Add CodSpeed performance benchmarks for Rust domain layer

.github/workflows/codspeed.yml

@@ -0,0 +1,53 @@
+name: CodSpeed
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  # `workflow_dispatch` allows CodSpeed to trigger backtest
+  # performance analysis in order to generate initial data.
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  codspeed:
+    name: Run benchmarks
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: src-tauri
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Linux dependencies
+        working-directory: .
+        run: >
+          sudo apt-get update &&
+          sudo apt-get install -y
+          libwebkit2gtk-4.1-dev
+          libappindicator3-dev
+          librsvg2-dev
+          patchelf
+
+      - name: Setup rust toolchain, cache and cargo-codspeed binary
+        uses: moonrepo/setup-rust@v0
+        with:
+          channel: stable
+          cache-target: release
+          bins: cargo-codspeed
+
+      - name: Build the benchmark target(s)
+        run: cargo codspeed build
+
+      - name: Run the benchmarks
+        uses: CodSpeedHQ/action@v4
+        with:
+          mode: simulation
+          run: cd src-tauri && cargo codspeed run

CHANGELOG.md

@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- **CodSpeed performance benchmarks** (CI): new `domain_benchmarks` Criterion harness in `src-tauri/benches/domain_benchmarks.rs` exercising the pure `domain::model::config` helpers (`apply_patch`, `normalize_link_check_parallelism`, `normalize_max_concurrent`). Wired through a new `.github/workflows/codspeed.yml` workflow that runs the benches under CodSpeed on every PR, providing automated perf-regression tracking for the domain layer. `criterion` + `codspeed-criterion-compat` added as dev-dependencies; `[[bench]]` target declared with `harness = false` so Criterion drives the run.
+
 - **CI hardening** (scope `ci`): new GitHub Actions jobs `secrets-scan` (rejects `.env`/`.pem`/`.key`/etc. tracked files plus `AKIA*`/`sk-ant-*`/`ghp_*`/`AIza*` API key patterns in tracked content), `forbidden-tools` (rejects `pnpm-lock.yaml`/`yarn.lock`, `.eslintrc*`/`biome.json*`/`.prettierrc*` configs, and any `#[allow(dead_code|unused|...)]` / `@ts-ignore` / `@ts-expect-error` / `oxlint-disable` comment), and `changelog-check` (PR-only — fails when `*.rs` / `*.ts` / `*.tsx` change without a matching `CHANGELOG.md` edit). Existing `cargo audit` swapped for `cargo deny check` covering advisories + licenses + bans + sources via the new `deny.toml`. Frontend job now runs `oxfmt --check`, `knip --reporter compact`, and uploads `coverage/` as an artifact. New `mutants.yml` workflow runs `cargo mutants --in-diff` on PRs touching `src-tauri/**` and a 4-shard nightly sweep on `main`.
 - **Release verification** (scope `ci`): new `verify-tag` job in `release.yml` blocks the build matrix when `Cargo.toml`, `package.json`, the pushed tag, and the `CHANGELOG.md` section are out of sync.
 - **Hook hardening** (scope `ci`): pre-commit gains `oxfmt --check` (scoped via new `.oxfmtignore` to keep `src-tauri/gen/`, `contrib/`, `registry/`, `*.md` untouched), `scripts/no-secrets.sh` (file-pattern + diff-content scan), `scripts/no-manual-deps.sh` (rejects manual `Cargo.toml` / `package.json` dep edits without an updated lock — enforces `cargo add` / `npm install`), and `changelog-updated`. Pre-push gains `cargo deny check licenses bans advisories` and `knip --reporter compact`. New `knip.json` keeps `files` / `dependencies` / `unlisted` / `binaries` / `unresolved` as `error` and demotes `exports` / `types` / `nsExports` / `nsTypes` / `duplicates` / `enumMembers` to `warn` for backwards-compatible adoption. `src-tauri/.cargo/mutants.toml` excludes the binary entrypoint, `build.rs`, `tests/**`, and the SQLite migrations from cargo-mutants and bumps `timeout_multiplier` to 2.0 / `minimum_test_timeout` to 60s to absorb Tauri/sea-orm/extism cold-build latency. `package.json` adds `knip ^6.11` and `oxfmt ^0.47` as devDependencies.

README.md

@@ -5,6 +5,7 @@
 [![Built with Tauri](https://img.shields.io/badge/built%20with-Tauri%202-24c8db?logo=tauri)](https://tauri.app)
 [![Rust](https://img.shields.io/badge/rust-1.95-orange?logo=rust)](src-tauri/Cargo.toml)
 [![CI](https://github.com/mpiton/vortex/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/mpiton/vortex/actions/workflows/ci.yml)
+[![CodSpeed](https://img.shields.io/endpoint?url=https://codspeed.io/badge.json)](https://codspeed.io/mpiton/vortex?utm_source=badge)
 
 Open-source desktop download manager — successor to JDownloader. Tauri 2 + Rust backend + React 19 frontend, hexagonal architecture, CQRS, WASM plugin system (Extism).