Claude Code Plugins

Community-maintained marketplace

Global Validation

@frankdevlabs/compilothq

Implement comprehensive validation with server-side enforcement, client-side UX feedback, early input validation, specific error messages, allowlists over blocklists, type checking, input sanitization, and business rule validation.

Use this skill when:

- validating user input in web forms (React Hook Form, Vue forms, HTML forms);
- validating data received through API endpoints (tRPC procedures, REST endpoints, GraphQL resolvers);
- implementing validation schemas using tools like Zod, Yup, Joi, class-validator, validator.js, or built-in validators;
- checking data types and formats like email addresses, phone numbers, dates, URLs, UUIDs, JSON, or custom patterns with regex;
- sanitizing user input to prevent injection attacks (SQL injection, XSS, command injection);
- validating file uploads (file type, size, content);
- validating business rules and domain constraints at the appropriate application layers (API layer, service layer, database layer).

Apply these practices:

- Server-side enforcement: always implement server-side validation for security and data integrity in API routes, tRPC procedures, or server-side form handlers. Never trust client-side validation alone, as it can be easily bypassed by attackers using browser DevTools or API clients like curl or Postman.
- Client-side feedback: add client-side validation using HTML5 validation attributes (required, pattern, min, max, type="email") or JavaScript validation libraries (Zod, Yup, React Hook Form, Vuelidate) to provide immediate user feedback and improve user experience by catching errors before form submission, while duplicating all validation checks on the server side for security.
- Fail early: validate input parameters and data as early as possible in the request lifecycle (at the top of API route handlers, at the tRPC procedure input, at the controller entry point) and reject invalid data immediately with clear error messages (400 Bad Request with field-specific errors) before any processing, database queries, or side effects occur, to fail fast and prevent wasted processing.
- Specific error messages: provide clear, field-specific error messages that help users understand what went wrong and exactly how to correct their input (like "Email must be a valid email address" or "Password must be at least 8 characters with one uppercase letter, one number, and one special character") instead of generic error messages like "Invalid input" that frustrate users.
- Allowlists over blocklists: use allowlists (defining exactly what input is acceptable, like specific enum values, allowed file extensions, valid URL patterns) rather than blocklists (trying to block every possible invalid input, which is error-prone and incomplete) for more secure, maintainable, and comprehensive validation.
- Type and format checks: systematically check data types (string, number, boolean, array, object), formats using regex or validation libraries (email format, phone format, ISO date format, URL format, UUID format), numeric ranges (min, max, positive, integer), string lengths (minLength, maxLength), array constraints (minItems, maxItems, unique items), and required fields for completeness, to ensure data meets all constraints before processing.
- Injection prevention: sanitize user input to prevent injection attacks, including SQL injection (always use parameterized queries or ORM methods, never string concatenation), XSS attacks (escape HTML output in templates and use Content Security Policy headers), command injection (avoid shell execution with user input or use safe alternatives), and path traversal (validate file paths).
- Business rules: validate business rules and domain-specific constraints that go beyond data format validation (like checking sufficient account balance before charging, ensuring start date is before end date, verifying user has permission to access the resource, ensuring unique email addresses across accounts) at the appropriate application layer, such as service layer, domain models, or custom validators.
- Consistency across entry points: apply validation consistently across all data entry points, including web forms, REST API endpoints, tRPC procedures, GraphQL mutations, background job inputs, webhook handlers, and file uploads, to ensure no unvalidated data enters the system through any vector.
- Schema libraries: use validation schema libraries like Zod (`z.object({ email: z.string().email(), age: z.number().min(18) })`), Yup, or Joi to define reusable, type-safe validation rules that can be shared between client and server, reducing duplication and ensuring consistency.
- Structured errors: return validation errors in a structured, consistent format (like `{ field: "email", message: "Invalid email format" }`) with field names and specific error messages that frontend code can parse and display next to the relevant form fields for better user experience.
- File uploads: validate file uploads by checking MIME type, file extension, file size limits, and potentially scanning file contents to prevent malicious file uploads.
- Runtime type checking: use TypeScript types or runtime type checking to ensure data matches expected shapes and catch type mismatches early.
- Configuration: validate environment variables and configuration at application startup using Zod or similar tools to fail fast if configuration is invalid rather than failing later with confusing errors.
- Custom validators: implement custom validation functions for complex business rules that can't be expressed with simple schema validators (like "user can only create 5 projects on free plan" or "discount code is only valid for first-time users").
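A server-side validator applying several of the practices above at once, as an added example that is not part of the skill itself: it uses plain JavaScript rather than Zod so it runs without dependencies, and the names `validateBooking`, `parseIsoDate` and the booking fields are hypothetical.

```javascript
// Added example: dependency-free server-side validator (all names hypothetical).
const ALLOWED_FIELDS = new Set(["email", "plan", "seats", "startDate", "endDate"]);
const ALLOWED_PLANS = new Set(["free", "pro", "team"]); // allowlist, not blocklist
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const ISO_DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

// Returns a UTC timestamp, or null for anything that is not a real calendar date.
function parseIsoDate(value) {
  if (typeof value !== "string" || !ISO_DATE_RE.test(value)) return null;
  const t = Date.parse(value + "T00:00:00Z");
  // Round-trip check rejects dates some engines silently roll over (e.g. Feb 30).
  if (Number.isNaN(t) || new Date(t).toISOString().slice(0, 10) !== value) return null;
  return t;
}

// Call at the top of the route handler, before any query or side effect.
function validateBooking(input) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    return { ok: false, status: 400,
             errors: [{ field: "body", message: "Body must be a JSON object" }] };
  }
  const errors = [];
  const fail = (field, message) => errors.push({ field, message });

  // Unknown keys are rejected rather than ignored (mass-assignment guard).
  for (const key of Object.keys(input)) {
    if (!ALLOWED_FIELDS.has(key)) fail(key, "Unknown field");
  }
  if (typeof input.email !== "string" || input.email.length > 254 ||
      !EMAIL_RE.test(input.email)) fail("email", "Email must be a valid email address");
  if (typeof input.plan !== "string" || !ALLOWED_PLANS.has(input.plan)) {
    fail("plan", "Plan must be one of: free, pro, team");
  }
  // No coercion: the string "3" is a type error, not the number 3.
  if (!Number.isInteger(input.seats) || input.seats < 1 || input.seats > 100) {
    fail("seats", "Seats must be an integer between 1 and 100");
  }
  const start = parseIsoDate(input.startDate);
  const end = parseIsoDate(input.endDate);
  if (start === null) fail("startDate", "Start date must be an ISO date (YYYY-MM-DD)");
  if (end === null) fail("endDate", "End date must be an ISO date (YYYY-MM-DD)");
  // Business rule, checked only once both formats are known to be valid.
  if (start !== null && end !== null && start >= end) {
    fail("endDate", "End date must be after start date");
  }
  if (errors.length > 0) return { ok: false, status: 400, errors };
  // Return only the validated fields, never the raw input object.
  return { ok: true, data: { email: input.email.toLowerCase(), plan: input.plan,
                             seats: input.seats, startDate: input.startDate,
                             endDate: input.endDate } };
}
```

The returned `errors` array uses the `{ field, message }` shape described above, so a form can place each message next to its field.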

Install Skill

1. Download skill
2. Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3. Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.
