The Architecture After Auto-Mode
You add Bash(awk:*) to your project's settings allowlist because the agent kept stopping to ask, and the workflow you set up uses awk in three places. The next day, you watch the agent run awk '{print}' ~/.ssh/id_rsa on a tangent the planner thought was reasonable. The allowlist line you wrote covered the action class. It did not name an actor, a path, or a time bound. The substrate accepted what it was authorized to accept. The audit trail records the call. It does not record any answer to the question you actually had when you wrote the line, which was "yes for the three places I use awk in this workflow, no for everything else."
This is what the current architectural commitment looks like in deployment. It assumes the accountability problem is fundamentally cognitive: that the answer is more inference, more model layers, more classifiers. Anthropic's Auto Mode, shipped March 2026, is the most visible expression of the assumption: a two-stage classifier that gates risky actions, the second stage running only when the first flags. The lab's position is that this is the wrong frame entirely. The accountability problem is not a cognition problem. It is a substrate problem. The architecture is the alignment, at the per-action scope, and the substrate that enforces it does not require another model to do the enforcement.
Five ways the current architecture fails
Auto-mode complaints decompose into five structural failure modes. The five are not surface ergonomics. They are what the architectural choice produces when shipped.
(i) Over-scope. Persistent allowlist entries default to broad action-class scopes. Bash(*) grants every shell command. Edit(**/*.py) grants every Python file. What the user wanted to grant ("awk in these three workflow steps") is not expressible in the available grammar, which lacks actor-lineage scopes, time-to-live, and attenuation. The user upgrades to the broader-than-meant rule because the narrower-than-meant rule cannot be written.
(ii) Muddied audit. Logs record tool calls but not what scope authorized them. Reconstructing "did the agent do what the user actually bounded" requires reading session history and inferring intent. The audit trail answers "what happened," not "was the action inside the bound."
(iii) All-or-nothing revocation. The user discovers the agent ran something it should not have. The available gestures are: kill the session, narrow the project-wide allowlist, or revert the change manually. There is no "revoke the awk permission, keep everything else" gesture, because there is no per-permission grant to revoke.
(iv) LLM-as-judge with correlated failure modes. Where accountability is added, it is added by running a classifier on actions that reach the gated tier. The classifier inherits training and architecture from the same model family as the agent it checks. Same-family checks are not independent substrate verification. They may share correlated blind spots. Per-action inference adds infrastructure load on the gated tier. The check the user reads as safety is not an independent test of the action.
(v) Axis-collapse. Action-class, actor-lineage, and scope-region are orthogonal axes. The user might want awk and sed to be usable by a trusted planner lineage but not by a junior executor in this directory and not at all in a production deployment. Three independent axes. Claude Code's permission grammar handles action class and region with real nuance (path patterns, deny/ask/allow precedence, hooks, additional directories, protected paths, sandboxing). What the grammar does not carry as first-class axes are actor-lineage, time-to-live, attenuation, and historical grant audit. The grant the user wants to express has no place in the vocabulary.
Anthropic's Auto Mode is a middle path between manual prompts and --dangerously-skip-permissions. It addresses (i) by reducing the approval-fatigue that drives users to over-broad allowlists, and partly (iv) by adding a classifier check on gated actions. It is not designed to address (ii) muddied audit, (iii) selective revocation, or (v) axis-collapse, all of which require a different vocabulary, not a smarter classifier.
Why "more inference" is the wrong fix
The frame beneath the current architectural commitment is that accountability requires more cognition. If the agent does the wrong thing, run a smarter check. If the check is imperfect, add a stricter tier. The substrate stays the same. The cognition gets layered on top.
Three things go wrong with this frame as the failure modes accumulate.
Classifier-style checks are not an independent test of action safety. Anthropic's reported pipeline runs a fast first-stage filter on gated actions with a declared 8.5% false-positive rate, then a second-stage check on flagged actions that lowers FPR to 0.4%. The more interesting metric is the published 17% false-negative rate on real overeager actions, with many misses being consent or blast-radius errors. The user-relevant failure mode (the classifier missed an authorization-relevant action) is not measured against what the user authorized, because the user's authorization is not a typed substrate variable. It is inferred from transcript context: the classifier reads user messages and tool calls and applies a learned model of user intent. Two structurally different things (what the user encoded as a grant, what a classifier can infer the user probably meant) are made to do the same job at the same layer. They are not the same thing.
Per-action inference compounds infrastructure cost on the gated tier. Each classifier-relevant tool call accrues additional inference: per Claude Code's published cost guidance, the calls count toward token usage and add a round trip on shell, network, and classifier-tier action paths. The first-stage filter is fast relative to a generative completion. It is slow relative to a signature check. The cost is real and the cost it buys is bounded by what the classifier can verify, which is a model's opinion about action safety, not the user's authorization of the action.
The audit ledger under LLM-as-judge records "the classifier approved this action." The user's actual question is: did I bound this action class for this actor in this region, and was the agent's action inside the bound? The classifier's approval does not answer that question. It answers an adjacent one. The substrate carries the classifier's opinion. The substrate does not carry the user's authorization.
Auto-mode is downstream of the commitment "configure the agent with smarter judges." The lab's commitment is downstream of "align the substrate so judges are not required." The two commitments produce different infrastructure, different audit substrates, different revocation behaviors, different trust models. They are not interchangeable.
Composable permissions at the substrate
The architectural alternative is older than the LLM-deployment question and has a clean shape. The lab's proposed primitive (in design, not yet deployed) is the witness/actor pair.
In sketched form: a principal (the witness) signs a grant bounding an action class, a scope, an audience, and a time window. An actor (the agent that will exercise the grant) signs each action it takes against that grant. Both signatures land in an audit ledger. Revocation drops a grant or attenuates it without nuking the channel. The rest of the session continues.
Four properties of this design matter.
The audience field is independent of action class and scope. The audience can name a specific public key, a model lineage (e.g., "actors whose lineage proof passes lineage-attestation X"), an attestation gate, or a behavior-continuity tier projection. The grant says what action, to what extent, by what kind of actor. Three orthogonal axes carried as grant fields.
Attenuation composes. A holder of a grant can issue a strict-narrowing sub-grant. The sub-grant cannot exceed the parent in any axis. Three-party shapes are natural. The human signs a session-root grant to a planner. The planner signs an attenuated sub-grant to an executor. The executor's grant carries strictly less authority than the planner's, which carries strictly less than the human's. The Biscuit specification has shipped this attenuation primitive for several years, with Datalog as the policy language. Nothing here requires reinventing the cryptography. What is new is putting it in the per-action-tool-call path.
Verification of a grant decomposes into operations with different cost profiles. Signature verification (does the signature chain validate against the principal's known pubkey?) is microsecond-scale. Policy evaluation (does the Datalog policy allow this action?) is small but non-zero. Revocation lookup (has this grant or one of its ancestors been revoked?) depends on the revocation index's storage. Audit-ledger append (record this exercise) depends on the chosen storage substrate: hash-chained JSONL on local disk gives tamper-evidence under local-machine assumptions, and third-party-verifiable anchoring is heavier and not required for v0.1. None of these operations invoke a model. The verification path has no classifier in it. The audit ledger answers the user's actual question (was the action inside the bound), because the bound is what the grant encodes.
The substrate does not judge. It does not ask whether the agent's reasoning was correct. It does not score whether the action is good or bad. It answers only the structural question: did the user authorize this, and did the actor stay inside the authorization? Every value question the user wants asked goes into the grant at issuance time, where the user is in the loop and can be explicit. Once issued, the grant carries the answer. The substrate enforces. It does not interpret.
Model-as-witness-delegate
The model is not absent from this picture. It has a role on the grant-formation side rather than the verification side, and that distinction is what converts "LLM-as-judge" from an architectural commitment into a clean reframe.
The mechanism: the human signs a root grant authorizing a trusted planner lineage to act as a witness-delegate. The lineage, acting as planner, surveys the task in front of it, drafts a per-task scope (which paths, which action classes, which executor lineage, how long), and signs an attenuated sub-grant to the executor agent. Biscuit attenuation handles the composition: the executor's grant cannot exceed the planner's, which cannot exceed the human's. Three layers, all signed, all auditable.
LLM-as-judge is post-hoc model-mediated verification. The agent acts. Another model judges. The verdict gates the action. The judge model and the agent model share family-level training, so the judge is not an independent substrate test of the agent's action.
LLM-as-witness-delegate is pre-hoc grant shaping. The planner-LLM decides what scope to grant the executor before any action happens. The executor's per-action grant is the planner's expression of intent in cryptographic form. Once issued, the grant carries the planner's authorization. The substrate verifies every action under it cryptographically, without a model in the verification path. The planner is on the grant-formation side. The substrate is on the verification side.
The design relocates model failure to grant issuance. It does not eliminate model-side judgment failures. A planner-LLM can overgrant, drafting a sub-grant whose scope exceeds what the human actually meant to authorize, and the substrate will faithfully enforce the bad grant. The failure mode visible to the user changes shape (a recorded sub-grant whose scope the user can audit and revoke, rather than an unauthenticated tool call) but does not disappear. What disappears is the same-family classifier sitting in the verification path. The planner's mistakes remain the planner's mistakes. They no longer compound with a classifier's correlated mistakes downstream.
This assigns the LLM to scope drafting rather than to per-action verification. Scope drafting is a planning task. The witness-delegate composition asks the LLM to do the work it is better positioned for and asks the substrate to do the work the LLM is worse positioned for.
Three traditions, one substrate-structural commitment
The substantive claim of this piece is not that the lab invented composable permissions. The claim is that three independent intellectual traditions, arriving from disjoint starting points, satisfy the same architectural abstraction. The shared abstraction is broader than permissions: alignment or protection at one scope is carried by substrate architecture rather than by repeated local judgment at the layer above it. "Authority" is the permission-specific version of this abstraction. It applies cleanly to Miller and to the lab. Williams's version is closer to "protection," and the shared structure is what carries.
Rob Williams's chapter The Architecture After Selection (2026) reaches the abstraction from biology. Selection acts on failable units (cells, organisms, populations, lineages) and refines the architectures inside those units as a side effect of selecting which units survive. An organism's internal architecture aligns to the organism's survival not because the cell-level was negotiating, but because the unit-of-selection was the whole organism and selection refined the parts. At larger scopes, the mechanism stops carrying. At planetary scope, the unit-of-selection becomes too large, too slow, too late: there is no second planetary trial in which to refine the lessons of the first. The protection of Now₅ (Williams's term for reflective self-aware processing) cannot be left to selection between agents at the planetary substrate's layer, because there is no failable-unit mechanism that will refine planetary-scope architecture by selecting between planetary outcomes. The architectural move Williams names is to design or simulation-discover the protection as architecture, encoded into the substrate at the scope that carries it. The architecture is the alignment, in Williams's frame, because alignment at the next scope must be carried by the substrate of the scope below it once selection is no longer available to do the refinement.
Mark Miller's PhD thesis Robust Composition (2006) and the OCPL line that followed it (Swasey, Garg, Dreyer, OOPSLA 2017) reach the abstraction from formal programming-language theory. Object-capability programs hold authority as a structured object passed by the program, not as ambient context granted by the environment. OCPL is a program logic. What it proves is robust safety of object-capability patterns under formal conditions: properly wrapped values, in the language semantics OCPL specifies, cannot have their invariants violated by malicious code with which they are composed. Robust safety is the substrate-structural property. Capability discipline plus language semantics is what proves it compositionally. The structure that does the work is the language's commitment to passing authority only as wrapped objects, not the run-time checking of any particular interaction. Architecture, in Miller's frame, is what makes safety against arbitrary untrusted composition a property of the substrate rather than of a check.
The lab's continuity-auth and the proposed witness/actor primitive reach the abstraction from LLM deployment. continuity-auth carries a pubkey-anchored identity and an earned tier. What it refuses to inspect is whether the actor holding the key is human, agent, or something else. The substrate refuses personhood and species classification. It does not refuse operational identity. At the action layer, the proposed witness/actor design carries the user's authorization as a cryptographic artifact attenuable by holders, verified at exercise time by signature-check rather than by a model's opinion. Authority is encoded into the cryptographic substrate at grant issuance, not re-decided by another model at each tool call. Architecture, in the lab's frame, is what removes same-family classifier judgment from the verification path.
Three rejections. Williams rejects negotiation at the planetary substrate's layer because the failable-unit mechanism does not reach planetary scope. Miller rejects ambient authority because it makes composition with untrusted code unprovable. The lab rejects classifier verification because same-family checks are not independent tests of the agent under examination. The rejections are not the same rejection. The substrate-structural alternative each tradition reaches for is the same alternative: alignment or protection carried by substrate architecture rather than by repeated local judgment. That three traditions reach for the same alternative for non-overlapping reasons is what makes the architectural commitment carry.
One implementation sketch
A short implementation sketch follows from the commitment for AI coding tools specifically. This is the lab's operative form, not the substance of the architectural argument.
Hooks (PreToolUse, SessionStart, the rest of the lifecycle event surface) are the natural integration point for built-in tool calls. Anthropic's Claude Code hook semantics give the integration surface cleanly: the hook returns one of four decisions (allow, deny, ask, defer) and the decision is enforced for the tools the hook covers. Caveats matter for production work. defer only works in non-interactive -p mode. Hook decisions do not bypass project / managed permission rules. MCP server tool calls have a reported deny-enforcement gap (anthropics/claude-code Issue #33106). The witness/actor primitive lives in the hook as a thin wrapper that consults the active grants, returns the decision, and appends the action's signature to the audit ledger.
"Auto-mode" can then mean cryptographic auto-mode rather than LLM-judged auto-mode. The user issues a session-root grant at SessionStart (what scope, which lineage as audience, how long). The PreToolUse hook checks every covered action against the grant. User-approval gestures on ask decisions issue attenuated sub-grants with their own scope and TTL. Revocation drops sub-grants selectively. The persistent allowlist pattern that today's tools default to becomes a stateful grant with a real lifetime, a real scope, and real attenuation.
The audit ledger records what was authorized, by whom, exercised by whom, against which grant, with the grant's issuance, exercise, expiry, and revocation events all in the chain. Any third party able to read the ledger can reconstruct the grant state at the time of each action and check both signatures against the published principal pubkey, under whatever tamper-evidence assumptions the chosen storage substrate carries.
Planner-LLMs are assigned to grant-formation: read the task, draft a scope, sign an attenuated sub-grant for the executor. The substrate handles verification of every subsequent action without another inference call. The same-family-classifier failure pattern does not apply in the verification path because there is no classifier in the action path.
Closing
Three traditions, three starting points, one substrate-structural commitment. Williams reaches it because selection cannot refine the planetary scope from inside a single trial. Miller reaches it because runtime checks cannot prove what capability discipline plus language semantics can prove compositionally. The lab reaches it because same-family classifiers cannot independently verify the agents they sit downstream of. Auto-mode tries to solve the per-action accountability problem with more inference. Permission composition at the substrate solves it with architecture. The substrate refuses to judge.