09 — Governance Coverage & Anarchy Detection (Branch I)

Branch I. How governance automatically covers "things that are governance" — axes, nodes, relations, assignments, UI projections — without a local island and without a noise explosion. Verdict: RECOMMENDED — coverage triggers on born+active/UI-visible; the GCOS scanner + collection_registry.coverage_* + meta_catalog discover new/unregistered axes; candidates are governed as input-quality only; issues coalesce at governance-grain with a decaying verdict.

---

09.0 Principle

A thing becomes a governance object when it can change shared truth and is born + active / UI-visible. Until then it is a candidate governed only as input quality (it must not become a governance orphan — implementation-index doc 33). Coverage is discovered, not declared: the scanner finds axis-bearing surfaces and checks each is registered + owned + covered.

09.1 When each thing becomes governed

Thing	Becomes governed when…	Governed-as
Axis	inserted into axis_registry and lifecycle_status='active'	full (owner, coverage rule, issue path, APR-gated edits)
Topic node	taxonomy.status='active' + born	full
Relation/edge	status='active' + provenance present	covered via its endpoints' axes
Assignment	axis_assignment.zone='approved'	covered; candidate/quarantine = input-quality only
UI projection	a view/screen exposes an axis	the axis must be registered+owned, else axis_unregistered
Candidate (any)	—	input-quality only; never a governance orphan

09.2 How the scanner discovers new axis / topic / UI projection

Reuse the GCOS machinery (implementation-index docs 31–44) + live registries:

• meta_catalog (169) — registry-of-registries with orphan_count/actual_count/baseline_count: a new axis-shaped table or registry surfaces as a catalog entry or an orphan delta.
• collection_registry (166) — coverage_status/coverage_scope_status/coverage_review_owner: every collection carries a coverage verdict (BIRTH_REQUIRED / DEFERRED / EXEMPT pattern).
• GCOS candidate scan — dirty-group incremental scan over Birth (birth_registry cursor-tail) finds newly-born objects (incl. new topic nodes) needing coverage.
• Axis-surface sweep — a DOT enumerates axis-bearing surfaces (taxonomy facets, pivot definitions, envelope axes, any *_axis*/tag-bag column, any UI view) and checks each against axis_registry.

09.3 Detecting an unregistered axis (the critical gap type)

Per M-DEF-9 / open-axis model:

• an axis-bearing surface absent from axis_registry → axis_unregistered (critical);
• the Axis Registry itself absent → inventory_gap (critical) — this is the current live state (doc 01 G2);
• an axis with no accountable owner → axis_owner_gap (high);
• an axis whose vocabulary has no owning registry → axis_vocab_unowned (high) / classification-island;
• an axis with grouping/threshold literals instead of governed rows → axis_grouping_island (high);
• a hardcoded axis list in the UI → hardcode_violation (#37). Detection uses the same six-layer scanner as for objects (no special path per axis).

09.4 Detecting a local island (dissolving the IU island)

The canonical island is IU (hardening doc 03 §3.1): no governance_registry row owns information_unit; dot_iu_command_catalog (54) parallels constitutional dot_tools; 0 approval_requests reference IU; IU-private audit; IU event types not wired to the central detector. Island detectors:

• object/axis with assignments/edges but no owner in governance_registry/responsibility_scope → *_object_orphan;
• a parallel command catalog / private audit / private event family not registered centrally → island finding;
• a born+UI-visible thing whose mutations bypass the central APR (approval_requests) → governance-bypass island. Resolution path: register owner (OP-B/SB-2), route mutations through central APR (migrate IU review_decision_id to a governed adapter then to Đ32 — C-4), wire IU events into the central detector, fold dot_iu_command_catalog under dot_tools visibility.

09.5 Coverage for candidate vs active vs UI-visible

• Candidate / provisional / quarantine: governed only as input quality (is it well-formed? has provenance? within dictionary?). A bad candidate raises an input-quality issue, never a governance-orphan issue (implementation-index doc 33 "L0 gate"). This is what prevents 770k+ entity_labels / 1M+ birth rows from each demanding full governance.
• Active / born / UI-visible: full coverage — owner, coverage rule, APR-gated edits, integrity invariants, issue path.
• The verdict is a decaying snapshot keyed by (candidate_key, snapshot, ruleset_version, scan_time) (SB-10) — "checked" is never a forever-boolean; it expires and re-scans, fail-closed on staleness for high-risk.

09.6 Issues / events raised (and where)

• Issues: system_issues (buckets like thiếu_quan_hệ/sai_lệch_dữ_liệu) + new governance issue types: axis_unregistered, inventory_gap, axis_owner_gap, axis_vocab_unowned, axis_grouping_island, iu_object_orphan, reconstruction_integrity_fail, containment_cycle, topic_overlap, wrong_topic, unratified_exception, governance_island.
• Events: the governance event domain must be registered before emit (Điều 45) in event_type_registry — currently 0 governance event types (doc 01). Severity is computed (not stored literal); coalesced at governance-grain (one issue per object/axis/coalesce-key, not per row).

09.7 Avoiding noise explosion

• Coalesce at governance-grain (issue_signature in approval_requests; coalesce-key in system_issues) — N defective rows → 1 issue.
• Candidate ≠ mandate — a candidate's existence raises input-quality only, not a coverage demand.
• Materiality threshold — a configured severity floor (charter "signal, not noise"; reg-style materiality) filters the digest.
• Decaying verdict — re-scan only dirty groups (SB-10 incremental), not the whole 1M-row Birth every pass.
• Count>1 = candidacy, not mandate — multiple matches flag for review, they do not auto-create.
• Register-before-emit + heartbeat — no event storms; silent-gap detection instead of polling spam.

09.8 Owner map for axis/topic coverage (to ratify, SB-2/OP-B)

policy → GOV-COUNCIL; substrate/vocabulary (KG/taxonomy/vector) → GOV-KG-SYS; integrity/coverage/health → GOV-SIV; execution → GOV-DOT; render → GOV-MOUT (interim COUNCIL delegation, TTL-bounded); family law → GOV-NRM-SYS. The Axis Registry itself is a POLICY/REGISTRY object owned by GOV-COUNCIL.

09.9 Verdict

RECOMMENDED. Coverage is automatic and discovered: born+active/UI ⇒ governed; candidate ⇒ input-quality only; the scanner finds unregistered axes (axis_unregistered/inventory_gap) and islands (the IU island first), raising coalesced, materiality-filtered, decaying issues on the central substrate (system_issues/governance event domain). No new scanner is invented — the GCOS six-layer scanner is reused; the only new inputs are the axis issue types and the axis_registry it checks against.