Telemetry-prior categorization for cred/namespace defaults (opt-in, catalog densification)

[hanwencheng]

Context

R4 enhancement from the onboarding / auto-distribution spec (docs/plan/web-flow/onboarding-classifier-distribution.md §2, §3). When a cred/namespace is categorized, a telemetry prior ("most tenants categorize service X as Y") pre-selects the default the master confirms — shrinking the ask.

Parent: #207.

Scope

• Opt-in only (off by default; a convenience, not load-bearing for availability or correctness).
• Catalog densification ONLY — the aggregate carries entity → category priors (e.g. stripe → payments), the shared catalog layer. It MUST NOT carry per-tenant grants (who-denied-what). Same split as public MCC codes vs. a card's private limits (docs(plan): classifier-service — NL → deterministic authorization for the fleet (#147) #178 §8.1 "catalog ≠ policy").
• k-anonymous aggregate; no PII; feeds the catalog's tier-0 priors (docs(plan): classifier-service — NL → deterministic authorization for the fleet (#147) #178 §8.1 cascade).

Work

• Opt-in toggle in parent-control + daemon config.
• Aggregate pipeline: collect (entity, confirmed-category) events from consenting tenants → k-anon aggregate → catalog prior.
• Wire the prior into the cred/namespace categorize default (the value the master sees pre-selected).
• Privacy review + threat-model note (the central-classify posture, docs(plan): classifier-service — NL → deterministic authorization for the fleet (#147) #178 §6.11).

Invariant

The grant graph (per-tenant policy) is NEVER an input. Only entity → category facts are aggregated.