Limits and Quotas
RowOps enforces limits based on organization tier and system constraints. This page documents the limit structure, enforcement points, and known considerations.
Limits as Policy
Tier limits represent policy decisions, not hard technical constraints. Limits are:
- Enforced at specific checkpoints in the system
- Subject to change between versions
- Potentially inconsistent between enforcement points
Do not rely on limits as security boundaries without verification.
Tier-Based Limits
Resource Limits by Tier
The following limits are defined in dashboard tier policy:
| Resource | Free | Pro | Scale | Enterprise |
|---|---|---|---|---|
| Max Projects | 1 | 3 | 10 | Unlimited |
| Max Rows/Import | 1,000 | 100,000 | 1,000,000 | Unlimited |
| Max Domains | Localhost + 1 | Localhost + 3 | Localhost + 10 | Unlimited |
| Log Retention | 0 days | 30 days | 90 days | 365 days |
Feature Availability
| Feature | Free | Pro | Scale | Enterprise |
|---|---|---|---|---|
| Basic validation | Yes | Yes | Yes | Yes |
| Masking | Limited | Yes | Yes | Yes |
| Transforms | Limited | Yes | Yes | Yes |
| Profiling | Basic | Full | Full | Full |
| Fuzzy matching | No | No | Yes | Yes |
| SSO | No | No | No | Yes |
Enforcement Points
Server-Side Enforcement
Limits enforced before API response:
| Limit | Enforcement Location |
|---|---|
| Row limits | License verification (/api/license/verify) |
| Project limits | Project creation API |
| Domain limits | Domain registration API |
| Feature access | License verification response |
Client-Side Checks
Some limits are checked client-side:
| Check | Location |
|---|---|
| Tier gate | Engine initialization + worker/WASM boundary |
| Row limits | Pipeline start + worker/WASM boundary |
| Demo mode limit | Pipeline execution (100 rows) |
Client-side checks are not security boundaries. Server-side enforcement is authoritative.
Hard Caps (DoS Prevention)
System-wide hard caps prevent resource exhaustion:
| Limit | Value | Purpose |
|---|---|---|
| Max columns | 250 | Memory protection |
| Max row length | 1 MB | Parse buffer limits |
| Max schema fields | 500 | Schema complexity |
| Max transform steps | 20 | Pipeline complexity |
| Max nesting depth | 20 | Recursion protection |
These caps apply regardless of tier.
Enforcement Timing
Limits are checked at different times:
| Limit | When Checked |
|---|---|
| Row limits | License verification + pipeline start + WASM boundary |
| Project limits | At project creation |
| Domain limits | At domain registration |
| Feature limits | At feature invocation |
A request may pass early checks but fail later checks.
Demo Mode Limits
Demo mode (headless) has fixed limits regardless of tier:
| Limit | Value |
|---|---|
| Max rows | 100 |
| Watermark | Applied to exports |
Demo mode is for testing only. It bypasses license verification.
Unverified or Offline Behavior
When entitlement verification cannot be performed (no network, invalid token), the execution plane fails closed:
| Behavior | Description |
|---|---|
| Tier gate | Defaults to Free |
| Row limits | Enforced at Free limits |
| Features | Premium modules disabled until a verified token is provided |
Cached entitlement tokens are not security boundaries and can be tampered with locally.
What Limits Do Not Prevent
Limits are not security controls:
| Scenario | Limit Behavior |
|---|---|
| Memory exhaustion | Hard caps exist but browser may still crash on large files |
| Processing time | No time limits on pipeline execution |
| CPU usage | No throttling within pipeline |
| Concurrent requests | No per-client rate limiting documented |
Monitoring Limit Usage
Dashboard Visibility
Usage is visible in the dashboard:
- Current row usage against limits
- Project count against limit
- Domain count against limit
API Access
Usage can be queried via API (endpoints vary by implementation).
Exceeding Limits
Behavior When Exceeded
| Limit | Behavior |
|---|---|
| Row limit | stop_with_warning by default; hard_error when configured or denied server-side |
| Project limit | 402 error; creation blocked |
| Domain limit | 402 error; registration blocked |
| Feature limit | Feature unavailable or degraded |
Row Limit Handling
Row limits are enforced at pipeline start and at the worker/WASM boundary.
Default behavior (stop_with_warning):
- Parsing stops at the tier limit
- A
ROW_LIMIT_REACHEDwarning is emitted with skipped row metadata - A
skippedpartition records omitted rows
Strict behavior (hard_error):
- Parsing aborts immediately with an error
- No partial output is returned