bench(compliance): scanner pipeline benchmarks with baselines

[SimplyLiz]

What this PR does

Adds performance benchmarks for the compliance scanner — the innermost loop of every ckb audit compliance run — which had zero benchmark coverage. Also commits a reproducible baseline and documents every efficiency issue found during the investigation.

Files changed:

• internal/compliance/scanner_bench_test.go — 10 benchmark functions
• testdata/benchmarks/compliance_baseline.txt — committed 5-run baseline (Apple M4 Pro, arm64)

---

Architecture context

During ckb audit compliance, RunAudit fans out up to 131 checks in parallel (capped at 32 workers). The per-line call chain during a PII scan is:

RunAudit (parallel, up to 32 workers)
  └─ check.Run(scope)              — 131 checks, many open all files independently
       └─ PIIScanner.ScanFiles()   — opens every source file with os.Open
            └─ scanFile (per file)
                 └─ extractContainer(line)       — 7 compiled regexes, every line
                 └─ extractIdentifiers(line)     — regex match + map alloc, every line
                      └─ normalizeIdentifier(id) — camelCase→snake_case, per identifier
                           └─ matchPII(norm)     — map lookup + O(n) suffix scan
                                └─ isNonPIIIdentifier(norm) — 46-entry linear scan

On a large repo this chain runs tens of millions of times across the check fan-out.

---

Benchmark results (Apple M4 Pro, arm64, -count=5)

Individual hot paths

Function	ns/op	B/op	allocs/op	Notes
normalizeIdentifier (typical)	138	138	4	4 allocs even for short idents
normalizeIdentifier (60-char)	650	1352	9	rune slice + string rebuilds
extractIdentifiers	555	219	6	new map + slice every call
extractContainer	502	24	0	submatch slice on match lines
isNonPIIIdentifier	197	0	0	alloc-free but has hidden issue (see §4)
matchPII (hit)	706	0	0	alloc-free — map lookup
matchPII (full suffix scan / miss)	1130	0	0	O(n_patterns) linear scan
NewPIIScanner	2400	13048	6	one-time cost, but called 18× per audit

On the zeros: matchPII and isNonPIIIdentifier allocate nothing in their inner paths. Zero is correct — map lookups and string comparisons stay on the stack.

Pipeline scale (single file)

File size	ns/op	MB/s	B/op	allocs/op
500 lines	1.83ms	8.3	210 KB	6,989
5k lines	18.5ms	8.3	2.1 MB	69,843
50k lines	185ms	8.3	20.9 MB	698,383

Throughput is flat ~8.3 MB/s regardless of file size — the work is strictly O(lines). But 14 allocs/line is constant. Every line allocates regardless of content.

File-set scale (full audit simulation)

Repo size	Wall time	allocs/op	Memory
100 files × 300 lines	112ms	419k	12 MB
1k files × 300 lines	1.12s	4.2M	126 MB
5k files × 300 lines	5.6s	21M	631 MB

Perfectly linear — no amortization. On a 20k-file monorepo with all frameworks enabled, multiple PII-checking frameworks (GDPR, HIPAA, CCPA, ISO27701) each invoke the PII scanner independently, so the real allocation count is a multiple of these figures.

Pattern count scaling

Patterns	ns/op	vs default
~80 (default)	1174 ns	baseline
100 (+20 custom)	1365 ns	+16%
200 (+120 custom)	2340 ns	+99%
500 (+420 custom)	5270 ns	+349%

Exactly O(n). Every miss touches every pattern. Custom patterns from .ckb/config.json degrade all non-matching identifiers proportionally.

---

Efficiency issues found — ranked by impact

1. regexp.MustCompile inside the per-line inner loop — CRITICAL

Three safety-framework checks compile a new regex on every line of every file:

internal/compliance/iec61508/structural.go:118
internal/compliance/iso26262/asil_checks.go:142
internal/compliance/do178c/structural.go:187

All three have the identical pattern:

for _, file := range scope.Files {
    for i, line := range lines {
        if currentFunc != "" && lineNum > funcStartLine {
            callPattern := regexp.MustCompile(`\b` + regexp.QuoteMeta(currentFunc) + `\s*\(`)
            // ^^^^ compiled per line, per file ^^^^
            if callPattern.MatchString(line) { ...

regexp.MustCompile parses and compiles the regex each call. For a 10k-line file with 500 functions, this compiles 10k–500k regexes per check invocation. The pattern only changes when currentFunc changes (at a new function boundary), so it should be compiled once per detected function, not once per line.

Fix: move the compile outside the line loop, keyed on currentFunc:

var callPattern *regexp.Regexp
var compiledFor string

for i, line := range lines {
    if m := funcDefPattern.FindStringSubmatch(line); len(m) > 1 {
        currentFunc = m[1]
        callPattern = regexp.MustCompile(`\b` + regexp.QuoteMeta(currentFunc) + `\s*\(`)
        compiledFor = currentFunc
        _ = compiledFor
    }
    if callPattern != nil {
        callPattern.MatchString(line)
    }

Or even simpler: use strings.Contains(line, currentFunc+"(") — the regex only needs to match a word boundary and \s*(, which strings.Contains can approximate with a quick check before a regex fallback.

---

2. 18 independent NewPIIScanner + ScanFiles calls per audit — HIGH

Every PII-related check creates its own scanner and walks every source file:

gdpr/pii.go           — 3 calls (pii-detection, pii-in-logs, pii-in-errors)
gdpr/retention.go     — 4 calls (no-retention-policy, no-deletion-endpoint,
                                  missing-consent, and a 4th check)
gdpr/crypto.go        — 1 call
hipaa/phi_detection.go — 2 calls
hipaa/access_control.go — 2 calls
iso27701/processing.go — 1 call
iso27701/rights.go    — 4 calls (one per rights check)
iso27001/leakage.go   — 1 call

Each ScanFiles call opens every .go/.ts/.py/... file in the repo with os.Open, reads it line by line, and runs the full normalize+match pipeline. A 5k-file repo scanned 18 times = 90k redundant file opens with 90k redundant pipeline passes.

Since all 18 calls use the same scope.Config.PIIFieldPatterns, the result is identical every time. The ScanScope is shared across all checks but has no result cache.

Fix: compute PII fields once, store on ScanScope:

type ScanScope struct {
    // ... existing fields ...
    piiOnce   sync.Once
    piiFields []PIIField
    piiErr    error
}

func (s *ScanScope) GetPIIFields(ctx context.Context) ([]PIIField, error) {
    s.piiOnce.Do(func() {
        scanner := NewPIIScanner(s.Config.PIIFieldPatterns)
        s.piiFields, s.piiErr = scanner.ScanFiles(ctx, s)
    })
    return s.piiFields, s.piiErr
}

Expected reduction: 17 of 18 full file scans eliminated. On a 5k-file audit this is the difference between 5.6s × 18 and 5.6s × 1 for PII scanning alone.

---

3. gdpr/retention.go reads files twice per check — HIGH

noRetentionPolicyCheck.Run (retention.go:22) calls piiScanner.ScanFiles to find PII fields (opens all files once), then immediately calls os.ReadFile on every file again to scan for retention indicators (line 49):

piiScanner := compliance.NewPIIScanner(scope.Config.PIIFieldPatterns)
piiFields, _ := piiScanner.ScanFiles(ctx, scope)     // opens all files
...
for _, file := range scope.Files {
    content, err := os.ReadFile(filepath.Join(..., file))  // opens all files again
    lower := strings.ToLower(string(content))              // copies entire file to lowercase

strings.ToLower(string(content)) on large files allocates a full copy of the file contents. Three more checks in retention.go repeat the same double-open pattern (lines 156, 215, 384).

Fix: check for retention indicators during the initial PII scan pass (they can share the same line-by-line iteration), or cache file contents on ScanScope for the first read.

---

4. nonPIISuffixes slice allocated on every isNonPIIIdentifier call — MEDIUM

// scanner.go:283 — inside the function body
func isNonPIIIdentifier(normalized string) bool {
    ...
    nonPIISuffixes := []string{   // ← allocated every call
        "file_name", "filename", "func_name", "function_name",
        // ... 46 entries total
    }
    for _, suffix := range nonPIISuffixes {
        if normalized == suffix || strings.HasSuffix(normalized, "_"+suffix) {

A 46-element string slice is allocated on the heap every time this function is called. isNonPIIIdentifier is called from matchPII for every identifier that hits the name-matching path — potentially millions of times per audit.

Additionally, iterating 46 suffixes linearly when most calls return false after the full scan is O(46) per call. This is measurable in the benchmark at 197 ns/op, but the allocation is the worse issue.

Fix: move to a package-level map[string]bool built at init time:

var nonPIISuffixSet = func() map[string]bool {
    suffixes := []string{"file_name", "filename", ...}
    m := make(map[string]bool, len(suffixes))
    for _, s := range suffixes {
        m[s] = true
    }
    return m
}()

Then the check becomes O(1) with no allocation: return nonPIISuffixSet[normalized] (with a suffix-split for the HasSuffix case).

---

5. extractIdentifiers allocates a fresh map[string]bool per line — MEDIUM

// scanner.go:375
func extractIdentifiers(line string) []string {
    seen := make(map[string]bool, len(matches))  // ← new allocation every line

At 14 allocs/line and ~6,000 allocs for 500 lines, this map is the dominant allocation source. For a 5k-file audit it produces ~18M allocations just from this map.

Fix: pass a map[string]bool in from the caller (created once per file, cleared between lines):

// In scanFile, create once:
seen := make(map[string]bool, 32)

// Each line:
for k := range seen { delete(seen, k) }  // clear
identifiers := extractIdentifiersInto(line, seen)

Go's map-clear idiom (for k := range m { delete(m, k) }) reuses the underlying hash table memory without resizing. This would cut 18M allocs to ~5k (one per file) for the same audit.

---

6. matchPII suffix scan is O(n_patterns) — MEDIUM

// scanner.go:256
for _, p := range s.patterns {
    if len(p.Pattern) > 4 && strings.HasSuffix(normalized, "_"+p.Pattern) {

Every identifier that doesn't exactly match (the common case) triggers a linear scan across all patterns. Already measured: 1.13µs for the default ~80 patterns, scaling to 5.27µs at 500. With 18 independent scanner instances, custom patterns degrade all 18 passes.

Fix: at NewPIIScanner construction time, build a suffix → pattern index:

type PIIScanner struct {
    ...
    suffixIndex map[string]PIIPattern  // last snake_case word → pattern
}

When checking user_email_address, extract the last word (address) and look it up directly. O(1) instead of O(n_patterns).

---

7. normalizeIdentifier rune allocations — LOW

Four heap allocations per call: []rune conversion, result []rune append, string(result) conversion, and the strings.ReplaceAll loop for __ collapsing. The loop is bounded (SCREAMING_SNAKE identifiers can have consecutive underscores) but allocates a new string on each iteration.

The 138 ns/op baseline is acceptable for typical identifiers. The 650 ns/op for long (60-char) identifiers is where the rune slice capacity grows. Not a priority fix unless normalizeIdentifier is called on very long synthetic identifiers, but worth noting for the suffix-index approach above (which would call normalizeIdentifier less often).

---

8. bufio.Scanner default 64 KB line limit — LOW

All file scanning (scanner.go, ScanFileLines) uses bufio.NewScanner(f) with the default 64 KB max token size. This causes silent truncation on lines longer than 64 KB — possible in minified JS, generated protobuf, or large raw string literals. Not a performance issue but a correctness risk on generated code.

---

Summary table

Issue	Location	Impact	Fix complexity
regexp.MustCompile per line	iec61508/structural.go:118, iso26262/asil_checks.go:142, do178c/structural.go:187	CRITICAL — compiles regex for every line in every file	Low — move compile outside line loop
18× independent PII file scans	gdpr/, hipaa/, iso27701/, iso27001/	HIGH — 17/18 scans are redundant	Medium — add sync.Once cache to ScanScope
Double file-read in retention checks	gdpr/retention.go:23,49,156,215,384	HIGH — full file re-read + ToLower copy	Low — combine with PII scan pass
nonPIISuffixes allocated per call	scanner.go:283	MEDIUM — 46-elem slice on every isNonPIIIdentifier call	Low — move to package-level map
extractIdentifiers map per line	scanner.go:375	MEDIUM — 18M allocs per 5k-file audit	Low — pass map from caller, clear between lines
matchPII O(n_patterns) suffix scan	scanner.go:256	MEDIUM — 4.5× slower at 500 custom patterns	Medium — build suffix index at construction
normalizeIdentifier rune allocs	scanner.go:307	Low	Medium
bufio.Scanner 64 KB limit	scanner.go:83, fileutil.go:19	Low (correctness)	Low — add scanner.Buffer() call

---

How to compare after optimizations

# After making changes:
go test -bench=. -benchmem -count=6 ./internal/compliance/... > /tmp/after.txt
benchstat testdata/benchmarks/compliance_baseline.txt /tmp/after.txt

The BenchmarkAuditFileSet benchmarks are the best signal for the high-impact fixes — they will show the improvement from fix #2 (PII scan deduplication) most clearly, since they simulate the multi-file pass that dominates real audit time.

---

Test plan

• go test -run='^$' -bench='^$' ./internal/compliance/... — compile check passes
• Full benchmark run completes without errors (84s for -count=5 on M4 Pro)
• Baseline committed and readable by benchstat
• Re-run baseline locally if your machine differs from arm64

[github-actions]

🟢 Change Impact Analysis

Metric	Value
Risk Level	LOW 🟢
Files Changed	4
Symbols Changed	3
Directly Affected	0
Transitively Affected	0

Blast Radius: 0 modules, 0 files, 0 unique callers

📝 Changed Symbols (3)

Symbol	File	Type	Confidence
internal/backends/scip/loader.go	internal/backends/scip/loader.go	modified	30%
internal/query/engine.go	internal/query/engine.go	modified	30%
internal/query/fts.go	internal/query/fts.go	modified	30%

Recommendations

• ℹ️ coverage: 3 symbols have low mapping confidence. Index may be stale.
  • Action: Run 'ckb index' to refresh the SCIP index

---

_{Generated by CKB}

[github-actions]

CKB Analysis

🎯 3 changed → 0 affected · 📊 3 complex · 💣 1 blast · 📚 160 stale

Risk factors: Moderate churn: 763 lines changed

👥 Suggested: @lisa.welsch1985@gmail.com (100%), @talantyyr@gmail.com (60%)

Metric	Value
Impact Analysis	3 symbols → 0 affected	🟢
Doc Coverage	8.125%	⚠️
Complexity	3 violations	⚠️
Coupling	0 gaps	✅
Blast Radius	0 modules, 0 files	✅
Index	indexed (0s)	💾

🎯 Change Impact Analysis · 🟢 LOW · 3 changed → 0 affected

Metric	Value
Symbols Changed	3
Directly Affected	0
Transitively Affected	0
Modules in Blast Radius	0
Files in Blast Radius	0

Symbols changed in this PR:

• internal/backends/scip/loader.go [modified] (30%) — internal/backends/scip/loader.go
• internal/query/engine.go [modified] (30%) — internal/query/engine.go
• internal/query/fts.go [modified] (30%) — internal/query/fts.go

Recommendations:

• ℹ️ 3 symbols have low mapping confidence. Index may be stale.
  • Action: Run 'ckb index' to refresh the SCIP index

💣 Blast radius · 0 symbols · 1 tests · 0 consumers

Tests that may break:

• internal/compliance/scanner_bench_test.go

📊 Complexity · 3 violations

File	Cyclomatic	Cognitive
internal/backends/scip/loader.go	⚠️ 48	⚠️ 134
internal/compliance/scanner_bench_test.go	13	⚠️ 51
internal/query/fts.go	⚠️ 16	⚠️ 39

💡 Quick wins · 10 suggestions

• 🟡 Add tests → internal/audit/analyzer.go
• 🟡 Add tests → internal/query/engine_test.go
• 🟡 Add tests → internal/daemon/refresh_test.go
• 🟡 Add tests → internal/audit/audit_test.go
• 🟡 Add tests → internal/identity/identity_test.go
• 🟢 Assign backup owner → internal/audit/analyzer.go
• 🟢 Assign backup owner → internal/query/engine_test.go
• 🟢 Assign backup owner → internal/daemon/refresh_test.go

📚 Stale docs · 160 broken references

• docs/CONTRIBUTING.md:108 → errors.New
• docs/CONTRIBUTING.md:108 → errors.SYMBOL_NOT_FOUND
• docs/CONTRIBUTING.md:111 → errors.Wrap
• docs/backlog/index-refresh-improvements.md:36 → watcher.Add
• docs/backlog/index-refresh-improvements.md:36 → filepath.Join
• docs/backlog/index-refresh-improvements.md:97 → time.Second
• docs/featureplans/change-impact-analysis-checklist.md:208 → coverage.out
• docs/featureplans/change-impact-analysis-checklist.md:214 → lcov.info
• docs/featureplans/change-impact-analysis-checklist.md:309 → coverage.out
• docs/featureplans/change-impact-analysis.md:448 → scip.SCIPIndex
• docs/featureplans/change-impact-analysis.md:478 → context.Context
• docs/featureplans/change-impact-analysis.md:669 → coverage.out
• docs/features/a2a/overview.md:41 → index.initialized
• docs/features/a2a/overview.md:42 → index.fresh
• docs/features/a2a/overview.md:43 → index.commitsBehind

---

_{Generated by CKB · Run details}

[codecov]

Codecov Report

❌ Patch coverage is 87.68116% with 17 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/query/fts.go	35.7%	9 Missing ⚠️
internal/backends/scip/loader.go	95.0%	3 Missing and 3 partials ⚠️
internal/query/engine.go	50.0%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           develop    #204   +/-   ##
=======================================
  Coverage     43.0%   43.0%           
=======================================
  Files          507     507           
  Lines        77953   78022   +69     
=======================================
+ Hits         33568   33614   +46     
- Misses       42022   42045   +23     
  Partials      2363    2363           

Flag	Coverage Δ
unit	43.0% <87.6%> (+<0.1%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

CKB review failed to generate output.

[github-actions]

CKB review failed to generate output.