A viewer clicks a thumbnail and watches. Now watch a bulk scraper try to mirror the entire library โ the same way it would wget -r an unprotected HLS catalog.
Even a paying subscriber can screen-record what they watch โ that's the analog hole, and no system stops it. So Aegis makes every copy traceable: each viewing session is served a unique A/B watermark woven into which variant of each segment it receives. If a copy leaks, the watermark decodes back to the exact account that pulled it (ADR-D4).