Defense in Depth with Layered Mechanisms (Principle)
- Entity ID: ent-20260423-c003d1000003
- Type: decision
- Scope: private
- Status: active
Description
Design principle #3. Answers 'Single safety boundary, or multiple overlapping ones using different techniques?' Claude Code stacks seven independent safety layers (tool pre-filter, deny-first rules, mode constraints, ML auto-mode classifier, shell sandbox, non-restoration of session permissions on resume, hook-based interception). Serves Safety, Authority, and Reliability.
Key claims
- Seven independent safety layers must all be passed for a tool to execute
- Defense-in-depth only works when safety layers have independent failure modes
Relations
- Safety, Security, and Privacy (Value) --[motivates]--> Defense in Depth with Layered Mechanisms (Principle)
- Defense in Depth with Layered Mechanisms (Principle) --[instantiated_by]--> Permission Pipeline
- Safety-Posture Decision --[answered_by]--> Defense in Depth with Layered Mechanisms (Principle)