SQLite & vectors
Bunfork keeps one narrow data model: encrypted vector records, exact embedded migrations, and bounded exhaustive cosine search.
Encrypted SQLite
The bundled SQLCipher build encrypts the database at rest. Bunfork validates the application ID, user version, complete migration ledger, exact table/index SQL, and absence of unexpected schema objects.
./target/release/bunfork keygen
./target/release/bunfork migrate
The key must decode to 32 random bytes represented by 64 hexadecimal characters. Keep the key outside the page and public directories and outside the deployment release.
Vector CLI
Global --tenant and --model values define the record scope. Put reads content from a UTF-8 file; embeddings are comma-separated finite f32 values.
./target/release/bunfork \
--tenant acme --model notes \
vector put note-1 \
--content-file note.txt \
--embedding 1,0,0
./target/release/bunfork \
--tenant acme --model notes \
vector search --embedding 0.9,0.1,0 --limit 5
./target/release/bunfork \
--tenant acme --model notes \
vector delete note-1
Search returns deterministic JSON matches ordered by cosine similarity. It considers only records with the query's dimension in the selected tenant/model scope.
Authenticated HTTP API
Vector endpoints require Authorization: Bearer <API_TOKEN>. For browser requests carrying an Origin header, the origin must match the configured public origin (or the request host when no public origin is configured).
curl --request PUT http://localhost:3100/api/vectors/note-1 \
--header "Authorization: Bearer $API_TOKEN" \
--header "Content-Type: application/json" \
--data '{"id":"note-1","content":"hello","embedding":[1,0,0]}'
curl --request POST http://localhost:3100/api/vectors/search \
--header "Authorization: Bearer $API_TOKEN" \
--header "Content-Type: application/json" \
--data '{"embedding":[1,0,0],"limit":5}'
curl --request DELETE http://localhost:3100/api/vectors/note-1 \
--header "Authorization: Bearer $API_TOKEN"
Hard limits
| Input | Limit |
|---|---|
| Embedding dimensions | 1–4,096 |
| Search candidates | At most 10,000 |
| Search work | At most 10,000,000 multiply-adds |
| Results | 1–25 |
| Record content | 64 KiB |
| JSON request body | 1 MiB |
A single in-process gate permits one HTTP vector search at a time; concurrent searches receive 429. Invalid IDs, dimensions, norms, limits, or budgets are client errors rather than server errors.