dotfiles/.config/opencode/skills/systematic-debugging/defense-in-depth.md


---
title: defense-in-depth
type: note
permalink: opencode-config/skills/systematic-debugging/defense-in-depth
---
# Defense in Depth
## Overview
A single validation check can be bypassed by alternate paths, refactors, or test setup differences.
**Core principle:** add validation at multiple layers so one missed check does not recreate the same failure.
## Layered Validation Model
### Layer 1: Entry Validation
Reject obviously invalid input at boundaries (CLI/API/public methods).
### Layer 2: Business-Logic Validation
Re-validate assumptions where operations are performed.
### Layer 3: Environment Guards
Block dangerous operations in sensitive contexts (for example, test/runtime safety guards).
### Layer 4: Diagnostic Context
Emit enough structured debug information to support future root-cause analysis.
## Applying the Pattern
1. Trace real data flow from entry to failure.
2. Mark all checkpoints where invalid state could be detected.
3. Add targeted validation at each relevant layer.
4. Verify each layer can catch invalid input independently.
## Example Shape
```ts
// isPathAllowed and isSafeTestPath are project-specific helpers, not shown in this note.
function createWorkspace(path: string) {
  // Layer 1: entry
  if (!path || path.trim() === '') {
    throw new Error('path is required');
  }
  // Layer 2: operation-specific
  if (!isPathAllowed(path)) {
    throw new Error(`path not allowed: ${path}`);
  }
}

async function dangerousOperation(path: string) {
  // Layer 3: environment guard
  if (process.env.NODE_ENV === 'test' && !isSafeTestPath(path)) {
    throw new Error(`refusing unsafe path in test mode: ${path}`);
  }
  // Layer 4: diagnostic context
  console.error('operation context', { path, cwd: process.cwd(), stack: new Error().stack });
}
```
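Step 4 of "Applying the Pattern" (verify each layer can catch invalid input independently), as an added example that is not part of the original note: each layer is a stand-alone check probed in isolation, with no short-circuiting, so a test can assert exactly which layers reject a given input. The roots `/srv/workspaces` and `/srv/workspaces/test` and the names `isUnder`, `probeLayers` and `rejectingLayers` are assumptions made for illustration; paths are assumed to be POSIX-style and absolute.

```typescript
// Constructed roots for this example (assumptions); TEST_ROOT sits inside ALLOWED_ROOT.
const ALLOWED_ROOT = '/srv/workspaces';
const TEST_ROOT = '/srv/workspaces/test';

// Collapse "." and ".." before the prefix check so traversal cannot dodge it.
// Relative paths are rejected outright; the root must match on a segment boundary.
function isUnder(root: string, p: string): boolean {
  if (!p.startsWith('/')) return false;
  const out: string[] = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  const norm = '/' + out.join('/');
  return norm === root || norm.startsWith(root + '/');
}

type Layer = { name: string; check: (path: string, env: string) => string | null };

// Each layer returns a rejection reason, or null when the input passes that layer.
const LAYERS: Layer[] = [
  // Layer 1: entry validation
  { name: 'entry', check: (p) => (!p || p.trim() === '' ? 'path is required' : null) },
  // Layer 2: business-logic validation
  { name: 'business', check: (p) => (isUnder(ALLOWED_ROOT, p) ? null : 'path not allowed') },
  // Layer 3: environment guard, active only in test mode
  {
    name: 'environment',
    check: (p, env) =>
      env === 'test' && !isUnder(TEST_ROOT, p) ? 'unsafe path in test mode' : null,
  },
];

// Run every layer against the same input without short-circuiting.
// The returned records double as Layer 4 diagnostic context.
function probeLayers(path: string, env: string) {
  return LAYERS
    .map((l) => ({ layer: l.name, reason: l.check(path, env), path, env }))
    .filter((r) => r.reason !== null);
}

// Names of the layers that reject this input on their own.
function rejectingLayers(path: string, env: string): string[] {
  return probeLayers(path, env).map((r) => r.layer);
}
```

A path such as `/srv/workspaces/prod-data` passes the entry and business layers and is stopped only by the environment guard in test mode, which is the gap a single check would leave open.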
## Key Outcome
Root-cause fixes prevent recurrence at the origin. Layered validation reduces the chance that adjacent paths can reintroduce the same class of bug.