reference-validation-is-defense-in-depth
OUT derived (depth 1)
Every system boundary that accepts node ID references validates them against the actual network: import normalization drops unknown antecedent/outlist refs, nogood recording skips invalid node IDs, and LLM-returned negative-list IDs are filtered against existing nodes.
Summary
When outside data flows into the system — whether from file imports, recorded contradictions, or LLM outputs — any referenced node IDs that don't actually exist in the network are quietly dropped rather than causing errors or creating broken links. This layered validation at each entry point prevents bad references from corrupting the dependency graph, regardless of where they originate.
Justifications
SL — Three boundaries validated; gated on full boundary audit (issue #126)
Antecedents (all must be IN):
- normalization-drops-unknown-refs — Both `_normalize_markdown` and `_normalize_json` silently drop antecedent/outlist references to IDs not present in the import set, preventing dangling edges in the dependency graph.
- nogoods-require-valid-nodes — Nogoods whose `Affects` list references node IDs not present in the network are silently skipped rather than raising an error during import
- api-list-negative-filters-hallucinated-ids — `list_negative()` discards any node IDs returned by the LLM that don't exist in the database, preventing hallucinated IDs from appearing in results.
Unless (any of these IN defeats this justification):
- issue-126-reference-validation-audit — Issue #126: Audit all node ID reference boundaries for validation — three specific boundaries do not establish coverage of every boundary
Dependents
These beliefs depend on this one:
- input-validation-is-comprehensive-at-all-boundaries — Input validation is enforced at every system boundary through complementary mechanisms: typed exceptions (ValueError for duplicates, PermissionError for access violations) enforce API-level preconditions at the call boundary, while defense-in-depth reference validation (import normalization dropping unknown refs, nogood filtering skipping invalid nodes, hallucinated ID rejection) catches invalid node references at every data-acceptance boundary.
- system-boundaries-are-evolution-tolerant-and-reference-safe — The system handles boundary interactions safely along two independent dimensions: format and schema evolution is tolerated gracefully (derive parser fallbacks, forward-compatible metadata lines, SQLite schema migration via try/except), while reference validation prevents invalid IDs from crossing any boundary (import normalization drops unknown refs, nogoods skip missing nodes, LLM hallucination filtering discards phantom IDs)