CQRS+ES: The Pubsub Bridge for Command Outcomes and Atomic Audit Logging

The event-XOR-error invariant on command handlers. How to inform the caller of a business outcome without breaking the event/error separation, and why audit logging must be atomic.

domenica 14 giugno 2026 New tab

919 words~4 min read

In the previous articles of this series, we covered the network and security layers of the authentication service: PKCS#12, timing oracle, mTLS, CRL. Let's now dive into the application architecture. The service is built with CQRS + Event Sourcing, and two non-obvious patterns deserve an article.

The event-XOR-error invariant

In a well-disciplined CQRS/ES system, a command handler does exactly one thing: it emits an event OR returns an error. Never both. Never neither.

func (h *LoginHandler) Handle(cmd LoginCommand) ([]Event, error) {

user, err := h.repo.Load(cmd.UserID)

CQRS+ES: The Pubsub Bridge for Command Outcomes and Atomic Audit Logging

CQRS+ES: The Pubsub Bridge for Command Outcomes and Atomic Audit Logging

Related reading

System Design - 14. Event-Driven Architecture: Event Sourcing, CQRS, and the…

Architecture of Chaos Part 3 — Event Sourcing Saved Our Audit Trail, Then a…

CQRS: Where It Helps and Where It Hurts in Backend Systems

Optimistic concurrency is the whole design: event sourcing on Aurora DSQL

Edict: a CQRS framework for .NET, built in two weeks with Claude

I Should Have Put Events in the Same Database as the Aggregate Root—Heres What…

Related reading

System Design - 14. Event-Driven Architecture: Event Sourcing, CQRS, and the…

Architecture of Chaos Part 3 — Event Sourcing Saved Our Audit Trail, Then a…

CQRS: Where It Helps and Where It Hurts in Backend Systems

Optimistic concurrency is the whole design: event sourcing on Aurora DSQL

Edict: a CQRS framework for .NET, built in two weeks with Claude

I Should Have Put Events in the Same Database as the Aggregate Root—Heres What…