# Validation Layer

This folder contains **shape/type validation only**.

## Rule of Responsibility
- `validation/*`: syntax checks, required fields, allowed keys, and value types.
- `intermediate/*` and service modules: semantic checks (contradictions/conflicts/business rules).

Examples:
- Shape/type (validation): endpoint has `content` attrset, `port` is int, unknown keys are rejected.
- Semantic (kept outside): `force_ssl = true` with `port = 80`, duplicate routes on same host key, incompatible TLS groupings.

## Files
- `validation/endpoints.nix`
: Validates endpoint schema and content schema for `proxy` and `web`.
- `validation/auto_ssh.nix`
: Validates `devices`/`auto_ssh` shapes and remote port map structure.
- `validation/network_devices.nix`
: Validates local device shapes and DHCP reservation field shapes used by intermediate DHCP/DNS models.
- `validation/storage.nix`
: Validates storage config entry shapes consumed by intermediate storage derivation.
- `validation/secrets.nix`
: Validates keystore entry/reference shapes consumed by config modules before service migration.
- `validation/service/*`
: Validates service-backed config shapes consumed by service modules, such as `kiwix`, `qbittorrent`, and `continuwuity`.

## Usage Pattern
Import validators and run them first, then apply semantic checks locally.