PATTERN Cited by 2 sources
Harden ingestion of internal config¶
Apply the same input-validation discipline to internally-generated configuration files that you apply to user-submitted input. Treat every input to a hot-path module as untrusted regardless of provenance.
The pattern¶
At the module boundary that loads a config file / feature file / rule set:
- Validate size / dimensions. Byte count, row count, feature count, rule count — whatever the downstream preallocated buffer is sized for. See concepts/feature-file-size-limit / concepts/preallocated-memory-budget.
- Validate shape / schema. Types, required fields, value ranges, enumerated sets.
- Validate cross-field invariants. Relationships the downstream logic depends on.
- On violation: fail stale. Log, alert, and keep serving the previous known-good version instead of loading the new one. See concepts/fail-stale and concepts/fail-open-vs-fail-closed.
- Never load directly into the preallocated buffer. Validate on a staging copy; swap pointers only on validation success.
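The five steps above as a single loader, written here as an added example in Rust (the language of the FL2 module in the canonical instance on this page); it is not Cloudflare's code. The line-based file format, the MAX_FEATURES budget of 200, the feature names and the `Module`, `parse`, `validate` and `reload` identifiers are all assumptions made for the illustration. `reload_unwrap` shows the shape that fails: trusting the generator and unwrapping the bounds check on the hot path. `reload` parses and validates on a staging copy and only then swaps it in; on any error the active set is untouched.

```rust
// Added example (not Cloudflare's code): hardened ingestion of an
// internally generated feature file into a preallocated hot-path budget.
// File format, identifiers and the MAX_FEATURES value are assumptions.
use std::collections::HashSet;

/// Preallocated budget the hot-path module is sized for (assumed value).
pub const MAX_FEATURES: usize = 200;

#[derive(Debug, Clone, PartialEq)]
pub struct Feature { pub name: String, pub weight: f64 }

#[derive(Debug, Clone, PartialEq)]
pub struct FeatureSet { pub version: u64, pub features: Vec<Feature> }

#[derive(Debug, Clone, PartialEq)]
pub enum ValidationError {
    TooManyFeatures { got: usize, max: usize },
    Malformed { line: usize, reason: &'static str },
    DuplicateFeature(String),
    VersionNotAdvancing { got: u64, current: u64 },
}

/// Steps 1 and 2: dimensions first, then shape, on a staging copy that is
/// never the live buffer. Assumed format: a "version <u64>" header, then
/// one "<name> <weight>" row per feature.
pub fn parse(raw: &str) -> Result<FeatureSet, ValidationError> {
    use ValidationError::*;
    // Step 1: reject oversized input before parsing a single row. This is
    // the check that a bare .unwrap() turns into a hot-path panic.
    let feature_lines = raw.lines().count().saturating_sub(1);
    if feature_lines > MAX_FEATURES {
        return Err(TooManyFeatures { got: feature_lines, max: MAX_FEATURES });
    }
    // Step 2: shape. Typed header, typed rows, range check on each weight.
    let mut lines = raw.lines().enumerate();
    let (_, header) = lines.next().ok_or(Malformed { line: 0, reason: "empty file" })?;
    let version = header
        .strip_prefix("version ")
        .and_then(|v| v.parse::<u64>().ok())
        .ok_or(Malformed { line: 1, reason: "bad version header" })?;
    let mut features = Vec::with_capacity(feature_lines); // bounded by step 1
    for (idx, line) in lines {
        let n = idx + 1;
        let mut parts = line.split_whitespace();
        let name = parts.next().ok_or(Malformed { line: n, reason: "missing name" })?;
        let weight = parts
            .next()
            .and_then(|w| w.parse::<f64>().ok())
            .filter(|w| w.is_finite())
            .ok_or(Malformed { line: n, reason: "bad weight" })?;
        if parts.next().is_some() {
            return Err(Malformed { line: n, reason: "trailing fields" });
        }
        features.push(Feature { name: name.to_string(), weight });
    }
    Ok(FeatureSet { version, features })
}

/// Step 3: cross-field invariants the downstream logic depends on. A
/// generator that emits every row twice is caught here even when the
/// doubled file still fits inside the budget.
pub fn validate(staged: &FeatureSet, current: &FeatureSet) -> Result<(), ValidationError> {
    use ValidationError::*;
    let mut seen = HashSet::with_capacity(staged.features.len());
    for f in &staged.features {
        if !seen.insert(f.name.as_str()) {
            return Err(DuplicateFeature(f.name.clone()));
        }
    }
    if staged.version <= current.version {
        return Err(VersionNotAdvancing { got: staged.version, current: current.version });
    }
    Ok(())
}

/// Hot-path module holding the active (last known good) feature set.
pub struct Module { active: FeatureSet }

impl Module {
    pub fn new(initial: FeatureSet) -> Self { Module { active: initial } }
    pub fn active(&self) -> &FeatureSet { &self.active }

    /// The failing shape: trust the generator and unwrap the bounds check.
    /// An oversized file panics here and takes every request down with it.
    pub fn reload_unwrap(&mut self, raw: &str) {
        self.active = parse(raw).unwrap();
    }

    /// Steps 4 and 5: validate the staging copy, swap only on success,
    /// otherwise log and keep serving the known-good set (fail stale).
    pub fn reload(&mut self, raw: &str) -> Result<(), ValidationError> {
        let staged = parse(raw).and_then(|s| validate(&s, &self.active).map(|_| s));
        match staged {
            Ok(s) => { self.active = s; Ok(()) }
            Err(e) => {
                // Log/alert hook; the live set is untouched on every error path.
                eprintln!("config rejected, still serving v{}: {:?}", self.active.version, e);
                Err(e)
            }
        }
    }
}
```

The `Vec::with_capacity(feature_lines)` stands in for the preallocated buffer: it is only ever sized after step 1 has bounded the count, so the budget is a precondition that the loader establishes rather than one it assumes the generator honoured.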
Why it's load-bearing¶
The generator and the consumer usually live on different teams, coupled only implicitly through the config payload. A correct migration in system X (e.g., ClickHouse permissions) can change the shape of a payload generated by system Y and consumed by system Z, three systems removed from the cause. Neither X's team nor Y's nor Z's catches it at review time.
Captured explicitly as a concept: concepts/internally-generated-untrusted-input.
Canonical instance¶
sources/2025-11-18-cloudflare-outage-on-november-18-2025: a correct ClickHouse permission migration caused the feature-file generator to emit a file with doubled rows. The file exceeded the feature limit the Bot Management FL2 module had preallocated for; the module's bounds check returned an error that a .unwrap() turned into a panic, and every request 5xx'd. Cloudflare's stated #1 remediation:
"Hardening ingestion of Cloudflare-generated configuration files in the same way we would for user-generated input."
Compositional companions¶
- patterns/progressive-configuration-rollout — bounds how fast bad config reaches the fleet.
- patterns/global-feature-killswitch — orthogonal fast-off lever when ingestion discipline failed.
- patterns/fast-rollback — revert path once bad config is identified.
These four patterns compose into a defense-in-depth posture for rapid-response configuration delivery at scale.
Seen in¶
- sources/2026-05-01-cloudflare-code-orange-fail-small-complete — shipped-as-Codex-rule instance. Cloudflare's Code Orange programme codified this pattern as an explicit engineering rule — "Services MUST validate that upstream dependencies are in an expected state before processing" — enforced via AI code review on every MR across the entire codebase (systems/cloudflare-codex + patterns/codex-enforced-via-ai-code-review). Moves the pattern from stated remediation to institutional-memory-backed enforcement at the merge-request altitude. Paired with concepts/fail-stale as the preferred ingest-validation-failure default (use last-known-good rather than fail open).
- sources/2025-11-18-cloudflare-outage-on-november-18-2025 — canonical wiki instance (as stated remediation, not yet deployed).
Related¶
- concepts/internally-generated-untrusted-input
- concepts/feature-file-size-limit
- concepts/preallocated-memory-budget
- concepts/fail-open-vs-fail-closed
- concepts/fail-stale
- concepts/database-permission-migration-risk
- patterns/progressive-configuration-rollout
- patterns/global-feature-killswitch
- patterns/fast-rollback
- systems/cloudflare-codex
- patterns/codex-enforced-via-ai-code-review