# Uncertainty and entropy

Uncertainty captures missing or untrusted evidence as first-class signals.
It prevents silent false negatives and feeds risk scoring and policy gates.

Core states (examples)
- U1: MissingSymbolResolution
- U2: MissingPurl
- U3: UntrustedAdvisory
- U4: Unknown (no analysis yet)

Tiers and scoring
- Tiers group states by entropy ranges.
- The aggregate tier is the maximum severity present.
- Risk score adds an entropy-based modifier.

Policy guidance
- High uncertainty blocks not_affected claims.
- Lower tiers allow decisions with caveats.
- Remediation hints are attached to findings.

Determinism rules
- Stable ordering of uncertainty states.
- UTC timestamps and fixed precision for entropy values.
- Canonical JSON for hashing and replay.

Related references
- docs/uncertainty/README.md
- docs/reachability/lattice.md
- docs/policy/dsl.md