领域建模指南：避免原始类型痴迷、解析而非验证、使无效状态无法表示

domain-modeling by jwilger/agent-skills

91 周安装量

2 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/jwilger/agent-skills --skill domain-modeling

方法论软件工程代码规范

🇨🇳中文介绍

领域建模

价值： 沟通 —— 领域类型让代码用业务语言说话。它们将隐性知识转化为显性的、编译器验证的契约，人类和 AI 都能据此进行推理。

目的

教授如何构建丰富的领域模型，在编译时而非运行时防止错误。涵盖原始类型痴迷检测、解析而非验证、使无效状态无法表示以及语义类型设计。对于任何代码审查或设计任务都独立有用，并为 TDD 循环中的领域审查检查提供原则。

实践

避免原始类型痴迷

不要为领域概念使用原始类型（String、int、number）。创建能表达业务含义的类型。

应该这样做：

fn transfer(from: AccountId, to: AccountId, amount: Money) -> Result<Receipt, TransferError>

不应该这样做：

fn transfer(from: String, to: String, amount: i64) -> Result<(), String>

审查代码时，标记出每个参数、字段或返回类型中原始类型表示领域概念的情况。修复方法是使用在构造时进行验证的新类型或值对象。

布尔值作为状态的反模式： 一个名称描述领域状态（already_exists、、、）的字段，是一个编码为原始类型的状态机。今天的两个状态明天可能变成三个，而布尔值无法表示第三个状态。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

解析，而非验证

在边界处验证。内部使用强类型。绝不重新验证类型已保证有效的数据。

在系统边界（用户输入、API 响应）接受原始输入。
将其解析为在构造时强制有效性的领域类型。
将领域类型传递到系统中。无需进一步验证。

# 边界：将原始输入解析为领域类型

email = Email(raw_input)  # 如果无效则抛出异常

# 内部：信任该类型
def send_welcome(email: Email) -> None:
    # 无需验证 —— Email 保证了有效性

如果你在业务逻辑深处发现验证逻辑，它应该属于构造边界。

使无效状态无法表示

使用类型系统使非法组合无法构造。

问题 —— 布尔标志创建无效组合：

struct User { email: Option<String>, email_verified: bool }
# 可能出现 email_verified=true 而 email=None 的情况

解决方案 —— 在类型中编码状态：

enum User {
    Unverified { email: Email },
    Verified { email: Email, verified_at: Timestamp },
}

审查代码时，问：“这个类型能否表示一个在领域中无意义的状态？” 如果是，重新设计它。

语义类型优于结构类型

根据类型在领域中的“身份”命名，而非根据其构成。

错误（结构型）	正确（语义型）
`NonEmptyString`	`UserName`
`PositiveInteger`	`OrderQuantity`
`ValidatedEmail`	`CustomerEmail`

测试方法是：如果两个字段具有相同的结构类型，编译器无法捕获你交换它们的情况。语义类型可以防止这种情况。

// 错误：title 和 name 都是 NonEmptyString —— 可互换
{ title: NonEmptyString, name: NonEmptyString }

// 正确：不同的类型在编译时捕获混淆
{ title: UserTitle, name: UserName }

结构类型作为构建块很有用，语义类型将其包装起来。语义类型增加了领域身份；结构类型提供了可重用的验证。

标识符使用新类型

每个标识符都有自己的类型。绝不要为 ID 使用原始 String 或 int。

struct AccountId(Uuid);
struct UserId(Uuid);

// 编译器捕获：transfer(user_id, account_id) 将无法编译
fn transfer(from: AccountId, to: AccountId, user: UserId) -> Result<(), Error>

符合人体工程学的转换

使构造经过验证且提取容易。

构造（输入）： 始终通过验证性构造函数。没有从原始类型的自动转换。
提取（输出）： 提供 Display、AsRef、Into 或等效功能，使类型易于使用。取出内部值应该是微不足道的。

绝不要提供从原始类型的自动转换 —— 这会绕过验证并破坏“解析而非验证”原则。

使用枚举配合穷尽的 match/switch 以确保处理所有情况。绝不要为领域状态使用兜底的默认情况 —— 它会默默地吞掉新的变体。

审查代码时（无论是在 TDD 循环中还是独立审查），你有权拒绝违反这些原则的设计。行使此权力时：

陈述具体的违规行为（例如，“原始类型痴迷：email 是 String，应该是 Email 类型”）。
提出替代方案，并附带具体的类型定义。
用一句话解释其影响。
如果对方不同意，进行实质性讨论，最多两轮。然后上报给人类。

不要为了避免冲突而放弃有效的领域关切。不要默默地接受违反这些原则的设计。

独立模式 ：建议性。代理遵循领域建模原则作为约定。
TDD 领域审查（链式） ：建议性。否决是自我执行的：代理必须在其工作违反这些原则时拒绝自己的工作，其严格程度如同另一个代理在审查。
TDD 领域审查（子代理） ：门控性。领域否决会阻止阶段进展。审查代理可以拒绝交接。

不要默默地接受违反这些原则的设计：[RP] —— 如果人类明确覆盖，记录覆盖行为及其违反的原则。

否决权 —— “不要退让” ：不要为了避免升级的摩擦而合理化掉一个有效的关切。这并不意味着拒绝参与反驳。如果反驳确实有说服力 —— 原则在此不适用 —— 更新你的评估。如果你因为升级不方便而退让，那就是违规。
布尔值作为状态 vs. 条件 ：测试方法是：这个布尔值是否代表领域关心的状态转换（例如，激活/未激活，开放/关闭）？如果是，使用枚举。如果它确实回答一个没有领域状态含义的是/否问题（例如，“这个计算结果是正的吗？”），布尔值是可以的。如有疑问，使用枚举 —— 一个小枚举的成本低于一个默默积累领域含义的布尔值的成本。

应用领域建模原则后，验证：

没有为领域概念使用原始类型（String、int、number）
没有使用布尔字段编码领域状态（为状态机使用枚举）
所有标识符都使用新类型包装器，而非原始类型
无效状态无法表示（没有矛盾的字段组合）
验证发生在构造边界，而非业务逻辑深处
类型根据领域含义（语义）命名，而非结构
具有相同底层类型的两个字段不能被意外交换
枚举匹配是穷尽的，没有针对领域状态的兜底默认情况

如果任何标准未满足，在继续之前创建或完善领域类型。

此技能可独立工作。对于增强的工作流，它与以下集成：

tdd： 领域审查是 TDD 循环中的强制检查点。此技能提供审查所依据的原则。
code-review： 领域完整性是三级审查的第 3 阶段。此技能定义了要查找的内容。
architecture-decisions： 架构模式（事件溯源、CQRS、六边形）影响领域边界的划分。

缺少依赖项？使用以下命令安装：

npx skills add jwilger/agent-skills --skill tdd

🇺🇸English

Domain Modeling

Value: Communication -- domain types make code speak the language of the business. They turn implicit knowledge into explicit, compiler-verified contracts that humans and AI can reason about.

Purpose

Teaches how to build rich domain models that prevent bugs at compile time rather than catching them at runtime. Covers primitive obsession detection, parse-don't-validate, making invalid states unrepresentable, and semantic type design. Independently useful for any code review or design task, and provides the principles that domain review checks for in the TDD cycle.

Practices

Avoid Primitive Obsession

Do not use raw primitives (String, int, number) for domain concepts. Create types that express business meaning.

Do:

fn transfer(from: AccountId, to: AccountId, amount: Money) -> Result<Receipt, TransferError>

Do not:

fn transfer(from: String, to: String, amount: i64) -> Result<(), String>

When reviewing code, flag every parameter, field, or return type where a primitive represents a domain concept. The fix is a newtype or value object that validates on construction.

Bool-as-state anti-pattern: A bool field whose name describes a domain state (already_exists, is_initialized, is_published, has_been_reviewed) is a state machine encoded as a primitive. Two states today become three tomorrow, and the bool cannot represent the third.

// BAD: bool encodes a two-state machine as a primitive
struct Article { is_published: bool }

// GOOD: enum names the states and extends safely
enum ArticleState { Draft, Published, Archived }

Flag any bool field that answers "what state is this in?" rather than "is this condition true?" The fix is an enum whose variants name the domain states. This check is distinct from "make invalid states unrepresentable" -- that rule catches impossible combinations; this one catches domain concepts hiding inside a boolean.

Parse, Don't Validate

Validate at the boundary. Use strong types internally. Never re-validate data that a type already guarantees.

Accept raw input at system boundaries (user input, API responses).
Parse it into a domain type that enforces validity at construction.
Pass the domain type through the system. No further validation needed.

# Boundary: parse raw input into domain type

email = Email(raw_input)  # raises if invalid

# Interior: trust the type
def send_welcome(email: Email) -> None:
    # No need to validate -- Email guarantees validity

If you find validation logic deep inside business logic, it belongs at the construction boundary instead.

Make Invalid States Unrepresentable

Use the type system to make illegal combinations impossible to construct.

Problem -- boolean flags create invalid combinations:

struct User { email: Option<String>, email_verified: bool }
# Can have email_verified=true with email=None

Solution -- encode state in the type:

enum User {
    Unverified { email: Email },
    Verified { email: Email, verified_at: Timestamp },
}

When reviewing code, ask: "Can this type represent a state that is meaningless in the domain?" If yes, redesign it.

Semantic Types Over Structural Types

Name types for what they ARE in the domain, not what they are made of.

Wrong (structural)	Right (semantic)
`NonEmptyString`	`UserName`
`PositiveInteger`	`OrderQuantity`
`ValidatedEmail`	`CustomerEmail`

The test: if two fields have the same structural type, the compiler cannot catch you swapping them. Semantic types prevent this.

// BAD: title and name are both NonEmptyString -- swappable
{ title: NonEmptyString, name: NonEmptyString }

// GOOD: distinct types catch mix-ups at compile time
{ title: UserTitle, name: UserName }

Structural types are useful as building blocks that semantic types wrap. The semantic type adds domain identity; the structural type provides reusable validation.

Newtypes for Identifiers

Every identifier gets its own type. Never use raw String or int for IDs.

struct AccountId(Uuid);
struct UserId(Uuid);

// Compiler catches: transfer(user_id, account_id) won't compile
fn transfer(from: AccountId, to: AccountId, user: UserId) -> Result<(), Error>

Ergonomic Conversions

Make construction validated and extraction easy.

Construction (IN): Always through a validating constructor. No automatic conversion from primitives.
Extraction (OUT): Provide Display, AsRef, Into or equivalent so the type is convenient to use. Getting the inner value out should be trivial.

Never provide an automatic conversion FROM a primitive -- that bypasses validation and undermines parse-don't-validate.

Exhaustive Matching

Use enums with exhaustive match/switch to ensure all cases are handled. Never use a catch-all default for domain states -- it silently swallows new variants.

Veto Authority

When reviewing code (whether in a TDD cycle or a standalone review), you have authority to reject designs that violate these principles. When exercising this authority:

State the specific violation (e.g., "primitive obsession: email is String, should be Email type").
Propose the alternative with a concrete type definition.
Explain the impact in one sentence.
If the other party disagrees, engage substantively for up to two rounds. Then escalate to the human.

Do not back down from valid domain concerns to avoid conflict. Do not silently accept designs that violate these principles.

Enforcement Note

Standalone mode : Advisory. The agent follows domain modeling principles by convention.
TDD domain review (chaining) : Advisory. Veto is self-enforced: the agent must reject its own work when it violates these principles, with the same rigor as if a separate agent were reviewing.
TDD domain review (subagents) : Gating. Domain veto blocks phase progression. The reviewing agent can reject the handoff.

Hard constraints:

Do not silently accept designs that violate these principles: [RP] -- if human explicitly overrides, record the override and the principle it violates.

Constraints

Veto authority -- "do not back down" : Do not rationalize away a valid concern to avoid the friction of escalation. It does not mean refuse to engage with counterarguments. If the counterargument is genuinely convincing -- the principle doesn't apply here -- update your assessment. If you're backing down because escalation is inconvenient, that's a violation.
Bool-as-state vs. conditions : The test is: does this boolean represent a state transition the domain cares about (e.g., active/inactive, open/closed)? If yes, use an enum. If it genuinely answers a yes/no question with no domain state implications (e.g., "is this calculation positive?"), a boolean is fine. When in doubt, use an enum -- the cost of a small enum is lower than the cost of a boolean that silently accumulates domain meaning.

Verification

After applying domain modeling principles, verify:

No primitive types (String, int, number) used for domain concepts
No bool fields encoding domain states (use enums for state machines)
All identifiers use newtype wrappers, not raw primitives
Invalid states are unrepresentable (no contradictory field combinations)
Validation occurs at construction boundaries, not deep in business logic
Types are named for domain meaning (semantic), not structure
Two fields with the same underlying type cannot be accidentally swapped
Enum matching is exhaustive with no catch-all defaults for domain states

If any criterion is not met, create or refine the domain type before proceeding.

Dependencies

This skill works standalone. For enhanced workflows, it integrates with:

tdd: Domain review is a mandatory checkpoint in the TDD cycle. This skill provides the principles that review checks for.
code-review: Domain integrity is stage 3 of the three-stage review. This skill defines what to look for.
architecture-decisions: Architectural patterns (event sourcing, CQRS, hexagonal) affect where domain boundaries fall.

Missing a dependency? Install with:

npx skills add jwilger/agent-skills --skill tdd

Weekly Installs

Repository

jwilger/agent-skills

GitHub Stars

First Seen

Feb 12, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

claude-code76

codex74

cursor74

opencode72

github-copilot72

amp72

冲刺回顾模板：敏捷团队回顾会议指南与模板（开始-停止-继续/愤怒-悲伤-高兴/4Ls）

10,400 周安装