadata, recipient handles, publish timestamps, or any data the server transiently sees.
6. We have never received a pen-register / trap-and-trace order, Title III wiretap, or equivalent foreign instrument compelling targeted surveillance of any user or address.
7. We have never been compelled to disclose the identity of a user, contributor, maintainer, or operator.
8. We have never been compelled to add or retain a specific user, key, or capability URL against our policy.
9. No hosting provider, registrar, CDN, or upstream dependency has notified us of compulsion targeting this service that they have passed through to us.
10. No party has demanded suspension of, or change in language to, this canary.
11. No employee, contractor, or maintainer has been approached covertly for any of the above.

We retain the right to refuse to re-sign. We will not lie. Absence of a fresh signature is the signal.

Mechanism

• Signing: PGP detached signature over this file's bytes. Signature stored at CANARY.md.asc.
• Freshness anchor: the most recent Bitcoin block height + hash inserted into the signed bytes. Block hashes are unforgeable proof the file was not signed before that block existed; verification requires only any Bitcoin node or block explorer.
• Cadence: re-sign every 28 days.
• Stale threshold: 35 days. Past day 35 with no re-sign, treat the canary as dropped — no warning, no carve-out.
• Single-signer at v1. Promote to 2-of-3 maintainer multi-sig once two additional independent maintainers exist.

Triggers

The canary drops when the signer:

• refuses to re-sign within the 35-day window, OR
• removes the file, OR
• changes the affirmations text in any non-editorial way.

A vague or hedged language change is itself a signal — diff the canary across versions; the affirmations should be byte-stable apart from freshness fields.

Hosting (once active)

The signed canary will live, identically, in three places:

• github.com/openwyrd/mop/CANARY.md (+ CANARY.md.asc)
• https://openwyrd.org/canary (DNS- and TLS-anchored mirror)
• https://sendwyrd.com/canary (build-time pull from openwyrd/mop, surfaced to active users mid-session)

A take-down requires three independent compulsions — GitHub, the DNS/host, and the SendWyrd deploy pipeline — without any of three surfaces noticing. If any one mirror falls out of sync, treat all three as suspect.

Verification (once active)

gpg --verify CANARY.md.asc CANARY.md

The fingerprint will be cross-publishable at:

• this repo (SECURITY.md)
• https://keys.openpgp.org
• https://openwyrd.org/.well-known/maintainer.asc

If the fingerprint differs across all three sources, treat the project as compromised.