By (limited) experiment it seems to me that the action 'PERMIT' is acceptable in access tables in smtpd restriction lists (e.g. smtpd_client_restrictions).
As far as I can tell it is undocumented in this context, but I think it is synonymous with 'OK' i.e. any subsequent tests in the same restriction list are skipped/ignored but subsequent restriction lists are processed (and could indeed give a REJECT action). One practical advantage of using PERMIT instead of OK: a single ip whitelist file can then be used both in postscreen_access_list (where the action 'OK' is not acceptable) and in an smtpd restriction list. Is this correct - or incorrect / unwise?