DB
Operations

Supported boundaries

Production scope and compatibility status of the current all-in-one engine.

Use this page as the first deployment gate. The machine-readable capability matrix in the engine repository is authoritative for a specific source revision.

Runtime profile

SurfaceStatusOperator boundary
All-in-one nyxdb processImplementedOne local process owns catalog, query, PSI, storage, and listener lifecycle.
Native SQL parse/bind/plan/executeImplementedUse the tested NYXDB dialect, not generic SQL compatibility assumptions.
Local catalog, WAL, immutable parts, restart recoveryImplementedRequires an explicit persistent --data-dir.
Statement visibility/isolationExperimentalOne-operation snapshots only; no MVCC transaction across requests.
PSI stream:key routingImplementedExact stream and key are both part of route identity.
Streaming readsExperimentalSnapshot plus live updates; no reconnect continuity SLA.
Materialized views and transformsExperimentalIn-process maintenance; no distributed worker recovery contract.
Published read-only application endpointsExperimentalTyped one-shot and live queries with server-injected claims; end users cannot submit raw SQL or writes.
End-user auth providers and live gatesExperimentalLookup or streaming token-to-claims mapping; live-gate revocation is process-local.
Static and query-driven endpoint limitsExperimentalPer-process endpoint/user or subscription enforcement; no gateway or cluster-wide quota.
Operator users and separate grant domainExperimentalEnforcement requires --require-auth; admin is implicit-manage and named non-admin operators are default-deny for raw query/stream plus endpoint/view execute/subscribe access to scanned base relations. Operator-class calls remain exempt from application quotas.
Local storage pools/policiesExperimentalLocal placement only; operational semantics are still hardening.
Native single-node backup/restore/PITRImplementedV1 repository is local-directory based and covers the synthesized default disk.

Explicitly absent

  • cross-node replication and consensus;
  • high availability or automatic failover;
  • distributed query or storage roles;
  • object-store parts/archival in the community runtime;
  • multi-statement transactions, BEGIN/COMMIT, and MVCC snapshot isolation;
  • zero-downtime rolling upgrades or a mixed-version cluster contract; and
  • durable cursor tokens that resume a stream across connections;
  • native TLS or a native WebSocket Origin allow-list; and
  • a supported direct-public or zero-trust deployment profile.

Local shards, a storage mirror placement, shared PSI channels, and a materialized view are not substitutes for node redundancy.

The operator gate is open by default. Without --require-auth, every unauthenticated connection is an implicit operator with complete SQL and write access, even if application auth providers exist. Enable the flag for every browser-facing or otherwise untrusted listener, then place the native raw-TCP/ws:// listener behind reviewed TLS termination plus Origin and network policy.

Status vocabulary

StatusRelease interpretation
ImplementedExecutable and covered by current conformance evidence.
ExperimentalExecutable and tested, but interface or operational compatibility may change.
Design-onlyA decision or roadmap exists without a usable runtime surface.
StubA target or placeholder exists but not the advertised behavior.
UnsupportedDeliberately unavailable in this revision.

An ADR records intent and rationale. It does not promote a feature to Implemented.

Pre-deployment verification

Run the exact artifact you will deploy:

nyxdb --capabilities
nyxdb --readiness
nyxdb --help

--capabilities reports build/runtime capability metadata. --readiness is a static deployment-capability preflight; it does not connect to a running server. Save the output with the release manifest and compare it during an upgrade.

Use matching server and client revisions for production-like testing while the wire surface is pre-GA. Do not infer compatibility from successful TCP connect alone.

When application access is in scope, also prove that an authenticated end user can invoke only approved endpoints or granted logical views, cannot forge server claims, and is denied SQL, writes, and block ingest. Review application and operator grant catalogs independently. Account for endpoint-first name resolution, USING being schema validation rather than provider affinity, and operator-class endpoint/view calls enforcing base-relation operator grants while remaining exempt from application quotas. Drain existing subscriptions before endpoint replacement or drop because their bindings do not change and drop removes governor state. See Direct application access and Operator governance.

On this page