Documentation menu

SQLite & vectors

Bunfork keeps one narrow data model: encrypted vector records, exact embedded migrations, and bounded exhaustive cosine search.

Encrypted SQLite

The bundled SQLCipher build encrypts the database at rest. Bunfork validates the application ID, user version, complete migration ledger, exact table/index SQL, and absence of unexpected schema objects.

./target/release/bunfork keygen
./target/release/bunfork migrate

The key must decode to 32 random bytes represented by 64 hexadecimal characters. Keep the key outside the page and public directories and outside the deployment release.

Vector CLI

Global --tenant and --model values define the record scope. Put reads content from a UTF-8 file; embeddings are comma-separated finite f32 values.

./target/release/bunfork \
  --tenant acme --model notes \
  vector put note-1 \
  --content-file note.txt \
  --embedding 1,0,0

./target/release/bunfork \
  --tenant acme --model notes \
  vector search --embedding 0.9,0.1,0 --limit 5

./target/release/bunfork \
  --tenant acme --model notes \
  vector delete note-1

Search returns deterministic JSON matches ordered by cosine similarity. It considers only records with the query's dimension in the selected tenant/model scope.

Authenticated HTTP API

Vector endpoints require Authorization: Bearer <API_TOKEN>. For browser requests carrying an Origin header, the origin must match the configured public origin (or the request host when no public origin is configured).

curl --request PUT http://localhost:3100/api/vectors/note-1 \
  --header "Authorization: Bearer $API_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{"id":"note-1","content":"hello","embedding":[1,0,0]}'

curl --request POST http://localhost:3100/api/vectors/search \
  --header "Authorization: Bearer $API_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{"embedding":[1,0,0],"limit":5}'

curl --request DELETE http://localhost:3100/api/vectors/note-1 \
  --header "Authorization: Bearer $API_TOKEN"

Hard limits

InputLimit
Embedding dimensions1–4,096
Search candidatesAt most 10,000
Search workAt most 10,000,000 multiply-adds
Results1–25
Record content64 KiB
JSON request body1 MiB

A single in-process gate permits one HTTP vector search at a time; concurrent searches receive 429. Invalid IDs, dimensions, norms, limits, or budgets are client errors rather than server errors.