All skills
Skillintermediate

Evolution Metrics Reference

This document explains each structural metric the graph-evolution skill tracks and why it matters for security analysis.

Claude Code Knowledge Pack7/10/2026

Overview

Evolution Metrics Reference

This document explains each structural metric the graph-evolution skill tracks and why it matters for security analysis.

Contents

  • Node changes (added, removed, modified)
  • Edge changes (added, removed)
  • Complexity evolution
  • Attack surface changes
  • Blast radius shifts
  • Taint propagation changes
  • Privilege boundary changes

Node Changes

Added Nodes

New functions, methods, classes, or modules introduced between snapshots.

Security relevance:

  • New code has no review history and may lack test coverage
  • New public functions expand the attack surface
  • New classes may introduce state management complexity

Triage: Cross-reference added nodes against the after graph's entrypoints subgraph. Added nodes that are entrypoint-reachable get highest review priority.

Removed Nodes

Functions, methods, or classes deleted between snapshots.

Security relevance:

  • Removed validation functions may indicate weakened security controls
  • Removed error handlers can expose unhandled edge cases
  • Dead code removal is generally positive (reduces attack surface)

Triage: Check if removed nodes had privilege_boundary or taint_propagation annotations. If so, verify the security function was replaced, not just deleted.

Modified Nodes

Nodes present in both snapshots whose properties changed. Tracked properties:

PropertyWhat ChangedSecurity Concern
cyclomatic_complexityControl flow complexityHigher CC = more paths to test
parametersFunction signatureNew params may accept untrusted input
return_typeReturn type annotationType changes can break callers
line_spanLines of codeSignificant growth may indicate added logic

Edge Changes

Added Edges

New call relationships between functions.

Security relevance:

  • New calls from untrusted entrypoints to sensitive functions create attack paths that did not previously exist
  • New inherits or implements edges can change polymorphic dispatch
  • Cross-module calls may violate existing trust boundaries

Triage: For each added calls edge, check if source is in the tainted subgraph and target handles sensitive operations.

Removed Edges

Call relationships that no longer exist.

Security relevance:

  • Removed validation calls may mean input is no longer checked
  • Removed authorization calls can create privilege escalation
  • Usually benign during refactoring, but verify removed edges between security-relevant nodes

Complexity Evolution

Tracks per-node cyclomatic complexity changes between snapshots.

Thresholds:

CC DeltaSignificance
+1 to +3Minor — likely a new branch or error check
+4 to +9Moderate — new logic paths need test coverage
+10 or moreMajor — function is becoming difficult to reason about
NegativePositive — simplification usually reduces bug surface

Aggregate signals:

  • Mean CC increase across all modified nodes indicates codebase is growing more complex
  • Functions that crossed the CC > 10 threshold are new fuzzing candidates (per the genotoxic skill's criteria)

Attack Surface Changes

Derived from the entrypoints subgraph.

New entrypoints: Nodes that appear in the after entrypoints but not before. Each new entrypoint is a new way external input reaches the system.

Removed entrypoints: Nodes that were entrypoints in before but not after. Usually positive (reduced surface), but verify the functionality wasn't just moved.

Trust level changes: Compare entrypoint trust levels between snapshots. A function changing from trusted_internal to untrusted_external is a significant security event.


Blast Radius Shifts

Derived from the high_blast_radius subgraph (nodes with 10+ downstream dependents).

New high-blast nodes: Nodes that entered high_blast_radius in after. These now affect many downstream functions — bugs here have wide impact.

Reduced blast radius: Nodes that left high_blast_radius. Usually positive (decoupling), but verify the downstream functions weren't orphaned.


Taint Propagation Changes

Derived from the tainted subgraph (nodes reachable from untrusted entrypoints).

Newly tainted: Nodes that entered tainted in after. These can now be reached by untrusted input and must validate their inputs.

De-tainted: Nodes that left tainted. Usually means a trust boundary was added or an entrypoint was removed.

Critical combination: Nodes that are both newly tainted AND had their CC increase. These are the highest-priority review targets.


Privilege Boundary Changes

Derived from the privilege_boundary subgraph (edges where trust levels change).

New boundary crossings: Functions that appeared on a privilege boundary. These are points where trust transitions happen — common vulnerability locations.

Removed boundaries: Privilege boundaries that disappeared. Could mean trust was flattened (potentially unsafe) or that the boundary moved (needs verification).