// Make the bad state impossible · lesson 07

Validation gates, or rejecting the bad state before it lands

Between the model's output and the thing that output could damage, put a gate. A checkpoint that inspects what the model produced, measures it against the rules that must hold, and refuses to pass it through if it fails. The model can be as wrong as it wants on the other side of that gate, because nothing wrong gets past it. This is how you get a hard guarantee out of a soft, probabilistic source: you don't make the source reliable, you make the thing after it uncompromising.

The key property is that the gate fails closed. When something is off, when a value is out of range, an invariant is violated, a required field is missing, the safe default is to reject and stop, not to wave it through and hope. A gate that fails open, that passes questionable output when it's unsure, is worse than no gate, because it gives you the feeling of protection with none of the substance. A real gate treats "I'm not sure this is safe" as identical to "this is not safe," because in the situations gates exist for, those two are the same.

Why gate the output instead of trusting the generation?

Because generation and validation are different jobs, and you want them done by different things. The model generates, which is creative, fast, and fallible. The gate validates, which is mechanical, boring, and certain. Asking the model to also be its own gate is asking the creative, fallible process to reliably catch its own creative, fallible mistakes, which is the self-verification trap from the last track. A separate gate, deterministic code that knows the invariants, has no ego in the output being right and no blind spot shared with the thing that made it. It just checks, and rejects, every time, on rules that don't bend.

Where gates earn their place

At every boundary where wrong output could do real harm. Before a value is written to the database, before a payment is submitted, before a message goes out, before a permission is granted. The gate sits at the edge of the blast radius, the last thing between a bad value and the damage it would do, and it's deterministic on purpose, because the whole point is that it does the same correct check every single time regardless of what the model was thinking.

The takeaway: put a deterministic, fail-closed gate between the model and anything it could damage, because a separate check that rejects on doubt turns a fallible generator into a safe system without needing the generator to be perfect.