Capabilities & status
The production boundary of the current NYXDB release — implemented, experimental, design-only, stub, and unsupported surfaces with evidence.
This page describes the current executable product, not the future state in accepted architecture decisions. The canonical machine-maintained inventory is the engine's capability matrix, which links every public claim to source and an executable conformance target.
Status vocabulary
| Status | Meaning |
|---|---|
| Implemented | Available in the all-in-one profile, covered by executable conformance, and intended to remain compatible. |
| Experimental | Executable and tested, but the interface, operations model, or compatibility contract may change before GA. |
| Design-only | Described by an ADR or roadmap; no supported runtime surface exists. |
| Stub | Source or protocol scaffolding exists, but it does not implement the advertised product behavior. |
| Unsupported | Not provided by this release and must not be inferred from adjacent code or design documents. |
Supported deployment profile
The only supported server profile is one single-node all-in-one nyxdb
process. That process owns SQL execution, PSI, the local WAL and catalog,
storage parts, compaction, and local topology through one EngineHost.
| Surface | Status | Exact boundary | Evidence |
|---|---|---|---|
All-in-one nyxdb server | Implemented | The default build, package, and production-candidate process. | main.cpp, nyxdb-test-server-restart |
| In-process table sharding | Implemented | Multiple shards execute inside one EngineHost; this is not node-level distribution. | ADR-037, nyxdb-test-server-sharded |
| Distributed cluster | Design-only | Reserved service architecture; no supported multi-process data or control plane. | ADR-016 |
| High availability and failover | Unsupported | No supported leader election, replicated commit, failover, or availability SLA. | Capability boundary |
| Cross-node replication | Stub | A placeholder exists, but no product target or replication protocol ships. | src/services/replicator |
Run nyxdb --capabilities to print versioned capability JSON from the binary
you are about to deploy. nyxdb --readiness and --health are packaging
preflights: they report whether this binary is startup-capable; they are not a
live network probe.
Query semantics
| Surface | Status | Exact boundary | Evidence |
|---|---|---|---|
| SQL parse, bind, plan, execute | Implemented | Tested DDL, DML, SELECT, joins, aggregates, expressions, and introspection run in the native engine. | src/engine/query, nyxdb-test-query-execution |
| Single-operation visibility | Experimental | Statement and batch visibility is tested; this is the current isolation boundary. | ADR-083, nyxdb-test-row-storage |
| MVCC and multi-statement transactions | Design-only | There is no runtime BEGIN, COMMIT, rollback, or MVCC snapshot-isolation contract. | ADR-017 |
Do not translate "single-operation visibility" into a broader transaction promise. Applications that need a workflow spanning multiple statements must provide their own coordination and recovery policy.
Storage and recovery
| Surface | Status | Exact boundary | Evidence |
|---|---|---|---|
| Local catalog, WAL, parts, and restart replay | Implemented | --data-dir enables local persistence for the all-in-one process. | ADR-035, nyxdb-test-server-restart |
| Per-table WAL durability | Implemented | Local none-equivalent ephemeral policy plus async/group and synchronous disk policies have explicit crash behavior; this is not replica durability. | nyxdb-test-server-durability |
| NYXP parts, pruning, compaction, TTL | Implemented | Immutable local parts and background compaction run in the supported profile. | ADR-003, nyxdb-test-part-flusher |
| Local disks, pools, placement, movement | Experimental | Functional single-node topology; operational durability semantics continue to harden. | ADR-036 |
| Backup, restore, inclusive-sequence PITR | Implemented | nyxdb-backup supports fail-closed, on-demand local repository backup, restore, retention, and journal-sequence PITR. | Operator runbook, nyxdb-test-backup |
| Object-store parts or native archive backend | Unsupported | The community runtime accepts local disk roots; native object-store storage is not shipped. | Capability boundary |
Streaming and dataflow
| Surface | Status | Exact boundary | Evidence |
|---|---|---|---|
PSI stream:key event routing | Implemented | Core in-process routing contract for subscriptions and engine maintainers. | psi.h, nyxdb-test-in-memory-psi |
STREAM SELECT and shared channels | Experimental | Initial snapshot plus live updates are executable; reconnect and distributed continuity are not production SLAs. | stream_channels.h, nyxdb-test-server-channels |
| Continuous transforms | Experimental | In-process maintained relations are tested; distributed DAG recovery is not a shipped contract. | ADR-080, nyxdb-test-transform-host |
Application access and governance
These surfaces are executable but Experimental. They let an operator publish a narrow read-only application contract and govern database users, but they do not supply the missing public-network perimeter.
| Surface | Status | Exact boundary | Evidence |
|---|---|---|---|
| Published application endpoints | Experimental | Operators publish typed, parameterized one-shot or streaming queries. Authenticated end users execute or subscribe through endpoint operations; claims are injected by the server, raw SQL is refused, and errors are sanitized. | ADR-039, nyxdb-test-server-endpoints |
| End-user auth providers and live auth gates | Experimental | Lookup and STREAM SELECT providers map tokens to trusted claims. Live gates maintain a valid-session replica and revoke removed or expired sessions; no configured provider means no end-user entry. | ADR-041, nyxdb-test-server-auth-gate |
| End-user endpoint limits and governance | Experimental | Six static endpoint settings and four query-driven dimensions enforce process-local endpoint/user or subscription limits. Live changes can deny or terminate work; gateway and cluster-wide accounting are not shipped. | endpoint_gate.h, nyxdb-test-rate-limits |
| Operator users, authentication, and access grants | Experimental | Engine-managed users authenticate with passwords. Password-bearing user DDL is replaced by one fixed label before live/retained query telemetry and profiler publication. --require-auth gates operator SQL; admin bypasses access checks, while named non-admin operators are default-deny against an isolated base-relation grant catalog for raw query/stream and endpoint/view execute/subscribe operations. Operators remain exempt from application endpoint quotas. | ADR-042, ADR-043, nyxdb-test-operator-auth |
Operator authentication is opt-in. Without --require-auth, every
unauthenticated connection is an implicit operator with the complete SQL and
write surface. Use the flag for every listener reachable by a browser or
otherwise untrusted client. Native TLS and a zero-trust deployment profile
are Unsupported: terminate TLS externally, enforce Origin and network
policy at the edge, and retain a trusted-network boundary.
Current Experimental boundaries matter to authorization review: an endpoint's
USING provider validates claims schema but does not require invocation
through that provider; endpoint names win over colliding view names; and
operator-class endpoint operations enforce base-relation operator grants but
remain exempt from application quotas. Existing subscriptions also keep frozen
queries and claims across endpoint replace/drop, and drop removes their
governor state. Follow the drain and negative-test procedures in
Operator governance.
Protocols, drivers, and UI
Every client-facing transport is experimental in the current pre-GA release. Pin the engine and driver to compatible revisions, exercise downgrade behavior, and do not infer a long-term wire-compatibility promise yet.
| Surface | Status | Exact boundary | Evidence |
|---|---|---|---|
| Raw TCP v1 text protocol | Experimental | Functional framed SQL transport with TSV results; compatibility is not declared stable. | transport.h, nyxdb-test-server-ping |
| WebSocket transport | Experimental | RFC 6455 binary messages carry the same engine frames on the same port. | ws_transport.h, nyxdb-test-ws-protocol |
| Wire v2 and block ingest | Experimental | Per-connection negotiation, typed columnar results, streaming frames, and binary ingest are executable. | ADR-081, nyxdb-test-server-wire-v2 |
| gRPC service API | Stub | Generated scaffolding can be enabled; no supported EngineHost gRPC front door ships. | proto/table.proto |
nyxsql, JDBC, web console | Experimental | Functional clients for the current transports. The console replays operator auth; current nyxsql and JDBC revisions do not expose operator credentials and cannot query a --require-auth server. JDBC streaming is limited to append-shaped v1 row streams; maintained snapshot/delta streams require another client. | drivers, console |
Closed-network delivery scope
The current audit and release work target a controlled, closed network. That scope does not turn the experimental wire formats into stable APIs and does not expand the single-node durability contract into replication or high availability. Revisit the canonical capability matrix for every engine upgrade; when a surface graduates, its status and executable evidence change together.
| Security surface | Status | Exact boundary | Evidence |
|---|---|---|---|
| Native TLS and zero-trust deployment | Unsupported | The server exposes raw TCP and ws:// without native TLS. Experimental auth and governance do not make direct public production exposure supported. | Capability boundary, ADR-039 |