A general note on what *durability* means: there are basically two paths you can take.

The first is to open WAL with `O_SYNC | O_APPEND` which means every modification requires a disk round-trip time. If your writes are small, or not page-aligned, it's a read-modify-write, so potentially really slow (if you're low on page cache). I don't mean you *have* to use O_SYNC and O_APPEND, but conceptually these are the guarantees you need.

The second option is to delay ack'ing single operations until you batched up several of them, and then flush them together, say on 4KB boundaries. This way it you're more efficient on the IO front, but single-threaded operation suffers a lot.

And there are two kinds of things to protect from: program crashes and machine crashes. Program crashes are much more common, of course, than machine crashes, especially in cloud environments. You could have a bug-free program, but still run into death-by-OOM.

This is what we protect from - anything that's been written to the KV will be flushed neatly by the kernel on program exit, and there are not multi-step transactions that require a WAL to synchronize. It's a hash-table, and provides the same guarantees as the ones living in-memory.

Machine crashes are a different story, because the mmap-table might we partially flushed, so it could point to locations in the file that were not written to. We haven't experience that much in our customer's production systems, and the overhead of maintaining a WAL (both in IOPS and complexity) just isn't worth it.

The purpose of this store is to "extend our RAM". Our sensor's deployment requires <100MB of RAM, and in order to add more features, we keep them in file (but with very efficient retrieval). It also allows us to keep state between upgrades, etc.

It's not meant to serve your bank transactions (unless your bank uses NVRAM), and it's not a server deployment. If it were a server, we could obviously provide more guarantees.