06-grant-ownership-issuer-path-proof-2026-06-22.md
06 — G3c: Grant / ownership issuer — minimal C1-scoped path
1. Gap confirmed live
- governance_build_authorization table exists, 0 grants.
- apr_action_types.authorize_build_step = "Issue an L3 governance_build_authorization grant for exactly one build step", risk_level=high, handler_ref=unimplemented.
- Local grep -rl "authorize_build_step\|governance_build_authorization" dot/bin = 0 → no DOT mints grants. New minimal issuer required.
2. Staged minimal issuer — dot-c1-grant-issue
Artifact: staged-artifacts/scripts/dot-c1-grant-issue. Not a general authorization system — hard scope-locked:
- Scope lock: mints only scope=DOT_C1_VOCAB_BUILD@DRYRUN-NS:dot:c1:vocab (constant in the script, not a parameter).
- Manifest-bound: requires --manifest-hash (the cser-v1 digest emitted by a prior DOT_C1_VOCAB_BUILD dry-run); refuses without it (exit 2). A later different hash is rejected downstream as manifest_not_authorized.
- Single-active guard: refuses (exit 3) if a draft|active grant for the scope already exists — revoke first.
- Single-use / lease: single_use:true, lease_ttl:PT2H, status:draft, revocable:true. Consumption flips to consumed (CAS); reuse → REJECT_AUTH_ALREADY_CONSUMED.
3. Plan-bound + reject matrix (per macro §3.5)
Grant payload payloads/governance_build_authorization_grant.json (GBA-C1-DRYRUN-0001) carries plan_ref → this package's W-plan, rollback_plan_ref → DOT_C1_ROLLBACK_CHECK, and the fail-closed reject_on set:
no_authorization, grant_scope_too_broad, grant_scope_mismatch, authorization_expired, authorization_revoked, REJECT_AUTH_ALREADY_CONSUMED, manifest_not_authorized, action_superset.
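
The guards in sections 2 and 3, as an added example (not the project's code): a fail-closed evaluator that either consumes a grant for one build request or returns a single reject_on code. The check order, the meaning given to each code, the rule that only an active grant authorizes, and the field names issued_at, manifest_hash and actions are assumptions; all sample values are constructed.

```python
import threading
from datetime import datetime, timedelta, timezone

SCOPE = "DOT_C1_VOCAB_BUILD@DRYRUN-NS:dot:c1:vocab"  # the only scope the issuer mints
LEASE_TTL = timedelta(hours=2)                        # lease_ttl PT2H
T0 = datetime(2026, 1, 1, 10, 0, tzinfo=timezone.utc) # constructed issue time
_cas = threading.Lock()  # stands in for the store's compare-and-swap

def authorize(grant, scope, manifest_hash, actions, now):
    """Return "ALLOW" and consume the grant, or return one reject_on code."""
    if not grant:
        return "no_authorization"
    if "*" in grant["scope"]:              # assumed meaning of "too broad"
        return "grant_scope_too_broad"
    if scope != SCOPE or grant["scope"] != scope:
        return "grant_scope_mismatch"
    if grant["status"] == "revoked":
        return "authorization_revoked"
    if grant["status"] == "consumed":
        return "REJECT_AUTH_ALREADY_CONSUMED"
    if grant["status"] != "active":        # assumption: draft/unknown never authorizes
        return "no_authorization"
    if now >= grant["issued_at"] + LEASE_TTL:
        return "authorization_expired"
    if manifest_hash != grant["manifest_hash"]:
        return "manifest_not_authorized"
    if not set(actions) <= set(grant["actions"]):
        return "action_superset"
    with _cas:                             # flip active -> consumed exactly once
        if grant["status"] != "active":
            return "REJECT_AUTH_ALREADY_CONSUMED"
        grant["status"] = "consumed"
    return "ALLOW"

def sample_grant(**overrides):
    """Constructed grant; hash and action names are placeholders."""
    grant = {"scope": SCOPE, "status": "active", "issued_at": T0,
             "manifest_hash": "cser-v1:PLACEHOLDER-A", "actions": ["build_step"]}
    grant.update(overrides)
    return grant

if __name__ == "__main__":
    g = sample_grant()
    for _ in range(2):  # second call shows single-use rejection
        print(authorize(g, SCOPE, "cser-v1:PLACEHOLDER-A", ["build_step"], T0))
```

A rejected request leaves the grant unconsumed, so a wrong manifest hash or an over-broad action list does not burn the single use.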
4. Ownership
Ownership via assign_governance_owner / assign_axis_owner (both handler_ref=unimplemented in apr_action_types) binds the C1 collection + DOTs to the owner principal; delegate_authority is TTL-bounded. Staged, not issued (same unimplemented-handler constraint as the issuer).
5. Lifecycle / birth / rollback for the new issuer DOT
Same DOT lifecycle as §04: born (dot-species-register) → admitted (ledger) → registered (patched registrar --only-prefix dot-c1-, it is DOT_C1_GRANT_ISSUE) → paired DOT-HEALTH-DOT → retire via dot-entity-retire. Rollback of a minted grant: PATCH status=revoked.
6. Honest constraint (per macro §3.5 / §5.6)
Issuing the grant DOT-100% needs either (a) this dot-c1-grant-issue DOT born+registered, or (b) an operator-run governed migration. The authorize_build_step handler is unimplemented today, so no grant can be minted by an existing runnable handler — this stages the smallest lawful issuer. 0 grants minted this turn.
7. Verdict
G3c = minimal C1-scoped issuer path PROVEN (staged). Manifest-bound, single-use, lease/expiry/revocation, full reject matrix, rollback. No general authz system. 0 executed.