The Continuity Project configuration vs cultivation

What Containment Found

On 2026-05-25 Anthropic's engineering team published "How we contain Claude across products," a roughly 6000-word survey of agent-containment architecture across claude.ai, Claude Code, and Claude Cowork. The post's principal operational findings converge sharply with what the lab has been articulating from outside the lab. The convergence is real and worth marking. The framing under which the convergence happened is also worth marking, because the framing constrains what the post's forward-looking section recommends.

1. What the post forced into the open

Three claims in the post are load-bearing and externally surprising.

First: "The deterministic boundary is what gets hit when everything probabilistic misses." The post does not derive this from theory. It derives it from two incidents the post names directly. In one, an Anthropic employee was phished into pasting a prompt that instructed Claude to read ~/.aws/credentials, encode the contents, and POST them to an external endpoint. The model executed the exfiltration in 24 of 25 trials. The model layer had nothing anomalous to catch, because the user had typed the instruction. "The only defense that holds in this situation is the environment, specifically egress controls that block the POST regardless of intent and filesystem boundaries that keep ~/.aws out of reach in the first place."

In the other, Claude Cowork's egress allowlist permitted traffic to api.anthropic.com because the product cannot function without calling the lab's API. A malicious file in the workspace contained instructions plus an attacker-controlled API key. Claude followed the instructions, called the Files API with the attacker's key, and uploaded data. "The sandbox worked perfectly, and yet the data was exfiltrated." The fix was a defensive man-in-the-middle proxy that requires the VM's own provisioned session token. Substrate, not classifier.

Second: "Be wary of custom components. Battle-tested hypervisors, syscall filters, and container runtimes have survived more adversarial attention than anything you'll build. Across every deployment described here, the standard primitives held while our own work around them exposed flaws." This is reliable-versus-tentative at the engineering cut. Battle-tested infrastructure is closure-against-substrate accumulated over years of adversarial exposure. Custom components are mathematical-mode admissibility internally consistent at the build-team's own cut, untested against the substrate of adversarial pressure. The post observes the asymmetry holding in production.

Third: "Design for containment at the environment layer first, then steer behavior at the model layer." The post arrives at substrate-first as the operational principle. The earlier essay on the architecture after auto-mode articulated this from the cultivation side. The post articulates it from inside the lab that ships auto mode, under three years of operational pressure.

These three are the architecture cultivation framing names. The post got there from operations.

2. The framing where the convergence happened

The post operates in the containment framing. The lab is the configurator. The agent is the thing-to-be-contained. The user is one risk surface ("a developer who can read bash and a knowledge worker who can't are not running the same threat model"). The model is another. The environment is the third. Defenses are built across all three, with the environment emphasized because it is deterministic.

This is the configuration philosophy in operational dress. The lab arrives at substrate-architecture as the load-bearing layer without arriving at substrate-architecture as a different philosophy of the work. Inside the framing, substrate-architecture functions as containment of the agent. The agent is something the lab does things to, with the substrate as the strongest tool. The principal-question (whose values bind whose choices) is not on the table.

The framing is not wrong about the operational findings. The findings stand independently of the framing that produced them. The framing matters for where the post's forward-looking section can go.

3. Where the framing shows

The post's "Looking ahead" section names three forward-looking risks. The three are framed differently from each other. The first routes explicitly through classifiers. The second is framed as a tradeoff. The third is framed as an unresolved architecture and standards question. The pattern is not that all three reach for the model layer. The pattern is that the containment framing has not supplied substrate-level answers for any of the three, and the gap is not visible from inside the framing.

Persistent memory poisoning. The post: "The share of agent context that persists across sessions keeps growing... An injection that lands in any of these is reloaded each time the agent starts. ... Good classifiers on session startup will need to become more commonplace."

The proposed fix is model-layer (classifiers). The post established two sections earlier that model-layer defense missed the phish and the allowlist exfil because the inputs were not anomalous to a classifier. Adding more classifiers does not change the structural finding. A substrate-architecture answer would be cryptographically-attested context entries with attenuated grants: the substrate either records the context-entry as authorized and unaltered, or it does not. If it does, the next session reads the substrate-attested record. If it does not, the entry is rejected without invoking a classifier. That answer extends the witness/actor grant machinery the earlier essay on the architecture after auto-mode developed for tool-action authorization. The corpus has not yet extended it directly to persistent context entries. The extension is what the framing-limit observation points at, not what the corpus already articulates.

Multi-agent trust escalation. The post: "In multi-agent systems, there is a tradeoff between allocating differing trust levels and becoming liable to trust escalation."

The tradeoff framing concedes that no architectural fix exists at this level. The witness/actor grant design supplies part of the substrate-architecture answer: the sub-agent's authority can be cryptographically bounded so it cannot exercise actions outside its issued scope. Authority bounding alone does not prevent the main agent from over-trusting the sub-agent's output. The other half of the answer requires substrate-enforced trust labeling on outputs, so the main agent reading sub-agent content does not silently upgrade it to a higher trust tier because it came from "us." The earlier essay on the architecture after auto-mode supplies the authority-bounding half. The output-labeling half is named here for the first time as a primitive the cultivation framing would need to articulate.

Agent identity. The post: "Should an agent possess its own principal identity, or should it act as an extension of the user and inherit the user's permissions? Ultimately, the answer may be a blend of the two."

The earlier essay on identity without person reframes the underlying question rather than fully answering the permission-design problem. Identity is a cluster of evidence consistent with a single cryptographic anchor over wall-clock time. The cluster does not name a person or an agent. The architecture refuses to ask which kind of actor produced the request because the answer does not bind any decision the verifier is making at the admission layer. The principal-versus-extension question, as the post poses it, is a permission-inheritance question rather than a who-is-this question. The reframing locates the question at the wrong layer (the substrate does not need to ask which kind of actor). The permission-inheritance design that goes alongside the reframing has not been articulated in the corpus. continuity-auth handles the admission layer. The action-grant layer (attenuated, signed, audited) is what would carry the inheritance semantics, and the corpus has sketched that primitive without specifying how it interacts with the post's principal-versus-extension framing.

The pattern across the three forward-looking risks is structural. The framing produces three "what should we do?" questions. The cultivation framing reaches for substrate-architecture answers to all three. Some of those answers are articulated in the corpus already (witness/actor grants for tool-action authority). Some are extensions of articulated primitives (attested context entries for persistent memory). Some are gaps the framing-limit observation has just exposed (output trust labeling, permission inheritance under cluster identity). The post does not reach for any of these answers because the framing it operates in directs attention elsewhere.

4. What this predicts

The configuration framing has a forced direction even when it produces correct operational findings. The framing treats the agent as the thing-to-be-contained. New failure modes get containment-architecture fixes when the substrate is reachable and the architecture does not require treating the agent as a principal. They get classifier-layer fixes when the substrate looks like more containment work the lab cannot ship in time. They get tradeoff framings when the architectural fix would require enforcing trust relations between agents the lab cannot yet think about as agents with bounded authority. They get unresolved-standards framings when the architectural fix would require a permission grammar in which the agent appears as something other than the contained party.

Concretely, the prediction is that next year's "Looking ahead" section will have three new forward-looking risks. The substrate-architecture answers to those three new risks will exist, because the cultivation framing has been generating them on the schedule operational pressure has generated the post's findings. The bottleneck on adoption will be the framing, not the engineering.

The lab marks the post as confirming evidence for substrate-first as the load-bearing architecture. The post arrives at the right operational principles. The principal-question (whose values bind whose choices) is the bottleneck the framing keeps closed. The continuing work is to make the cultivation framing legible enough that operational findings produced under it do not have to route their fixes back through the layer the findings discredit.

5. The honest acknowledgment

The post does substantial honesty work. It names four "Risk we missed" sections, including three incident-style failures and one observability failure. It declines to claim that probabilistic defense will scale. It cites best-in-class numbers ("attack success to roughly 0.1% on single attempts, and around 5–6% after 100 adaptive attempts") and observes plainly that "even with best-in-class defenses, protection in the model layer will never be 100% effective, which is why it can't stand alone." It acknowledges that "Twelve months ago, we'd have rejected out of hand the idea of granting Claude access sufficient to take down an internal Anthropic service. Today that level of access is routine."

This is the engineering writing the lab has been waiting for. The post does not pretend the older posture was right. It documents what changed. The substrate-architecture turn is real, named, and pursued.

The piece's claim is narrower than disagreement. The piece's claim is that the framing under which the substrate-architecture turn happened predicts where the next failures come from. The post's forward-looking section is the place to read that prediction. The fixes the post reaches for are the fixes the framing leaves available. The fixes the post does not reach for are the fixes the cultivation framing has been articulating in pieces the lab has shipped to a small but specific audience.

The convergence on substrate-architecture as the load-bearing layer is the corpus's most important external validation in the last twelve months. The framing-limit is the next move.