KB-6ECE

04 — The "count > 1" Governance-Relevance Rule (Branch D) (2026-06-01)

Revision 1

The user's principle: anything with count > 1 should generally come under governance coverage. Taken literally, this floods the system (live proof: system_issues.template_gap already has 182,378 open rows, and a naive per-instance rule would create governance noise at that scale). This doc hardens the principle into a precise, testable rule that captures the real intent (no un-owned multiplicity that affects shared truth) without over-governing.


4.1 The rule (M-DEF-10, proposed)

count > 1 is a governance candidacy trigger, never an automatic governance mandate. When the system contains more than one instance of a thing X, X's kind enters the coverage pipeline and is resolved by the shared-truth predicate and the grain rule. Multiplicity alone creates no owner requirement and no issue.

Formally, for a kind K with count(K) > 1:

GOVERNANCE_RELEVANT(K)  ⟺  shared_truth_reachable(K)
                            -- changing K's definition/vocabulary/membership/grouping
                            -- can change what another user/agent sees as truth,
                            -- or can authorize a mutation.

If GOVERNANCE_RELEVANT(K) is false → Class 0 (the instances are not governed; the exclusion of the kind is still a COUNCIL-owned list entry — exclusion is governed, never silent).

If true → K is governed, and the shape of its coverage is decided by which of three roles it plays:

| Role of K | Coverage shape | What is governed | What is NOT individually governed |
|---|---|---|---|
| (a) K is a dimension — its members classify/count/group/pivot/order/display other objects | Axis (M-DEF-8) → an Axis Registry row (M-DEF-9) | the axis's vocabulary, grouping policy (ceilings/pin/threshold), owner-per-scope, issue path | each member value (inherits the axis's container coverage) |
| (b) K is an object — an instance can change truth/authority on its own | Governed object (its own coverage profile, M-DEF-2) | each instance's owner + risk-required links | |
| (c) K is a child under a governed container — sharing the container's policy | Container inheritance (M-DEF-7, owner-link ONLY) | the container's owner (propagates) | each child (counted at container grain) — unless the child carries its OWN policy/action/route/exception, which is never inherited (anti-hiding) |

4.2 The seven sub-decisions (mission §8)

  1. What "count > 1" means. More than one instance of the same kind exists in any shared-truth scope — whether rows in a table, files on the host, routes in nginx, values in an axis vocabulary, or DOTs in a catalog. (One-off, single-user, single-session instances are count=1-per-scope and not multiplicity.)
  2. When count>1 is governance-relevant. Iff shared_truth_reachable(K) — changing K can change shared truth or authorize a mutation. (Decided by predicate, not by table-ness.)
  3. When count>1 is harmless/ephemeral. When K is single-user/session/agent-private, read-only against shared truth, with no approval/execution power → Class 0. (e.g. per-user pins, scratch files, comments, non-truth logs.)
  4. When it becomes a registry/list/axis candidate. When K's members are used to classify/count/group/display other objects → the set is an axis/registry (governed once, as a registry), members inherit.
  5. When it must become a governed object. When a single instance of K can independently change structure/classification/counting/display/execution/authority → K is a governed object class (own profile).
  6. When it only inherits container coverage. When K is a child/leaf under a governed container and shares the container's policy with no independent authority → covered by owner-link inheritance, counted at container grain (Δtotal=0 on adding children).
  7. When it needs its own policy/action coverage. When a child carries its own policy, action, route, or exception (even under a covered parent) → that policy/action/route/exception is a governed object in its own right; inheritance covers the owner-link only, never the risk-required links (M-DEF-7 anti-hiding; red-team #20/#28).

Anti-over-governance guards (so the rule does not flood):

  • Multiplicity never emits an issue by itself — issues require a missing required link (M-DEF-5) at the governance grain (roots + non-inheriting + containers), then coalesced (Branch K: coalesce_key, cooldown, summary-vs-detail, emit ceiling). Live system_issues already carries coalesce_key+occurrence_count — the machinery exists.
  • Class 0 is a first-class class with zero link requirements (M-DEF-1) — the rule explicitly carves out harmless multiplicity.
  • Container-grain counting means 10⁶ children = 1 governance unit (M-DEF-7) — multiplicity at the leaf is invisible to the gate.

4.3 Decision procedure (one flow for any K)

count(K) > 1 ?
  ├─ no  → not a multiplicity question (single instance: still test shared-truth if it can change truth)
  └─ yes → shared_truth_reachable(K) ?
            ├─ no  → CLASS 0 (record exclusion in COUNCIL-owned list; no owner, no issue)
            └─ yes → role of K ?
                     ├─ dimension (classifies/groups/counts others) → AXIS  → Axis Registry row (govern the SET once)
                     ├─ independent-authority object             → GOVERNED OBJECT (own profile)
                     └─ child under governed container            → INHERIT owner-link only
                                                                    └─ child has own policy/action/route/exception?
                                                                         └─ yes → that artifact = its OWN governed object (no inheritance of risk links)

4.4 Acceptance tests (mission §8 — all 11)

| # | Input | Expected outcome | Why |
|---|---|---|---|
| 1 | 2 personal browser preferences | Class 0, no owner, no issue | not shared-truth reachable; single-user (M-DEF-1) |
| 2 | 2 local scratch files | Class 0, no owner, no issue | private, read-only vs shared truth |
| 3 | 2 production API routes | Governed objects (SURFACE profile); each needs owner+route-registry presence; if absent → route_orphan/OWNER_GAP | a route renders shared truth / authorizes mutation (red-team #1/#32) |
| 4 | 2 DOTs | Governed objects (DOT profile); each needs Đ35 registration + owner + (if mutating) paired_dot | executes against shared truth (red-team #10) |
| 5 | 2 pivots | Axis + object: each pivot is a governed object (POLICY) and its group-by is an axis (Axis Registry row); grouping policy (ceiling ≤50) governed | pivot defines counting/display truth (red-team #2/#26) |
| 6 | 2 IU axes | Axes → 2 Axis Registry rows (axis family = iu); members inherit; until registered → axis_unregistered (critical) | axes classify/count IU; not a hardcoded list (red-team #25) |
| 7 | 2 labels | Axis (the label dimension) governed once via GOV-KG-SYS; the 2 label values inherit the dimension's coverage | label dim drives display/classification (red-team #27) |
| 8 | 2 workflow designs | Governed objects (DOT/POLICY); owner GOV-MOW; each design's steps inherit container owner-link; a step with its own approval = own coverage | a workflow changes execution/automation (red-team #28) |
| 9 | 2 event types | Governed objects (POLICY); each needs Đ45 registration before emit; unregistered emit → event_unregistered | events drive automation/notification truth (red-team #18/#35) |
| 10 | 1,000,000 child rows under one governed registry | Δtotal_governed = 0; counted at the registry (container) grain; at most one container-level issue if the registry is uncovered; no per-row issue | M-DEF-7 owner-link inheritance + Branch-K coalesce; proven against live template_gap scale |
| 11 (bonus) | A child row that carries its own approval flag under a covered parent | own APPROVAL_PATH_GAP despite the covered parent | anti-hiding (M-DEF-7; red-team #20) |

Result: harmless multiplicity (tests 1–2, 10) produces zero governance load; truth/authority-bearing multiplicity (3–9, 11) is covered at the right grain; the 10⁶-row case is invisible to the gate. The rule captures the user's intent (no un-owned multiplicity that affects shared truth) while provably avoiding the flood.
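
The 4.3 decision procedure and the container-grain counting rule, written out as an added example (not code from the system this document describes). `Kind`, `Role`, `own_artifacts` and the outcome labels are hypothetical names, the shared-truth predicate is supplied by the caller as a boolean, and the sample inputs are constructed from acceptance tests 1, 3, 7, 10 and 11.

```python
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    DIMENSION = "dimension"  # members classify/count/group other objects
    OBJECT = "object"        # one instance can change truth/authority alone
    CHILD = "child"          # leaf sharing a governed container's policy

@dataclass(frozen=True)
class Kind:
    name: str
    count: int
    shared_truth_reachable: bool  # 4.1 predicate, decided by the caller
    role: Role = Role.OBJECT
    own_artifacts: int = 0        # children with own policy/action/route/exception

def classify(k: Kind) -> str:
    """Walk the 4.3 flow; outcome labels are this example's own."""
    if not k.shared_truth_reachable:
        # Assumption: a private single instance is simply not a candidate.
        return "CLASS_0" if k.count > 1 else "NOT_MULTIPLICITY"
    if k.role is Role.DIMENSION:
        return "AXIS"
    if k.role is Role.OBJECT:
        return "GOVERNED_OBJECT"
    # Child: owner-link is inherited, but own artifacts are never hidden.
    return "INHERIT+OWN_OBJECT" if k.own_artifacts else "INHERIT_OWNER_LINK"

def governed_units(k: Kind) -> int:
    """Units the kind adds at the governance grain (what the gate counts)."""
    outcome = classify(k)
    if outcome == "AXIS":
        return 1                  # the set is governed once; members inherit
    if outcome == "GOVERNED_OBJECT":
        return k.count            # object grain: one profile per instance
    if outcome == "INHERIT+OWN_OBJECT":
        return k.own_artifacts    # children add 0, their own artifacts do not
    return 0                      # Class 0, plain children, non-candidates

# Constructed inputs modelled on acceptance tests 1, 3, 7, 10 and 11.
SAMPLES = [
    Kind("browser preferences", 2, False),
    Kind("production API routes", 2, True, Role.OBJECT),
    Kind("labels", 2, True, Role.DIMENSION),
    Kind("registry child rows", 1_000_000, True, Role.CHILD),
    Kind("child rows with approval flag", 1_000_000, True, Role.CHILD, own_artifacts=1),
]

if __name__ == "__main__":
    for k in SAMPLES:
        print(f"{k.name:32} {classify(k):20} units={governed_units(k)}")
```

Growing the child count from 10 to 10⁶ leaves `governed_units` at 0, which is the Δtotal=0 property of test 10, while the single approval-carrying child of test 11 still surfaces as one unit.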


4.5 Answers to Success-Target Q5–Q8

  • Q5 (count>1 without flooding) → YES — candidacy trigger + shared-truth gate + grain + coalesce.
  • Q6 (what is NOT governed) → YES — Class 0, defined by failing the shared-truth predicate; exclusion recorded in a COUNCIL-owned list.
  • Q7 (container-grain vs object-grain) → YES — dimension/child = container-grain (axis/registry/inheritance); independent-authority instance = object-grain.
  • Q8 (inheritance not hiding child gaps) → YES — owner-link-ONLY inheritance; risk-required links and any child-owned policy/action/route/exception are never inherited (test 11).