# Signals and unknowns

Unknowns are first-class signals that capture gaps in identity, reachability,
or evidence mapping. They prevent silent false negatives.

Unknowns registry model
- Deterministic id based on type, scope, and evidence.
- Includes provenance, scope, unknown_type, evidence, and status.
- Stores confidence metrics and exposure hints.

Producers
- Scanner: unresolved symbols or missing mappings.
- Signals: runtime hits without graph linkage.
- SbomService: conflicting versions or hash mismatches.
- Policy: undecidable cases due to missing evidence.

Consumers
- Risk and reachability scoring uses unknowns pressure.
- Policy gates can block not_affected when unknowns are high.
- UI and CLI provide triage and suppression workflows.

Ranking and triage bands
- Unknowns are scored using popularity, exploit potential, uncertainty, centrality, and staleness.
- Bands: hot, warm, cold drive rescan cadence.

API sketch
- POST /unknowns/ingest for idempotent upserts.
- GET /unknowns with filters by artifact and status.
- POST /unknowns/{id}/triage to update status and labels.

Storage
- Append-only store with CAS references for large evidence blobs.
- Tenant isolation and schema versioning for replay.

Related references
- docs/signals/unknowns-registry.md
- docs/signals/unknowns-ranking.md
- docs/uncertainty/README.md
- docs2/signals/uncertainty.md
- docs2/signals/unknowns-ranking.md