This matrix describes the current feature surface from the source tree as it exists today.
Legend:

- Done: implemented and clearly present in the codebase
- Partial: implemented with important caveats or limited scope
- Missing: not implemented as a first-class feature
## Protocols

| Area | Status | Notes |
|---|---|---|
| Downstream HTTP/3 | Done | Native QUIC/H3 ingress path |
| Downstream HTTP/1.1 | Done | Via bootstrap TLS listener |
| Downstream HTTP/2 | Done | Via bootstrap TLS listener |
| Upstream HTTP/2 | Done | Used for https:// backends |
| Upstream HTTP/1.1 | Done | Used for http:// backends; mixed H1/H2 pools supported |
| Upstream HTTP/3 | Missing | Not implemented |
| gRPC trailers | Done | Integration coverage exists |
| Broad WebSocket support | Partial | Limited bootstrap-side behavior only |
| General CONNECT proxying | Partial | Policy exists, not a broad general-purpose CONNECT platform |
## Routing

| Area | Status | Notes |
|---|---|---|
| Host routing | Done | Exact and wildcard matching |
| Path-prefix routing | Done | Longest-prefix semantics |
| Method-aware routing | Done | Deterministic tie-breaking |
| Deterministic route selection | Done | Explicitly defended in implementation and tests |
| Header-based routing | Missing | Not a route matcher today |
| Query-based routing | Missing | Not a route matcher today |
| Cookie-based routing | Missing | Not a route matcher today |
| Weighted route splitting | Missing | No route-level traffic policy engine |
## Load Balancing

| Area | Status | Notes |
|---|---|---|
| Round-robin | Done | Implemented |
| Random | Done | Implemented |
| Consistent-hash | Done | Weighted ring rebuild on membership changes |
| Least-connections | Done | Implemented |
| Latency-aware | Done | EWMA-like scoring plus inflight signal |
| Sticky CID | Done | Implemented as a selection mode |
| Weighted backends | Done | Implemented |
| Canary rollout controls | Missing | No first-class release traffic controls |
| Request mirroring | Missing | Not implemented |
| Fault injection | Missing | Not implemented |
## TLS And Trust

| Area | Status | Notes |
|---|---|---|
| Downstream TLS termination | Done | Core capability |
| SNI certificate selection | Done | Multiple certs with fallback behavior |
| Downstream client-auth | Done | Optional and required modes on bootstrap listener |
| Upstream TLS verification | Done | Safe-by-default when using HTTPS backends |
| Custom upstream CA file | Done | Implemented |
| Custom upstream CA dir | Done | Implemented |
| TLS cert hot reload | Done | New handshakes only |
| Full TLS/runtime live reconfiguration | Partial | Cert reload exists, broad runtime reload does not |
## Resilience And Safety

| Area | Status | Notes |
|---|---|---|
| Active health checks | Done | Implemented |
| Passive health signals | Done | Implemented |
| Circuit breaker | Done | Implemented |
| Retry budget | Done | Implemented |
| Hedging | Done | Implemented with restrictions |
| Brownout | Done | Implemented |
| Adaptive admission | Done | Implemented |
| Route queue caps | Done | Implemented |
| Global inflight limits | Done | Implemented |
| Per-upstream inflight limits | Done | Implemented |
| Per-backend inflight limits | Done | Implemented |
| Rate limiting | Missing | Overload control exists, classic rate limiting does not |
## Control Plane And Discovery

| Area | Status | Notes |
|---|---|---|
| Health endpoint | Done | Implemented |
| Readiness endpoint | Done | Implemented |
| Runtime status endpoint | Done | Implemented |
| Restart endpoint | Done | Implemented |
| Cert reload endpoint | Done | Implemented |
| Full config hot reload | Missing | Biggest current control-plane gap |
| Dynamic route updates | Missing | Requires restart or future reload model |
| Dynamic upstream membership API | Missing | No first-class API |
| DNS refresh | Done | Implemented for hostname-based backends |
| Rich service discovery | Missing | No Kubernetes/xDS/Consul-class discovery |
## Policy, Security, And Platform Features

| Area | Status | Notes |
|---|---|---|
| Header mutation for forwarding policy | Done | Host and forwarded-header policy exists |
| Generic request/response rewrite engine | Missing | Not a broad filter system |
| JWT validation | Missing | Not implemented |
| OIDC / auth gateway | Missing | Not implemented |
| External auth integration | Missing | Not implemented |
| RBAC / policy engine | Missing | Not implemented |
| WAF capabilities | Missing | Not implemented |
| Plugin / extension model | Missing | Not implemented |
## Observability And Ops

| Area | Status | Notes |
|---|---|---|
| Prometheus metrics | Done | Rich built-in metrics |
| Structured logging | Done | Plain and JSON formats |
| OTLP tracing hooks | Done | Optional |
| Packaging for Docker | Done | Present |
| Packaging for Debian/systemd | Done | Present |
| Benchmark suite | Done | Dedicated crate and scripts |
| Production runbook maturity | Partial | Present, but should be expanded and tightened |
## Practical Summary

Spooky is strongest today as:
- an HTTP/3-first edge proxy
- a deterministic routing and balancing layer with scheme-driven H1/H2 upstream transport
- a proxy with strong resource-bound and teardown behavior
Spooky is not yet strong as:
- a general-purpose legacy protocol proxy
- a dynamic fleet-managed control-plane-driven proxy
- a fully featured API gateway
- a highly extensible filter platform