defense-in-depth
This skill promotes a multi-layer validation pattern where data is validated at every layer it passes through, making certain bug categories structurally impossible rather than just caught. It provides concrete examples and a four-layer framework for implementation.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Install command
npx @skill-hub/cli install lerianstudio-ring-defense-in-depth
Repository
Skill path: default/skills/defense-in-depth
This skill promotes a multi-layer validation pattern where data is validated at every layer it passes through, making certain bug categories structurally impossible rather than just caught. It provides concrete examples and a four-layer framework for implementation.
Open repositoryBest for
Primary workflow: Analyze Data & AI.
Technical facets: Full Stack, Data / AI.
Target audience: Software developers working on medium to large codebases where data flows through multiple layers, particularly those dealing with complex validation requirements.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: LerianStudio.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install defense-in-depth into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/LerianStudio/ring before adding defense-in-depth to shared team environments
- Use defense-in-depth for development workflows
Works across
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: defense-in-depth
description: |
Multi-layer validation pattern - validates data at EVERY layer it passes through
to make bugs structurally impossible, not just caught.
trigger: |
- Bug caused by invalid data reaching deep layers
- Single validation point can be bypassed
- Need to prevent bug category, not just instance
skip_when: |
- Validation already exists at all layers → check other issues
- Simple input validation sufficient → add single check
related:
complementary: [root-cause-tracing]
---
# Defense-in-Depth Validation
## Overview
When you fix a bug caused by invalid data, adding validation at one place feels sufficient. But that single check can be bypassed by different code paths, refactoring, or mocks.
**Core principle:** Validate at EVERY layer data passes through. Make the bug structurally impossible.
## Why Multiple Layers
Single validation: "We fixed the bug"
Multiple layers: "We made the bug impossible"
Different layers catch different cases:
- Entry validation catches most bugs
- Business logic catches edge cases
- Environment guards prevent context-specific dangers
- Debug logging helps when other layers fail
## The Four Layers
| Layer | Purpose | Example |
|-------|---------|---------|
| **1. Entry Point** | Reject invalid input at API boundary | `if (!workingDir \|\| !existsSync(workingDir)) throw new Error(...)` |
| **2. Business Logic** | Ensure data makes sense for operation | `if (!projectDir) throw new Error('projectDir required')` |
| **3. Environment Guards** | Prevent dangerous ops in contexts | `if (NODE_ENV === 'test' && !path.startsWith(tmpdir())) throw...` |
| **4. Debug Instrumentation** | Capture context for forensics | `logger.debug('About to git init', { directory, cwd, stack })` |
## Applying the Pattern
**Steps:** (1) Trace data flow (origin → error) (2) Map all checkpoints (3) Add validation at each layer (4) Test each layer (try to bypass layer 1, verify layer 2 catches it)
## Example
**Bug:** Empty `projectDir` caused `git init` in source code
**Flow:** Test setup (`''`) → `Project.create(name, '')` → `WorkspaceManager.createWorkspace('')` → `git init` in `process.cwd()`
**Layers added:** L1: `Project.create()` validates not empty/exists/writable | L2: `WorkspaceManager` validates not empty | L3: Refuse git init outside tmpdir in tests | L4: Stack trace logging
**Result:** 1847 tests passed, bug impossible to reproduce
## Key Insight
All four layers necessary - each caught bugs others missed: different code paths bypassed entry validation | mocks bypassed business logic | edge cases needed environment guards | debug logging identified structural misuse.
**Don't stop at one validation point.** Add checks at every layer.