I'm a CodeIgniter user and I'm taking a look at Kohana. First thing I noticed is that in the documentation every snippet starts with:

<?php defined('SYSPATH') or die('No direct script access.');

Assuming I'll be using .htaccess for address rewrite, is this really necessary? Is it an alternative to .htaccess for the purpose of avoiding direct access? Is it just a good practice for "defense in depth"?

+1  A: 

It's used to make sure you can only access the scripts through index.php (where SYSPATH is defined).

It's another layer of security if your script files are in a web accessible location. This check will stop people from executing classes like http://example.com/application/classes/controllers/welcome.php

In reality the files should be outside of the webroot with the index.php referencing the right locations, but that's not possible all the time, so they have that check.

I guess you could get away with leaving it out if you have .htaccess protecting those directories, but it doesn't cost anything to have so you might as well just keep it.

The Pixel Developer
I know what it does
kemp
I expanded on the answer for you.
The Pixel Developer
Thanks (15 chars)
kemp
Can you accept an answer?
The Pixel Developer
This is a good answer too, keeping your system and module files outside of the webroot is the best security for them.
zombor
+2  A: 

If you are using a .htaccess file to protect your system files, this is not required. However, since Kohana has to support non-.htaccess use, we place that there in the core system files for some basic security.

zombor
+1 Nice to have the Kohana Framework Developer himself address this.
Jonathan Sampson
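An audit check for the guard discussed in this thread, added here as an example (it is not code from the answers or from Kohana itself): it lists PHP files under a directory that do not carry the `defined('SYSPATH') or die(...)` check near the top. The function name `find_unguarded` and the 5-line window are assumptions.

```shell
#!/bin/sh
# Added example: report PHP files that lack the SYSPATH guard near the top.
# A guard placed after executable code does not protect that code, so only
# the first 5 lines of each file are inspected (the window is an assumption).
# The match is textual: a guard that only appears inside a comment would
# still count, so review anything surprising by hand.

find_unguarded() {
    dir=$1
    # Accepts `or` / `OR` / `||` and `die` / `exit`, with optional spacing.
    pattern="defined\([[:space:]]*['\"]SYSPATH['\"][[:space:]]*\)[[:space:]]*(or|\|\|)[[:space:]]*(die|exit)"
    find "$dir" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        if ! head -n 5 "$f" | grep -Eqi "$pattern"; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: pass the directory to scan, for example the application,
# modules or system directory of an install. index.php is where SYSPATH is
# defined, so it is expected to have no guard and should not be scanned.
if [ "$#" -gt 0 ]; then
    find_unguarded "$1"
fi
```

Any file it prints is reachable as a standalone script if that directory sits inside the webroot with no .htaccess rule covering it.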