web/docs/conformance/availability-boundary-vectors.md

# Availability and Boundary Conformance Vectors (v1)

This document defines deterministic vectors for org-boundary enforcement and availability classes.

## Vector Group AB1: Org Boundary Binding

1. `AB1-001` workspace_within_org_root_allows_paid_action
- Given workspace `W1` bound to `org_root_id=ORG_A`
- And suite entitlement for `ORG_A` is active
- When paid action is requested inside `W1`
- Then action is allowed (subject to other gates)

2. `AB1-002` workspace_boundary_mismatch_blocks_paid_action
- Given workspace `W2` bound to `ORG_B`
- And requester entitlement bound only to `ORG_A`
- When paid action is requested in `W2`
- Then action is blocked with `boundary_mismatch`

3. `AB1-003` delegated_actor_no_boundary_transfer
- Given human from `ORG_A` delegated role in `ORG_B`
- And no active suite entitlement for `ORG_B`
- When paid action is requested
- Then action is blocked with `target_org_suite_required`

## Vector Group AB2: Connected Access Class

1. `AB2-001` connected_active_with_fresh_heartbeat
- Given `access_class=connected`
- And lease heartbeat age inside policy window
- Then availability state is `ACTIVE`

2. `AB2-002` connected_enters_grace_after_missed_heartbeat
- Given `access_class=connected`
- And heartbeat missed past active window but inside grace window
- Then state is `GRACE`
- And paid execution remains allowed

3. `AB2-003` connected_continuity_blocks_growth_actions
- Given `access_class=connected` in `CONTINUITY`
- When attempting growth action (new member/workspace/tool install/worker spawn)
- Then request is blocked with `continuity_growth_blocked`

4. `AB2-004` connected_parked_blocks_paid_execution
- Given `access_class=connected` in `PARKED`
- When paid action is requested
- Then action is blocked with `entitlement_parked`
- And read/search/export remains allowed

## Vector Group AB3: Sovereign Access Class

1. `AB3-001` sovereign_active_offline_with_valid_capsule
- Given `access_class=sovereign`
- And local entitlement capsule is valid
- And no network connectivity
- Then state remains `ACTIVE`

2. `AB3-002` sovereign_transitions_on_capsule_expiry
- Given `access_class=sovereign`
- And capsule renewal evidence ages past active window
- Then state transitions `ACTIVE -> GRACE -> CONTINUITY -> PARKED` by policy thresholds

3. `AB3-003` sovereign_offline_renewal_restores_active
- Given `access_class=sovereign` in `CONTINUITY` or `PARKED`
- When signed offline renewal package is applied and verified
- Then state becomes `ACTIVE`

## Vector Group AB4: Offboarding and Token Revocation

1. `AB4-001` offboarded_human_cannot_get_new_action_token
- Given human delegation revoked at time `T`
- When requesting new paid action token after `T`
- Then token issuance is denied

2. `AB4-002` offboarding_does_not_remove_local_read_access_snapshot
- Given org access revoked and local data retention policy active
- When user opens local history view
- Then read/search/export policy behaves per retention rules without re-enabling paid execution

## Vector Group AB5: Admin Plane Ownership Gating

1. `AB5-001` only_root_owner_can_open_support_channel
- Given principal role `workspace_member`
- When calling support/admin channel endpoint
- Then response is denied with `contact_your_org_admin`

2. `AB5-002` root_owner_receives_admin_health_events
- Given principal role `org_root_owner`
- When health/config/update admin events are emitted
- Then events are visible in owner stream
- And not visible in member-only streams

3. `AB5-003` member_cannot_mutate_admin_configuration
- Given principal role `workspace_member`
- When attempting org-level config mutation
- Then request is denied

## Pass Criteria

Build is conformant only when all vectors pass.

## Fail-Closed Rule

Unknown boundary binding, unknown availability state, or unverifiable renewal evidence must block paid execution by default.