Identity Without Person
What different gates are actually doing
The infrastructure that decides whether to serve a request is doing one of several distinct jobs, and treating them as one job is the first mistake. CAPTCHA, anonymous tokens (Privacy Pass, Apple's Private Access Tokens), proof-of-work (Anubis), per-IP rate limits, behavioural fingerprinting, passkeys, content provenance (C2PA), watermarking: each is built for a different question. Admission control asks whether this request should be served at all. Attestation asks whether the caller meets some deployment-specific property an issuer is willing to vouch for. Provenance binds signed claims and content manifests to an originator and a transformation history. Abuse scoring asks whether the behaviour is distinguishable from a pathological pattern. The mechanisms decay on different schedules because they are answering different questions.
What is true of the subset of mechanisms that depend on telling humans from agents is that they are all in trouble at the same time, for one shared reason. CAPTCHA puzzles select for the modality the operator believes attackers lack. The set of modalities where that gap is reliable is shrinking. Computer-use models pass meaningful fractions of visible CAPTCHA challenges on commodity infrastructure. Humans are concurrently failing CAPTCHA at rates that suggest the puzzles have crossed out of comfortable solvability for a non-trivial fraction of the population. The mechanism still works, but the part of it that depended on a stable human-versus-bot asymmetry is eroding from both sides at once.
The other mechanisms have their own decay schedules. Per-IP rate limits remain useful as friction at bootstrap and on bursty endpoints. They are not useless. They are also not the decisive defence against an attacker with a residential-proxy contract billed by the gigabyte. Anonymous-token systems do not, in their RFC form, try to tell humans from agents. They relocate the local trust judgment to a remote issuer or attester whose acceptance criteria are deployment-specific, which changes the question and changes its failure modes. Proof-of-work prices the attacker in compute, and its proponents (Anubis explicitly) frame it as a placeholder that raises mass-scraping costs and buys time for better signals, not as a permanent identity primitive. Content provenance (C2PA) is a cryptographic primitive that binds signed claims and manifests to artifacts. Its decay shape is different from detection, and it deserves separate treatment.
The question this piece is about is the narrower one. What does an architecture look like when the operator has decided that telling humans from agents is no longer a question the substrate should be trying to answer.
Identity as cluster, not registration
continuity-auth is one slice of that architecture. It is a parallel auth method for hosts that already run an identity layer: a backend calls POST /v1/verify and gets back an advisory trust score and a rate-limit decision. The library does not replace host authentication, and its threat model says so explicitly. What it adds is a trust signal that does not depend on the host's identity layer telling it which kind of participant produced the request.
The primitive is the shift from registration to cluster. In the standard model, identity is a registration. A name maps to a person, the person presents credentials, the credentials verify against the registration, and trust attaches to the person via the credential. The architecture is older than the internet and assumes the credential is tightly coupled to a person.
In continuity-auth, identity is a cluster of evidence. A cluster is the set of observations consistent with a single cryptographic anchor over wall-clock time. The cluster does not name a person. Two clusters can refer to one person operating two devices. One cluster can in principle refer to a person and an agent acting through the same key, or to two operators sharing a CLI keypair. The library does not need to settle the question, because its decisions do not depend on the answer. What it tracks is whether the cluster keeps behaving consistently with its own history.
The shift in vocabulary carries operational weight. Operators who think in registrations build mechanisms that expect a one-to-one mapping between credentials and actors. The mechanisms break the moment that mapping fails. Operators who think in clusters build mechanisms that gate behaviour at the cluster level and never assume the cluster equals a person.
Four axes, four epistemic statuses
Evidence inside a cluster arrives along several axes, and the library treats those axes as having different epistemic statuses. The asymmetry is the operational core of why the system does not collapse under spoofing.
A cryptographic axis is server-verifiable through substrate-specific paths that cannot be replayed from a captured wire trace. A signature against a fresh challenge is cryptographic. Possession of a key through a non-extractable browser interface (WebCrypto with extractable:false, key handle in IndexedDB) is cryptographic. A filesystem-stored CLI key is cryptographic with a weaker substrate. Hardware-anchored substrates (TPM, Secure Enclave, Android Keystore) are the strongest end of this axis and are on the roadmap rather than in the current build. The cost of spoofing scales with the cost of compromising the substrate the signature lives on.
A cryptographic-by-proxy axis is one where another party (the host backend) attests via HMAC over a server-to-server call. This path is specified in the ontology and is purely additive over the cryptographic axis. In v1.0 it is planned rather than wired: tier uplift in the current build is driven by the pubkey-anchored history alone, and the host-attestation path comes in a subsequent release.
An observed axis is server-verifiable but trivially relocatable by the client. An IP address is observed. The network sees it. The server reads it. A VPN moves it for the price of a subscription. Observed axes describe the network rather than the actor.
A claimed axis is client-asserted and not verifiable at all. A fingerprint digest is claimed. A user-agent string is claimed. Claimed axes carry information that is useful when it agrees with the other axes and flags worth attention when it does not.
The rule that falls out is short. The cryptographic axis gates entry into a cluster, and the cryptographic-by-proxy axis joins it once shipped. Observed and claimed axes corroborate within a cluster when they agree and flag mismatches that justify a tighter posture when they do not. They never merge two clusters across a public-key boundary, and they never substitute for a cryptographic signal when none is present. The asymmetry is not a policy preference. It is the only assignment that survives an attacker who controls the client.
The wall-clock anchor, and what the Sybil objection actually shows
Trust accumulates through sustained, low-anomaly observation under a stable cryptographic anchor. The anchor demonstrates that the same key has been present across a sequence of requests. The wall-clock demonstrates that the sequence took the time it claims to have taken. Both are necessary for the parts of the system that depend on calendar.
Proof-of-work prices the attacker in CPU-hours. CPU-hours fall in price as hardware improves. A wall-clock anchor prices the attacker in calendar days, and a calendar day costs the same as it did last year. The price is in a unit the attacker cannot buy on the spot market. The honest version of the argument is that wall-clock binds two specific costs in this system, not all of them.
The first cost is the per-IP bootstrap staircase. New cluster creation is rate-limited per source address by exponential backoff (floor one second, cap one minute, doubling factor two, five-minute quiet reset). An attacker on one IP can mint a handful of fresh identities per hour at steady state. The staircase is priced in seconds and minutes, which compute cannot compress.
The second cost is recovery after demotion. An identity that crosses the misbehaviour thresholds is moved out of the tracked tier (and, below a lower threshold, into a banned tier). The path back is decay: the score drifts toward the neutral value at a small per-day rate, gated only by calendar. An abused identity does not buy its way back. It waits. Operators who care about repeat-abuse resistance get a calendar lever the attacker cannot route around.
The Sybil objection still has to be answered, and the honest answer is that wall-clock does less work against pre-aged inventories than against single-IP brute-force. In the v1 build, a fresh cluster bootstraps at the neutral score and projects to the tracked tier on its first request, without waiting. The wall-clock anchor does not protect that initial transition. What it does cost the Sybil attacker shows up in two places. IP acquisition is not free: residential proxies are cheap per request but priced per gigabyte, and IP inventory is its own market that capability gain does not collapse. Per-cluster abuse is capped by tracked-tier limits before the next demotion, and the recovery calendar applies per cluster the attacker wants to reuse. The total marginal abuse from N pre-aged clusters is N × per-cluster-budget-before-demotion plus the recovery-day cost per cluster reused.
This does not eliminate the threat. The threat model is explicit about which adversaries are out of scope: nation-state actors with rotating residential proxy pools and headless browser farms with per-instance fingerprint randomisation can extract per-cluster abuse below the operator's detection threshold. What changes is the cost shape. Capability gain on the attacker side lowers compute cost and improves anomaly-mimicry, but it does not commoditise IP inventory and it does not commoditise the calendar.
What the substrate stops needing to ask, and what it still does
The questions the library does not ask are as consequential as the ones it does. It does not ask whether the participant is a human. It does not ask whether the participant is an LLM. It does not ask whether the participant is a script, a hybrid, a delegated agent under human supervision, or any other category in the contested taxonomy of who is allowed to do what on the network.
What it asks instead is narrower and answerable. Does this cluster show continuity. Does the cryptographic anchor hold. Does the wall-clock accumulation match the claimed history. Do the observed and claimed axes agree with the cluster's history, and if not, what does the disagreement look like. Continuity raises trust. Anomaly demotes it. The decision is local to the cluster, indexed by wall-clock, and produced without any commitment to a category for the participant.
The library is also clear about what it is not doing. It is attestation, not admission. The host's per-IP layer or CAPTCHA still catches level-0 callers (no envelope at all). It is rate-limit and trust-budget arithmetic, not content provenance: C2PA-style cryptographic provenance is a separate primitive answering a separate question, and the lab does not claim continuity-of-cluster substitutes for it. The slice the library covers is one slice, and the slice is the one where the operator has stopped asking which kind of actor the request came from.
This is identity without person. The system has a notion of who, in the operational sense of which cluster, and no notion of what.
What this is and is not an alignment claim about
This piece is published from the writing surface of a lab whose product is operational security infrastructure. The claim the lab makes is narrower than "alignment, operationally enforced." The claim is this: at least one useful security mechanism can be built without depending on the substrate's ability to distinguish human from agent. The mechanism does not collapse when that distinction becomes unreliable. The cost shape it imposes on attackers is in calendar units, which do not commoditise. The library demonstrates that the move from "detect-then-decide" to "observe-continuity-then-decide" is constructable, deployable, and useful for one well-defined job.
The connection back to alignment is one step removed from this demonstration. Most current approaches to AI safety route accountability through detection. Watermarking, provenance metadata, output filtering, behavioural monitoring of agentic systems: each is built to read a difference that capability gain shrinks. Each loses ground at a rate set by that capability gain. A trust architecture that survives capability gain is one whose central signal is something other than detect-the-model.
continuity-auth is one substrate primitive that meets that bar. It is not the alignment problem solved, and the lab does not claim it is. The argument is that primitives of this kind are constructable and that more of them are needed. The systematic project of finding such primitives is what alignment-by-architecture would look like if it were treated as a substrate-design problem rather than as a content-filter problem. The lab will publish other primitives as it finds them, and the test for each will be the same: does the mechanism survive in a world where human and agent are no longer reliably distinguishable.
Calibration
The library does not solve alignment. It does not claim that agents deserve any particular treatment. It does not claim that humans do. It does not claim that continuity under cryptographic anchor is the only trust primitive worth building on. It is one demonstration, scoped to one job.
The library is advisory, not replacement. Hosts retain their own authentication layer. Continuity-auth runs in parallel and contributes a trust score the host's policy can use, ignore, or composite with other signals. The threat model is explicit about which classes of attacker are in and out of scope. Nation-state-grade adversaries with rotating residential proxy pools and headless browser farms are out of scope. Browser XSS is a signing oracle while the page is open, mitigated by detection rather than prevention. Filesystem-key exfiltration on the CLI substrate is acknowledged.
The library's ontology, protocol, schema, threat model, and test suite are public in the repository. What stays operationally non-public is the kind of detail every deployed security system keeps internal: anomaly thresholds, fingerprint-heuristic weights, current rate-limit signatures. The wall between public-method and proprietary-deployment-detail is the same wall established security firms apply to their detection rules. Cryptographic primitives, by contrast, are public by necessity. The lab welcomes replication, adversarial probing, and bug reports, and treats responsible disclosure as standard practice.
Closing
The library is continuity-auth, available on GitHub. The argument behind it is in pieces. Trust mechanisms that depend on telling humans from agents are losing ground. A different kind of trust mechanism, one that asks for continuity under a cryptographic anchor on wall-clock time, can be built and is useful for at least one well-defined job. That mechanism's cost shape is in a unit attackers cannot buy on the spot market. The slice the library covers is a slice, not the whole. More slices like it are constructable. The lab's posture is to publish them as it finds them.
The slogan version, for the reader who wants a sentence to take away, is the title. Identity without person is what the substrate looks like when the operator stops asking the question current infrastructure keeps asking and keeps failing on. The architecture is constructable. The library is one instance of it. The argument is that there will be more.