
Add authz guard chain and server cold-start benchmarks #501

Merged: zeevdr merged 2 commits into main from bench/authz-guard-cold-start-474, May 19, 2026

@zeevdr (Member) commented May 19, 2026

Summary

  • Gates beta readiness by establishing baseline performance numbers for the authorization hot path and server startup time (issue Bench: authz Guard chain cost and server cold-start time #474).
  • Uses the in-memory backend so benchmarks run without any external dependencies (no PostgreSQL or Redis required in CI).
  • Results are uploaded as a per-SHA artifact on every code PR, giving a stable time-series for regression detection once a threshold is determined.

Test plan

  • BenchmarkChain_TenantAndRole — 2-guard pipeline (TenantScopeGuard + RolePolicyGuard), zero allocations per op
  • BenchmarkChain_FullPipeline_CacheHit — full 3-guard pipeline with field locks from context cache, zero allocations per op
  • BenchmarkChain_FullPipeline_StoreLookup — full 3-guard pipeline with stub store lookup, zero allocations per op
  • BenchmarkServerColdStart — in-memory store init → server.New → service registration → Serve → first health-check RPC (~1 ms on dev hardware)
  • make test passes (all packages, race detector enabled)
  • golangci-lint clean

Closes #474

🤖 Generated with Claude Code

Add two benchmark suites gating beta readiness (issue #474):

- internal/authz/guard_bench_test.go: three scenarios covering the
  TenantScopeGuard + RolePolicyGuard + FieldLockGuard pipeline —
  two-guard path, full pipeline with context-cache hit, and full
  pipeline with store lookup. All three allocate zero bytes per op.

- cmd/server/main_bench_test.go: BenchmarkServerColdStart measures
  wall-clock time from the start of in-memory store initialization
  through the first gRPC health-check RPC returning SERVING (~1 ms
  on dev hardware). Uses grpc.WaitForReady so the measurement is
  stable without sleep-based synchronization.

- internal/server/server.go: expose Addr() so the cold-start bench
  can resolve the OS-assigned port after New("0", ...).

- .github/workflows/ci.yml: add a bench job that runs both suites
  with -benchtime=5s and uploads bench.txt as a SHA-keyed artifact
  for tracking over time. Job is an allowed-skip in the check gate
  (informational, no regression threshold yet).

Closes #474

Co-Authored-By: Claude <noreply@anthropic.com>
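
An added illustration, not code from this PR or repository: one way to check a guard chain's zero-allocation claim in Go with `testing.AllocsPerRun`, on both allow and deny paths. The `Request` type, the guard rules, `denyIf`, `Check` and `AllocsPerCheck` are hypothetical; only the three guard names come from the commit message above.

```go
package main

import (
	"errors"
	"fmt"
	"testing"
)

// Request and the guard rules are hypothetical; only the guard names come from the PR.
type Request struct {
	Tenant, ResourceTenant, Role, Field string
	LockedFields                        map[string]bool // stand-in for context-cached field locks
}

// Sentinel errors are allocated once, so a deny costs no allocation either.
var ErrTenant = errors.New("tenant mismatch")
var ErrRole = errors.New("role not permitted")
var ErrLocked = errors.New("field locked")

func denyIf(deny bool, err error) error {
	if deny {
		return err
	}
	return nil
}

type Guard func(*Request) error // nil means allow
func TenantScopeGuard(r *Request) error { return denyIf(r.Tenant != r.ResourceTenant, ErrTenant) }
func RolePolicyGuard(r *Request) error  { return denyIf(r.Role != "editor", ErrRole) }
func FieldLockGuard(r *Request) error   { return denyIf(r.LockedFields[r.Field], ErrLocked) }

// Check runs the guards in order and stops at the first deny.
func Check(chain []Guard, r *Request) error {
	for _, g := range chain {
		if err := g(r); err != nil {
			return err
		}
	}
	return nil
}

// AllocsPerCheck reports the average heap allocations per Check call.
func AllocsPerCheck(chain []Guard, r *Request) float64 {
	return testing.AllocsPerRun(1000, func() { _ = Check(chain, r) })
}

func main() {
	r := &Request{Tenant: "t1", ResourceTenant: "t1", Role: "editor", Field: "name"}
	fmt.Println(AllocsPerCheck([]Guard{TenantScopeGuard, RolePolicyGuard, FieldLockGuard}, r))
}
```

A deny path that built its error with `fmt.Errorf` would show up here as a non-zero allocation count, which is why the sketch returns preallocated sentinel errors.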
@zeevdr added this to the Beta Readiness milestone May 19, 2026
@zeevdr added the enhancement, server, size: S, and priority: P0 labels May 19, 2026
codecov Bot commented May 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Co-Authored-By: Claude <noreply@anthropic.com>
@zeevdr merged commit e37428a into main May 19, 2026
21 checks passed
@zeevdr deleted the bench/authz-guard-cold-start-474 branch May 19, 2026 17:34