Hyrum's Law

With enough users, it doesn't matter what you promise in your API contract — all observable behaviors of your system will be depended on by someone, somewhere. That's Hyrum's Law, and it quietly undermines one of the most common assumptions in software design.

The assumption is that you can change your internals freely as long as you don't change the public contract. The distinction between "public interface" and "private implementation" feels clean in theory. In practice, users don't interact with your contract. They interact with your behavior — and they build on whatever they observe, whether you intended it or not.

If your API happens to respond quickly, users will write code that times out once it gets slower. If it happens to return a list in a particular order, users will write code that breaks when the query plan or the sorting algorithm changes. "Observable" is broader than the values you document: response time, the wording of error messages, and the order of items in a collection all count. Your implementation detail has become someone else's dependency:

// Implementation Detail: We happen to return users sorted by ID
function getUsers() {
  return db.query("SELECT * FROM users ORDER BY id");
}

// User's Code: Relying on implicit behavior
const users = getUsers();
const firstUser = users[0]; // "I know this is the first user by ID"

This is why "bug fixes" sometimes break users. The behavior you're correcting was never promised, but someone built on it anyway, because it was observable and consistent. From your perspective it was a bug. From theirs, it was load-bearing. Security fixes are no exception: tightening input validation, rewording an error, or adding a rate limit is, to a consumer, simply a change in behavior, so plan for breakage rather than assuming the contract protects you.
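The following is an added example, not code from the original note: it replays the getUsers() scenario above with an in-memory stand-in for the database (the sample rows, function names and the seeded RNG are all constructed for illustration). It shows a consumer that depends on observed order breaking under an innocent change, a consumer written against the contract surviving it, and the producer-side defence of deliberately shuffling any order the contract does not promise, so that accidental dependence fails in the caller's own tests instead of in production.

```javascript
// Constructed sample rows, inserted out of id order on purpose.
const USERS = [
  { id: 3, name: "carol", createdAt: 20 },
  { id: 1, name: "alice", createdAt: 50 },
  { id: 2, name: "bob",   createdAt: 10 },
];

// v1: the implementation happens to return rows sorted by id.
// Nothing in the contract promises that; it is just what the query did.
function getUsersV1() {
  return [...USERS].sort((a, b) => a.id - b.id);
}

// v2: an innocent "fix" switches to creation order (say, the index the
// planner now prefers). The documented contract is unchanged.
function getUsersV2() {
  return [...USERS].sort((a, b) => a.createdAt - b.createdAt);
}

// Consumer written against observed behaviour, as in the snippet above.
function firstUserByObservedOrder(getUsers) {
  return getUsers()[0].id;
}

// Consumer that depends only on the contract: it sorts explicitly.
function firstUserByContract(getUsers) {
  const users = getUsers().slice().sort((a, b) => a.id - b.id);
  return users[0].id;
}

// Small deterministic PRNG (mulberry32) so the shuffle is reproducible in tests.
function seededRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s + 0x6d2b79f5) >>> 0;
    let t = s;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Defensive producer: when ordering is NOT part of the contract, shuffle the
// result (Fisher-Yates) so a caller that relies on order sees instability
// immediately. Go's randomized map iteration order is the well-known instance
// of this idea.
function getUsersUnordered(rng = Math.random) {
  const out = [...USERS];
  for (let i = out.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

// Histogram of which id comes first across many calls to the shuffled producer.
function firstIdDistribution(n = 300, rng = Math.random) {
  const counts = {};
  for (let i = 0; i < n; i++) {
    const id = getUsersUnordered(rng)[0].id;
    counts[id] = (counts[id] || 0) + 1;
  }
  return counts;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("v1, observed order:", firstUserByObservedOrder(getUsersV1)); // 1
  console.log("v2, observed order:", firstUserByObservedOrder(getUsersV2)); // 2: the "fix" broke the caller
  console.log("v2, by contract:   ", firstUserByContract(getUsersV2));      // 1
  console.log("shuffled first-id histogram:", firstIdDistribution(300, seededRng(42)));
}
```

The shuffle is the interesting half: it costs a little per call, but it converts a silent, latent dependency into a test failure on the consumer's side, which is the cheapest place to find it. If you do want callers to rely on the order, the alternative is to promise it in the contract and pin it with a test, so that a later "fix" to the query is caught as the breaking change it is.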