Production-impacting changes require a second reviewer.
Approval is a flow, not a checkbox. Requested → assigned → approved → applied. Each step writes an audit row.
●Product
Tenant as a first-class primitive.
Every flag, every rule, every audit row is tenant-scoped at the storage layer. Bypass is impossible — not because the SDK asks nicely, but because the row can't be written without one.
●Architecture
The whole platform is built around one data primitive.
MVP runs on Firebase. A custom data plane is a post-PMF decision, not day one.
Layer 04SDK
evaluate()
subscribe()
audit()
Layer 03Rules
flag
tenant override
rollout
approval
Layer 02Tenant
tenant_id
env
scope
region
Layer 01Storage
firestore
onSnapshot · change log
cloud functions
●SDK
Tenant is required at the API surface.
TypeScript first today. A Web SDK is on the v1 roadmap; edge resolution lands in v1.5. The evaluation API requires a tenant — enforced server-side, not optional.
typescript · argus-sdk@v0
// scoped, deterministic, reversible const flag = await argus.evaluate({ key: "new_billing_v2", tenant: ctx.tenantId, // required env: "prod", }); if (flag.on) renderNewBilling(); // → audit row written, scoped to tenant. // → reversible from the dashboard in one click. // → impossible to evaluate without a tenant.
●Tenant overrides
Resolution order, plainly stated.
Tenant override documents are first-class — not a special case of segments. They have their own audit stream and resolution lane.
→
Default
flag default value at evaluation time
→
Flag rule
global rule (env, segment, version target)
→
Tenant override
tenant-owned override document · audited
→
Rollout
deterministic hash · tenant_id + flag_key + salt
→
Resolved value
flag.on · with source metadata in response
→
Audit row
append-only · tenant-scoped · reconciled
●Approvals & RBAC
Two engineers approve prod. Roles scope to tenant.
Roles bind to account · tenant · flag.
A support lead can read tenant truth without touching prod. An approver scoped to tenant B cannot approve tenant A.
●Audit log
Append-only. Tenant-scoped. Source metadata travels.
Every resolution response carries the source of the value (default · rule · override · rollout). Every change writes a row you can query by tenant.
argus / audit · tenant=98chimp
streaming
flag=new_billing_v2 tenant=98chimp env=prod before=off after=50% actor=shahin
just now
approval=applied flag=new_billing_v2 approvers=marco, shahin
2m
override=created flag=kyc_lite tenant=98chimp value=on
14m
rbac=grant role=approver scope=tenant:98chimp subject=roberto@98chimp.com
38m
4 rows · last 1h · exportable to your siem
append-only
●Capability matrix
Multi-tenancy as the first row, not a checkbox.
Honest comparison against the alternatives most teams already run. We update this page as the tools ship changes.
●Roadmap
Plain text. Honest horizons.
v0 · MVP on Firebase
- Tenant-scoped evaluation API
- Per-tenant override documents
- Two-engineer prod approval
- Tenant-scoped RBAC
- Immutable audit rows
- Reversible tenant-scoped rollback
v1 · with design partners
- TypeScript / Web SDK
- Tenant feature matrix export (CSV + API)
- Audit feed export to customer SIEM
- Self-host helm chart (control + data parity)
v1.5+ · with proof
- Edge resolution
- Code-reference scanning · dead flag detection
- SOC 2 audit export packaging
- Operational AI · tenant rollout suggestions from history