Merge branch 'trunk' into docs/nsql-ux-improvements

Author: lukekim

website/docs/api/tls/index.md

@@ -80,9 +80,26 @@ runtime:
 
 To learn more about secrets, see [Secret Stores](../../components/secret-stores).
 
+## Certificate Hot-Reload
+
+When TLS is configured using **file paths** (`certificate_file` / `key_file` or `--tls-certificate-file` / `--tls-key-file`), the runtime automatically watches the certificate and key files for changes and reloads them without restarting. This is useful when certificates are rotated by external tools such as SPIRE, cert-manager, or kubelet.
+
+- In-flight TLS connections are unaffected — only new handshakes use the rotated certificate.
+- If a rotated file contains invalid PEM data, the runtime logs the error and continues serving with the previous certificate.
+- File changes are detected via polling (every 2 seconds). Atomic file renames are handled correctly.
+
+When TLS is configured using **inline values** (`certificate` / `key`, including `${secrets:…}` references), certificates are loaded once at startup and are not automatically reloaded.
+
+The `runtime_tls_reload_total` OTel counter tracks reload attempts:
+
+| Label    | Values                    |
+| -------- | ------------------------- |
+| `scope`  | `public`, `cluster`       |
+| `result` | `ok`, `io_error`, `parse_error` |
+
 :::info
 
-Changes to TLS configuration are not applied at runtime and will only take effect on startup.
+When using inline certificates or secrets (`certificate` / `key`), changes are not applied at runtime and will only take effect on restart.
 
 :::
 

website/docs/components/catalogs/ducklake.md

@@ -198,6 +198,7 @@ Spice integrates with multiple secret stores to help manage sensitive data secur
 
 :::warning[Limitations]
 
+- Spice uses DuckDB 1.4.4, which supports DuckLake format versions 0.1, 0.2, and 0.3 only. Catalogs created with DuckDB 1.5.x or later use format v0.4+, which is not currently supported.
 - The DuckLake DuckDB extension is downloaded at runtime on first use, requiring network connectivity.
 - The `information_schema` and `pg_catalog` system schemas are automatically filtered out during discovery.
 - Catalog refresh is non-incremental — a full re-query of `information_schema` is performed on each refresh cycle.

website/docs/components/catalogs/index.md

@@ -29,7 +29,7 @@ Supported Catalog Connectors include:
 | `databricks`    | Databricks              | Beta   | Spark Connect, S3/Delta Lake |
 | `iceberg`       | Apache Iceberg          | Beta   | Parquet                      |
 | `spice.ai`      | Spice.ai Cloud Platform | Beta   | Arrow Flight                 |
-| `ducklake`      | DuckLake                | Alpha  | Parquet                      |
+| `ducklake`      | DuckLake                | Beta   | Parquet                      |
 | `glue`          | AWS Glue                | Alpha  | Parquet, Iceberg             |
 | `snowflake`     | Snowflake               | Alpha  | Snowflake SQL                |
 | `pg`            | PostgreSQL / Redshift   | Alpha  | PostgreSQL Wire Protocol     |

website/docs/components/data-accelerators/cayenne/deployment.md

@@ -58,7 +58,7 @@ For point-lookup-heavy workloads, size `cayenne_segment_cache_mb` generously —
 
 | Parameter             | Description                                               |
 | --------------------- | --------------------------------------------------------- |
-| `upload_concurrency`  | Parallel segment uploads during refresh / append commits. |
+| `cayenne_upload_concurrency` | Parallel segment uploads during refresh / append commits. |
 
 For S3 Express One Zone, 8–16 parallel uploads typically maximize throughput. For standard S3 across regions, higher concurrency helps hide per-request latency.
 

website/docs/components/data-accelerators/index.md

@@ -31,10 +31,10 @@ By default, datasets are locally materialized using in-memory Arrow records.
 | ---------- | ------------------------------- | ----------------- | ---------------- |
 | `cayenne`  | [Spice Cayenne][cayenne]        | Release Candidate | `file`, `file_create`, `file_update` |
 | `arrow`    | In-Memory Arrow Records         | Stable            | `memory`         |
-| `duckdb`   | Embedded [DuckDB][duckdb]       | Stable            | `memory`, `file` |
+| `duckdb`   | Embedded [DuckDB][duckdb]       | Stable            | `memory`, `file`, `file_create`, `file_update` |
 | `postgres` | Attached [PostgreSQL][postgres] (Spice.ai Enterprise) | Release Candidate | N/A              |
-| `sqlite`   | Embedded [SQLite][sqlite]       | Release Candidate | `memory`, `file` |
-| `turso`    | Embedded [Turso][turso]         | Beta              | `memory`, `file` |
+| `sqlite`   | Embedded [SQLite][sqlite]       | Release Candidate | `memory`, `file`, `file_create`, `file_update` |
+| `turso`    | Embedded [Turso][turso]         | Beta              | `memory`, `file`, `file_create`, `file_update` |
 
 [cayenne]: ./cayenne/index.md
 [duckdb]: ./duckdb/index.md

website/docs/components/data-accelerators/postgres/index.md

@@ -37,7 +37,6 @@ The connection to PostgreSQL can be configured by providing the following `param
   - `require`: This mode requires a TLS connection.
   - `prefer`: (default) This mode will try to establish a secure TLS connection if possible, but will connect insecurely if the server does not support TLS.
   - `disable`: This mode will not attempt to use a TLS connection, even if the server supports it.
-  - `allow`: This mode will try a non-TLS connection first, then retry with TLS if the server requires it.
 - `pg_sslrootcert`: Optional. Path to a custom PEM certificate file that the connector will trust.
 - `pg_connection_pool_min`: Optional. The minimum number of connections to keep open in the pool, lazily created when requested. Default is `5`.
 - `connection_pool_size`: Optional. The maximum number of connections created in the connection pool. Default is `10`.

website/docs/components/data-connectors/abfs.md

@@ -66,7 +66,7 @@ The dataset name cannot be a [reserved keyword](../../reference/spicepod/keyword
 
 | Parameter name              | Description                                                                                                                                         |
 | --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `file_format`               | Specifies the data format. Required if not inferrable from `from`. Options: `parquet`, `csv`. Refer to [File Formats](./#file-formats) for details. |
+| `file_format`               | Specifies the data format. Required if not inferrable from `from`. Options: `parquet`, `csv`, `json`. Refer to [File Formats](./#file-formats) for details. |
 | `abfs_account`              | Azure storage account name                                                                                                                          |
 | `abfs_container_name`       | Azure container name                                                                                                                                |
 | `abfs_sas_string`           | SAS (Shared Access Signature) Token to use for authorization                                                                                        |
@@ -79,6 +79,8 @@ The dataset name cannot be a [reserved keyword](../../reference/spicepod/keyword
 | `abfs_proxy_excludes`       | A list of hosts to exclude from proxy connections                                                                                                   |
 | `abfs_disable_tagging`      | Disable tagging objects. Use this if your backing store doesn't support tags                                                                        |
 | `allow_http`                | Allow insecure HTTP connections                                                                                                                     |
+| `client_timeout`            | Optional. Timeout for Azure client operations.                                                                                                      |
+| `abfs_versioning`           | Enable Azure blob versioning. Default: `disabled`                                                                                                   |
 | `hive_partitioning_enabled` | Enable partitioning using hive-style partitioning from the folder structure. Defaults to `false`                                                    |
 | `schema_source_path`        | Specifies the URL used to infer the dataset schema. Default to the most recently modified file                                                      |
 

website/docs/components/data-connectors/adbc.md

@@ -112,6 +112,7 @@ The dataset name cannot be a [reserved keyword](../../reference/spicepod/keyword
 | `adbc_schema`              | Optional. Sets the default schema for the connection.                                                                                |
 | `connection_pool_size`     | Optional. Maximum number of connections in the connection pool. Default: `5`.                                                        |
 | `connection_pool_min_idle` | Optional. Minimum number of idle connections in the pool. Default: `1`.                                                              |
+| `query_federation`         | Optional. Controls whether queries are federated to the ADBC source. Values: `enabled`, `disabled`. Default: `enabled`.              |
 
 :::warning[In-memory databases]
 In-memory database URIs (e.g., `:memory:` or URIs containing `mode=memory`) are not supported.

website/docs/components/data-connectors/clickhouse.md

@@ -89,7 +89,9 @@ The table below shows the ClickHouse data types supported, along with the type m
 | `FixedString`    | `Utf8`                      |
 | `UUID`           | `Utf8`                      |
 | `Date`           | `Date32`                    |
+| `Date32`         | `Date32`                    |
 | `DateTime`       | `Timestamp(Second, None)`   |
+| `DateTime64`     | `Timestamp(Second, None)`   |
 | `Nullable(T)`    | Mapped inner type `T`       |
 
 ## Examples

website/docs/components/data-connectors/databricks/index.md

@@ -91,6 +91,17 @@ The following parameters apply only when `mode` is `sql_warehouse` and control c
 | `statement_max_retries`      | Optional. Maximum number of poll retries when waiting for async statement completion. Default: `14`.                           |
 | `disable_on_permanent_error` | Optional. When `true`, non-retryable errors (401, 403, 404) permanently disable the connector. Default: `true`.               |
 
+#### Rate control
+
+The Databricks connector supports per-dataset rate control parameters when `mode` is `spark_connect` or `sql_warehouse`. These override [`runtime.params`](../../reference/spicepod/runtime#runtimeparams) HTTP rate control defaults. When [`runtime.source_rate_control.state_location`](../../reference/spicepod/runtime#runtimesource_rate_control) is configured, rate limits are coordinated across the cluster.
+
+| Parameter Name              | Description                                                                                                                                                     |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `requests_per_second_limit` | Optional. Maximum HTTP requests per second to the Databricks endpoint. Overrides `runtime.params.http_requests_per_second_limit`.                                |
+| `requests_per_minute_limit` | Optional. Maximum HTTP requests per minute to the Databricks endpoint. Overrides `runtime.params.http_requests_per_minute_limit`.                                |
+| `rate_control_jitter_min`   | Optional. Minimum random delay before HTTP requests when rate control is active. Defaults to `5ms` when a rate limit is configured. Accepts durations like `5ms`. |
+| `rate_control_jitter_max`   | Optional. Maximum random delay before HTTP requests when rate control is active. Defaults to `10ms` when a rate limit is configured. Accepts durations like `10ms`. |
+
 ## Authentication
 
 ### Personal access token