defense-in-depth-validation

# Defense-in-Depth Validation ## Overview When you fix a bug caused by invalid data, adding validation at one place feels sufficient. But that single check can be bypassed by different code paths, refactoring, or mocks. **Core principle:** Validate at EVERY layer data passes through. Make the bug structurally impossible. ## Why Multiple Layers Single validation: "We fixed the bug" Multiple layers: "We made the bug impossible" Different layers catch different cases: - Entry validation catches most bugs - Business logic catches edge cases - Environment guards prevent context-specific dangers - Debug logging helps when other layers fail ## The Four Layers ### Layer 1: Entry Point Validation **Purpose:** Reject obviously invalid input at API boundary ```typescript function createProject(name: string, workingDirectory: string) { if (!workingDirectory || workingDirectory.trim() === '') { throw new Error('workingDirectory cannot be empty'); } if (!existsSync(workingDirectory)) { throw new Error(`workingDirectory does not exist: ${workingDirectory}`); } if (!statSync(workingDirectory).isDirectory()) { throw new Error(`workingDirectory is not a directory: ${workingDirectory}`); } // ... proceed } ``` ### Layer 2: Business Logic Validation **Purpose:** Ensure data makes sense for this operation ```typescript function initializeWorkspace(projectDir: string, sessionId: string) { if (!projectDir) { throw new Error('projectDir required for workspa...