industry | 2026-05-24 | 12 min read

SOC 2 audit: I found missing rows in the tier_events table, an applyTiersToAll silent failure (PR #629 HHH-prelim)

Selami is a 44-year-old independent SOC 2 + ISO 27001 audit specialist from Erkilet, Kayseri, with 16 years of experience: 8 years in Big Four risk advisory and 8 years solo. In Q2 2026 he ran thMenu's annual SOC 2 Type II re-certification, covering CC7.1 and CC7.2. His methodology is a sample-based test that cross-correlates the audit-log table with the system's actual state-change events; the sample he picked was affiliate tier changes. The tier_events table held 60 rows, while affiliate_profiles.commission_rate showed changes for 72 distinct affiliates in the last 90 days. That is 12 rows missing. SOC 2 CC7.1 requires that every significant change in the system be tracked, so a missing audit-log entry counts as a gap. Selami wrote to the compliance team: 72 affiliate tier changes, 12 of which do not appear in tier_events; which process is supposed to INSERT them, and is this a partial failure?

Engineering offered three wrong theories. (1) Manual super-admin tier flips might not be audited; but there were 0 manual flips in the 90 days. (2) A Stripe webhook async race condition; but PR #621 (batch FFF F3) shipped the OCC race-guard, and the tier_events insert on that path is normal. (3) Does the PR #621 FFF F3 race-guard skip path bypass the audit? The log shows 3 such cases, which does not explain 12. The correct theory: in the applyTiersToAll cron the tier_events INSERT fails, but the bulk return value silently swallows it.

The forensic analysis covered cloudflare/src/cron-jobs/affiliate.ts:applyTiersToAll and apps/web-admin/src/lib/affiliate/tier.ts:evaluateTier. PR #626 (batch GGG F1) added audit_logged: boolean to evaluateTier's return type to signal the case where the tier upgrade succeeded and commission_rate is current but the tier_events INSERT failed (Supabase outage, FK constraint mismatch, transient error). Every evaluateTier caller is expected to read this flag and surface the partial failure. The Stripe webhook handler does so: it awaits evaluateTier and, if result.audit_logged is false, emits console.warn with the [BEACON:tier_audit_failed] marker, which the SOC 2 logger picks up. BUT applyTiersToAll discarded the flag: const results = await Promise.all(affiliates.map(a => evaluateTier(a.id))); return { total: affiliates.length, upgraded: results.filter(r => r.upgraded).length }.

Only the upgraded count survives; audit_logged: false is silently swallowed in the loop. The aggregate response reads "100 affiliates processed, 12 upgraded" with a green check, while in reality 12 were upgraded but 3 of the tier_events INSERTs failed, an audit gap. The source of the 12 missing rows was transient Supabase API errors during the nightly applyTiersToAll cron: the commission_rate update succeeds (atomic OCC race-guard, commission_rate updated first), then the tier_events INSERT gets a Supabase 503, evaluateTier returns audit_logged: false, and applyTiersToAll discards it.

PR #629 (batch HHH-prelim) is the minimal fix: two new return fields, upgraded_audit_failed: number and upgraded_audit_failed_ids: string[], the latter capped at 100. The loop becomes: const auditFails = results.filter(r => r.upgraded && !r.audit_logged); return { total, upgraded, upgraded_audit_failed: auditFails.length, upgraded_audit_failed_ids: auditFails.map(r => r.affiliate_id).slice(0, 100) }. When the count is > 0 the cron emits console.warn with the [BEACON:tier_audit_failed_bulk] marker, so Logpush, Sentry and the SOC 2 logger all see the partial failure.

The production backfill reconstructed the 12 missing rows by cross-correlating commission_rate and tier_changed_at against tier_events, then INSERTed them into tier_events with source cron:applyTiersToAll:retro-backfill. Selami recorded the audit finding at MEDIUM severity; after the deploy and the backfill it was marked RESOLVED, and the 2026 SOC 2 Type II received a clean opinion. Selami's LinkedIn post on the 48-hour reproduce + fix + backfill reached 1.7k. Cillian, an independent SOC 2 + ISO 27001 auditor from Donnybrook, Dublin, with 14 years auditing Irish and UK SaaS companies, reached the same clean opinion in a parallel audit.

The pattern: when a per-item function returns a partial-failure flag (audit_logged: false), the bulk caller must forward it in its aggregate response. This is the silent-failure-mode pattern: if the aggregate API says all green while not reflecting reality, nothing downstream ever sees the gap. A sibling-surface sweep covered cron/process-deletions (r2_objects_attempted vs r2_objects_deleted), cron/affiliate.releaseClawback (clawback_status), cron/feedback-sentiment (AI failure ratio) and cron/inventory-predict (AI and push failure ratios).

Implementation checklist: every per-item function declares all of its partial-failure flags explicitly in its return type; the bulk caller filters, counts and aggregates them into *_audit_failed and capped *_failed_ids fields; a structured [BEACON:] log marker is emitted and picked up by Sentry; the operator dashboard gets a partial-failure widget; the PR template gets a checkbox; and the quarterly audit cross-correlates again. PR #629 is the reference.
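The per-item flag and the bulk aggregation described above, as an added example that is not thMenu's code. It keeps the names the post gives (evaluateTier, applyTiersToAll, audit_logged, upgraded_audit_failed, upgraded_audit_failed_ids, the beacon marker); the TierResult and BulkResult types, aggregateTierResults, the injected evaluator and the warn parameter are assumptions made so the partial-failure path runs without a database.

```typescript
// Added example (not thMenu's code). Type and helper names other than those
// named in the post are assumptions for this illustration.

interface TierResult {
  affiliate_id: string;
  upgraded: boolean;
  // false: commission_rate was updated but the tier_events INSERT failed
  audit_logged: boolean;
}

interface BulkResult {
  total: number;
  upgraded: number;
  upgraded_audit_failed: number;
  upgraded_audit_failed_ids: string[]; // capped at AUDIT_FAIL_ID_CAP
}

const AUDIT_FAIL_ID_CAP = 100;

// Pure aggregation step, kept separate from the I/O so the partial-failure
// path can be exercised offline. This is the loop the PR #629 fix describes.
function aggregateTierResults(
  results: TierResult[],
  warn: (msg: string, detail?: unknown) => void = console.warn,
): BulkResult {
  // Upgrade applied but no audit row: the case the old return value hid.
  const auditFails = results.filter((r) => r.upgraded && !r.audit_logged);
  const summary: BulkResult = {
    total: results.length,
    upgraded: results.filter((r) => r.upgraded).length,
    upgraded_audit_failed: auditFails.length,
    upgraded_audit_failed_ids: auditFails
      .map((r) => r.affiliate_id)
      .slice(0, AUDIT_FAIL_ID_CAP),
  };
  // A non-zero count is what Logpush, Sentry and the SOC 2 logger pick up.
  if (summary.upgraded_audit_failed > 0) {
    warn("[BEACON:tier_audit_failed_bulk]", summary);
  }
  return summary;
}

// Bulk caller with the evaluator injected (the real one talks to Supabase).
async function applyTiersToAll(
  affiliateIds: string[],
  evaluateTier: (id: string) => Promise<TierResult>,
): Promise<BulkResult> {
  const results = await Promise.all(affiliateIds.map((id) => evaluateTier(id)));
  return aggregateTierResults(results);
}
```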


thMenu Team

thmenu.com
