Skip to content

perf(rbac): optimize ExpireRoles command for production #120

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 8, 2025
Merged

perf(rbac): optimize ExpireRoles command for production #120

merged 2 commits into from
Nov 8, 2025

Conversation

@kevalyq
Copy link
Contributor

@kevalyq kevalyq commented Nov 8, 2025

Summary

Optimizes the ExpireRoles command based on Copilot review feedback from PR #118, addressing performance, memory efficiency, and race condition concerns for production use.

Related Issues

Closes #119

Changes

🎯 Code Style & Consistency

  • Removed declare(strict_types=1) - Aligns with other console commands (GenerateTenantCommand, RotateDekCommand, RotateKekCommand)

⚡ Performance Optimizations

  • Batch processing - Process 100 expired roles per transaction (previously: 1 role per transaction)
  • Memory efficiency - Use cursor() instead of get() for streaming results without loading all into memory
  • Separation of concerns - Extract processChunk() helper method for cleaner code organization

🔒 Race Condition Prevention

  • Delete-first-then-log pattern - Only create audit log if role was actually deleted (if ($deleted > 0))
  • Prevents duplicate logs - Concurrent scheduler executions won't create duplicate audit entries

Testing

New Tests (5 added)

  • Large dataset processing - 250 expired roles without memory issues
  • Concurrent execution - No duplicate audit logs on rapid consecutive runs
  • Chunk boundaries - Exactly 100 roles (1 chunk)
  • Chunk boundaries - 101 roles (2 chunks: 100 + 1)
  • All existing tests - Still passing (14 total, 46 assertions)

Quality Gates

  • Tests: 183 passed (528 assertions)
  • PHPStan Level 9: No errors
  • Pint: PASS
  • REUSE: Compliant
  • Preflight: OK (185 changed lines)

Performance Impact

Before

  • ❌ Separate transaction per role (overhead for 1000+ roles)
  • get() loads all expired roles into memory
  • ❌ Potential duplicate logs on concurrent execution

After

  • ✅ 100 roles per transaction (up to 10x fewer transactions)
  • cursor() streams results (constant memory usage)
  • ✅ Race condition protected (delete-first pattern)

Deployment Notes

No migration required. Command is backward compatible.

Checklist

  • Tests written and passing (14 tests, 46 assertions)
  • PHPStan Level 9 compliant
  • Pint code style compliant
  • REUSE compliant
  • CHANGELOG.md updated
  • No breaking changes
  • All quality gates passed

@kevalyq
perf(rbac): optimize ExpireRoles command for production (#119)
ef3160b 
- Remove declare(strict_types=1) for consistency
- Implement batch processing (100 items/transaction)
- Use cursor() for memory-efficient streaming
- Delete-first-then-log pattern prevents race conditions
- Add processChunk() helper for separation of concerns
- Test coverage: 250 roles, chunk boundaries, concurrency

Closes #119
Copilot AI review requested due to automatic review settings November 8, 2025 23:05
@github-actions
Copy link

github-actions bot commented Nov 8, 2025

💡 Tip: Consider Using Draft PRs

Benefits of opening PRs as drafts initially:

  • 💰 Saves CI runtime and Copilot review credits
  • 🎯 Automatically sets linked issues to "🚧 In Progress" status
  • 🚀 Mark "Ready for review" when done to trigger full CI pipeline

How to convert:

  1. Click "Still in progress? Convert to draft" in the sidebar, OR
  2. Use gh pr ready when ready for review

This is just a friendly reminder - feel free to continue as is! 😊

Copilot AI reviewed Nov 8, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR optimizes the roles:expire command for better performance and concurrency handling when processing expired temporal role assignments. The optimization shifts from individual transactions per role to batch processing with chunking, implements a delete-first-then-log pattern to prevent duplicate audit logs, and uses cursor-based streaming for memory efficiency.

Key Changes:

  • Refactored command to use cursor-based streaming and batch processing (100 items per chunk) instead of per-item transactions
  • Implemented delete-first-then-log pattern to prevent duplicate audit logs during concurrent execution
  • Added comprehensive test coverage for chunk boundaries (100, 101, 250 roles) and race condition scenarios

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
app/Console/Commands/ExpireRoles.php Refactored to use cursor streaming and batch processing; extracted chunk processing logic into separate method; removed declare(strict_types=1)
tests/Feature/Console/ExpireRolesCommandTest.php Added four new test cases covering large-scale processing, concurrent execution, and chunk boundary conditions
CHANGELOG.md Documented the optimization changes and improvements

@kevalyq
refactor: implement Copilot review suggestions
035c630 
- Extract CHUNK_SIZE constant (DRY principle)
- Optimize test performance with factory()->count()
- 18% faster test execution (7.83s -> 6.42s)

All tests pass: 14 passed (46 assertions)
@kevalyq kevalyq merged commit 8c52e5f into main Nov 8, 2025
15 checks passed
@kevalyq kevalyq deleted the perf/optimize-expire-roles-119 branch November 8, 2025 23:14
@github-actions
Copy link

github-actions bot commented Nov 8, 2025

💡 Tip: Consider Using Draft PRs

Benefits of opening PRs as drafts initially:

  • 💰 Saves CI runtime and Copilot review credits
  • 🎯 Automatically sets linked issues to "🚧 In Progress" status
  • 🚀 Mark "Ready for review" when done to trigger full CI pipeline

How to convert:

  1. Click "Still in progress? Convert to draft" in the sidebar, OR
  2. Use gh pr ready when ready for review

This is just a friendly reminder - feel free to continue as is! 😊

@kevalyq kevalyq mentioned this pull request Nov 9, 2025
Closed
28 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

RBAC: Optimize ExpireRoles Command (Follow-up to PR #118)

2 participants

@kevalyq