From flows
Use when invalid data causes failures deep in execution, requiring validation at multiple system layers - validates at every layer data passes through to make bugs structurally impossible
How this skill is triggered — by the user, by Claude, or both
Slash command
/flows:defense-in-depthThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
When you fix a bug caused by invalid data, adding validation at one place feels sufficient. But that single check can be bypassed by different code paths, refactoring, or mocks.
When you fix a bug caused by invalid data, adding validation at one place feels sufficient. But that single check can be bypassed by different code paths, refactoring, or mocks.
Core principle: Validate at EVERY layer data passes through. Make the bug structurally impossible.
Single validation: "We fixed the bug" Multiple layers: "We made the bug impossible"
Different layers catch different cases:
For each layer, dispatch Explore agent with thoroughness: "very thorough"
Layer 1 - Entry Point Discovery:
Use Task tool:
# Invoke Task tool with:
subagent_type = "Explore"
model = "haiku"
prompt = """
Explore to find all entry points for [feature/module]:
1. API endpoints, route handlers, CLI commands
2. Event handlers, message queue consumers
3. Public class methods, exported functions
4. Form inputs, user interactions
Return: All entry points with file paths and signatures
**CRITICAL:** Do NOT create temporary files (/tmp, docs/, etc).
Aggregate all findings in memory and return complete report in your final message.
All results must appear in function_results - no file creation.
Thoroughness: very thorough
"""
Consuming Layer 1 Results (Entry Points):
After Task tool returns, entry point discovery report appears in function_results.
Read and extract:
Use for: Implementing validation at EVERY entry point found. No entry point missed.
Layer 2 - Business Logic Discovery:
# Invoke Task tool with:
subagent_type = "Explore"
model = "haiku"
prompt = """
Explore to find business logic validation points:
1. Service methods, domain logic functions
2. State transition validations
3. Business rule enforcement locations
4. Data consistency checks
Return: Business logic locations requiring validation
**CRITICAL:** Do NOT create temporary files (/tmp, docs/, etc).
Aggregate all findings in memory and return complete report in your final message.
All results must appear in function_results - no file creation.
Thoroughness: very thorough
"""
Consuming Layer 2 Results (Business Logic):
After Task tool returns, business logic validation points appear in function_results.
Read and extract:
Use for: Implementing validation at EVERY business logic point found.
Layer 3 - Environment Discovery:
# Invoke Task tool with:
subagent_type = "Explore"
model = "haiku"
prompt = """
Explore to find environment interaction points:
1. Database queries, ORM operations
2. External API calls, HTTP clients
3. File system operations
4. Cache access, session management
Return: All boundary points with external systems
**CRITICAL:** Do NOT create temporary files (/tmp, docs/, etc).
Aggregate all findings in memory and return complete report in your final message.
All results must appear in function_results - no file creation.
Thoroughness: very thorough
"""
Consuming Layer 3 Results (Environment):
After Task tool returns, environment interaction points appear in function_results.
Read and extract:
Use for: Implementing validation at EVERY boundary point found. Complete coverage ensured.
Use findings to:
Purpose: Reject obviously invalid input at API boundary
function createProject(name: string, workingDirectory: string) {
if (!workingDirectory || workingDirectory.trim() === '') {
throw new Error('workingDirectory cannot be empty');
}
if (!existsSync(workingDirectory)) {
throw new Error(`workingDirectory does not exist: ${workingDirectory}`);
}
if (!statSync(workingDirectory).isDirectory()) {
throw new Error(`workingDirectory is not a directory: ${workingDirectory}`);
}
// ... proceed
}
Purpose: Ensure data makes sense for this operation
function initializeWorkspace(projectDir: string, sessionId: string) {
if (!projectDir) {
throw new Error('projectDir required for workspace initialization');
}
// ... proceed
}
Purpose: Prevent dangerous operations in specific contexts
async function gitInit(directory: string) {
// In tests, refuse git init outside temp directories
if (process.env.NODE_ENV === 'test') {
const normalized = normalize(resolve(directory));
const tmpDir = normalize(resolve(tmpdir()));
if (!normalized.startsWith(tmpDir)) {
throw new Error(
`Refusing git init outside temp dir during tests: ${directory}`
);
}
}
// ... proceed
}
Purpose: Capture context for forensics
async function gitInit(directory: string) {
const stack = new Error().stack;
logger.debug('About to git init', {
directory,
cwd: process.cwd(),
stack,
});
// ... proceed
}
When you find a bug:
Bug: Empty projectDir caused git init in source code
Data flow:
Project.create(name, '')WorkspaceManager.createWorkspace('')git init runs in process.cwd()Four layers added:
Project.create() validates not empty/exists/writableWorkspaceManager validates projectDir not emptyWorktreeManager refuses git init outside tmpdir in testsResult: All 1847 tests passed, bug impossible to reproduce
All four layers were necessary. During testing, each layer caught bugs the others missed:
Don't stop at one validation point. Add checks at every layer.
npx claudepluginhub anvanvan/flowsCreates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.