Question
Design a tamper-evident audit-log system for a financial platform that must record every privileged action (admin logins, permission changes, money movements) such that no one — not even a DBA or a compromised insider with write access — can silently alter or delete a past entry. It ingests ~80k events/sec, must support compliance queries over years of history, and must let an auditor cryptographically prove the log has not been tampered with. Cover the append-only structure, the integrity mechanism, and how you detect deletion vs. modification.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.