Use when invalid data causes failures deep in execution, requiring validation at multiple system layers - validates at every layer data passes through using Shannon validation gates to make bugs structurally impossible with quantitative coverage tracking
When invalid data causes failures deep in execution, this skill adds validation at every layer data passes through. It uses five-layer defense (entry, business logic, environment guards, validation gates, debug instrumentation) with quantitative coverage tracking to make bugs structurally impossible.
/plugin marketplace add krzemienski/shannon-framework/plugin install shannon@shannon-frameworkThis skill inherits all available tools. When active, it can use any tool Claude has access to.
When you fix a bug caused by invalid data, adding validation at one place feels sufficient. But that single check can be bypassed by different code paths, refactoring, or mocks.
Core principle: Validate at EVERY layer data passes through. Make the bug structurally impossible.
Single validation: "We fixed the bug" Multiple layers: "We made the bug impossible"
Different layers catch different cases:
Shannon extends Superpowers' 4-layer model with validation gates integration.
Purpose: Reject obviously invalid input at API boundary
function createProject(name: string, workingDirectory: string) {
if (!workingDirectory || workingDirectory.trim() === '') {
throw new Error('workingDirectory cannot be empty');
}
if (!existsSync(workingDirectory)) {
throw new Error(`workingDirectory does not exist: ${workingDirectory}`);
}
if (!statSync(workingDirectory).isDirectory()) {
throw new Error(`workingDirectory is not a directory: ${workingDirectory}`);
}
// ... proceed
}
Purpose: Ensure data makes sense for this operation
function initializeWorkspace(projectDir: string, sessionId: string) {
if (!projectDir) {
throw new Error('projectDir required for workspace initialization');
}
// ... proceed
}
Purpose: Prevent dangerous operations in specific contexts
async function gitInit(directory: string) {
// In tests, refuse git init outside temp directories
if (process.env.NODE_ENV === 'test') {
const normalized = normalize(resolve(directory));
const tmpDir = normalize(resolve(tmpdir()));
if (!normalized.startsWith(tmpDir)) {
throw new Error(
`Refusing git init outside temp dir during tests: ${directory}`
);
}
}
// ... proceed
}
Purpose: Run Shannon's 3-tier validation at critical checkpoints
async function deployFeature(feature: Feature) {
// Shannon's 3-tier validation
const gates = await runValidationGates(feature);
// Tier 1: Flow validation
if (!gates.tier1.pass) {
throw new Error(`Flow validation failed: ${gates.tier1.errors}`);
}
// Tier 2: Artifact validation
if (!gates.tier2.pass) {
throw new Error(`Artifact validation failed: ${gates.tier2.errors}`);
}
// Tier 3: Functional validation (NO MOCKS)
if (!gates.tier3.pass) {
throw new Error(`Functional validation failed: ${gates.tier3.errors}`);
}
// All gates passed, proceed with deployment
// ... proceed
}
Purpose: Capture context for forensics and Serena learning
async function gitInit(directory: string) {
const stack = new Error().stack;
// Shannon: Save to Serena for pattern analysis
await serena.write_memory(`operations/git_init/${Date.now()}`, {
operation: 'git_init',
directory,
cwd: process.cwd(),
env: process.env.NODE_ENV,
stack_depth: stack.split('\n').length,
timestamp: new Date().toISOString()
});
logger.debug('About to git init', {
directory,
cwd: process.cwd(),
stack,
});
// ... proceed
}
When you find a bug:
Trace the data flow (use root-cause-tracing skill)
Map all checkpoints
Add validation at each layer
Test each layer
Bug: Empty projectDir caused git init in source code
Data flow:
Project.create(name, '')WorkspaceManager.createWorkspace('')git init runs in process.cwd()Five layers added (Shannon enhancement):
Project.create() validates not empty/exists/writableWorkspaceManager validates projectDir not emptyWorktreeManager refuses git init outside tmpdir in testsResult: All 1847 tests passed, bug impossible to reproduce
Shannon tracking:
defense_coverage = {
"bug_id": "empty_projectDir",
"layers_added": 5,
"coverage": {
"entry_point": True,
"business_logic": True,
"environment_guards": True,
"validation_gates": True,
"instrumentation": True
},
"tests_passed": "1847/1847",
"bug_reproducible": False,
"timestamp": ISO_timestamp
}
serena.write_memory("defense/coverage/empty_projectDir", defense_coverage)
At critical checkpoints, run Shannon's 3-tier validation:
async function criticalOperation(data: unknown) {
// Layer 1: Entry validation
validateInput(data);
// Layer 2: Business validation
validateBusinessRules(data);
// Layer 3: Environment guards
if (process.env.NODE_ENV === 'production') {
requireProductionChecks(data);
}
// Layer 4: Shannon validation gates
const gates = await runValidationGates({
tier1: () => checkFlow(data),
tier2: () => checkArtifacts(data),
tier3: () => checkFunctional(data) // NO MOCKS
});
if (!gates.allPass) {
throw new ValidationError('Gates failed', gates.failures);
}
// Layer 5: Instrumentation
await logToSerena('criticalOperation', { data, gates });
// Now safe to proceed
// ...
}
Shannon requirement: Track defense coverage quantitatively:
# After adding defense layers
coverage_metrics = {
"total_layers": 5,
"layers_implemented": {
"entry_point": True,
"business_logic": True,
"environment_guards": True,
"validation_gates": True,
"instrumentation": True
},
"coverage_percentage": 100.0, # 5/5 layers
"test_verification": {
"bypass_attempts": 5,
"all_caught": True,
"layer_effectiveness": {
"layer1_catches": 3, # 60% of bypass attempts
"layer2_catches": 1, # 20%
"layer3_catches": 1, # 20%
"layer4_catches": 0, # All caught before gates
"layer5_detected": 5 # 100% logged
}
}
}
serena.write_memory("defense/metrics/{feature_id}", coverage_metrics)
Shannon learns which patterns work:
# Query historical defense implementations
defense_history = serena.query_memory("defense/metrics/*")
# Analyze effectiveness
analysis = {
"total_defenses": len(defense_history),
"avg_layers": average([d["total_layers"] for d in defense_history]),
"most_effective_layer": "entry_point", # Catches 65% on average
"least_bypassed": "validation_gates", # Never bypassed
"recommendation": "Always implement layer 4 (gates) for critical operations"
}
# Use this to guide future defense implementations
All five layers were necessary. During testing, each layer caught bugs the others missed:
Don't stop at one validation point. Add checks at every layer.
This skill works with:
Shannon integration:
After adding defense layers:
One layer = fixed the bug. Five layers = made it impossible.
Shannon's quantitative tracking + validation gates makes defense-in-depth measurable and verifiable.
Not "seems solid" - proven solid through multi-layer verification.
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.