KB-2345

QT001 Permit Contract Review

Revision 1
Tags: QT001, permit, authorization

03 - Permit Contract Review

Verdict

Permit v2 has useful columns and constraints, but it is not an enforced authorization contract.

Good

Collection-scoped; expected_delta, max_rows, expires, mode, status and reason are non-null; max_rows >= expected_delta; one open execute permit per collection; current open execute permits = 0.

Blockers

The writer never compares the permit's expected_delta with the live plan or call. plan_checksum is nullable and never checked. approved_by is free text; principal_ref and owner_ref are nullable and unchecked. revoked_at is ignored, so invalid states are allowed. The permit is not bound to run_id, plan version, Tier, reviewer decision, or source watermark. one_use=true conflicts with multi-batch runs, while one_use=false can be reused simply by changing run_id. There are no lifecycle timestamp constraints and no governed approval/owner foreign key.

Required Contract

Bind the permit to the exact collection, the approved plan version and checksum, the expected total delta, the source watermark, the run ID, the Tier, the owner approval artifact, an expiry, a batch policy, and a lifecycle. The runtime must lock and consume the permit at run scope.
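The following is an added illustration of the required contract and of the blockers listed above; it is not QT001 project code. It models a permit that is bound to every field the contract names and a runtime that locks and consumes it at run scope. All names in it (Permit, RunContext, approval_ref, consume_permit, record_batch, the constructed plan and watermark values) are assumptions chosen for the example.

```python
# Added example, not QT001 project code: a run-scoped permit binding check that
# enforces the contract fields named above. Every name here (Permit, RunContext,
# approval_ref, consume_permit, record_batch) is an assumption for illustration.
import hashlib
import json
import threading
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

_lock = threading.Lock()  # serialises consume/batch updates; stands in for a DB row lock

def plan_checksum(plan: dict) -> str:
    """Canonical SHA-256 of the plan content, so a permit binds to exact bytes."""
    canonical = json.dumps(plan, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

@dataclass
class Permit:
    permit_id: str
    collection: str
    plan_version: int
    plan_checksum: str      # non-null and checked against the live plan
    expected_delta: int     # total rows the approved plan may change
    max_rows: int
    source_watermark: str
    run_id: str             # issued for exactly one run; replay under another run_id fails
    tier: str
    approval_ref: str       # id of a governed approval artifact, not free text
    expires_at: datetime
    status: str = "open"    # open -> consumed; a set revoked_at means revoked
    revoked_at: Optional[datetime] = None
    applied_rows: int = 0   # cumulative rows over the batches of the bound run

@dataclass
class RunContext:
    collection: str
    plan: dict
    plan_version: int
    total_delta: int
    source_watermark: str
    run_id: str
    tier: str
    now: datetime

def permit_violations(p: Permit, ctx: RunContext) -> List[str]:
    """Every way the permit fails to match the live run; an empty list means it is bound."""
    checks = [
        (p.status != "open", f"status is {p.status}"),
        (p.revoked_at is not None, "permit revoked"),
        (ctx.now >= p.expires_at, "permit expired"),
        (p.collection != ctx.collection, "collection mismatch"),
        (p.plan_version != ctx.plan_version, "plan version mismatch"),
        (p.plan_checksum != plan_checksum(ctx.plan), "plan checksum mismatch"),
        (p.expected_delta != ctx.total_delta, "expected_delta differs from live delta"),
        (ctx.total_delta > p.max_rows, "delta exceeds max_rows"),
        (p.source_watermark != ctx.source_watermark, "source watermark mismatch"),
        (p.run_id != ctx.run_id, "run_id mismatch"),
        (p.tier != ctx.tier, "tier mismatch"),
        (not p.approval_ref, "no governed approval artifact"),
    ]
    return [msg for failed, msg in checks if failed]

def consume_permit(p: Permit, ctx: RunContext) -> bool:
    """Lock and consume at run scope: succeeds once, for the bound run only."""
    with _lock:
        if permit_violations(p, ctx):
            return False
        p.status = "consumed"
        return True

def record_batch(p: Permit, run_id: str, rows: int) -> bool:
    """Batch policy: many batches per bound run, cumulative rows never above expected_delta."""
    with _lock:
        if p.status != "consumed" or p.run_id != run_id:
            return False
        if p.applied_rows + rows > p.expected_delta:
            return False
        p.applied_rows += rows
        return True

def demo() -> dict:
    """Constructed scenario: the permit serves its own run and rejects tampering and replay."""
    now = datetime(2026, 6, 6, tzinfo=timezone.utc)
    plan = {"collection": "orders", "ops": [{"set": "status", "where": "id<100"}]}
    permit = Permit("P-1", "orders", 7, plan_checksum(plan), 99, 120, "wm-41",
                    "run-A", "tier2", "APPR-12", now + timedelta(hours=1))
    run_a = RunContext("orders", plan, 7, 99, "wm-41", "run-A", "tier2", now)
    run_b = RunContext("orders", plan, 7, 99, "wm-41", "run-B", "tier2", now)
    tampered = RunContext("orders", {**plan, "ops": []}, 7, 99, "wm-41", "run-A", "tier2", now)
    return {
        "tampered_plan": permit_violations(permit, tampered),
        "other_run": permit_violations(permit, run_b),
        "consume_a": consume_permit(permit, run_a),
        "consume_again": consume_permit(permit, run_a),
        "batch1": record_batch(permit, "run-A", 60),
        "batch2": record_batch(permit, "run-A", 39),
        "batch3": record_batch(permit, "run-A", 1),
        "batch_other_run": record_batch(permit, "run-B", 1),
    }
```

The checksum is computed over the canonical plan content rather than stored as a label, so an edited plan fails binding even when its version number is unchanged. Consuming at run scope resolves the one_use conflict noted under Blockers: the permit is spent once, by the run it was issued for, while record_batch still allows several batches inside that run as long as the cumulative row count stays within expected_delta; a different run_id cannot reuse it.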

knowledge/dev/reports/architecture/codex-stage2-5-qt001-apply-runtime-hardcode-scale-reaudit-2026-06-06/03-permit-contract-review.md