A cryptographic key that is too short, predictable, or improperly encoded is worse than no key at all. The generate command must uphold a strict invariant: the output is always a correctly-sized, random, properly-encoded secret.

Every CLI application is a contract between the program and the user. Clap helps us encode that contract as invariants — required arguments, valid subcommands, and structured input — enforced before a single line of business logic runs.

Structs let you define your own types — and your own invariants. By controlling construction, field access, and method behavior, you decide what 'valid' means for your data.

Rust's borrowing rules encode a fundamental invariant: you can have many readers or one writer, but never both. This single rule eliminates data races at compile time.

Ownership is not a feature of Rust. It IS Rust. Three rules, enforced at compile time, that eliminate use-after-free, double-free, and data races — without a garbage collector.

Every function in Rust is a boundary — and every boundary is a place where invariants are declared. Parameter types, return types, and the expression system all enforce contracts the compiler checks.

In Rust, every branch of a conditional must agree on its type. Every loop has explicit termination semantics. Control flow isn't just syntax — it's a set of invariants the compiler enforces.

Rust is statically typed — every value has a type known at compile time. This isn't a convenience feature. It's an invariant that eliminates entire categories of runtime failures.

Every Cargo command upholds a specific contract. Build guarantees compilation. Test guarantees verification. Publish guarantees distribution. Here's the full reference.

Cargo isn't just a convenience tool. It enforces a set of invariants about how Rust projects are structured, built, and distributed — so you can't accidentally break the build.