08 - BLOCKER 7: Permit Terminology Fix (operator_authorization vs blocked permit)

Codex finding

"permit" was used ambiguously for operator authorization, conflicting with the boundary that the QT001/admission permit must remain blocked. (Codex CHECK_C NEEDS_FIX; CHECK_J terminology.)

The fix - three separated terms (blueprint doc 07 §Terminology)

term	meaning	state under FIX7
operator_authorization (artifact operator_authorization_artifact)	permission for an OPERATOR to execute a migration/cutover package (PKG-E..H). Carries approved_package_sha256, reviewer/owner identity, authorization_scope, expiry/epoch, both-EXCEPT/read-back proof. NOT the blocked permit; opens NO QT001 apply/admission/REAL_RUN/Stage 2.6B; creates NO readiness gate.	required per package
qt001_backfill_permit (= birth/admission permit)	permission to run QT001 backfill/apply	BLOCKED
REAL_RUN_authority	permission to run real scale/capability execution	BLOCKED
QT001 apply authority	fn_dot_birth_qt001_apply / sp_dot_birth_qt001_apply	BLOCKED since Codex NOT_SAFE

Every PKG-E/F/G precondition now says operator_authorization, never "permit". The blocked-permit references (doc 03 G-17, doc 08, doc 05 standing block) are renamed qt001_backfill_permit. The sequencing diagram arrows now read [fresh Codex re-audit + operator_authorization].

G-NO-QT001-PERMIT-DURING-FIX7 (new): fails any FIX7 package (PKG-A..I) that opens, consumes, or depends on a qt001_backfill_permit, REAL_RUN authority, or QT001 apply authority, or that conflates operator_authorization with any of them.

Machine-checkable package-transition evidence (Codex MG-01 / CHECK_C)

A prose "a re-audit occurred" is insufficient. Each PKG-E/F/G transition consumes an operator_authorization carrying the approved-package hash, reviewer/owner identity, authorization scope, expiry/epoch, and a both-EXCEPT/read-back proof that the live package == the approved hash.

Law-citation correction (honest, preempts a Codex catch)

The governing law was read in full this pass (token-capped; via sliced subagent). Its actual §4G is "Surgical Drift Patch Allowance", which lists governance_change as a stop_without_asking_if hard-stop and states the allowance "does not permit governance change" — and the word "permit" never appears in the law (it uses AUTHOR_MODE_ONLY / OPERATOR_HANDOFF_MODE / §3.4 Authority Pack / §4J Operator Surface Rule). The prior blueprint paraphrase "§4G: governance change must be independently re-reviewed" was loose; the citation is corrected in doc 07 to the law's real text. The conclusion (PKG-F/PKG-G require an explicit stop + fresh re-audit gate, never a mechanical continuation) is exactly what §4G requires, so the gate stands and is now correctly grounded. operator_authorization is mapped to the law's OPERATOR_HANDOFF_MODE / Authority Pack concepts.

Self-check

PASS only if permit/operator_authorization are separated and the QT001 permit remains blocked → PASS. Three terms separated; operator_authorization grants package execution only; qt001_backfill_permit / REAL_RUN / QT001 apply remain BLOCKED; G-NO-QT001-PERMIT-DURING-FIX7 enforces the separation.