feat(bench): add @cipherstash/bench for index-engagement validation

Adds a new private workspace package that runs encrypted query forms through
EXPLAIN against a 10k-row fixture, asserting that each integration's emitted
SQL engages the canonical EQL functional indexes (hmac_256 / bloom_filter /
ste_vec) instead of falling back to seq scan.

Drizzle adapter is in; encryptedSupabase and Prisma scaffold to follow.

Two layers:
- __tests__/  — vitest assertions on plan shape (cheap, CI-runnable).
- __benches__/ — vitest --bench timings (on-demand).

The drizzle/operators.explain.test.ts file currently fails on eq / inArray —
that's the pre-fix repro for the bare-equality bug. The fix follows in a
stacked branch.

Author: coderdan

packages/bench/.gitignore

@@ -0,0 +1 @@
+results/

packages/bench/README.md

@@ -0,0 +1,49 @@
+# @cipherstash/bench
+
+Performance / index-engagement benchmarks for stack integrations.
+
+This package validates that each integration emits SQL that engages the canonical
+EQL functional indexes (`eql_v2.hmac_256`, `eql_v2.bloom_filter`, `eql_v2.ste_vec`)
+on a Supabase-shaped install (no operator classes). It runs in two layers:
+
+1. **EXPLAIN-shape tests** (`__tests__/`) — vitest tests that assert on
+   `EXPLAIN (ANALYZE, BUFFERS, FORMAT JSON)` output. Pass/fail. Cheap.
+2. **Wall-clock benches** (`__benches__/`) — vitest `--bench` (tinybench)
+   measuring median / p95 latency. On-demand; emits JSON to `results/`.
+
+## Prerequisites
+
+- Local Postgres + EQL via the repo-root `local/docker-compose.yml`:
+  ```bash
+  cd ../../local && docker compose up -d
+  ```
+- A CipherStash profile signed in (`stash login`). Auth is read from the
+  CipherStash profile; no environment variables required.
+- `DATABASE_URL` only needs to be set if you want to override the default
+  (`postgres://cipherstash:password@localhost:5432/cipherstash`).
+
+## Run
+
+The bench package's tests are **developer-run only** — they're not invoked by
+the repo's CI `test` step (the scripts are deliberately named `test:local` /
+`bench:local` so turbo's default `test` task skips this package).
+
+```bash
+# Credential-free smoke (verifies schema + EXPLAIN harness):
+pnpm test:local -- db-only
+
+# Full suite (requires CipherStash auth via `stash login`, seeds 10k rows on first run):
+pnpm db:setup                   # apply schema + seed BENCH_ROWS rows (default 10k)
+pnpm test:local                 # EXPLAIN-shape assertions for #421 / #422
+pnpm bench:local                # timing benches (slow)
+pnpm db:reset                   # drop schema (keeps EQL install)
+```
+
+`__tests__/db-only.test.ts` only touches Postgres + the EQL install and is the
+recommended starter — it's enough to verify the harness locally before wiring
+auth. The other tests under `__tests__/` and the benches under `__benches__/`
+use `@cipherstash/stack`'s `Encryption` client for real encryption.
+
+## Why this exists
+
+See cipherstash/stack issues #420, #421, #422.

packages/bench/__benches__/drizzle/operators.bench.ts

@@ -0,0 +1,65 @@
+import { afterAll, beforeAll, bench, describe } from 'vitest'
+import { buildDrizzleQueries } from '../../src/drizzle/queries.js'
+import {
+  type BenchHandle,
+  benchTable,
+  buildBench,
+  teardownBench,
+} from '../../src/drizzle/setup.js'
+import { applySchema } from '../../src/harness/db.js'
+import { seed } from '../../src/harness/seed.js'
+
+let handle: BenchHandle
+let q: ReturnType<typeof buildDrizzleQueries>
+
+beforeAll(async () => {
+  handle = await buildBench()
+  await applySchema(handle.pgClient)
+  await seed(handle)
+  q = buildDrizzleQueries(handle.encryptionClient)
+})
+
+afterAll(async () => {
+  if (handle) await teardownBench(handle)
+})
+
+/**
+ * Encrypt the query value once (outside the timed loop) and then time the
+ * SELECT round-trip only — the encryption cost is paid by the caller in real
+ * code too, but folding it into the bench would dominate timings and obscure
+ * the index-engagement signal we actually care about.
+ */
+describe('drizzle', () => {
+  bench('eq (string match)', async () => {
+    const where = await q.eq('value-0000042')
+    await handle.db.select().from(benchTable).where(where)
+  })
+
+  bench('inArray (3 string matches)', async () => {
+    const where = await q.inArray([
+      'value-0000042',
+      'value-0000123',
+      'value-0000999',
+    ])
+    await handle.db.select().from(benchTable).where(where)
+  })
+
+  bench('like (prefix)', async () => {
+    const where = await q.like('%value-00000%')
+    await handle.db.select().from(benchTable).where(where)
+  })
+
+  bench('gt (int)', async () => {
+    const where = await q.gt(9990)
+    await handle.db.select().from(benchTable).where(where)
+  })
+
+  bench('between (int)', async () => {
+    const where = await q.between(4000, 4100)
+    await handle.db.select().from(benchTable).where(where)
+  })
+
+  bench('orderBy desc + limit 10', async () => {
+    await handle.db.select().from(benchTable).orderBy(q.desc()).limit(10)
+  })
+})

packages/bench/__tests__/db-only.test.ts

@@ -0,0 +1,56 @@
+/**
+ * DB-only smoke tests — exercise the schema/mode/EXPLAIN path against the
+ * existing local-postgres container without requiring CipherStash credentials.
+ * The seed/encryption path is covered separately by `harness.test.ts`, which
+ * does require credentials.
+ */
+import { afterAll, beforeAll, describe, expect, it } from 'vitest'
+import { applySchema, connect, countBenchRows } from '../src/harness/db.js'
+import { explain, hasNodeType, summarize } from '../src/harness/explain.js'
+import type pg from 'pg'
+
+let client: pg.Client
+
+beforeAll(async () => {
+  client = await connect()
+  await applySchema(client)
+})
+
+afterAll(async () => {
+  if (client) await client.end()
+})
+
+describe('db-only harness', () => {
+  it('schema applied (bench table exists, count is 0)', async () => {
+    const rows = await countBenchRows(client)
+    expect(rows).toBe(0)
+  })
+
+  it('EXPLAIN parses a trivial plan', async () => {
+    const plan = await explain(client, 'SELECT id FROM bench LIMIT 1', [], {
+      analyze: false,
+    })
+    expect(plan['Node Type']).toBeTruthy()
+    expect(typeof summarize(plan)).toBe('string')
+  })
+
+  it('functional indexes exist after schema apply', async () => {
+    const res = await client.query<{ indexname: string }>(
+      `SELECT indexname FROM pg_indexes WHERE tablename = 'bench' ORDER BY indexname`,
+    )
+    const names = res.rows.map((r) => r.indexname)
+    expect(names).toContain('bench_text_hmac_idx')
+    expect(names).toContain('bench_text_bloom_idx')
+    expect(names).toContain('bench_jsonb_stevec_idx')
+  })
+
+  it('plan walker traverses nested Plans nodes', async () => {
+    const plan = await explain(
+      client,
+      'SELECT b1.id FROM bench b1 JOIN bench b2 ON b1.id = b2.id LIMIT 1',
+      [],
+      { analyze: false },
+    )
+    expect(hasNodeType(plan, 'Limit')).toBe(true)
+  })
+})

packages/bench/__tests__/drizzle/operators.explain.test.ts

@@ -0,0 +1,196 @@
+import { writeFileSync, mkdirSync } from 'node:fs'
+import { resolve, dirname } from 'node:path'
+import { fileURLToPath } from 'node:url'
+import type { SQL } from 'drizzle-orm'
+import { afterAll, beforeAll, describe, expect, it } from 'vitest'
+import { buildDrizzleQueries } from '../../src/drizzle/queries.js'
+import {
+  type BenchHandle,
+  benchTable,
+  buildBench,
+  teardownBench,
+} from '../../src/drizzle/setup.js'
+import { applySchema } from '../../src/harness/db.js'
+import {
+  type PlanNode,
+  explain,
+  hasSeqScan,
+  summarize,
+  topScan,
+} from '../../src/harness/explain.js'
+import { seed } from '../../src/harness/seed.js'
+
+const __dirname = dirname(fileURLToPath(import.meta.url))
+const resultsDir = resolve(__dirname, '..', '..', 'results')
+
+let handle: BenchHandle
+let q: ReturnType<typeof buildDrizzleQueries>
+const investigationLog: Record<string, unknown> = { observations: {} }
+
+beforeAll(async () => {
+  handle = await buildBench()
+  await applySchema(handle.pgClient)
+  await seed(handle)
+  q = buildDrizzleQueries(handle.encryptionClient)
+})
+
+afterAll(async () => {
+  if (handle) await teardownBench(handle)
+
+  // Persist #422 investigation outputs as a JSON artifact regardless of pass/fail.
+  try {
+    mkdirSync(resultsDir, { recursive: true })
+    writeFileSync(
+      resolve(resultsDir, 'explain-shape.json'),
+      `${JSON.stringify(investigationLog, null, 2)}\n`,
+    )
+  } catch (err) {
+    console.warn('[bench] failed to persist investigation log:', err)
+  }
+})
+
+/**
+ * Compile a Drizzle WHERE expression to SQL+params and run EXPLAIN against it.
+ * Wraps in a SELECT that touches the bench table so the planner has to make
+ * a decision on the encrypted column.
+ */
+async function explainWhere(where: SQL): Promise<PlanNode> {
+  const query = handle.db.select().from(benchTable).where(where)
+  const compiled = query.toSQL()
+  return explain(handle.pgClient, compiled.sql, compiled.params as unknown[])
+}
+
+async function explainOrderBy(orderBy: SQL): Promise<PlanNode> {
+  const query = handle.db.select().from(benchTable).orderBy(orderBy).limit(10)
+  const compiled = query.toSQL()
+  return explain(handle.pgClient, compiled.sql, compiled.params as unknown[])
+}
+
+function recordObservation(name: string, plan: PlanNode): void {
+  const scan = topScan(plan)
+  investigationLog.observations = {
+    ...(investigationLog.observations as Record<string, unknown>),
+    [name]: {
+      summary: summarize(plan),
+      nodeType: scan?.['Node Type'],
+      indexName: scan?.['Index Name'] ?? null,
+    },
+  }
+}
+
+function recordError(name: string, err: unknown): void {
+  investigationLog.observations = {
+    ...(investigationLog.observations as Record<string, unknown>),
+    [name]: {
+      error: err instanceof Error ? err.message : String(err),
+    },
+  }
+}
+
+/**
+ * Run a Drizzle WHERE-shaped expression through EXPLAIN, but if compiling or
+ * planning the query fails (e.g. the operator returns a non-boolean type), log
+ * the error to the investigation artifact instead of bubbling it. #422 tests
+ * must never block CI — they're observational.
+ */
+async function tryExplainWhere(name: string, where: SQL): Promise<void> {
+  try {
+    const plan = await explainWhere(where)
+    recordObservation(name, plan)
+  } catch (err) {
+    recordError(name, err)
+  }
+}
+
+// --- #421: equality + array operators -------------------------------------
+//
+// `bench_text_hmac_idx` (functional hash on eql_v2.hmac_256) is the expected
+// fast path. Pre-fix Drizzle emits bare `=` / `<>` / `IN (...)` which falls
+// back to seq scan. Post-fix it emits `eql_v2.hmac_256(col) =
+// eql_v2.hmac_256(value)` and the index scan kicks in.
+//
+// `eq` and `inArray` are naturally high-selectivity (only a few rows match),
+// so the planner should pick the hmac index — assertion enforces it.
+//
+// `ne` and `notInArray` are naturally low-selectivity (almost all rows match);
+// even with the hmac index available the planner correctly chooses a seq
+// scan because it would re-touch nearly every row. We record their plans for
+// the investigation log but don't assert — the SQL shape is what matters,
+// and that's covered by the unit tests under packages/stack.
+describe('#421: equality and array operators', () => {
+  it('eq engages the hmac functional index', async () => {
+    const plan = await explainWhere(await q.eq('value-0000042'))
+    recordObservation('eq', plan)
+    expect(hasSeqScan(plan), summarize(plan)).toBe(false)
+  })
+
+  it('inArray engages the hmac functional index', async () => {
+    const plan = await explainWhere(
+      await q.inArray(['value-0000042', 'value-0000123', 'value-0000999']),
+    )
+    recordObservation('inArray', plan)
+    expect(hasSeqScan(plan), summarize(plan)).toBe(false)
+  })
+
+  it('records ne plan shape (low-selectivity, not asserted)', async () => {
+    const plan = await explainWhere(await q.ne('value-0000042'))
+    recordObservation('ne', plan)
+  })
+
+  it('records notInArray plan shape (low-selectivity, not asserted)', async () => {
+    const plan = await explainWhere(
+      await q.notInArray(['value-0000042', 'value-0000123']),
+    )
+    recordObservation('notInArray', plan)
+  })
+})
+
+// --- #422: investigation operators ----------------------------------------
+//
+// We don't yet know which call-shaped forms the planner inlines. Record plan
+// shape; assertions land in a follow-up once #422 closes.
+describe('#422: call-shaped operators (recorded, not asserted)', () => {
+  it('records like / ilike plan shapes', async () => {
+    await tryExplainWhere('like', (await q.like('%value-00000%')) as SQL)
+    await tryExplainWhere('ilike', (await q.ilike('%VALUE-00000%')) as SQL)
+  })
+
+  it('records gt / gte / lt / lte plan shapes', async () => {
+    for (const [name, build] of [
+      ['gt', () => q.gt(5000)],
+      ['gte', () => q.gte(5000)],
+      ['lt', () => q.lt(5000)],
+      ['lte', () => q.lte(5000)],
+    ] as const) {
+      await tryExplainWhere(name, (await build()) as SQL)
+    }
+  })
+
+  it('records between plan shape', async () => {
+    await tryExplainWhere('between', (await q.between(2500, 7500)) as SQL)
+  })
+
+  it('records jsonb operator plan shapes', async () => {
+    for (const [name, build] of [
+      ['jsonbPathQueryFirst', () => q.jsonbPathQueryFirst('$.idx')],
+      ['jsonbGet', () => q.jsonbGet('$.idx')],
+      ['jsonbPathExists', () => q.jsonbPathExists('$.idx')],
+    ] as const) {
+      await tryExplainWhere(name, await build())
+    }
+  })
+
+  it('records ORDER BY plan shape (asc / desc)', async () => {
+    for (const [name, sql] of [
+      ['asc', q.asc()],
+      ['desc', q.desc()],
+    ] as const) {
+      try {
+        const plan = await explainOrderBy(sql)
+        recordObservation(`orderBy_${name}`, plan)
+      } catch (err) {
+        recordError(`orderBy_${name}`, err)
+      }
+    }
+  })
+})