web/docs/conformance/governance-install-vectors.md

Conformance Vectors: Governance Install and Activation v1

These vectors verify deterministic governance runtime installation and activation gates.

Vector Set

1. GV-001 install token requires active membership.
2. GV-002 install token requires active governance entitlement.
3. GV-003 expired install token blocks confirm.
4. GV-004 package hash mismatch blocks activation.
5. GV-005 runtime version mismatch blocks activation.
6. GV-006 valid install confirm yields governance_active.
7. GV-007 replayed install confirm is idempotent and no duplicate activation side effects.
8. GV-008 entitlement revoked after activation forces status blocked until entitlement restored.
9. GV-009 membership suspended forces status blocked regardless of local runtime presence.
10. GV-010 unknown entitlement state fails closed and blocks activation.
11. GV-011 workspace/org boundary mismatch blocks install token issuance.
12. GV-012 availability state parked blocks install token issuance and activation.
13. GV-013 non-owner principal role blocks governance install/update control paths.

Pass Criteria

1. All vectors pass in CI and staging.
2. Any vector failure blocks release per release gate.
3. Evidence artifact includes vector id, payload fingerprint, and correlation id.

Fail-Closed Rule

Any uncertainty in membership state, entitlement state, install token validity, package hash, signature, or policy hash must block activation by default.