DEV Community

Nova Elvaris

The Dependency Firewall: Isolate AI Changes So One Bad Prompt Can't Break Your Build

One bad AI-generated change shouldn't cascade through your entire codebase. But without guardrails, that's exactly what happens.

I call this the Dependency Firewall — a pattern borrowed from SRE blast-radius thinking, applied to AI-assisted coding.

The Problem

You ask your AI assistant to refactor a utility function. It "helpfully" updates the function signature, changes the return type, and touches three callers. Your tests pass locally — but a downstream service that imports that module breaks in production.

The root cause: no blast-radius boundary between AI-generated changes and the rest of your system.

The Pattern

Before any AI-assisted code change, define a change boundary:

```
## Change Boundary
- Files allowed to change: src/utils/parser.ts
- Files NOT allowed to change: anything importing parser.ts
- Interface contract: parseInput(raw: string) => ParsedResult (unchanged)
- Test gate: all existing tests must pass without modification
```

Then include this in your prompt:

```
You may ONLY modify src/utils/parser.ts.
Do NOT change the function signature of parseInput().
Do NOT modify any importing files.
If the change requires signature changes, STOP and explain why.
```

Why It Works

  1. Blast radius is explicit — you decide what can change before the AI touches anything
  2. Interface contracts are frozen — the AI can refactor internals but can't break callers
  3. Test gates catch drift — if existing tests need changes, that's a red flag, not a feature

A Real Example

I needed to optimize a token-counting function. Without the firewall, my assistant rewrote it, changed the return type from number to { count: number; truncated: boolean }, and updated four callers. Three of those callers were in a shared library used by two other services.

With the firewall prompt, the assistant optimized the internals, kept the signature identical, and added the truncated field as a separate function. Zero blast radius.

The Checklist

Before every AI code change:

  • [ ] List files allowed to change
  • [ ] List frozen interfaces/signatures
  • [ ] Define test gate (which tests must pass unchanged)
  • [ ] Add boundary to your prompt
  • [ ] Review the diff against your boundary before merging
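The prompt in the pattern is advisory: a model can ignore or misread it, so the last checklist item, reviewing the diff against the boundary, is where the boundary is actually enforced. The block below is an added example, not the post author's tooling, that automates that review in TypeScript (the language of the files the post talks about). Everything in it is an assumption made for illustration: the shape of the boundary object, the path list, the frozen signature written in TypeScript declaration form instead of the `=>` shorthand from the template, and the two constructed diffs, one that respects the boundary and one that reproduces the cascade the post describes (return type widened, a caller edited, a test adjusted).

```typescript
// Added example, not the post author's tooling: an automated form of
// "review the diff against your boundary". Boundary fields, paths and the
// sample sources are constructed; in real use `changedFiles` would come from
// `git diff --name-only <base>` and `after` from the working tree.

export interface Violation { kind: "outside-boundary" | "test-modified" | "signature-changed" | "signature-missing"; file: string; detail: string }

export interface ChangeBoundary {
  allowedFiles: string[];                     // the only files the AI may touch
  frozenSignatures: Record<string, string[]>; // file -> exported signatures that must survive
  testPathPrefixes: string[];                 // test gate: any change here is a red flag
}

export interface DiffSnapshot {
  changedFiles: string[];        // every path the diff touches
  after: Record<string, string>; // post-change contents of the allowed files
}

// Collapse whitespace so a reformatted but identical signature still matches.
export function normalize(sig: string): string {
  return sig.replace(/\s+/g, " ").replace(/\s*([(),:=>])\s*/g, "$1").trim();
}

// Extract `export function name(params): ReturnType` headers. Deliberately
// narrow: generics, nested parentheses in parameter types and arrow-function
// exports are not parsed, so a frozen function rewritten into one of those
// forms is reported as "signature-missing" instead of silently passing.
export function declaredSignatures(source: string): Map<string, string> {
  const out = new Map<string, string>();
  const re = /export\s+(?:async\s+)?function\s+([A-Za-z_$][\w$]*)\s*(\([^)]*\))\s*(?::\s*(\{[^}]*\}|[^{=]+?))?\s*\{/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    out.set(m[1], normalize(m[1] + m[2] + (m[3] ? ": " + m[3] : "")));
  }
  return out;
}

export function checkBoundary(boundary: ChangeBoundary, diff: DiffSnapshot): Violation[] {
  const violations: Violation[] = [];
  const allowed = new Set(boundary.allowedFiles);
  // Blast radius: every changed path must be on the allowed list. The test
  // gate is checked first, because "the tests needed changing" is the signal
  // that the interface drifted.
  for (const file of diff.changedFiles) {
    if (boundary.testPathPrefixes.some((p) => file.startsWith(p))) {
      violations.push({ kind: "test-modified", file, detail: "existing tests were modified" });
    } else if (!allowed.has(file)) {
      violations.push({ kind: "outside-boundary", file, detail: "path is not in allowedFiles" });
    }
  }
  // Frozen interfaces: each listed signature must still be declared (modulo whitespace).
  for (const file of Object.keys(boundary.frozenSignatures)) {
    const source: string | undefined = diff.after[file];
    if (source === undefined) continue; // file untouched, nothing to compare
    const declared = declaredSignatures(source);
    for (const frozen of boundary.frozenSignatures[file]) {
      const name = frozen.slice(0, frozen.indexOf("(")).trim();
      const want = normalize(frozen);
      const got = declared.get(name);
      if (got === undefined) {
        violations.push({ kind: "signature-missing", file, detail: `${name} is no longer a plain exported function` });
      } else if (got !== want) {
        violations.push({ kind: "signature-changed", file, detail: `expected ${want}, found ${got}` });
      }
    }
  }
  return violations;
}

// Constructed sample: the boundary from the post's template, signature in declaration form.
export const boundary: ChangeBoundary = {
  allowedFiles: ["src/utils/parser.ts"],
  frozenSignatures: { "src/utils/parser.ts": ["parseInput(raw: string): ParsedResult"] },
  testPathPrefixes: ["test/", "src/__tests__/"],
};

// Diff A (constructed): internals rewritten, signature intact, nothing else touched.
export const goodDiff: DiffSnapshot = {
  changedFiles: ["src/utils/parser.ts"],
  after: { "src/utils/parser.ts": `
export function parseInput(raw: string): ParsedResult {
  const tokens = raw.trim().split(" ").filter(Boolean);
  return { tokens, truncated: false };
}` },
};

// Diff B (constructed): the cascade. Return type widened, a caller edited, a test adjusted.
export const badDiff: DiffSnapshot = {
  changedFiles: ["src/utils/parser.ts", "src/api/handler.ts", "test/parser.test.ts"],
  after: { "src/utils/parser.ts": `
export function parseInput(raw: string): { tokens: string[]; count: number } {
  const tokens = raw.trim().split(" ").filter(Boolean);
  return { tokens, count: tokens.length };
}` },
};

console.log(checkBoundary(boundary, goodDiff), checkBoundary(boundary, badDiff));
```

Wired into CI, `changedFiles` is the output of `git diff --name-only origin/main...HEAD` and `after` is the contents of each allowed file on the branch; the job fails whenever the returned array is non-empty, so the boundary stops being a request to the model and becomes a gate on the merge. The signature parser is intentionally narrow: anything it cannot read is reported rather than assumed fine, which is the right failure direction for a guardrail.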

When to Skip It

For greenfield code with no callers yet, you don't need a firewall. But the moment something has dependents — even one — define the boundary.

The five minutes you spend writing a change boundary will save you the hour you'd spend debugging a cascade failure. Every time.
