DB

Capabilities & status

The production boundary of the current NYXDB release — implemented, experimental, design-only, stub, and unsupported surfaces with evidence.

This page describes the current executable product, not the future state in accepted architecture decisions. The canonical machine-maintained inventory is the engine's capability matrix, which links every public claim to source and an executable conformance target.

Status vocabulary

StatusMeaning
ImplementedAvailable in the all-in-one profile, covered by executable conformance, and intended to remain compatible.
ExperimentalExecutable and tested, but the interface, operations model, or compatibility contract may change before GA.
Design-onlyDescribed by an ADR or roadmap; no supported runtime surface exists.
StubSource or protocol scaffolding exists, but it does not implement the advertised product behavior.
UnsupportedNot provided by this release and must not be inferred from adjacent code or design documents.

Supported deployment profile

The only supported server profile is one single-node all-in-one nyxdb process. That process owns SQL execution, PSI, the local WAL and catalog, storage parts, compaction, and local topology through one EngineHost.

SurfaceStatusExact boundaryEvidence
All-in-one nyxdb serverImplementedThe default build, package, and production-candidate process.main.cpp, nyxdb-test-server-restart
In-process table shardingImplementedMultiple shards execute inside one EngineHost; this is not node-level distribution.ADR-037, nyxdb-test-server-sharded
Distributed clusterDesign-onlyReserved service architecture; no supported multi-process data or control plane.ADR-016
High availability and failoverUnsupportedNo supported leader election, replicated commit, failover, or availability SLA.Capability boundary
Cross-node replicationStubA placeholder exists, but no product target or replication protocol ships.src/services/replicator

Run nyxdb --capabilities to print versioned capability JSON from the binary you are about to deploy. nyxdb --readiness and --health are packaging preflights: they report whether this binary is startup-capable; they are not a live network probe.

Query semantics

SurfaceStatusExact boundaryEvidence
SQL parse, bind, plan, executeImplementedTested DDL, DML, SELECT, joins, aggregates, expressions, and introspection run in the native engine.src/engine/query, nyxdb-test-query-execution
Single-operation visibilityExperimentalStatement and batch visibility is tested; this is the current isolation boundary.ADR-083, nyxdb-test-row-storage
MVCC and multi-statement transactionsDesign-onlyThere is no runtime BEGIN, COMMIT, rollback, or MVCC snapshot-isolation contract.ADR-017

Do not translate "single-operation visibility" into a broader transaction promise. Applications that need a workflow spanning multiple statements must provide their own coordination and recovery policy.

Storage and recovery

SurfaceStatusExact boundaryEvidence
Local catalog, WAL, parts, and restart replayImplemented--data-dir enables local persistence for the all-in-one process.ADR-035, nyxdb-test-server-restart
Per-table WAL durabilityImplementedLocal none-equivalent ephemeral policy plus async/group and synchronous disk policies have explicit crash behavior; this is not replica durability.nyxdb-test-server-durability
NYXP parts, pruning, compaction, TTLImplementedImmutable local parts and background compaction run in the supported profile.ADR-003, nyxdb-test-part-flusher
Local disks, pools, placement, movementExperimentalFunctional single-node topology; operational durability semantics continue to harden.ADR-036
Backup, restore, inclusive-sequence PITRImplementednyxdb-backup supports fail-closed, on-demand local repository backup, restore, retention, and journal-sequence PITR.Operator runbook, nyxdb-test-backup
Object-store parts or native archive backendUnsupportedThe community runtime accepts local disk roots; native object-store storage is not shipped.Capability boundary

Streaming and dataflow

SurfaceStatusExact boundaryEvidence
PSI stream:key event routingImplementedCore in-process routing contract for subscriptions and engine maintainers.psi.h, nyxdb-test-in-memory-psi
STREAM SELECT and shared channelsExperimentalInitial snapshot plus live updates are executable; reconnect and distributed continuity are not production SLAs.stream_channels.h, nyxdb-test-server-channels
Continuous transformsExperimentalIn-process maintained relations are tested; distributed DAG recovery is not a shipped contract.ADR-080, nyxdb-test-transform-host

Application access and governance

These surfaces are executable but Experimental. They let an operator publish a narrow read-only application contract and govern database users, but they do not supply the missing public-network perimeter.

SurfaceStatusExact boundaryEvidence
Published application endpointsExperimentalOperators publish typed, parameterized one-shot or streaming queries. Authenticated end users execute or subscribe through endpoint operations; claims are injected by the server, raw SQL is refused, and errors are sanitized.ADR-039, nyxdb-test-server-endpoints
End-user auth providers and live auth gatesExperimentalLookup and STREAM SELECT providers map tokens to trusted claims. Live gates maintain a valid-session replica and revoke removed or expired sessions; no configured provider means no end-user entry.ADR-041, nyxdb-test-server-auth-gate
End-user endpoint limits and governanceExperimentalSix static endpoint settings and four query-driven dimensions enforce process-local endpoint/user or subscription limits. Live changes can deny or terminate work; gateway and cluster-wide accounting are not shipped.endpoint_gate.h, nyxdb-test-rate-limits
Operator users, authentication, and access grantsExperimentalEngine-managed users authenticate with passwords. Password-bearing user DDL is replaced by one fixed label before live/retained query telemetry and profiler publication. --require-auth gates operator SQL; admin bypasses access checks, while named non-admin operators are default-deny against an isolated base-relation grant catalog for raw query/stream and endpoint/view execute/subscribe operations. Operators remain exempt from application endpoint quotas.ADR-042, ADR-043, nyxdb-test-operator-auth

Operator authentication is opt-in. Without --require-auth, every unauthenticated connection is an implicit operator with the complete SQL and write surface. Use the flag for every listener reachable by a browser or otherwise untrusted client. Native TLS and a zero-trust deployment profile are Unsupported: terminate TLS externally, enforce Origin and network policy at the edge, and retain a trusted-network boundary.

Current Experimental boundaries matter to authorization review: an endpoint's USING provider validates claims schema but does not require invocation through that provider; endpoint names win over colliding view names; and operator-class endpoint operations enforce base-relation operator grants but remain exempt from application quotas. Existing subscriptions also keep frozen queries and claims across endpoint replace/drop, and drop removes their governor state. Follow the drain and negative-test procedures in Operator governance.

Protocols, drivers, and UI

Every client-facing transport is experimental in the current pre-GA release. Pin the engine and driver to compatible revisions, exercise downgrade behavior, and do not infer a long-term wire-compatibility promise yet.

SurfaceStatusExact boundaryEvidence
Raw TCP v1 text protocolExperimentalFunctional framed SQL transport with TSV results; compatibility is not declared stable.transport.h, nyxdb-test-server-ping
WebSocket transportExperimentalRFC 6455 binary messages carry the same engine frames on the same port.ws_transport.h, nyxdb-test-ws-protocol
Wire v2 and block ingestExperimentalPer-connection negotiation, typed columnar results, streaming frames, and binary ingest are executable.ADR-081, nyxdb-test-server-wire-v2
gRPC service APIStubGenerated scaffolding can be enabled; no supported EngineHost gRPC front door ships.proto/table.proto
nyxsql, JDBC, web consoleExperimentalFunctional clients for the current transports. The console replays operator auth; current nyxsql and JDBC revisions do not expose operator credentials and cannot query a --require-auth server. JDBC streaming is limited to append-shaped v1 row streams; maintained snapshot/delta streams require another client.drivers, console

Closed-network delivery scope

The current audit and release work target a controlled, closed network. That scope does not turn the experimental wire formats into stable APIs and does not expand the single-node durability contract into replication or high availability. Revisit the canonical capability matrix for every engine upgrade; when a surface graduates, its status and executable evidence change together.

Security surfaceStatusExact boundaryEvidence
Native TLS and zero-trust deploymentUnsupportedThe server exposes raw TCP and ws:// without native TLS. Experimental auth and governance do not make direct public production exposure supported.Capability boundary, ADR-039

On this page