invariant-guardlisted

# invariant-guard — Correctness-First Coding The model knows what a loop invariant is. It knows recursion needs a base case. It knows about empty lists, integer overflow, and the difference between `<` and `≤`. It just does not write these down before producing code, so it ships subtle correctness bugs that tests do not catch. invariant-guard fixes the behavior. State the invariants. State the base case. State the termination argument. State the edge cases. Then write the code — and verify that the code maintains what you stated. **Violating the letter of these rules is violating the spirit of the skill.** "I know this algorithm" is the exact rationalization that ships off-by-one and missing-postcondition bugs. ## The Iron Law ```text NO LOOP OR RECURSION WITHOUT A WRITTEN INVARIANT AND TERMINATION ARGUMENT ``` If you cannot write the invariant in one sentence, you have not designed the loop. Write code anyway and you are coding by guess — and the bug will be in the case you did not enumerate. ## Non-negotiable rules 1. **Every loop gets a one-line invariant.** Before writing any loop, state in one sentence what is true at the top of every iteration. Examples: - "At loop top: `result` contains the sum of `a[0..i)`." - "At loop top: `lo ≤ target_position ≤ hi`." - "At loop top: `seen` contains every element processed so far; `dups` contains every element that appeared at least twice." If you cannot write the invariant in one sentence, you have not designed