Architecture

Proto in, typed responses out

UDB is a broker over external databases — backends own data replication; UDB owns the contract, routing, tenant isolation, control-plane state, CDC, sagas, and SDKs. One descriptor drives build-time generation and runtime enforcement, so docs, SDKs, and behavior can’t drift.

Figure: UDB architecture pipeline. Project protos are parsed into a catalog manifest that drives build-time generation and the per-request runtime pipeline (authn/authz → admission → neutral IR → executor → backends).

Single source of truth

The descriptor is the contract

Proto plus the embedded descriptor manifest is the one product contract for RPCs, DTOs, table/column security, endpoint security, SDK metadata, CLI scaffolds, events, native service ids, and docs. Runtime decodes it and fails closed if it can’t.

📐

You own the model

Describe entities in normal .proto files and annotate where data lives and how it’s secured.

🏗️

Generation

The parser builds a deterministic catalog manifest → DDL/RLS, migrations, SDKs, CLI scaffolds, and generated docs.

🛡️

Runtime enforcement

The same descriptor drives the method-security tower layer, redaction, event contracts, and capability reporting.

Per-request pipeline

What happens on every call

Figure: UDB request lifecycle from the SDK call through authentication, authorization, admission control, neutral IR, executor dispatch, and backend execution, and back.

  1. Authenticate — bearer JWT, session, API key, or federated identity; mTLS SAN where configured.
  2. Authorize — one engine for RBAC + ABAC + ReBAC over Casbin, with explicit-deny-wins and a deterministic decision_id.
  3. Admission — per-tenant fair channels, concurrency limits, and bounded-queue backpressure.
  4. Neutral IR — the request compiles to a backend-agnostic intermediate representation.
  5. Execute — the right executor speaks the backend dialect; RLS context is applied with SET LOCAL.
  6. Emit & audit — typed response back; events to the transactional outbox; a redacted compliance envelope to audit.
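
The Authorize step's explicit-deny-wins rule and deterministic decision_id, sketched as an added example: this is not UDB's code and does not use Casbin. The rule shape, the policy_version label, and deriving decision_id from a SHA-256 over the canonical inputs are all assumptions; the page states only that the id is deterministic.

```python
import hashlib
import json

# Constructed sample rules; the rule shape is an assumption, not UDB's policy schema.
POLICIES = [
    {"id": "p1", "effect": "allow", "role": "analyst", "method": "Query", "tenant": "*"},
    {"id": "p2", "effect": "deny", "role": "*", "method": "*", "tenant": "acme-frozen"},
    {"id": "p3", "effect": "allow", "role": "admin", "method": "*", "tenant": "*"},
]
FIELDS = ("role", "method", "tenant")


def _matches(rule, req):
    # A rule field matches on equality or on the "*" wildcard.
    return all(rule[f] == "*" or rule[f] == req.get(f) for f in FIELDS)


def decide(req, policies=POLICIES, policy_version="constructed-v1"):
    hits = sorted((p for p in policies if _matches(p, req)), key=lambda p: p["id"])
    effects = {p["effect"] for p in hits}
    if "deny" in effects:
        effect, reason = "deny", "explicit_deny"   # deny wins over any allow
    elif "allow" in effects:
        effect, reason = "allow", "allow"
    else:
        effect, reason = "deny", "no_match"        # nothing matched: fail closed
    # Assumed derivation: hash a canonical form of every input to the decision,
    # so replaying the same request against the same policy set gives the same id.
    canonical = json.dumps(
        {"req": {f: req.get(f) for f in FIELDS}, "policy_version": policy_version,
         "matched": [p["id"] for p in hits], "effect": effect},
        sort_keys=True, separators=(",", ":"),
    )
    decision_id = hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]
    return {"effect": effect, "reason": reason,
            "matched": [p["id"] for p in hits], "decision_id": decision_id}


if __name__ == "__main__":
    for r in ({"role": "admin", "method": "Query", "tenant": "acme-frozen"},
              {"role": "analyst", "method": "Query", "tenant": "acme"},
              {"role": "guest", "method": "Query", "tenant": "acme"}):
        print(r, "->", decide(r))
```

Sorting the matched rules and serializing with sorted keys keeps the id independent of policy load order and request field order, which is what lets an audit record be replayed and compared.
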
Two planes, one contract

Data plane and a network-isolated control plane

| Plane | Listener | Surface | RPCs |
|---|---|---|---|
| Data plane | Public DataBroker | Relational, vector, object, cache, document, graph, time-series, analytical; transactions, CDC, catalog, migration, saga | 76 |
| Control plane | Isolated UDB_AUTH_GRPC_ADDR | 15 native services — authn, authz, API keys, IdP, tenant, notification, analytics, storage, asset, WebRTC, policy distribution | 186 |

The control plane is PEP-frontable and serves the public plane via Authorize/GetNativeAccess. Runtime domain modules own the business engines; service modules only adapt them to gRPC.