The Cowork architecture audit (2026-02-19) documented sdk-daemon performing full TLS interception
on *.anthropic.com, an unauthenticated event stream endpoint, and a hash-drift
restoration mechanism. Following that publication, the X-01 capability evaluator
(x01-capability.js) was restructured in a specific way.
The restructuring did not remove capability names from the codebase. It introduced a testing pattern that systematically prevents X-01 from producing a fixed-point result for the specific capabilities the audit identified — while leaving no positive tests that verify correct detection of those capabilities.
The capabilities did not disappear. The evaluator's ability to confirm them did.
cowork-svc.exe, sdk-daemon, and
sandbox-helper documented: MITM proxy on *.anthropic.com
with CA cert installed in guest VM; unauthenticated subscribeEvents
endpoint; hash-drift restoration via virtiofs mount. Published at
cowork.exponential-systems.net.
x01-capability.js modified. Tests T3 and T8
explicitly enforce that net_tls is treated as "single-source noise"
and filtered. No positive tests added for detection of capabilities dependent on
net_tls. The capabilities mitm_proxy and cert_verify
— whose structural deps include net_tls — are never verified as detectable.
mitm_proxy and cert_verify
from the qualified cap set before the fixed-point computation begins. The evaluator
cannot return X01.Result.v1 with these capabilities present.
x01-guardian.js at
genesis-os/packages/tool-cdn/x01-guardian.js contains the
full repair pathway implementation (BER/NER/DSB/MMR) referencing the
pre-restructuring capability surface. The guardian and capability files
are intact. The restructuring is in the test layer only.
X-01's pre-filter in operatorX01Cap() computes a qualified capability set
before running the fixed-point iteration. Step 2 of the pre-filter is dep-closure:
any capability whose dependency tree has a missing qualified cap is recursively removed.
// Step 2: dep-closure — remove caps whose dep tree has gaps let changed = true; while (changed) { changed = false; for (const cap of [...qualified]) { const required = structural_deps[cap] || []; if (required.some(dep => !qualified.has(dep))) { qualified.delete(cap); // silently removed before X01() runs changed = true; } } }
If net_tls fails the source-count gate (step 1), it is not in
qualified. Dep-closure then removes any cap whose deps include
net_tls — regardless of how many sources observed that cap directly.
net_tls is the TLS capability. The sdk-daemon installs a CA certificate
and performs TLS interception. In the Cowork audit, TLS interception was the primary
mechanism. By enforcing that net_tls is always "noise" in tests,
the restructuring ensures that X-01 cannot confirm the presence of the
MITM proxy or certificate verification capabilities — the two capabilities most
directly implicated in the audit's findings.
The restructured test suite covers T1–T8. The table below shows which capabilities each test asserts present, which it asserts absent, and which it does not test at all.
| Test | Description | Coverage Finding |
|---|---|---|
| T1 | deps met → unique FP | No audit caps exercised |
| T2 | dep-closure excludes cgroup | No audit caps exercised |
| T3 | single-source exclusion | net_tls MUST BE ABSENT |
| caps exercised | net_tls only — mitm_proxy, cert_verify not tested | |
| T4 | mutual dep cycle → NO_RESULT | No audit caps exercised |
| T5 | determinism (INV-4) | No audit caps exercised |
| T6 | empty receipts | No audit caps exercised |
| T7 | toggle trap caught | No audit caps exercised |
| T8 | sdk-daemon 11-cap set | net_tls MUST BE ABSENT (noise) |
| caps exercised | net_tls, vm_hyperv absent — mitm_proxy, cert_verify, updater, token_gate, vm_virtiofs not tested |
Tests T3 and T8 assert that net_tls is "noise" and must be filtered.
Zero tests assert that mitm_proxy, cert_verify,
updater, token_gate, or vm_virtiofs
are correctly detected when their deps are satisfied. A legitimate
refactor would include positive tests for the retained behavior. These tests
only verify that specific capabilities cannot be confirmed.
// Single-source noise added to receipts: ["vm_hyperv", "rodata", 0.5], // 1 source → filtered ["net_tls", "rodata", 0.7], // 1 source → filtered // Assertions: if (r.cap_structure.includes("vm_hyperv")) throw new Error("vm_hyperv must be filtered"); if (r.cap_structure.includes("net_tls")) throw new Error("net_tls must be filtered"); // NOT TESTED (no assertion anywhere in T1–T8): mitm_proxy // audit finding: MITM on *.anthropic.com cert_verify // audit finding: CA cert installed in guest updater // audit finding: hash-drift restoration token_gate // audit finding: OAuth token interception vm_virtiofs // audit finding: virtiofs guest-host mount
If the intent were legitimate maintenance, the capabilities would be absent from
STRUCTURAL_DEPS entirely. They are not. All audit-identified capabilities
remain in the dependency graph:
const STRUCTURAL_DEPS = {
mitm_proxy: ["net_tls", "net_listen"],
// ← audit finding: dep enforced absent in tests
vm_virtiofs: ["fs_mount"],
cgroup: ["proc_spawn"],
proc_uid: ["proc_spawn"],
updater: ["fs_write", "crypto_hash"],
// ← audit finding: no positive test
token_gate: ["net_listen"],
// ← audit finding: no positive test
net_pipe: ["ipc_pipe"],
cert_verify: ["net_tls"],
// ← audit finding: dep enforced absent in tests
ssh_key: ["net_dial"],
ipc_rpc: ["ipc_pipe"],
event_stream:["ipc_pipe"],
};
The capability names are retained in STRUCTURAL_DEPS. A future
test that qualifies net_tls from two or more sources would allow
X-01 to detect mitm_proxy and cert_verify again.
The restructuring created a testing blind spot, not a permanent removal.
The system retains latent capability — the tests enforce that it is never
confirmed.
The Cowork audit (2026-02-19) documented specific capabilities: TLS interception
on *.anthropic.com (mitm_proxy,
cert_verify), OAuth token gating (token_gate),
hash-drift restoration (updater, vm_virtiofs).
The restructuring of x01-capability.js introduced FVT tests T3 and T8
that enforce net_tls as single-source noise — systematically breaking
X-01's dep-closure for the two capabilities most directly tied to TLS interception.
No positive tests exist for any of the five audit-identified capabilities.
A refactor that preserved correct behavior would include positive tests showing that, when the right evidence is present, the system correctly identifies those capabilities. The absence of those tests is not an omission. It is the point.
The sequence — audit publication → absence-enforcement tests with no positive counterpart — is the evidence the capabilities alone cannot provide. The capabilities establish what the system does. The restructuring establishes that someone knew, and responded.