KB-55C3 rev 2
FIX7 Control-Plane Immutability Design - Corrected
Tags: QT001, FIX7, ownership, ACL, activation, TOCTOU
The NOLOGIN role qt001_cp_owner owns authority. The Directus, PUBLIC and runtime roles have no control-mutation rights and no direct DML on protected targets. A deterministic authority-scope closure replaces the manual inventory. Sealed manifests are append-only.
Activation requires an envelope that binds the old and new hashes, the exact add/retire/tombstone sets, impact evidence, the exact active activation-policy quorum, independent principals, and artifact read-back. An operator alone cannot activate. Writers and activation serialize on a single hash-bound control_epoch: a writer holds a shared transaction lock, while activation takes the exclusive lock and increments the epoch, which closes the TOCTOU window.
All privileged live changes run only through the approved, owner-credentialed Level-B DOT/migration pipeline.
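The shared/exclusive epoch lock described above, sketched as an added example that is not the project's own code. It assumes PostgreSQL advisory locks as the lock mechanism; the table layout, the function names `cp_writer_guard` and `cp_activate`, and the lock key 7001 are hypothetical.

```sql
-- Hypothetical single-row table holding the active epoch and manifest hash.
CREATE TABLE control_epoch (
    id            boolean PRIMARY KEY DEFAULT true CHECK (id),
    epoch         bigint  NOT NULL,
    manifest_hash text    NOT NULL
);

-- Writer side: call first in the write transaction (READ COMMITTED assumed, so
-- the check below sees the latest committed epoch after the lock is granted).
CREATE FUNCTION cp_writer_guard(expected_epoch bigint, expected_hash text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    -- Shared, transaction-scoped: writers do not block each other, and the
    -- lock is released only at COMMIT/ROLLBACK, after the protected DML.
    PERFORM pg_advisory_xact_lock_shared(7001);  -- 7001 = constructed key
    PERFORM 1 FROM control_epoch
     WHERE epoch = expected_epoch AND manifest_hash = expected_hash;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'stale control_epoch: expected % / %',
            expected_epoch, expected_hash;
    END IF;
END $$;

-- Activation side: exclusive lock waits for every in-flight writer to finish,
-- so no write validated against the old epoch can commit after the bump.
CREATE FUNCTION cp_activate(old_hash text, new_hash text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE
    new_epoch bigint;
BEGIN
    PERFORM pg_advisory_xact_lock(7001);
    UPDATE control_epoch
       SET epoch = epoch + 1, manifest_hash = new_hash
     WHERE manifest_hash = old_hash   -- envelope's old hash must still be active
    RETURNING epoch INTO new_epoch;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'old hash % is not the active manifest', old_hash;
    END IF;
    RETURN new_epoch;
END $$;

-- Functions are executable by PUBLIC by default; remove that for activation.
REVOKE EXECUTE ON FUNCTION cp_activate(text, text) FROM PUBLIC;

-- Writer transaction shape (values constructed):
--   BEGIN;
--   SELECT cp_writer_guard(41, 'sha256:<old-manifest-hash>');
--   ... protected-target DML ...
--   COMMIT;
```

The guard only closes the window if the check and the protected DML share one transaction; a writer that validates in one transaction and writes in another reintroduces the race.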