REST in Peace

docs.eventsourcingdb.io

6 points by goloroden 17 days ago · 3 comments

malklera 14 days ago

Learn something new every day.

Something that comes to mind as a "problem" is that popular DBs are not designed to manage this (at least I do not think so), so you can have a DB and violate the principle of only appending, and the DB will let you.

And how difficult is it to migrate to this model or away? Although this is the same "problem" with any model, I suppose.
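An added illustration of the point raised in the comment above, using SQLite (this is example code written for this page, not code from the thread or from EventSourcingDB): a general-purpose database does not know that an event table is supposed to be append-only, so an `UPDATE` or `DELETE` against it succeeds silently. The second store below adds the missing guard as `BEFORE UPDATE` / `BEFORE DELETE` triggers that abort the statement, and the `try_rewrite_history` helper shows the difference. The table layout and event payloads are constructed for the example.

```python
import sqlite3

# Constructed event table: position is the global append order.
SCHEMA = """
CREATE TABLE events (
    position INTEGER PRIMARY KEY AUTOINCREMENT,
    stream   TEXT NOT NULL,
    type     TEXT NOT NULL,
    payload  TEXT NOT NULL
);
"""

# The guard the database does not provide by itself: refuse any
# statement that would rewrite or erase history.
APPEND_ONLY_TRIGGERS = """
CREATE TRIGGER events_no_update BEFORE UPDATE ON events
BEGIN
    SELECT RAISE(ABORT, 'events table is append-only: UPDATE rejected');
END;
CREATE TRIGGER events_no_delete BEFORE DELETE ON events
BEGIN
    SELECT RAISE(ABORT, 'events table is append-only: DELETE rejected');
END;
"""


def open_store(enforce_append_only: bool) -> sqlite3.Connection:
    """Open an in-memory store, optionally with the append-only triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if enforce_append_only:
        conn.executescript(APPEND_ONLY_TRIGGERS)
    return conn


def append(conn: sqlite3.Connection, stream: str, event_type: str, payload: str) -> int:
    """Append one event and return its position (the only write the model allows)."""
    cur = conn.execute(
        "INSERT INTO events (stream, type, payload) VALUES (?, ?, ?)",
        (stream, event_type, payload),
    )
    conn.commit()
    return cur.lastrowid


def count_events(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def try_rewrite_history(conn: sqlite3.Connection) -> dict:
    """Attempt an UPDATE and a DELETE on the first event; report whether each got through.

    With a plain table both are 'allowed'; with the triggers both are 'rejected'.
    """
    attempts = {
        "update": "UPDATE events SET payload = '{}' WHERE position = 1",
        "delete": "DELETE FROM events WHERE position = 1",
    }
    outcome = {}
    for name, statement in attempts.items():
        try:
            conn.execute(statement)
            conn.commit()
            outcome[name] = "allowed"
        except sqlite3.DatabaseError:  # RAISE(ABORT, ...) surfaces as a constraint error
            conn.rollback()
            outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    for enforce in (False, True):
        store = open_store(enforce_append_only=enforce)
        append(store, "cart-42", "ItemAdded", '{"sku": "A-1", "qty": 1}')
        print("triggers" if enforce else "plain   ", try_rewrite_history(store), "events left:", count_events(store))
```

Triggers live inside the same database, so anyone with DDL rights can drop them; in Postgres or MySQL the complementary control is a dedicated application role that is granted only `INSERT` and `SELECT` on the event table, so the application connection cannot issue the offending statements at all. Migrating onto or off this model is mostly a matter of replaying the event log into (or out of) the other schema, since the log is the complete record.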

FrankWilhoit 17 days ago

Just one pinprick: "discovering capabilities at runtime" is a security antipattern. There can never be wildcard roles. Every interaction must specify one (possibly composed) role.

  • golorodenOP 17 days ago

    I think two different meanings of "capabilities" are getting conflated here. In the HATEOAS sense, capabilities are the state transitions a server advertises via hypermedia links – an API discovery mechanism, not an authorization model. Roles and permissions are orthogonal to that and of course still enforced server-side on every request. A server that takes hypermedia seriously only advertises links the current user is actually allowed to follow, which is arguably a security plus.

    Also worth noting: that sentence was just a historical aside about Fielding's original definition. The actual argument of the piece is that what most people call REST is really CRUD over HTTP, and that commands and queries are a better fit.
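An added example of the distinction drawn in the exchange above (example code written for this page, not from the thread or from EventSourcingDB): hypermedia links are a discovery mechanism, so the representation advertises only the state transitions the caller is permitted to follow, while the command handler enforces the same permission and state checks on every request regardless of what was advertised. The order aggregate, its transitions, the role-to-permission map and the user names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed command model: which states a command is valid from, the
# permission it needs, and the state it produces.
TRANSITIONS = {
    "ship":   {"from": {"paid"},        "permission": "orders:ship",   "to": "shipped"},
    "cancel": {"from": {"new", "paid"}, "permission": "orders:cancel", "to": "cancelled"},
    "refund": {"from": {"shipped"},     "permission": "orders:refund", "to": "refunded"},
}

# Constructed authorization model, orthogonal to the hypermedia layer.
ROLE_PERMISSIONS = {
    "customer":  {"orders:cancel"},
    "warehouse": {"orders:ship"},
    "finance":   {"orders:refund", "orders:cancel"},
}


@dataclass
class User:
    name: str
    roles: FrozenSet[str]

    def can(self, permission: str) -> bool:
        return any(permission in ROLE_PERMISSIONS.get(role, ()) for role in self.roles)


@dataclass
class Order:
    id: str
    state: str


def allowed_transitions(order: Order, user: User) -> list:
    """Commands that are both valid in the current state and permitted for this user."""
    return sorted(
        name for name, t in TRANSITIONS.items()
        if order.state in t["from"] and user.can(t["permission"])
    )


def render(order: Order, user: User) -> dict:
    """Hypermedia representation: advertise only links the caller may follow."""
    return {
        "id": order.id,
        "state": order.state,
        "_links": {
            name: {"href": f"/orders/{order.id}/{name}", "method": "POST"}
            for name in allowed_transitions(order, user)
        },
    }


def handle_command(order: Order, user: User, command: str) -> Tuple[int, dict]:
    """Command endpoint. Authorization is enforced here on every request,
    independently of whether the link was ever advertised to the caller."""
    transition = TRANSITIONS.get(command)
    if transition is None:
        return 404, {"error": "unknown command"}
    if not user.can(transition["permission"]):
        return 403, {"error": "forbidden"}
    if order.state not in transition["from"]:
        return 409, {"error": f"cannot {command} an order in state {order.state}"}
    order.state = transition["to"]
    return 200, render(order, user)


if __name__ == "__main__":
    customer = User("alice", frozenset({"customer"}))
    warehouse = User("bob", frozenset({"warehouse"}))
    order = Order("o-1", "paid")
    print("customer sees:", list(render(order, customer)["_links"]))
    print("customer POST ship ->", handle_command(order, customer, "ship")[0])
    print("warehouse POST ship ->", handle_command(order, warehouse, "ship")[0], order.state)
```

The point of keeping the two layers separate is that the link set is a convenience for clients, never the access control: a request for a command that was not advertised goes through exactly the same permission and state checks as one that was, so a client that fabricates the URL gains nothing.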
