Supported boundaries
Production scope and compatibility status of the current all-in-one engine.
Use this page as the first deployment gate. The machine-readable capability matrix in the engine repository is authoritative for a specific source revision.
Runtime profile
| Surface | Status | Operator boundary |
|---|---|---|
All-in-one nyxdb process | Implemented | One local process owns catalog, query, PSI, storage, and listener lifecycle. |
| Native SQL parse/bind/plan/execute | Implemented | Use the tested NYXDB dialect, not generic SQL compatibility assumptions. |
| Local catalog, WAL, immutable parts, restart recovery | Implemented | Requires an explicit persistent --data-dir. |
| Statement visibility/isolation | Experimental | One-operation snapshots only; no MVCC transaction across requests. |
PSI stream:key routing | Implemented | Exact stream and key are both part of route identity. |
| Streaming reads | Experimental | Snapshot plus live updates; no reconnect continuity SLA. |
| Materialized views and transforms | Experimental | In-process maintenance; no distributed worker recovery contract. |
| Published read-only application endpoints | Experimental | Typed one-shot and live queries with server-injected claims; end users cannot submit raw SQL or writes. |
| End-user auth providers and live gates | Experimental | Lookup or streaming token-to-claims mapping; live-gate revocation is process-local. |
| Static and query-driven endpoint limits | Experimental | Per-process endpoint/user or subscription enforcement; no gateway or cluster-wide quota. |
| Operator users and separate grant domain | Experimental | Enforcement requires --require-auth; admin is implicit-manage and named non-admin operators are default-deny for raw query/stream plus endpoint/view execute/subscribe access to scanned base relations. Operator-class calls remain exempt from application quotas. |
| Local storage pools/policies | Experimental | Local placement only; operational semantics are still hardening. |
| Native single-node backup/restore/PITR | Implemented | V1 repository is local-directory based and covers the synthesized default disk. |
Explicitly absent
- cross-node replication and consensus;
- high availability or automatic failover;
- distributed query or storage roles;
- object-store parts/archival in the community runtime;
- multi-statement transactions,
BEGIN/COMMIT, and MVCC snapshot isolation; - zero-downtime rolling upgrades or a mixed-version cluster contract; and
- durable cursor tokens that resume a stream across connections;
- native TLS or a native WebSocket Origin allow-list; and
- a supported direct-public or zero-trust deployment profile.
Local shards, a storage mirror placement, shared PSI channels, and a
materialized view are not substitutes for node redundancy.
The operator gate is open by default. Without --require-auth, every
unauthenticated connection is an implicit operator with complete SQL and
write access, even if application auth providers exist. Enable the flag for
every browser-facing or otherwise untrusted listener, then place the native
raw-TCP/ws:// listener behind reviewed TLS termination plus Origin and
network policy.
Status vocabulary
| Status | Release interpretation |
|---|---|
| Implemented | Executable and covered by current conformance evidence. |
| Experimental | Executable and tested, but interface or operational compatibility may change. |
| Design-only | A decision or roadmap exists without a usable runtime surface. |
| Stub | A target or placeholder exists but not the advertised behavior. |
| Unsupported | Deliberately unavailable in this revision. |
An ADR records intent and rationale. It does not promote a feature to Implemented.
Pre-deployment verification
Run the exact artifact you will deploy:
nyxdb --capabilities
nyxdb --readiness
nyxdb --help--capabilities reports build/runtime capability metadata.
--readiness is a static deployment-capability preflight; it does not connect
to a running server. Save the output with the release manifest and compare it
during an upgrade.
Use matching server and client revisions for production-like testing while the wire surface is pre-GA. Do not infer compatibility from successful TCP connect alone.
When application access is in scope, also prove that an authenticated end user
can invoke only approved endpoints or granted logical views, cannot forge
server claims, and is denied SQL, writes, and block ingest. Review application
and operator grant catalogs independently. Account for endpoint-first name
resolution, USING being schema validation rather than provider affinity, and
operator-class endpoint/view calls enforcing base-relation operator grants while
remaining exempt from application quotas. Drain existing subscriptions before
endpoint replacement or drop because their bindings do not change and drop
removes governor state. See
Direct application access and
Operator governance.