web/docs/conformance/availability-boundary-vectors.md

Availability and Boundary Conformance Vectors (v1)

This document defines deterministic vectors for org-boundary enforcement and availability classes.

Vector Group AB1: Org Boundary Binding

  1. AB1-001 workspace_within_org_root_allows_paid_action
  • Given workspace W1 bound to org_root_id=ORG_A
  • And suite entitlement for ORG_A is active
  • When paid action is requested inside W1
  • Then action is allowed (subject to other gates)
  2. AB1-002 workspace_boundary_mismatch_blocks_paid_action
  • Given workspace W2 bound to ORG_B
  • And requester entitlement bound only to ORG_A
  • When paid action is requested in W2
  • Then action is blocked with boundary_mismatch
  3. AB1-003 delegated_actor_no_boundary_transfer
  • Given human from ORG_A delegated role in ORG_B
  • And no active suite entitlement for ORG_B
  • When paid action is requested
  • Then action is blocked with target_org_suite_required
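The AB1 group pins down the order in which the boundary gate must evaluate its two conditions: a requester with no binding to the workspace's org fails with boundary_mismatch before the target org's suite is even consulted, while a requester who is delegated into the org but whose home entitlement does not transfer fails with target_org_suite_required. The following Python is an added worked example, not code from the page or the project it documents; the Workspace, Requester and check_org_boundary names, the tuple-of-(allowed, reason) decision shape and the unknown_boundary_binding reason code for an unbound workspace are assumptions made for the illustration, and the requester names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Identifiers taken from the vector text; the principals below are constructed.
ORG_A, ORG_B = "ORG_A", "ORG_B"


@dataclass(frozen=True)
class Workspace:
    workspace_id: str
    org_root_id: Optional[str]  # None models a workspace whose boundary binding is unknown


@dataclass(frozen=True)
class Requester:
    principal_id: str
    home_org_id: str  # org whose suite entitlement the requester is bound to
    delegated_org_ids: FrozenSet[str] = frozenset()  # orgs where the human holds a delegated role


Decision = Tuple[bool, str]  # (allowed, reason code)


def check_org_boundary(ws: Workspace, requester: Requester,
                       active_suite_orgs: FrozenSet[str]) -> Decision:
    """Gate a paid action on org-boundary binding (vectors AB1-001..003).

    active_suite_orgs holds the org_root_ids with an active suite entitlement.
    Only the boundary gate is modelled: a True result is still "subject to other
    gates" (availability, token, role) as AB1-001 says.
    """
    # Fail-closed rule: an unknown boundary binding never allows paid execution.
    if ws.org_root_id is None:
        return False, "unknown_boundary_binding"
    target = ws.org_root_id

    # AB1-002: no binding (home or delegated) to the workspace's org at all.
    if target != requester.home_org_id and target not in requester.delegated_org_ids:
        return False, "boundary_mismatch"

    # AB1-003: a delegated role does not carry the home org's entitlement across
    # the boundary; the target org needs its own active suite.
    if target not in active_suite_orgs:
        return False, "target_org_suite_required"

    return True, "allowed"


def run_ab1_vectors() -> dict:
    """Evaluate the AB1 vectors plus the fail-closed case; return {vector_id: reason_code}."""
    w1 = Workspace("W1", ORG_A)
    w2 = Workspace("W2", ORG_B)
    alice = Requester("alice", home_org_id=ORG_A)  # entitlement bound only to ORG_A
    bob = Requester("bob", home_org_id=ORG_A, delegated_org_ids=frozenset({ORG_B}))
    only_a_active = frozenset({ORG_A})  # ORG_B has no active suite entitlement

    return {
        "AB1-001": check_org_boundary(w1, alice, only_a_active)[1],
        "AB1-002": check_org_boundary(w2, alice, only_a_active)[1],
        "AB1-003": check_org_boundary(w2, bob, only_a_active)[1],
        # Fail-closed: workspace with no recorded org_root_id.
        "AB1-unbound": check_org_boundary(Workspace("W3", None), alice, only_a_active)[1],
    }


if __name__ == "__main__":
    for vector_id, reason in run_ab1_vectors().items():
        print(vector_id, reason)
```

The check order matters for determinism: if the suite check ran first, AB1-002 with an ORG_B that also lacks a suite would report target_org_suite_required instead of the boundary_mismatch the vector requires.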

Vector Group AB2: Connected Access Class

  1. AB2-001 connected_active_with_fresh_heartbeat
  • Given access_class=connected
  • And lease heartbeat age inside policy window
  • Then availability state is ACTIVE
  2. AB2-002 connected_enters_grace_after_missed_heartbeat
  • Given access_class=connected
  • And heartbeat missed past active window but inside grace window
  • Then state is GRACE
  • And paid execution remains allowed
  3. AB2-003 connected_continuity_blocks_growth_actions
  • Given access_class=connected in CONTINUITY
  • When attempting growth action (new member/workspace/tool install/worker spawn)
  • Then request is blocked with continuity_growth_blocked
  4. AB2-004 connected_parked_blocks_paid_execution
  • Given access_class=connected in PARKED
  • When paid action is requested
  • Then action is blocked with entitlement_parked
  • And read/search/export remains allowed

Vector Group AB3: Sovereign Access Class

  1. AB3-001 sovereign_active_offline_with_valid_capsule
  • Given access_class=sovereign
  • And local entitlement capsule is valid
  • And no network connectivity
  • Then state remains ACTIVE
  2. AB3-002 sovereign_transitions_on_capsule_expiry
  • Given access_class=sovereign
  • And capsule renewal evidence ages past active window
  • Then state transitions ACTIVE -> GRACE -> CONTINUITY -> PARKED by policy thresholds
  3. AB3-003 sovereign_offline_renewal_restores_active
  • Given access_class=sovereign in CONTINUITY or PARKED
  • When signed offline renewal package is applied and verified
  • Then state becomes ACTIVE
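Groups AB2 and AB3 describe one state machine driven by the age of the most recent freshness evidence (a lease heartbeat for the connected class, a verified capsule renewal for the sovereign class), with per-state rules for read, paid and growth actions. The Python below is an added example that implements both groups and the document's fail-closed rule; it is not the project's code. The State, Action, Policy and Evidence types, the availability_state and gate_action functions, the threshold values (60/60/120 seconds) and the availability_state_unknown reason code are assumptions made for the illustration. Network connectivity is deliberately not an input: the sovereign class is judged on local evidence only, which is what AB3-001 requires.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class State(Enum):
    ACTIVE = "ACTIVE"
    GRACE = "GRACE"
    CONTINUITY = "CONTINUITY"
    PARKED = "PARKED"


class Action(Enum):
    READ = "read"      # read / search / export
    PAID = "paid"      # paid execution
    GROWTH = "growth"  # new member / workspace / tool install / worker spawn


@dataclass(frozen=True)
class Policy:
    # Constructed thresholds in seconds; real policy windows are deployment-specific.
    active_window: int
    grace_window: int
    continuity_window: int


@dataclass(frozen=True)
class Evidence:
    """Most recent freshness evidence for the entitlement.

    connected: age of the last lease heartbeat
    sovereign: age of the last capsule renewal (evaluated from local data, no network)
    """
    age_s: int
    verified: bool = True  # False models a renewal package whose signature did not verify


def availability_state(access_class: str, ev: Optional[Evidence], policy: Policy) -> Optional[State]:
    """Derive the availability state; None means unknown and must block downstream."""
    if access_class not in ("connected", "sovereign") or ev is None:
        return None
    if not ev.verified or ev.age_s < 0:  # unverifiable evidence, or a clock that ran backwards
        return None
    age = ev.age_s
    if age <= policy.active_window:
        return State.ACTIVE
    if age <= policy.active_window + policy.grace_window:
        return State.GRACE
    if age <= policy.active_window + policy.grace_window + policy.continuity_window:
        return State.CONTINUITY
    return State.PARKED


def gate_action(state: Optional[State], action: Action) -> Tuple[bool, str]:
    """Apply the per-state allow/block rules of AB2 and AB3 to one action."""
    if state is None:
        return False, "availability_state_unknown"  # fail-closed rule
    if action is Action.READ:
        return True, "allowed"                      # read/search/export survive every state
    if state is State.PARKED:
        return False, "entitlement_parked"          # AB2-004
    if state is State.CONTINUITY and action is Action.GROWTH:
        return False, "continuity_growth_blocked"   # AB2-003
    return True, "allowed"                          # ACTIVE and GRACE keep paid execution


def run_availability_vectors() -> dict:
    """Evaluate AB2 and AB3 with constructed ages; return {vector_id: observed value}."""
    p = Policy(active_window=60, grace_window=60, continuity_window=120)

    def heartbeat(age: int) -> Optional[State]:
        return availability_state("connected", Evidence(age), p)

    def capsule(age: int, verified: bool = True) -> Optional[State]:
        return availability_state("sovereign", Evidence(age, verified), p)

    return {
        "AB2-001": heartbeat(30).value,
        "AB2-002": heartbeat(90).value,
        "AB2-002-paid": gate_action(heartbeat(90), Action.PAID)[1],
        "AB2-003": gate_action(heartbeat(150), Action.GROWTH)[1],
        "AB2-004": gate_action(heartbeat(400), Action.PAID)[1],
        "AB2-004-read": gate_action(heartbeat(400), Action.READ)[1],
        "AB3-001": capsule(10).value,  # valid capsule, connectivity irrelevant
        "AB3-002": [capsule(a).value for a in (30, 90, 150, 400)],  # ageing through each threshold
        "AB3-003": capsule(0).value,   # verified offline renewal resets evidence age to 0
        "unverified": gate_action(capsule(0, verified=False), Action.PAID)[1],
        "unknown-class": gate_action(availability_state("hybrid", Evidence(0), p), Action.PAID)[1],
    }


if __name__ == "__main__":
    for vector_id, observed in run_availability_vectors().items():
        print(vector_id, observed)
```

Growth actions in PARKED fall through to entitlement_parked rather than continuity_growth_blocked, on the reading that PARKED blocks all paid execution and growth is a subset of it; the page does not spell that case out, so treat that mapping as an assumption.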

Vector Group AB4: Offboarding and Token Revocation

  1. AB4-001 offboarded_human_cannot_get_new_action_token
  • Given human delegation revoked at time T
  • When requesting new paid action token after T
  • Then token issuance is denied
  2. AB4-002 offboarding_does_not_remove_local_read_access_snapshot
  • Given org access revoked and local data retention policy active
  • When user opens local history view
  • Then read/search/export policy behaves per retention rules without re-enabling paid execution
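The AB4 group separates two concerns that are easy to conflate in an offboarding flow: issuance of new paid-action tokens is tied to the delegation's revocation time, while local read/search/export after revocation is governed only by the retention policy. The Python below is an added example, not the project's code; Delegation, RetentionPolicy, issue_action_token, local_history_capabilities, the delegation_revoked reason code, the opaque token format and the timestamps are all constructed for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Delegation:
    principal_id: str
    org_root_id: str
    revoked_at: Optional[int]  # epoch seconds (time T in AB4-001); None while live


@dataclass(frozen=True)
class RetentionPolicy:
    """Constructed local data retention policy applied to the local history snapshot."""
    read: bool
    search: bool
    export: bool


def issue_action_token(d: Delegation, now: int) -> Tuple[Optional[str], str]:
    """Issue a new paid-action token, or refuse once the delegation is revoked (AB4-001)."""
    if d.revoked_at is not None and now >= d.revoked_at:
        return None, "delegation_revoked"
    # Opaque constructed token; a real issuer would bind and sign principal, org and expiry.
    return f"tok-{secrets.token_hex(8)}", "issued"


def local_history_capabilities(d: Delegation, retention: RetentionPolicy, now: int) -> dict:
    """Capabilities of the local history view (AB4-002).

    read/search/export follow the retention policy alone; paid_execution is derived
    from token issuance, so opening the view can never re-enable it after revocation.
    """
    token, _ = issue_action_token(d, now)
    return {
        "read": retention.read,
        "search": retention.search,
        "export": retention.export,
        "paid_execution": token is not None,
    }


def run_ab4_vectors() -> dict:
    """Evaluate AB4 around a constructed revocation time T; return {vector_id: observed}."""
    T = 1_700_000_000
    carol = Delegation("carol", "ORG_A", revoked_at=T)
    retention = RetentionPolicy(read=True, search=True, export=False)
    return {
        "AB4-001-before-T": issue_action_token(carol, T - 1)[1],
        "AB4-001": issue_action_token(carol, T + 1)[1],
        "AB4-001-at-T": issue_action_token(carol, T)[1],  # revocation takes effect at T itself
        "AB4-002": local_history_capabilities(carol, retention, T + 3600),
    }


if __name__ == "__main__":
    for vector_id, observed in run_ab4_vectors().items():
        print(vector_id, observed)
```

Whether revocation is effective at exactly T or strictly after it is not stated on the page; the example treats T itself as revoked, which is the safer reading for a fail-closed system.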

Vector Group AB5: Admin Plane Ownership Gating

  1. AB5-001 only_root_owner_can_open_support_channel
  • Given principal role workspace_member
  • When calling support/admin channel endpoint
  • Then response is denied with contact_your_org_admin
  2. AB5-002 root_owner_receives_admin_health_events
  • Given principal role org_root_owner
  • When health/config/update admin events are emitted
  • Then events are visible in owner stream
  • And not visible in member-only streams
  3. AB5-003 member_cannot_mutate_admin_configuration
  • Given principal role workspace_member
  • When attempting org-level config mutation
  • Then request is denied
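AB5 gates the admin plane on the principal's role in two directions: inbound calls (support channel, org-level config mutation) and outbound admin events (health/config/update), which must reach owner streams only. The Python below is an added example rather than project code; the Principal and AdminEvent types, the ADMIN_PLANE endpoint table, the call_admin_plane and fan_out_admin_event functions and the unknown_endpoint reason code are assumptions made for the illustration, and the stream names are constructed. The role strings workspace_member and org_root_owner come from the vector text.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

OWNER = "org_root_owner"
MEMBER = "workspace_member"


@dataclass(frozen=True)
class Principal:
    principal_id: str
    role: str


# Constructed allow-list: admin-plane endpoint -> roles permitted to call it.
# Every endpoint here is owner-only; an endpoint missing from the table is refused.
ADMIN_PLANE: Dict[str, frozenset] = {
    "support_channel": frozenset({OWNER}),
    "org_config_mutation": frozenset({OWNER}),
}


def call_admin_plane(p: Principal, endpoint: str) -> Tuple[bool, str]:
    """Role-gate an admin-plane call (AB5-001, AB5-003)."""
    allowed_roles = ADMIN_PLANE.get(endpoint)
    if allowed_roles is None:
        return False, "unknown_endpoint"  # fail closed on an admin surface not in the table
    if p.role not in allowed_roles:
        if endpoint == "support_channel":
            return False, "contact_your_org_admin"  # AB5-001: steer members to their admin
        return False, "denied"  # AB5-003
    return True, "allowed"


@dataclass(frozen=True)
class AdminEvent:
    kind: str  # health | config | update
    detail: str


def fan_out_admin_event(ev: AdminEvent, streams: Dict[str, Principal]) -> Dict[str, List[AdminEvent]]:
    """Deliver an admin event only to streams owned by an org_root_owner (AB5-002).

    streams maps a stream id to the principal subscribed to it; every stream gets an
    entry in the result so the test can show member streams stayed empty.
    """
    delivered: Dict[str, List[AdminEvent]] = {sid: [] for sid in streams}
    for sid, p in streams.items():
        if p.role == OWNER:
            delivered[sid].append(ev)
    return delivered


def run_ab5_vectors() -> dict:
    """Evaluate AB5 with constructed principals; return {vector_id: observed}."""
    owner = Principal("owner-1", OWNER)
    member = Principal("member-1", MEMBER)
    streams = {"owner-stream": owner, "member-stream": member}
    health = AdminEvent("health", "worker pool degraded")  # constructed event
    delivered = fan_out_admin_event(health, streams)
    return {
        "AB5-001": call_admin_plane(member, "support_channel")[1],
        "AB5-001-owner": call_admin_plane(owner, "support_channel")[1],
        "AB5-002": {sid: len(evs) for sid, evs in delivered.items()},
        "AB5-003": call_admin_plane(member, "org_config_mutation")[1],
        "AB5-003-owner": call_admin_plane(owner, "org_config_mutation")[1],
        "unknown-endpoint": call_admin_plane(owner, "debug_console")[1],
    }


if __name__ == "__main__":
    for vector_id, observed in run_ab5_vectors().items():
        print(vector_id, observed)
```

Keeping the endpoint allow-list explicit means a newly added admin endpoint is refused for everyone until it is registered with a role set, which is the fail-closed default the page asks for.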

Pass Criteria

Build is conformant only when all vectors pass.

Fail-Closed Rule

Unknown boundary binding, unknown availability state, or unverifiable renewal evidence must block paid execution by default.