KB-4EAD

11 — Noise & Scale Control (Branch K) (2026-06-01)

Revision 1

Hardening that prevents the coverage scanner from becoming the noise it was built to detect. At 10⁸ objects, a naive detector emits millions of issues and buries the real islands. These are the law-level anti-spam obligations (mechanism in Đ45/Đ31). Builds on H3 (cooldown/escalation/suppression) and G7 (emit ceiling).

11.1 Aggregation rules

  • Aggregate at the governance grain (doc 09 §9.1): inheriting children roll up under their container. A container with 10⁶ uncovered inheriting children produces one container-level issue, not 10⁶.
  • Summary-by-class: per scan, per (issue_type × owner × phase), emit one summary issue carrying a count + sample, not N detail issues.
  • Roll-up islands: multiple objects under one local-governance island roll into one island_detected with the island as the subject (D3).

11.2 Dedupe (coalesce) keys

  • Every issue carries a coalesce_key = stable hash of (issue_type, subject_grain, root_cause). Re-detecting the same condition updates the existing open issue (bumps last-seen, count), never opens a duplicate. (Reuses the live idempotent coalesce_key pattern.)
  • Shared namespace with birth-orphan (M-DEF-4): a birth-orphan and a governance-orphan for the same root cause share the coalesce namespace so they cannot both be open.

11.3 Severity rules

  • Severity is computed from gap_type × profile (M-DEF-5): authority-critical link missing on a mutating object → critical; authority link non-critical → high; descriptive link → warning; info is not emitted as an issue.
  • Only critical/high block (doc 09 §9.4). Warnings are deadline-tracked TARGETs, not blockers — so the gate is not held hostage by cosmetic gaps.

11.4 Cooldown & escalation

  • Cooldown: an issue that re-fires within its cooldown window does not re-notify (it updates silently). Default cooldown scales with severity (critical: short; warning: long).
  • Age escalation: a warning open past its deadline (default 30 days, OQ-F3/H3) escalates to high; an unresolved high past its deadline escalates to critical + notifies the escalation owner.
  • Escalation routing: escalations go to the accountable owner of the affected scope, then to GOV-COUNCIL (owner-of-last-resort) if unowned.
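
A sketch of how §11.2 and §11.4 fit together, added here as an illustration and not taken from the scanner's own code: detections are upserted by coalesce key, re-fires inside the cooldown update silently, and an issue past its deadline steps up one severity level. The cooldown values, the 7-day deadline for high, the restart of the deadline clock after escalation, and all names (`IssueStore`, `detect`, the sample issue fields) are assumptions; only the 30-day warning default comes from the text.

```python
import hashlib

DAY = 86400
# Assumed values: the page says only that cooldown scales with severity and
# that the warning deadline defaults to 30 days.
COOLDOWN = {"critical": 300, "high": 3600, "warning": DAY}
DEADLINE = {"warning": 30 * DAY, "high": 7 * DAY}
NEXT_SEVERITY = {"warning": "high", "high": "critical"}

def coalesce_key(issue_type, subject_grain, root_cause):
    """Stable hash; fields are length-prefixed so ("ab","c") != ("a","bc")."""
    h = hashlib.sha256()
    for field in (issue_type, subject_grain, root_cause):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.hexdigest()

class IssueStore:
    def __init__(self):
        self.open = {}  # coalesce_key -> open issue

    def detect(self, issue_type, subject_grain, root_cause, severity, now):
        """Upsert one detection. Returns (issue, notify)."""
        key = coalesce_key(issue_type, subject_grain, root_cause)
        issue = self.open.get(key)
        if issue is None:
            issue = {"key": key, "severity": severity, "since": now,
                     "last_seen": now, "last_notified": now, "count": 1}
            self.open[key] = issue
            return issue, True
        # Same condition seen again: update in place, never open a duplicate.
        issue["last_seen"] = now
        issue["count"] += 1
        notify = False
        deadline = DEADLINE.get(issue["severity"])
        if deadline is not None and now - issue["since"] > deadline:
            # Age escalation: one step up; the deadline clock restarts (assumed).
            issue["severity"] = NEXT_SEVERITY[issue["severity"]]
            issue["since"] = now
            notify = True
        elif now - issue["last_notified"] >= COOLDOWN[issue["severity"]]:
            notify = True  # cooldown window has elapsed
        if notify:
            issue["last_notified"] = now
        return issue, notify
```

Escalation here is evaluated only when the condition is re-detected; a deployment that must escalate issues the scanner no longer sees would run the same deadline check as a periodic sweep.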

11.5 Suppression (only with approval)

  • Suppression of an issue/class is itself a governed exception (Class 7, doc 08): it requires approval, a TTL, a replacement plan, and is visible. There is no silent mute.
  • A suppressed class still counts in the identity (as approved_exceptions if object-level, or as a tracked suppression if class-level) — suppression hides the notification, never the count.

11.6 Summary vs detail issue

| Tier | When | Content |
|---|---|---|
| summary issue | default per scan per class | count, severity histogram, top-N sample, drilldown ref |
| detail issue | for non-inheriting objects (policy/axis/DOT/route/exception/law/event/IU-op) | full per-object record — these are individually important and never aggregated away |
| drilldown (on demand) | user opens the summary in Registries-Pivot | expands to the full member list via pivot, not via emitting N issues |

Rule: detail issues only for non-inheriting classes (bounded count); inheriting children get summary + drilldown.

11.7 No per-row issue for inherited children

The scanner MUST NOT emit a per-row issue for an inherited child whose only gap is its container's gap. The container gets one issue; children are reached by drilldown. (This is the single most important anti-spam rule — it is what makes 10⁸ safe.)

Exception: a child with its own authority-critical gap (e.g. a child policy missing its own approval path, red-team #20/#28) gets its own detail issue — because that gap is not the container's, and aggregating it would hide it. The anti-spam rule and the anti-hiding rule are reconciled exactly here: aggregate inherited-from-parent gaps; surface child-own authority gaps.

11.8 Stale-scan policy

  • A scan that cannot reach a ground-truth source marks affected objects stale_unverifiable (bounded, doc 09 §9.5) — it does not emit them as orphans (that would be false noise).
  • A stale scan result (older than freshness threshold) is not used for gating; the gate fails closed with scan_stale (so stale ≠ green).
  • Growing stale_unverifiable is itself one anomaly issue (scan_coverage_degraded), not N.

11.9 Emit ceiling (the unknown-cardinality backstop)

  • A hard per-scan emit ceiling caps total issues/events emitted in one scan (G7). If a scan would exceed it (e.g. an unknown high-cardinality condition — red-team #19/#36), it emits the ceiling's worth + one scan_anomaly ("emit ceiling hit, N suppressed, drilldown ref") instead of flooding.
  • The ceiling is a COUNCIL-owned governed threshold row, not a literal (G4).
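
The §11.7 rule, its child-own-gap exception, and the §11.9 backstop in one pass, as an added example that is not the scanner's own code. The finding tuple layout, the function name `plan_scan`, the single summary issue for child-own gaps that are not authority-critical, and emitting detail issues first so the ceiling cuts them last are assumptions; the sample data is constructed.

```python
from collections import Counter

def plan_scan(findings, ceiling):
    """Decide which issues one scan emits.

    findings: (child_id, container_id, origin, authority_critical) tuples, where
    origin is "inherited" (the gap is the container's) or "own".
    ceiling: per-scan emit ceiling, passed in by the caller from the governed
    threshold row rather than hard-coded.
    """
    details = []
    per_container = Counter()
    own_minor = 0
    for child, container, origin, critical in findings:
        if origin == "own" and critical:
            # Anti-hiding: a child-own authority-critical gap is never aggregated.
            details.append({"type": "detail", "subject": child})
        elif origin == "inherited":
            # Anti-spam: the container carries the gap; children via drilldown.
            per_container[container] += 1
        else:
            own_minor += 1  # assumed handling: one summary issue per scan
    issues = details + [
        {"type": "container", "subject": c, "children": n}
        for c, n in sorted(per_container.items())
    ]
    if own_minor:
        issues.append({"type": "summary", "count": own_minor})
    if len(issues) <= ceiling:
        return issues
    # Backstop: emit the ceiling's worth plus one anomaly that discloses the cut.
    return issues[:ceiling] + [{
        "type": "scan_anomaly",
        "reason": "emit ceiling hit",
        "suppressed": len(issues) - ceiling,
    }]

# Constructed sample: 100,000 inheriting children under c-1, 500 under c-2,
# and one child policy with its own authority-critical gap.
SAMPLE = [(f"obj-{i}", "c-1", "inherited", False) for i in range(100_000)]
SAMPLE += [(f"doc-{i}", "c-2", "inherited", False) for i in range(500)]
SAMPLE.append(("policy-7", "c-1", "own", True))
```

On the sample, 100,501 findings become three issues; with a ceiling of 2 the result is two issues plus one `scan_anomaly` reporting one suppressed.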

11.10 Sampling rules

  • When a class exceeds a sampling threshold, the summary carries a representative sample (top-N by severity + recency), and the full set is reachable by drilldown — never emitted as issues.
  • Sampling is disclosed in the summary ("showing 50 of 12,400") — no silent truncation (a silently truncated list reads as "all covered" when it isn't).

11.11 The two failure modes this prevents

| Failure | Prevented by |
|---|---|
| flood (1M duplicate issues, alarm fatigue, real islands hidden) | grain aggregation + coalesce keys + summary-by-class + no-per-row + emit ceiling + sampling |
| silence (gaps hidden by over-aggregation or silent mute) | detail issues for non-inheriting classes + child-own-gap surfacing + suppression-is-governed + disclosed sampling + stale-fails-closed |

The design walks the line: aggregate the cheap/inherited, surface the dangerous/individual, disclose what's sampled, fail closed on stale.

Branch-K verdict

Noise/scale control is hardened to grain aggregation + coalesce dedup + severity-only-blocking + cooldown/age-escalation + governed (never silent) suppression + summary/detail/drilldown tiers + no-per-row-for-inherited (with child-own-gap exception) + stale-fails-closed + COUNCIL-owned emit ceiling + disclosed sampling. This satisfies mission §14 and questions 8/9 and reconciles anti-spam with anti-hiding at the exact seam (§11.7).
