OTA graphs that survive mixed hardware revisions

Mixed revisions are normal; pretending they do not exist is not. We capture artifact nodes per board family and show which nodes may advance independently. Signing checkpoints are drawn as gates, not footnotes. Everyone sees where keys rotate and who approves the rotation. Rollback is modeled as a first-class path, not a miracle. We document the minimum device-side signal that proves health, so operators stop guessing from silence.