The latest articles on Forem by Bala Paranj (@bala_paranj_059d338e44e7e). https://forem.com/bala_paranj_059d338e44e7e https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3862804%2F7ea6c560-63cb-4daf-a713-450532280b0a.jpg https://forem.com/bala_paranj_059d338e44e7e en Bala Paranj Thu, 09 Apr 2026 12:00:37 +0000 https://forem.com/bala_paranj_059d338e44e7e/one-test-file-that-prevents-all-architecture-regressions-1k95 https://forem.com/bala_paranj_059d338e44e7e/one-test-file-that-prevents-all-architecture-regressions-1k95 <p>Every team talks about hexagonal architecture. Almost no team enforces it.</p> <p>You draw the dependency diagram: <code>core/</code> never imports <code>adapters/</code>. <code>adapters/</code> never imports <code>cmd/</code>. Everyone nods. Then a developer in a hurry adds <code>import "internal/adapters/output"</code> inside a core package because they need a JSON helper. The code review approves it because the reviewer is focused on the feature logic, not the import list.</p> <p>Six months later, <code>core/</code> imports from 4 adapter packages and nobody remembers when it started.</p> <p>I wrote one test file that makes this impossible.</p> <h2> The Test </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestCoreNeverImportsAdapters</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">forbidden</span> <span class="o">:=</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span> <span class="s">"github.com/myapp/internal/adapters/"</span><span class="p">,</span> <span class="s">"github.com/myapp/internal/cli/"</span><span class="p">,</span> <span class="s">"github.com/myapp/cmd/"</span><span class="p">,</span> <span class="s">"os/exec"</span><span class="p">,</span> <span class="p">}</span> <span class="n">corePackages</span> <span class="o">:=</span> <span class="n">discoverPackages</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="s">"internal/core/"</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">pkg</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">corePackages</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">imp</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">pkg</span><span class="o">.</span><span class="n">Imports</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">banned</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">forbidden</span> <span class="p">{</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">HasPrefix</span><span class="p">(</span><span class="n">imp</span><span class="p">,</span> <span class="n">banned</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"core package %s imports forbidden %s"</span><span class="p">,</span> <span class="n">pkg</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">imp</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>It walks every Go file in <code>internal/core/</code>, extracts the import list, and fails if any import matches a forbidden prefix. That's it.</p> <h2> What It Catches </h2> <h3> Real violation: os/exec in core </h3> <p>When I added an E2E test runner to <code>internal/core/enginetest/</code>, the test immediately caught it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>core test isolation violation: internal/core/enginetest/e2e_test.go: imports os/exec </code></pre> </div> <p><code>os/exec</code> is an infrastructure dependency — it invokes external processes. It doesn't belong in core, even in test files. The E2E runner was moved to <code>e2e/</code> at the repo root.</p> <p>Without this test, the import would have stayed. It compiled fine. No reviewer would have caught it because <code>os/exec</code> in a test file looks reasonable.</p> <h3> Real violation: adapter type in port interface </h3> <p>A port interface in <code>app/contracts/</code> accepted an adapter type as a parameter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: Port contaminated with adapter type</span> <span class="k">type</span> <span class="n">EvaluationLoader</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Load</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">path</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">adapters</span><span class="o">.</span><span class="n">Evaluation</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The test caught the import of <code>adapters/</code> from the <code>app/</code> layer. The fix: the port returns a domain type, and the adapter converts at the boundary.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: Port uses only domain types</span> <span class="k">type</span> <span class="n">EvaluationLoader</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Load</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">path</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">report</span><span class="o">.</span><span class="n">Assessment</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Why Code Reviews Aren't Enough </h2> <p>Code reviews catch architecture violations about 80% of the time. The other 20%:</p> <ul> <li>The reviewer is focused on the feature logic, not import lists</li> <li>The PR has 40 files and the violation is in file 37</li> <li>The import looks reasonable in context ("I just need this one helper")</li> <li>The reviewer doesn't know the architecture rules because they're in a wiki nobody reads</li> </ul> <p>A test catches violations <strong>100% of the time</strong>. It runs in CI on every push. It doesn't get tired, distracted, or rushed.</p> <h2> How to Build It </h2> <h3> Step 1: Define your layers </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>internal/ core/ → NEVER imports adapters, app, cmd, os/exec app/ → NEVER imports adapters, cmd adapters/ → May import core, app cli/ → May import anything cmd/ → May import anything </code></pre> </div> <h3> Step 2: Discover packages programmatically </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">discoverPackages</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">,</span> <span class="n">root</span> <span class="kt">string</span><span class="p">)</span> <span class="p">[]</span><span class="n">PackageInfo</span> <span class="p">{</span> <span class="k">var</span> <span class="n">packages</span> <span class="p">[]</span><span class="n">PackageInfo</span> <span class="n">filepath</span><span class="o">.</span><span class="n">WalkDir</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">path</span> <span class="kt">string</span><span class="p">,</span> <span class="n">d</span> <span class="n">fs</span><span class="o">.</span><span class="n">DirEntry</span><span class="p">,</span> <span class="n">err</span> <span class="kt">error</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="o">!</span><span class="n">d</span><span class="o">.</span><span class="n">IsDir</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">strings</span><span class="o">.</span><span class="n">HasSuffix</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="s">".go"</span><span class="p">)</span> <span class="p">{</span> <span class="n">imports</span> <span class="o">:=</span> <span class="n">extractImports</span><span class="p">(</span><span class="n">path</span><span class="p">)</span> <span class="n">packages</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">packages</span><span class="p">,</span> <span class="n">PackageInfo</span><span class="p">{</span> <span class="n">Path</span><span class="o">:</span> <span class="n">path</span><span class="p">,</span> <span class="n">Imports</span><span class="o">:</span> <span class="n">imports</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">})</span> <span class="k">return</span> <span class="n">packages</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: Check every import against the forbidden list </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">pkg</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">corePackages</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">imp</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">pkg</span><span class="o">.</span><span class="n">Imports</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">banned</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">forbidden</span> <span class="p">{</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">HasPrefix</span><span class="p">(</span><span class="n">imp</span><span class="p">,</span> <span class="n">banned</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"%s imports forbidden %s"</span><span class="p">,</span> <span class="n">pkg</span><span class="o">.</span><span class="n">Path</span><span class="p">,</span> <span class="n">imp</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Run it in CI </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Architecture check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">go test ./internal/app/ -run TestCoreNeverImportsAdapters</span> </code></pre> </div> <h2> The ROI </h2> <p>This test is the most leveraged single commit in the codebase.</p> <p>Over 4 months and 60 refactorings, every structural change had to pass this test. When we merged <code>internal/infra/</code> into <code>internal/adapters/</code>, the test verified no core packages imported the old path. When we moved types between layers, the test verified the dependency direction.</p> <p>Without it, the hexagonal boundaries would have eroded under the pressure of daily development. With it, the architecture is <strong>mechanically guaranteed</strong>.</p> <p>The test took 30 minutes to write. It has prevented more regressions than any refactoring in the catalog.</p> <h2> What It Doesn't Catch </h2> <ul> <li> <strong>Logic violations</strong>: A function in <code>core/</code> that formats CLI output text. The import is legal (<code>fmt</code>), but the responsibility is wrong. This still needs code review.</li> <li> <strong>Interface design</strong>: A port with 10 methods (ISP violation). The import direction is correct but the interface is too fat. This needs design review.</li> <li> <strong>Naming</strong>: A core package named <code>utils</code> instead of a domain concept. The architecture is fine but discoverability suffers.</li> </ul> <p>The fitness function enforces the <strong>structural</strong> rules. Design and naming still need human judgment. But by automating the structural check, you free up code review time to focus on the things that require judgment.</p> <p><em>Checkout the code in my open source project <a href="https://github.com/sufield/stave" rel="noopener noreferrer">Stave</a>. The architecture fitness function has been running in CI since January 2026 and has caught 4 violations that would have been missed in code review.</em></p> Bala Paranj Wed, 08 Apr 2026 14:36:36 +0000 https://forem.com/bala_paranj_059d338e44e7e/accept-interfaces-return-structs-5-patterns-from-a-go-cli-2agm https://forem.com/bala_paranj_059d338e44e7e/accept-interfaces-return-structs-5-patterns-from-a-go-cli-2agm <p>"Accept interfaces, return structs" is the most quoted Go proverb and the least applied. Most Go codebases do the opposite: they define interfaces at the implementation site, accept concrete types, and return interfaces.</p> <p>Over 60 refactorings, I applied this proverb in 5 distinct ways. Each one solved a different coupling problem, but they all followed the same rule: <strong>the consumer defines the interface, the producer returns the concrete type</strong>.</p> <h2> Pattern 1: Decouple a Component from Its Container </h2> <h3> The Problem </h3> <p>Evaluation strategies had a back-pointer to the concrete <code>Runner</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: Strategy depends on the concrete Runner type</span> <span class="k">type</span> <span class="n">unsafeStateStrategy</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">runner</span> <span class="o">*</span><span class="n">Runner</span> <span class="c">// ← concrete dependency</span> <span class="n">ctl</span> <span class="o">*</span><span class="n">policy</span><span class="o">.</span><span class="n">ControlDefinition</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">unsafeStateStrategy</span><span class="p">)</span> <span class="n">Evaluate</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">asset</span><span class="o">.</span><span class="n">Timeline</span><span class="p">,</span> <span class="n">now</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">)</span> <span class="p">(</span><span class="n">Row</span><span class="p">,</span> <span class="p">[]</span><span class="o">*</span><span class="n">Finding</span><span class="p">)</span> <span class="p">{</span> <span class="n">maxUnsafe</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">runner</span><span class="o">.</span><span class="n">getMaxUnsafeDurationForControl</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">ctl</span><span class="p">)</span> <span class="n">logger</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">runner</span><span class="o">.</span><span class="n">Logger</span> <span class="n">parser</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">runner</span><span class="o">.</span><span class="n">PredicateParser</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The strategy needed 4 things from the Runner: a max-unsafe duration, a logger, a gap threshold, and a predicate parser. But it depended on the <em>entire</em> <code>Runner</code> type — all 12 fields, all methods, the full dependency graph.</p> <p>Testing a strategy meant constructing a full <code>Runner</code> with all its dependencies, even though the strategy only used 4 of them.</p> <h3> The Fix </h3> <p>Define a narrow interface <strong>at the consumer</strong> (the strategy), not at the producer (the Runner):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: Strategy depends on a 4-method interface it defines</span> <span class="k">type</span> <span class="n">strategyDeps</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">slaThresholdFor</span><span class="p">(</span><span class="n">ctl</span> <span class="o">*</span><span class="n">policy</span><span class="o">.</span><span class="n">ControlDefinition</span><span class="p">)</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="n">continuityLimit</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="n">logger</span><span class="p">()</span> <span class="o">*</span><span class="n">slog</span><span class="o">.</span><span class="n">Logger</span> <span class="n">predicateParser</span><span class="p">()</span> <span class="n">policy</span><span class="o">.</span><span class="n">PredicateParser</span> <span class="p">}</span> <span class="k">type</span> <span class="n">unsafeStateStrategy</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">deps</span> <span class="n">strategyDeps</span> <span class="c">// ← interface, not concrete type</span> <span class="n">ctl</span> <span class="o">*</span><span class="n">policy</span><span class="o">.</span><span class="n">ControlDefinition</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">unsafeStateStrategy</span><span class="p">)</span> <span class="n">Evaluate</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">asset</span><span class="o">.</span><span class="n">ExposureLifecycle</span><span class="p">,</span> <span class="n">now</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">)</span> <span class="p">(</span><span class="n">ResourceCheck</span><span class="p">,</span> <span class="p">[]</span><span class="o">*</span><span class="n">Finding</span><span class="p">)</span> <span class="p">{</span> <span class="n">maxUnsafe</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">deps</span><span class="o">.</span><span class="n">slaThresholdFor</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">ctl</span><span class="p">)</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The <code>Runner</code> (now <code>Assessor</code>) satisfies the interface implicitly — no <code>implements</code> keyword:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Runner/Assessor satisfies strategyDeps without declaring it</span> <span class="k">func</span> <span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">Assessor</span><span class="p">)</span> <span class="n">slaThresholdFor</span><span class="p">(</span><span class="n">ctl</span> <span class="o">*</span><span class="n">policy</span><span class="o">.</span><span class="n">ControlDefinition</span><span class="p">)</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ctl</span><span class="o">.</span><span class="n">EffectiveMaxUnsafeDuration</span><span class="p">(</span><span class="n">a</span><span class="o">.</span><span class="n">SLAThreshold</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">Assessor</span><span class="p">)</span> <span class="n">continuityLimit</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="p">{</span> <span class="k">return</span> <span class="n">a</span><span class="o">.</span><span class="n">ContinuityLimit</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">Assessor</span><span class="p">)</span> <span class="n">logger</span><span class="p">()</span> <span class="o">*</span><span class="n">slog</span><span class="o">.</span><span class="n">Logger</span> <span class="p">{</span> <span class="k">return</span> <span class="n">a</span><span class="o">.</span><span class="n">Logger</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">Assessor</span><span class="p">)</span> <span class="n">predicateParser</span><span class="p">()</span> <span class="n">policy</span><span class="o">.</span><span class="n">PredicateParser</span> <span class="p">{</span> <span class="k">return</span> <span class="n">a</span><span class="o">.</span><span class="n">PredicateParser</span> <span class="p">}</span> </code></pre> </div> <p>Testing a strategy now requires a 4-method mock, not a 12-field constructor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Test: mock only what the strategy needs</span> <span class="k">type</span> <span class="n">mockDeps</span> <span class="k">struct</span><span class="p">{}</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="n">mockDeps</span><span class="p">)</span> <span class="n">slaThresholdFor</span><span class="p">(</span><span class="n">_</span> <span class="o">*</span><span class="n">policy</span><span class="o">.</span><span class="n">ControlDefinition</span><span class="p">)</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="p">{</span> <span class="k">return</span> <span class="m">24</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Hour</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="n">mockDeps</span><span class="p">)</span> <span class="n">continuityLimit</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="p">{</span> <span class="k">return</span> <span class="m">12</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Hour</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="n">mockDeps</span><span class="p">)</span> <span class="n">logger</span><span class="p">()</span> <span class="o">*</span><span class="n">slog</span><span class="o">.</span><span class="n">Logger</span> <span class="p">{</span> <span class="k">return</span> <span class="n">slog</span><span class="o">.</span><span class="n">Default</span><span class="p">()</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="n">mockDeps</span><span class="p">)</span> <span class="n">predicateParser</span><span class="p">()</span> <span class="n">policy</span><span class="o">.</span><span class="n">PredicateParser</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>After the refactor, strategies went from untestable (coupled to Runner) to independently testable.</p> <h2> Pattern 2: Slim a Fat Interface </h2> <h3> The Problem </h3> <p>The <code>Control</code> interface had 8 methods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: Fat interface — every implementor must provide 8 methods</span> <span class="k">type</span> <span class="n">Control</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">ID</span><span class="p">()</span> <span class="n">kernel</span><span class="o">.</span><span class="n">ControlID</span> <span class="n">Description</span><span class="p">()</span> <span class="kt">string</span> <span class="n">Severity</span><span class="p">()</span> <span class="n">Severity</span> <span class="n">ComplianceProfiles</span><span class="p">()</span> <span class="p">[]</span><span class="kt">string</span> <span class="n">ComplianceRefs</span><span class="p">()</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span> <span class="n">ProfileRationale</span><span class="p">(</span><span class="n">profile</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">string</span> <span class="n">ProfileSeverityOverride</span><span class="p">(</span><span class="n">profile</span> <span class="kt">string</span><span class="p">)</span> <span class="n">Severity</span> <span class="n">Evaluate</span><span class="p">(</span><span class="n">snap</span> <span class="n">asset</span><span class="o">.</span><span class="n">Snapshot</span><span class="p">)</span> <span class="n">Result</span> <span class="p">}</span> </code></pre> </div> <p>Every control implementation had to provide 7 getter methods that all did the same thing: return a field from a <code>Definition</code> struct. The getters were boilerplate — 14 lines per control, identical across all 14 controls.</p> <h3> The Fix </h3> <p>Slim to 2 methods. Return a struct for the metadata:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: 2-method interface — return struct for metadata</span> <span class="k">type</span> <span class="n">Control</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Def</span><span class="p">()</span> <span class="n">Definition</span> <span class="c">// ← returns struct, not 7 methods</span> <span class="n">Evaluate</span><span class="p">(</span><span class="n">snap</span> <span class="n">asset</span><span class="o">.</span><span class="n">Snapshot</span><span class="p">)</span> <span class="n">Result</span> <span class="p">}</span> </code></pre> </div> <p>The <code>Definition</code> struct carries all the metadata:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Definition</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">id</span> <span class="n">kernel</span><span class="o">.</span><span class="n">ControlID</span> <span class="n">description</span> <span class="kt">string</span> <span class="n">severity</span> <span class="n">Severity</span> <span class="n">complianceProfiles</span> <span class="p">[]</span><span class="kt">string</span> <span class="n">complianceRefs</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span> <span class="c">// ...</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">d</span> <span class="n">Definition</span><span class="p">)</span> <span class="n">ID</span><span class="p">()</span> <span class="n">kernel</span><span class="o">.</span><span class="n">ControlID</span> <span class="p">{</span> <span class="k">return</span> <span class="n">d</span><span class="o">.</span><span class="n">id</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">d</span> <span class="n">Definition</span><span class="p">)</span> <span class="n">Severity</span><span class="p">()</span> <span class="n">Severity</span> <span class="p">{</span> <span class="k">return</span> <span class="n">d</span><span class="o">.</span><span class="n">severity</span> <span class="p">}</span> <span class="c">// ... accessor methods on the struct, not the interface</span> </code></pre> </div> <p>Callers changed from <code>ctrl.ID()</code> to <code>ctrl.Def().ID()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE</span> <span class="n">controlID</span> <span class="o">:=</span> <span class="n">ctrl</span><span class="o">.</span><span class="n">ID</span><span class="p">()</span> <span class="n">severity</span> <span class="o">:=</span> <span class="n">ctrl</span><span class="o">.</span><span class="n">Severity</span><span class="p">()</span> <span class="n">refs</span> <span class="o">:=</span> <span class="n">ctrl</span><span class="o">.</span><span class="n">ComplianceRefs</span><span class="p">()</span> <span class="c">// AFTER</span> <span class="n">controlID</span> <span class="o">:=</span> <span class="n">ctrl</span><span class="o">.</span><span class="n">Def</span><span class="p">()</span><span class="o">.</span><span class="n">ID</span><span class="p">()</span> <span class="n">severity</span> <span class="o">:=</span> <span class="n">ctrl</span><span class="o">.</span><span class="n">Def</span><span class="p">()</span><span class="o">.</span><span class="n">Severity</span><span class="p">()</span> <span class="n">refs</span> <span class="o">:=</span> <span class="n">ctrl</span><span class="o">.</span><span class="n">Def</span><span class="p">()</span><span class="o">.</span><span class="n">ComplianceRefs</span><span class="p">()</span> </code></pre> </div> <p>One extra <code>.Def()</code> call. But the interface dropped from 8 methods to 2. New controls only implement <code>Evaluate</code> — the metadata comes from the <code>Definition</code> struct built with functional options:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Construction with functional options — no method boilerplate</span> <span class="k">type</span> <span class="n">accessBlockPublic</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Definition</span> <span class="p">}</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="n">ControlRegistry</span><span class="o">.</span><span class="n">MustRegister</span><span class="p">(</span><span class="o">&amp;</span><span class="n">accessBlockPublic</span><span class="p">{</span> <span class="n">Definition</span><span class="o">:</span> <span class="n">NewDefinition</span><span class="p">(</span> <span class="n">WithID</span><span class="p">(</span><span class="s">"CTL.S3.CONTROLS.001"</span><span class="p">),</span> <span class="n">WithSeverity</span><span class="p">(</span><span class="n">Critical</span><span class="p">),</span> <span class="n">WithComplianceRef</span><span class="p">(</span><span class="s">"hipaa"</span><span class="p">,</span> <span class="s">"§164.312(a)(1)"</span><span class="p">),</span> <span class="p">),</span> <span class="p">})</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">ctl</span> <span class="o">*</span><span class="n">accessBlockPublic</span><span class="p">)</span> <span class="n">Evaluate</span><span class="p">(</span><span class="n">snap</span> <span class="n">asset</span><span class="o">.</span><span class="n">Snapshot</span><span class="p">)</span> <span class="n">Result</span> <span class="p">{</span> <span class="c">// Only the evaluation logic — no getter boilerplate</span> <span class="p">}</span> </code></pre> </div> <p>After the refactor — 14 controls lost 7 boilerplate methods each.</p> <h2> Pattern 3: Port Interfaces with Domain-Only Types </h2> <h3> The Problem </h3> <p>A port interface in <code>app/contracts</code> imported a type from <code>internal/core/evaluation/remediation</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: Port contaminated with business logic package</span> <span class="k">package</span> <span class="n">contracts</span> <span class="k">import</span> <span class="s">"github.com/sufield/stave/internal/core/evaluation/remediation"</span> <span class="k">type</span> <span class="n">EnrichedResult</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Findings</span> <span class="p">[]</span><span class="n">remediation</span><span class="o">.</span><span class="n">Finding</span> <span class="c">// ← port imports domain implementation</span> <span class="p">}</span> </code></pre> </div> <p>The port (in the <code>app</code> layer) depended on a specific domain package. Adapters that implemented the port had to import <code>remediation</code> even if they only needed the finding's ID and severity. The dependency arrow pointed inward (correct direction) but the coupling was too tight.</p> <h3> The Fix </h3> <p>Define a boundary type in the port package using only types the port already imports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: Port uses its own boundary type</span> <span class="k">package</span> <span class="n">contracts</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/sufield/stave/internal/core/evaluation"</span> <span class="n">policy</span> <span class="s">"github.com/sufield/stave/internal/core/controldef"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">EnrichedFinding</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Finding</span> <span class="n">evaluation</span><span class="o">.</span><span class="n">Finding</span> <span class="n">Remediation</span> <span class="n">policy</span><span class="o">.</span><span class="n">RemediationSpec</span> <span class="p">}</span> <span class="k">type</span> <span class="n">EnrichedResult</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Findings</span> <span class="p">[]</span><span class="n">EnrichedFinding</span> <span class="c">// ← uses only types already in contracts</span> <span class="p">}</span> </code></pre> </div> <p>The enrichment pipeline maps at the boundary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Boundary conversion in the app layer</span> <span class="k">func</span> <span class="n">enrich</span><span class="p">(</span><span class="n">findings</span> <span class="p">[]</span><span class="n">remediation</span><span class="o">.</span><span class="n">Finding</span><span class="p">)</span> <span class="p">[]</span><span class="n">contracts</span><span class="o">.</span><span class="n">EnrichedFinding</span> <span class="p">{</span> <span class="n">result</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="n">contracts</span><span class="o">.</span><span class="n">EnrichedFinding</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">findings</span><span class="p">))</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">f</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">findings</span> <span class="p">{</span> <span class="n">result</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">contracts</span><span class="o">.</span><span class="n">EnrichedFinding</span><span class="p">{</span> <span class="n">Finding</span><span class="o">:</span> <span class="n">f</span><span class="o">.</span><span class="n">Finding</span><span class="p">,</span> <span class="n">Remediation</span><span class="o">:</span> <span class="n">f</span><span class="o">.</span><span class="n">RemediationSpec</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">result</span> <span class="p">}</span> </code></pre> </div> <p>Adapters convert back to <code>remediation.Finding</code> only when they need the full type — via local <code>toRemediationFindings</code> helpers.</p> <p>After the refactor — port boundary no longer imports business logic packages.</p> <h2> Pattern 4: One-Method Interfaces at the Boundary </h2> <h3> The Problem </h3> <p>Infrastructure capabilities were injected as concrete function types or large interfaces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: Bare function type mixed with other concerns</span> <span class="k">type</span> <span class="n">Runner</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Logger</span> <span class="o">*</span><span class="n">slog</span><span class="o">.</span><span class="n">Logger</span> <span class="n">Clock</span> <span class="k">func</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="c">// ← bare function, no testability signal</span> <span class="n">Hasher</span> <span class="k">func</span><span class="p">([]</span><span class="kt">byte</span><span class="p">)</span> <span class="kt">string</span> <span class="c">// ← bare function</span> <span class="n">Controls</span> <span class="p">[]</span><span class="n">ControlDefinition</span> <span class="n">MaxUnsafe</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="p">}</span> </code></pre> </div> <p><code>func() time.Time</code> is technically an interface with one method — but it has no name, no documentation, and no discoverable implementations.</p> <h3> The Fix </h3> <p>Named one-method interfaces in a <code>ports</code> package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: Named interfaces with concrete implementations</span> <span class="k">package</span> <span class="n">ports</span> <span class="k">type</span> <span class="n">Clock</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Now</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> <span class="k">type</span> <span class="n">RealClock</span> <span class="k">struct</span><span class="p">{}</span> <span class="k">func</span> <span class="p">(</span><span class="n">RealClock</span><span class="p">)</span> <span class="n">Now</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">{</span> <span class="k">return</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UTC</span><span class="p">()</span> <span class="p">}</span> <span class="k">type</span> <span class="n">FixedClock</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="k">func</span> <span class="p">(</span><span class="n">f</span> <span class="n">FixedClock</span><span class="p">)</span> <span class="n">Now</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">{</span> <span class="k">return</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Digester</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Digest</span><span class="p">(</span><span class="n">components</span> <span class="p">[]</span><span class="kt">string</span><span class="p">,</span> <span class="n">sep</span> <span class="kt">byte</span><span class="p">)</span> <span class="n">kernel</span><span class="o">.</span><span class="n">Digest</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Verifier</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Verify</span><span class="p">(</span><span class="n">data</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">,</span> <span class="n">sig</span> <span class="n">kernel</span><span class="o">.</span><span class="n">Signature</span><span class="p">)</span> <span class="kt">error</span> <span class="p">}</span> </code></pre> </div> <p>The consumer declares the dependency as a named interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Assessor</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Clock</span> <span class="n">ports</span><span class="o">.</span><span class="n">Clock</span> <span class="c">// ← named interface, not func() time.Time</span> <span class="n">Hasher</span> <span class="n">ports</span><span class="o">.</span><span class="n">Digester</span> <span class="c">// ← named interface, not func([]byte) string</span> <span class="p">}</span> </code></pre> </div> <p>Testing uses the provided implementations — no mocking framework needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Test: deterministic time</span> <span class="n">assessor</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">Assessor</span><span class="p">{</span> <span class="n">Clock</span><span class="o">:</span> <span class="n">ports</span><span class="o">.</span><span class="n">FixedClock</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Date</span><span class="p">(</span><span class="m">2026</span><span class="p">,</span> <span class="m">1</span><span class="p">,</span> <span class="m">15</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="n">time</span><span class="o">.</span><span class="n">UTC</span><span class="p">)),</span> <span class="p">}</span> </code></pre> </div> <p>Each interface has exactly one method. Go's implicit interface satisfaction means any type with a <code>Now() time.Time</code> method satisfies <code>Clock</code> — including <code>FixedClock</code>, <code>RealClock</code>, or any test stub.</p> <h2> Pattern 5: Remove Unnecessary Interface Threading </h2> <h3> The Problem </h3> <p>An <code>IdentityGenerator</code> interface was threaded through 4 levels of the call stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: Interface threaded through entire chain</span> <span class="k">func</span> <span class="n">NewPlanner</span><span class="p">(</span><span class="n">idGen</span> <span class="n">ports</span><span class="o">.</span><span class="n">IdentityGenerator</span><span class="p">)</span> <span class="o">*</span><span class="n">Planner</span> <span class="p">{</span> <span class="o">...</span> <span class="p">}</span> <span class="k">func</span> <span class="n">NewMapper</span><span class="p">(</span><span class="n">idGen</span> <span class="n">ports</span><span class="o">.</span><span class="n">IdentityGenerator</span><span class="p">)</span> <span class="o">*</span><span class="n">Mapper</span> <span class="p">{</span> <span class="o">...</span> <span class="p">}</span> <span class="k">type</span> <span class="n">publicExposurePlanner</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">idGen</span> <span class="n">ports</span><span class="o">.</span><span class="n">IdentityGenerator</span> <span class="c">// ← carried but used once at the end</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">p</span> <span class="o">*</span><span class="n">publicExposurePlanner</span><span class="p">)</span> <span class="n">Plan</span><span class="p">(</span><span class="n">findings</span> <span class="p">[]</span><span class="n">Finding</span><span class="p">)</span> <span class="p">[]</span><span class="n">RemediationPlan</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">f</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">findings</span> <span class="p">{</span> <span class="n">plan</span> <span class="o">:=</span> <span class="n">RemediationPlan</span><span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="n">p</span><span class="o">.</span><span class="n">idGen</span><span class="o">.</span><span class="n">GenerateID</span><span class="p">(</span><span class="s">"plan"</span><span class="p">,</span> <span class="kt">string</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">ControlID</span><span class="p">),</span> <span class="kt">string</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">AssetID</span><span class="p">)),</span> <span class="c">// ...</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The ID generator was injected into the Planner, carried through the Mapper, and used at one point: generating plan IDs. Four constructors accepted it. Four structs stored it. One call site used it.</p> <h3> The Fix </h3> <p>Generate IDs at the boundary, not inside the domain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: Domain logic is pure — IDs assigned at boundary</span> <span class="k">func</span> <span class="p">(</span><span class="n">p</span> <span class="o">*</span><span class="n">publicExposurePlanner</span><span class="p">)</span> <span class="n">Plan</span><span class="p">(</span><span class="n">findings</span> <span class="p">[]</span><span class="n">Finding</span><span class="p">)</span> <span class="p">[]</span><span class="n">RemediationPlan</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">f</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">findings</span> <span class="p">{</span> <span class="n">plan</span> <span class="o">:=</span> <span class="n">RemediationPlan</span><span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">""</span><span class="p">,</span> <span class="c">// ← empty, assigned later at boundary</span> <span class="c">// ...</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Boundary function assigns IDs after domain logic completes</span> <span class="k">func</span> <span class="n">AssignPlanIDs</span><span class="p">(</span><span class="n">gen</span> <span class="n">ports</span><span class="o">.</span><span class="n">IdentityGenerator</span><span class="p">,</span> <span class="n">plans</span> <span class="p">[]</span><span class="n">RemediationPlan</span><span class="p">)</span> <span class="p">{</span> <span class="k">for</span> <span class="n">i</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">plans</span> <span class="p">{</span> <span class="n">plans</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">.</span><span class="n">ID</span> <span class="o">=</span> <span class="n">gen</span><span class="o">.</span><span class="n">GenerateID</span><span class="p">(</span><span class="s">"plan"</span><span class="p">,</span> <span class="o">...</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The Planner and Mapper are now pure domain types with no infrastructure dependencies. <code>AssignPlanIDs</code> is called once at the boundary after enrichment. The interface is accepted at the boundary, not threaded through the domain.</p> <p>After the refactor — removed <code>IdentityGenerator</code> from 4 constructors and 4 struct fields.</p> <h2> The Rules </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Rule</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td><strong>Consumer defines the interface</strong></td> <td>Strategy imports <code>*Runner</code> </td> <td>Strategy defines <code>strategyDeps</code> (4 methods)</td> </tr> <tr> <td><strong>Return structs, not interfaces</strong></td> <td> <code>Control</code> interface with 8 methods</td> <td> <code>Def()</code> returns <code>Definition</code> struct</td> </tr> <tr> <td><strong>Ports use only domain types</strong></td> <td>Port imports <code>remediation.Finding</code> </td> <td>Port defines <code>EnrichedFinding</code> boundary type</td> </tr> <tr> <td><strong>Name your one-method interfaces</strong></td> <td><code>func() time.Time</code></td> <td> <code>ports.Clock</code> with <code>Now() time.Time</code> </td> </tr> <tr> <td><strong>Don't thread interfaces through domain</strong></td> <td> <code>IdentityGenerator</code> in 4 constructors</td> <td> <code>AssignPlanIDs</code> at boundary</td> </tr> </tbody> </table></div> <h2> How to Find Violations </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fat interfaces (more than 3 methods)</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">'type.*interface {'</span> <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> <span class="nt">-A</span> 10 | <span class="nb">grep</span> <span class="nt">-c</span> <span class="s1">'func\b'</span> | <span class="nb">sort</span> <span class="nt">-rn</span> <span class="c"># Concrete type dependencies that should be interfaces</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">'\*Runner\|\*Engine\|\*Service'</span> <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> | <span class="nb">grep</span> <span class="s1">'struct {'</span> | <span class="nb">grep</span> <span class="nt">-v</span> <span class="s1">'_test.go'</span> <span class="c"># Interface threading (same interface in multiple constructors)</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">'ports\.'</span> <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> | <span class="nb">grep</span> <span class="s1">'func New'</span> | <span class="nb">sort</span> <span class="c"># Port contamination (ports importing implementation packages)</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">'import'</span> internal/app/contracts/ <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> | <span class="nb">grep</span> <span class="nt">-v</span> <span class="s1">'core/\|kernel\|asset'</span> </code></pre> </div> <p>The last command finds port packages importing implementation packages — the signal for Pattern 3.</p> <h2> The Payoff </h2> <p>Before these refactorings, testing the evaluation engine required constructing the full <code>Runner</code> with 12 fields. After, testing a strategy requires a 4-method mock. Testing the Planner requires no mocks at all — it's a pure function.</p> <p>The interface count went <em>down</em>, not up. Fat interfaces were slimmed. Unnecessary interfaces were removed. The remaining interfaces are small (1-4 methods), defined at the consumer, and satisfied implicitly.</p> <p>That's the Go way: interfaces should be discovered, not designed.</p> <p><em>These 5 patterns were applied across 60 refactorings in <a href="https://github.com/sufield/stave" rel="noopener noreferrer">Stave</a>, an offline configuration safety evaluator.</em></p> architecture codequality go softwareengineering Bala Paranj Tue, 07 Apr 2026 13:29:34 +0000 https://forem.com/bala_paranj_059d338e44e7e/designing-errors-out-of-your-go-cli-36in https://forem.com/bala_paranj_059d338e44e7e/designing-errors-out-of-your-go-cli-36in <p>Most Go CLIs have too many error checks. Not because error handling is wrong — because the errors themselves are wrong.</p> <p>I read the Power of Go Tools by John Arundel. Based on his book, I audited a 50,000-line Go CLI for functions that return errors unnecessarily. The result: 10 functions refactored, 50+ <code>if err != nil</code> checks eliminated, and the remaining error checks now mean something.</p> <p>This is John Ousterhout's philosophy from <em>A Philosophy of Software Design</em>: don't handle errors better — <strong>design them out of existence</strong>.</p> <h2> The Four Patterns </h2> <p>I searched for four specific anti-patterns:</p> <ol> <li> <strong>Idempotent No-ops</strong> — returning an error for a state that already matches the desired outcome</li> <li> <strong>Empty-Set Errors</strong> — returning an error when a slice is empty instead of treating it as "no work to do"</li> <li> <strong>Recoverable Internals</strong> — returning an error when the function could make a sensible default decision</li> <li> <strong>Crash-Only Candidates</strong> — returning an error from initialization code where failure is truly fatal</li> </ol> <p>Here's what I found and how I fixed each one.</p> <h2> Pattern 1: Idempotent No-ops </h2> <h3> The temp file cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: returns error if temp file is already gone</span> <span class="k">func</span> <span class="n">IsDirectoryWritable</span><span class="p">(</span><span class="n">dir</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">f</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">CreateTemp</span><span class="p">(</span><span class="n">dir</span><span class="p">,</span> <span class="s">".stave-write-check-*"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">path</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">()</span> <span class="n">_</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="k">return</span> <span class="n">os</span><span class="o">.</span><span class="n">Remove</span><span class="p">(</span><span class="n">path</span><span class="p">)</span> <span class="c">// ← why does this error matter?</span> <span class="p">}</span> </code></pre> </div> <p>The function's job is to check if a directory is writable. If <code>os.Remove</code> fails because the temp file is already gone, the check already passed. The post-condition is met.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: cleanup errors are irrelevant</span> <span class="k">func</span> <span class="n">IsDirectoryWritable</span><span class="p">(</span><span class="n">dir</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">f</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">CreateTemp</span><span class="p">(</span><span class="n">dir</span><span class="p">,</span> <span class="s">".stave-write-check-*"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">path</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">()</span> <span class="n">_</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="n">_</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Remove</span><span class="p">(</span><span class="n">path</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p><strong>Rule</strong>: If the post-condition is satisfied, the function succeeds. Period.</p> <h2> Pattern 2: Empty-Set Safety </h2> <h3> The empty registry </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: empty registry is treated as an error</span> <span class="k">func</span> <span class="n">NewIndex</span><span class="p">(</span><span class="n">data</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">Index</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">idx</span> <span class="n">registryIndex</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">yaml</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">idx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">idx</span><span class="o">.</span><span class="n">Packs</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrEmptyRegistry</span> <span class="c">// ← is zero packs really an error?</span> <span class="p">}</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>An empty registry means "no packs enabled." That's a valid state — the caller already checks <code>len(packs)</code> before iterating. The error just forces every caller to handle a case that isn't exceptional.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: empty registry is a valid zero-work state</span> <span class="k">func</span> <span class="n">NewIndex</span><span class="p">(</span><span class="n">data</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">Index</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">idx</span> <span class="n">registryIndex</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">yaml</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">idx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// Zero packs is valid — the registry simply has nothing enabled.</span> <span class="n">r</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">Index</span><span class="p">{</span> <span class="n">version</span><span class="o">:</span> <span class="n">strings</span><span class="o">.</span><span class="n">TrimSpace</span><span class="p">(</span><span class="n">idx</span><span class="o">.</span><span class="n">Version</span><span class="p">),</span> <span class="c">// ...</span> <span class="p">}</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p><strong>Rule</strong>: If an empty input means "nothing to do," the function should succeed with a zero-value result, not fail.</p> <h3> The empty predicate </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: empty expression is an error</span> <span class="k">if</span> <span class="n">expr</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">CompiledPredicate</span><span class="p">{},</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"predicate produced empty expression"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// AFTER: empty predicate = always-pass (no rules = compliant)</span> <span class="k">if</span> <span class="n">expr</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">expr</span> <span class="o">=</span> <span class="s">"true"</span> <span class="p">}</span> </code></pre> </div> <p>An empty predicate in a security tool means "no rules defined for this control." That's not an error — it's compliance by default.</p> <h2> Pattern 3: Recoverable Internals </h2> <h3> The nil dependency </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: nil loader is a fatal error</span> <span class="k">func</span> <span class="n">ListSnapshotFilesFlat</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">dir</span> <span class="kt">string</span><span class="p">,</span> <span class="n">opts</span> <span class="n">ScannerOptions</span><span class="p">)</span> <span class="p">([]</span><span class="n">SnapshotFile</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">opts</span><span class="o">.</span><span class="n">MetadataLoader</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errMetadataLoaderRequired</span> <span class="p">}</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The <code>MetadataLoader</code> extracts timestamps from snapshot files. If it's nil, there's a perfectly good fallback: use the file's modification time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: nil loader falls back to filesystem metadata</span> <span class="k">if</span> <span class="n">opts</span><span class="o">.</span><span class="n">MetadataLoader</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">opts</span><span class="o">.</span><span class="n">MetadataLoader</span> <span class="o">=</span> <span class="k">func</span><span class="p">(</span><span class="n">filePath</span><span class="p">,</span> <span class="n">_</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">fi</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Stat</span><span class="p">(</span><span class="n">filePath</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">{},</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">fi</span><span class="o">.</span><span class="n">ModTime</span><span class="p">(),</span> <span class="no">nil</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Rule</strong>: If a sensible default exists, use it instead of forcing the caller to provide a value they probably don't care about.</p> <h3> The zero time </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: zero time is rejected</span> <span class="k">func</span> <span class="n">NewActiveWindow</span><span class="p">(</span><span class="n">openedAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">)</span> <span class="p">(</span><span class="n">ExposureWindow</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">openedAt</span><span class="o">.</span><span class="n">IsZero</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ExposureWindow</span><span class="p">{},</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"opened_at is required"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">ExposureWindow</span><span class="p">{</span><span class="n">openedAt</span><span class="o">:</span> <span class="n">openedAt</span><span class="p">,</span> <span class="n">active</span><span class="o">:</span> <span class="no">true</span><span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>A zero time means "not specified." The window should still be created — the caller can check <code>w.OpenedAt().IsZero()</code> if they care. Most don't.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: zero time is accepted — callers check if they care</span> <span class="k">func</span> <span class="n">NewActiveWindow</span><span class="p">(</span><span class="n">openedAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">)</span> <span class="n">ExposureWindow</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ExposureWindow</span><span class="p">{</span><span class="n">openedAt</span><span class="o">:</span> <span class="n">openedAt</span><span class="p">,</span> <span class="n">active</span><span class="o">:</span> <span class="no">true</span><span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This one removed error checks from <strong>30+ call sites</strong>. Most were already using <code>tl, _ := NewActiveWindow(...)</code> — the Go equivalent of saying "I know this error doesn't matter."</p> <h2> Pattern 4: Crash-Only Candidates </h2> <h3> The programming error </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: returns error that no caller can recover from</span> <span class="k">func</span> <span class="n">NewExposureLifecycle</span><span class="p">(</span><span class="n">a</span> <span class="n">Asset</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">ExposureLifecycle</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">a</span><span class="o">.</span><span class="n">ID</span><span class="o">.</span><span class="n">IsEmpty</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"asset ID must not be empty"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">ExposureLifecycle</span><span class="p">{</span><span class="n">ID</span><span class="o">:</span> <span class="n">a</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">asset</span><span class="o">:</span> <span class="n">a</span><span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>An empty asset ID is a programming error at the call site — the caller constructed the asset. If the ID is empty, there's a bug upstream. No caller can meaningfully recover from this. They all either <code>t.Fatal(err)</code> in tests or propagate it up the stack until someone logs it and exits.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: panic on contract violation</span> <span class="k">func</span> <span class="n">NewExposureLifecycle</span><span class="p">(</span><span class="n">a</span> <span class="n">Asset</span><span class="p">)</span> <span class="o">*</span><span class="n">ExposureLifecycle</span> <span class="p">{</span> <span class="k">if</span> <span class="n">a</span><span class="o">.</span><span class="n">ID</span><span class="o">.</span><span class="n">IsEmpty</span><span class="p">()</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="s">"contract violated: NewExposureLifecycle requires non-empty asset ID"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">ExposureLifecycle</span><span class="p">{</span><span class="n">ID</span><span class="o">:</span> <span class="n">a</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">asset</span><span class="o">:</span> <span class="n">a</span><span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This matches the <code>checkContracts()</code> pattern already used in the same file for internal state validation. It eliminated error-check boilerplate from <strong>40+ call sites</strong>.</p> <p><strong>Rule</strong>: If the error means "you have a bug," use <code>panic</code>. If the error means "the user gave bad input," return an error. Don't conflate programming errors with operational errors.</p> <h2> The Impact </h2> <p>Before:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10 functions returning errors 50+ if err != nil checks across the codebase Many callers using tl, _ := ... (ignoring the error anyway) </code></pre> </div> <p>After:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10 functions with clear contracts 50+ fewer error checks Every remaining if err != nil represents a truly exceptional event </code></pre> </div> <h2> How to Find These in Your CLI </h2> <p>Search for these patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Functions where callers ignore the error</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">', _ :='</span> <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> | <span class="nb">grep</span> <span class="nt">-v</span> vendor/ | <span class="nb">sort</span> | <span class="nb">uniq</span> <span class="nt">-c</span> | <span class="nb">sort</span> <span class="nt">-rn</span> <span class="c"># Empty-set errors</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">'len(.*) == 0'</span> <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> | <span class="nb">grep</span> <span class="s1">'Errorf\|errors.New'</span> <span class="c"># Existing panic patterns (your team already uses crash-only where appropriate)</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">'panic('</span> <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> | <span class="nb">grep</span> <span class="nt">-v</span> vendor/ | <span class="nb">grep</span> <span class="nt">-v</span> _test.go </code></pre> </div> <p>The first command is the most revealing. If you see 40 call sites ignoring an error, the error shouldn't exist.</p> <h2> When NOT to Do This </h2> <ul> <li> <strong>User input boundaries</strong>: Always validate and return errors for user-supplied data</li> <li> <strong>Network/IO operations</strong>: These fail for real external reasons</li> <li> <strong>Cross-package contracts</strong>: If the caller is in a different package, errors are the right contract</li> <li> <strong>Data integrity</strong>: Schema validation, hash mismatches, malformed input — these are real errors</li> </ul> <p>The goal isn't to eliminate error handling. It's to make every <code>if err != nil</code> mean something. When a developer sees an error check, they should know it represents a truly exceptional event — not a no-op, not an empty set, not a sensible default, and not a programming bug.</p> <p><em>These refactorings were applied to <a href="https://github.com/sufield/stave" rel="noopener noreferrer">Stave</a>, an offline configuration safety evaluator.</em></p> cli codequality design go Bala Paranj Mon, 06 Apr 2026 12:26:51 +0000 https://forem.com/bala_paranj_059d338e44e7e/why-the-capital-one-breach-wasnt-about-one-misconfiguration-5gdd https://forem.com/bala_paranj_059d338e44e7e/why-the-capital-one-breach-wasnt-about-one-misconfiguration-5gdd <p>In 2019, a former AWS employee exploited a server-side request forgery (SSRF) vulnerability in Capital One's web application firewall. The breach exposed over 100 million customer records.</p> <p>But here's the thing security scanners missed: <strong>no single misconfiguration caused the breach.</strong></p> <p>It was the <em>correlation</em> of three weak signals that produced a critical finding:</p> <ol> <li>An SSRF vulnerability in the WAF configuration</li> <li>An overly permissive IAM role attached to the compromised instance</li> <li>Unencrypted S3 buckets containing sensitive customer data</li> </ol> <p>Each finding alone? Low to medium severity. Together? A $190 million breach.</p> <h2> The Problem with Flat Scanners </h2> <p>Most cloud security tools evaluate configurations in isolation. They produce a flat list of findings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WARN S3 bucket has public access enabled WARN IAM role has overly broad permissions INFO Server-side encryption not enabled </code></pre> </div> <p>Three warnings. No critical alert. The tool did its job — it found each misconfiguration. But it missed the <em>compound risk</em> because it never correlated the signals.</p> <p>This is the fundamental gap: <strong>a scanner that evaluates one configuration at a time cannot reason about the interaction between configurations.</strong></p> <h2> Introducing Stave </h2> <p><a href="https://github.com/sufield/stave" rel="noopener noreferrer">Stave</a> is an offline configuration safety evaluator. It takes two inputs — security controls written in YAML and observation snapshots of your cloud infrastructure — and produces a deterministic security assessment. No agents, no API keys, no network access required. It runs entirely on local data, which makes it suitable for air-gapped environments and audit-sensitive workflows.</p> <p>The examples below use Stave's control language to illustrate how compound predicate evaluation closes the signal correlation gap.</p> <h2> Signal Correlation: The Missing Primitive </h2> <p>What security teams actually need is a way to express compound conditions — predicates that fire only when multiple weak signals appear together on the same asset:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">id</span><span class="pi">:</span> <span class="s">CTL.S3.EXPOSURE.COMPOUND.001</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Unencrypted Public Bucket with Broad IAM Access</span> <span class="na">description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">S3 bucket is publicly accessible, lacks encryption, and is</span> <span class="s">accessible by an overly permissive IAM role. This combination</span> <span class="s">creates a high-severity data exfiltration risk.</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">unsafe_predicate</span><span class="pi">:</span> <span class="na">all</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">public_access</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">server_side_encryption</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">iam_role_scope</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">overly_permissive"</span> </code></pre> </div> <p>The <code>all</code> combinator is the key. This control only fires when <strong>every condition is true simultaneously.</strong> Three medium-severity signals become one critical finding because the predicate explicitly models the compound risk.</p> <h2> How Compound Predicates Work </h2> <p>The evaluation model supports two combinators:</p> <p><strong><code>all</code></strong> — Every condition must be true (logical AND). Use this for compound risk scenarios where the danger comes from the intersection of weak signals.</p> <p><strong><code>any</code></strong> — At least one condition must be true (logical OR). Use this for detection breadth where multiple indicators point to the same root cause.</p> <p>These nest arbitrarily:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">unsafe_predicate</span><span class="pi">:</span> <span class="na">all</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">public_access</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">server_side_encryption</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">kms_key_id</span> <span class="na">op</span><span class="pi">:</span> <span class="s">missing</span> </code></pre> </div> <p>This reads: "The bucket is publicly accessible AND (encryption is disabled OR no KMS key is configured)." Two different paths to the same compound risk.</p> <h2> Adding Time as a Correlation Axis </h2> <p>Here's where it gets interesting. A misconfiguration that appeared 2 hours ago is different from one that's been open for 90 days.</p> <p>If your evaluation engine tracks <em>when</em> a configuration became unsafe — not just <em>whether</em> it's unsafe — you gain a temporal correlation axis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Finding</span><span class="pi">:</span> <span class="s">CTL.S3.PUBLIC.001</span> <span class="s">Asset</span><span class="err">:</span> <span class="s">patient-records-bucket</span> <span class="s">First unsafe</span><span class="err">:</span> <span class="s">2026-01-01T00:00:00Z</span> <span class="s">Duration</span><span class="err">:</span> <span class="s">2160 hours (90 days)</span> <span class="s">SLA threshold</span><span class="err">:</span> <span class="s">168 hours (7 days)</span> <span class="s">Status</span><span class="err">:</span> <span class="s">NON_COMPLIANT</span> </code></pre> </div> <p>The same <code>public_access: true</code> finding has radically different severity depending on duration. A bucket that went public 2 hours ago during a deploy is an incident. A bucket that's been public for 90 days is a governance failure.</p> <p>This requires <strong>observation snapshots</strong> — point-in-time captures of configuration state. With at least two snapshots, you can compute:</p> <ul> <li>When the unsafe state first appeared</li> <li>How long it has persisted</li> <li>Whether it's a new regression or a chronic drift</li> <li>Whether it exceeds the team's SLA threshold</li> </ul> <h2> The Three Correlation Dimensions </h2> <p>Putting it together, configuration risk is a function of three dimensions:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Dimension</th> <th>Question</th> <th>Signal</th> </tr> </thead> <tbody> <tr> <td><strong>Predicate</strong></td> <td>What combination of fields is unsafe?</td> <td>Compound <code>all</code>/<code>any</code> conditions</td> </tr> <tr> <td><strong>Temporal</strong></td> <td>How long has it been unsafe?</td> <td>Duration vs SLA threshold</td> </tr> <tr> <td><strong>Contextual</strong></td> <td>What else is true about this asset?</td> <td>Cross-field correlation</td> </tr> </tbody> </table></div> <p>A flat scanner only covers the first dimension — and only one field at a time. Adding predicate composition catches Capital One-style compound risks. Adding temporal tracking catches chronic drift that compliance teams care about.</p> <h2> What This Looks Like in Practice </h2> <p>Given two observation snapshots of an S3 bucket captured a week apart, and a set of controls with compound predicates, the evaluation produces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ASSESSMENT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total_assets"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"violations"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NON_COMPLIANT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"findings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"control_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CTL.S3.PUBLIC.001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"asset_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"patient-records-bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"evidence"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"first_unsafe_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-01-01T00:00:00Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"unsafe_duration_hours"</span><span class="p">:</span><span class="w"> </span><span class="mi">336</span><span class="p">,</span><span class="w"> </span><span class="nl">"threshold_hours"</span><span class="p">:</span><span class="w"> </span><span class="mi">168</span><span class="p">,</span><span class="w"> </span><span class="nl">"temporal_risk"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SLA_EXCEEDED"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The output is machine-readable JSON. Teams pipe it into their SIEM, Splunk, or ticketing system. The <code>evidence</code> block provides the temporal proof that auditors need — not just "this is misconfigured" but "this has been misconfigured for 336 hours, exceeding your 168-hour SLA."</p> <h2> The Remediation Attestation </h2> <p>After fixing the findings, teams need proof that the fix worked. A before/after comparison produces an attestation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ATTESTATION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"previous_violations"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"current_violations"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"remediated"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"open"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"regressions"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Zero regressions. Three remediated. This is the artifact that goes into the compliance record — formal proof that the compound risk was identified and resolved.</p> <h2> Building This Into Your Security Pipeline </h2> <p>The design decisions:</p> <ol> <li><p><strong>Controls are data, not code.</strong> Express compound predicates in YAML/JSON, not in Go/Python functions. This lets security teams author and review controls without touching the evaluation engine.</p></li> <li><p><strong>Observations are snapshots, not streams.</strong> Capture configuration state at discrete points in time. Two snapshots a week is enough for SLA tracking. This works offline and doesn't require agent installation.</p></li> <li><p><strong>The evaluation engine is deterministic.</strong> Given the same controls, observations, and timestamp, the output is byte-identical. This matters for audit reproducibility.</p></li> <li><p><strong>Separate the assessment from the remediation.</strong> The engine produces findings. A separate step verifies the fix. These are different artifacts with different schemas because they answer different questions.</p></li> </ol> <h2> Conclusion </h2> <p>The Capital One breach wasn't caused by one misconfiguration. It was caused by the <em>correlation</em> of three. Most security tools would have flagged each one individually. None would have flagged the compound risk.</p> <p>If your configuration evaluation can express <code>all</code>/<code>any</code> predicate composition, track temporal duration against SLA thresholds, and produce machine-readable evidence — you're not just scanning. You're doing security assessment.</p> <p>The difference matters when the auditor asks: "How long was this configuration unsafe, and what else was true at the same time?"</p> <p><em>This article describes the evaluation model behind <a href="https://github.com/sufield/stave" rel="noopener noreferrer">Stave</a>, an offline configuration safety evaluator that uses compound predicate composition and temporal tracking to produce security assessments and remediation attestations.</em></p> aws cloud cybersecurity security