The latest articles on Forem by Odilon HUGONNOT (@ohugonnot). https://forem.com/ohugonnot https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3833552%2F48d32eab-68ed-4496-8ba6-f01e32806723.png https://forem.com/ohugonnot en Odilon HUGONNOT Fri, 01 May 2026 09:00:02 +0000 https://forem.com/ohugonnot/linux-network-tuning-tcp-bbr-nic-ring-buffers-and-sftp-throughput-4hni https://forem.com/ohugonnot/linux-network-tuning-tcp-bbr-nic-ring-buffers-and-sftp-throughput-4hni <p>The server is on a Gbit link. <code>ethtool</code> confirms 1000 Mbps on the interface. And yet every SFTP transfer caps out somewhere around 800 KB/s. Not 80 MB/s — 800 kilobytes per second. Less than 1% of the theoretical capacity.</p> <p>The problem isn't bandwidth. It's a stack of bad defaults: a congestion control algorithm designed for year-2000 networks, microscopically small NIC ring buffers, and application socket buffers sized for DSL lines. Here are the five tweaks that fixed it.</p> <h2> TCP BBR: replacing CUBIC </h2> <p>CUBIC has been Linux's default congestion control algorithm since 2006. It works by growing the congestion window (<em>cwnd</em>) until it detects a packet loss, then cutting it in half. On modern low-latency, high-bandwidth networks, this loss-triggered reaction is a problem: a single dropped packet (thermal noise, NIC buffer overflow) causes a 50% throughput drop followed by a slow recovery.</p> <p>BBR (Bottleneck Bandwidth and Round-trip propagation time), developed by Google in 2016, doesn't react to loss — it models the actual link throughput by continuously measuring bandwidth and minimum RTT. It holds the window at the optimal level without waiting for drops. On a Gbit link under real traffic, the difference is immediately noticeable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/sysctl.d/99-bbr.conf</span> net.ipv4.tcp_congestion_control <span class="o">=</span> bbr <span class="c"># BBR replaces CUBIC</span> net.ipv4.tcp_slow_start_after_idle <span class="o">=</span> 0 <span class="c"># keep cwnd between download pauses</span> net.ipv4.tcp_no_metrics_save <span class="o">=</span> 1 <span class="c"># ignore TCP metrics from previous sessions</span> net.ipv4.tcp_fastopen <span class="o">=</span> 3 <span class="c"># TCP Fast Open client+server (-1 RTT on reconnects)</span> net.ipv4.tcp_mtu_probing <span class="o">=</span> 1 <span class="c"># MTU probing if ICMP is blocked upstream</span> net.ipv4.tcp_wmem <span class="o">=</span> 4096 262144 16777216 <span class="c"># TCP write buffer: default 256 KB, max 16 MB</span> net.core.netdev_max_backlog <span class="o">=</span> 5000 <span class="c"># packet queue before kernel processing at 1 Gbit/s</span> net.core.netdev_budget <span class="o">=</span> 600 <span class="c"># packets processed per NAPI cycle</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Apply immediately (persists across reboots via the file)</span> sysctl <span class="nt">-p</span> /etc/sysctl.d/99-bbr.conf <span class="c"># Verify</span> sysctl net.ipv4.tcp_congestion_control <span class="c"># → net.ipv4.tcp_congestion_control = bbr</span> </code></pre> </div> <p><code>tcp_slow_start_after_idle</code> deserves special attention for SFTP. By default, Linux resets cwnd to 10 after a period of inactivity on a TCP connection. An interactive SFTP session alternates activity and pauses — every time you start a new transfer after browsing a directory, TCP restarts in slow start. Disabling this avoids that unnecessary reset.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>lsmod | <span class="nb">grep </span>bbr <span class="c"># → tcp_bbr 20480 1</span> <span class="c"># If absent: modprobe tcp_bbr</span> </code></pre> </div> <h2> NIC ring buffers: the main cause of drops </h2> <p>This is probably the highest-impact change, and the least documented one. A NIC ring buffer is a memory region between the network card and the kernel. The NIC deposits received packets there. If the buffer fills before the kernel processes them, new packets are silently dropped.</p> <p>The default on most Ethernet cards is 256 or 512 entries RX. At 1 Gbit/s with 1500-byte frames, that's ~83,000 packets per second to absorb. A 256-entry buffer can saturate in under a millisecond if the kernel is temporarily busy elsewhere. The result: invisible drops, a collapsing CUBIC cwnd, and stalled throughput.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check current state</span> ethtool <span class="nt">-g</span> enp2s0f0 <span class="c"># Ring parameters for enp2s0f0:</span> <span class="c"># Pre-set maximums:</span> <span class="c"># RX: 4096</span> <span class="c"># TX: 4096</span> <span class="c"># Current hardware settings:</span> <span class="c"># RX: 256 ← too small</span> <span class="c"># TX: 256 ← too small</span> <span class="c"># Apply (takes effect immediately, lost on reboot)</span> ethtool <span class="nt">-G</span> enp2s0f0 rx 4096 tx 4096 <span class="c"># Verify</span> ethtool <span class="nt">-g</span> enp2s0f0 <span class="c"># Current hardware settings:</span> <span class="c"># RX: 4096</span> <span class="c"># TX: 4096</span> </code></pre> </div> <p>To make the setting persistent, add it to <code>/etc/network/interfaces</code> after the interface configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In /etc/network/interfaces, after dns-search (or at the end of the iface block)</span> post-up ethtool <span class="nt">-G</span> enp2s0f0 rx 4096 tx 4096 </code></pre> </div> <p>Replace <code>enp2s0f0</code> with your actual interface name (<code>ip link show</code> to list). Not all NICs support 4096 — <code>ethtool -g</code> shows the maximums under "Pre-set maximums".<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Monitor NIC drops in real time</span> watch <span class="nt">-n1</span> ethtool <span class="nt">-S</span> enp2s0f0 | <span class="nb">grep</span> <span class="nt">-i</span> drop <span class="c"># rx_missed_errors and rx_fifo_errors indicate ring buffer drops</span> </code></pre> </div> <h2> ProFTPD and Apache: application-level buffers </h2> <p>Once the kernel and NIC layers are tuned, application buffers become the next bottleneck. ProFTPD and Apache defaults are sized for modest connections — they haven't been meaningfully updated since a time when Gbit/s was reserved for carrier backbones.</p> <h3> ProFTPD — socket buffers </h3> <p>ProFTPD exposes <code>SocketOptions</code> to control socket buffer sizes at the TCP level. Default values (<code>rcvbuf</code> and <code>sndbuf</code>) are typically 87 KB or less. Bumping to 1 MB lets the kernel hold more data in flight without waiting on client ACKs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># In /etc/proftpd/proftpd.conf, after UseSendFile on SocketOptions rcvbuf 1048576 sndbuf 1048576 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl reload proftpd </code></pre> </div> <h3> Apache — send buffer </h3> <p>Apache has its own <code>SendBufferSize</code> directive that controls the TCP send buffer size for HTTP connections. Without it, Apache uses the system default, often 87 KB. On a Gbit link serving large static files or substantial API responses, this is a real constraint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># In /etc/apache2/apache2.conf (global level) SendBufferSize 1048576 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apache2ctl configtest <span class="o">&amp;&amp;</span> systemctl reload apache2 </code></pre> </div> <h2> TLS: session cache and OCSP Stapling </h2> <p>A full TLS handshake costs 1 to 2 extra RTTs. On HTTPS, a client that reconnects frequently — browser reopening connections, transfer tool with reconnects, monitoring — multiplies these RTTs unnecessarily. TLS session cache allows resuming an existing session without a full handshake.</p> <p>OCSP Stapling solves a different problem: without stapling, the browser must contact the CA's OCSP server to verify certificate validity. That's an additional external round-trip, potentially slow, on every new connection. With stapling, Apache prefetches the OCSP response and includes it in the TLS handshake — the client doesn't need to contact the CA.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># In /etc/apache2/mods-enabled/ssl.conf # Shared memory session cache: 10 MB (~40,000 simultaneous sessions) SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(10485760) SSLSessionCacheTimeout 3600 # OCSP Stapling: Apache prefetches and caches the OCSP response SSLUseStapling on SSLStaplingCache shmcb:/var/run/apache2/ssl_stapling(2097152) SSLStaplingReturnResponderErrors off </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apache2ctl configtest <span class="o">&amp;&amp;</span> systemctl reload apache2 </code></pre> </div> <p><code>SSLStaplingReturnResponderErrors off</code> matters: without it, if the upstream OCSP server is temporarily unreachable, Apache returns the error to the client instead of falling back gracefully. Not what you want in production.</p> <h2> Results and verification </h2> <p>After applying all these changes, SFTP throughput went from ~800 KB/s to several tens of MB/s on the same Gbit connection. The bottleneck was never the network — it was the accumulation of bad defaults at each layer of the stack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># BBR active</span> sysctl net.ipv4.tcp_congestion_control <span class="c"># → bbr</span> <span class="c"># NIC ring buffers</span> ethtool <span class="nt">-g</span> enp2s0f0 | <span class="nb">grep</span> <span class="nt">-A5</span> <span class="s2">"Current hardware"</span> <span class="c"># → RX: 4096 / TX: 4096</span> <span class="c"># TCP stats (retransmissions, drops)</span> ss <span class="nt">-s</span> <span class="c"># → retrans: 0/0 ideally</span> <span class="c"># SFTP throughput test (1 GB file)</span> sftp user@server <span class="o">&lt;&lt;&lt;</span> <span class="s1">$'put /tmp/testfile /tmp/testfile'</span> <span class="c"># Verify OCSP Stapling</span> openssl s_client <span class="nt">-connect</span> your-domain.com:443 <span class="nt">-status</span> &lt; /dev/null 2&gt;&amp;1 | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"OCSP"</span> <span class="c"># → OCSP Response Status: successful (0x0)</span> <span class="c"># Verify TLS session resumption</span> openssl s_client <span class="nt">-connect</span> your-domain.com:443 <span class="nt">-reconnect</span> 2&gt;&amp;1 | <span class="nb">grep</span> <span class="s2">"Reused"</span> <span class="c"># → Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384</span> </code></pre> </div> <h2> Conclusion </h2> <p>These settings should have been the defaults for the kernel and daemons long ago. BBR has been stable since 2016. A 256-entry ring buffer on a Gbit card makes no sense. An 87 KB socket buffer on a modern connection is folklore.</p> <p>The technical difficulty is low — each change is a single line. The problem is that these defaults produce no visible error: throughput is just "disappointing", logs show nothing, and you spend hours looking at the application before checking the network stack.</p> <p>One caveat: adapt the values to your actual topology. <code>tcp_wmem</code> at 16 MB on a machine with 512 MB RAM and 1000 concurrent connections may create other problems. These parameters are calibrated for a dedicated server with few simultaneous connections on a local or datacenter network.</p> <p><strong>📄 Associated CLAUDE.md</strong></p> <p><a href="https://www.web-developpeur.com/blog/claude-md/view.php?ctx=optimisation-reseau-linux" rel="noopener noreferrer">View</a> • <a href="https://www.web-developpeur.com/blog/claude-md/contexts/optimisation-reseau-linux.md" rel="noopener noreferrer">Download</a> • <a href="https://www.web-developpeur.com/blog/claude-md/" rel="noopener noreferrer">Catalogue</a></p> linux tcp bbr sftp Odilon HUGONNOT Thu, 30 Apr 2026 09:00:03 +0000 https://forem.com/ohugonnot/securing-a-dedicated-linux-debian-12-server-complete-post-incident-guide-2bbl https://forem.com/ohugonnot/securing-a-dedicated-linux-debian-12-server-complete-post-incident-guide-2bbl <p>An ordinary Tuesday morning. I glance at Apache logs before starting work — a conditioned reflex, rarely useful. Except that morning. In <code>error.log</code>, hundreds of identical lines, all from the same IP: <code>13.37.248.113</code>. HTTP Digest authentication attempts in a loop, combining common usernames with generic passwords.</p> <p>The server held. HTTP Digest auth with a correct password is a solid barrier against brute force if the password is strong. But the incident still triggered a full audit I'd been putting off for too long.</p> <p>This server hosts a private seedbox shared with about twenty users, a PHP website behind Apache with HTTP Digest authentication, SFTP access via ProFTPD, a wiki in Docker behind an Apache reverse proxy, and Jellyfin for streaming. A classic setup for a semi-professional personal server. Here is everything that was reviewed, fixed, and automated.</p> <h2> 1. Detecting and responding to a brute force attack </h2> <h3> Reading Apache logs to identify attempts </h3> <p>Apache's HTTP Digest authentication logs its failures in <code>error.log</code>, not <code>access.log</code>. The codes to look for are <code>AH01790</code> and <code>AH01794</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Count failed attempts by IP over the last 24h</span> <span class="nb">grep</span> <span class="s2">"AH0179"</span> /var/log/apache2/error.log | <span class="nb">grep</span> <span class="nt">-oP</span> <span class="s1">'\[client \K[0-9.]+'</span> | <span class="nb">sort</span> | <span class="nb">uniq</span> <span class="nt">-c</span> | <span class="nb">sort</span> <span class="nt">-rn</span> | <span class="nb">head</span> <span class="nt">-20</span> <span class="c"># See full lines for a specific IP</span> <span class="nb">grep</span> <span class="s2">"13.37.248.113"</span> /var/log/apache2/error.log | <span class="nb">tail</span> <span class="nt">-30</span> </code></pre> </div> <p>Log lines look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>Tue Feb 18 07:23:41.412893 2026] <span class="o">[</span>auth_digest:error] <span class="o">[</span>pid 1234] <span class="o">[</span>client 13.37.248.113:58432] AH01790: user admin: password mismatch: /protected/ <span class="o">[</span>Tue Feb 18 07:23:41.718204 2026] <span class="o">[</span>auth_digest:error] <span class="o">[</span>pid 1234] <span class="o">[</span>client 13.37.248.113:58433] AH01794: user root <span class="k">in </span>realm <span class="s2">"Private Area"</span> not found: /protected/ <span class="o">[</span>Tue Feb 18 07:23:42.091337 2026] <span class="o">[</span>auth_digest:error] <span class="o">[</span>pid 1234] <span class="o">[</span>client 13.37.248.113:58434] AH01790: user administrator: password mismatch: /protected/ </code></pre> </div> <p>Three distinct patterns in these logs: <code>password mismatch</code> (known user, wrong password), <code>not found</code> (non-existent user), and sometimes <code>nonce mismatch</code> (replay of expired challenge). The attacker was clearly testing a list of generic login/password pairs.</p> <h3> Identifying the attacker </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Quick whois</span> whois 13.37.248.113 <span class="c"># Geolocation without installing anything</span> curl <span class="nt">-s</span> https://ipinfo.io/13.37.248.113/json </code></pre> </div> <p>Result: IP belonging to Amazon AWS eu-west-3 (Paris). Classic. Cheap AWS VPS instances are used en masse for this kind of operation because they're easy to create, difficult to trace back to a real person, and often poorly monitored. The IP has since been reported on AbuseIPDB with around sixty reports.</p> <h3> Verifying no intrusion occurred </h3> <p>Before doing anything else, verify that nothing actually got in. The brute force may have found something before it was noticed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Successful SSH connections (look for unexpected logins)</span> <span class="nb">grep</span> <span class="s2">"Accepted"</span> /var/log/auth.log | <span class="nb">tail</span> <span class="nt">-50</span> <span class="c"># Failed SSH attempts from the same IP</span> <span class="nb">grep</span> <span class="s2">"13.37.248.113"</span> /var/log/auth.log <span class="c"># SFTP activity (ProFTPD log)</span> <span class="nb">grep</span> <span class="s2">"13.37.248.113"</span> /var/log/proftpd/proftpd.log 2&gt;/dev/null <span class="c"># Check timestamps on sensitive files</span> <span class="nb">stat</span> /etc/passwd /etc/shadow /etc/sudoers <span class="nb">ls</span> <span class="nt">-la</span> /root/.ssh/ <span class="nb">ls</span> <span class="nt">-la</span> /home/ <span class="c"># Look for files modified recently in /etc (last 24h)</span> find /etc <span class="nt">-newer</span> /tmp/ref_file <span class="nt">-ls</span> 2&gt;/dev/null <span class="c"># Create the reference file first: touch -d "24 hours ago" /tmp/ref_file</span> </code></pre> </div> <p>In this specific case, nothing. The attack was limited to HTTP Digest, without touching SSH. But that doesn't change the need to close the weak points that could have been exploited.</p> <h2> 2. fail2ban — Protection against brute force </h2> <p>fail2ban analyzes logs and bans IPs that exceed an attempt threshold. The default config is a good starting point, but it has significant gaps for this specific setup.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt <span class="nb">install </span>fail2ban systemctl <span class="nb">enable </span>fail2ban </code></pre> </div> <p>All customizations go in <code>/etc/fail2ban/jail.local</code> (never modify <code>jail.conf</code> directly — it will be overwritten during updates).</p> <h3> SSH jail </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/fail2ban/jail.local</span> <span class="o">[</span>DEFAULT] bantime <span class="o">=</span> 86400 <span class="p">;</span> 24h findtime <span class="o">=</span> 600 <span class="p">;</span> detection window: 10 minutes maxretry <span class="o">=</span> 5 banaction <span class="o">=</span> iptables-multiport <span class="o">[</span>sshd] enabled <span class="o">=</span> <span class="nb">true </span>port <span class="o">=</span> ssh logpath <span class="o">=</span> %<span class="o">(</span>sshd_log<span class="o">)</span>s backend <span class="o">=</span> %<span class="o">(</span>sshd_backend<span class="o">)</span>s maxretry <span class="o">=</span> 5 </code></pre> </div> <h3> apache-auth jail — the default filter trap </h3> <p>fail2ban includes a default <code>apache-auth</code> filter. It does not detect HTTP Digest authentication errors from Apache 2.4. The default filter looks for patterns like <code>Authorization Required</code> or Basic Auth errors — not the <code>AH01790</code> / <code>AH01794</code> from the <code>auth_digest</code> module.</p> <p>A custom filter is required:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/fail2ban/filter.d/apache-auth.local</span> <span class="o">[</span>Definition] failregex <span class="o">=</span> <span class="se">\[</span>client &lt;HOST&gt;:.<span class="k">*</span><span class="se">\]</span> AH01790: user .+: password mismatch <span class="se">\[</span>client &lt;HOST&gt;:.<span class="k">*</span><span class="se">\]</span> AH01794: user .+ <span class="k">in </span>realm .+ not found <span class="se">\[</span>client &lt;HOST&gt;:.<span class="k">*</span><span class="se">\]</span> AH01788: .+nonce from .+ received on .+ - not found </code></pre> </div> <p>Then the corresponding jail in <code>jail.local</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>apache-auth] enabled <span class="o">=</span> <span class="nb">true </span>filter <span class="o">=</span> apache-auth port <span class="o">=</span> http,https logpath <span class="o">=</span> /var/log/apache2/error.log maxretry <span class="o">=</span> 8 bantime <span class="o">=</span> 86400 findtime <span class="o">=</span> 300 </code></pre> </div> <p>To test the filter before enabling it in production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test the filter against a real log excerpt</span> fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.local <span class="nt">--print-all-matched</span> </code></pre> </div> <h3> ProFTPD jail </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>proftpd] enabled <span class="o">=</span> <span class="nb">true </span>port <span class="o">=</span> ftp,ftp-data,ftps,ftps-data logpath <span class="o">=</span> /var/log/proftpd/proftpd.log maxretry <span class="o">=</span> 6 bantime <span class="o">=</span> 86400 </code></pre> </div> <h3> Checking jail status </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Overview</span> fail2ban-client status <span class="c"># Details of a specific jail</span> fail2ban-client status apache-auth fail2ban-client status sshd <span class="c"># Manually unban an IP (if you ban yourself)</span> fail2ban-client <span class="nb">set </span>sshd unbanip 1.2.3.4 <span class="c"># fail2ban logs</span> <span class="nb">tail</span> <span class="nt">-f</span> /var/log/fail2ban.log </code></pre> </div> <h2> 3. SSH/SFTP — Restricting access </h2> <p>About twenty users have SFTP access to upload and retrieve files. None of them need a full SSH shell. That's unnecessary attack surface.</p> <h3> sftponly group and ChrootDirectory </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create the group</span> groupadd sftponly <span class="c"># Add existing users</span> usermod <span class="nt">-aG</span> sftponly alice usermod <span class="nt">-aG</span> sftponly bob <span class="c"># etc.</span> </code></pre> </div> <p>In <code>/etc/ssh/sshd_config</code>, add this block at the end (it must come after any existing <code>Match</code> directive):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Match Group sftponly ForceCommand internal-sftp <span class="nt">-l</span> INFO <span class="nt">-f</span> AUTH ChrootDirectory %h AllowTcpForwarding no X11Forwarding no PermitTunnel no AllowAgentForwarding no </code></pre> </div> <p><strong>The chroot trap.</strong> The <code>ChrootDirectory</code> directive imposes a severe and counter-intuitive constraint: the chroot root directory must belong to <code>root:root</code> with <code>755</code> permissions. If it's the user's home directory and they own it, SSH refuses the connection silently — the user just sees a connection error with no explanation on the client side.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Correct structure for an SFTP chroot</span> <span class="c"># The home must be root:root 755</span> <span class="nb">ls</span> <span class="nt">-la</span> /home/alice/ <span class="c"># drwxr-xr-x 3 root root 4096 ...</span> <span class="c"># Subdirectories belong to the user</span> <span class="nb">ls</span> <span class="nt">-la</span> /home/alice/downloads/ <span class="c"># drwxr-xr-x 2 alice alice 4096 ...</span> <span class="c"># Fix permissions if needed</span> <span class="nb">chown </span>root:root /home/alice <span class="nb">chmod </span>755 /home/alice <span class="c"># The user must still be able to write somewhere</span> <span class="nb">mkdir</span> <span class="nt">-p</span> /home/alice/uploads <span class="nb">chown </span>alice:alice /home/alice/uploads <span class="nb">chmod </span>755 /home/alice/uploads </code></pre> </div> <h3> Detailed SFTP logging </h3> <p>By default, SFTP transfers are not logged in a useful way. Enable logging in the <code>Subsystem</code> directive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In /etc/ssh/sshd_config</span> <span class="c"># Replace the existing Subsystem line with:</span> Subsystem sftp internal-sftp <span class="nt">-l</span> INFO <span class="nt">-f</span> AUTH </code></pre> </div> <p>Transfers then appear in <code>/var/log/auth.log</code> with the format <code>sftp-server[PID]: open "/path/file.txt" flags READ mode 0666</code>.</p> <h3> Disable root SSH login </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In /etc/ssh/sshd_config</span> PermitRootLogin prohibit-password <span class="c"># Verify no unknown key exists</span> <span class="nb">cat</span> /root/.ssh/authorized_keys <span class="c"># If the file contains keys you don't recognize: security incident</span> </code></pre> </div> <p><code>prohibit-password</code> (formerly <code>without-password</code>) forbids password login but allows SSH keys. It's safer than <code>no</code> if you need emergency access via key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Reload SSH after modification</span> sshd <span class="nt">-t</span> <span class="o">&amp;&amp;</span> systemctl reload sshd </code></pre> </div> <h2> 4. Permissions and sensitive files </h2> <p>After verifying nothing was modified, this is the opportunity to put permissions into a correct state once and for all.</p> <h3> Credential files </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># htdigest files — readable by root and www-data only</span> <span class="nb">chown </span>root:www-data /etc/apache2/.htdigest <span class="nb">chmod </span>640 /etc/apache2/.htdigest <span class="c"># Configuration files with passwords</span> <span class="nb">chown </span>root:www-data /var/www/html/config.php <span class="nb">chmod </span>640 /var/www/html/config.php <span class="c"># Normal user home directories</span> <span class="nb">chmod </span>700 /home/alice <span class="nb">chown </span>alice:alice /home/alice <span class="c"># Exception: home dirs of chrooted SFTP users → root:root 755 (see section 3)</span> </code></pre> </div> <h3> Block web access to sensitive directories </h3> <p>The natural temptation is to use <code>&lt;Location&gt;</code> with <code>Require all denied</code>. Problem: in Apache 2.4 with HTTP Digest authentication configured at the parent level, <code>Require</code> directives can interact unexpectedly with inherited auth. In some configurations, access is simply challenged with a Digest prompt instead of being denied.</p> <p><code>RewriteRule</code> is more reliable because it runs in Apache's processing pipeline before authentication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># In .htaccess or the vhost RewriteEngine On # Block direct access to internal data RewriteRule ^/data/internal - [F,L] RewriteRule ^/uploads/private - [F,L] # Block config files accidentally exposed RewriteRule \.(env|log|sql|bak)$ - [F,L] </code></pre> </div> <p>The <code>[F]</code> flag returns a 403 immediately. <code>[L]</code> stops processing further rules.</p> <h2> 5. Sudoers — Principle of least privilege </h2> <p>By default on Debian, the installation often creates a user in the <code>sudo</code> group. In a context where the server is shared and exposes services, keeping accounts with full sudo is unnecessary risk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List who has sudo</span> getent group <span class="nb">sudo</span> <span class="c"># Remove sudo from a non-root account</span> deluser adminuser <span class="nb">sudo</span> <span class="c"># Verify</span> <span class="nb">sudo</span> <span class="nt">-l</span> <span class="nt">-U</span> adminuser <span class="c"># "User adminuser is not allowed to run sudo"</span> </code></pre> </div> <p>If the admin needs elevation, <code>su</code> is sufficient — they know the root password. No need for sudo on a personal server.</p> <h3> www-data and scripts with privileges </h3> <p>If PHP scripts need to execute system commands with elevated privileges (reload Apache, run a maintenance script), never put <code>www-data</code> in sudo globally. Create a file in <code>/etc/sudoers.d/</code> with only what is strictly necessary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/sudoers.d/www-data</span> <span class="c"># Always use absolute paths</span> www-data <span class="nv">ALL</span><span class="o">=(</span>ALL<span class="o">)</span> NOPASSWD: /usr/sbin/apachectl graceful www-data <span class="nv">ALL</span><span class="o">=(</span>ALL<span class="o">)</span> NOPASSWD: /usr/local/bin/maintenance-script.sh </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Correct permissions on this file</span> <span class="nb">chmod </span>440 /etc/sudoers.d/www-data <span class="c"># Check syntax before saving</span> visudo <span class="nt">-c</span> <span class="nt">-f</span> /etc/sudoers.d/www-data </code></pre> </div> <p>Scripts called by <code>www-data</code> must validate their inputs. If a parameter is passed from PHP, use <code>escapeshellarg()</code> and validate the format before calling <code>shell_exec()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="c1">// Validate the parameter before using it</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">'username'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nb">preg_match</span><span class="p">(</span><span class="s1">'/^[a-z][a-z0-9_]{2,31}$/'</span><span class="p">,</span> <span class="nv">$user</span><span class="p">))</span> <span class="p">{</span> <span class="k">die</span><span class="p">(</span><span class="s1">'Invalid username format'</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$escaped</span> <span class="o">=</span> <span class="nb">escapeshellarg</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="nv">$output</span> <span class="o">=</span> <span class="nb">shell_exec</span><span class="p">(</span><span class="s2">"sudo /usr/local/bin/create-user-dir.sh </span><span class="nv">$escaped</span><span class="s2">"</span><span class="p">);</span> <span class="cp">?&gt;</span> </code></pre> </div> <h2> 6. Audit and intrusion detection (auditd) </h2> <p>fail2ban reacts. auditd observes and records. The two are complementary.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt <span class="nb">install </span>auditd audispd-plugins systemctl <span class="nb">enable </span>auditd </code></pre> </div> <p>Create the rules file <code>/etc/audit/rules.d/security.rules</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/audit/rules.d/security.rules</span> <span class="c"># sudoers modifications</span> <span class="nt">-w</span> /etc/sudoers <span class="nt">-p</span> wa <span class="nt">-k</span> sudoers <span class="nt">-w</span> /etc/sudoers.d/ <span class="nt">-p</span> wa <span class="nt">-k</span> sudoers <span class="c"># SSH configuration</span> <span class="nt">-w</span> /etc/ssh/sshd_config <span class="nt">-p</span> wa <span class="nt">-k</span> sshd_config <span class="c"># Root SSH keys</span> <span class="nt">-w</span> /root/.ssh/authorized_keys <span class="nt">-p</span> wa <span class="nt">-k</span> root_keys <span class="c"># System accounts</span> <span class="nt">-w</span> /etc/passwd <span class="nt">-p</span> wa <span class="nt">-k</span> accounts <span class="nt">-w</span> /etc/shadow <span class="nt">-p</span> wa <span class="nt">-k</span> accounts <span class="nt">-w</span> /etc/group <span class="nt">-p</span> wa <span class="nt">-k</span> accounts <span class="c"># su and sudo execution</span> <span class="nt">-w</span> /usr/bin/su <span class="nt">-p</span> x <span class="nt">-k</span> su_exec <span class="nt">-w</span> /usr/bin/sudo <span class="nt">-p</span> x <span class="nt">-k</span> sudo_exec <span class="c"># Crontab</span> <span class="nt">-w</span> /etc/crontab <span class="nt">-p</span> wa <span class="nt">-k</span> crontab <span class="nt">-w</span> /etc/cron.d/ <span class="nt">-p</span> wa <span class="nt">-k</span> crontab <span class="nt">-w</span> /var/spool/cron/ <span class="nt">-p</span> wa <span class="nt">-k</span> crontab <span class="c"># fail2ban configuration</span> <span class="nt">-w</span> /etc/fail2ban/ <span class="nt">-p</span> wa <span class="nt">-k</span> fail2ban <span class="c"># Sensitive application configuration files</span> <span class="nt">-w</span> /var/www/html/config.php <span class="nt">-p</span> rwa <span class="nt">-k</span> app_config <span class="nt">-w</span> /etc/apache2/ <span class="nt">-p</span> wa <span class="nt">-k</span> apache_config </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Load rules without restarting</span> augenrules <span class="nt">--load</span> <span class="c"># Verify active rules</span> auditctl <span class="nt">-l</span> <span class="c"># Consult events (last 24h)</span> ausearch <span class="nt">-ts</span> yesterday <span class="nt">-te</span> now | aureport <span class="nt">-f</span> <span class="nt">-i</span> | <span class="nb">head</span> <span class="nt">-50</span> </code></pre> </div> <h3> Process accounting with acct </h3> <p>acct records every command executed by every user, with timestamp and duration. Less verbose than auditd, but excellent for a post-incident audit: "what did user X do yesterday between 2pm and 3pm?"<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt <span class="nb">install </span>acct accton on <span class="c"># Enable recording</span> <span class="c"># See recent commands by user</span> lastcomm <span class="nt">--user</span> alice | <span class="nb">head</span> <span class="nt">-30</span> <span class="c"># Recent root commands</span> lastcomm <span class="nt">--user</span> root | <span class="nb">head</span> <span class="nt">-50</span> <span class="c"># Filter by specific command</span> lastcomm <span class="nt">--command</span> bash </code></pre> </div> <h3> rkhunter — Rootkit scanner </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt <span class="nb">install </span>rkhunter <span class="c"># Initialize the baseline (do this immediately after a clean installation)</span> rkhunter <span class="nt">--update</span> rkhunter <span class="nt">--propupd</span> <span class="c"># Full scan</span> rkhunter <span class="nt">--check</span> <span class="nt">--skip-keypress</span> <span class="c"># After a system update, regenerate the baseline</span> apt upgrade <span class="o">&amp;&amp;</span> rkhunter <span class="nt">--propupd</span> </code></pre> </div> <p>rkhunter will generate false positives at first — legitimate files it doesn't recognize. Go through the warnings once to qualify them. Real rootkits don't hide in plain sight (if the system is already compromised, rkhunter will likely be bypassed), but the tool is useful for detecting unexpected modifications to system binaries.</p> <h2> 7. Automated security audit with AI analysis </h2> <p>The problem with monitoring logs on an exposed server: the background noise is enormous. Hundreds of SSH attempts per day from Chinese and Russian IPs is the norm. Alerting on all of them by email would mean never reading your email.</p> <p>The solution put in place: collect the raw report every night, pass this report to Claude via CLI to distinguish background noise from real incidents, and only send an email if something warrants attention.</p> <h3> Collection script </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># /root/scripts/security-audit.sh</span> <span class="c"># Runs every night via cron: 3 0 * * * /root/scripts/security-audit.sh</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nv">REPORT_DIR</span><span class="o">=</span><span class="s2">"/var/log/security-audit"</span> <span class="nv">TODAY</span><span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%Y-%m-%d<span class="si">)</span> <span class="nv">REPORT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$REPORT_DIR</span><span class="s2">/</span><span class="nv">$TODAY</span><span class="s2">.txt"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$REPORT_DIR</span><span class="s2">"</span> <span class="nb">chmod </span>700 <span class="s2">"</span><span class="nv">$REPORT_DIR</span><span class="s2">"</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"=== SECURITY REPORT - </span><span class="nv">$TODAY</span><span class="s2"> ==="</span> <span class="nb">echo</span> <span class="s2">"Generated on: </span><span class="si">$(</span><span class="nb">date</span><span class="si">)</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"=== AUDITD EVENTS (24h) ==="</span> ausearch <span class="nt">-ts</span> yesterday <span class="nt">-te</span> now 2&gt;/dev/null | aureport <span class="nt">-f</span> <span class="nt">-i</span> 2&gt;/dev/null | <span class="nb">tail</span> <span class="nt">-100</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"auditd: no events"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"=== FAIL2BAN - ACTIVE BANS ==="</span> <span class="k">for </span>jail <span class="k">in </span>sshd apache-auth proftpd<span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"--- </span><span class="nv">$jail</span><span class="s2"> ---"</span> fail2ban-client status <span class="s2">"</span><span class="nv">$jail</span><span class="s2">"</span> 2&gt;/dev/null <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"jail </span><span class="nv">$jail</span><span class="s2"> not active"</span> <span class="k">done </span><span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"=== SSH - FAILED ATTEMPTS (24h) ==="</span> <span class="nb">grep</span> <span class="s2">"Failed password"</span> /var/log/auth.log | <span class="nb">grep</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> +%b<span class="si">)</span><span class="s2">"</span> | <span class="nb">tail</span> <span class="nt">-50</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"none"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"=== SSH - SUCCESSFUL CONNECTIONS (24h) ==="</span> <span class="nb">grep</span> <span class="s2">"Accepted"</span> /var/log/auth.log | <span class="nb">grep</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> +%b<span class="si">)</span><span class="s2">"</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"none"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"=== LISTENING PORTS (check) ==="</span> ss <span class="nt">-tlnp</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"=== ESTABLISHED OUTBOUND CONNECTIONS ==="</span> ss <span class="nt">-tnp</span> state established | <span class="nb">grep</span> <span class="nt">-v</span> <span class="s2">"127.0.0.1"</span> | <span class="nb">grep</span> <span class="nt">-v</span> <span class="s2">"::1"</span> | <span class="nb">head</span> <span class="nt">-30</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># rkhunter scan only on Sundays (day 7)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> +%u<span class="si">)</span><span class="s2">"</span> <span class="nt">-eq</span> 7 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"=== RKHUNTER SCAN (weekly) ==="</span> rkhunter <span class="nt">--check</span> <span class="nt">--skip-keypress</span> <span class="nt">--quiet</span> 2&gt;&amp;1 | <span class="nb">tail</span> <span class="nt">-30</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"rkhunter: error"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"=== END OF REPORT ==="</span> <span class="o">}</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$REPORT</span><span class="s2">"</span> 2&gt;&amp;1 <span class="nb">chmod </span>600 <span class="s2">"</span><span class="nv">$REPORT</span><span class="s2">"</span> <span class="c"># Run AI analysis separately</span> /root/scripts/security-analyze.sh <span class="s2">"</span><span class="nv">$REPORT</span><span class="s2">"</span> </code></pre> </div> <h3> AI analysis script </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># /root/scripts/security-analyze.sh</span> <span class="c"># Receives the report path as argument</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nv">REPORT</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-}</span><span class="s2">"</span> <span class="nv">ADMIN_EMAIL</span><span class="o">=</span><span class="s2">"admin@example.com"</span> <span class="nv">TODAY</span><span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%Y-%m-%d<span class="si">)</span> <span class="nv">ANALYSIS_TIMEOUT</span><span class="o">=</span>60 <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$REPORT</span><span class="s2">"</span> <span class="o">]</span> <span class="o">||</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$REPORT</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> /path/to/report.txt"</span> <span class="o">&gt;</span>&amp;2 <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># Prompt for Claude — ask for JSON only to make parsing easy</span> <span class="nv">PROMPT</span><span class="o">=</span><span class="s2">"Analyze this Linux server security report. Distinguish real incidents from normal events (SSH attempts from random IPs are typical background noise). A real incident would be: a successful SSH connection from an unknown IP, a sensitive file change in auditd, an unexpected open port, or an abnormally high volume of attempts on a specific service. Reply ONLY with valid JSON, no markdown, no explanation: {</span><span class="se">\"</span><span class="s2">alert</span><span class="se">\"</span><span class="s2">: true/false, </span><span class="se">\"</span><span class="s2">summary</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">2-3 sentence summary</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">details</span><span class="se">\"</span><span class="s2">: [</span><span class="se">\"</span><span class="s2">point1</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">point2</span><span class="se">\"</span><span class="s2">]}"</span> <span class="c"># Claude call with timeout</span> <span class="nv">AI_RESPONSE</span><span class="o">=</span><span class="s2">""</span> <span class="nv">AI_ERROR</span><span class="o">=</span>0 <span class="k">if </span><span class="nb">command</span> <span class="nt">-v</span> claude <span class="o">&gt;</span>/dev/null 2&gt;&amp;1<span class="p">;</span> <span class="k">then </span><span class="nv">AI_RESPONSE</span><span class="o">=</span><span class="si">$(</span><span class="nb">timeout</span> <span class="s2">"</span><span class="nv">$ANALYSIS_TIMEOUT</span><span class="s2">"</span> bash <span class="nt">-c</span> <span class="s2">"cat '</span><span class="nv">$REPORT</span><span class="s2">' | claude --print --model claude-haiku-4-5 '</span><span class="nv">$PROMPT</span><span class="s2">'"</span> 2&gt;/dev/null<span class="si">)</span> <span class="o">||</span> <span class="nv">AI_ERROR</span><span class="o">=</span>1 <span class="k">else </span><span class="nv">AI_ERROR</span><span class="o">=</span>1 <span class="k">fi</span> <span class="c"># Safe fallback: if AI is unavailable, send raw report</span> <span class="c"># We don't miss an incident because the API was down</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$AI_ERROR</span><span class="s2">"</span> <span class="nt">-eq</span> 1 <span class="o">]</span> <span class="o">||</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$AI_RESPONSE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>mail <span class="nt">-s</span> <span class="s2">"[SECURITY] Report </span><span class="nv">$TODAY</span><span class="s2"> - AI analysis unavailable"</span> <span class="s2">"</span><span class="nv">$ADMIN_EMAIL</span><span class="s2">"</span> &lt; <span class="s2">"</span><span class="nv">$REPORT</span><span class="s2">"</span> <span class="nb">exit </span>0 <span class="k">fi</span> <span class="c"># Parse the response JSON</span> <span class="nv">ALERT</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$AI_RESPONSE</span><span class="s2">"</span> | python3 <span class="nt">-c</span> <span class="s2">"import sys,json; d=json.load(sys.stdin); print(d.get('alert', False))"</span> 2&gt;/dev/null <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"parse_error"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$ALERT</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"parse_error"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="c"># Invalid JSON → fallback raw report</span> mail <span class="nt">-s</span> <span class="s2">"[SECURITY] Report </span><span class="nv">$TODAY</span><span class="s2"> - invalid AI response"</span> <span class="s2">"</span><span class="nv">$ADMIN_EMAIL</span><span class="s2">"</span> &lt; <span class="s2">"</span><span class="nv">$REPORT</span><span class="s2">"</span> <span class="nb">exit </span>0 <span class="k">fi if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$ALERT</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"True"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">SUMMARY</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$AI_RESPONSE</span><span class="s2">"</span> | python3 <span class="nt">-c</span> <span class="s2">"import sys,json; d=json.load(sys.stdin); print(d.get('summary', 'N/A'))"</span> 2&gt;/dev/null <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"N/A"</span><span class="si">)</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"AI Analysis: </span><span class="nv">$SUMMARY</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"--- Full report ---"</span> <span class="nb">cat</span> <span class="s2">"</span><span class="nv">$REPORT</span><span class="s2">"</span> <span class="o">}</span> | mail <span class="nt">-s</span> <span class="s2">"[SECURITY ALERT] </span><span class="nv">$TODAY</span><span class="s2"> - Incident detected"</span> <span class="s2">"</span><span class="nv">$ADMIN_EMAIL</span><span class="s2">"</span> <span class="k">fi</span> <span class="c"># If alert=False: nothing. The report is archived in $REPORT_DIR for manual review.</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Make executable and schedule</span> <span class="nb">chmod </span>700 /root/scripts/security-audit.sh <span class="nb">chmod </span>700 /root/scripts/security-analyze.sh <span class="c"># Root crontab</span> crontab <span class="nt">-e</span> <span class="c"># Add:</span> <span class="c"># 0 3 * * * /root/scripts/security-audit.sh</span> </code></pre> </div> <p>The advantage of the systematic fallback: if Claude API is down, times out, or returns invalid JSON, the raw report is sent anyway. You don't risk missing a real incident because the third-party analysis service was unavailable that night.</p> <h2> 8. PHP security </h2> <h3> Secure sessions </h3> <p>By default, PHP sessions are not configured to resist cookie theft. Add to <code>php.ini</code> or at the start of every script that uses sessions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="c1">// Configure before session_start()</span> <span class="nb">ini_set</span><span class="p">(</span><span class="s1">'session.cookie_httponly'</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// Inaccessible from JavaScript</span> <span class="nb">ini_set</span><span class="p">(</span><span class="s1">'session.cookie_secure'</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// HTTPS only</span> <span class="nb">ini_set</span><span class="p">(</span><span class="s1">'session.cookie_samesite'</span><span class="p">,</span> <span class="s1">'Lax'</span><span class="p">);</span> <span class="c1">// Partial CSRF protection</span> <span class="nb">ini_set</span><span class="p">(</span><span class="s1">'session.use_strict_mode'</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// Reject session IDs not generated by the server</span> <span class="nb">session_start</span><span class="p">();</span> <span class="cp">?&gt;</span> </code></pre> </div> <p>Or in <code>/etc/php/8.x/apache2/php.ini</code> to apply globally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>session.cookie_httponly <span class="o">=</span> 1 session.cookie_secure <span class="o">=</span> 1 session.cookie_samesite <span class="o">=</span> Lax session.use_strict_mode <span class="o">=</span> 1 </code></pre> </div> <h3> CSRF protection </h3> <p>Every form that performs an action (modification, deletion, submission) must be protected with a CSRF token. The minimal but correct implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nb">session_start</span><span class="p">();</span> <span class="c1">// Token generation (once per session or per form)</span> <span class="k">if</span> <span class="p">(</span><span class="k">empty</span><span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'csrf_token'</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'csrf_token'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">bin2hex</span><span class="p">(</span><span class="nb">random_bytes</span><span class="p">(</span><span class="mi">32</span><span class="p">));</span> <span class="p">}</span> <span class="c1">// In the HTML form</span> <span class="c1">// &lt;input type="hidden" name="csrf_token" value="&lt;?= htmlspecialchars($_SESSION['csrf_token']) ?&gt;"&gt;</span> <span class="c1">// Verification on POST requests</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">'REQUEST_METHOD'</span><span class="p">]</span> <span class="o">===</span> <span class="s1">'POST'</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$submitted_token</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">'csrf_token'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nb">hash_equals</span><span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'csrf_token'</span><span class="p">],</span> <span class="nv">$submitted_token</span><span class="p">))</span> <span class="p">{</span> <span class="nb">http_response_code</span><span class="p">(</span><span class="mi">403</span><span class="p">);</span> <span class="k">die</span><span class="p">(</span><span class="s1">'Invalid CSRF token'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Regenerate after use for single-use forms</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'csrf_token'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">bin2hex</span><span class="p">(</span><span class="nb">random_bytes</span><span class="p">(</span><span class="mi">32</span><span class="p">));</span> <span class="p">}</span> <span class="cp">?&gt;</span> </code></pre> </div> <h3> Rate limiting on sensitive actions </h3> <p>Without a database or Redis, basic session-based rate limiting is sufficient for small sites:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="k">function</span> <span class="n">check_rate_limit</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$action</span><span class="p">,</span> <span class="kt">int</span> <span class="nv">$max_attempts</span><span class="p">,</span> <span class="kt">int</span> <span class="nv">$window_seconds</span><span class="p">):</span> <span class="kt">bool</span> <span class="p">{</span> <span class="nv">$key</span> <span class="o">=</span> <span class="s1">'rate_limit_'</span> <span class="mf">.</span> <span class="nv">$action</span><span class="p">;</span> <span class="nv">$now</span> <span class="o">=</span> <span class="nb">time</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="k">isset</span><span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="nv">$key</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="nv">$key</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'count'</span> <span class="o">=&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="s1">'reset_at'</span> <span class="o">=&gt;</span> <span class="nv">$now</span> <span class="o">+</span> <span class="nv">$window_seconds</span><span class="p">];</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$now</span> <span class="o">&gt;</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="nv">$key</span><span class="p">][</span><span class="s1">'reset_at'</span><span class="p">])</span> <span class="p">{</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="nv">$key</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'count'</span> <span class="o">=&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="s1">'reset_at'</span> <span class="o">=&gt;</span> <span class="nv">$now</span> <span class="o">+</span> <span class="nv">$window_seconds</span><span class="p">];</span> <span class="p">}</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="nv">$key</span><span class="p">][</span><span class="s1">'count'</span><span class="p">]</span><span class="o">++</span><span class="p">;</span> <span class="k">return</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="nv">$key</span><span class="p">][</span><span class="s1">'count'</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="nv">$max_attempts</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Usage</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">check_rate_limit</span><span class="p">(</span><span class="s1">'login'</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">300</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// 5 attempts per 5 minutes</span> <span class="nb">http_response_code</span><span class="p">(</span><span class="mi">429</span><span class="p">);</span> <span class="k">die</span><span class="p">(</span><span class="s1">'Too many attempts. Please try again in a few minutes.'</span><span class="p">);</span> <span class="p">}</span> <span class="cp">?&gt;</span> </code></pre> </div> <h2> 9. Apache HTTP headers </h2> <p>These headers strengthen security on the browser side. They don't prevent a server intrusion, but they reduce the attack surface for XSS and clickjacking vulnerabilities.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># In .htaccess or the vhost config # Requires mod_headers: a2enmod headers &lt;IfModule mod_headers.c&gt; # Prevents the browser from guessing the MIME type Header always set X-Content-Type-Options "nosniff" # Prevents inclusion in iframes (clickjacking protection) Header always set X-Frame-Options "SAMEORIGIN" # Controls information sent in the Referer header Header always set Referrer-Policy "strict-origin-when-cross-origin" # Disables sensitive unused features Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()" # Remove Apache version from responses Header always unset X-Powered-By ServerTokens Prod ServerSignature Off &lt;/IfModule&gt; </code></pre> </div> <p>HSTS (<code>Strict-Transport-Security</code>) is handled automatically by Certbot/Let's Encrypt if the site is on HTTPS. Don't configure it manually unless you know exactly what you're doing — a too-long duration with an HTTPS config error can make the site inaccessible for months from browsers that cached the header.</p> <h2> 10. Docker — Isolating containers </h2> <p>When Apache acts as a reverse proxy to Docker containers, a common shortcut is to expose container ports on all network interfaces. The result: the service is directly accessible from the Internet, completely bypassing the reverse proxy and all the authentication that comes with it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /srv/wiki/docker-compose.yml</span> services: wiki: image: requarks/wiki:2 <span class="c"># BAD — accessible from any IP on port 3000</span> ports: - <span class="s2">"3000:3000"</span> <span class="c"># GOOD — only from localhost, the reverse proxy can reach it, Internet cannot</span> ports: - <span class="s2">"127.0.0.1:3000:3000"</span> </code></pre> </div> <p>The Apache reverse proxy config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;VirtualHost *:443&gt; ServerName wiki.example.com ProxyPreserveHost On ProxyPass / http://127.0.0.1:3000/ ProxyPassReverse / http://127.0.0.1:3000/ # Authentication is handled here, not in the container &lt;Location /admin&gt; AuthType Digest AuthName "Admin Area" AuthDigestProvider file AuthUserFile /etc/apache2/.htdigest Require valid-user &lt;/Location&gt; &lt;/VirtualHost&gt; </code></pre> </div> <p>Check existing containers that might have this problem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List exposed Docker ports</span> docker ps <span class="nt">--format</span> <span class="s2">"table {{.Names}}</span><span class="se">\t</span><span class="s2">{{.Ports}}"</span> <span class="c"># Look for bindings on 0.0.0.0 (problematic)</span> docker ps <span class="nt">--format</span> <span class="s2">"{{.Ports}}"</span> | <span class="nb">grep</span> <span class="s2">"0.0.0.0"</span> </code></pre> </div> <h2> 11. Automatic updates </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt <span class="nb">install </span>unattended-upgrades apt-listchanges <span class="c"># Enable</span> dpkg-reconfigure <span class="nt">-plow</span> unattended-upgrades </code></pre> </div> <p>Verify the generated configuration in <code>/etc/apt/apt.conf.d/20auto-upgrades</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>APT::Periodic::Update-Package-Lists <span class="s2">"1"</span><span class="p">;</span> APT::Periodic::Download-Upgradeable-Packages <span class="s2">"1"</span><span class="p">;</span> APT::Periodic::AutocleanInterval <span class="s2">"7"</span><span class="p">;</span> APT::Periodic::Unattended-Upgrade <span class="s2">"1"</span><span class="p">;</span> </code></pre> </div> <p>On Debian 12, security updates are included by default in the unattended-upgrades configuration. Check <code>/etc/apt/apt.conf.d/50unattended-upgrades</code> to ensure the <code>Debian-Security</code> origins are uncommented.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Simulate what would be updated</span> unattended-upgrade <span class="nt">--dry-run</span> <span class="nt">-d</span> <span class="c"># Force an update now</span> unattended-upgrade <span class="nt">-d</span> <span class="c"># View logs of past updates</span> <span class="nb">cat</span> /var/log/unattended-upgrades/unattended-upgrades.log | <span class="nb">tail</span> <span class="nt">-50</span> </code></pre> </div> <h2> 12. Log retention </h2> <p>Debian keeps system logs for 4 weeks by default. If you detect an incident and want to know what happened 6 weeks ago, you have nothing. Extend retention now, before you need it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/logrotate.d/rsyslog — change rotate 4 to rotate 13 for ~3 months</span> <span class="c"># (check the existing content first)</span> <span class="nb">cat</span> /etc/logrotate.d/rsyslog </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Modified version</span> /var/log/syslog /var/log/auth.log /var/log/kern.log /var/log/mail.log /var/log/daemon.log <span class="o">{</span> rotate 13 weekly missingok notifempty compress delaycompress sharedscripts postrotate /usr/lib/rsyslog/rsyslog-rotate endscript <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/logrotate.d/apache2 — extend to 365 days</span> <span class="c"># Look for "rotate" in the existing file and adapt</span> <span class="c"># Recommended format for Apache: daily rotation, 365 files</span> /var/log/apache2/<span class="k">*</span>.log <span class="o">{</span> daily rotate 365 missingok notifempty compress delaycompress sharedscripts postrotate <span class="k">if </span>invoke-rc.d apache2 status <span class="o">&gt;</span> /dev/null 2&gt;&amp;1<span class="p">;</span> <span class="k">then </span>invoke-rc.d apache2 reload <span class="o">&gt;</span> /dev/null 2&gt;&amp;1 <span class="k">fi </span>endscript <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># fail2ban: 54 weeks (~1 year)</span> <span class="c"># /etc/logrotate.d/fail2ban</span> /var/log/fail2ban.log <span class="o">{</span> weekly rotate 54 compress delaycompress missingok postrotate fail2ban-client flushlogs 1&gt;/dev/null <span class="o">||</span> <span class="nb">true </span>endscript <span class="o">}</span> <span class="c"># Test logrotate config</span> logrotate <span class="nt">--debug</span> /etc/logrotate.conf </code></pre> </div> <h2> 13. Password changes post-incident </h2> <p>The least glamorous but most critical part. After any suspicion of intrusion, even if the analysis concludes it was a failed attempt, change all passwords that could have been exposed. When in doubt, change them.</p> <h3> htdigest password </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Change a user's password in an htdigest file</span> htdigest /etc/apache2/.htdigest <span class="s2">"Private Area"</span> alice <span class="c"># Verify the resulting file (format: user:realm:md5_hash)</span> <span class="nb">cat</span> /etc/apache2/.htdigest </code></pre> </div> <h3> System passwords </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Change a user's password</span> passwd alice <span class="c"># Change root password</span> passwd root <span class="c"># Force change on next login</span> chage <span class="nt">-d</span> 0 alice </code></pre> </div> <h3> Checking consistency </h3> <p>The classic trap: a password is referenced in multiple places. Before validating a change, search for all occurrences:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Search for references to a username in configs</span> <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"alice"</span> /etc/apache2/ 2&gt;/dev/null <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"alice"</span> /etc/proftpd/ 2&gt;/dev/null <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"alice"</span> /var/www/html/ 2&gt;/dev/null <span class="c"># Find htpasswd and htdigest files</span> find /etc/apache2 /var/www <span class="nt">-name</span> <span class="s2">".htpasswd"</span> <span class="nt">-o</span> <span class="nt">-name</span> <span class="s2">".htdigest"</span> 2&gt;/dev/null </code></pre> </div> <p>A password can live in the htdigest file, in an application's configuration (wiki, seedbox), in maintenance scripts, and in internal documentation. Updating just one of the four and re-explaining everything to all users three weeks later is not a recommended experience.</p> <h2> Conclusion — Security hardening checklist </h2> <p>What this audit produced concretely, summarized for a quick review:</p> <ul> <li> fail2ban installed and configured with custom filter for Apache auth_digest</li> <li> Active jails: sshd, apache-auth, proftpd</li> <li> sftponly group with chroot and ForceCommand internal-sftp</li> <li> Chrooted users' home dirs at root:root 755 (unavoidable constraint)</li> <li> Detailed SFTP logging enabled in sshd_config</li> <li> Root SSH login set to prohibit-password, authorized_keys verified</li> <li> Credential file permissions reviewed (640, root:www-data)</li> <li> Sensitive directories blocked by RewriteRule (not Location)</li> <li> Accounts without sudo need removed from the sudo group</li> <li> www-data sudoers limited to strictly necessary commands</li> <li> auditd installed with rules on critical files</li> <li> acct installed for per-user command history</li> <li> rkhunter installed, baseline initialized</li> <li> Daily audit script with AI analysis and raw report fallback</li> <li> Secure PHP sessions (httponly, secure, samesite)</li> <li> CSRF protection on forms</li> <li> Security HTTP headers configured in Apache</li> <li> Docker ports bound to 127.0.0.1 only</li> <li> unattended-upgrades active for security updates</li> <li> Extended log retention (3 months for auth.log, 1 year for Apache)</li> <li> All potentially exposed passwords changed</li> </ul> <p>A server exposed on the Internet will always be attacked. That comes with the territory. The question isn't to prevent attempts — that's impossible — but to ensure that attempts fail, that any eventual successes are detected quickly, and that you have the logs needed to understand what happened.</p> <p>This audit took about two days of work spread over a week. Most points should have been done at initial installation. That's rarely the case. What matters is doing it before something serious happens — and automating monitoring so you don't have to revisit it manually every week.</p> scurit linux debian fail2ban Odilon HUGONNOT Wed, 29 Apr 2026 09:00:02 +0000 https://forem.com/ohugonnot/testing-a-production-bash-script-38-tests-without-a-framework-55a4 https://forem.com/ohugonnot/testing-a-production-bash-script-38-tests-without-a-framework-55a4 <p>The context: a Bash script to display Claude Code rate limits in a terminal status bar. At first it seems trivial — a few functions, reading a JSON file, some formatting. But the script quickly ends up handling: JSON parsing with <code>jq</code>, time formatting with timezone, percentage calculations, Unicode progress bar generation, countdown logic. And above all: several edge cases (missing data, corrupted JSON, quotas at 0, unknown timezone).</p> <p>Without tests, every change becomes a lottery. You change the countdown formatting, you don't know if you broke the percentage calculation. You add active model handling, you don't know if the corrupted JSON fixtures still pass. With 38 unit tests on a Bash script, you modify with confidence — and <code>bash tests/test_statusline.sh</code> in 2 seconds confirms nothing is broken.</p> <h2> Why no Bash testing framework </h2> <p>Bash testing frameworks exist: bats-core, shunit2, shellspec. They're good. For this project, the choice was not to add one — zero external dependencies in the repo, one-liner install. A test framework is a dependency. The constraint was simple: tests run with native bash, nothing to install.</p> <p>Result: ~100 lines of homemade test helpers. No magic, no DSL, no plugin to update — just functions and conventions. For a 300-line script, that's the right level of engineering. A <code>testing framework</code> to test a Bash script is often more complexity than the script itself.</p> <h2> The basic structure: assertions and counters </h2> <p>The test file starts with two global counters and two assertion functions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># tests/test_statusline.sh</span> <span class="nv">PASS</span><span class="o">=</span>0 <span class="nv">FAIL</span><span class="o">=</span>0 assert_eq<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">description</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nb">local </span><span class="nv">expected</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="nb">local </span><span class="nv">actual</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$expected</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"</span><span class="nv">$actual</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" ✓ </span><span class="nv">$description</span><span class="s2">"</span> <span class="o">((</span>PASS++<span class="o">))</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" ✗ </span><span class="nv">$description</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" expected: </span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$expected</span><span class="s2">"</span> | <span class="nb">cat</span> <span class="nt">-A</span><span class="si">)</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" actual: </span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$actual</span><span class="s2">"</span> | <span class="nb">cat</span> <span class="nt">-A</span><span class="si">)</span><span class="s2">"</span> <span class="o">((</span>FAIL++<span class="o">))</span> <span class="k">fi</span> <span class="o">}</span> assert_contains<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">description</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nb">local </span><span class="nv">needle</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="nb">local </span><span class="nv">haystack</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$haystack</span><span class="s2">"</span> <span class="o">==</span> <span class="k">*</span><span class="s2">"</span><span class="nv">$needle</span><span class="s2">"</span><span class="k">*</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">" ✓ </span><span class="nv">$description</span><span class="s2">"</span> <span class="o">((</span>PASS++<span class="o">))</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" ✗ </span><span class="nv">$description</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" expected to contain: </span><span class="nv">$needle</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" actual: </span><span class="nv">$haystack</span><span class="s2">"</span> <span class="o">((</span>FAIL++<span class="o">))</span> <span class="k">fi</span> <span class="o">}</span> <span class="c"># At the end of the test file:</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Results: </span><span class="nv">$PASS</span><span class="s2"> passed, </span><span class="nv">$FAIL</span><span class="s2"> failed"</span> <span class="o">[[</span> <span class="nv">$FAIL</span> <span class="nt">-eq</span> 0 <span class="o">]]</span> <span class="o">||</span> <span class="nb">exit </span>1 </code></pre> </div> <p>The <code>cat -A</code> in the error message displays invisible characters (spaces, tabs, <code>\n</code>, <code>$</code> at end of line) — essential for debugging tests that fail on an extra space in a formatted string. Without it, you spend 20 minutes comparing two strings that look identical visually but aren't equal.</p> <h2> Testing Bash functions: the isolation problem </h2> <p>The main script (<code>statusline.sh</code>) isn't designed to be sourced in tests — it executes top-level code as soon as it's launched. The pattern to isolate functions without modifying production behavior:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In statusline.sh, wrap the executable code:</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="k">${</span><span class="nv">BASH_SOURCE</span><span class="p">[0]</span><span class="k">}</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"</span><span class="k">${</span><span class="nv">0</span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> <span class="c"># Executed only when the script is run directly</span> main <span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span> <span class="k">fi</span> <span class="c"># Functions defined in the file remain available when sourced</span> </code></pre> </div> <p>In the test file, source the functions without triggering <code>main</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Source functions without executing main</span> <span class="nb">source</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$0</span><span class="s2">"</span><span class="si">)</span><span class="s2">/../statusline.sh"</span> <span class="c"># Now we can test functions directly</span> <span class="nv">result</span><span class="o">=</span><span class="si">$(</span>format_percentage 67<span class="si">)</span> assert_eq <span class="s2">"67% gives yellow"</span> <span class="s2">"🟡"</span> <span class="s2">"</span><span class="nv">$result</span><span class="s2">"</span> </code></pre> </div> <p><code>BASH_SOURCE[0]</code> holds the path of the currently executing script. <code>$0</code> holds the path of the script launched by the user. When you source a file, these two values differ — the <code>if</code> doesn't execute.</p> <h2> Mocking external dependencies </h2> <p>The script calls <code>jq</code>, reads JSON files, uses <code>date</code> with timezone. For unit tests on Bash scripts, you mock by redefining commands in the test scope — Bash resolves functions before binaries in PATH:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Mock jq to return controlled data</span> jq<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"42"</span> <span class="o">}</span> <span class="nb">export</span> <span class="nt">-f</span> jq <span class="nv">result</span><span class="o">=</span><span class="si">$(</span>get_context_percentage<span class="si">)</span> assert_eq <span class="s2">"context at 42%"</span> <span class="s2">"42"</span> <span class="s2">"</span><span class="nv">$result</span><span class="s2">"</span> <span class="c"># Clean up the mock after the test</span> <span class="nb">unset</span> <span class="nt">-f</span> jq </code></pre> </div> <p>For more complex JSON data, create fixtures in <code>tests/fixtures/</code> and override the path variable via the environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">USAGE_FILE</span><span class="o">=</span><span class="s2">"tests/fixtures/usage_normal.json"</span> <span class="se">\</span> <span class="nv">result</span><span class="o">=</span><span class="si">$(</span>render_statusline<span class="si">)</span> assert_contains <span class="s2">"displays the model"</span> <span class="s2">"Sonnet 4.6"</span> <span class="s2">"</span><span class="nv">$result</span><span class="s2">"</span> <span class="nv">USAGE_FILE</span><span class="o">=</span><span class="s2">"tests/fixtures/usage_corrupted.json"</span> <span class="se">\</span> <span class="nv">result</span><span class="o">=</span><span class="si">$(</span>render_statusline<span class="si">)</span> assert_contains <span class="s2">"corrupted JSON → fallback"</span> <span class="s2">"N/A"</span> <span class="s2">"</span><span class="nv">$result</span><span class="s2">"</span> </code></pre> </div> <p>The advantage: fixtures are real readable JSON files, versionable, easy to update when the format changes. No need to mock <code>jq</code> for each case — you provide the input data directly.</p> <h2> A concrete example: testing the Unicode progress bar </h2> <p>The progress bar (<code>▓▓▓░░░░░</code>) is one of the most tested functions — it must correctly handle edge cases of Bash integer division:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>test_progress_bar<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"--- Progress bar ---"</span> assert_eq <span class="s2">"0% → 8 empty blocks"</span> <span class="s2">"░░░░░░░░"</span> <span class="s2">"</span><span class="si">$(</span>make_bar 0<span class="si">)</span><span class="s2">"</span> assert_eq <span class="s2">"50% → 4 full 4 empty"</span> <span class="s2">"▓▓▓▓░░░░"</span> <span class="s2">"</span><span class="si">$(</span>make_bar 50<span class="si">)</span><span class="s2">"</span> assert_eq <span class="s2">"100%→ 8 full blocks"</span> <span class="s2">"▓▓▓▓▓▓▓▓"</span> <span class="s2">"</span><span class="si">$(</span>make_bar 100<span class="si">)</span><span class="s2">"</span> assert_eq <span class="s2">"34% → rounded down"</span> <span class="s2">"▓▓░░░░░░"</span> <span class="s2">"</span><span class="si">$(</span>make_bar 34<span class="si">)</span><span class="s2">"</span> assert_eq <span class="s2">"99% → 7 full"</span> <span class="s2">"▓▓▓▓▓▓▓░"</span> <span class="s2">"</span><span class="si">$(</span>make_bar 99<span class="si">)</span><span class="s2">"</span> <span class="o">}</span> </code></pre> </div> <p>5 tests, 5 edge cases. The <code>34%</code> case is the most important: <code>34 * 8 / 100 = 2.72</code> → rounded to 2 by Bash integer division (no <code>bc</code>, no <code>awk</code>). Without an explicit test, this behavior is discovered in production when the bar displays one too many blocks. The <code>99%</code> case verifies that the last block stays empty — 7 full, not 8.</p> <h2> The result: 38 tests, 0 external framework </h2> <p>Final organization of tests by category:</p> <ul> <li> <strong>Progress bar</strong> (5 tests) — boundary values, integer division rounding</li> <li> <strong>Color coding</strong> (6 tests) — green/yellow/red thresholds by percentage</li> <li> <strong>Percentage formatting</strong> (4 tests) — display with <code>%</code>, zero, 100</li> <li> <strong>Time formatting</strong> (8 tests) — countdown, timezone, reset times, midnight</li> <li> <strong>JSON parsing</strong> (7 tests) — missing data, null values, corrupted JSON</li> <li> <strong>Full statusline render</strong> (8 tests) — complete output with real data fixtures</li> </ul> <p>Run: <code>bash tests/test_statusline.sh</code>. Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">---</span> Progress bar <span class="nt">---</span> ✓ 0% → 8 empty blocks ✓ 50% → 4 full 4 empty ✓ 100% → 8 full blocks ✓ 34% → rounded down ✓ 99% → 7 full <span class="nt">---</span> Color coding <span class="nt">---</span> ✓ 0% → green ✓ 74% → green ✓ 75% → yellow ✓ 89% → yellow ✓ 90% → red ✓ 100% → red <span class="o">[</span>...] Results: 38 passed, 0 failed </code></pre> </div> <h2> What it changes in practice </h2> <p>The statusline evolved 12+ times in a single day of development: adding the active model, overhauling the countdown, adding git dirty status, handling exhausted quotas. With each change, <code>bash tests/test_statusline.sh</code> in 2 seconds. Regressions are caught immediately — not after restarting Claude Code to see that the bar displays <code>N/A</code> instead of the percentage.</p> <p>Bash has no typing, no strict linter, no IDE that highlights logic errors. Tests compensate. This isn't a substitute for a real language — it's the minimal safety net that makes the script modifiable without anxiety.</p> <h2> Conclusion </h2> <p>100 lines of helpers. 38 Bash unit tests. Zero external dependencies. For a production Bash script that needs to be modifiable safely, that's the right investment. The pattern is portable to any Bash project: <code>assert_eq</code>, <code>assert_contains</code>, mock by function redefinition, fixtures as JSON files. No need for a testing framework to test a 300-line script.</p> <p>The full project is on GitHub: <a href="https://github.com/ohugonnot/claude-code-statusline" rel="noopener noreferrer">github.com/ohugonnot/claude-code-statusline</a></p> bash tests developertools scripting Odilon HUGONNOT Tue, 28 Apr 2026 09:00:02 +0000 https://forem.com/ohugonnot/migrating-postman-to-bruno-in-a-monorepo-the-practical-guide-3inf https://forem.com/ohugonnot/migrating-postman-to-bruno-in-a-monorepo-the-practical-guide-3inf <p>The ticket lands on a Monday morning: <em>"Migrate Postman collections to Bruno, integrate them into the monorepo."</em> You've used Postman for years without thinking too hard about it. Bruno you've heard of but never opened. The official docs list features. Medium articles explain "the 10 reasons to switch." Neither tells you concretely how to start clean on a monorepo with 6 services — patient API, lab, doctor portal, backoffice, billing, drug database — 3 environments, and secrets you can't commit.</p> <p>This is that guide. No preamble, no progressive intro — straight to what you need to know so the result is clean from the first commit.</p> <h2> Why Bruno </h2> <p>The real reason isn't "Bruno is better than Postman." It's that Postman has drifted toward a cloud-first model that creates concrete problems in a team:</p> <ul> <li> Postman collections live in Postman's cloud, not in your repo. They're not reviewable in a PR, they don't follow branches, and if someone modifies a request without telling anyone, it shows up nowhere in your version history.</li> <li> Workspace sharing requires an account and a paid Postman organization plan once you go beyond 4 or 5 active developers.</li> <li> The Postman client weighs 300+ MB (Electron). Anecdotal on its own, but representative of the model: grow the tool to justify the cloud value.</li> <li> Postman environment variables are stored in Postman's cloud, which creates friction for secrets: either you put them there (and lose control) or you manage them outside (and you're maintaining two separate configurations).</li> </ul> <p><a href="https://www.usebruno.com/" rel="noopener noreferrer">Bruno</a> solves all of this with one architectural decision: collections are text files (the <code>.bru</code> format, a simple DSL) stored in a directory. No account, no cloud, no magic sync. A <code>git clone</code> and everything is there. Request changes show up in diffs, PRs, and git blame. That's the only real reason to migrate.</p> <h2> The concepts in 5 minutes </h2> <p>Bruno has three concepts to understand before opening the interface. Two are similar to Postman, one is meaningfully different.</p> <p><strong>Collection</strong> — a directory of <code>.bru</code> files. When you open Bruno and create a collection, you pick a folder on your disk. That's it. Each request is a <code>.bru</code> file in that folder or a subfolder.</p> <p><strong>Environment</strong> — a named set of variables, defined in the Bruno UI and stored in the collection directory under an <code>environments/</code> subfolder, one <code>.bru</code> file per environment. These files are <strong>version-controlled</strong>. They hold non-sensitive variables: base URLs, ports, domain names, feature flags. You can put <code>base_url = http://localhost:8080</code> in there; you should not put a JWT token or a client certificate.</p> <p><strong>.env</strong> — a standard <code>.env</code> file at the root of the collection, <strong>gitignored</strong>. It holds secrets: tokens, passwords, paths to certificates. Bruno loads it automatically. In your <code>.bru</code> files, you access environment variables with <code>{{TOKEN}}</code> (which looks first in the active Environment, then in the <code>.env</code>) or with <code>process.env.TOKEN</code> in scripts.</p> <p>Concept</p> <p>Version-controlled?</p> <p>Use for</p> <p><code>environments/*.bru</code></p> <p>Yes</p> <p>base_url, ports, domain names</p> <p><code>.env</code></p> <p>No (gitignored)</p> <p>Tokens, certificates, passwords</p> <p><code>.bru</code> (requests)</p> <p>Yes</p> <p>API call definitions</p> <h2> Structure in the monorepo </h2> <p>First decision: where to put the collections in the monorepo. Options include <code>postman/</code> (legacy name, avoid it), <code>api-collection/</code> (verbose), <code>api/</code> (ambiguous if you already have Go packages called <code>api</code>), <code>bruno/</code> (the tool name — explicit, short, unambiguous).</p> <p>The <code>bruno/</code> choice has an added benefit: it's visible in the tree that this is a Bruno collection, not a Go code directory. When someone clones the repo for the first time, they don't have to guess what's in that folder.</p> <p>Recommended structure for 6 services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>bruno/ ├── environments/ │ ├── local.bru │ ├── dev.bru │ └── prod.bru ├── .env # gitignored — tokens, certs ├── .gitignore ├── patient-api/ # Patient API — REST │ ├── health.bru │ ├── patients/ │ │ ├── create-patient.bru │ │ └── get-patient.bru │ └── ... ├── lab-service/ # Lab Service — gRPC │ ├── lab-results.bru │ └── ... ├── doctor-portal/ # REST │ └── ... ├── backoffice/ # REST │ └── ... ├── billing-service/ # REST │ └── ... └── drug-db-api/ # REST — external API (e.g. OpenFDA) └── ... </code></pre> </div> <p>The <code>.gitignore</code> inside <code>bruno/</code> contains at minimum:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.env </code></pre> </div> <p>One service = one subfolder. Inside, you can create as many subfolders as needed to organize requests by resource or feature. Bruno renders the directory tree as-is in its explorer.</p> <h2> Managing environments </h2> <p>Environment files are <code>.bru</code> files with a slightly different syntax from request files. Here's what a realistic <code>local.bru</code> looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vars { patient_url: http://localhost:8080 lab_url: localhost:9090 doctor_url: http://localhost:8081 backoffice_url: http://localhost:8082 billing_url: http://localhost:8083 drug_db_url: https://api.openfda.gov grpc_tls: false } vars:secret [ AUTH_TOKEN DRUG_DB_API_KEY ] </code></pre> </div> <p>The <code>vars:secret</code> block lists the names of secret variables — it declares their existence without their value. The actual values come from the <code>.env</code>. This is what allows Bruno to handle display (masked in the UI) without storing secrets in the versioned file.</p> <p>The <code>dev.bru</code> file looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vars { patient_url: https://patient-dev.acme-internal.com lab_url: lab-dev.acme-internal.com:443 doctor_url: https://doctor-dev.acme-internal.com backoffice_url: https://backoffice-dev.acme-internal.com billing_url: https://billing-dev.acme-internal.com drug_db_url: https://api.openfda.gov grpc_tls: true } vars:secret [ AUTH_TOKEN DRUG_DB_API_KEY ] </code></pre> </div> <p>To switch environments in Bruno: dropdown menu in the top right of the interface, select <em>local</em>, <em>dev</em>, or <em>prod</em>. All requests immediately use the new environment's variables.</p> <h2> Secrets in .env </h2> <p>The <code>.env</code> at the root of <code>bruno/</code> holds the actual values of secret variables declared in the environments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AUTH_TOKEN= DRUG_DB_API_KEY= CLIENT_CERT_PATH=/home/user/.certs/client.crt CLIENT_KEY_PATH=/home/user/.certs/client.key </code></pre> </div> <p>In a <code>.bru</code> request file, you reference these variables with double-brace syntax:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>headers { Authorization: Bearer {{AUTH_TOKEN}} X-DrugDB-Key: {{DRUG_DB_API_KEY}} } </code></pre> </div> <p>Bruno resolves <code>{{AUTH_TOKEN}}</code> by looking in order: active Environment variables, then <code>.env</code>. If you've defined <code>AUTH_TOKEN</code> in both, the Environment wins. That's the expected behavior: you can override a secret per environment without touching the <code>.env</code> file.</p> <p>For client certificates (mutual TLS), Bruno supports configuration in the collection settings. You can reference paths from the <code>.env</code>: <code>{{CLIENT_CERT_PATH}}</code> in the certificate path field.</p> <h2> gRPC with server reflection </h2> <p>Acme's lab service exposes a gRPC service — analysis results stream in as each machine finishes a measurement, without waiting for the full batch to complete. The good news: Bruno supports gRPC natively, and it supports <em>server reflection</em> mode — you don't need the <code>.proto</code> file to discover and call methods. The server responds to a reflection request and Bruno builds the list of available methods.</p> <p>For reflection to work, your Go service needs to have registered the reflection service. If it hasn't yet, two lines to add in <code>main.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="s">"google.golang.org/grpc/reflection"</span> <span class="c">// In the function that configures the gRPC server:</span> <span class="n">reflection</span><span class="o">.</span><span class="n">Register</span><span class="p">(</span><span class="n">grpcServer</span><span class="p">)</span> </code></pre> </div> <p>Here's what a <code>.bru</code> file for a unary gRPC request looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>meta { name: Get Lab Results type: grpc seq: 1 } url: {{lab_url}} body { { "patient_id": "{{patient_id}}", "test_type": "blood_panel", "date_from": "2026-01-01" } } grpc { method: LabResultService/GetResults reflect: true tls: {{grpc_tls}} } </code></pre> </div> <p>The <code>reflect: true</code> field tells Bruno to use server reflection to fetch the schema. <code>tls: {{grpc_tls}}</code> uses the environment variable — <code>false</code> locally, <code>true</code> on dev/prod. The URL is just host:port, no scheme. The <code>patient_id</code> in the body can be injected from a pre-request script or copied from a previous REST response (patient record creation).</p> <p>For gRPC streaming (server-stream, client-stream, bidirectional), Bruno supports that too but the configuration differs slightly — the official docs cover that case better than any summary can.</p> <h2> What a real .bru file looks like </h2> <p>This is where people coming from Postman are most surprised: requests are plain text files with a simple syntax, not 200-line nested JSON. Here's a complete REST request with bearer auth, JSON body, and custom headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>meta { name: Create Patient Record type: http seq: 1 } post { url: {{patient_url}}/v1/patients body: json auth: bearer } auth:bearer { token: {{AUTH_TOKEN}} } headers { X-Request-ID: {{$randomUUID}} X-Client-Version: 2.1.0 } body:json { { "last_name": "Dupont", "first_name": "Marie", "dob": "1985-03-12", "nss": "{{$randomUUID}}" } } tests { test("status is 201", function() { expect(res.status).to.equal(201); }); test("has patient id", function() { expect(res.body.patient_id).to.be.a("string"); }); } </code></pre> </div> <p>A few things worth noting about this format:</p> <ul> <li> <code>seq</code> controls the display order in Bruno's explorer.</li> <li> <code>{{$randomUUID}}</code> is a built-in dynamic variable — Bruno provides several (<code>$timestamp</code>, <code>$randomInt</code>, etc.).</li> <li> The <code>tests</code> block uses Chai for assertions — same syntax as Postman if you were using it before v10.</li> <li> There's no pre-request script in some weird JSON/DSL format — it's plain JavaScript in a <code>script:pre-request { }</code> block.</li> </ul> <p>This file is readable in a diff. If someone changes the body or adds a header, you see it in the PR. That's the fundamental difference from Postman.</p> <h2> Migrating from Postman </h2> <p>Bruno supports import from Postman Collection v2.1.</p> <p>What migrates cleanly: simple REST requests, headers, JSON/form-data bodies, non-secret environment variables. Bruno generates one <code>.bru</code> file per request, folder structure is preserved.</p> <p>What doesn't migrate correctly:</p> <ul> <li> <strong>Complex pre-request scripts</strong> — Postman scripts using <code>pm.sendRequest()</code> or advanced environment manipulation need to be rewritten manually. Bruno's syntax is similar but not identical.</li> <li> <strong>Postman Flows</strong> — completely Postman-specific, no equivalent in Bruno.</li> <li> <strong>Monitors and mock servers</strong> — Postman cloud features, out of scope for Bruno.</li> <li> <strong>Secret variables</strong> — you normally don't export these, so they won't appear in the exported JSON anyway.</li> </ul> <p>Pragmatic recommendation: import one collection, check the result, fix what's broken. Don't bulk-import all 6 services without verifying. Critical requests (auth, resource creation) are worth recreating by hand in 5 minutes rather than importing and leaving with unpredictable behavior. The <code>.bru</code> format is simple enough for that.</p> <h3> Step by step </h3> <ol> <li> <strong>Download and install Bruno</strong> — available at <a href="https://www.usebruno.com/downloads" rel="noopener noreferrer">usebruno.com/downloads</a> for macOS, Linux, and Windows. No account required, no cloud, standard installation.</li> <li> <strong>Export from Postman</strong> — in Postman, right-click on the collection → <em>Export</em> → <em>Collection v2.1</em> → save the JSON file locally.</li> <li> <strong>Create the Bruno collection in the repo</strong> — in Bruno: <em>File → Open Collection</em> → select the <code>bruno/</code> folder in the monorepo (or create a new folder if it doesn't exist yet). Bruno opens that folder as the collection root.</li> <li> <strong>Import the Postman collection</strong> — in Bruno: <em>File → Import Collection → Postman Collection v2.1</em> → select the JSON exported in step 2. Bruno creates one <code>.bru</code> file per request in the current folder, preserving the folder structure.</li> <li> <strong>Create the environments</strong> — in Bruno: <em>Environments</em> menu (gear icon, top right) → <em>Create Environment</em> → name it <code>local</code>. Add your variables: <code>base_url</code>, ports, etc. Repeat for <code>dev</code> and <code>prod</code>. Bruno creates the corresponding files in <code>bruno/environments/</code>.</li> <li> <strong>Create the .env and .gitignore</strong> — create <code>bruno/.env</code> with your secrets (tokens, API keys, certificate paths). Create <code>bruno/.gitignore</code> with at minimum <code>.env</code> in it. Commit the <code>.gitignore</code>, never commit the <code>.env</code>.</li> <li> <strong>Verify and fix</strong> — test each imported request one by one. Fix variables if needed (<code>{{variable}}</code> syntax from Postman is compatible with Bruno, but complex pre-request scripts need to be rewritten manually in a <code>script:pre-request { }</code> block using plain JavaScript).</li> <li> <strong>Commit</strong> — <code>git add bruno/</code> → <code>git commit -m "feat: migrate API collections from Postman to Bruno"</code>. The <code>.bru</code> files, <code>environments/*.bru</code>, and <code>.gitignore</code> are version-controlled. The <code>.env</code> never is.</li> </ol> <h2> Conclusion </h2> <p>The Postman → Bruno migration takes half a day for a monorepo of this size. Half of that time is initial setup (structure, environments, <code>.env</code>). The other half is verifying that imported requests actually work.</p> <p>What you gain isn't "a better API tool." It's that collections become code: reviewable in PRs, diffable commit by commit, consistent across all developers without manual sync. When someone adds an endpoint or changes a parameter, it's in the same commit as the Go code.</p> <p>That's enough to justify the migration.</p> bruno postman api grpc Odilon HUGONNOT Mon, 27 Apr 2026 09:00:03 +0000 https://forem.com/ohugonnot/testing-a-go-exchange-api-client-mocks-httptest-and-testcontainers-2nl0 https://forem.com/ohugonnot/testing-a-go-exchange-api-client-mocks-httptest-and-testcontainers-2nl0 <p>The Go service runs locally, tests pass. Then you remember the tests are hitting the real Binance API. The next day, CI fails: rate limit exceeded, unstable network, or the exchange quietly renamed a field in its response. Tests that depend on external APIs are flaky at best, unusable in CI at worst.</p> <p>The problem is structural: exchanges don't have usable sandbox environments (Binance testnet exists, but with constraints that make automated integration testing difficult), rate limits are aggressive, and some operations like <code>PlaceOrder</code> have real side effects. A different approach is needed.</p> <h2> The problem with external APIs in tests </h2> <p>Three concrete reasons you can't test against real exchange APIs in CI:</p> <ul> <li> <strong>Rate limits</strong>: Binance caps at 1200 requests/minute on the order book endpoint. Ten developers running tests in parallel, and the first ones get banned.</li> <li> <strong>No reliable sandbox</strong>: OKEx and Coinbase Pro have test environments, but their availability isn't guaranteed, the data isn't representative, and authentication is yet another CI problem to solve.</li> <li> <strong>Side effects</strong>: a test that places a real order during a demo is the kind of incident you don't forget.</li> </ul> <p>Three approaches to work around this, in order of complexity:</p> <p>Approach</p> <p>Use case</p> <p>Speed</p> <p>HTTP mock (<code>httptest.NewServer</code>)</p> <p>Test API response parsing</p> <p>Very fast</p> <p>Interface mock (<code>mockgen</code>)</p> <p>Test business logic in isolation</p> <p>Very fast</p> <p>Testcontainers</p> <p>Integration tests with a real DB</p> <p>Slow (10-30s)</p> <h2> Defining an Exchange interface </h2> <p>The key insight: define a Go interface that all exchange clients implement. This is the foundation of testability. Without it, the service depends on a concrete type and becomes impossible to mock properly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// exchange/client.go</span> <span class="k">type</span> <span class="n">OrderBook</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Bids</span> <span class="p">[]</span><span class="n">Level</span> <span class="s">`json:"bids"`</span> <span class="n">Asks</span> <span class="p">[]</span><span class="n">Level</span> <span class="s">`json:"asks"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Level</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Price</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="n">Qty</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Order</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Pair</span> <span class="kt">string</span> <span class="n">Side</span> <span class="kt">string</span> <span class="c">// "buy" | "sell"</span> <span class="n">Quantity</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="n">Price</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="p">}</span> <span class="k">type</span> <span class="n">OrderResult</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">OrderID</span> <span class="kt">string</span> <span class="n">Status</span> <span class="kt">string</span> <span class="n">FilledQty</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="p">}</span> <span class="c">// ExchangeClient is the interface all exchange clients implement.</span> <span class="c">// The service depends on this interface, never on concrete types.</span> <span class="k">type</span> <span class="n">ExchangeClient</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">GetOrderBook</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">pair</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">OrderBook</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="n">PlaceOrder</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">order</span> <span class="n">Order</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">OrderResult</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="n">GetBalance</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Each exchange implements the interface. The service receives <code>ExchangeClient</code> as a parameter — not <code>*BinanceClient</code> or <code>*CoinbaseClient</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// exchange/binance.go</span> <span class="k">type</span> <span class="n">BinanceClient</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">baseURL</span> <span class="kt">string</span> <span class="n">apiKey</span> <span class="kt">string</span> <span class="n">secretKey</span> <span class="kt">string</span> <span class="n">httpClient</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Client</span> <span class="p">}</span> <span class="k">func</span> <span class="n">NewBinanceClient</span><span class="p">(</span><span class="n">apiKey</span><span class="p">,</span> <span class="n">secretKey</span> <span class="kt">string</span><span class="p">)</span> <span class="o">*</span><span class="n">BinanceClient</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">BinanceClient</span><span class="p">{</span> <span class="n">baseURL</span><span class="o">:</span> <span class="s">"https://api.binance.com"</span><span class="p">,</span> <span class="n">apiKey</span><span class="o">:</span> <span class="n">apiKey</span><span class="p">,</span> <span class="n">secretKey</span><span class="o">:</span> <span class="n">secretKey</span><span class="p">,</span> <span class="n">httpClient</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Client</span><span class="p">{</span><span class="n">Timeout</span><span class="o">:</span> <span class="m">10</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// BinanceClient implements ExchangeClient.</span> <span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">BinanceClient</span><span class="p">)</span> <span class="n">GetOrderBook</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">pair</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">OrderBook</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// real HTTP call to Binance</span> <span class="p">}</span> <span class="c">// exchange/coinbase.go</span> <span class="k">type</span> <span class="n">CoinbaseClient</span> <span class="k">struct</span> <span class="p">{</span> <span class="c">/* ... */</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">CoinbaseClient</span><span class="p">)</span> <span class="n">GetOrderBook</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">pair</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">OrderBook</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// real HTTP call to Coinbase</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// aggregator/service.go</span> <span class="k">type</span> <span class="n">AggregatorService</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">exchanges</span> <span class="p">[]</span><span class="n">ExchangeClient</span> <span class="p">}</span> <span class="k">func</span> <span class="n">NewAggregatorService</span><span class="p">(</span><span class="n">exchanges</span> <span class="o">...</span><span class="n">ExchangeClient</span><span class="p">)</span> <span class="o">*</span><span class="n">AggregatorService</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">AggregatorService</span><span class="p">{</span><span class="n">exchanges</span><span class="o">:</span> <span class="n">exchanges</span><span class="p">}</span> <span class="p">}</span> <span class="c">// In tests, pass mocks. In production, pass real clients.</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">binance</span> <span class="o">:=</span> <span class="n">exchange</span><span class="o">.</span><span class="n">NewBinanceClient</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"BINANCE_KEY"</span><span class="p">),</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"BINANCE_SECRET"</span><span class="p">))</span> <span class="n">coinbase</span> <span class="o">:=</span> <span class="n">exchange</span><span class="o">.</span><span class="n">NewCoinbaseClient</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"COINBASE_KEY"</span><span class="p">),</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"COINBASE_SECRET"</span><span class="p">))</span> <span class="n">svc</span> <span class="o">:=</span> <span class="n">aggregator</span><span class="o">.</span><span class="n">NewAggregatorService</span><span class="p">(</span><span class="n">binance</span><span class="p">,</span> <span class="n">coinbase</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Mocks with mockgen </h2> <p>Once the interface is defined, <code>mockgen</code> generates mocks automatically. Don't write them by hand — maintenance becomes a nightmare as soon as the interface evolves.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// exchange/client.go</span> <span class="c">// Add this directive to generate mocks</span> <span class="c">//go:generate mockgen -destination=../mocks/mock_exchange.go -package=mocks . ExchangeClient</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go generate ./exchange/... </code></pre> </div> <p>The generated file at <code>mocks/mock_exchange.go</code> provides a ready-to-use <code>MockExchangeClient</code>. Table-driven test for a service that aggregates order books from multiple exchanges:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// aggregator/service_test.go</span> <span class="k">func</span> <span class="n">TestAggregateOrderBooks</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">tests</span> <span class="o">:=</span> <span class="p">[]</span><span class="k">struct</span> <span class="p">{</span> <span class="n">name</span> <span class="kt">string</span> <span class="n">binanceOB</span> <span class="o">*</span><span class="n">exchange</span><span class="o">.</span><span class="n">OrderBook</span> <span class="n">coinbaseOB</span> <span class="o">*</span><span class="n">exchange</span><span class="o">.</span><span class="n">OrderBook</span> <span class="n">binanceErr</span> <span class="kt">error</span> <span class="n">coinbaseErr</span> <span class="kt">error</span> <span class="n">wantBestBid</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="n">wantErr</span> <span class="kt">bool</span> <span class="p">}{</span> <span class="p">{</span> <span class="n">name</span><span class="o">:</span> <span class="s">"normal case — best bid on Coinbase"</span><span class="p">,</span> <span class="n">binanceOB</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">exchange</span><span class="o">.</span><span class="n">OrderBook</span><span class="p">{</span> <span class="n">Bids</span><span class="o">:</span> <span class="p">[]</span><span class="n">exchange</span><span class="o">.</span><span class="n">Level</span><span class="p">{</span> <span class="p">{</span><span class="n">Price</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">65000</span><span class="p">),</span> <span class="n">Qty</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">0.5</span><span class="p">)},</span> <span class="p">},</span> <span class="p">},</span> <span class="n">coinbaseOB</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">exchange</span><span class="o">.</span><span class="n">OrderBook</span><span class="p">{</span> <span class="n">Bids</span><span class="o">:</span> <span class="p">[]</span><span class="n">exchange</span><span class="o">.</span><span class="n">Level</span><span class="p">{</span> <span class="p">{</span><span class="n">Price</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">65100</span><span class="p">),</span> <span class="n">Qty</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">0.3</span><span class="p">)},</span> <span class="p">},</span> <span class="p">},</span> <span class="n">wantBestBid</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">65100</span><span class="p">),</span> <span class="p">},</span> <span class="p">{</span> <span class="n">name</span><span class="o">:</span> <span class="s">"exchange down — return an error"</span><span class="p">,</span> <span class="n">binanceErr</span><span class="o">:</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"connection refused"</span><span class="p">),</span> <span class="n">wantErr</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">name</span><span class="o">:</span> <span class="s">"empty order book — skip that exchange"</span><span class="p">,</span> <span class="n">binanceOB</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">exchange</span><span class="o">.</span><span class="n">OrderBook</span><span class="p">{</span> <span class="n">Bids</span><span class="o">:</span> <span class="p">[]</span><span class="n">exchange</span><span class="o">.</span><span class="n">Level</span><span class="p">{</span> <span class="p">{</span><span class="n">Price</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">64900</span><span class="p">),</span> <span class="n">Qty</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">1.0</span><span class="p">)},</span> <span class="p">},</span> <span class="p">},</span> <span class="n">coinbaseOB</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">exchange</span><span class="o">.</span><span class="n">OrderBook</span><span class="p">{</span><span class="n">Bids</span><span class="o">:</span> <span class="p">[]</span><span class="n">exchange</span><span class="o">.</span><span class="n">Level</span><span class="p">{}},</span> <span class="n">wantBestBid</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">64900</span><span class="p">),</span> <span class="p">},</span> <span class="p">}</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">tt</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">tests</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">tt</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">ctrl</span> <span class="o">:=</span> <span class="n">gomock</span><span class="o">.</span><span class="n">NewController</span><span class="p">(</span><span class="n">t</span><span class="p">)</span> <span class="k">defer</span> <span class="n">ctrl</span><span class="o">.</span><span class="n">Finish</span><span class="p">()</span> <span class="n">binanceMock</span> <span class="o">:=</span> <span class="n">mocks</span><span class="o">.</span><span class="n">NewMockExchangeClient</span><span class="p">(</span><span class="n">ctrl</span><span class="p">)</span> <span class="n">coinbaseMock</span> <span class="o">:=</span> <span class="n">mocks</span><span class="o">.</span><span class="n">NewMockExchangeClient</span><span class="p">(</span><span class="n">ctrl</span><span class="p">)</span> <span class="n">binanceMock</span><span class="o">.</span><span class="n">EXPECT</span><span class="p">()</span><span class="o">.</span> <span class="n">GetOrderBook</span><span class="p">(</span><span class="n">gomock</span><span class="o">.</span><span class="n">Any</span><span class="p">(),</span> <span class="s">"BTCUSDT"</span><span class="p">)</span><span class="o">.</span> <span class="n">Return</span><span class="p">(</span><span class="n">tt</span><span class="o">.</span><span class="n">binanceOB</span><span class="p">,</span> <span class="n">tt</span><span class="o">.</span><span class="n">binanceErr</span><span class="p">)</span> <span class="k">if</span> <span class="n">tt</span><span class="o">.</span><span class="n">binanceErr</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">coinbaseMock</span><span class="o">.</span><span class="n">EXPECT</span><span class="p">()</span><span class="o">.</span> <span class="n">GetOrderBook</span><span class="p">(</span><span class="n">gomock</span><span class="o">.</span><span class="n">Any</span><span class="p">(),</span> <span class="s">"BTCUSDT"</span><span class="p">)</span><span class="o">.</span> <span class="n">Return</span><span class="p">(</span><span class="n">tt</span><span class="o">.</span><span class="n">coinbaseOB</span><span class="p">,</span> <span class="n">tt</span><span class="o">.</span><span class="n">coinbaseErr</span><span class="p">)</span> <span class="p">}</span> <span class="n">svc</span> <span class="o">:=</span> <span class="n">aggregator</span><span class="o">.</span><span class="n">NewAggregatorService</span><span class="p">(</span><span class="n">binanceMock</span><span class="p">,</span> <span class="n">coinbaseMock</span><span class="p">)</span> <span class="n">result</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">svc</span><span class="o">.</span><span class="n">GetBestBid</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="s">"BTCUSDT"</span><span class="p">)</span> <span class="k">if</span> <span class="n">tt</span><span class="o">.</span><span class="n">wantErr</span> <span class="p">{</span> <span class="n">require</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">require</span><span class="o">.</span><span class="n">NoError</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">True</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">tt</span><span class="o">.</span><span class="n">wantBestBid</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">result</span><span class="p">),</span> <span class="s">"expected %s, got %s"</span><span class="p">,</span> <span class="n">tt</span><span class="o">.</span><span class="n">wantBestBid</span><span class="p">,</span> <span class="n">result</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The test verifies the service's behavior, not its implementation. If OKEx is added tomorrow, you add a mock in the tests without touching any existing logic.</p> <h2> HTTP mock server for testing parsing </h2> <p>Interface mocks test business logic, but not the HTTP layer. If Binance changes its response format, the mocks won't catch it — they return Go structs, not JSON.</p> <p>To test that <code>BinanceClient.GetOrderBook()</code> correctly parses the real API format, use <code>httptest.NewServer</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// exchange/binance_test.go</span> <span class="k">func</span> <span class="n">TestBinanceOrderBookParsing</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Real format from Binance API GET /api/v3/depth</span> <span class="n">server</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewServer</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="s">"/api/v3/depth"</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="s">"BTCUSDT"</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Query</span><span class="p">()</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"symbol"</span><span class="p">))</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">json</span><span class="o">.</span><span class="n">NewEncoder</span><span class="p">(</span><span class="n">w</span><span class="p">)</span><span class="o">.</span><span class="n">Encode</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"lastUpdateId"</span><span class="o">:</span> <span class="m">1027024</span><span class="p">,</span> <span class="s">"bids"</span><span class="o">:</span> <span class="p">[][]</span><span class="kt">string</span><span class="p">{</span> <span class="p">{</span><span class="s">"65000.00000000"</span><span class="p">,</span> <span class="s">"0.50000000"</span><span class="p">},</span> <span class="p">{</span><span class="s">"64950.00000000"</span><span class="p">,</span> <span class="s">"1.20000000"</span><span class="p">},</span> <span class="p">},</span> <span class="s">"asks"</span><span class="o">:</span> <span class="p">[][]</span><span class="kt">string</span><span class="p">{</span> <span class="p">{</span><span class="s">"65001.00000000"</span><span class="p">,</span> <span class="s">"0.30000000"</span><span class="p">},</span> <span class="p">{</span><span class="s">"65010.00000000"</span><span class="p">,</span> <span class="s">"0.80000000"</span><span class="p">},</span> <span class="p">},</span> <span class="p">})</span> <span class="p">}))</span> <span class="k">defer</span> <span class="n">server</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="c">// Point the client at the test server</span> <span class="n">client</span> <span class="o">:=</span> <span class="n">exchange</span><span class="o">.</span><span class="n">NewBinanceClientWithBaseURL</span><span class="p">(</span><span class="n">server</span><span class="o">.</span><span class="n">URL</span><span class="p">,</span> <span class="s">"test-key"</span><span class="p">,</span> <span class="s">"test-secret"</span><span class="p">)</span> <span class="n">ob</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">client</span><span class="o">.</span><span class="n">GetOrderBook</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="s">"BTCUSDT"</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">NoError</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">Len</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">ob</span><span class="o">.</span><span class="n">Bids</span><span class="p">,</span> <span class="m">2</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">Len</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">ob</span><span class="o">.</span><span class="n">Asks</span><span class="p">,</span> <span class="m">2</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">True</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">65000</span><span class="p">)</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">ob</span><span class="o">.</span><span class="n">Bids</span><span class="p">[</span><span class="m">0</span><span class="p">]</span><span class="o">.</span><span class="n">Price</span><span class="p">))</span> <span class="n">assert</span><span class="o">.</span><span class="n">True</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">0.5</span><span class="p">)</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">ob</span><span class="o">.</span><span class="n">Bids</span><span class="p">[</span><span class="m">0</span><span class="p">]</span><span class="o">.</span><span class="n">Qty</span><span class="p">))</span> <span class="n">assert</span><span class="o">.</span><span class="n">True</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">65001</span><span class="p">)</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">ob</span><span class="o">.</span><span class="n">Asks</span><span class="p">[</span><span class="m">0</span><span class="p">]</span><span class="o">.</span><span class="n">Price</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>This test catches real bugs: renamed field, unexpected decimal format, unexpected element order in the array. It also documents exactly what the client expects from the API — useful when Binance ships a breaking change.</p> <p>For this to work, the constructor needs a configurable <code>baseURL</code>. Good practice anyway — it lets you point to Binance testnet or a proxy in production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">NewBinanceClientWithBaseURL</span><span class="p">(</span><span class="n">baseURL</span><span class="p">,</span> <span class="n">apiKey</span><span class="p">,</span> <span class="n">secretKey</span> <span class="kt">string</span><span class="p">)</span> <span class="o">*</span><span class="n">BinanceClient</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">BinanceClient</span><span class="p">{</span> <span class="n">baseURL</span><span class="o">:</span> <span class="n">baseURL</span><span class="p">,</span> <span class="n">apiKey</span><span class="o">:</span> <span class="n">apiKey</span><span class="p">,</span> <span class="n">secretKey</span><span class="o">:</span> <span class="n">secretKey</span><span class="p">,</span> <span class="n">httpClient</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Client</span><span class="p">{</span><span class="n">Timeout</span><span class="o">:</span> <span class="m">10</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">NewBinanceClient</span><span class="p">(</span><span class="n">apiKey</span><span class="p">,</span> <span class="n">secretKey</span> <span class="kt">string</span><span class="p">)</span> <span class="o">*</span><span class="n">BinanceClient</span> <span class="p">{</span> <span class="k">return</span> <span class="n">NewBinanceClientWithBaseURL</span><span class="p">(</span><span class="s">"https://api.binance.com"</span><span class="p">,</span> <span class="n">apiKey</span><span class="p">,</span> <span class="n">secretKey</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Testcontainers for integration tests </h2> <p>Mocks cover business logic and HTTP parsing. One case remains: verifying that trades are correctly persisted to the database. A real PostgreSQL is needed here — DB mocks don't test real SQL queries, constraints, or transactions.</p> <p><a href="https://testcontainers.com/guides/getting-started-with-testcontainers-for-go/" rel="noopener noreferrer">testcontainers-go</a> starts a Docker container from within the test, then tears it down when done. No manual setup, no shared database where developers step on each other:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// repository/trade_test.go</span> <span class="c">// +build integration</span> <span class="k">func</span> <span class="n">TestSaveTradeIntegration</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">()</span> <span class="n">pg</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">testcontainers</span><span class="o">.</span><span class="n">GenericContainer</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">testcontainers</span><span class="o">.</span><span class="n">GenericContainerRequest</span><span class="p">{</span> <span class="n">ContainerRequest</span><span class="o">:</span> <span class="n">testcontainers</span><span class="o">.</span><span class="n">ContainerRequest</span><span class="p">{</span> <span class="n">Image</span><span class="o">:</span> <span class="s">"postgres:16"</span><span class="p">,</span> <span class="n">ExposedPorts</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"5432/tcp"</span><span class="p">},</span> <span class="n">Env</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span> <span class="s">"POSTGRES_PASSWORD"</span><span class="o">:</span> <span class="s">"test"</span><span class="p">,</span> <span class="s">"POSTGRES_DB"</span><span class="o">:</span> <span class="s">"trades_test"</span><span class="p">,</span> <span class="s">"POSTGRES_USER"</span><span class="o">:</span> <span class="s">"test"</span><span class="p">,</span> <span class="p">},</span> <span class="n">WaitingFor</span><span class="o">:</span> <span class="n">wait</span><span class="o">.</span><span class="n">ForListeningPort</span><span class="p">(</span><span class="s">"5432/tcp"</span><span class="p">),</span> <span class="p">},</span> <span class="n">Started</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="p">})</span> <span class="n">require</span><span class="o">.</span><span class="n">NoError</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">defer</span> <span class="n">pg</span><span class="o">.</span><span class="n">Terminate</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="n">host</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">pg</span><span class="o">.</span><span class="n">Host</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="n">port</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">pg</span><span class="o">.</span><span class="n">MappedPort</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"5432/tcp"</span><span class="p">)</span> <span class="n">dsn</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"postgres://test:test@%s:%s/trades_test?sslmode=disable"</span><span class="p">,</span> <span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="o">.</span><span class="n">Port</span><span class="p">())</span> <span class="n">db</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">sqlx</span><span class="o">.</span><span class="n">ConnectContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"pgx"</span><span class="p">,</span> <span class="n">dsn</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">NoError</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">defer</span> <span class="n">db</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="c">// Apply migrations</span> <span class="n">require</span><span class="o">.</span><span class="n">NoError</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">runMigrations</span><span class="p">(</span><span class="n">db</span><span class="p">))</span> <span class="n">repo</span> <span class="o">:=</span> <span class="n">repository</span><span class="o">.</span><span class="n">NewTradeRepository</span><span class="p">(</span><span class="n">db</span><span class="p">)</span> <span class="n">trade</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">model</span><span class="o">.</span><span class="n">Trade</span><span class="p">{</span> <span class="n">Exchange</span><span class="o">:</span> <span class="s">"binance"</span><span class="p">,</span> <span class="n">Pair</span><span class="o">:</span> <span class="s">"BTCUSDT"</span><span class="p">,</span> <span class="n">Side</span><span class="o">:</span> <span class="s">"buy"</span><span class="p">,</span> <span class="n">Price</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">65000</span><span class="p">),</span> <span class="n">Quantity</span><span class="o">:</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromFloat</span><span class="p">(</span><span class="m">0.1</span><span class="p">),</span> <span class="n">ExecutedAt</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UTC</span><span class="p">(),</span> <span class="p">}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">repo</span><span class="o">.</span><span class="n">Save</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">trade</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">NoError</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">NotEmpty</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">trade</span><span class="o">.</span><span class="n">ID</span><span class="p">)</span> <span class="c">// Verify persistence</span> <span class="n">saved</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">repo</span><span class="o">.</span><span class="n">GetByID</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">trade</span><span class="o">.</span><span class="n">ID</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">NoError</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="s">"binance"</span><span class="p">,</span> <span class="n">saved</span><span class="o">.</span><span class="n">Exchange</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">True</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">trade</span><span class="o">.</span><span class="n">Price</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">saved</span><span class="o">.</span><span class="n">Price</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>The <code>// +build integration</code> build tag isolates these tests from unit tests. Run them separately:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Unit tests only (fast, run on every commit)</span> go <span class="nb">test</span> ./... <span class="c"># Integration tests (slow, run on main branch or pre-deploy)</span> go <span class="nb">test</span> <span class="nt">-tags</span><span class="o">=</span>integration ./... </code></pre> </div> <p>Testcontainers takes between 10 and 30 seconds to start the container (depending on whether the image is cached). Acceptable for an integration suite, not for unit tests run 50 times a day.</p> <h2> What not to test </h2> <p>With mocks and <code>httptest</code>, it's tempting to test everything. Three things to avoid:</p> <p><strong>Testing that the Binance API works.</strong> That's not your code. If the Binance API is down, your service should detect the error and propagate it correctly — that's what you test, not Binance's uptime.</p> <p><strong>Over-mocking.</strong> If every call returns exactly what you told it to return, you end up testing the mock, not the service. A test that passes because the mocks are perfectly configured to pass is a false positive. The <code>httptest.NewServer</code> with real JSON is more honest than a mock that returns a Go struct directly.</p> <p><strong>Testing implementation rather than behavior.</strong> A test that verifies <code>GetOrderBook</code> was called exactly twice in a specific order is brittle. What matters: the service returns the best bid. How it gets there is its own business.</p> <h2> Conclusion </h2> <p>The layered structure — Exchange interface → business service → repository — isn't an abstraction for its own sake. It's what makes testing possible without hitting real APIs. The business service doesn't know whether it's talking to Binance or a mock. The test mock doesn't know whether the service actually calls the exchange.</p> <p>In practice, all three test levels coexist in the project: unit tests with mockgen for fast logic, <code>httptest.NewServer</code> to validate API response parsing, and testcontainers for persistence integration tests. Each has its role. None replaces the others.</p> <p>The most valuable test is often the HTTP parsing one. Business logic changes slowly. Exchange API formats change without warning.</p> go tests api binance Odilon HUGONNOT Sun, 26 Apr 2026 09:00:04 +0000 https://forem.com/ohugonnot/ddd-in-go-applied-to-crypto-exchange-apis-3on4 https://forem.com/ohugonnot/ddd-in-go-applied-to-crypto-exchange-apis-3on4 <p>You write CQRS. You talk about aggregates. You emit domain events. But where do these concepts come from? Domain-Driven Design. Without understanding DDD, CQRS is just a pattern you copy-paste and hope it holds. With DDD, it becomes a tool you use consciously, for the right reasons.</p> <p>This article lays the conceptual foundations. The concrete terrain: a Go service consuming APIs from multiple crypto exchanges (Binance, OKEx, Coinbase). Because an <code>Order</code> in trading is something any trader understands — that's exactly the kind of domain where DDD pays off.</p> <h2> Domain first, technology second </h2> <p>DDD's core principle is uncomfortable when you come from a technical background: the business model takes precedence over technology. You don't start with "what database", or "what API does Binance expose". You start with "what is an Order in this system? What is a Position? What happens when an order is partially filled?"</p> <p>For a crypto trading service, the domain is: <strong>orders</strong> you place, <strong>positions</strong> that evolve, <strong>market data</strong> arriving continuously, a <strong>portfolio</strong> whose value you monitor. Not "a Binance wrapper". Not "a websocket consumer". Those are implementation details.</p> <p>The practical difference: if your model is domain-centric, you can replace Binance with OKEx without touching your business logic. If your model is API-centric, you rewrite everything every time an exchange changes an endpoint.</p> <blockquote> <p>DDD doesn't say "ignore technology". It says "don't let technology contaminate your business model".</p> </blockquote> <h2> Bounded contexts: splitting without cutting to the bone </h2> <p>This is the most practical DDD concept, and the most frequently misunderstood. A bounded context is an explicit boundary inside which a model has a precise, coherent meaning. Outside that boundary, the same word can mean something different — and that's acceptable.</p> <p>For a crypto trading service, three natural bounded contexts emerge:</p> <h3> Market Data </h3> <p>Prices, order books, tickers, recent trades. This context is <strong>read-heavy</strong>, near real-time. Binance can push 10 updates per second on BTC/USDT. The model here is simple: immutable snapshots. A <code>Ticker</code> in Market Data has no mutable state — it's just a value at a point in time.</p> <h3> Trading </h3> <p>Orders, executions, positions. This context is <strong>command-heavy</strong>. An <code>Order</code> here has a full lifecycle: created, submitted, partially filled, cancelled. Business logic is concentrated here: validation rules, exchange rejection handling, fee calculation. This is where your aggregates live.</p> <h3> Portfolio </h3> <p>Balances, P&amp;L, trade history. This context is a <strong>read model</strong> oriented toward reporting. It consumes events emitted by Trading to maintain a coherent view of the portfolio. Updates can be slightly delayed — a few seconds of lag is acceptable for reporting.</p> <p>Why separate them? Because they have radically different constraints. Market Data at 10 updates/sec doesn't need the same model as Portfolio reporting aggregating data over 3 months. Putting everything in the same model means making compromises that make everything more complex without any benefit.</p> <p>Bounded Context</p> <p>Load</p> <p>Consistency</p> <p>Business complexity</p> <p>Market Data</p> <p>Very high (websockets)</p> <p>Eventual OK</p> <p>Low</p> <p>Trading</p> <p>Moderate (commands)</p> <p>Strong (transactional)</p> <p>High</p> <p>Portfolio</p> <p>Low (read model)</p> <p>Eventual OK</p> <p>Low</p> <h2> Aggregates and Value Objects in Go </h2> <p>Two core DDD building blocks that Go implements naturally, without any framework.</p> <p>A <strong>Value Object</strong> is immutable. Its identity is defined by its value, not by a reference. <code>Price{Amount: 42000, Currency: "USD"}</code> equals another <code>Price</code> with the same fields. In Go, this translates to a struct without a pointer, passed by value.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// Value Object — immutable, equality by value</span> <span class="k">type</span> <span class="n">Price</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Amount</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="n">Currency</span> <span class="kt">string</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">p</span> <span class="n">Price</span><span class="p">)</span> <span class="n">IsZero</span><span class="p">()</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="n">p</span><span class="o">.</span><span class="n">Amount</span><span class="o">.</span><span class="n">IsZero</span><span class="p">()</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">p</span> <span class="n">Price</span><span class="p">)</span> <span class="n">Add</span><span class="p">(</span><span class="n">other</span> <span class="n">Price</span><span class="p">)</span> <span class="p">(</span><span class="n">Price</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">p</span><span class="o">.</span><span class="n">Currency</span> <span class="o">!=</span> <span class="n">other</span><span class="o">.</span><span class="n">Currency</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Price</span><span class="p">{},</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"currency mismatch: %s vs %s"</span><span class="p">,</span> <span class="n">p</span><span class="o">.</span><span class="n">Currency</span><span class="p">,</span> <span class="n">other</span><span class="o">.</span><span class="n">Currency</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Price</span><span class="p">{</span><span class="n">Amount</span><span class="o">:</span> <span class="n">p</span><span class="o">.</span><span class="n">Amount</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">other</span><span class="o">.</span><span class="n">Amount</span><span class="p">),</span> <span class="n">Currency</span><span class="o">:</span> <span class="n">p</span><span class="o">.</span><span class="n">Currency</span><span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">type</span> <span class="n">TradingPair</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Base</span> <span class="kt">string</span> <span class="c">// "BTC"</span> <span class="n">Quote</span> <span class="kt">string</span> <span class="c">// "USDT"</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">tp</span> <span class="n">TradingPair</span><span class="p">)</span> <span class="n">String</span><span class="p">()</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">return</span> <span class="n">tp</span><span class="o">.</span><span class="n">Base</span> <span class="o">+</span> <span class="s">"/"</span> <span class="o">+</span> <span class="n">tp</span><span class="o">.</span><span class="n">Quote</span> <span class="p">}</span> </code></pre> </div> <p>An <strong>Aggregate</strong> is a unit of consistency. All modifications go through its methods — never through direct field access. It guarantees that its business invariants are always upheld. And in event sourcing, it emits events to describe what happened.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="k">type</span> <span class="n">OrderStatus</span> <span class="kt">int</span> <span class="k">const</span> <span class="p">(</span> <span class="n">StatusPending</span> <span class="n">OrderStatus</span> <span class="o">=</span> <span class="no">iota</span> <span class="n">StatusPartial</span> <span class="n">StatusFilled</span> <span class="n">StatusCancelled</span> <span class="p">)</span> <span class="c">// Aggregate — consistency guaranteed, modification through methods only</span> <span class="k">type</span> <span class="n">Order</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">id</span> <span class="n">OrderID</span> <span class="n">pair</span> <span class="n">TradingPair</span> <span class="n">side</span> <span class="n">Side</span> <span class="c">// Buy / Sell</span> <span class="n">quantity</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="n">filledQty</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="n">status</span> <span class="n">OrderStatus</span> <span class="n">events</span> <span class="p">[]</span><span class="n">DomainEvent</span> <span class="p">}</span> <span class="k">func</span> <span class="n">NewOrder</span><span class="p">(</span><span class="n">pair</span> <span class="n">TradingPair</span><span class="p">,</span> <span class="n">side</span> <span class="n">Side</span><span class="p">,</span> <span class="n">qty</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">Order</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">qty</span><span class="o">.</span><span class="n">IsZero</span><span class="p">()</span> <span class="o">||</span> <span class="n">qty</span><span class="o">.</span><span class="n">IsNegative</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"invalid quantity: %s"</span><span class="p">,</span> <span class="n">qty</span><span class="p">)</span> <span class="p">}</span> <span class="n">o</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">Order</span><span class="p">{</span> <span class="n">id</span><span class="o">:</span> <span class="n">NewOrderID</span><span class="p">(),</span> <span class="n">pair</span><span class="o">:</span> <span class="n">pair</span><span class="p">,</span> <span class="n">side</span><span class="o">:</span> <span class="n">side</span><span class="p">,</span> <span class="n">quantity</span><span class="o">:</span> <span class="n">qty</span><span class="p">,</span> <span class="n">status</span><span class="o">:</span> <span class="n">StatusPending</span><span class="p">,</span> <span class="p">}</span> <span class="n">o</span><span class="o">.</span><span class="n">events</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">o</span><span class="o">.</span><span class="n">events</span><span class="p">,</span> <span class="n">OrderCreated</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">o</span><span class="o">.</span><span class="n">id</span><span class="p">,</span> <span class="n">Pair</span><span class="o">:</span> <span class="n">pair</span><span class="p">,</span> <span class="n">Side</span><span class="o">:</span> <span class="n">side</span><span class="p">,</span> <span class="n">Qty</span><span class="o">:</span> <span class="n">qty</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="n">o</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">o</span> <span class="o">*</span><span class="n">Order</span><span class="p">)</span> <span class="n">Fill</span><span class="p">(</span><span class="n">qty</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span><span class="p">,</span> <span class="n">price</span> <span class="n">Price</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">o</span><span class="o">.</span><span class="n">status</span> <span class="o">!=</span> <span class="n">StatusPending</span> <span class="o">&amp;&amp;</span> <span class="n">o</span><span class="o">.</span><span class="n">status</span> <span class="o">!=</span> <span class="n">StatusPartial</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ErrOrderNotFillable</span> <span class="p">}</span> <span class="k">if</span> <span class="n">qty</span><span class="o">.</span><span class="n">GreaterThan</span><span class="p">(</span><span class="n">o</span><span class="o">.</span><span class="n">quantity</span><span class="o">.</span><span class="n">Sub</span><span class="p">(</span><span class="n">o</span><span class="o">.</span><span class="n">filledQty</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"fill qty %s exceeds remaining %s"</span><span class="p">,</span> <span class="n">qty</span><span class="p">,</span> <span class="n">o</span><span class="o">.</span><span class="n">quantity</span><span class="o">.</span><span class="n">Sub</span><span class="p">(</span><span class="n">o</span><span class="o">.</span><span class="n">filledQty</span><span class="p">))</span> <span class="p">}</span> <span class="n">o</span><span class="o">.</span><span class="n">filledQty</span> <span class="o">=</span> <span class="n">o</span><span class="o">.</span><span class="n">filledQty</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">qty</span><span class="p">)</span> <span class="k">if</span> <span class="n">o</span><span class="o">.</span><span class="n">filledQty</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">o</span><span class="o">.</span><span class="n">quantity</span><span class="p">)</span> <span class="p">{</span> <span class="n">o</span><span class="o">.</span><span class="n">status</span> <span class="o">=</span> <span class="n">StatusFilled</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">o</span><span class="o">.</span><span class="n">status</span> <span class="o">=</span> <span class="n">StatusPartial</span> <span class="p">}</span> <span class="n">o</span><span class="o">.</span><span class="n">events</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">o</span><span class="o">.</span><span class="n">events</span><span class="p">,</span> <span class="n">OrderFilled</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">o</span><span class="o">.</span><span class="n">id</span><span class="p">,</span> <span class="n">Qty</span><span class="o">:</span> <span class="n">qty</span><span class="p">,</span> <span class="n">Price</span><span class="o">:</span> <span class="n">price</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">o</span> <span class="o">*</span><span class="n">Order</span><span class="p">)</span> <span class="n">Cancel</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">o</span><span class="o">.</span><span class="n">status</span> <span class="o">==</span> <span class="n">StatusFilled</span> <span class="o">||</span> <span class="n">o</span><span class="o">.</span><span class="n">status</span> <span class="o">==</span> <span class="n">StatusCancelled</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ErrOrderAlreadyTerminal</span> <span class="p">}</span> <span class="n">o</span><span class="o">.</span><span class="n">status</span> <span class="o">=</span> <span class="n">StatusCancelled</span> <span class="n">o</span><span class="o">.</span><span class="n">events</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">o</span><span class="o">.</span><span class="n">events</span><span class="p">,</span> <span class="n">OrderCancelled</span><span class="p">{</span><span class="n">OrderID</span><span class="o">:</span> <span class="n">o</span><span class="o">.</span><span class="n">id</span><span class="p">})</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Events are retrieved then purged after persistence</span> <span class="k">func</span> <span class="p">(</span><span class="n">o</span> <span class="o">*</span><span class="n">Order</span><span class="p">)</span> <span class="n">PopEvents</span><span class="p">()</span> <span class="p">[]</span><span class="n">DomainEvent</span> <span class="p">{</span> <span class="n">events</span> <span class="o">:=</span> <span class="n">o</span><span class="o">.</span><span class="n">events</span> <span class="n">o</span><span class="o">.</span><span class="n">events</span> <span class="o">=</span> <span class="no">nil</span> <span class="k">return</span> <span class="n">events</span> <span class="p">}</span> </code></pre> </div> <p>Notice what's absent: no database access, no HTTP calls, no external dependencies. The aggregate is pure Go. It expresses business rules and generates events — that's it. Persistence is someone else's problem.</p> <h2> Anti-Corruption Layer: isolating external APIs </h2> <p>Binance returns prices as strings: <code>"4.00000000"</code>. OKEx uses a different format. Coinbase yet another. If you let these external formats leak into your domain, you have a problem: your model becomes dependent on the whims of three different exchanges.</p> <p>The Anti-Corruption Layer (ACL) is the translation boundary. Outside: the exchange's model. Inside: your domain. The ACL translates, and your domain never hears about Binance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// External model — what Binance actually sends</span> <span class="k">type</span> <span class="n">binanceOrderBook</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">LastUpdateID</span> <span class="kt">int64</span> <span class="s">`json:"lastUpdateId"`</span> <span class="n">Bids</span> <span class="p">[][]</span><span class="kt">string</span> <span class="s">`json:"bids"`</span> <span class="c">// [["price", "qty"], ...]</span> <span class="n">Asks</span> <span class="p">[][]</span><span class="kt">string</span> <span class="s">`json:"asks"`</span> <span class="p">}</span> <span class="c">// ACL: translates Binance model to domain</span> <span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">BinanceClient</span><span class="p">)</span> <span class="n">GetOrderBook</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">pair</span> <span class="n">TradingPair</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">domain</span><span class="o">.</span><span class="n">OrderBook</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">raw</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">fetchRaw</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">pair</span><span class="o">.</span><span class="n">String</span><span class="p">())</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"binance order book %s: %w"</span><span class="p">,</span> <span class="n">pair</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">translateBinanceOrderBook</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">translateBinanceOrderBook</span><span class="p">(</span><span class="n">raw</span> <span class="o">*</span><span class="n">binanceOrderBook</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">domain</span><span class="o">.</span><span class="n">OrderBook</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">bids</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="n">domain</span><span class="o">.</span><span class="n">PriceLevel</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">raw</span><span class="o">.</span><span class="n">Bids</span><span class="p">))</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">b</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">raw</span><span class="o">.</span><span class="n">Bids</span> <span class="p">{</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="o">!=</span> <span class="m">2</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unexpected bid format: %v"</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> <span class="p">}</span> <span class="n">price</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromString</span><span class="p">(</span><span class="n">b</span><span class="p">[</span><span class="m">0</span><span class="p">])</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"invalid bid price %q: %w"</span><span class="p">,</span> <span class="n">b</span><span class="p">[</span><span class="m">0</span><span class="p">],</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">qty</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">decimal</span><span class="o">.</span><span class="n">NewFromString</span><span class="p">(</span><span class="n">b</span><span class="p">[</span><span class="m">1</span><span class="p">])</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"invalid bid qty %q: %w"</span><span class="p">,</span> <span class="n">b</span><span class="p">[</span><span class="m">1</span><span class="p">],</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">bids</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">bids</span><span class="p">,</span> <span class="n">domain</span><span class="o">.</span><span class="n">PriceLevel</span><span class="p">{</span> <span class="n">Price</span><span class="o">:</span> <span class="n">domain</span><span class="o">.</span><span class="n">Price</span><span class="p">{</span><span class="n">Amount</span><span class="o">:</span> <span class="n">price</span><span class="p">,</span> <span class="n">Currency</span><span class="o">:</span> <span class="s">"USDT"</span><span class="p">},</span> <span class="n">Quantity</span><span class="o">:</span> <span class="n">qty</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="c">// same for asks...</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">domain</span><span class="o">.</span><span class="n">OrderBook</span><span class="p">{</span><span class="n">Bids</span><span class="o">:</span> <span class="n">bids</span><span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>And for OKEx, the same interface, a different translation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// External OKEx model — completely different format</span> <span class="k">type</span> <span class="n">okexOrderBook</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Data</span> <span class="p">[]</span><span class="k">struct</span> <span class="p">{</span> <span class="n">Asks</span> <span class="p">[][]</span><span class="kt">string</span> <span class="s">`json:"asks"`</span> <span class="c">// [["price", "qty", "liquidated", "count"], ...]</span> <span class="n">Bids</span> <span class="p">[][]</span><span class="kt">string</span> <span class="s">`json:"bids"`</span> <span class="n">Timestamp</span> <span class="kt">string</span> <span class="s">`json:"ts"`</span> <span class="p">}</span> <span class="s">`json:"data"`</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">OKExClient</span><span class="p">)</span> <span class="n">GetOrderBook</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">pair</span> <span class="n">TradingPair</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">domain</span><span class="o">.</span><span class="n">OrderBook</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">raw</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">fetchRaw</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">pair</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"okex order book %s: %w"</span><span class="p">,</span> <span class="n">pair</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">translateOKExOrderBook</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Your trading code has no idea who's providing the order book. It calls an <code>OrderBookProvider</code> interface and receives a <code>domain.OrderBook</code>. If Binance changes its API from v3 to v4 with a new response format, only <code>translateBinanceOrderBook</code> changes. Zero impact on business logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// Interface defined by the domain — not by the exchanges</span> <span class="k">type</span> <span class="n">OrderBookProvider</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">GetOrderBook</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">pair</span> <span class="n">TradingPair</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">OrderBook</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}</span> <span class="c">// The trading service has no dependency on Binance, OKEx or Coinbase</span> <span class="k">type</span> <span class="n">TradingService</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">orderBook</span> <span class="n">OrderBookProvider</span> <span class="n">orderRepo</span> <span class="n">OrderRepository</span> <span class="p">}</span> </code></pre> </div> <h2> DDD and CQRS: how they fit together </h2> <p>If you've read the articles on <a href="https://www.web-developpeur.com/en/blog/cqrs-go-aggregate-transition-clone" rel="noopener noreferrer">CQRS aggregates</a> and <a href="https://www.web-developpeur.com/en/blog/cqrs-go-command-handlers-testabilite" rel="noopener noreferrer">command handlers</a>, you've already seen DDD in action without it being explicitly named.</p> <p>DDD gives you the model: aggregates, Value Objects, domain events, bounded contexts. CQRS is the architectural pattern that exploits that model. The relationship is direct:</p> <ul> <li> A <strong>Command</strong> expresses a business intent (<code>PlaceOrder</code>, <code>CancelOrder</code>)</li> <li> The <strong>command handler</strong> loads the aggregate, calls a business method</li> <li> The <strong>aggregate</strong> validates the invariant and emits a <strong>DomainEvent</strong> </li> <li> The event is persisted, then propagated to <strong>read models</strong> (Portfolio, history) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// Command — business intent</span> <span class="k">type</span> <span class="n">PlaceOrderCommand</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Pair</span> <span class="n">TradingPair</span> <span class="n">Side</span> <span class="n">Side</span> <span class="n">Quantity</span> <span class="n">decimal</span><span class="o">.</span><span class="n">Decimal</span> <span class="p">}</span> <span class="c">// Handler — orchestrates without business logic</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">PlaceOrderHandler</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">cmd</span> <span class="n">PlaceOrderCommand</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">order</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">domain</span><span class="o">.</span><span class="n">NewOrder</span><span class="p">(</span><span class="n">cmd</span><span class="o">.</span><span class="n">Pair</span><span class="p">,</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Side</span><span class="p">,</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Quantity</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"invalid order: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Submit to exchange via ACL</span> <span class="n">exchangeID</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">exchange</span><span class="o">.</span><span class="n">SubmitOrder</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">order</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"exchange submission: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">order</span><span class="o">.</span><span class="n">SetExchangeID</span><span class="p">(</span><span class="n">exchangeID</span><span class="p">)</span> <span class="c">// Persist the aggregate and its events</span> <span class="k">return</span> <span class="n">h</span><span class="o">.</span><span class="n">orderRepo</span><span class="o">.</span><span class="n">Save</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">order</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Without DDD, the command handler accumulates business logic. With DDD, it orchestrates: load, call, persist. The logic belongs to the aggregate.</p> <h2> What DDD doesn't solve </h2> <p>DDD adds complexity. Abstraction layers, interfaces everywhere, translations between models. On a simple CRUD service — user list, a few REST endpoints, no complex business rules — it's clear over-engineering.</p> <p>For a crypto trading engine with business rules spanning multiple exchanges, invariants to maintain, divergent external formats, and logic that evolves with the market — it pays off. The cost of abstraction is offset by the ability to change one piece without bringing down the others.</p> <p>The most honest test: if a domain expert — a trader — can read your code and recognize their business concepts, DDD is working. If your code talks about <code>BinanceWebsocketMessageParser</code> and <code>RestAPIResponseDTO</code>, you've let technology invade the domain.</p> <h2> Conclusion </h2> <p>DDD is not an architecture, it's a modeling philosophy. It says: code should speak the language of the people who understand the problem, not the language of the people who understand the technology. In a crypto trading service, that means <code>Order</code>, <code>Position</code>, <code>TradingPair</code> — not <code>BinanceResponseWrapper</code>.</p> <p>Bounded contexts provide the structure. Aggregates provide consistency. Anti-Corruption Layers provide isolation. And when you add CQRS on top, you have a system where each part has a clear responsibility and explicit boundaries.</p> <p>Next time you write a command handler, ask yourself: does this logic belong in the handler or in the aggregate? If the answer is "in the aggregate", you're doing DDD.</p> go ddd architecture crypto Odilon HUGONNOT Sat, 25 Apr 2026 09:00:03 +0000 https://forem.com/ohugonnot/advanced-postgresql-jsonb-partial-indexes-and-partitioning-24em https://forem.com/ohugonnot/advanced-postgresql-jsonb-partial-indexes-and-partitioning-24em <p>A <code>trades</code> table with 50 million rows. The query "which active trades for this user this month" takes 4 seconds. After applying the four techniques in this article: <strong>12 ms</strong>.</p> <p>This isn't magic — it's a solid understanding of what PostgreSQL actually does under the hood. I already covered slow query diagnosis with <a href="https://www.web-developpeur.com/en/blog/postgresql-debug-requete-lente-optimisation" rel="noopener noreferrer">EXPLAIN ANALYZE basics</a>. Here we go further: the four levers that make a real difference on high-volume production tables.</p> <h2> JSONB: storing flexible schemas without sacrificing performance </h2> <p>Every crypto exchange exposes a different API. Binance returns a <code>clientOrderId</code>, Kraken a <code>userref</code>, Coinbase a <code>client_order_id</code> nested inside a sub-object. If you create a dedicated column for each field from each exchange, your table ends up with 40 columns where 35 are <code>NULL</code> for every single row.</p> <p>JSONB solves this problem — provided you understand when to use it.</p> <h3> <code>json</code> vs <code>jsonb</code> — always use <code>jsonb</code> </h3> <p><code>json</code> stores the raw text as-is. <code>jsonb</code> decomposes it into a binary representation at insert time. The consequences:</p> <ul> <li> <code>jsonb</code> is <strong>indexable</strong> (GIN, expression indexes)</li> <li> <code>jsonb</code> supports <strong>containment operators</strong> (<code>@&gt;</code>, <code>?</code>)</li> <li> <code>jsonb</code> is slightly slower to write, but significantly faster to read</li> </ul> <p>Simple rule: always use <code>jsonb</code>.</p> <h3> Essential operators </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Access a key (returns jsonb)</span> <span class="k">SELECT</span> <span class="n">exchange_meta</span> <span class="o">-&gt;</span> <span class="s1">'exchange'</span> <span class="k">FROM</span> <span class="n">trades</span><span class="p">;</span> <span class="c1">-- Access a key (returns text)</span> <span class="k">SELECT</span> <span class="n">exchange_meta</span> <span class="o">-&gt;&gt;</span> <span class="s1">'exchange'</span> <span class="k">FROM</span> <span class="n">trades</span><span class="p">;</span> <span class="c1">-- Containment: does the JSON contain this sub-object?</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">trades</span> <span class="k">WHERE</span> <span class="n">exchange_meta</span> <span class="o">@&gt;</span> <span class="s1">'{"exchange": "binance"}'</span><span class="p">;</span> <span class="c1">-- Key existence</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">trades</span> <span class="k">WHERE</span> <span class="n">exchange_meta</span> <span class="o">?</span> <span class="s1">'client_order_id'</span><span class="p">;</span> </code></pre> </div> <h3> Adding the column and GIN index </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Store exchange-specific metadata without extra columns</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">trades</span> <span class="k">ADD</span> <span class="k">COLUMN</span> <span class="n">exchange_meta</span> <span class="n">JSONB</span><span class="p">;</span> <span class="c1">-- GIN index for containment queries (@&gt; operator)</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_trades_exchange_meta</span> <span class="k">ON</span> <span class="n">trades</span> <span class="k">USING</span> <span class="n">GIN</span> <span class="p">(</span><span class="n">exchange_meta</span><span class="p">);</span> <span class="c1">-- Query: all trades with a specific exchange order ID</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">trades</span> <span class="k">WHERE</span> <span class="n">exchange_meta</span> <span class="o">@&gt;</span> <span class="s1">'{"order_id": "12345"}'</span><span class="p">;</span> <span class="c1">-- Query: all Binance trades with status filled</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">trades</span> <span class="k">WHERE</span> <span class="n">exchange_meta</span> <span class="o">@&gt;</span> <span class="s1">'{"exchange": "binance", "status": "filled"}'</span><span class="p">;</span> </code></pre> </div> <p>The GIN index on <code>exchange_meta</code> automatically covers all keys in your documents. No need to anticipate upfront which keys you'll query against.</p> <h3> When not to use JSONB </h3> <p>JSONB is not an excuse to skip data modeling. If you regularly filter on a field — <code>user_id</code>, <code>status</code>, <code>created_at</code> — that field must be a real column with a proper B-tree index. Putting those fields inside JSON forfeits all planner optimizations.</p> <p><strong>Rule:</strong> JSONB for variable data that is rarely filtered directly. Typed columns for everything that is frequently filtered, sorted, or joined.</p> <h2> Partial indexes: only index what matters </h2> <p>This is the most underused PostgreSQL feature. A partial index only covers rows that satisfy a <code>WHERE</code> clause. Its size can be 100x smaller than a full index — and it fits entirely in RAM.</p> <h3> The problem with full indexes </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Full index on status: indexes ALL 50 MILLION rows,</span> <span class="c1">-- including the 49.9 million closed trades nobody queries</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_trades_status</span> <span class="k">ON</span> <span class="n">trades</span><span class="p">(</span><span class="n">status</span><span class="p">);</span> <span class="c1">-- Approximate size</span> <span class="k">SELECT</span> <span class="n">pg_size_pretty</span><span class="p">(</span><span class="n">pg_relation_size</span><span class="p">(</span><span class="s1">'idx_trades_status'</span><span class="p">));</span> <span class="c1">-- → 1 GB</span> </code></pre> </div> <h3> The solution: partial index on active rows only </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Partial index: only the ~100,000 active trades</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_trades_active</span> <span class="k">ON</span> <span class="n">trades</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">created_at</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">;</span> <span class="c1">-- Actual size</span> <span class="k">SELECT</span> <span class="n">pg_size_pretty</span><span class="p">(</span><span class="n">pg_relation_size</span><span class="p">(</span><span class="s1">'idx_trades_active'</span><span class="p">));</span> <span class="c1">-- → 3 MB ← fits entirely in shared memory</span> <span class="c1">-- This query uses the partial index directly</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">trades</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="mi">123</span> <span class="k">AND</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>PostgreSQL knows that a query with <code>WHERE status = 'active'</code> can use this index — the index predicate is a subset of the query condition. The planner selects the partial index automatically.</p> <h3> Other common use cases </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Unverified emails (minority of users)</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_users_unverified</span> <span class="k">ON</span> <span class="n">users</span><span class="p">(</span><span class="n">created_at</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">verified</span> <span class="o">=</span> <span class="k">false</span><span class="p">;</span> <span class="c1">-- Pending jobs in a queue</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_jobs_pending</span> <span class="k">ON</span> <span class="n">jobs</span><span class="p">(</span><span class="n">priority</span><span class="p">,</span> <span class="n">created_at</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'pending'</span><span class="p">;</span> <span class="c1">-- Open orders</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_orders_open</span> <span class="k">ON</span> <span class="n">orders</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">amount</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">closed_at</span> <span class="k">IS</span> <span class="k">NULL</span><span class="p">;</span> </code></pre> </div> <p>The principle is always the same: identify the subset of rows your hot queries target, and index only that subset.</p> <h2> EXPLAIN ANALYZE: reading between the lines </h2> <p>"Seq Scan bad, Index Scan good" — that's the naive reading. The reality is more nuanced. Here's how to read an execution plan correctly.</p> <h3> The full command </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">EXPLAIN</span> <span class="p">(</span><span class="k">ANALYZE</span><span class="p">,</span> <span class="n">BUFFERS</span><span class="p">,</span> <span class="n">FORMAT</span> <span class="nb">TEXT</span><span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">trades</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="mi">123</span> <span class="k">AND</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span><span class="p">;</span> </code></pre> </div> <p><code>ANALYZE</code> actually executes the query and measures real timings. <code>BUFFERS</code> reports cache and disk activity. Never run this on a <code>DELETE</code> or <code>UPDATE</code> without wrapping it in a transaction.</p> <h3> Decoding the plan </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Limit (cost=0.56..18.42 rows=20 width=112) (actual time=0.124..0.198 rows=20 loops=1) -&gt; Index Only Scan Backward using idx_trades_active on trades (cost=0.56..2891.33 rows=3201 width=112) (actual time=0.121..0.183 rows=20 loops=1) Index Cond: (user_id = 123) Heap Fetches: 0 Buffers: shared hit=5 read=0 Planning Time: 0.312 ms Execution Time: 0.221 ms </code></pre> </div> <p>The key nodes:</p> <ul> <li> <strong>Index Only Scan</strong> — the best case. PostgreSQL reads the index without touching the heap (the physical table). <code>Heap Fetches: 0</code> confirms zero table access. This is possible because all needed columns are covered by the index.</li> <li> <strong><code>rows=3201</code> estimated vs <code>rows=20</code> actual</strong> — a moderate discrepancy, acceptable. A 100x divergence means stale statistics; run <code>ANALYZE trades;</code>.</li> <li> <strong>Buffers: shared hit=5 read=0</strong> — everything served from memory cache, zero disk I/O. If <code>read</code> is high, your working set doesn't fit in RAM.</li> </ul> <h3> Pattern to watch for: the expensive Sort node </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Sort (cost=15234.12..15489.23 rows=102044 width=112) (actual time=1823.44..2104.12 rows=102044 loops=1) Sort Key: created_at DESC Sort Method: external merge Disk: 8432kB </code></pre> </div> <p><code>external merge Disk</code> means the sort spilled to disk — <code>work_mem</code> is insufficient, or the index should include the sort column. Fix: include <code>created_at</code> in the index so rows come out pre-sorted.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Before: index without sort order</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_trades_user</span> <span class="k">ON</span> <span class="n">trades</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">;</span> <span class="c1">-- After: composite index with native sort direction</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_trades_user_date</span> <span class="k">ON</span> <span class="n">trades</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">;</span> <span class="c1">-- → The Sort node disappears from the plan</span> </code></pre> </div> <h2> Date partitioning: the solution for massive tables </h2> <p>Beyond 10 million rows on an append-only table (trades, logs, events), date-range partitioning becomes necessary. The idea: physically split the table into sub-tables by time period. A query for "this month" only scans one partition instead of the whole thing.</p> <h3> Creating the partitioned table </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Parent table — defines the structure and partition key</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">trades</span> <span class="p">(</span> <span class="n">id</span> <span class="n">BIGSERIAL</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">BIGINT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">pair</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">amount</span> <span class="nb">NUMERIC</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">status</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="s1">'active'</span><span class="p">,</span> <span class="n">exchange_meta</span> <span class="n">JSONB</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">)</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="k">RANGE</span> <span class="p">(</span><span class="n">created_at</span><span class="p">);</span> <span class="c1">-- Monthly partitions</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">trades_2026_01</span> <span class="k">PARTITION</span> <span class="k">OF</span> <span class="n">trades</span> <span class="k">FOR</span> <span class="k">VALUES</span> <span class="k">FROM</span> <span class="p">(</span><span class="s1">'2026-01-01'</span><span class="p">)</span> <span class="k">TO</span> <span class="p">(</span><span class="s1">'2026-02-01'</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">trades_2026_02</span> <span class="k">PARTITION</span> <span class="k">OF</span> <span class="n">trades</span> <span class="k">FOR</span> <span class="k">VALUES</span> <span class="k">FROM</span> <span class="p">(</span><span class="s1">'2026-02-01'</span><span class="p">)</span> <span class="k">TO</span> <span class="p">(</span><span class="s1">'2026-03-01'</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">trades_2026_03</span> <span class="k">PARTITION</span> <span class="k">OF</span> <span class="n">trades</span> <span class="k">FOR</span> <span class="k">VALUES</span> <span class="k">FROM</span> <span class="p">(</span><span class="s1">'2026-03-01'</span><span class="p">)</span> <span class="k">TO</span> <span class="p">(</span><span class="s1">'2026-04-01'</span><span class="p">);</span> </code></pre> </div> <h3> Partition pruning in action </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">EXPLAIN</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">trades</span> <span class="k">WHERE</span> <span class="n">created_at</span> <span class="o">&gt;=</span> <span class="s1">'2026-03-01'</span> <span class="k">AND</span> <span class="n">created_at</span> <span class="o">&lt;</span> <span class="s1">'2026-04-01'</span> <span class="k">AND</span> <span class="n">user_id</span> <span class="o">=</span> <span class="mi">123</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Append (cost=0.29..45.23 rows=18 width=156) Partitions: trades_2026_03 -&gt; Index Scan using trades_2026_03_user_id_idx on trades_2026_03 (cost=0.29..45.23 rows=18 width=156) Index Cond: (user_id = 123) </code></pre> </div> <p><code>Partitions: trades_2026_03</code> — PostgreSQL eliminated all other partitions at planning time. It physically accesses only March 2026.</p> <h3> Operational benefits </h3> <ul> <li> <strong>Instant archiving</strong>: <code>DROP TABLE trades_2024_01</code> removes a full month of data without a massive <code>DELETE</code> or table lock.</li> <li> <strong>Targeted VACUUM</strong>: autovacuum runs partition by partition. Frozen old partitions are never reprocessed.</li> <li> <strong>Local indexes</strong>: indexes created on the parent table are automatically created on each partition — each one smaller, faster to build, and more likely to fit in memory. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Creating an index applies to all existing and future partitions</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="k">ON</span> <span class="n">trades</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">;</span> <span class="c1">-- Archive January 2024 without locking the table</span> <span class="k">DROP</span> <span class="k">TABLE</span> <span class="n">trades_2024_01</span><span class="p">;</span> <span class="c1">-- Or detach first, then archive</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">trades</span> <span class="n">DETACH</span> <span class="k">PARTITION</span> <span class="n">trades_2024_01</span><span class="p">;</span> </code></pre> </div> <h2> Combining all four </h2> <p>Here is the final state of the table after applying all four techniques:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- 1. Table partitioned by month</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">trades</span> <span class="p">(</span> <span class="n">id</span> <span class="n">BIGSERIAL</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">BIGINT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">pair</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">amount</span> <span class="nb">NUMERIC</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">status</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="s1">'active'</span><span class="p">,</span> <span class="n">exchange_meta</span> <span class="n">JSONB</span><span class="p">,</span> <span class="c1">-- 2. JSONB for variable metadata</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">)</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="k">RANGE</span> <span class="p">(</span><span class="n">created_at</span><span class="p">);</span> <span class="c1">-- Monthly partitions (automate with pg_partman in production)</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">trades_2026_03</span> <span class="k">PARTITION</span> <span class="k">OF</span> <span class="n">trades</span> <span class="k">FOR</span> <span class="k">VALUES</span> <span class="k">FROM</span> <span class="p">(</span><span class="s1">'2026-03-01'</span><span class="p">)</span> <span class="k">TO</span> <span class="p">(</span><span class="s1">'2026-04-01'</span><span class="p">);</span> <span class="c1">-- 3. Partial index: only active trades, composite with sort direction</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_trades_active</span> <span class="k">ON</span> <span class="n">trades</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">;</span> <span class="c1">-- 4. GIN index for containment queries on exchange_meta</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_trades_exchange_meta</span> <span class="k">ON</span> <span class="n">trades</span> <span class="k">USING</span> <span class="n">GIN</span> <span class="p">(</span><span class="n">exchange_meta</span><span class="p">);</span> </code></pre> </div> <p>The query that used to take 4 seconds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Before: Seq Scan over 50M rows, 4 seconds</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">trades</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="mi">123</span> <span class="k">AND</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span> <span class="k">AND</span> <span class="n">created_at</span> <span class="o">&gt;=</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'month'</span><span class="p">,</span> <span class="n">NOW</span><span class="p">())</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>-- After: partition pruning + composite partial index -- Execution Time: 12 ms Index Only Scan Backward using idx_trades_active on trades_2026_03 Index Cond: (user_id = 123) Filter: (created_at &gt;= date_trunc('month', now())) Heap Fetches: 0 Buffers: shared hit=4 read=0 </code></pre> </div> <p>The gain comes from cumulative effect: partitioning narrows the scope to a single monthly partition, the partial index only covers active trades within that partition, and the index column order eliminates the sort. PostgreSQL touches only the 4 memory pages it strictly needs.</p> <h2> Conclusion </h2> <p>The logical optimization order for a high-volume table:</p> <ol> <li> <strong>Partial indexes first</strong>: immediate gain, zero schema change, spectacular impact on hot queries targeting a data subset.</li> <li> <strong>JSONB for variable data</strong>: when external API responses have unpredictable fields, JSONB with a GIN index avoids a proliferation of <code>NULL</code> columns. It does not replace typed columns for frequently filtered fields.</li> <li> <strong>Partitioning when the table is truly large</strong>: from 10M rows on append-only data. The upfront investment is higher (migration, partition automation, pg_partman), but the long-term operational benefits are substantial.</li> </ol> <p>And at every step, <code>EXPLAIN (ANALYZE, BUFFERS)</code> to verify the planner is doing what you expect. Row estimates and the hit/read ratio don't lie.</p> postgres jsonb indexation performance Odilon HUGONNOT Fri, 24 Apr 2026 09:00:03 +0000 https://forem.com/ohugonnot/postgresql-debugging-a-slow-query-and-optimizing-it-56l1 https://forem.com/ohugonnot/postgresql-debugging-a-slow-query-and-optimizing-it-56l1 <p>It's Friday at 6:30 PM. Your query takes 4 seconds to respond in prod. The client sent you a screenshot of their loading screen. Your phone is ringing. There's a cold beer waiting for you. That's the context in which you're going to debug a slow PostgreSQL query.</p> <p>Good news: 80% of PostgreSQL performance problems have an identifiable cause in under 10 minutes with the right tools. This guide follows the logical order of a real investigation — not an exhaustive PG feature catalog, but a method that works.</p> <h2> EXPLAIN vs EXPLAIN ANALYZE: one predicts, the other executes </h2> <p>The classic first mistake: using <code>EXPLAIN</code> alone and wondering why the numbers don't match what you observe in prod.</p> <p><strong><code>EXPLAIN</code></strong> displays the execution plan that PostgreSQL <em>thinks</em> it will use, based on the statistics it has in memory. It doesn't execute the query. Costs are estimates, <em>rows</em> are predictions.</p> <p><strong><code>EXPLAIN ANALYZE</code></strong> actually executes the query and enriches the plan with measured values: real time, actual rows processed, number of loops. That's what you want. Warning: it actually runs the query — don't run it on a <code>DELETE</code> or <code>UPDATE</code> without a <code>BEGIN</code>/<code>ROLLBACK</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Safe for write queries</span> <span class="k">BEGIN</span><span class="p">;</span> <span class="k">EXPLAIN</span> <span class="k">ANALYZE</span> <span class="k">UPDATE</span> <span class="n">orders</span> <span class="k">SET</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'processed'</span> <span class="k">WHERE</span> <span class="n">created_at</span> <span class="o">&lt;</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span><span class="p">;</span> <span class="k">ROLLBACK</span><span class="p">;</span> <span class="c1">-- For a SELECT, no special precautions needed</span> <span class="k">EXPLAIN</span> <span class="p">(</span><span class="k">ANALYZE</span><span class="p">,</span> <span class="n">BUFFERS</span><span class="p">,</span> <span class="n">FORMAT</span> <span class="nb">TEXT</span><span class="p">)</span> <span class="k">SELECT</span> <span class="n">u</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="n">o</span><span class="p">.</span><span class="n">id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">order_count</span> <span class="k">FROM</span> <span class="n">users</span> <span class="n">u</span> <span class="k">JOIN</span> <span class="n">orders</span> <span class="n">o</span> <span class="k">ON</span> <span class="n">o</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">u</span><span class="p">.</span><span class="n">id</span> <span class="k">WHERE</span> <span class="n">u</span><span class="p">.</span><span class="n">created_at</span> <span class="o">&gt;=</span> <span class="s1">'2025-01-01'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">u</span><span class="p">.</span><span class="n">email</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">order_count</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span><span class="p">;</span> </code></pre> </div> <p>The <code>BUFFERS</code> option is valuable: it shows how many blocks were read from cache (<em>shared hit</em>) vs from disk (<em>read</em>). A query with lots of disk reads on a table that should be cached is a strong signal.</p> <h3> What to look for in the output </h3> <p>Three things to spot immediately:</p> <ul> <li> <strong>Seq Scan on a large table</strong>: PostgreSQL scans every row one by one. On a 50,000-row table, this is often acceptable. On 10 million, it's not.</li> <li> <strong>Large gap between <em>rows estimated</em> and <em>rows actual</em></strong>: if PostgreSQL expected to filter 50 rows and processed 80,000, its statistics are stale or the query is poorly written.</li> <li> <strong>Node with disproportionate time</strong>: the plan is a tree. The slowest node is the culprit. The displayed time is cumulative — subtract the time of child nodes to isolate a node's own cost. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Example of problematic EXPLAIN ANALYZE output</span> <span class="n">Seq</span> <span class="n">Scan</span> <span class="k">on</span> <span class="n">orders</span> <span class="p">(</span><span class="n">cost</span><span class="o">=</span><span class="mi">0</span><span class="p">.</span><span class="mi">00</span><span class="p">..</span><span class="mi">48520</span><span class="p">.</span><span class="mi">00</span> <span class="k">rows</span><span class="o">=</span><span class="mi">2000</span> <span class="n">width</span><span class="o">=</span><span class="mi">120</span><span class="p">)</span> <span class="p">(</span><span class="n">actual</span> <span class="nb">time</span><span class="o">=</span><span class="mi">0</span><span class="p">.</span><span class="mi">042</span><span class="p">..</span><span class="mi">3841</span><span class="p">.</span><span class="mi">223</span> <span class="k">rows</span><span class="o">=</span><span class="mi">1847291</span> <span class="n">loops</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">Filter</span><span class="p">:</span> <span class="p">(</span><span class="n">status</span> <span class="o">=</span> <span class="s1">'pending'</span> <span class="k">AND</span> <span class="n">created_at</span> <span class="o">&gt;</span> <span class="s1">'2024-01-01'</span><span class="p">)</span> <span class="k">Rows</span> <span class="n">Removed</span> <span class="k">by</span> <span class="n">Filter</span><span class="p">:</span> <span class="mi">152709</span> <span class="n">Planning</span> <span class="nb">Time</span><span class="p">:</span> <span class="mi">1</span><span class="p">.</span><span class="mi">2</span> <span class="n">ms</span> <span class="n">Execution</span> <span class="nb">Time</span><span class="p">:</span> <span class="mi">4102</span><span class="p">.</span><span class="mi">8</span> <span class="n">ms</span> <span class="c1">-- What we see:</span> <span class="c1">-- 1. Seq Scan on "orders" → no index used</span> <span class="c1">-- 2. rows estimated = 2,000, rows actual = 1,847,291 → catastrophic statistics</span> <span class="c1">-- 3. 4 seconds → matches exactly what the client is seeing</span> </code></pre> </div> <h2> The usual suspects </h2> <h3> 1. Missing index on a filtered column </h3> <p>The most common case. An <code>orders</code> table with 2 million rows, a query filtering on <code>user_id</code>, no index. PostgreSQL does a full Seq Scan. The fix takes 30 seconds.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- The slow query</span> <span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">total</span><span class="p">,</span> <span class="n">status</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="mi">42</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">;</span> <span class="c1">-- EXPLAIN ANALYZE shows:</span> <span class="c1">-- Seq Scan on orders (actual time=0.031..2341.5 rows=47 loops=1)</span> <span class="c1">-- Filter: (user_id = 42)</span> <span class="c1">-- Rows Removed by Filter: 1999953</span> <span class="c1">-- The fix</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">CONCURRENTLY</span> <span class="n">idx_orders_user_id</span> <span class="k">ON</span> <span class="n">orders</span><span class="p">(</span><span class="n">user_id</span><span class="p">);</span> <span class="c1">-- CONCURRENTLY: creates the index without locking the table for writes</span> <span class="c1">-- After creation, the same query:</span> <span class="c1">-- Index Scan using idx_orders_user_id on orders</span> <span class="c1">-- (actual time=0.041..0.189 rows=47 loops=1)</span> <span class="c1">-- 2.3 seconds → 0.2 ms</span> </code></pre> </div> <h3> 2. Index exists but isn't used </h3> <p>A trickier situation: the index exists, but PostgreSQL doesn't use it. Three main reasons.</p> <p><strong>Function in the WHERE clause</strong>: the moment you apply a function to an indexed column, the index is unusable — PostgreSQL can't scan the index on the transformed value.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Index on email, but unused</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_users_email</span> <span class="k">ON</span> <span class="n">users</span><span class="p">(</span><span class="n">email</span><span class="p">);</span> <span class="c1">-- The index does nothing here</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> <span class="o">=</span> <span class="s1">'alice@example.com'</span><span class="p">;</span> <span class="c1">-- Expression index — solves the problem</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_users_email_lower</span> <span class="k">ON</span> <span class="n">users</span><span class="p">(</span><span class="k">LOWER</span><span class="p">(</span><span class="n">email</span><span class="p">));</span> <span class="c1">-- Or rewrite the query if data is already lowercase</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span> <span class="o">=</span> <span class="s1">'alice@example.com'</span><span class="p">;</span> </code></pre> </div> <p><strong>LIKE with leading wildcard</strong>: <code>LIKE '%dupont'</code> can't use a B-tree index, because it requires scanning all values to find those that <em>end with</em> "dupont". <code>LIKE 'dupont%'</code>, on the other hand, can.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Guaranteed Seq Scan, even with an index on last_name</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">customers</span> <span class="k">WHERE</span> <span class="n">last_name</span> <span class="k">LIKE</span> <span class="s1">'%martin'</span><span class="p">;</span> <span class="c1">-- Uses the B-tree index</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">customers</span> <span class="k">WHERE</span> <span class="n">last_name</span> <span class="k">LIKE</span> <span class="s1">'martin%'</span><span class="p">;</span> <span class="c1">-- For "contains" searches, use pg_trgm + GIN</span> <span class="k">CREATE</span> <span class="n">EXTENSION</span> <span class="n">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">pg_trgm</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_customers_last_name_trgm</span> <span class="k">ON</span> <span class="n">customers</span> <span class="k">USING</span> <span class="n">GIN</span><span class="p">(</span><span class="n">last_name</span> <span class="n">gin_trgm_ops</span><span class="p">);</span> <span class="c1">-- Now this LIKE uses the index</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">customers</span> <span class="k">WHERE</span> <span class="n">last_name</span> <span class="k">LIKE</span> <span class="s1">'%martin%'</span><span class="p">;</span> </code></pre> </div> <p><strong>Poor cardinality</strong>: if a column has very few distinct values (e.g. <code>status</code> with 3 possible values on 2 million rows), PostgreSQL may estimate that a Seq Scan is faster than an Index Scan followed by 600,000 random lookups. It's often right. The solution: a partial index.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- 2 million orders, 95% have status = 'completed', 5% status = 'pending'</span> <span class="c1">-- A simple index on status is not very useful for 'completed'</span> <span class="c1">-- But very useful for 'pending' (100,000 rows out of 2 million)</span> <span class="c1">-- Partial index: only indexes pending rows</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_orders_pending</span> <span class="k">ON</span> <span class="n">orders</span><span class="p">(</span><span class="n">created_at</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'pending'</span><span class="p">;</span> <span class="c1">-- This query now uses the partial index</span> <span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">user_id</span><span class="p">,</span> <span class="n">total</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'pending'</span> <span class="k">AND</span> <span class="n">created_at</span> <span class="o">&gt;</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'7 days'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <h3> 3. The N+1 problem via ORM </h3> <p>Not specific to PostgreSQL, but PostgreSQL suffers from it as much as any other database. The ORM loads 100 articles, then for each article makes a separate query to load the author. Result: 101 queries instead of one.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- What the ORM generates (N+1)</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">articles</span> <span class="k">LIMIT</span> <span class="mi">100</span><span class="p">;</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="c1">-- ... 98 more times</span> <span class="c1">-- What it should do</span> <span class="k">SELECT</span> <span class="n">a</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">a</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="n">a</span><span class="p">.</span><span class="n">body</span><span class="p">,</span> <span class="n">a</span><span class="p">.</span><span class="n">published_at</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">id</span> <span class="k">AS</span> <span class="n">author_id</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">name</span> <span class="k">AS</span> <span class="n">author_name</span><span class="p">,</span> <span class="n">u</span><span class="p">.</span><span class="n">avatar_url</span> <span class="k">FROM</span> <span class="n">articles</span> <span class="n">a</span> <span class="k">JOIN</span> <span class="n">users</span> <span class="n">u</span> <span class="k">ON</span> <span class="n">u</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">a</span><span class="p">.</span><span class="n">author_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">a</span><span class="p">.</span><span class="n">published_at</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">100</span><span class="p">;</span> </code></pre> </div> <p>Detection happens in the logs or via <code>pg_stat_statements</code> (see below): dozens of identical queries with just one parameter changing, executed in rapid succession. In Go: plain SQL with a single JOIN. In Laravel/Django: eager loading.</p> <h3> 4. Stale statistics </h3> <p>PostgreSQL maintains statistics on data distribution in each table (via autovacuum). If these statistics are outdated — after a large import, a bulk DELETE — the planner makes bad decisions. Symptom: large gap between <em>rows estimated</em> and <em>rows actual</em> in EXPLAIN ANALYZE.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Update statistics without blocking writes</span> <span class="k">ANALYZE</span> <span class="n">orders</span><span class="p">;</span> <span class="c1">-- After a bulk load or data purge</span> <span class="k">VACUUM</span> <span class="k">ANALYZE</span> <span class="n">orders</span><span class="p">;</span> <span class="c1">-- Check statistics freshness</span> <span class="k">SELECT</span> <span class="n">schemaname</span><span class="p">,</span> <span class="n">tablename</span><span class="p">,</span> <span class="n">last_analyze</span><span class="p">,</span> <span class="n">last_autoanalyze</span><span class="p">,</span> <span class="n">n_live_tup</span><span class="p">,</span> <span class="n">n_dead_tup</span> <span class="k">FROM</span> <span class="n">pg_stat_user_tables</span> <span class="k">WHERE</span> <span class="n">tablename</span> <span class="o">=</span> <span class="s1">'orders'</span><span class="p">;</span> </code></pre> </div> <h3> 5. Too many rows returned </h3> <p>Sometimes the query is correctly indexed but returns 50,000 rows when you're displaying 20. Add <code>LIMIT</code> and paginate properly. For sorted lists on large volumes, offset-based pagination itself becomes a problem beyond a few thousand pages: <code>OFFSET 100000 LIMIT 20</code> forces PG to scan 100,020 rows to return 20.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Offset pagination — slow on large pages</span> <span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">title</span><span class="p">,</span> <span class="n">published_at</span> <span class="k">FROM</span> <span class="n">articles</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">published_at</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span> <span class="k">OFFSET</span> <span class="mi">10000</span><span class="p">;</span> <span class="c1">-- Cursor pagination (keyset pagination) — fast regardless of page number</span> <span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">title</span><span class="p">,</span> <span class="n">published_at</span> <span class="k">FROM</span> <span class="n">articles</span> <span class="k">WHERE</span> <span class="n">published_at</span> <span class="o">&lt;</span> <span class="s1">'2024-06-15 10:23:00'</span> <span class="c1">-- last value from the previous page</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">published_at</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span><span class="p">;</span> </code></pre> </div> <h2> Choosing the right index type </h2> <p>PostgreSQL offers several index types. In practice, you use three of them.</p> <h3> B-tree (default) </h3> <p>Covers 95% of cases: equality, inequality, sorting, range queries. It's the default when you write <code>CREATE INDEX</code> without specifying a type. Effective on high-cardinality columns (identifiers, emails, dates, amounts).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_orders_created_at</span> <span class="k">ON</span> <span class="n">orders</span><span class="p">(</span><span class="n">created_at</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_users_email</span> <span class="k">ON</span> <span class="n">users</span><span class="p">(</span><span class="n">email</span><span class="p">);</span> <span class="c1">-- Composite index: column order matters.</span> <span class="c1">-- Useful for queries that filter on user_id AND sort on created_at.</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_orders_user_created</span> <span class="k">ON</span> <span class="n">orders</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">);</span> </code></pre> </div> <h3> GIN — Full-text search and JSONB </h3> <p>For searches in text (<code>tsvector</code>), arrays, or JSONB columns. A B-tree index on a JSONB field doesn't help for queries like <code>WHERE metadata @&gt; '{"role": "admin"}'</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- GIN index for JSONB queries</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_users_metadata</span> <span class="k">ON</span> <span class="n">users</span> <span class="k">USING</span> <span class="n">GIN</span><span class="p">(</span><span class="n">metadata</span><span class="p">);</span> <span class="c1">-- Now efficient</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">metadata</span> <span class="o">@&gt;</span> <span class="s1">'{"role": "admin", "active": true}'</span><span class="p">;</span> <span class="c1">-- GIN index for full-text search</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">articles</span> <span class="k">ADD</span> <span class="k">COLUMN</span> <span class="n">search_vector</span> <span class="n">tsvector</span><span class="p">;</span> <span class="k">UPDATE</span> <span class="n">articles</span> <span class="k">SET</span> <span class="n">search_vector</span> <span class="o">=</span> <span class="n">to_tsvector</span><span class="p">(</span><span class="s1">'english'</span><span class="p">,</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">title</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> <span class="o">||</span> <span class="s1">' '</span> <span class="o">||</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="s1">''</span><span class="p">));</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_articles_search</span> <span class="k">ON</span> <span class="n">articles</span> <span class="k">USING</span> <span class="n">GIN</span><span class="p">(</span><span class="n">search_vector</span><span class="p">);</span> <span class="k">SELECT</span> <span class="n">title</span> <span class="k">FROM</span> <span class="n">articles</span> <span class="k">WHERE</span> <span class="n">search_vector</span> <span class="o">@@</span> <span class="n">plainto_tsquery</span><span class="p">(</span><span class="s1">'english'</span><span class="p">,</span> <span class="s1">'postgresql optimization index'</span><span class="p">);</span> </code></pre> </div> <h3> BRIN — Sequential timestamps </h3> <p>BRIN (Block Range INdex) is tiny in size and highly efficient for columns whose values grow naturally with insertion: timestamps, sequential IDs. The principle: instead of indexing each value, it stores min/max values per data block. On a log table of several hundred GB, it can drastically reduce query time with an index of just a few MB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Log table with 500 million rows.</span> <span class="c1">-- A B-tree index on created_at would weigh ~15 GB.</span> <span class="c1">-- A BRIN index weighs a few MB.</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_logs_created_at_brin</span> <span class="k">ON</span> <span class="n">access_logs</span> <span class="k">USING</span> <span class="n">BRIN</span><span class="p">(</span><span class="n">created_at</span><span class="p">);</span> <span class="c1">-- Efficient for time range queries</span> <span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">),</span> <span class="n">path</span> <span class="k">FROM</span> <span class="n">access_logs</span> <span class="k">WHERE</span> <span class="n">created_at</span> <span class="o">&gt;=</span> <span class="s1">'2026-02-01'</span> <span class="k">AND</span> <span class="n">created_at</span> <span class="o">&lt;</span> <span class="s1">'2026-03-01'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">path</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="k">count</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <h2> pg_stat_statements: finding expensive queries in production </h2> <p>Up to now we knew which query to analyze. In production, you often don't. <code>pg_stat_statements</code> accumulates statistics on all executed queries: total time, call count, mean time. This is where you find queries that run 10,000 times per hour and take 200ms each — less visible than a 4-second query, but far more impactful in aggregate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Enable the extension (requires a PostgreSQL restart)</span> <span class="c1">-- In postgresql.conf: shared_preload_libraries = 'pg_stat_statements'</span> <span class="k">CREATE</span> <span class="n">EXTENSION</span> <span class="n">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">pg_stat_statements</span><span class="p">;</span> <span class="c1">-- The 10 most expensive queries by total time</span> <span class="k">SELECT</span> <span class="k">LEFT</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="k">AS</span> <span class="n">query_short</span><span class="p">,</span> <span class="n">calls</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span><span class="n">total_exec_time</span><span class="p">::</span><span class="nb">numeric</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">total_ms</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span><span class="n">mean_exec_time</span><span class="p">::</span><span class="nb">numeric</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">mean_ms</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span><span class="n">stddev_exec_time</span><span class="p">::</span><span class="nb">numeric</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">stddev_ms</span><span class="p">,</span> <span class="k">rows</span> <span class="k">FROM</span> <span class="n">pg_stat_statements</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">total_exec_time</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">10</span><span class="p">;</span> <span class="c1">-- Queries with the highest standard deviation (time instability)</span> <span class="c1">-- Possible symptom: different plan depending on parameters, or random cache miss</span> <span class="k">SELECT</span> <span class="k">LEFT</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="k">AS</span> <span class="n">query_short</span><span class="p">,</span> <span class="n">calls</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span><span class="n">mean_exec_time</span><span class="p">::</span><span class="nb">numeric</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">mean_ms</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span><span class="n">stddev_exec_time</span><span class="p">::</span><span class="nb">numeric</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">stddev_ms</span> <span class="k">FROM</span> <span class="n">pg_stat_statements</span> <span class="k">WHERE</span> <span class="n">calls</span> <span class="o">&gt;</span> <span class="mi">100</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">stddev_exec_time</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">10</span><span class="p">;</span> <span class="c1">-- Reset stats (useful after a deployment or optimization)</span> <span class="k">SELECT</span> <span class="n">pg_stat_statements_reset</span><span class="p">();</span> </code></pre> </div> <p><code>pg_stat_statements</code> doesn't interrupt service and has no measurable performance impact. There's no reason not to enable it in production on all your PostgreSQL clusters.</p> <h2> Quick tips </h2> <h3> Force PostgreSQL to show the plan with an index </h3> <p>Sometimes PostgreSQL chooses a Seq Scan when an index exists, and you want to see what the plan would look like with the index. <code>SET enable_seqscan = off</code> forces the planner to prefer index scans for the current session. Useful for diagnosis, not as a permanent fix.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- In your session only — no global change</span> <span class="k">SET</span> <span class="n">enable_seqscan</span> <span class="o">=</span> <span class="k">off</span><span class="p">;</span> <span class="k">EXPLAIN</span> <span class="k">ANALYZE</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="mi">42</span><span class="p">;</span> <span class="c1">-- Restore to normal</span> <span class="k">SET</span> <span class="n">enable_seqscan</span> <span class="o">=</span> <span class="k">on</span><span class="p">;</span> <span class="c1">-- Interpretation:</span> <span class="c1">-- If the plan with index is faster → create the index or run ANALYZE (stale stats).</span> <span class="c1">-- If the plan with index is slower → PostgreSQL was right to do the Seq Scan.</span> <span class="c1">-- Perhaps the query returns too many rows for an index to help.</span> </code></pre> </div> <h3> work_mem for sorts and hash joins </h3> <p>When you see <code>Sort Method: external merge Disk</code> in EXPLAIN ANALYZE, PostgreSQL ran out of memory and had to write to disk for sorting. Increasing <code>work_mem</code> for the session can fix the problem immediately.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Default work_mem = 4MB — insufficient for large aggregations</span> <span class="k">SET</span> <span class="n">work_mem</span> <span class="o">=</span> <span class="s1">'64MB'</span><span class="p">;</span> <span class="k">EXPLAIN</span> <span class="k">ANALYZE</span> <span class="k">SELECT</span> <span class="n">user_id</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="n">total</span><span class="p">)</span> <span class="k">AS</span> <span class="n">revenue</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="k">WHERE</span> <span class="n">created_at</span> <span class="o">&gt;=</span> <span class="s1">'2025-01-01'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">user_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">revenue</span> <span class="k">DESC</span><span class="p">;</span> <span class="c1">-- With sufficient work_mem:</span> <span class="c1">-- Sort Method: quicksort Memory: 12kB ← all in RAM, fast</span> <span class="c1">-- Without sufficient work_mem:</span> <span class="c1">-- Sort Method: external merge Disk: 48MB ← writes to disk, slow</span> <span class="c1">-- Warning: don't increase work_mem globally without calculation.</span> <span class="c1">-- It applies PER sort operation AND per concurrent connection.</span> <span class="c1">-- 100 connections × 5 sorts × 64MB = potentially 32 GB consumed.</span> <span class="c1">-- Reserve it for sessions that need it, or adjust max_connections.</span> </code></pre> </div> <h3> VACUUM ANALYZE after a bulk load </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- After an import or bulk DELETE</span> <span class="k">VACUUM</span> <span class="k">ANALYZE</span> <span class="n">orders</span><span class="p">;</span> <span class="c1">-- VACUUM reclaims space from dead tuples (after UPDATE/DELETE)</span> <span class="c1">-- ANALYZE updates planner statistics</span> <span class="c1">-- Both together: essential after any large data modification</span> <span class="c1">-- Check table bloat</span> <span class="k">SELECT</span> <span class="n">n_dead_tup</span><span class="p">,</span> <span class="n">n_live_tup</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span><span class="mi">100</span><span class="p">.</span><span class="mi">0</span> <span class="o">*</span> <span class="n">n_dead_tup</span> <span class="o">/</span> <span class="k">NULLIF</span><span class="p">(</span><span class="n">n_live_tup</span> <span class="o">+</span> <span class="n">n_dead_tup</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="mi">1</span><span class="p">)</span> <span class="k">AS</span> <span class="n">dead_pct</span> <span class="k">FROM</span> <span class="n">pg_stat_user_tables</span> <span class="k">WHERE</span> <span class="n">tablename</span> <span class="o">=</span> <span class="s1">'orders'</span><span class="p">;</span> <span class="c1">-- If dead_pct &gt; 10-20%, a VACUUM is needed</span> </code></pre> </div> <h2> The method in summary </h2> <p>When a PostgreSQL query is slow, here's the investigation order that resolves the vast majority of cases:</p> <ol> <li> <strong>EXPLAIN (ANALYZE, BUFFERS)</strong> on the offending query. Identify the slowest node. Look for Seq Scan on a large table, gap between rows estimated / actual.</li> <li> <strong>Missing index?</strong> Create it with <code>CONCURRENTLY</code> in production. Verify the query is written to benefit from it — no function on the indexed column, no <code>LIKE '%...'</code>.</li> <li> <strong>Stale statistics?</strong> <code>VACUUM ANALYZE</code> on the affected table.</li> <li> <strong>In production with no specific query to target?</strong> <code>pg_stat_statements</code> to identify offenders by total time or call count.</li> </ol> <p>80% of PostgreSQL performance problems are solved with EXPLAIN ANALYZE and a well-placed index. The remaining 20% involve configuration tuning (shared_buffers, work_mem, max_connections), rewriting complex queries, or table partitioning — but that's a topic for another article.</p> <p>The beer can wait another 10 minutes. The client can't.</p> <p><strong>📄 Associated CLAUDE.md</strong></p> <p><a href="https://www.web-developpeur.com/blog/claude-md/view.php?ctx=postgresql-performance" rel="noopener noreferrer">View</a> • <a href="https://www.web-developpeur.com/blog/claude-md/contexts/postgresql-performance.md" rel="noopener noreferrer">Download</a> • <a href="https://www.web-developpeur.com/blog/claude-md/" rel="noopener noreferrer">Catalog</a></p> postgres performance sql index Odilon HUGONNOT Thu, 23 Apr 2026 09:00:02 +0000 https://forem.com/ohugonnot/cqrs-in-go-part-4-postgresql-as-an-event-store-be4 https://forem.com/ohugonnot/cqrs-in-go-part-4-postgresql-as-an-event-store-be4 <p>CQRS in Go series:</p> <ul> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-aggregate-transition-clone" rel="noopener noreferrer"><strong>Part 1</strong>: the aggregate, Transition() and Clone()</a> </li> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-command-handlers-testabilite" rel="noopener noreferrer"><strong>Part 2</strong>: command handlers without side effects</a> </li> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-sagas-choreographie-events" rel="noopener noreferrer"><strong>Part 3</strong>: sagas and event choreography</a> </li> <li> <strong>Part 4</strong>: PostgreSQL as an event store</li> </ul> <p>The first three parts laid the groundwork: immutable aggregates, pure command handlers, sagas through choreography. One central question remains — where do we persist the events? This part answers that question using PostgreSQL as an append-only event store, with no additional dependencies.</p> <h2> Why PostgreSQL and not EventStoreDB or Kafka </h2> <p>EventStoreDB is an excellent tool, designed specifically for event sourcing. But it's an additional component to deploy, monitor, back up, and maintain. For a team already running PostgreSQL in production, adding EventStoreDB means doubling the operational footprint for a database.</p> <p>Kafka is often mentioned in this context. It's a message bus, not an event store. Reading by aggregate ID is not its strong suit — Kafka is optimized for sequential partition consumption, not for "give me all events for order CMD-4521 in order". Default retention is time-limited. Reconstituting an aggregate from Kafka requires non-trivial work.</p> <p>PostgreSQL, you already have it. Native ACID, JSONB with indexing, backups integrated into your existing infrastructure, monitoring your team knows, pg_dump, replication, point-in-time recovery. For 90% of projects, an append-only table in PostgreSQL is more than enough. Moving to a dedicated tool makes sense when you're processing millions of events per second — a threshold most projects never reach.</p> <h2> The es_events table — the core </h2> <p>Everything rests on a single table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">es_events</span> <span class="p">(</span> <span class="n">id</span> <span class="n">BIGSERIAL</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">aggregate_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">aggregate_type</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">64</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">event_type</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">128</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">event_data</span> <span class="n">JSONB</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">metadata</span> <span class="n">JSONB</span> <span class="k">DEFAULT</span> <span class="s1">'{}'</span><span class="p">,</span> <span class="k">version</span> <span class="nb">INT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">(),</span> <span class="k">UNIQUE</span> <span class="p">(</span><span class="n">aggregate_id</span><span class="p">,</span> <span class="k">version</span><span class="p">)</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_es_events_aggregate</span> <span class="k">ON</span> <span class="n">es_events</span> <span class="p">(</span><span class="n">aggregate_id</span><span class="p">,</span> <span class="k">version</span><span class="p">);</span> </code></pre> </div> <p>Each column has a specific role:</p> <ul> <li> <strong>id (BIGSERIAL)</strong>: global position in the stream. This is the cursor used by projectors to track where they are. Monotonically increasing, never reused.</li> <li> <strong>aggregate_id</strong>: the identifier of the entity involved — the UUID of the order, payment, or shipment. This is the primary read key for reconstituting an aggregate.</li> <li> <strong>aggregate_type</strong>: the type of the aggregate — "order", "payment", "shipping". Allows filtering events by domain and avoids UUID collisions between different types.</li> <li> <strong>event_type</strong>: the name of the event — "OrderPlaced", "PaymentConfirmed", "ShipmentDispatched". Used to deserialize <code>event_data</code> into the correct Go type.</li> <li> <strong>event_data (JSONB)</strong>: the serialized event payload. JSONB enables indexing and field-level queries when needed, without sacrificing flexibility.</li> <li> <strong>metadata (JSONB)</strong>: traceability information — who triggered the action (user ID), correlation ID, causation ID, client timestamp. Not domain data, but indispensable in production.</li> <li> <strong>version</strong>: sequence number per aggregate. The first event of an aggregate is at version 1, the second at version 2, and so on.</li> </ul> <p>The <code>UNIQUE (aggregate_id, version)</code> constraint is the centerpiece of concurrent safety. It makes it impossible to insert two events with the same version on the same aggregate. This is the optimistic locking mechanism — no read lock, a constraint violation on write in case of conflict.</p> <h2> Append — writing an event </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">EventStore</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">db</span> <span class="o">*</span><span class="n">sqlx</span><span class="o">.</span><span class="n">DB</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">EventStore</span><span class="p">)</span> <span class="n">Append</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">aggregateID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span><span class="p">,</span> <span class="n">aggregateType</span> <span class="kt">string</span><span class="p">,</span> <span class="n">expectedVersion</span> <span class="kt">int</span><span class="p">,</span> <span class="n">events</span> <span class="p">[]</span><span class="n">StorableEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">tx</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">BeginTxx</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"begin tx: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">tx</span><span class="o">.</span><span class="n">Rollback</span><span class="p">()</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">event</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">events</span> <span class="p">{</span> <span class="n">version</span> <span class="o">:=</span> <span class="n">expectedVersion</span> <span class="o">+</span> <span class="n">i</span> <span class="o">+</span> <span class="m">1</span> <span class="n">data</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="n">event</span><span class="o">.</span><span class="n">Data</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"marshal event: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">tx</span><span class="o">.</span><span class="n">ExecContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">` INSERT INTO es_events (aggregate_id, aggregate_type, event_type, event_data, metadata, version) VALUES ($1, $2, $3, $4, $5, $6) `</span><span class="p">,</span> <span class="n">aggregateID</span><span class="p">,</span> <span class="n">aggregateType</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">Type</span><span class="p">,</span> <span class="n">data</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">Metadata</span><span class="p">,</span> <span class="n">version</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// UNIQUE violation = version conflict = optimistic locking</span> <span class="k">if</span> <span class="n">isUniqueViolation</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ErrConcurrencyConflict</span> <span class="p">}</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"insert event: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">tx</span><span class="o">.</span><span class="n">Commit</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p>The <code>expectedVersion</code> parameter is the number of the last known event at the time the aggregate was loaded. If the handler produces two events, they will be inserted at versions <code>expectedVersion + 1</code> and <code>expectedVersion + 2</code>.</p> <p>If another goroutine wrote an event between loading and writing, the UNIQUE constraint kicks in — PostgreSQL rejects the insert with a constraint violation, translated into <code>ErrConcurrencyConflict</code>. The client can retry: it will reload the aggregate with the new event, recalculate the state, and re-execute the handler. This is optimistic locking — no read lock, just a check at write time.</p> <h2> Load — reloading an aggregate </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">EventStore</span><span class="p">)</span> <span class="n">Load</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">aggregateID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span><span class="p">)</span> <span class="p">([]</span><span class="n">StoredEvent</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">events</span> <span class="p">[]</span><span class="n">StoredEvent</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">SelectContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">events</span><span class="p">,</span> <span class="s">` SELECT id, aggregate_id, aggregate_type, event_type, event_data, metadata, version, created_at FROM es_events WHERE aggregate_id = $1 ORDER BY version ASC `</span><span class="p">,</span> <span class="n">aggregateID</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"loading events: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">events</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>The aggregate's state is never stored directly. It's always recalculated by replaying events in order, calling <code>Transition()</code> on each one (see Part 1). This is the replay. The result is deterministic — the same events always produce the same state. This is what makes the system testable and auditable.</p> <h2> Subscriptions — feeding projections </h2> <p>Projectors — the components that maintain read views — must be notified of new events. The simplest solution: a positions table.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">es_subscriptions</span> <span class="p">(</span> <span class="n">subscriber_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">128</span><span class="p">)</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">last_event_id</span> <span class="nb">BIGINT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="mi">0</span><span class="p">,</span> <span class="n">updated_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <p>Each projector records the identifier of the last event it processed. On startup or after a crash, it resumes from this position. The polling pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Subscriber</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">db</span> <span class="o">*</span><span class="n">sqlx</span><span class="o">.</span><span class="n">DB</span> <span class="n">subscriberID</span> <span class="kt">string</span> <span class="n">handler</span> <span class="n">EventHandler</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">Subscriber</span><span class="p">)</span> <span class="n">Poll</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// 1. Read the last processed position</span> <span class="k">var</span> <span class="n">lastID</span> <span class="kt">int64</span> <span class="n">s</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">GetContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">lastID</span><span class="p">,</span> <span class="s">"SELECT last_event_id FROM es_subscriptions WHERE subscriber_id = $1"</span><span class="p">,</span> <span class="n">s</span><span class="o">.</span><span class="n">subscriberID</span><span class="p">,</span> <span class="p">)</span> <span class="c">// 2. Load new events</span> <span class="k">var</span> <span class="n">events</span> <span class="p">[]</span><span class="n">StoredEvent</span> <span class="n">s</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">SelectContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">events</span><span class="p">,</span> <span class="s">"SELECT * FROM es_events WHERE id &gt; $1 ORDER BY id ASC LIMIT 100"</span><span class="p">,</span> <span class="n">lastID</span><span class="p">,</span> <span class="p">)</span> <span class="c">// 3. Process within a transaction</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">event</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">events</span> <span class="p">{</span> <span class="n">tx</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">BeginTxx</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">handler</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">tx</span><span class="p">,</span> <span class="n">event</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">tx</span><span class="o">.</span><span class="n">Rollback</span><span class="p">()</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"handling event %d: %w"</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// 4. Update the position in the same transaction</span> <span class="n">tx</span><span class="o">.</span><span class="n">ExecContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"UPDATE es_subscriptions SET last_event_id = $1, updated_at = NOW() WHERE subscriber_id = $2"</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">s</span><span class="o">.</span><span class="n">subscriberID</span><span class="p">,</span> <span class="p">)</span> <span class="n">tx</span><span class="o">.</span><span class="n">Commit</span><span class="p">()</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>The critical detail is in point 4: the position update and event processing are in the same transaction. If the process crashes between processing and updating the position, the event will be reprocessed on the next poll. This is at-least-once delivery — handlers must be idempotent to absorb duplicates without side effects.</p> <p>Idempotency in practice: a handler that inserts a row into a read view can use <code>INSERT ... ON CONFLICT DO NOTHING</code>, or check whether the row already exists. The deduplication key is generally the <code>event_id</code> or a combination of unique business fields.</p> <h2> Real-time notifications with LISTEN/NOTIFY </h2> <p>Polling introduces latency — at best a few hundred milliseconds if the poll runs frequently, at worst several seconds. For read views that need to be reactive, PostgreSQL offers a native mechanism: LISTEN/NOTIFY.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Event store side: notify after each INSERT</span> <span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">EventStore</span><span class="p">)</span> <span class="n">Append</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">aggregateID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span><span class="p">,</span> <span class="n">aggregateType</span> <span class="kt">string</span><span class="p">,</span> <span class="n">expectedVersion</span> <span class="kt">int</span><span class="p">,</span> <span class="n">events</span> <span class="p">[]</span><span class="n">StorableEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">tx</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">BeginTxx</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"begin tx: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">tx</span><span class="o">.</span><span class="n">Rollback</span><span class="p">()</span> <span class="c">// ... insert events ...</span> <span class="c">// Notify subscribers</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">tx</span><span class="o">.</span><span class="n">ExecContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"NOTIFY es_events_channel"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"notify: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">tx</span><span class="o">.</span><span class="n">Commit</span><span class="p">()</span> <span class="p">}</span> <span class="c">// Subscriber side: listen instead of polling</span> <span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">Subscriber</span><span class="p">)</span> <span class="n">Listen</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">conn</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">db</span><span class="o">.</span><span class="n">Conn</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"acquire conn: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">conn</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">conn</span><span class="o">.</span><span class="n">ExecContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"LISTEN es_events_channel"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"listen: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">for</span> <span class="p">{</span> <span class="k">select</span> <span class="p">{</span> <span class="k">case</span> <span class="o">&lt;-</span><span class="n">ctx</span><span class="o">.</span><span class="n">Done</span><span class="p">()</span><span class="o">:</span> <span class="k">return</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Err</span><span class="p">()</span> <span class="k">default</span><span class="o">:</span> <span class="p">}</span> <span class="c">// Wait for notification (blocking with timeout)</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">conn</span><span class="o">.</span><span class="n">WaitForNotification</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"wait notification: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Poll immediately after the notification</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">Poll</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The notification is sent inside the Append transaction — it's only delivered to listeners once the transaction commits. No false alarms on rollback.</p> <p>In production, combine both approaches: LISTEN for real-time reactivity under normal conditions, periodic polling (every 5 to 30 seconds) as a safety net in case of reconnection or missed notification. The dedicated LISTEN connection must not be taken from the standard connection pool — it occupies a connection permanently.</p> <h2> The command gateway — putting it all together </h2> <p>With the event store in place, the complete flow for a command becomes explicit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">CommandGateway</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">store</span> <span class="o">*</span><span class="n">EventStore</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">gw</span> <span class="o">*</span><span class="n">CommandGateway</span><span class="p">)</span> <span class="n">Execute</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">aggregateID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span><span class="p">,</span> <span class="n">cmd</span> <span class="n">Command</span><span class="p">,</span> <span class="n">handler</span> <span class="n">CommandHandler</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// 1. Load events</span> <span class="n">storedEvents</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">gw</span><span class="o">.</span><span class="n">store</span><span class="o">.</span><span class="n">Load</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">aggregateID</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"load aggregate: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// 2. Reconstruct state</span> <span class="n">state</span> <span class="o">:=</span> <span class="n">Replay</span><span class="p">(</span><span class="n">storedEvents</span><span class="p">)</span> <span class="n">currentVersion</span> <span class="o">:=</span> <span class="nb">len</span><span class="p">(</span><span class="n">storedEvents</span><span class="p">)</span> <span class="c">// 3. Execute the handler (pure, no side effects)</span> <span class="n">newEvents</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">handler</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">state</span><span class="p">,</span> <span class="n">cmd</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// 4. Persist the new events</span> <span class="k">return</span> <span class="n">gw</span><span class="o">.</span><span class="n">store</span><span class="o">.</span><span class="n">Append</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">aggregateID</span><span class="p">,</span> <span class="n">cmd</span><span class="o">.</span><span class="n">AggregateType</span><span class="p">(),</span> <span class="n">currentVersion</span><span class="p">,</span> <span class="n">newEvents</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>If two commands arrive simultaneously on the same aggregate, the second fails with <code>ErrConcurrencyConflict</code>. The client can retry — it will reload the aggregate including the events from the first command, recalculate the state, and re-execute the handler on the updated state. In practice, real conflicts are rare on well-bounded aggregates; most concurrent operations touch different aggregates.</p> <p>This is also the pattern that makes command handlers testable without infrastructure (Part 2): the gateway injects the state, the handler produces events, the gateway persists. Each responsibility is isolated.</p> <h2> Performance — when events accumulate </h2> <p>An aggregate with a few dozen events reloads in microseconds. An aggregate with 10,000 events — a long-lived order, a very active user account — starts to weigh on the replay. The solution is snapshots.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">es_snapshots</span> <span class="p">(</span> <span class="n">aggregate_id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">aggregate_type</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">64</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">version</span> <span class="nb">INT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">state_data</span> <span class="n">JSONB</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <p>A snapshot is a captured, serialized state at a given point in time, associated with its version. Loading with a snapshot proceeds in two steps:</p> <ul> <li> Load the most recent snapshot for the aggregate (if it exists)</li> <li> Load only the events after the snapshot's version</li> <li> Replay the partial events on the snapshot's state</li> </ul> <p>The simplest practical rule: create a snapshot every 100 events. Most aggregates never reach this limit — a typical e-commerce aggregate generates 5 to 20 events over its lifetime. Snapshots are only necessary for high-volume aggregates: accounts, wallets, inventories updated hundreds of times per day.</p> <p>Important: snapshots are an optimization, not a change to the data model. Events remain the source of truth. A corrupted or deleted snapshot is not data loss — the aggregate can be reconstituted from the beginning of its events.</p> <h2> Series summary </h2> <p>Across four parts, we built a complete CQRS implementation in Go:</p> <ul> <li> <strong>Part 1 — The aggregate</strong>: immutable state, <code>Transition()</code> for applying events, <code>Clone()</code> for dry-runs. The foundation that makes everything else testable.</li> <li> <strong>Part 2 — Command handlers</strong>: pure functions that take a state and a command, return events or an error. No database, no HTTP, testable in complete isolation.</li> <li> <strong>Part 3 — Sagas and choreography</strong>: coordination between aggregates through published events. Each service reacts to what interests it, without direct coupling. Sagas handle compensation in case of distributed failure.</li> <li> <strong>Part 4 — The event store</strong>: PostgreSQL as the persistence infrastructure. Append-only table, optimistic locking through UNIQUE constraint, subscriptions for projectors, LISTEN/NOTIFY for reactivity, snapshots for large-scale performance.</li> </ul> <p>These four patterns combine: the command gateway loads via the event store, calls the pure handler, persists the produced events. Subscribers read the global stream and maintain read views. Sagas listen for certain event types and trigger commands on other aggregates.</p> <p>The result is a system that is auditable by construction — the complete history is in the events —, testable at every layer, and operable with the PostgreSQL infrastructure you already manage.</p> <p><strong>📄 Associated CLAUDE.md</strong></p> <p><a href="https://www.web-developpeur.com/blog/claude-md/view.php?ctx=cqrs-event-sourcing-go" rel="noopener noreferrer">View</a> • <a href="https://www.web-developpeur.com/blog/claude-md/contexts/cqrs-event-sourcing-go.md" rel="noopener noreferrer">Download</a> • <a href="https://www.web-developpeur.com/blog/claude-md/" rel="noopener noreferrer">Catalogue</a></p> cqrs eventsourcing go postgres Odilon HUGONNOT Wed, 22 Apr 2026 09:00:03 +0000 https://forem.com/ohugonnot/cqrs-in-go-part-3-sagas-and-event-choreography-3hfm https://forem.com/ohugonnot/cqrs-in-go-part-3-sagas-and-event-choreography-3hfm <p>CQRS in Go series:</p> <ul> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-aggregate-transition-clone" rel="noopener noreferrer"><strong>Part 1</strong>: the aggregate, Transition() and Clone()</a> </li> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-command-handlers-testabilite" rel="noopener noreferrer"><strong>Part 2</strong>: command handlers without side effects</a> </li> <li> <strong>Part 3</strong>: sagas and event choreography</li> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-postgresql-event-store" rel="noopener noreferrer"><strong>Part 4</strong>: PostgreSQL as an event store</a> </li> </ul> <h2> The problem — two aggregates need to cooperate </h2> <p>Concrete scenario: a payment is validated. The <code>Payment</code> aggregate emits a <code>PaymentConfirmed</code> event. In response, a shipment needs to be created in the <code>Shipping</code> aggregate.</p> <p>The problem: the two aggregates don't know each other, and that's intentional. An aggregate that directly calls another aggregate is a fundamental violation of the pattern. The aggregate is an isolated unit of consistency. If <code>Payment</code> knows about <code>Shipping</code>, you're recreating tight coupling — exactly what you were trying to avoid by leaving the classic transactional model.</p> <p>The question is: how do you make <code>Shipping</code> react to something that happened in <code>Payment</code>, without one knowing the other? There are two families of answers: orchestration and choreography.</p> <h2> Orchestration vs choreography </h2> <p><strong>Orchestration</strong> sets up a central conductor — a <code>SagaManager</code> — that knows all the steps, all transitions, and all possible rollbacks. When <code>PaymentConfirmed</code> arrives, the <code>SagaManager</code> explicitly calls the <code>Shipping</code> service, then the <code>Email</code> service, then the <code>Stock</code> service. The flow is readable in one place. In case of error, the manager knows exactly what to compensate.</p> <p>The downside: the <code>SagaManager</code> knows everyone. Adding a new step to the flow forces you to modify this central component. It becomes a tight coupling point between domains that should ignore each other.</p> <p><strong>Choreography</strong> works differently. Each aggregate emits events. Independent handlers listen to these events and trigger commands on other aggregates. Nobody centralizes knowledge of the flow — it emerges from the sum of reactions.</p> <p>Choreography wins in most cases because it scales better, adding new behavior on an existing event doesn't touch existing code, and each handler can evolve, be redeployed, or even fail without blocking the others. The price to pay: the flow is not readable in one place — we'll come back to that in section 6.</p> <h2> The event handler — the link between aggregates </h2> <p>The central tool of choreography is the event handler. It listens to events from one aggregate and triggers commands on another. Its responsibility is narrow: translate an event into a command. Nothing more.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// PaymentEventHandler reacts to Payment events to trigger Shipping.</span> <span class="k">type</span> <span class="n">PaymentEventHandler</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">shippingCmd</span> <span class="n">ShippingCommandService</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="n">PaymentEventHandler</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">event</span> <span class="n">DomainEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">switch</span> <span class="n">e</span> <span class="o">:=</span> <span class="n">event</span><span class="o">.</span><span class="p">(</span><span class="k">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="n">PaymentConfirmed</span><span class="o">:</span> <span class="k">return</span> <span class="n">h</span><span class="o">.</span><span class="n">shippingCmd</span><span class="o">.</span><span class="n">CreateShipment</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">CreateShipmentCmd</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">OrderID</span><span class="p">,</span> <span class="n">CustomerID</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">CustomerID</span><span class="p">,</span> <span class="n">Items</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">Items</span><span class="p">,</span> <span class="n">Address</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">ShippingAddress</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>The event handler contains no business logic. It doesn't decide whether the shipment should be created — that decision was already made by the fact that <code>PaymentConfirmed</code> was emitted. It doesn't validate data — that's the <code>Shipping</code> command handler's job. It translates, nothing more.</p> <p>If the logic in an event handler starts to grow — conditions, branches, multiple calls — it's a signal that an aggregate is missing somewhere, or that a responsibility hasn't been properly carved out.</p> <h2> Saga idempotency </h2> <p>An event can be redelivered. This happens whenever a handler successfully processes an event but crashes before acknowledging the message. The broker (Kafka, RabbitMQ, or even a simple queue table in PostgreSQL) doesn't know the processing succeeded — it redelivers. If the saga isn't idempotent, you create two shipments for a single order.</p> <p>The simplest solution: check before acting. If a shipment already exists for this <code>OrderID</code>, treat it as a duplicate and ignore it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="n">PaymentEventHandler</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">event</span> <span class="n">DomainEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">switch</span> <span class="n">e</span> <span class="o">:=</span> <span class="n">event</span><span class="o">.</span><span class="p">(</span><span class="k">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="n">PaymentConfirmed</span><span class="o">:</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">shippingCmd</span><span class="o">.</span><span class="n">CreateShipment</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">CreateShipmentCmd</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">OrderID</span><span class="p">,</span> <span class="n">CustomerID</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">CustomerID</span><span class="p">,</span> <span class="n">Items</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">Items</span><span class="p">,</span> <span class="n">Address</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">ShippingAddress</span><span class="p">,</span> <span class="p">})</span> <span class="c">// If the shipment already exists, it's a duplicate — ignore it.</span> <span class="k">if</span> <span class="n">errors</span><span class="o">.</span><span class="n">Is</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="n">ErrShipmentAlreadyExists</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>This <code>ErrShipmentAlreadyExists</code> error must be a sentinel error defined in the <code>Shipping</code> package, and the <code>CreateShipment</code> command handler must check uniqueness on <code>OrderID</code> before inserting — ideally with a unique constraint in the database to make the check atomic.</p> <p>The other approach is an idempotency key: pass the event's ID as an idempotency key to the command handler, which stores it and silently rejects any duplicate with the same key. This is more generic but requires a dedicated tracking table. Both approaches are valid; the choice often depends on whether the command handler is already instrumented for idempotency keys (see Part 2 of the series).</p> <h2> Partial failures </h2> <p>An event can trigger multiple independent reactions: create the shipment, send the confirmation email, decrement stock. If all these reactions are in a single handler and the email fails, the shipment is created but the stock is never updated. The handler failed midway and the final state is inconsistent.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Bad: one big handler doing everything sequentially.</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="n">BigHandler</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">event</span> <span class="n">DomainEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">switch</span> <span class="n">e</span> <span class="o">:=</span> <span class="n">event</span><span class="o">.</span><span class="p">(</span><span class="k">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="n">PaymentConfirmed</span><span class="o">:</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">shipping</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">toShipmentCmd</span><span class="p">(</span><span class="n">e</span><span class="p">));</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="c">// email and stock will never be processed</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">email</span><span class="o">.</span><span class="n">Send</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">toConfirmationEmail</span><span class="p">(</span><span class="n">e</span><span class="p">));</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="c">// stock will never be processed</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">stock</span><span class="o">.</span><span class="n">Update</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">toStockCmd</span><span class="p">(</span><span class="n">e</span><span class="p">));</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>The solution is to never put multiple responsibilities in the same handler. One handler, one action.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// One handler per responsibility. Each can fail independently.</span> <span class="k">type</span> <span class="n">ShippingOnPayment</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">shippingCmd</span> <span class="n">ShippingCommandService</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="n">ShippingOnPayment</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">event</span> <span class="n">DomainEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">e</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">event</span><span class="o">.</span><span class="p">(</span><span class="n">PaymentConfirmed</span><span class="p">);</span> <span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="n">h</span><span class="o">.</span><span class="n">shippingCmd</span><span class="o">.</span><span class="n">CreateShipment</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">CreateShipmentCmd</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">OrderID</span><span class="p">,</span> <span class="n">Items</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">Items</span><span class="p">,</span> <span class="n">Address</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">ShippingAddress</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">type</span> <span class="n">EmailOnPayment</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mailer</span> <span class="n">EmailService</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="n">EmailOnPayment</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">event</span> <span class="n">DomainEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">e</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">event</span><span class="o">.</span><span class="p">(</span><span class="n">PaymentConfirmed</span><span class="p">);</span> <span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="n">h</span><span class="o">.</span><span class="n">mailer</span><span class="o">.</span><span class="n">SendConfirmation</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">e</span><span class="o">.</span><span class="n">CustomerEmail</span><span class="p">,</span> <span class="n">e</span><span class="o">.</span><span class="n">OrderID</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">type</span> <span class="n">StockOnPayment</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">stockCmd</span> <span class="n">StockCommandService</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="n">StockOnPayment</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">event</span> <span class="n">DomainEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">e</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">event</span><span class="o">.</span><span class="p">(</span><span class="n">PaymentConfirmed</span><span class="p">);</span> <span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="n">h</span><span class="o">.</span><span class="n">stockCmd</span><span class="o">.</span><span class="n">DecrementStock</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">DecrementStockCmd</span><span class="p">{</span> <span class="n">Items</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">Items</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>These three handlers are registered separately on the <code>PaymentConfirmed</code> event. If the email fails, it will be retried independently — without blocking the shipment or the stock update. A failure in one branch doesn't poison the others.</p> <p>Retry with exponential backoff is handled by the infrastructure (broker, worker), not the handler. The handler has one responsibility: try to perform its action and return an error if it fails. The system decides how many times to retry.</p> <p>Eventual consistency is an accepted consequence. After a crash, the stock will be updated on the next retry — in a few seconds or minutes depending on the retry policy. For most e-commerce use cases, this is acceptable. If it's not acceptable, you need a distributed transaction, and you're leaving the scope of choreography.</p> <h2> Tracing the flow — the event/handler table </h2> <p>In choreography, the flow is not readable in any single file. It's distributed across dozens of handlers. Without documentation, it's impossible to know what gets triggered when <code>PaymentConfirmed</code> is emitted. That's the cost of choreography.</p> <p>The practical answer is a mapping table, maintained manually or generated from handler registrations. For each event, list the handlers and the action they perform. This is the system's map.</p> <p>Event</p> <p>Handler</p> <p>Action</p> <p><code>PaymentConfirmed</code></p> <p><code>ShippingOnPayment</code></p> <p>Creates the shipment</p> <p><code>PaymentConfirmed</code></p> <p><code>EmailOnPayment</code></p> <p>Order confirmation email</p> <p><code>PaymentConfirmed</code></p> <p><code>StockOnPayment</code></p> <p>Decrements stock</p> <p><code>ShipmentCreated</code></p> <p><code>EmailOnShipment</code></p> <p>"Your package has shipped" email</p> <p><code>ShipmentCreated</code></p> <p><code>TrackingOnShipment</code></p> <p>Creates the delivery tracking</p> <p>This table should live in the project documentation, not in a comment buried in some file. It answers the question "what happens when this event is emitted?" — a question you ask frequently in production when something goes wrong.</p> <p>In Go, you can also centralize handler registrations in a <code>wire.go</code> or <code>handlers.go</code> file per domain, which makes the mapping readable in code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">registerPaymentHandlers</span><span class="p">(</span><span class="n">bus</span> <span class="n">EventBus</span><span class="p">,</span> <span class="n">deps</span> <span class="n">Dependencies</span><span class="p">)</span> <span class="p">{</span> <span class="n">bus</span><span class="o">.</span><span class="n">Register</span><span class="p">(</span><span class="n">PaymentConfirmed</span><span class="p">{},</span> <span class="n">ShippingOnPayment</span><span class="p">{</span><span class="n">shippingCmd</span><span class="o">:</span> <span class="n">deps</span><span class="o">.</span><span class="n">ShippingCmd</span><span class="p">})</span> <span class="n">bus</span><span class="o">.</span><span class="n">Register</span><span class="p">(</span><span class="n">PaymentConfirmed</span><span class="p">{},</span> <span class="n">EmailOnPayment</span><span class="p">{</span><span class="n">mailer</span><span class="o">:</span> <span class="n">deps</span><span class="o">.</span><span class="n">Mailer</span><span class="p">})</span> <span class="n">bus</span><span class="o">.</span><span class="n">Register</span><span class="p">(</span><span class="n">PaymentConfirmed</span><span class="p">{},</span> <span class="n">StockOnPayment</span><span class="p">{</span><span class="n">stockCmd</span><span class="o">:</span> <span class="n">deps</span><span class="o">.</span><span class="n">StockCmd</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>All handlers tied to <code>PaymentConfirmed</code> are visible in one function. No need to grep the entire codebase to find what reacts to this event.</p> <h2> When choreography isn't enough </h2> <p>Choreography has one limit: flows with compensation. Compensation = undoing an already-completed step because a subsequent step failed. The classic example: booking a hotel, a flight, and a rental car for a trip. If the flight is unavailable, you need to cancel the hotel reservation that already succeeded.</p> <p>In pure choreography, this scenario forces you to emit a <code>FlightBookingFailed</code> event and have a handler that cancels the hotel. This works, but the handler needs to know whether the hotel was booked for this trip — which implies shared state. You're rebuilding an orchestrator, but implicitly and scattered across the codebase.</p> <p>In this case, a <strong>process manager</strong> is justified. A process manager is an event handler with its own state. It listens to events from different steps, maintains progress state, and decides on compensations if needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">BookingProcessManager</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">bookingID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">hotelOK</span> <span class="kt">bool</span> <span class="n">flightOK</span> <span class="kt">bool</span> <span class="n">carOK</span> <span class="kt">bool</span> <span class="n">hotelCmd</span> <span class="n">HotelCommandService</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">pm</span> <span class="o">*</span><span class="n">BookingProcessManager</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">event</span> <span class="n">DomainEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">switch</span> <span class="n">e</span> <span class="o">:=</span> <span class="n">event</span><span class="o">.</span><span class="p">(</span><span class="k">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="n">HotelReserved</span><span class="o">:</span> <span class="n">pm</span><span class="o">.</span><span class="n">hotelOK</span> <span class="o">=</span> <span class="no">true</span> <span class="c">// Trigger the flight booking</span> <span class="k">return</span> <span class="n">pm</span><span class="o">.</span><span class="n">flightCmd</span><span class="o">.</span><span class="n">BookFlight</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">BookFlightCmd</span><span class="p">{</span> <span class="n">BookingID</span><span class="o">:</span> <span class="n">pm</span><span class="o">.</span><span class="n">bookingID</span><span class="p">,</span> <span class="n">FlightRef</span><span class="o">:</span> <span class="n">e</span><span class="o">.</span><span class="n">FlightRef</span><span class="p">,</span> <span class="p">})</span> <span class="k">case</span> <span class="n">FlightBooked</span><span class="o">:</span> <span class="n">pm</span><span class="o">.</span><span class="n">flightOK</span> <span class="o">=</span> <span class="no">true</span> <span class="c">// Trigger the car reservation</span> <span class="k">return</span> <span class="n">pm</span><span class="o">.</span><span class="n">carCmd</span><span class="o">.</span><span class="n">ReserveCar</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">ReserveCarCmd</span><span class="p">{</span> <span class="n">BookingID</span><span class="o">:</span> <span class="n">pm</span><span class="o">.</span><span class="n">bookingID</span><span class="p">,</span> <span class="p">})</span> <span class="k">case</span> <span class="n">FlightBookingFailed</span><span class="o">:</span> <span class="c">// Compensation: cancel the hotel if already booked</span> <span class="k">if</span> <span class="n">pm</span><span class="o">.</span><span class="n">hotelOK</span> <span class="p">{</span> <span class="k">return</span> <span class="n">pm</span><span class="o">.</span><span class="n">hotelCmd</span><span class="o">.</span><span class="n">CancelReservation</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">CancelHotelCmd</span><span class="p">{</span> <span class="n">BookingID</span><span class="o">:</span> <span class="n">pm</span><span class="o">.</span><span class="n">bookingID</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>The difference from a global <code>SagaManager</code>: this process manager only knows the travel booking flow. It's not a centralization point for all system flows. One process manager per saga, not one manager for everything.</p> <p>Its state must be persisted — in a database or the event store — to survive restarts. This is the only place in a choreographed architecture where you explicitly accept having a component with its own state and centralized flow logic. The rest of the system continues to operate through choreography.</p> <h2> Summary </h2> <ul> <li> An aggregate cannot call another aggregate directly — choreography through events is the standard solution.</li> <li> The event handler is a translator: it transforms an event into a command on another aggregate. No business logic inside.</li> <li> Sagas must be idempotent: an event can be redelivered, the handler must detect and ignore duplicates.</li> <li> One handler per responsibility: never put multiple independent actions in a single handler. A partial failure must not block other branches.</li> <li> Eventual consistency is an accepted consequence: a branch that fails will be retried independently, without blocking the others.</li> <li> The event/handler table is the essential documentation for a choreographed system. Without it, the flow is unreadable.</li> <li> For flows with compensation, a process manager with its own state is justified — but one per saga, not a global manager.</li> </ul> <p>Part 4 covers the PostgreSQL event store: how to persist events, manage aggregate versioning, and implement replay from the database.</p> <p><strong>📄 Associated CLAUDE.md</strong></p> <p><a href="https://www.web-developpeur.com/blog/claude-md/view.php?ctx=cqrs-event-sourcing-go" rel="noopener noreferrer">View</a> • <a href="https://www.web-developpeur.com/blog/claude-md/contexts/cqrs-event-sourcing-go.md" rel="noopener noreferrer">Download</a> • <a href="https://www.web-developpeur.com/blog/claude-md/" rel="noopener noreferrer">Catalogue</a></p> cqrs eventsourcing go sagas Odilon HUGONNOT Tue, 21 Apr 2026 09:00:02 +0000 https://forem.com/ohugonnot/cqrs-in-go-part-2-side-effect-free-command-handlers-3ocd https://forem.com/ohugonnot/cqrs-in-go-part-2-side-effect-free-command-handlers-3ocd <p>CQRS in Go series:</p> <ul> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-aggregate-transition-clone" rel="noopener noreferrer"><strong>Part 1</strong>: the aggregate, Transition() and Clone()</a> </li> <li> <strong>Part 2</strong>: command handlers without side effects</li> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-sagas-choreographie-events" rel="noopener noreferrer"><strong>Part 3</strong>: sagas and event choreography</a> </li> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-postgresql-event-store" rel="noopener noreferrer"><strong>Part 4</strong>: PostgreSQL as an event store</a> </li> </ul> <p>If you followed Part 1, you know what an aggregate is and how <code>Transition()</code> reconstructs state from events. Now, a more concrete question: who decides to emit those events? Who validates that a command is legitimate? That's the role of the command handler.</p> <p>And that's where many CQRS projects drift. The handler starts clean, then accumulates dependencies. A repo here, an email service there. Three months later, you have a test that spins up a database to verify that a required field is actually required.</p> <p>There's a better way.</p> <h2> The problem with classic handlers </h2> <p>Here's what a "standard" handler looks like — the one you write when you apply CQRS without pushing the reasoning all the way through:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// ❌ Classic handler — depends on everything</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">OrderHandler</span><span class="p">)</span> <span class="n">PlaceOrder</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">cmd</span> <span class="n">PlaceOrderCmd</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">customer</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">customerRepo</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">cmd</span><span class="o">.</span><span class="n">CustomerID</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">order</span> <span class="o">:=</span> <span class="n">Order</span><span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="n">uuid</span><span class="o">.</span><span class="n">New</span><span class="p">(),</span> <span class="n">CustomerID</span><span class="o">:</span> <span class="n">customer</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">Items</span><span class="o">:</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Items</span><span class="p">,</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">orderRepo</span><span class="o">.</span><span class="n">Save</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">order</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">emailService</span><span class="o">.</span><span class="n">Send</span><span class="p">(</span><span class="n">customer</span><span class="o">.</span><span class="n">Email</span><span class="p">,</span> <span class="s">"Order placed"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>To test this function, you need: a mock <code>customerRepo</code>, a mock <code>orderRepo</code>, a mock <code>emailService</code>. Three mocks for a single test. And each test becomes a wiring exercise — you spend more time configuring the environment than testing the business logic.</p> <p>The worst part: the actual business logic fits in five lines. The rest is I/O. And that's precisely the problem: I/O and business logic are mixed together.</p> <h2> The magic signature </h2> <p>The solution fits in one signature:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">state</span> <span class="n">Order</span><span class="p">,</span> <span class="n">cmd</span> <span class="n">PlaceOrderCmd</span><span class="p">)</span> <span class="p">(</span><span class="n">Events</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> </code></pre> </div> <p>Three important things in this signature:</p> <ul> <li> The handler receives the <strong>current state</strong> of the aggregate — not a repository, not a DB connection. The state is already reconstructed when the handler is called.</li> <li> It returns <strong>events</strong> — not a modified state, not a boolean. Facts: "here's what happened".</li> <li> Zero I/O, zero side effects. The handler doesn't even know PostgreSQL exists.</li> </ul> <p>Here's the complete implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">PlaceOrderCmd</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">OrderID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">CustomerID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">Items</span> <span class="p">[]</span><span class="n">OrderItem</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">cmd</span> <span class="n">PlaceOrderCmd</span><span class="p">)</span> <span class="n">Validate</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">cmd</span><span class="o">.</span><span class="n">OrderID</span> <span class="o">==</span> <span class="n">uuid</span><span class="o">.</span><span class="n">Nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"order ID required"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">cmd</span><span class="o">.</span><span class="n">Items</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"at least one item required"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">type</span> <span class="n">PlaceOrderHandler</span> <span class="k">struct</span><span class="p">{}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="n">PlaceOrderHandler</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">state</span> <span class="n">Order</span><span class="p">,</span> <span class="n">cmd</span> <span class="n">PlaceOrderCmd</span><span class="p">)</span> <span class="p">(</span><span class="n">Events</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Validate</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// Business invariant: can't place an order that's already placed</span> <span class="k">if</span> <span class="n">state</span><span class="o">.</span><span class="n">Status</span> <span class="o">==</span> <span class="n">OrderStatusPlaced</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrOrderAlreadyPlaced</span> <span class="p">}</span> <span class="n">total</span> <span class="o">:=</span> <span class="m">0</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">item</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Items</span> <span class="p">{</span> <span class="n">total</span> <span class="o">+=</span> <span class="n">item</span><span class="o">.</span><span class="n">UnitPrice</span> <span class="o">*</span> <span class="n">item</span><span class="o">.</span><span class="n">Quantity</span> <span class="p">}</span> <span class="k">var</span> <span class="n">events</span> <span class="n">Events</span> <span class="n">events</span><span class="o">.</span><span class="n">Append</span><span class="p">(</span><span class="n">OrderPlaced</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">cmd</span><span class="o">.</span><span class="n">OrderID</span><span class="p">,</span> <span class="n">CustomerID</span><span class="o">:</span> <span class="n">cmd</span><span class="o">.</span><span class="n">CustomerID</span><span class="p">,</span> <span class="n">Items</span><span class="o">:</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Items</span><span class="p">,</span> <span class="n">Total</span><span class="o">:</span> <span class="n">total</span><span class="p">,</span> <span class="n">PlacedAt</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">(),</span> <span class="p">})</span> <span class="k">return</span> <span class="n">events</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>This handler is a pure function disguised as a method. Same inputs, same output, every time. No internal state. No hidden dependencies. Testable in complete isolation.</p> <h2> Validation in two layers </h2> <p>Look at the structure: validation is split into two distinct levels with different responsibilities.</p> <p><strong>Layer 1: <code>cmd.Validate()</code></strong> — structural validation. Required fields, correct formats, simple constraints. This validation can be called before even loading the aggregate from the store. No business context needed. It belongs to the command itself.</p> <p><strong>Layer 2: business invariants in the handler</strong> — these validations require the current state. "Can we cancel this order?" depends on the order's current status. Without state, you can't answer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">CancelOrderCmd</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">OrderID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">Reason</span> <span class="kt">string</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">cmd</span> <span class="n">CancelOrderCmd</span><span class="p">)</span> <span class="n">Validate</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Reason</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"cancellation reason required"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="n">CancelOrderHandler</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">state</span> <span class="n">Order</span><span class="p">,</span> <span class="n">cmd</span> <span class="n">CancelOrderCmd</span><span class="p">)</span> <span class="p">(</span><span class="n">Events</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Validate</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// Business invariants — depend on state</span> <span class="k">if</span> <span class="n">state</span><span class="o">.</span><span class="n">Status</span> <span class="o">==</span> <span class="n">OrderStatusShipped</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"cannot cancel shipped order"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">state</span><span class="o">.</span><span class="n">Status</span> <span class="o">==</span> <span class="n">OrderStatusCancelled</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"order already cancelled"</span><span class="p">)</span> <span class="p">}</span> <span class="k">var</span> <span class="n">events</span> <span class="n">Events</span> <span class="n">events</span><span class="o">.</span><span class="n">Append</span><span class="p">(</span><span class="n">OrderCancelled</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">cmd</span><span class="o">.</span><span class="n">OrderID</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Reason</span><span class="p">,</span> <span class="n">CancelledAt</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">(),</span> <span class="p">})</span> <span class="k">return</span> <span class="n">events</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>The separation is clean. Structural validation errors surface early, before any loading from the store. Business invariant errors surface later, when context is available.</p> <h2> Tests — 10 lines, no mocks </h2> <p>This is where the design pays off. Here's a complete test for the happy path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestPlaceOrder_Success</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">PlaceOrderHandler</span><span class="p">{}</span> <span class="n">state</span> <span class="o">:=</span> <span class="n">Order</span><span class="p">{}</span> <span class="c">// empty state = new order</span> <span class="n">cmd</span> <span class="o">:=</span> <span class="n">PlaceOrderCmd</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">uuid</span><span class="o">.</span><span class="n">New</span><span class="p">(),</span> <span class="n">CustomerID</span><span class="o">:</span> <span class="n">uuid</span><span class="o">.</span><span class="n">New</span><span class="p">(),</span> <span class="n">Items</span><span class="o">:</span> <span class="p">[]</span><span class="n">OrderItem</span><span class="p">{{</span><span class="n">ProductID</span><span class="o">:</span> <span class="s">"SKU-1"</span><span class="p">,</span> <span class="n">Quantity</span><span class="o">:</span> <span class="m">2</span><span class="p">,</span> <span class="n">UnitPrice</span><span class="o">:</span> <span class="m">1500</span><span class="p">}},</span> <span class="p">}</span> <span class="n">events</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">handler</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="n">state</span><span class="p">,</span> <span class="n">cmd</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"unexpected error: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">events</span><span class="p">)</span> <span class="o">!=</span> <span class="m">1</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"expected 1 event, got %d"</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">events</span><span class="p">))</span> <span class="p">}</span> <span class="n">placed</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">events</span><span class="p">[</span><span class="m">0</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="n">OrderPlaced</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"expected OrderPlaced, got %T"</span><span class="p">,</span> <span class="n">events</span><span class="p">[</span><span class="m">0</span><span class="p">])</span> <span class="p">}</span> <span class="k">if</span> <span class="n">placed</span><span class="o">.</span><span class="n">Total</span> <span class="o">!=</span> <span class="m">3000</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"expected total 3000, got %d"</span><span class="p">,</span> <span class="n">placed</span><span class="o">.</span><span class="n">Total</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>No mocks. No DB. No Docker. No setup/teardown. This test runs in microseconds on any machine.</p> <p>Business invariants test just as simply — just pass a state with the right status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestPlaceOrder_AlreadyPlaced</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">PlaceOrderHandler</span><span class="p">{}</span> <span class="n">state</span> <span class="o">:=</span> <span class="n">Order</span><span class="p">{</span><span class="n">Status</span><span class="o">:</span> <span class="n">OrderStatusPlaced</span><span class="p">}</span> <span class="c">// order already placed</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">handler</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="n">state</span><span class="p">,</span> <span class="n">PlaceOrderCmd</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">uuid</span><span class="o">.</span><span class="n">New</span><span class="p">(),</span> <span class="n">Items</span><span class="o">:</span> <span class="p">[]</span><span class="n">OrderItem</span><span class="p">{{</span><span class="n">ProductID</span><span class="o">:</span> <span class="s">"SKU-1"</span><span class="p">,</span> <span class="n">Quantity</span><span class="o">:</span> <span class="m">1</span><span class="p">,</span> <span class="n">UnitPrice</span><span class="o">:</span> <span class="m">100</span><span class="p">}},</span> <span class="p">})</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="n">ErrOrderAlreadyPlaced</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"expected ErrOrderAlreadyPlaced, got %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And table-driven tests are particularly readable because the only variable between cases is the initial state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestCancelOrder</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">tests</span> <span class="o">:=</span> <span class="p">[]</span><span class="k">struct</span> <span class="p">{</span> <span class="n">name</span> <span class="kt">string</span> <span class="n">state</span> <span class="n">Order</span> <span class="n">wantErr</span> <span class="kt">bool</span> <span class="p">}{</span> <span class="p">{</span><span class="s">"draft order"</span><span class="p">,</span> <span class="n">Order</span><span class="p">{</span><span class="n">Status</span><span class="o">:</span> <span class="n">OrderStatusDraft</span><span class="p">},</span> <span class="no">false</span><span class="p">},</span> <span class="p">{</span><span class="s">"placed order"</span><span class="p">,</span> <span class="n">Order</span><span class="p">{</span><span class="n">Status</span><span class="o">:</span> <span class="n">OrderStatusPlaced</span><span class="p">},</span> <span class="no">false</span><span class="p">},</span> <span class="p">{</span><span class="s">"shipped order"</span><span class="p">,</span> <span class="n">Order</span><span class="p">{</span><span class="n">Status</span><span class="o">:</span> <span class="n">OrderStatusShipped</span><span class="p">},</span> <span class="no">true</span><span class="p">},</span> <span class="p">{</span><span class="s">"already cancelled"</span><span class="p">,</span> <span class="n">Order</span><span class="p">{</span><span class="n">Status</span><span class="o">:</span> <span class="n">OrderStatusCancelled</span><span class="p">},</span> <span class="no">true</span><span class="p">},</span> <span class="p">}</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">tt</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">tests</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">tt</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">CancelOrderHandler</span><span class="p">{}</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="n">tt</span><span class="o">.</span><span class="n">state</span><span class="p">,</span> <span class="n">CancelOrderCmd</span><span class="p">{</span> <span class="n">OrderID</span><span class="o">:</span> <span class="n">uuid</span><span class="o">.</span><span class="n">New</span><span class="p">(),</span> <span class="n">Reason</span><span class="o">:</span> <span class="s">"changed mind"</span><span class="p">,</span> <span class="p">})</span> <span class="k">if</span> <span class="p">(</span><span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span><span class="p">)</span> <span class="o">!=</span> <span class="n">tt</span><span class="o">.</span><span class="n">wantErr</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"got err=%v, wantErr=%v"</span><span class="p">,</span> <span class="n">err</span><span class="p">,</span> <span class="n">tt</span><span class="o">.</span><span class="n">wantErr</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Four status cases, four lines in the table. The test logic is entirely in the data — which is exactly what table-driven tests aim for.</p> <h2> The Events type and Append() </h2> <p>The <code>Events</code> type is intentionally simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Events</span> <span class="p">[]</span><span class="n">DomainEvent</span> <span class="k">func</span> <span class="p">(</span><span class="n">e</span> <span class="o">*</span><span class="n">Events</span><span class="p">)</span> <span class="n">Append</span><span class="p">(</span><span class="n">event</span> <span class="n">DomainEvent</span><span class="p">)</span> <span class="p">{</span> <span class="o">*</span><span class="n">e</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="o">*</span><span class="n">e</span><span class="p">,</span> <span class="n">event</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>It's a slice. No event bus, no dispatcher, no middleware. Just a slice with a helper method so the calling code is a bit more readable than <code>*e = append(*e, event)</code>.</p> <p>Why so simple? Because the handler doesn't need to know what happens next. It emits events. That's it. What happens after — persistence, projections, sagas — is the command gateway's problem.</p> <h2> The full flow — from HTTP to storage </h2> <p>For the complete picture, here's what the command gateway does when it receives a command. The handler sees none of this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// What the CommandGateway does when it receives a command:</span> <span class="c">// 1. Load the aggregate's existing events from the store</span> <span class="c">// 2. Replay events to reconstruct state (via Transition())</span> <span class="c">// 3. Call handler.Handle(ctx, state, cmd)</span> <span class="c">// 4. Store the new events in the store</span> <span class="c">// 5. Notify event handlers (projections, sagas)</span> <span class="k">func</span> <span class="p">(</span><span class="n">g</span> <span class="o">*</span><span class="n">CommandGateway</span><span class="p">)</span> <span class="n">Dispatch</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">aggregateID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span><span class="p">,</span> <span class="n">cmd</span> <span class="n">Command</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Load and reconstruct the aggregate</span> <span class="n">storedEvents</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">g</span><span class="o">.</span><span class="n">store</span><span class="o">.</span><span class="n">Load</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">aggregateID</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"loading aggregate %s: %w"</span><span class="p">,</span> <span class="n">aggregateID</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">state</span> <span class="o">:=</span> <span class="n">g</span><span class="o">.</span><span class="n">aggregate</span><span class="o">.</span><span class="n">Rebuild</span><span class="p">(</span><span class="n">storedEvents</span><span class="p">)</span> <span class="c">// The handler knows nothing of what came before</span> <span class="n">newEvents</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">g</span><span class="o">.</span><span class="n">handler</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">state</span><span class="p">,</span> <span class="n">cmd</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// Store the new events</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">g</span><span class="o">.</span><span class="n">store</span><span class="o">.</span><span class="n">Append</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">aggregateID</span><span class="p">,</span> <span class="n">newEvents</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"appending events: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Notify projections and sagas (async)</span> <span class="n">g</span><span class="o">.</span><span class="n">bus</span><span class="o">.</span><span class="n">Publish</span><span class="p">(</span><span class="n">newEvents</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>The handler is called at step 3. It receives an already-reconstructed state, returns events, and doesn't know what comes before or after. This deliberate ignorance is what makes it testable.</p> <p>The details of the PostgreSQL store and event-based reconstruction are covered in Part 4. What matters here: the handler is pure.</p> <h2> Summary </h2> <ul> <li> <strong>Pure handler</strong>: no dependency on repos, DBs, or external services. Receives a state, returns events.</li> <li> <strong>Signature <code>Handle(ctx, state, cmd) (Events, error)</code></strong>: that's the contract. The entire architecture follows from it.</li> <li> <strong>Two-layer validation</strong>: structural on the command (<code>cmd.Validate()</code>), business in the handler. Each where it has the necessary context.</li> <li> <strong>Tests without mocks</strong>: build a state, call the handler, verify the events. No setup, no infrastructure, no Docker.</li> <li> <strong>Events as a slice</strong>: <code>type Events []DomainEvent</code>. No bus built into the handler. Routing complexity belongs elsewhere.</li> <li> <strong>The gateway orchestrates</strong>: loading from the store, state reconstruction, handler call, event persistence. The handler sees none of this — and that's intentional.</li> </ul> <p>Part 3 covers sagas: how to react to an event to trigger other commands, and how to orchestrate business processes that span multiple aggregates.</p> <p><strong>📄 Associated CLAUDE.md</strong></p> <p><a href="https://www.web-developpeur.com/blog/claude-md/view.php?ctx=cqrs-event-sourcing-go" rel="noopener noreferrer">View</a> • <a href="https://www.web-developpeur.com/blog/claude-md/contexts/cqrs-event-sourcing-go.md" rel="noopener noreferrer">Download</a> • <a href="https://www.web-developpeur.com/blog/claude-md/" rel="noopener noreferrer">Catalogue</a></p> cqrs eventsourcing go command Odilon HUGONNOT Mon, 20 Apr 2026 09:00:01 +0000 https://forem.com/ohugonnot/cqrs-in-go-part-1-the-aggregate-transition-and-the-clone-you-forget-142d https://forem.com/ohugonnot/cqrs-in-go-part-1-the-aggregate-transition-and-the-clone-you-forget-142d <p>CQRS in Go series:</p> <ul> <li> <strong>Part 1</strong>: the aggregate, Transition() and Clone()</li> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-command-handlers-testabilite" rel="noopener noreferrer"><strong>Part 2</strong>: command handlers without side effects</a> </li> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-sagas-choreographie-events" rel="noopener noreferrer"><strong>Part 3</strong>: sagas and event choreography</a> </li> <li> <a href="https://www.web-developpeur.com/en/blog/cqrs-go-postgresql-event-store" rel="noopener noreferrer"><strong>Part 4</strong>: PostgreSQL as an event store</a> </li> </ul> <h2> What an aggregate is </h2> <p>The aggregate is the guardian of business consistency. It's the one that says "no" when an operation is invalid: you can't cancel an order that's already been shipped, you can't add an item to a closed cart. This logic lives in the aggregate and nowhere else.</p> <p>In Event Sourcing, the aggregate has no directly persisted state. Its state is the result of replaying all its events from the beginning. Each event represents something that happened — immutable, factual, in the past. The aggregate replays them in order and reconstructs its current state.</p> <p>What the aggregate does not do: I/O. It doesn't read from the database, doesn't make HTTP requests, doesn't send emails. It receives a command, validates whether it can be applied to its current state, and emits events. That's it. This constraint is what makes it testable at zero cost.</p> <h2> The structure in Go </h2> <p>An <code>Order</code> aggregate in Go looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">OrderStatus</span> <span class="kt">string</span> <span class="k">const</span> <span class="p">(</span> <span class="n">OrderStatusDraft</span> <span class="n">OrderStatus</span> <span class="o">=</span> <span class="s">"draft"</span> <span class="n">OrderStatusPlaced</span> <span class="n">OrderStatus</span> <span class="o">=</span> <span class="s">"placed"</span> <span class="n">OrderStatusShipped</span> <span class="n">OrderStatus</span> <span class="o">=</span> <span class="s">"shipped"</span> <span class="n">OrderStatusCancelled</span> <span class="n">OrderStatus</span> <span class="o">=</span> <span class="s">"cancelled"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">OrderItem</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ProductID</span> <span class="kt">string</span> <span class="n">Quantity</span> <span class="kt">int</span> <span class="n">UnitPrice</span> <span class="kt">int</span> <span class="c">// in cents</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Order</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">OrderID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">CustomerID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">Status</span> <span class="n">OrderStatus</span> <span class="n">Items</span> <span class="p">[]</span><span class="n">OrderItem</span> <span class="n">Total</span> <span class="kt">int</span> <span class="n">CreatedAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> </code></pre> </div> <p>Two deliberate choices here. First, <strong>value struct, not a pointer</strong>. When you pass an <code>Order</code>, Go makes a copy of it. That's exactly what we want: two versions of a state don't share memory by default (except for slices and maps — we'll get to that). An aggregate passed by pointer between multiple goroutines is a source of silent bugs.</p> <p>Second, fields are exported here to simplify the example, but in production you keep them private to the package and only expose what's needed through methods. The aggregate is not a DTO.</p> <h2> Events as the source of truth </h2> <p>Events are facts that have occurred. They don't describe an intention — that's the role of commands — they describe what happened.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">OrderPlaced</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">OrderID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">CustomerID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">Items</span> <span class="p">[]</span><span class="n">OrderItem</span> <span class="n">Total</span> <span class="kt">int</span> <span class="n">PlacedAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> <span class="k">type</span> <span class="n">OrderItemAdded</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">OrderID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">Item</span> <span class="n">OrderItem</span> <span class="n">NewTotal</span> <span class="kt">int</span> <span class="p">}</span> <span class="k">type</span> <span class="n">OrderCancelled</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">OrderID</span> <span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span> <span class="n">Reason</span> <span class="kt">string</span> <span class="n">CancelledAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> </code></pre> </div> <p>Once emitted, an event never changes. You don't correct a past event — you emit a new event that compensates. That's the fundamental difference from an UPDATE in a database.</p> <p>The aggregate declares the event types it handles via <code>EventKinds()</code>. This is useful for the event store which needs to know how to deserialize stored events:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">o</span> <span class="n">Order</span><span class="p">)</span> <span class="n">EventKinds</span><span class="p">()</span> <span class="p">[]</span><span class="n">DomainEvent</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[]</span><span class="n">DomainEvent</span><span class="p">{</span> <span class="n">OrderPlaced</span><span class="p">{},</span> <span class="n">OrderItemAdded</span><span class="p">{},</span> <span class="n">OrderCancelled</span><span class="p">{},</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Transition() — the heart of the pattern </h2> <p><code>Transition()</code> is the method that applies an event to the current state and returns a new state. It's the only place where the aggregate's state evolves.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">o</span> <span class="n">Order</span><span class="p">)</span> <span class="n">Transition</span><span class="p">(</span><span class="n">event</span> <span class="n">DomainEvent</span><span class="p">)</span> <span class="n">Order</span> <span class="p">{</span> <span class="k">switch</span> <span class="n">e</span> <span class="o">:=</span> <span class="n">event</span><span class="o">.</span><span class="p">(</span><span class="k">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="n">OrderPlaced</span><span class="o">:</span> <span class="n">o</span><span class="o">.</span><span class="n">OrderID</span> <span class="o">=</span> <span class="n">e</span><span class="o">.</span><span class="n">OrderID</span> <span class="n">o</span><span class="o">.</span><span class="n">CustomerID</span> <span class="o">=</span> <span class="n">e</span><span class="o">.</span><span class="n">CustomerID</span> <span class="n">o</span><span class="o">.</span><span class="n">Status</span> <span class="o">=</span> <span class="n">OrderStatusPlaced</span> <span class="n">o</span><span class="o">.</span><span class="n">Items</span> <span class="o">=</span> <span class="n">e</span><span class="o">.</span><span class="n">Items</span> <span class="n">o</span><span class="o">.</span><span class="n">Total</span> <span class="o">=</span> <span class="n">e</span><span class="o">.</span><span class="n">Total</span> <span class="n">o</span><span class="o">.</span><span class="n">CreatedAt</span> <span class="o">=</span> <span class="n">e</span><span class="o">.</span><span class="n">PlacedAt</span> <span class="k">case</span> <span class="n">OrderItemAdded</span><span class="o">:</span> <span class="n">o</span><span class="o">.</span><span class="n">Items</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">o</span><span class="o">.</span><span class="n">Items</span><span class="p">,</span> <span class="n">e</span><span class="o">.</span><span class="n">Item</span><span class="p">)</span> <span class="n">o</span><span class="o">.</span><span class="n">Total</span> <span class="o">=</span> <span class="n">e</span><span class="o">.</span><span class="n">NewTotal</span> <span class="k">case</span> <span class="n">OrderCancelled</span><span class="o">:</span> <span class="n">o</span><span class="o">.</span><span class="n">Status</span> <span class="o">=</span> <span class="n">OrderStatusCancelled</span> <span class="p">}</span> <span class="k">return</span> <span class="n">o</span> <span class="p">}</span> </code></pre> </div> <p>The receiver is a value, not a pointer. When Go calls this method, it copies the current <code>Order</code> into <code>o</code>. We modify this copy and return it. If you ignore the return value, nothing has changed — the original <code>Order</code> is intact.</p> <p>It's a pure reducer, exactly like <code>Array.prototype.reduce</code> in JavaScript or <code>fold</code> in Haskell. The current state is a deterministic function of all past events:</p> <p><code>state = events.reduce(initialState, transition)</code></p> <p>The practical consequence: you can reconstruct the aggregate's state at any historical point in time by replaying events up to that point. To debug a bug that occurred on February 14th at 2:37 PM, replay the events up to that timestamp and inspect the state. No logs to dig through, no snapshots to restore.</p> <h2> The Clone() trap — the silent bug </h2> <p>This is where most CQRS implementations in Go fall apart. And it's silent: no panic, no error, just corrupted data.</p> <p>The problem comes from Go's memory model for slices. A slice is a three-field structure: a pointer to the backing array, a length, and a capacity. When Go copies a struct containing a slice, it copies these three fields — but not the backing array. Both copies point to the same array in memory.</p> <p><code>append</code> is particularly treacherous. If the slice has enough capacity to accommodate the new element, <code>append</code> writes directly into the existing backing array without allocating a new one. Result: the old state is modified without the code knowing it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="s">"fmt"</span> <span class="k">type</span> <span class="n">OrderItem</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ProductID</span> <span class="kt">string</span> <span class="n">Quantity</span> <span class="kt">int</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Order</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Items</span> <span class="p">[]</span><span class="n">OrderItem</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Slice with capacity 4, length 1 — enough room for append without reallocation</span> <span class="n">original</span> <span class="o">:=</span> <span class="n">Order</span><span class="p">{</span> <span class="n">Items</span><span class="o">:</span> <span class="nb">make</span><span class="p">([]</span><span class="n">OrderItem</span><span class="p">,</span> <span class="m">1</span><span class="p">,</span> <span class="m">4</span><span class="p">),</span> <span class="p">}</span> <span class="n">original</span><span class="o">.</span><span class="n">Items</span><span class="p">[</span><span class="m">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">OrderItem</span><span class="p">{</span><span class="n">ProductID</span><span class="o">:</span> <span class="s">"A"</span><span class="p">,</span> <span class="n">Quantity</span><span class="o">:</span> <span class="m">1</span><span class="p">}</span> <span class="c">// Simulate a naive Transition: copy the struct, append to the copy</span> <span class="n">modified</span> <span class="o">:=</span> <span class="n">original</span> <span class="n">modified</span><span class="o">.</span><span class="n">Items</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">modified</span><span class="o">.</span><span class="n">Items</span><span class="p">,</span> <span class="n">OrderItem</span><span class="p">{</span><span class="n">ProductID</span><span class="o">:</span> <span class="s">"B"</span><span class="p">,</span> <span class="n">Quantity</span><span class="o">:</span> <span class="m">2</span><span class="p">})</span> <span class="c">// The trap: append wrote into the shared backing array.</span> <span class="c">// original.Items still points to len=1, but index [1] in memory</span> <span class="c">// now contains product "B". Reslice and it reappears.</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"original length:"</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">original</span><span class="o">.</span><span class="n">Items</span><span class="p">))</span> <span class="c">// 1 — reassuring</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"modified length:"</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">modified</span><span class="o">.</span><span class="n">Items</span><span class="p">))</span> <span class="c">// 2</span> <span class="c">// But:</span> <span class="n">ghost</span> <span class="o">:=</span> <span class="n">original</span><span class="o">.</span><span class="n">Items</span><span class="p">[</span><span class="o">:</span><span class="m">2</span><span class="p">]</span> <span class="c">// Reslice within existing capacity</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"ghost item:"</span><span class="p">,</span> <span class="n">ghost</span><span class="p">[</span><span class="m">1</span><span class="p">]</span><span class="o">.</span><span class="n">ProductID</span><span class="p">)</span> <span class="c">// "B" — it's there</span> <span class="p">}</span> </code></pre> </div> <p>In practice in a CQRS system, this scenario occurs as soon as you store a snapshot or pass a state between goroutines. The old state you thought was immutable has been silently modified.</p> <p>The solution is <code>Clone()</code>. Before any <code>Transition()</code>, explicitly clone the state to break the link with the backing array:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">o</span> <span class="n">Order</span><span class="p">)</span> <span class="n">Clone</span><span class="p">()</span> <span class="n">Order</span> <span class="p">{</span> <span class="n">c</span> <span class="o">:=</span> <span class="n">o</span> <span class="k">if</span> <span class="n">o</span><span class="o">.</span><span class="n">Items</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">Items</span> <span class="o">=</span> <span class="nb">make</span><span class="p">([]</span><span class="n">OrderItem</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">o</span><span class="o">.</span><span class="n">Items</span><span class="p">))</span> <span class="nb">copy</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">Items</span><span class="p">,</span> <span class="n">o</span><span class="o">.</span><span class="n">Items</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">c</span> <span class="p">}</span> </code></pre> </div> <p><code>copy</code> allocates a new backing array and copies the elements into it. After that, <code>c.Items</code> and <code>o.Items</code> are completely independent. Any subsequent <code>append</code> on one doesn't touch the other.</p> <p>The same constraint applies to maps. Go copies the reference, not the content. A <code>Cart</code> with a map requires an explicit deep clone:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Cart</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Items</span> <span class="k">map</span><span class="p">[</span><span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span><span class="p">]</span><span class="n">CartItem</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">c</span> <span class="n">Cart</span><span class="p">)</span> <span class="n">Clone</span><span class="p">()</span> <span class="n">Cart</span> <span class="p">{</span> <span class="n">clone</span> <span class="o">:=</span> <span class="n">c</span> <span class="n">clone</span><span class="o">.</span><span class="n">Items</span> <span class="o">=</span> <span class="nb">make</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="n">uuid</span><span class="o">.</span><span class="n">UUID</span><span class="p">]</span><span class="n">CartItem</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">Items</span><span class="p">))</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">c</span><span class="o">.</span><span class="n">Items</span> <span class="p">{</span> <span class="n">clone</span><span class="o">.</span><span class="n">Items</span><span class="p">[</span><span class="n">k</span><span class="p">]</span> <span class="o">=</span> <span class="n">v</span> <span class="p">}</span> <span class="k">return</span> <span class="n">clone</span> <span class="p">}</span> </code></pre> </div> <p>If <code>CartItem</code> itself contains slices or maps, you need to go one level deeper. That's the only case where the depth of the clone depends on the actual data structure — there's no safe generic shortcut in Go.</p> <p>The production rule: <strong>always call <code>Clone()</code> before <code>Transition()</code></strong>. You can also integrate it directly into <code>Transition()</code> as the first instruction, which makes the pattern foolproof at the cost of a systematic copy even when it's not needed. For most aggregates, this overhead is negligible.</p> <h2> Replay — reconstructing state from events </h2> <p>With <code>Clone()</code> and <code>Transition()</code> in place, the replay fits in five lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Replay</span><span class="p">(</span><span class="n">events</span> <span class="p">[]</span><span class="n">DomainEvent</span><span class="p">)</span> <span class="n">Order</span> <span class="p">{</span> <span class="k">var</span> <span class="n">state</span> <span class="n">Order</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">event</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">events</span> <span class="p">{</span> <span class="n">state</span> <span class="o">=</span> <span class="n">state</span><span class="o">.</span><span class="n">Clone</span><span class="p">()</span><span class="o">.</span><span class="n">Transition</span><span class="p">(</span><span class="n">event</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">state</span> <span class="p">}</span> </code></pre> </div> <p>Start from an empty <code>Order</code>, apply each event in order, and get the final state. Proof that the aggregate is pure: this function is deterministic. Same list of events, same result, every time. No network calls, no cache, no system clock. You can call it from a test without any mocks.</p> <p>Replay is also what allows you to fix bugs after the fact. If the logic in <code>Transition()</code> was incorrect and you fix it, you can replay all historical events and get corrected states — provided the events themselves are correct, which they are by definition since they represent what actually happened.</p> <h2> Summary </h2> <ul> <li> The aggregate is the guardian of business consistency. It does no I/O.</li> <li> Its state is a pure function of the events it has received since its creation.</li> <li> <code>Transition(event)</code> applies an event and returns a new state — method on a value, not a pointer.</li> <li> Go copies structs by value, but slices and maps share their backing store. Without <code>Clone()</code>, mutations via <code>append</code> can silently corrupt old states.</li> <li> <code>Clone()</code> must deep copy all collections in the struct.</li> <li> Replay reconstructs any historical state by replaying events — no I/O, therefore trivially testable.</li> </ul> <p>Part 2 covers command handlers: how to validate a command against the aggregate's current state, emit the appropriate events, and keep everything free of side effects and implicit dependencies.</p> <p><strong>📄 Associated CLAUDE.md</strong></p> <p><a href="https://www.web-developpeur.com/blog/claude-md/view.php?ctx=cqrs-event-sourcing-go" rel="noopener noreferrer">View</a> • <a href="https://www.web-developpeur.com/blog/claude-md/contexts/cqrs-event-sourcing-go.md" rel="noopener noreferrer">Download</a> • <a href="https://www.web-developpeur.com/blog/claude-md/" rel="noopener noreferrer">Catalogue</a></p> cqrs eventsourcing go aggregate