12 - Performance Workbook

Purpose – define repeatable, data‑driven benchmarks that guard Stella Ops’ core pledge:

“P95 vulnerability feedback in ≤ 5 seconds.”


0 Benchmark Scope

Area | Included | Excluded
SBOM‑first scan | Trivy engine w/ warmed DB | Full image unpack ≥ 300 MB
Delta SBOM ⭑ | Missing‑layer lookup & merge | Multi‑arch images
Policy eval ⭑ | YAML → JSON → rule match | Rego (until GA)
Feed merge | NVD JSON 2023–2025 | GHSA GraphQL (plugin)
Quota wait‑path | 5 s soft‑wait, 60 s hard‑wait behaviour | Paid tiers (unlimited)
API latency | REST /scan, /layers/missing | UI SPA calls

⭑ = new in July 2025.


1 Hardware Baseline (Reference Rig)

Element | Spec
CPU | 8 vCPU (Intel Ice‑Lake equiv.)
Memory | 16 GiB
Disk | NVMe SSD, 3 GB/s R/W
Network | 1 Gbit virt. switch
Container | Docker 25.0 + overlay2
OS | Ubuntu 22.04 LTS (kernel 6.8)

All P95 targets assume a single‑node deployment on this rig unless stated.


2 Phase Targets & Gates

Phase (ID) | Target P95 | Gate (CI) | Rationale
SBOM_FIRST | ≤ 5 s | hard | Core UX promise.
IMAGE_UNPACK | ≤ 10 s | soft | Fallback path for legacy flows.
DELTA_SBOM | ≤ 1 s | hard | Needed to stay sub‑5 s for big bases.
POLICY_EVAL | ≤ 50 ms | hard | Keeps gate latency invisible to users.
QUOTA_WAIT | soft ≤ 5 s, hard ≤ 60 s | hard | Ensures graceful Free‑tier throttling.
SCHED_RESCAN | ≤ 30 s | soft | Nightly batch – not user‑facing.
FEED_MERGE | ≤ 60 s | soft | Off‑peak cron @ 01:00.
API_P95 | ≤ 200 ms | hard | UI snappiness.

Gate legend — hard: break CI if regression > 3 × target,
soft: raise warning & issue ticket.


3 Test Harness

  • Runner – perf/run.sh, accepts --phase and --samples.
  • Metrics – Prometheus + jq extracts; aggregated via scripts/aggregate.ts.
  • CI – GitLab CI job benchmark publishes JSON to bench‑artifacts/.
  • Visualisation – Grafana dashboard Stella‑Perf (provisioned JSON).

Note – harness mounts /var/cache/trivy tmpfs to avoid disk noise.


4 Current Results (July 2025)

Phase | Samples | Mean (s) | P95 (s) | Target OK?
SBOM_FIRST | 100 | 3.7 | 4.9 | yes
IMAGE_UNPACK | 50 | 6.4 | 9.2 | yes
DELTA_SBOM | 100 | 0.46 | 0.83 | yes
POLICY_EVAL | 1 000 | 0.021 | 0.041 | yes
QUOTA_WAIT | 80 | 4.0* | 4.9* | yes
SCHED_RESCAN | 10 | 18.3 | 24.9 | yes
FEED_MERGE | 3 | 38.1 | 41.0 | yes
API_P95 | 20 000 | 0.087 | 0.143 | yes

Data files: bench-artifacts/2025‑07‑14/phase‑stats.json.
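The gate legend in section 2 and the results table in section 4 together define a small decision procedure: compare each phase's P95 with its target and let the gate kind decide whether CI breaks, warns, or passes. The following is an added example of that procedure, not the project's perf/run.sh or scripts/aggregate.ts. The targets and the July 2025 P95 figures are copied from the two tables; the rule itself is an assumed reading of the legend (a hard gate fails CI when P95 exceeds 3 × target, any P95 above its target is a warning, a soft gate only ever warns), and the nearest‑rank P95 helper is an assumption about how the harness summarises samples.

```python
"""Gate evaluator for per-phase P95 results.

Added example, not the project's perf/run.sh or scripts/aggregate.ts.
Targets and the July 2025 P95 figures are taken from the workbook tables;
the gate rule is an assumed reading of the legend: a hard gate fails CI
when P95 exceeds 3 x target, any P95 above its target is a warning, and
a soft gate only ever warns.
"""
from math import ceil

# (target P95 in seconds, gate kind) per phase, from the Phase Targets table.
# QUOTA_WAIT is compared on its soft-hit path (5 s); the hard-hit bound is 60 s.
TARGETS = {
    "SBOM_FIRST":   (5.0,   "hard"),
    "IMAGE_UNPACK": (10.0,  "soft"),
    "DELTA_SBOM":   (1.0,   "hard"),
    "POLICY_EVAL":  (0.050, "hard"),
    "QUOTA_WAIT":   (5.0,   "hard"),
    "SCHED_RESCAN": (30.0,  "soft"),
    "FEED_MERGE":   (60.0,  "soft"),
    "API_P95":      (0.200, "hard"),
}

# P95 column of the Current Results table (seconds).
JULY_2025_P95 = {
    "SBOM_FIRST": 4.9, "IMAGE_UNPACK": 9.2, "DELTA_SBOM": 0.83,
    "POLICY_EVAL": 0.041, "QUOTA_WAIT": 4.9, "SCHED_RESCAN": 24.9,
    "FEED_MERGE": 41.0, "API_P95": 0.143,
}


def p95(samples):
    """Nearest-rank P95 of raw per-sample wall times (assumed harness summary)."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, ceil(0.95 * len(ordered)))   # 1-based rank
    return ordered[rank - 1]


def gate(phase, measured_p95):
    """Return 'ok', 'warn' or 'fail' for one phase under the assumed legend rule."""
    target, kind = TARGETS[phase]
    if measured_p95 <= target:
        return "ok"
    if kind == "hard" and measured_p95 > 3 * target:
        return "fail"          # hard gate: break CI
    return "warn"              # soft gate, or hard gate still under 3 x target


def evaluate(results):
    """Map every phase to its gate status; a phase with no result is flagged."""
    statuses = {}
    for phase in TARGETS:
        statuses[phase] = gate(phase, results[phase]) if phase in results else "missing"
    return statuses


def ci_exit_code(statuses):
    """Non-zero when a hard gate failed or a phase produced no result; warnings pass."""
    return 1 if any(s in ("fail", "missing") for s in statuses.values()) else 0


if __name__ == "__main__":
    status = evaluate(JULY_2025_P95)
    for phase, s in status.items():
        print(f"{phase:13s} {s}")
    raise SystemExit(ci_exit_code(status))
```

Run stand‑alone it prints one status line per phase and exits with the CI code; feeding it the July 2025 column yields "ok" for every phase, which matches the results table.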


5 Δ‑SBOM Micro‑Benchmark Detail

5.1 Scenario

  1. Base image python:3.12-slim already scanned (all layers cached).
  2. Application layer (COPY . /app) triggers new digest.
  3. Stella CLI lists 7 layers, backend replies 6 hit, 1 miss.
  4. Builder scans only 1 layer (~9 MiB, 217 files) & uploads delta.

5.2 Key Timings

Step | Time (ms)
/layers/missing | 13
Trivy single layer | 655
Upload delta blob | 88
Backend merge + CVE | 74
Total wall‑time | 830
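The scenario and timings above describe a four‑message exchange: the CLI lists layer digests, the backend answers with the misses, the CLI scans and uploads only those, and the backend merges per‑layer fragments into the image SBOM. The following is an added example of that exchange, not Stella's CLI or backend code. Layer contents, package names and digests are constructed; scan_layer() stands in for the single‑layer Trivy run and the Backend class stands in for the /layers/missing and delta‑upload endpoints.

```python
"""Delta-SBOM exchange between a client and a backend (added example).

Not Stella's CLI or backend. Layer contents and package names are
constructed; scan_layer() stands in for the single-layer Trivy scan and
Backend stands in for the /layers/missing and delta-upload endpoints.
"""
import hashlib


def layer_digest(content: bytes) -> str:
    """Content-addressed layer id, as in an OCI image manifest."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


def scan_layer(content: bytes) -> list[str]:
    """Stand-in for a single-layer scan: each whitespace token is a 'package'."""
    return sorted(set(content.decode("utf-8").split()))


class Backend:
    """Server side: per-layer SBOM fragments keyed by digest."""

    def __init__(self):
        self.layer_sboms: dict[str, list[str]] = {}

    def layers_missing(self, digests: list[str]) -> list[str]:
        """/layers/missing: digests the backend has never scanned."""
        return [d for d in digests if d not in self.layer_sboms]

    def upload_delta(self, digest: str, sbom: list[str]) -> None:
        """Accept the fragment for one freshly scanned layer."""
        self.layer_sboms[digest] = list(sbom)

    def merge(self, digests: list[str]) -> list[str]:
        """Image SBOM = union of fragments in layer order; first occurrence wins."""
        merged, seen = [], set()
        for d in digests:
            if d not in self.layer_sboms:
                raise KeyError(f"layer {d} not uploaded before merge")
            for pkg in self.layer_sboms[d]:
                if pkg not in seen:
                    seen.add(pkg)
                    merged.append(pkg)
        return merged


def delta_scan(backend: Backend, layers: list[bytes]) -> tuple[int, int, list[str]]:
    """Client side. Returns (layers listed, layers scanned, merged image SBOM)."""
    digests = [layer_digest(c) for c in layers]
    missing = set(backend.layers_missing(digests))
    for digest, content in zip(digests, layers):
        if digest in missing:                       # scan only the misses
            backend.upload_delta(digest, scan_layer(content))
    return len(digests), len(missing), backend.merge(digests)


# Constructed image: six base layers (python:3.12-slim stand-in) plus one app layer.
BASE_LAYERS = [b"libc6 openssl", b"python3.12 pip", b"setuptools", b"certifi",
               b"wheel", b"sqlite3 openssl"]        # openssl repeated: exercises dedupe
APP_LAYER = b"flask requests"                       # the COPY . /app layer


def run_scenario() -> dict:
    """Warm the cache with the base image, then scan base + app layer."""
    backend = Backend()
    _, base_scanned, _ = delta_scan(backend, BASE_LAYERS)
    listed, scanned, sbom = delta_scan(backend, BASE_LAYERS + [APP_LAYER])
    return {"base_scanned": base_scanned, "listed": listed,
            "scanned": scanned, "sbom": sbom}


if __name__ == "__main__":
    print(run_scenario())
```

The second call reproduces the scenario's 7 listed / 6 hit / 1 miss split: only the application layer is scanned and uploaded, and the merge dedupes packages that appear in more than one layer.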

6 Quota Wait‑Path Benchmark Detail

6.1 Scenario

  1. Free‑tier token reaches scan #200 – dashboard shows yellow banner.

6.2 Key Timings

Step | Time (ms)
/quota/check Redis LUA INCR | 0.8
Soft wait sleep (server) | 5 000
Hard wait sleep (server) | 60 000
End‑to‑end wall‑time (soft‑hit) | 5 003
End‑to‑end wall‑time (hard‑hit) | 60 004
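The timings show that the quota path is dominated by the deliberate server‑side sleeps, with the atomic counter step itself under a millisecond. The following is an added example of that decision logic, not Stella's /quota/check implementation. The counter is an in‑memory stand‑in for the Redis key the Lua INCR script touches; the 200‑scan soft threshold and the 5 s / 60 s waits are from the tables above, while HARD_LIMIT and the 24 h counting window are hypothetical values the page does not state. The Lua snippet is included only as the reference shape of the atomic step the class emulates.

```python
"""Quota wait-path decision for a Free-tier token (added example).

Not Stella's /quota/check. CounterStore stands in for the Redis key that
the Lua INCR script touches. SOFT_LIMIT and the two waits come from the
workbook; HARD_LIMIT and WINDOW_S are hypothetical.
"""
import threading
import time

SOFT_LIMIT = 200        # scan #200 raises the yellow banner and the 5 s soft wait
HARD_LIMIT = 260        # hypothetical: page gives no figure for where hard-wait begins
SOFT_WAIT_S = 5.0
HARD_WAIT_S = 60.0
WINDOW_S = 24 * 3600    # hypothetical counting window

# Reference shape of the atomic server-side step (Redis runs scripts atomically).
QUOTA_LUA = """
local n = redis.call('INCR', KEYS[1])
if n == 1 then redis.call('EXPIRE', KEYS[1], ARGV[1]) end
return n
"""


class CounterStore:
    """In-memory equivalent of QUOTA_LUA: a lock gives the same all-or-nothing step."""

    def __init__(self):
        self._lock = threading.Lock()
        self._counts = {}
        self._expiry = {}

    def incr(self, key, window_s, now):
        """INCR plus first-touch EXPIRE, performed as one atomic operation."""
        with self._lock:
            exp = self._expiry.get(key)
            if exp is None or now >= exp:          # key absent or window elapsed
                self._counts[key] = 0
                self._expiry[key] = now + window_s
            self._counts[key] += 1
            return self._counts[key]


def quota_check(store, token, now=None):
    """Increment the token's counter and return the wait the server will impose."""
    now = time.time() if now is None else now
    n = store.incr(f"quota:{token}", WINDOW_S, now)
    if n < SOFT_LIMIT:
        return {"count": n, "path": "none", "wait_s": 0.0}
    if n < HARD_LIMIT:
        return {"count": n, "path": "soft", "wait_s": SOFT_WAIT_S}
    return {"count": n, "path": "hard", "wait_s": HARD_WAIT_S}


def drive(store, token, scans, start=0.0):
    """Issue `scans` checks one second apart and return the last decision."""
    last = None
    for i in range(scans):
        last = quota_check(store, token, now=start + i)
    return last


if __name__ == "__main__":
    s = CounterStore()
    print(drive(s, "free-tier-token", 200))   # the 200th scan lands on the soft path
```

The wait is returned rather than slept here so the decision can be exercised without the 5 s and 60 s delays that dominate the end‑to‑end figures; the real server sleeps for the returned value before answering.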

7 Policy Eval Bench

7.1 Setup

  • Policy YAML: 28 rules, mix severity & package conditions.
  • Input: scan result JSON with 1 026 findings.
  • Evaluator: custom rules engine (Go structs → map look‑ups).
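The setup describes a two‑step evaluator: the policy YAML is turned into a JSON document, and rules are matched against findings through map look‑ups rather than a linear pass over all 1 026 findings per rule. The following is an added example of that structure in Python, not Stella's Go rules engine. The policy JSON is a constructed stand‑in for the output of the YAML → JSON step, the findings (VULN‑n ids, packages, severities) are constructed, and the rule fields (package, min_severity, action) are assumptions about what "severity & package conditions" look like.

```python
"""Rule matching over a scan result using indexed look-ups (added example).

Not Stella's Go rules engine. POLICY_JSON is a constructed stand-in for
the YAML -> JSON step's output; the findings are constructed; the rule
fields are assumed. Shown: per-rule work is a bucket look-up, not a pass
over every finding.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Rule:
    id: str
    action: str                       # "block" or "warn"
    package: Optional[str] = None     # exact package name, if set
    min_severity: Optional[str] = None


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    severity: str


# Constructed: what the YAML -> JSON step would hand to the evaluator.
POLICY_JSON = """{"rules": [
  {"id": "no-critical",  "action": "block", "min_severity": "CRITICAL"},
  {"id": "openssl-high", "action": "block", "package": "openssl", "min_severity": "HIGH"},
  {"id": "warn-medium",  "action": "warn",  "min_severity": "MEDIUM"},
  {"id": "log4j-any",    "action": "block", "package": "log4j-core"}
]}"""

# Constructed findings (ids are placeholders, not real advisories).
FINDINGS = [
    Finding("VULN-1", "openssl", "HIGH"),
    Finding("VULN-2", "openssl", "LOW"),
    Finding("VULN-3", "libxml2", "CRITICAL"),
    Finding("VULN-4", "curl", "MEDIUM"),
]


def load_policy(text: str) -> list[Rule]:
    """Parse the JSON form of the policy, rejecting unknown actions/severities early."""
    rules = []
    for r in json.loads(text)["rules"]:
        if r["action"] not in ("block", "warn"):
            raise ValueError(f"rule {r['id']}: unknown action {r['action']}")
        sev = r.get("min_severity")
        if sev is not None and sev not in SEVERITY_RANK:
            raise ValueError(f"rule {r['id']}: unknown severity {sev}")
        rules.append(Rule(r["id"], r["action"], r.get("package"), sev))
    return rules


class FindingIndex:
    """Build package and severity maps once; every rule then reads a bucket."""

    def __init__(self, findings):
        self.by_package = defaultdict(list)
        self.by_severity = defaultdict(list)
        for f in findings:
            if f.severity not in SEVERITY_RANK:
                raise ValueError(f"{f.vuln_id}: unknown severity {f.severity}")
            self.by_package[f.package].append(f)
            self.by_severity[f.severity].append(f)

    def candidates(self, rule):
        if rule.package is not None:              # narrowest bucket first
            return self.by_package.get(rule.package, [])
        floor = SEVERITY_RANK[rule.min_severity] if rule.min_severity else 0
        return [f for sev, rank in SEVERITY_RANK.items() if rank >= floor
                for f in self.by_severity.get(sev, [])]


def matches(rule, f):
    """Full condition check, applied only to the bucket candidates() returned."""
    if rule.package is not None and f.package != rule.package:
        return False
    if rule.min_severity is not None and \
            SEVERITY_RANK[f.severity] < SEVERITY_RANK[rule.min_severity]:
        return False
    return True


def evaluate(rules, findings):
    """Return (verdict, {rule id: sorted matched vuln ids}); block beats warn beats pass."""
    index = FindingIndex(findings)
    hits, verdict = {}, "pass"
    for rule in rules:
        matched = sorted(f.vuln_id for f in index.candidates(rule) if matches(rule, f))
        hits[rule.id] = matched
        if matched and rule.action == "block":
            verdict = "block"
        elif matched and verdict == "pass":
            verdict = "warn"
    return verdict, hits


if __name__ == "__main__":
    print(evaluate(load_policy(POLICY_JSON), FINDINGS))
```

A rule with a package condition touches only that package's bucket, and a severity‑only rule walks at most four severity buckets, so the cost per rule stays flat as the finding count grows; validating severities on load keeps a malformed policy or scan result from silently matching nothing.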

7.2 Latency Histogram

0‑10 ms  ▇▇▇▇▇▇▇▇▇▇  38 %
10‑20 ms ▇▇▇▇▇▇▇▇▇▇  42 %
20‑40 ms ▇▇▇▇▇▇     17 %
40‑50 ms ▇           3 %

P99 = 48 ms. Meets 50 ms gate.


8 Trend Snapshot

Perf trend spark‑line placeholder

Plot generated weekly by scripts/update‑trend.py; shows last 12 weeks P95 per phase.


9 Action Items

  1. Image Unpack – Evaluate zstd for layer decompress; aim to shave 1 s.
  2. Feed Merge – Parallelise regional XML feed parse (plugin) once stable.
  3. Rego Support – Prototype OPA side‑car; target ≤ 100 ms eval.
  4. Concurrency – Stress‑test 100 rps on 4‑node Redis cluster (Q4‑2025).

10 Change Log

Date | Note
2025‑07‑14 | Added Δ‑SBOM & Policy Eval phases; updated targets & current results.
2025‑07‑12 | First public workbook (SBOM‑first, image‑unpack, feed merge).