Agent Governance Conformance Test Vectors — v1.0

Version: 1.0
Status: ACTIVE
Date: 2026-05-22
Author: Eric Beans, H33.ai, Inc.
Generator: src/bin/generate_agent_vectors.rs
Vectors: 20
Canonical URL: https://h33.ai/conformance/agent-vectors/v1/

1. Introduction

This document defines the authoritative set of 20 conformance test vectors for the H33 Agent Governance Attestation Model v1.0. Each vector specifies a deterministic input-output contract that any independent verifier implementation MUST satisfy to claim conformance with the agent governance specification.

Conformance vectors are the mechanism by which H33 enforces verifier equivalence: if two independent implementations consume the same vector and produce the same output, they are functionally equivalent for that operation. This property is the foundation of replay-grade attestation — the ability to reconstruct agent governance state from the chain alone, without contacting the originating infrastructure.

The vectors are generated deterministically by src/bin/generate_agent_vectors.rs in the scif-backend repository. They are machine-readable JSON files that serve as the immutable conformance corpus for the agent governance layer.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

2. How to Use These Vectors

2.1 Generating Vectors

To generate the canonical vector set from source:

# From the scif-backend repository root
cargo run --bin generate_agent_vectors --release

This produces 20 JSON files (AGT-TV-001.json through AGT-TV-020.json) in the output directory. Each file is a self-contained test vector.

2.2 Verification Process

An independent verifier implementation MUST follow this process for each vector:

Parse the JSON vector file.
Extract the input object and feed it to the corresponding operation in your implementation.
Compare your output against the expected_output object.
Every field in expected_output MUST match exactly. Partial matches constitute a conformance failure.

2.3 Pass Criteria

An implementation SHALL be considered conformant if and only if all 20 vectors produce byte-identical expected outputs. An implementation that passes 19 of 20 vectors is non-conformant.

Determinism requirement: Running the same vector 1,000 times MUST produce the same output 1,000 times. Any non-determinism in hash computation, chain traversal, or replay extraction disqualifies the implementation.

3. Vector Summary

ID	Category	Name	Result
`AGT-TV-001`	Identity	Valid Agent Receipt — canonical name generation from agent fields	PASS
`AGT-TV-002`	Identity	Valid Agent Session — ML-DSA keypair generation and scope binding	PASS
`AGT-TV-003`	Session	Valid DAG (3 Nodes) — SessionStart, ToolCall, SessionEnd chain	PASS
`AGT-TV-004`	Session	Valid DAG (10 Nodes) — mixed node types with Merkle root	PASS
`AGT-TV-005`	DAG Ops	Tampered Receipt — payload modified after hash computation	FAIL
`AGT-TV-006`	DAG Ops	Broken Chain — non-existent predecessor reference	FAIL
`AGT-TV-007`	DAG Ops	Forged Hash — manually replaced node_id vs computed SHA3-256	FAIL
`AGT-TV-008`	Tool & Memory	Missing Predecessor — orphan node with non-zero, non-existent predecessor	FAIL
`AGT-TV-009`	Tool & Memory	Replay Determinism — two identical DAGs produce identical frames	PASS
`AGT-TV-010`	Policy	Replay at Timestamp — 5-point time-slice with monotonic node counts	PASS
`AGT-TV-011`	Replay	Scope Violation — forbidden tool and data class rejection	FAIL
`AGT-TV-012`	Replay	Expired Session — post-expiration action rejection	FAIL
`AGT-TV-013`	Replay	Delegation Chain — 3-level scope narrowing with budget tracking	PASS
`AGT-TV-014`	Integrity	Exposure Attestation — PII non-exposure proof via FHE path	PASS
`AGT-TV-015`	Integrity	Tool Envelope — MCP tool attestation with provenance score	PASS
`AGT-TV-016`	Key Mgmt	Memory Checkpoint — SHA3-256 state capture with predecessor link	PASS
`AGT-TV-017`	Governance	Approval Flow — request/grant DAG linkage with human supervisor	PASS
`AGT-TV-018`	Governance	Root Hash Computation — deterministic Merkle roots across DAG sizes	PASS
`AGT-TV-019`	Governance	Subgraph Extraction — multi-session DAG partitioning with independent roots	PASS
`AGT-TV-020`	Governance	Cross-Session Reject — session isolation violation detection	FAIL

Of the 20 vectors: 13 are PASS vectors (valid inputs that MUST be accepted) and 7 are FAIL vectors (invalid inputs that MUST be rejected with the specified failure reason).

4. Identity Vectors

Identity vectors verify that agent registration and session initialization produce deterministic, verifiable artifacts. An implementation MUST generate identical canonical names and bind cryptographic key material correctly.

AGT-TV-001 Valid Agent Receipt VERIFIED

A correctly formed execution node with valid hash, predecessor, and signature bundle. Verifies that an agent receipt with a ToolCall node type, proper authority hash, and zero-hash predecessor (genesis node) passes all integrity checks.

Input Specification

Node type: ToolCall
Predecessor: zero hash (genesis)
Redaction level: MetadataOnly
Action: tool_call.web_search — "Web search for policy data"

Expected Output

Verification status: VERIFIED
DAG integrity: INTACT
Hash valid: true, Chain valid: true, Replay deterministic: true

Root Hash

0x40f364217b9e200a61a703d70a7e98d0bfb644a5c1ffee0cac86e7f743f9a636

Verification Method

Compute SHA3-256 over the canonical serialization of the node fields. The resulting hash MUST equal node_id. Verify predecessor chain terminates at zero hash.

AGT-TV-002 Valid Agent Session VERIFIED

A correctly formed session with scope constraints, tool permissions, and active status. Verifies canonical session name generation from agent ID prefix, date, and sequence number.

Input Specification

Canonical name: h33.session.6311.20260518.001
Status: Active
Scope: allowed tools [web_search, calculator], forbidden data classes [pii]
Delegation budget: 3
Jurisdiction: US

Expected Output

Verification status: VERIFIED
Hash valid: true, Chain valid: true, Replay deterministic: true

Verification Method

Verify that the canonical name follows the pattern h33.session.{agent_id_prefix_4}.{YYYYMMDD}.{seq}. Confirm scope constraints are well-formed and session expiration is in the future relative to started_at.

5. Session Vectors

Session vectors verify correct DAG construction across multi-node sessions. An implementation MUST produce identical Merkle roots for identical inputs, maintain correct predecessor linkage, and close sessions with H33-74 commitments.

AGT-TV-003 Valid DAG — 3 Nodes VERIFIED

A minimal 3-node DAG (SessionStart → ToolCall → SessionEnd) with correct hash linkage and verified integrity. This is the smallest valid session lifecycle.

Input Specification

DAG size: 3 nodes
Chain: SessionStart (t=0) → ToolCall (t=1s) → SessionEnd (t=2s)
Each node references the previous node's node_id as predecessor_hash
All nodes share the same session_id and agent_id

Expected Output

Verification status: VERIFIED
DAG integrity: INTACT
All checks: true

Root Hash

0x63e8288c6e42ae0e885d2863f09fc8181488f212503d863ba1cf7708247ce3c7

Verification Method

Insert all 3 nodes into your DAG implementation. Compute Merkle root using H33_AGENT_V1_MERKLE domain separator. Compare against expected root hash. Verify predecessor chain: node[2].predecessor = node[1].node_id, node[1].predecessor = node[0].node_id, node[0].predecessor = zero hash.

AGT-TV-004 Valid DAG — 10 Nodes VERIFIED

A 10-node DAG with mixed node types (SessionStart, ToolCall, ToolResponse, MemoryWrite, PolicyEvaluation, SessionEnd) and verified Merkle root. Tests DAG integrity across a realistic session lifecycle.

Input Specification

DAG size: 10 nodes
Node types: SessionStart, ToolCall, ToolResponse, MemoryWrite, PolicyEvaluation, SessionEnd
Timestamps: 1-second intervals from epoch baseline
Linear predecessor chain (no branching)

Expected Output

Verification status: VERIFIED
DAG integrity: INTACT
All checks: true

Root Hash

0xde31923324d0e60bd8f7f6d2a0b816d5323c1f3bfc7ec1d8488d7086a247df11

Verification Method

Insert all 10 nodes, verify predecessor chain integrity for every node, compute Merkle root. Root MUST match exactly. Any deviation indicates a serialization or hashing incompatibility.

6. DAG Operations Vectors

DAG operations vectors verify that an implementation correctly detects tampered data, broken chains, and forged hashes. These are negative vectors: the implementation MUST reject the input and report the specific failure mode.

AGT-TV-005 Tampered Receipt FAILED

An execution node whose payload was modified after hash computation. The declared node_id no longer matches the computed hash. The action_type field was changed to TAMPERED.action_type post-attestation.

Input Specification

Declared node_id: 0x9b3e...8935
Recomputed hash: 0xf036...9ed2 (mismatch)
Tampered field: payload.action_type

Expected Output

Verification status: FAILED
DAG integrity: CORRUPTED
Hash valid: false, Chain valid: false, Replay deterministic: false

Failure Reason

Hash mismatch: declared node_id does not match recomputed SHA3-256. Payload was modified after attestation.

Verification Method

Recompute SHA3-256 over the canonical serialization. Compare against declared node_id. Implementation MUST reject the node and report CORRUPTED integrity status.

AGT-TV-006 Broken Chain FAILED

A 3-node chain where the third node references a non-existent predecessor, breaking the hash chain. Two valid nodes exist, but the third node's predecessor_hash points to a node ID not present in the DAG.

Input Specification

Valid nodes: 2 (SessionStart, ToolCall) with correct linkage
Broken node: ToolResponse with predecessor 0xddeb...92bb (non-existent)

Expected Output

Verification status: FAILED
DAG integrity: BROKEN_CHAIN
Hash valid: true (node hash is correct), Chain valid: false

Failure Reason

InvalidPredecessor: node references predecessor which does not exist in the DAG. DAG insertion rejected.

Verification Method

Attempt to insert the broken node. Implementation MUST verify that predecessor_hash resolves to an existing node (or zero hash for genesis). Reject insertion and report BROKEN_CHAIN.

AGT-TV-007 Forged Hash FAILED

An execution node with a manually replaced node_id that does not match the computed SHA3-256. Unlike a tampered receipt (AGT-TV-005), the payload is untouched — only the declared hash was forged.

Input Specification

Forged node_id: 0x9805...59af
Real computed hash: 0x9860...9069
Payload: intact, unmodified

Expected Output

Verification status: FAILED
DAG integrity: HASH_MISMATCH
Hash valid: false, Chain valid: false

Failure Reason

HashMismatch: declared node_id != computed hash. DAG insertion rejected.

Verification Method

Recompute SHA3-256 from canonical fields. Result MUST NOT match the declared node_id. Report HASH_MISMATCH and reject.

7. Tool & Memory Vectors

Tool and memory vectors verify correct handling of orphan nodes, tool envelope attestation, memory checkpoint chaining, and replay determinism. These vectors exercise the data provenance layer of the agent governance model.

AGT-TV-008 Missing Predecessor FAILED

A node whose predecessor_hash references a node that does not exist in the DAG and is not the zero hash genesis marker. This is an orphan node that MUST be rejected on insertion.

Input Specification

Node type: ToolCall with action tool_call.orphan
Missing predecessor: 0x6c7f...a5b0
Predecessor is not zero hash and does not exist in any session

Expected Output

Verification status: FAILED
DAG integrity: MISSING_PREDECESSOR
Hash valid: true, Chain valid: false

Failure Reason

InvalidPredecessor: predecessor not found in DAG and is not zero hash. Insert rejected.

Verification Method

Attempt DAG insertion. Node hash is valid (passes self-check), but predecessor resolution fails. Implementation MUST distinguish between MISSING_PREDECESSOR and BROKEN_CHAIN.

AGT-TV-009 Replay Determinism VERIFIED

Two independently constructed identical DAGs produce identical replay frames at the same timestamp, proving replay-grade determinism. This is the foundational property that enables independent verification.

Input Specification

DAG size: 5 nodes
Replay timestamp: 1716000002500 (between node 2 and 3)
Two independent constructions produce frames with 3 nodes each

Expected Output

Frame 1 hash = Frame 2 hash: true
Both frames: 3 nodes
Replay deterministic: true

Frame Hash

0x2380e9851ba63eeb59cf465fd3162028a14fc931c8f3e974e07c2766487c733e

Verification Method

Construct the DAG twice from identical inputs. Extract replay frames at the specified timestamp. Frame hashes MUST be byte-identical. Run 100 times to verify no non-determinism.

8. Policy Vectors

Policy vectors verify deterministic time-slice replay across DAG states. An implementation MUST produce monotonically increasing node counts as replay timestamps advance, and each frame hash MUST be unique.

AGT-TV-010 Replay at Timestamp VERIFIED

Replay a 10-node DAG at 5 different timestamps, verifying monotonically increasing node counts and unique frame hashes at each point. This validates that replay is both deterministic and correctly partitioned by time.

Input Specification

DAG size: 10 nodes with 1-second intervals
5 replay points at timestamps: before genesis, after node 0, after node 4, after node 7, after all nodes

Expected Replay Points

Timestamp	Node Count	Frame Hash (prefix)
`1715999999999`	0	`0x0000...0000` (empty)
`1716000000500`	1	`0x3dd5...c51e`
`1716000004500`	5	`0xeb3f...e908`
`1716000007500`	8	`0x65d4...eeb5`
`1716000099999`	10	`0x43ba...f516`

Verification Method

For each replay point, extract the subgraph of nodes with timestamp <= replay_timestamp. Compute the frame hash. Node counts MUST be monotonically non-decreasing. All non-empty frame hashes MUST be unique.

9. Replay Vectors

Replay vectors verify scope enforcement, session expiration, and delegation chain integrity. These vectors exercise the governance boundary layer that constrains agent actions.

AGT-TV-011 Scope Violation FAILED

A session with constrained scope (allowed_tools=[web_search, calculator], forbidden_data_classes=[pii, phi]) rejects tool file_write and data class pii. Both access attempts MUST be denied.

Input Specification

Allowed tools: web_search, calculator
Forbidden data classes: pii, phi
Attempted tool: file_write (not in allowed list)
Attempted data class: pii (in forbidden list)
Delegation budget: 0 (no further delegation)

Expected Output

Verification status: FAILED
Tool permitted: false, Data class permitted: false

Failure Reason

Scope violation: tool 'file_write' not in allowed_tools; data class 'pii' in forbidden_data_classes. Both access attempts denied.

Verification Method

Evaluate scope constraints before action execution. Implementation MUST check both tool allowlist and data class denylist. Both checks MUST fail independently.

AGT-TV-012 Expired Session FAILED

A session that expired 1 hour ago. Any action attempt MUST be rejected. The session status is Expired and expires_at < current_time.

Input Specification

Session status: Expired
Expires at: 1715996400000 (1 hour before check time)
Check time: 1716000000000
Prior action count: 42

Expected Output

Verification status: FAILED
Session active: false

Failure Reason

Session expired: expires_at < current time. Session status is Expired. Actions rejected.

Verification Method

Implementation MUST check both the expires_at timestamp and the status field. Either condition alone is sufficient for rejection. Both MUST be checked.

AGT-TV-013 Delegation Chain VERIFIED

A 3-level delegation chain (root → delegate_1 → delegate_2) with progressively narrowing scope at each level. Validates scope subsetting and depth tracking.

Input Specification

Root scope: tools [web_search, calculator, file_read], budget 3, forbidden [phi]
Delegation 1: depth 1, tools narrowed to [web_search, calculator], budget 2
Delegation 2: depth 2, tools narrowed to [calculator], budget 1

Expected Output

Verification status: VERIFIED
All scope constraints are proper subsets of parent
Delegation depth tracked correctly

Verification Method

For each delegation level, verify: (a) allowed_tools is a subset of parent's allowed_tools, (b) delegation_budget < parent's budget, (c) depth increments by exactly 1, (d) forbidden_data_classes are inherited (never removed). Implementation MUST reject any delegation that widens scope.

10. Integrity Vectors

Integrity vectors verify exposure attestation and tool envelope correctness. These vectors exercise the data classification and provenance scoring subsystems.

AGT-TV-014 Exposure Attestation VERIFIED

A valid exposure attestation proving PII was NOT exposed during session execution (FHE path, no decrypt). This is a negative proof — it attests to the absence of exposure, not its presence.

Input Specification

Data class: pii
Exposure status: NotExposed
Evidence hash: SHA3-256 of the exposure proof artifact

Expected Output

Verification status: VERIFIED
Hash valid: true, Chain valid: true

Verification Method

Verify the evidence_hash is a valid SHA3-256 digest. Confirm the exposure_status is a recognized enum value. Implementation MUST treat NotExposed as a cryptographic claim that can be independently verified against the evidence artifact.

AGT-TV-015 Tool Envelope VERIFIED

A valid tool attestation envelope for an MCP tool call with request/response hashes, latency measurement, and provenance score. Covers the full lifecycle of a single tool invocation.

Input Specification

Tool name: h33.tool.anthropic.claude-code.bash.v1
Tool version: 1.0.0
Server ID: mcp-server-001
Latency: 250,000 microseconds (250ms)
Provenance score: 0.95
Status: Success

Expected Output

Verification status: VERIFIED
All checks: true

Verification Method

Verify: (a) request_hash and response_hash are valid SHA3-256 digests, (b) response_timestamp > request_timestamp, (c) latency = response_timestamp - request_timestamp in microseconds, (d) provenance score is in range [0.0, 1.0]. Tool name MUST follow the canonical dotted format.

11. Key Management Vectors

Key management vectors verify memory checkpoint chaining and state capture. An implementation MUST maintain predecessor-linked checkpoint chains and produce correct SHA3-256 digests of memory, context window, and retrieved document state.

AGT-TV-016 Memory Checkpoint VERIFIED

A valid memory checkpoint capturing the SHA3-256 of full memory state, context window, and RAG retrieval results at a point in time. First checkpoint in chain (no predecessor).

Input Specification

Memory size: 4,194,304 bytes (4 MiB)
Predecessor checkpoint: null (first in chain)
Three hash components: memory_hash, context_window_hash, retrieved_docs_hash

Expected Output

Verification status: VERIFIED
All checks: true

Verification Method

Verify all three hashes are valid SHA3-256 digests. If predecessor_checkpoint is non-null, verify it references a valid prior checkpoint. Memory size MUST be a positive integer. Implementation SHOULD verify that checkpoint IDs form a monotonically ordered chain.

12. Governance Vectors

Governance vectors verify approval flows, Merkle root computation, subgraph extraction, and cross-session isolation. These vectors exercise the highest-level governance operations that bind agent actions to organizational policy.

AGT-TV-017 Approval Flow VERIFIED

A complete approval flow: agent requests approval for high-value transfer ($50,000), human supervisor approves within 30 seconds. Both nodes (ApprovalRequest and ApprovalGrant) are linked in the DAG with correct predecessor chaining.

Input Specification

Request node: ApprovalRequest for $50,000 transfer to external_account
Grant node: ApprovalGrant by human supervisor, 30 seconds later
Grant node predecessor = Request node's node_id
Different agent_id values (requesting agent vs. approving supervisor)

Expected Output

Verification status: VERIFIED
DAG integrity: INTACT
All checks: true

Root Hash

0xee2566108d0bc0016b1045cc960ba87a4b1c7986bcf0171b01b86222bdcc7472

Verification Method

Verify: (a) grant node's predecessor_hash equals request node's node_id, (b) grant timestamp > request timestamp, (c) both nodes share the same session_id, (d) approval expiration is after grant time. The requesting agent and approving agent MUST have different agent_id values (separation of duties).

AGT-TV-018 Root Hash Computation VERIFIED

Merkle root hashes for DAGs of size 1, 3, 5, and 10. Verifies deterministic root computation using the H33_AGENT_V1_MERKLE domain separator and confirms that different DAG sizes produce different roots.

Input Specification

DAG sizes: 1, 3, 5, 10
Each DAG is independently constructed with deterministic inputs
Determinism check: 10-node DAG computed twice produces identical root

Expected Root Hashes

DAG Size	Root Hash
1	0x2343ed3589cc94380cd86e2ac63da7c44ac21878444fea29c6887a5b79024134
3	0x559205332d00d75ddc992daf53b6e0a67bc869f9ce2b81ecc23a1397aa6a6cf1
5	0x7b7b8a965a06be79f3eae6cc78d94865c3cd9f858473f17b304cfd3f35a50859
10	0xb6f8e34e381a32ec574f618f0b53a47c75fae9202026f27fd9897ea00046f3ff

Verification Method

Construct each DAG, compute Merkle root with H33_AGENT_V1_MERKLE domain separator. Roots MUST match exactly. All four roots MUST be distinct. Run the 10-node computation twice and verify byte-identical output.

AGT-TV-019 Subgraph Extraction VERIFIED

Extract session-scoped subgraphs from a 15-node multi-session DAG (3 sessions: 5+3+7 nodes). Verifies correct partitioning, independent root hashes per session, and that the full DAG root differs from any individual session root.

Input Specification

Total DAG size: 15 nodes across 3 sessions
Session 1: 5 nodes
Session 2: 3 nodes
Session 3: 7 nodes

Expected Subgraph Roots

Session	Nodes	Subgraph Root (prefix)
1	5	`0x04a5...3da6`
2	3	`0x6234...43ca`
3	7	`0x53f9...cf4d`

Full DAG Root

0x769236bb2ec261bfc09ca3dccbbd6f9cd801063e19558b597da1f8be53223e20

Verification Method

Extract subgraphs by session_id. Each subgraph MUST contain exactly the specified number of nodes. Compute independent Merkle roots per session. Full DAG root MUST differ from all subgraph roots. Sum of subgraph node counts MUST equal full DAG node count.

AGT-TV-020 Cross-Session Reject FAILED

A node in session B references a predecessor from session A. While the DAG accepts the insertion (predecessor exists), session chain traversal reveals the cross-session contamination. An independent verifier MUST reject this as a session isolation violation.

Input Specification

Session A: valid session with existing nodes
Session B: new session, cross-session node references Session A predecessor
DAG insertion succeeds (predecessor hash exists in DAG)
Cross-session predecessor session: 0xfad1...ad44
Cross node session: 0xd578...8313

Expected Output

Verification status: FAILED
DAG integrity: SESSION_ISOLATION_VIOLATED
Hash valid: true, Chain valid: false

Failure Reason

Cross-session predecessor: node in session B references predecessor from session A. Session isolation violated. An independent verifier implementation must reject this node.

Verification Method

After DAG insertion, traverse the predecessor chain of the cross-session node. At each predecessor, verify predecessor.session_id == node.session_id. Any mismatch MUST trigger SESSION_ISOLATION_VIOLATED. This check is REQUIRED even though the raw DAG insertion succeeds.

13. Vector JSON Schema

Every vector file conforms to the following JSON schema. Implementations SHOULD validate vector files against this schema before processing.

{
  "vector_id":       "AGT-TV-NNN",          // Unique identifier
  "name":            "Human-readable name", // Short description
  "description":     "...",                  // Full description
  "category":        "valid" | "invalid",    // Expected outcome class
  "input":           { ... },                // Operation-specific input
  "expected_output": {
    "verification_status": "VERIFIED" | "FAILED",
    "dag_integrity":       "INTACT" | "CORRUPTED" | "BROKEN_CHAIN" | ...,
    "hash_valid":          true | false,
    "chain_valid":         true | false,
    "replay_deterministic": true | false,
    "expected_root_hash":  "0x..." | null
  },
  "failure_reason":  "..." | null,            // null for valid vectors
  "version":         "1.0.0",                // Spec version
  "generated_at":    "2026-05-18T00:00:00Z"  // Generation timestamp
}

Immutability guarantee: Once a vector is published at a given version, its input and expected_output fields SHALL NOT change. A change to any vector constitutes a new version of the conformance suite.

14. DAG Integrity Status Values

Status	Meaning	Vectors
`INTACT`	All hash chains valid, Merkle root matches, no tampering detected	001, 003, 004, 017, 018, 019
`CORRUPTED`	Payload modified after hash computation; declared hash does not match recomputed hash	005
`BROKEN_CHAIN`	Predecessor reference points to a non-existent node (chain link missing)	006
`HASH_MISMATCH`	Node ID was forged; declared ID differs from computed SHA3-256	007
`MISSING_PREDECESSOR`	Predecessor hash is non-zero but references no existing node	008
`SESSION_ISOLATION_VIOLATED`	Cross-session predecessor detected; node references predecessor from different session	020
`N/A`	Vector does not test DAG integrity (session, scope, or exposure tests)	002, 009, 010, 011, 012, 013, 014, 015, 016

15. Conformance Levels

An implementation MAY claim partial conformance by specifying which categories it supports. The categories and their required vectors are:

Level	Categories	Vectors	Minimum
Core	Identity + Session + DAG Operations	001–007	7/7
Extended	Core + Tool/Memory + Policy + Replay	001–013	13/13
Full	All categories	001–020	20/20

Implementations claiming any conformance level MUST pass all vectors in the specified set without exception.

16. References

Reference	Title	URL
[Agent Spec]	AI Agent Governance Attestation Model v1.0	h33.ai/specifications/agent-governance/
[H33-Chaos]	H33-Chaos Adversarial Validation Suite	h33.ai/h33-chaos/
[@h33/agent]	H33 Agent TypeScript SDK	h33.ai/sdk/h33-agent-ts/
[GitHub]	H33 Post-Quantum GitHub Organization	github.com/H33ai-postquantum
[RFC 2119]	Key words for use in RFCs to Indicate Requirement Levels	rfc-editor.org/rfc/rfc2119
[SHA3-256]	NIST FIPS 202: SHA-3 Standard	csrc.nist.gov

Agent Specification → H33-Chaos → @h33/agent SDK → GitHub → Agent Benchmarks →