Comment by notpushkin
1 month ago
Hmm, I guess I did Keybase a disservice. They do use a chain per user, and also store each leaf in a global Merkle tree, and then also store the new Merkle tree root hash in a blockchain (previously Bitcoin, currently Stellar).
Although I think there are ways to make Merkle trees append-only (see e.g. the Certificate Transparency protocol [1]). This should be a suitable audit log implementation, even if a bit more tricky. That said, it is probably overkill for most scenarios!
[1]: 2.1.2. Merkle Consistency Proofs: https://datatracker.ietf.org/doc/html/rfc6962#section-2.1.2
As for the DSL, I think I’m more interested in the specific use cases for changing the rules at runtime, considering that you have to change the code to e.g. add a new endpoint. Is it perhaps a common thing to tweak for each tenant or something?
Personally, I’m considering pgfga [2] for my next project, though the rules will probably live in the codebase for now :-)
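The append-only check the comment points to (RFC 6962, section 2.1.2), as an added example that is not part of the original comment: a consistency proof lets an auditor who remembers an old root confirm that a larger log still contains the same first m entries. The function names and the sample entries are constructed for illustration, and the verifier is a recursive mirror of the RFC's proof definition rather than code from any CT implementation.

```python
import hashlib

ENTRIES = [b"entry-%d" % i for i in range(7)]  # constructed sample audit log

def leaf_hash(data):
    return hashlib.sha256(b"\x00" + data).digest()   # 0x00 prefix: leaf

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01: interior

def split(n):
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two < n

def root(entries):
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = split(len(entries))
    return node_hash(root(entries[:k]), root(entries[k:]))

def consistency_proof(m, entries, whole=True):
    # SUBPROOF from RFC 6962 2.1.2; `whole` is the RFC's boolean flag b.
    if m == len(entries):
        return [] if whole else [root(entries)]
    k = split(len(entries))
    if m <= k:
        return consistency_proof(m, entries[:k], whole) + [root(entries[k:])]
    return consistency_proof(m - k, entries[k:], False) + [root(entries[:k])]

def _rebuild(m, n, proof, whole, old_root):
    # Recompute (old subtree hash, new subtree hash) from the proof nodes.
    if m == n:
        if len(proof) != (0 if whole else 1):
            raise ValueError("malformed proof")
        h = old_root if whole else proof[0]
        return h, h
    k, sibling = split(n), proof[-1]  # IndexError if the proof is too short
    if m <= k:  # old tree lies entirely inside the left subtree
        old, new = _rebuild(m, k, proof[:-1], whole, old_root)
        return old, node_hash(new, sibling)
    old, new = _rebuild(m - k, n - k, proof[:-1], False, old_root)
    return node_hash(sibling, old), node_hash(sibling, new)

def verify_consistency(m, old_root, n, new_root, proof):
    # True only if the size-n tree is an append-only extension of the size-m tree.
    try:
        if not 0 < m <= n:
            raise ValueError("bad tree sizes")
        old, new = _rebuild(m, n, proof, True, old_root)
    except (ValueError, IndexError):
        return False
    return old == old_root and new == new_root
```

The auditor only needs to store the last root it accepted; a log operator that rewrites an earlier entry cannot produce a proof linking that stored root to the new one.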