it dovetails with our invariant: Chitos never emits 'proven-safe' (absence is not a safety claim). That handles the "don't trust a green light" half; the coverage denominator you're pointing at is the other half.
How we mean to express the denominator: we model the attack surface as an enumerable space ā reachable entry points Ć parameters/sinks Ć vuln classes. Then every 'not demonstrated' can carry coverage = exercised nodes / modeled nodes, per phase and per class. e.g. "exercised N% of the modeled SQLi surface; the unreached region has this shape."
Candidly: today Chitos emits the numerator (what fired) and the invariant (no proven-safe). The modeled-surface denominator (coverage %) is what we're building toward. And we'd flag the deeper limit ā it's coverage against the surface we modeled, not the true surface; unknown-unknowns still escape, so the denominator is itself a function of the model, and we'd label it as such.
Genuinely keen on your take on modeling the surface ā that's what decides whether the denominator means anything.