Context
A Kong gateway plugin was implemented to reject API requests violating a contract rule (len(values) ≤ n) before they reach upstream services. Enforcement is placed at the gateway layer, preventing invalid requests from entering downstream execution paths.
The Principle
In distributed systems, enforcement can occur at multiple layers. The critical distinction is whether enforcement prevents execution or reports failure after the fact.
A control layer is one where invalid actions are stopped before execution. This differs from validation layers, which detect violations after the action has been attempted and report the failure.
The invariant: Enforcement placed after execution is reporting, not control.
Control answers: "May this action proceed?"
Validation answers: "Was this action invalid?"
These questions are not interchangeable. Systems that conflate them accumulate hidden failure modes.
This reflects an upstream control-layer denial pattern, where authority is exercised before execution rather than delegated to downstream validation.
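A sketch of how such a gate can sit in Kong's access phase, which runs before the request is proxied. This is an added example, not the author's plugin: the body field name `values`, the config field `max_values` (standing in for n), the 400 status, and the priority value are all assumptions.

```lua
-- handler.lua (added example, not the author's plugin)
-- Assumptions: JSON body with an array field "values"; plugin config field
-- "max_values" holds n; HTTP 400 is the denial status.
local ContractGate = {
  PRIORITY = 1000, -- placeholder; sets ordering relative to other plugins
  VERSION = "0.1.0",
}

-- Deny before proxying and log it, so the denial itself is auditable.
local function deny(reason, detail)
  kong.log.warn("contract gate denied request: ", reason, " ", detail or "")
  return kong.response.exit(400, { message = reason })
end

function ContractGate:access(conf)
  local body, err = kong.request.get_body()
  if type(body) ~= "table" then
    -- Fail closed: a body that cannot be parsed cannot be shown to
    -- satisfy the contract, so it does not proceed.
    return deny("request body could not be parsed", err)
  end

  local values = body.values
  if type(values) ~= "table" then
    return deny("field 'values' must be an array")
  end

  -- Count keys explicitly: a JSON object decodes to a table too, and its
  -- key count will not match the sequence length.
  local count = 0
  for _ in pairs(values) do
    count = count + 1
  end
  if count ~= #values then
    return deny("field 'values' must be an array")
  end

  if count > conf.max_values then
    return deny("too many values", count .. " > " .. conf.max_values)
  end
  -- Returning normally lets Kong proxy the request; upstream only ever
  -- sees requests that already satisfy len(values) <= n.
end

return ContractGate
```

A deployable plugin also needs a schema.lua that declares `max_values`. Every failure path here denies, so a request the gate cannot evaluate is treated the same as one that violates the contract.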
Where This Pattern Holds
This pattern applies when:
- The contract is decidable at the boundary. The gateway has sufficient information to make the enforcement decision without calling downstream services.
- Prevention is cheaper than cleanup. Stopping an invalid request costs less than processing it through multiple layers, then rolling back or handling exceptions.
- Authority must be explicit. The system requires auditable proof that invalid actions were denied before execution, not discovered during execution.
Where This Pattern Breaks
This pattern fails when:
- The rule requires downstream context. If enforcement depends on database state, current load, or business logic deep in the application, the gateway cannot make the decision.
- The contract is dynamic per-request. User-specific limits, learned rules, or contextual constraints require more than static configuration at the gateway.
- Upstream services disagree about constraints. When the gateway enforces one limit but downstream services can handle more, the control layer creates artificial restrictions.
Trade-Off
Moving enforcement upstream trades flexibility for authority. The gateway becomes a hard boundary. It prevents invalid actions but cannot negotiate, adapt, or reason about context. This is acceptable when contracts are simple and universal. It becomes a liability when contracts are complex and contextual.
The common mistake is not choosing one approach over the other, but assuming downstream validation provides the same guarantees as upstream control.
Reference: Contract Gate (Kong)