How SignalMesh thinks.

Every normalized signal records its source_id, source_name, the adapter version that produced it, the raw record type, and a normalized timestamp. Drilling into a signal surfaces the original observation when available.

Confidence is a 0–100 number that is distinct from severity. A high-severity signal can have low confidence (early reports) and a low-severity signal can have high confidence (a verified advisory). They occupy separate visual channels in the UI.

Watchlists support regions, companies, assets, routes, keywords, CVEs, and vendors. Matches are deterministic and recomputed on every snapshot.

A signal is only plotted on the map if it has valid coordinates from its source. CVEs, vendor advisories, and other non-geographic intelligence appear in dedicated panels — never invented onto arbitrary points.

Both raw observations and the normalized signal contract are retained. The normalized contract is what every page reads; the raw is what every audit trail points to.

Each source has a retention policy (hot / warm rollup / raw) and an ingest budget. Source health (online / degraded / offline) is derived from recent run status, warnings, and quarantine ratios — never assumed.