Skip to main content

Fail-open design

The single most important property of chukei is this: a chukei-side failure can never break a query. Anything the proxy cannot handle with full confidence degrades to byte-identical passthrough — the query runs exactly as it would with no proxy in the path. This is what makes putting an in-path component in front of a production warehouse defensible.

Every failure path leads to passthrough

  query-request

     v
  decode + parse ok?    -- no    -->  passthrough
     │ ok
     v
  determinism gate ok?  -- veto  -->  passthrough
     │ ok
     v
  plugin bus ok?        -- panic -->  passthrough
     │ ok
     v
  cache ok?             -- error -->  passthrough
     │ ok
     v
  apply winning Decision  ->  forward, or serve cache

     v
  Snowflake

  every "--" branch above is passthrough = "fail open"

Concretely, the following all fall through to passthrough rather than erroring:

  • SQL the parser doesn't recognise (e.g. MATCH_RECOGNIZE, vendor syntax)
  • a plugin panic (caught and isolated; the query continues)
  • a cache backend that is slow or unavailable
  • any ambiguity in the determinism gate
  • non-query endpoints — PUT/GET, SHOW/DESCRIBE, async statements

Why this is the right default for a proxy

The worst case is paying what you already pay.

A dashboard or advisor tool fails safe because it is out of band — nobody's query depends on it. An in-path proxy must earn that same safety, and fail-open is how: the degraded state of chukei is "transparent passthrough," which is operationally identical to not running chukei at all.

This bounds the blast radius of every other component:

  • A restart faster than the driver's retry budget (~10 s) is invisible to clients; sessions resume without re-login.
  • Rollback is repointing the hostname back at *.snowflakecomputing.com — under a minute, nothing to uninstall.
  • Any single plugin can be disabled with one env var (CHUKEI_PLUGINS_<NAME>_ENABLED=false) while queries keep flowing.

How it's enforced

Fail-open is not a hope — it is a tested invariant. The hot path is deterministic Rust with panic isolation around plugin execution, and the production-validation suite drives exotic syntax, file transfers, async and long-running queries, and large chunked results through the proxy specifically to confirm passthrough behaviour. See is a proxy in front of Snowflake safe? for each objection answered with measured numbers.