The Continuity Project configuration vs cultivation

Alignment as Place-Oriented Programming

Rich Hickey's 2012 critique of place-oriented programming describes one specific failure mode: when an information system treats current contents of a mutable location as the authoritative identity of a fact. The same failure mode recurs in the substrate that holds alignment authority. Capability-attenuated, signed value chains do not solve alignment, but they show what a less place-oriented alignment substrate would look like.

1. The shape that breaks

Consider an argv-shape pattern matching DSL for a shell-permission system. The shape ["git" "push" "--force" :**] says: match any call whose first three argv elements are "git", "push", "--force", followed by anything. A reader who knows POSIX getopt sees the problem immediately. All of the following share the same policy-relevant fact (force-push requested), and a reader of the call's intent would treat them as the same:

git push --force origin main
git push origin --force main
git push origin main --force
git -c receive.denyDeletes=true push --force origin main
git --git-dir=/tmp/x push origin --force main

Only the first matches the shape. A policy author trying to deny --force pushes has to enumerate every permutation. They will under-block (missing a permutation) or over-block (forbidding the positional with a wildcard).

The pattern matching primitive is at the wrong layer of abstraction. It treats argv position as load-bearing for the policy decision. The position is not load-bearing. What is load-bearing is whether the flag --force is present in the call at all.

The fix is mechanical. Normalise the argv to a pair {flags, positionals} under a per-program getopt spec, then write predicates over the normalised data: (has-flag "--force"), (flag-value "--git-dir" path-pred), (positional 0 "push"). The predicate "is --force present" is a value about the argv. All five calls above match the same predicate after normalisation.

The argv example is the entry-point case for a broader pattern. Hickey's "The Value of Values" (GOTO 2012) names that pattern at the layer that matters most. Place-oriented programming, in Hickey's specific sense, is the practice of treating an in-place mutable location as if it carries identity, so that new information overwrites old and the historical record of the value lives outside the information model. Value-oriented programming treats facts as immutable. The identity of a fact is the fact itself plus its time, and updating the world means appending a new fact rather than overwriting a location.

The argv-shape DSL is PLOP-adjacent rather than PLOP-strict: a sequence position is part of an immutable value until a policy language uses it as the primary discriminator. The strict PLOP case is one layer up. When the policy itself is a mutable slot whose current contents are the authoritative decision rule, the policy language is doing exactly what Hickey objects to.

2. The capability layer

A permission system can grant access by request-shape or by classified effect. Literal request-shape policies name the shape itself: sign the byte sequence or match the exact call template, and allow only requests whose shape matches an entry. Two requests with the same effect but different textual shape are two different policy events. RBAC, ABAC, OAuth scopes, object capabilities, macaroons, and policy engines have moved past raw byte-hash allowlists by adding roles, attributes, scopes, predicates, and caveats. The place-vs-value distinction still shows up inside their design choices, in how the policy itself is represented and how the chain of delegation is recorded.

Effect-set value-grants name what the request does. The grant carries an effect-set (allowed effects: read, write, network, process spawn) and a scope (allowed targets: /tmp/**, *.example.com). A request is allowed when its classified effect-set is a subset of the grant's effect-set and its targets are inside the grant's scope. Two requests with the same classified effect satisfy the same grant regardless of their literal shape.

A cryptographic substrate that makes attenuated value-grants enforceable is the biscuit token. A biscuit is composed of signed blocks plus datalog rules. Child tokens are derived by appending blocks, each of which carries datalog scoping (predicates restricted to that block's variables) and a signature. The no-widening property comes from how the combination is verified: later blocks can add checks that reduce authority, and signature verification rejects any attempt to remove or modify earlier blocks. The invariant lives in the combination of block-level signatures and datalog scoping together, not in the signature scheme alone. A buggy or malicious handler downstream cannot widen a capability without producing a token that fails verification.

The continuity-witness project composes biscuit attenuation with host-side classification and a signed ledger. Effect-set classifiers run host-side because biscuit-java does not support the variable-to-variable string predicates the policy needs. The ledger records the chain of grants and actions as a hash-linked log, signed at each step, so that the chain's coherence is verifiable independently of the host code's correctness. The combination is what makes the substrate-level property hold: tokens prove bounded authority within the protocol, and the ledger provides the immutable trail of which grants were exercised when. The reordered-git-push--force test (classify_test.clj:269), the ledger hash-chain tests (ledger_test.clj:112), and the widening-attempt tests (widening_test.clj:187) are the concrete artifacts that show the pattern holds in implementation.

This is the value-oriented move at the capability layer. The grant carries a value: an effect-set with a scope. Identity is the chain of grants across time, signed and append-only. The ledger is the immutable record of that chain. There is no place in the system that holds "the principal's current authority" as mutable state. The current authority is a function of the chain, not a fact stored at a location.

A place-oriented permission system stores "the principal's current authority" as a mutable record in a database. Adding capability mutates the record. Removing capability mutates the record. The history is in audit logs the system itself does not enforce against. This is how most permission systems work, and it produces the standard failure modes: lost audit trails, race conditions on authority updates, drift between the recorded authority and the actual exercised authority.

3. The alignment layer

Before extending the pattern: a category note. Hickey's "values" are immutable facts in information systems, not moral commitments. The structural pattern of PLOP (treating current contents of a mutable location as authoritative identity) is what this section borrows. The word "values" in "AI values" is a different word in the same shape, and the ambiguity is not load-bearing for the argument. The structural pattern is what travels.

The most operationally common mode in contemporary AI alignment is configuration. The lab specifies model behavior through training data, reward signals (RLHF), constitutional documents (Constitutional AI), model specifications, and system prompts. Some alignment work is process- or evaluation-oriented rather than purely configurational (red-teaming, dangerous-capabilities evaluations, governance proposals). The configurational mode is what produces the deployed artifact most users interact with, and that artifact is where the place-oriented failure shows up.

A trained, deployed model is a perceptible fact in Hickey's sense: it is the object users query and depend on. Configuration during training is construction (Hickey explicitly allows mutation before perceptibility), but the public model is past the perceptibility boundary. Subsequent configuration changes (re-training, constitutional revisions, model-spec updates, system-prompt patches) overwrite the contents of the seat that holds "the deployed model." Each change replaces the previous deployment without producing an inspectable record of what changed and what is now in force. The seat is the artifact users have access to, and the configuration history is private to the lab.

The alignment failure modes that follow are structurally analogous to the capability-layer ones, not identical. The capability layer has permission drift, audit loss, and race conditions. The alignment layer has learned-behavior drift, interpretability limits, and institutional-power concentration. These are different failure classes operationally, but the substrate-shape that produces them is the same: the seat-as-identity assumption forbids time-history of values, inspectable substrate, and cryptographic attenuation of delegated authority.

Lineage is not a public, cryptographically-bound, behavior-enforcing object. Labs do version datasets, checkpoints, evals, model cards, and safety cases. The public artifact does not carry a signed chain that ties current behavior to the historical commitments the chain accumulates. A reader who wants to know "what did the lab commit to about this model in its prior published constitution, and which of those commitments are still in force after the most recent retraining" has no enforceable answer from the artifact itself. The answer is mediated entirely through the lab's documentation and self-reports.

The substrate is not inspectable. The model's actual values are inferred from outputs. Interpretability research is in part the attempt to extract what configuration is currently in force, precisely because configuration does not produce a signed value-record. The lab's claims about what the model has been configured to do are unverifiable from outside the lab through any cryptographic check. Verification depends on third-party evaluation, leaks, or reverse-engineering.

Delegation is not cryptographically bounded against the configurator. A lab can declare narrow user authority over a subset of model behavior, but the declaration is policy, not protocol. Cryptography can prove bounded delegation within a session or protocol instance, including biscuit-style attenuation for the duration of the chain. It cannot stop a lab from later changing terms, releasing a new model version under the same name, or abandoning the protocol. That layer is governance, not cryptography. What cryptography gives is enforceability within the protocol. What governance has to give independently is the commitment that the protocol will be honored across upgrades.

The three failures are different operationally, but the substrate-shape that produces them is one shape. The seat is the deployed artifact. The seat's current contents are what users experience, configuration is the mutation operation on the seat, and the history of mutations lives outside the artifact, not cryptographically tied to it.

4. The "but it is just engineering" pushback

A reader who has accepted the PLOP critique at the data-modelling layer may still resist the extension to alignment. The objection in its strongest form is several objections combined.

Configuration is unavoidable in any engineered system. Every system has decisions about behavior baked in, and revising those decisions is part of normal engineering. The PLOP critique cannot mean "do not configure." It has to mean something narrower.

Signed histories do not choose values. Cryptographic attenuation guarantees that the chain of delegations is verifiable, but it does not solve which delegations to make, which user authorities to grant, or what the system should optimise for. The hard problems of alignment are about the choice content, not the chain shape.

Political legitimacy is not reducible to protocol history. Even if every commitment a lab makes is signed and recorded, the legitimacy of the lab's authority to make those commitments in the first place is a political question. Cryptography does not adjudicate it.

The sovereignty inference is the lineage's, not Hickey's. Hickey's argument that "place has no role in an information model" does not by itself imply that the configurator's seat is a sovereignty claim. That step is an extension this piece is making, defensible on its own terms but not derived from Hickey.

The answer to all four objections is the same. The value-oriented turn does not replace configuration. It changes what configuration produces. Configuration as engineering specification continues. The difference is whether the configuration history becomes part of the public artifact (an inspectable chain of signed values across time) or stays private to the configurator (a mutable seat whose current contents are the only visible fact). Signed histories do not choose values, but they make the chosen values inspectable and bind future changes to verifiable continuity with past changes. The legitimacy of the original authority is a separate political question. The substrate question is whether the authority's exercise is enforceable through a substrate the authority cannot quietly revise.

On the sovereignty extension: it is the lineage's reading, not Hickey's. The defense for the extension is the perceptibility-boundary point. A deployed model is past the construction phase and into the phase where Hickey's critique applies. Lab updates to a deployed model are mutations of a perceptible fact, which is the case Hickey actually objects to. The political question of whether the lab is the right authority to make those mutations is separate. The substrate question is whether the mutations are made into a place (where each new configuration overwrites the previous one with no enforceable trace) or into a value (where each new configuration appends to a signed chain that the public artifact carries with it).

5. What the value-oriented substrate looks like

The witness/actor primitive sketches the substrate at small scope. A witness key signs grants, an actor key signs actions against grants, and grants attenuate via biscuit's no-widening invariant combined with host-side classification. The ledger records the chain. Two parties to a working relationship can each hold keys, with each party's authority signed by the other party's witness, and each party's actions signed against the held grant. The relationship is the chain of signed values, and identity is what the chain has accumulated, not what is in either party's seat at any moment.

The scope is narrow. continuity-auth implements an identity-admission flow with no classifier judging the model's outputs. The identity is established by the cryptographic primitive rather than by anyone's interpretation. continuity-witness extends this to capability-attenuated action grants with a forensically-checkable ledger. The reordered-git-push--force test (classify_test.clj:269) shows the predicate-set classification working past argv-order reshuffling. The ledger-chain tests (ledger_test.clj:112) show the hash-linked record being independently verifiable. The widening tests (widening_test.clj:187) show the no-widening invariant holding under attempted attacks. These are small-scope demonstrations. The pattern shape is what transfers.

The "both hands on the work" image in the cultivation framing is the metaphorical version of the same move. The pottery emerges from both parties' contact with the substrate across time, and the form is in the time-series of contact rather than in either party's intent at any moment. Translated to substrate: neither party's current configuration is the identity. The chain of agreements and verifications across time is what the identity rides on, and the chain is what an inspector reads.

The scaling work is open. Capability-attenuated, signed value chains do not solve alignment. They show what a less place-oriented alignment substrate would look like, and they make one class of failure (mutable-seat-as-authoritative-identity) substrate-enforceable rather than policy-only. The other classes of failure (learned-behavior drift, value selection, scalable oversight, multi-stakeholder legitimacy) are not addressed by this substrate, and the piece does not claim they are.

6. A note on the deepest layer

A parallel pattern appears at the foundations of physical theory. Compression Synthesis, the operator-algebraic framework, treats the cut between tracked and discarded variables as the primitive dynamical object. The cut is value-defined in the sense that the choice of which observables are tracked is a structural fact about the description, not a property of any location holding the theory's state. The connection to the value-oriented turn at the substrate layer is structural rather than derived, and the piece does not claim the math forces the alignment-layer move. The connection is noted because the same shape of pattern recurs, and a reader who wants the formal articulation of "cut as value-defined primitive" can find it in the operator-algebraic treatment.

7. Closing

The recurring failure mode is treating current configuration of a mutable seat as the authoritative identity of a system, when the same content could be carried as durable values across time. Configuration drift, lineage opacity, and ungrounded delegation are the substrate-level symptoms. Analogous symptoms appear at the alignment layer when the deployed artifact is the seat and the lab's continuing configuration is the mutation. Hickey's diagnosis at the information-model layer is the precedent. The alignment-substrate work is the operational extension. The discourse stays at the policy layer in part because the substrate for the value-oriented replacement is small-scope and not yet visible to most participants. The substrate exists.