Server

Production-ready TCP server with security, clustering, and monitoring.

Security

• Authentication -- SCRAM-SHA-256 (salted challenge-response). No plaintext passwords on the wire.
• TLS/SSL -- Certificate-based encryption for all traffic.
• RBAC -- Three roles:
  • Admin -- Full access to all commands including user management
  • ReadWrite -- CRUD, indexes, transactions, blobs, search, procedures
  • Read -- Queries, counts, aggregations, list operations only
• Audit logging -- Every operation logged with timestamp and user context. GELF format for centralized logging.

Wire Protocol

OxiWire is OxiDB's custom binary protocol. Fixed-size encoding (1-byte type tags, 4-byte LE lengths, 8-byte LE numbers). Faster than JSON and MsgPack for both serialization and deserialization.

Clients can also use plain JSON over the same TCP connection.

Clustering (Raft)

Multi-node replication via Raft consensus (openraft). Each node runs its own state machine and persistent log; writes commit on quorum (2/3 for a 3-node group). Enable with the cluster feature flag in oxidb-server.

Persistent state v0.28.18 — Raft state is written to raft_meta.json + raft_log.jsonl on every mutation. Nodes survive container restarts and rejoin their Raft group automatically (previously the node would come back as a fresh Learner and the cluster would diverge).

To bootstrap a 3-node cluster, send raft_init on node 1, then raft_add_learner for nodes 2 and 3, then raft_change_membership: [1, 2, 3]. The full reference deployment lives at ShardReplicaRealWorldTest/ — 3 shards × 3 Raft nodes, fronted by oxipool, validated under 1M-record load with mid-stream failover.

Configuration