Fixes T6741. This allows Almanac services to be locked from the CLI. Locked services (and their bindings, interfaces and devices) can not be edited. This serves two similar use cases:

• For normal installs, you can protect cluster configuration from an attacker who compromises an account (or generally harden services which are intended to be difficult to edit).
• For Phacility, we can lock externally-managed instance cluster configuration without having to pull any spooky tricks.

• Locked and unlocked services.
• Verified locking a service locks connected properties, bindings, binding properties, interfaces, devices, and device properties.