ed3dai/defense-in-depth
plugins/ed3d-house-style/skills/defense-in-depth/SKILL.md
Use when invalid data causes failures deep in execution - validates at every layer data passes through to make bugs structurally impossible rather than temporarily fixed
$ install --global
skillsauthnpx skillsauth add ed3dai/ed3d-plugins-testing defense-in-depthInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 17, 2026, 2:54 AM120.4s1 file scanned
SKILL.md
- name:
- defense-in-depth
- description:
- Use when invalid data causes failures deep in execution - validates at every layer data passes through to make bugs structurally impossible rather than temporarily fixed
- user-invocable:
- false
Defense-in-Depth Validation
Overview
When you fix a bug caused by invalid data, adding validation at one place feels sufficient. But that single check can be bypassed by different code paths, refactoring, or mocks.
Core principle: Validate at EVERY layer data passes through. Make the bug structurally impossible.
When to Use
Use when:
- Invalid data caused a bug deep in the call stack
- Data crosses system boundaries (API → service → storage)
- Multiple code paths can reach the same vulnerable code
- Tests mock intermediate layers (bypassing validation)
Don't use when:
- Pure internal function with single caller (validate at caller)
- Data already validated by framework/library you trust
- Adding validation would duplicate identical checks at adjacent layers
The Four Layers
Layer 1: Entry Point Validation
Purpose: Reject invalid input at API/system boundary
function createProject(name: string, workingDirectory: string) {
if (!workingDirectory?.trim()) {
throw new Error('workingDirectory cannot be empty');
}
if (!existsSync(workingDirectory)) {
throw new Error(`workingDirectory does not exist: ${workingDirectory}`);
}
// ... proceed
}
When needed: Always. This is your first line of defense.
Layer 2: Business Logic Validation
Purpose: Ensure data makes sense for this specific operation
function initializeWorkspace(projectDir: string, sessionId: string) {
if (!projectDir) {
throw new Error('projectDir required for workspace initialization');
}
// ... proceed
}
When needed: When business rules differ from entry validation, or when mocks might bypass Layer 1.
Layer 3: Environment Guards
Purpose: Prevent dangerous operations in specific contexts
async function gitInit(directory: string) {
if (process.env.NODE_ENV === 'test') {
const normalized = normalize(resolve(directory));
if (!normalized.startsWith(tmpdir())) {
throw new Error(`Refusing git init outside temp dir in tests: ${directory}`);
}
}
// ... proceed
}
When needed: When operation is destructive/irreversible, especially in test environments.
Layer 4: Debug Instrumentation
Purpose: Capture context for forensics when other layers fail
async function gitInit(directory: string) {
logger.debug('git init', { directory, cwd: process.cwd(), stack: new Error().stack });
// ... proceed
}
When needed: When debugging is difficult, or when you need to trace how bad data arrived.
Decision Heuristic
| Situation | Layers Needed | |-----------|---------------| | Public API, simple validation | 1 only | | Data crosses multiple services | 1 + 2 | | Destructive operations (delete, init, write) | 1 + 2 + 3 | | Chasing a hard-to-reproduce bug | 1 + 2 + 3 + 4 | | Tests mock intermediate layers | At minimum: 1 + 3 |
Applying the Pattern
When you find a bug caused by invalid data:
- Trace the data flow - Where does the bad value originate? Where is it used?
- Map checkpoints - List every function/layer the data passes through
- Decide which layers - Use heuristic above
- Add validation - Entry → business → environment → debug
- Test each layer - Verify Layer 2 catches what bypasses Layer 1
Quick Reference
| Layer | Question It Answers | Typical Check | |-------|---------------------|---------------| | Entry | Is input valid? | Non-empty, exists, correct type | | Business | Does it make sense here? | Required for this operation, within bounds | | Environment | Is this safe in this context? | Not in prod, inside temp dir, etc. | | Debug | How did we get here? | Log stack, cwd, inputs |
Common Mistakes
| Mistake | Fix | |---------|-----| | One validation point, call it done | Add at least entry + business layers | | Identical checks at adjacent layers | Make each layer check something different | | Environment guards only in prod | Add them in test too (prevent test pollution) | | Skipping debug logging | Add it during the bug hunt, keep it | | Validation but no useful error message | Include the bad value and expected format |
Key Insight
During testing, each layer catches bugs the others miss:
- Different code paths bypass entry validation
- Mocks bypass business logic checks
- Edge cases need environment guards
- Debug logging identifies structural misuse
Don't stop at one validation point. The bug isn't fixed until it's impossible.
Related Skills
ed3dai/review-session
development
VerifiedTrustedCommunity
Use when the user wants to review a Claude Code session for quality — analyzes the current session (or a specified transcript path) for prompting effectiveness, agent performance, and environment gaps, producing actionable recommendations
5SKILL.mdUpdated Jun 17, 2026
ed3dai/review-recent-sessions
development
VerifiedTrustedCommunity
Use when the user wants to review their recent Claude Code sessions for patterns — analyzes the last N sessions (default 5) in the current project, dispatching parallel reviewers per session, then synthesizing cross-session findings
5SKILL.mdUpdated Jun 17, 2026
ed3dai/export-session-as-markdown
tools
VerifiedTrustedCommunity
Use when the user wants to export a Claude Code session transcript as a readable Markdown file — converts the current session (or a specified transcript path) into GitHub-flavored Markdown with metadata header, collapsible tool results, and thinking blocks
5SKILL.mdUpdated Jun 17, 2026
ed3dai/researching-on-the-internet
development
VerifiedTrustedCommunity
Use when planning features and need current API docs, library patterns, or external knowledge; when testing hypotheses about technology choices or claims; when verifying assumptions before design decisions - gathers well-sourced, current information from the internet to inform technical decisions
5SKILL.mdUpdated Jun 17, 2026