This page lists the most important current product limits so operators and contributors do not have to infer them from scattered documents.

Architectural Limits

  • Spooky is centered on HTTP/3 downstream with scheme-driven upstream transport: https:// backends use HTTP/2, http:// backends use HTTP/1.1. Mixed deployments are supported.
  • It is not yet a broad multi-protocol reverse proxy in the same class as older general-purpose incumbents.
  • It is not yet a dynamic control-plane-driven proxy platform.

Configuration And Control Plane Limits

  • Full configuration hot reload exists for runtime-managed settings, but some startup-owned changes still require a restart.
  • Dynamic route updates are not implemented as a first-class runtime feature outside config reload.
  • Dynamic upstream membership changes are limited to DNS refresh rather than a richer control-plane API.
  • There is no transactional apply, generation diff, rollback, or staged config activation model.

Protocol Limits

  • Upstream HTTP/3 forwarding is not implemented.
  • CONNECT support exists only as a constrained policy feature, not as a broad proxy capability.
  • WebSocket and upgrade handling are limited and are not yet a full-feature parity surface.

Traffic-Management Limits

  • No route-level weighted traffic splitting.
  • No request mirroring or shadow traffic.
  • No built-in fault injection layer.
  • No full request/response rewrite/filter pipeline.

Security And Policy Limits

  • No JWT validation.
  • No OIDC or full auth gateway feature set.
  • No external authorization filter.
  • No RBAC or generic policy engine.
  • No WAF or advanced request-inspection layer.

Platform And Ecosystem Limits

  • No Kubernetes-native control plane or operator.
  • No xDS-style fleet management.
  • No plugin or extension model.
  • No service-mesh positioning or mesh-native runtime integration.

Engineering Limits

  • The central edge runtime remains concentrated in a very large module.
  • This increases change risk and makes long-term feature growth harder.
  • Some docs and operational guidance still need tighter separation between stable behavior and future intent.

What These Limits Mean In Practice

Spooky is a strong candidate when:

  • HTTP/3 edge performance and correctness are primary goals
  • the upstream environment speaks HTTP/2 (https:// backends) or HTTP/1.1 (http:// backends), or a mix of both
  • the deployment can tolerate occasional restarts for startup-owned config changes
  • the deployment does not require rich traffic policy or auth gateway features

Spooky is a poor fit today when:

  • every config field must be live-reloadable with no restart boundary
  • upstream protocol breadth is required
  • advanced API gateway behavior is required
  • a rich dynamic control plane is expected
  • a plugin/filter ecosystem is required