by asciimike
1508 days ago
A long time ago, I was the PM on Firestore security rules, which was intended to solve both of those issues. https://github.com/FirebaseExtended/protobuf-rules-gen was the closest we got: declaring types as protobufs (because Google, of course) and then generating both security rules to guarantee validity as well as client types that would match. I wanted to add proto annotations to do additional validity (e.g. add a regex to validate the phone number string was correct, do length checks on strings, etc.), but we never quite got there (not sure proto annotations are a thing externally either). The short answer is that backend rules engines, either in their own DSL or bolted on to e.g. SQL, are pretty tough to get right, and have a super steep learning curve. IMO, AWS API Gateway with Lambda Authorizers get this most correct: it offers a programming model that people are familiar with (writing code to access external resources to make the authZ decision) with a clear performance tradeoff (ability to cache the result for a period of time).
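A sketch of the generate-rules-from-types idea described in this comment, added here as an example and not protobuf-rules-gen's own code: a small field schema carrying type, max-length and regex constraints is turned into Firestore security rules that reject writes with missing, extra, mistyped, oversized or malformed fields. The `Field` schema, the `users` collection and the phone regex are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Field:
    name: str
    kind: str                      # rules-language type: string, int, bool, ...
    max_len: Optional[int] = None  # strings only
    pattern: Optional[str] = None  # strings only, RE2 syntax for matches()
    required: bool = True

def field_condition(f: Field) -> str:
    # One rules-language boolean expression validating a single field.
    ref = f"request.resource.data.{f.name}"
    conds = [f"{ref} is {f.kind}"]
    if f.kind == "string" and f.max_len is not None:
        conds.append(f"{ref}.size() <= {f.max_len}")
    if f.kind == "string" and f.pattern is not None:
        # rules string literals are quoted; escape backslashes and quotes
        esc = f.pattern.replace("\\", "\\\\").replace("'", "\\'")
        conds.append(f"{ref}.matches('{esc}')")
    expr = " && ".join(conds)
    if f.required:
        return expr
    # optional field: absent is fine; if present it must still validate
    return f"(!('{f.name}' in request.resource.data) || ({expr}))"

def generate_rules(collection: str, fields: list[Field]) -> str:
    # Emit a rules file that allows create/update only for documents that validate.
    all_keys = ", ".join(f"'{f.name}'" for f in fields)
    req_keys = ", ".join(f"'{f.name}'" for f in fields if f.required)
    conds = [f"request.resource.data.keys().hasAll([{req_keys}])",   # nothing missing
             f"request.resource.data.keys().hasOnly([{all_keys}])"]  # nothing extra
    conds += [field_condition(f) for f in fields]
    body = "\n        && ".join(conds)
    return (
        "rules_version = '2';\n"
        "service cloud.firestore {\n"
        "  match /databases/{database}/documents {\n"
        f"    match /{collection}/{{docId}} {{\n"
        f"      allow create, update: if\n        {body};\n"
        "      allow read: if request.auth != null;\n"
        "    }\n  }\n}\n"
    )

# Constructed schema: the phone regex and string length checks the comment describes.
PROFILE = [
    Field("displayName", "string", max_len=64),
    Field("phone", "string", pattern=r"^\+[0-9]{7,15}$"),
    Field("age", "int", required=False),
]
PROFILE_RULES = generate_rules("users", PROFILE)
```

Printing `PROFILE_RULES` gives a deployable rules file; the same schema object is what a client-type generator would consume, which is the consistency the comment was after.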