Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.inkwell.finance/llms.txt

Use this file to discover all available pages before exploring further.

CONFIDENTIAL & PROPRIETARY © 2026 Inkwell Finance, Inc. All Rights Reserved. This document is for informational purposes only and does not constitute legal, tax, or investment advice, nor an offer to sell or a solicitation to buy any security or other financial instrument. Any examples, structures, or flows described here are design intent only and may change.
Pre-alpha vs production. Pages that describe “the operator holds the session-to-ephemeral-key mapping” describe today’s single-operator implementation. Production Dagon will distribute this custody across an Ika 2PC-MPC dWallet network — no single “operator” entity will hold the mapping, and no unilateral disclosure (lawful or otherwise) will be possible without the network agreeing. The two-party composition described here is strengthened, not weakened, by the migration. See Design Philosophy for the full decentralization roadmap.
Selective disclosure is a positive property: the venue is engineered so that, in normal operation, identity is protected from the public, the counterparty, and the operator itself — and in the abnormal case of a valid compelled process, identity becomes resolvable through the cooperation of two specific parties. The frame is ProtonMail, not Tornado. ProtonMail encrypts every mail at rest; it cannot read its users’ mail in normal operation; it complies with valid Swiss court orders by surrendering what it has. The system is legitimate precisely because encryption is default and disclosure is scoped.

What is protected

In normal operation, these parties cannot see these things:
ObserverCannot see
Public (chain observer)Order contents, identities, fills
Counterparty in the same batchWho the counterparty is
OperatorAny individual order; any user identity beyond a session key
Credential issuerAny order activity at all

What is disclosable

Under a valid compelled process (a court order served on both the operator and the credential issuer):
  • The operator produces the session-to-ephemeral-key mapping for a named time window.
  • The credential issuer produces the credential-to-PII mapping for the named participant.
  • Joined, these resolve one specific user’s activity.
The process produces one user, not the book. The tape remains opaque for every other participant.

Why two parties

A single-party disclosure surface is a single point of compromise. A rogue query, a breached DB, or an overbroad warrant against one entity pulls out the whole tape. Two-party composition requires that both parties be compelled simultaneously and both comply. In practice this means:
  • The warrant must name both parties.
  • Both parties must be under the jurisdiction of the issuing court (or served through mutual legal assistance).
  • Neither party alone can be coerced into unilateral disclosure — the information simply isn’t there.
See: Two-party composition for the cryptographic shape.

Scope

The selective-disclosure claim is scoped to process that reaches both the operator and the credential issuer through lawful channels. The instruments in scope are:
  • US federal grand jury subpoenas (Fed. R. Crim. P. 17).
  • US administrative subpoenas within counsel-confirmed authority (OFAC, FinCEN, SEC / CFTC where applicable).
  • Mutual Legal Assistance routed through DOJ OIA or direct treaty.
  • EU national-authority production orders under the European Investigation Order (Directive 2014/41/EU) and national transpositions.
  • Court orders in US, EU Member States, UK, Switzerland.
Out of scope: civil discovery not yet authorized by a court, and informal law-enforcement requests without court order. Users in jurisdictions whose courts cannot reach both parties through MLAT should assume the disclosure path is slower, not that it is absent. Users in jurisdictions whose own local legal process is hostile to them should not assume Dagon shields them from that process — the design protects against passive surveillance and single-party breach, not against a US (or partner-jurisdiction) court honoring a foreign MLAT request.

Not a privacy absolute

Dagon does not promise “never by leak” or “never by breach.” Those phrasings are unfalsifiable and therefore dishonest. What is provable is the shape of the disclosure path:
  • Normal operation: no identity visible to any single party.
  • Compromise of one party: no identity surfaced (the other party still holds its half).
  • Compelled process against both: one named user is resolved.
That shape is stronger than the current TradFi norm (single-party unilateral compliance) and weaker than a pure mixer (non-compliant by design). It is the legitimate middle.