go-crypt/crypt/bench_test.go

package crypt

import (
	"crypto/rand"
	"crypto/sha256"
	"testing"
)

// BenchmarkArgon2Derive measures Argon2id key derivation (32-byte key).
func BenchmarkArgon2Derive(b *testing.B) {
	passphrase := []byte("benchmark-passphrase")
	salt := make([]byte, argon2SaltLen)
	_, _ = rand.Read(salt)

	b.ResetTimer()
	for range b.N {
		_ = DeriveKey(passphrase, salt, argon2KeyLen)
	}
}

// BenchmarkChaCha20Encrypt_1KB measures ChaCha20-Poly1305 encryption of 1KB.
func BenchmarkChaCha20Encrypt_1KB(b *testing.B) {
	key := make([]byte, 32)
	_, _ = rand.Read(key)
	plaintext := make([]byte, 1024)
	_, _ = rand.Read(plaintext)

	b.ResetTimer()
	b.SetBytes(1024)
	for range b.N {
		_, _ = ChaCha20Encrypt(plaintext, key)
	}
}

// BenchmarkChaCha20Encrypt_1MB measures ChaCha20-Poly1305 encryption of 1MB.
func BenchmarkChaCha20Encrypt_1MB(b *testing.B) {
	key := make([]byte, 32)
	_, _ = rand.Read(key)
	plaintext := make([]byte, 1024*1024)
	_, _ = rand.Read(plaintext)

	b.ResetTimer()
	b.SetBytes(1024 * 1024)
	for range b.N {
		_, _ = ChaCha20Encrypt(plaintext, key)
	}
}

// BenchmarkAESGCMEncrypt_1KB measures AES-256-GCM encryption of 1KB.
func BenchmarkAESGCMEncrypt_1KB(b *testing.B) {
	key := make([]byte, 32)
	_, _ = rand.Read(key)
	plaintext := make([]byte, 1024)
	_, _ = rand.Read(plaintext)

	b.ResetTimer()
	b.SetBytes(1024)
	for range b.N {
		_, _ = AESGCMEncrypt(plaintext, key)
	}
}

// BenchmarkAESGCMEncrypt_1MB measures AES-256-GCM encryption of 1MB.
func BenchmarkAESGCMEncrypt_1MB(b *testing.B) {
	key := make([]byte, 32)
	_, _ = rand.Read(key)
	plaintext := make([]byte, 1024*1024)
	_, _ = rand.Read(plaintext)

	b.ResetTimer()
	b.SetBytes(1024 * 1024)
	for range b.N {
		_, _ = AESGCMEncrypt(plaintext, key)
	}
}

// BenchmarkHMACSHA256_1KB measures HMAC-SHA256 of a 1KB message.
func BenchmarkHMACSHA256_1KB(b *testing.B) {
	key := make([]byte, 32)
	_, _ = rand.Read(key)
	message := make([]byte, 1024)
	_, _ = rand.Read(message)

	b.ResetTimer()
	b.SetBytes(1024)
	for range b.N {
		_ = HMACSHA256(message, key)
	}
}

// BenchmarkVerifyHMACSHA256 measures HMAC verification (constant-time compare).
func BenchmarkVerifyHMACSHA256(b *testing.B) {
	key := make([]byte, 32)
	_, _ = rand.Read(key)
	message := make([]byte, 1024)
	_, _ = rand.Read(message)
	mac := HMACSHA256(message, key)

	b.ResetTimer()
	for range b.N {
		_ = VerifyHMAC(message, key, mac, sha256.New)
	}
}
test(phase0): expand test coverage, security audit, and benchmarks Add 29 new tests across auth/, crypt/, and trust/ packages: - auth: concurrent sessions, token uniqueness, challenge expiry boundary, empty password, long/unicode usernames, air-gapped round-trip, expired refresh - crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info separation, checksum edge cases - trust: concurrent registry operations, tier validation, token expiry boundary, empty ScopedRepos behaviour, unknown capabilities Add benchmark suites: - crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads) - trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister Security audit documented in FINDINGS.md: - F1: LTHN hash used for password verification (medium) - F2: PGP private keys not zeroed after use (low, upstream limitation) - F3: Empty ScopedRepos bypasses repo scope check (medium) - F4: go vet clean, no math/rand, no secrets in error messages All tests pass with -race. go vet clean. Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 01:14:41 +00:00			`package crypt`

			`import (`
			`"crypto/rand"`
			`"crypto/sha256"`
			`"testing"`
			`)`

			`// BenchmarkArgon2Derive measures Argon2id key derivation (32-byte key).`
			`func BenchmarkArgon2Derive(b *testing.B) {`
			`passphrase := []byte("benchmark-passphrase")`
			`salt := make([]byte, argon2SaltLen)`
			`_, _ = rand.Read(salt)`

			`b.ResetTimer()`
feat: modernise to Go 1.26 iterators and stdlib helpers Add iter.Seq iterators for trust registry (ListSeq), audit log (EventsSeq, QuerySeq), and approval store (PendingSeq). Use slices.DeleteFunc in session store, slices.SortFunc in testcmd, range-over-int in benchmarks. Co-Authored-By: Gemini <noreply@google.com> Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-23 05:47:04 +00:00			`for range b.N {`
test(phase0): expand test coverage, security audit, and benchmarks Add 29 new tests across auth/, crypt/, and trust/ packages: - auth: concurrent sessions, token uniqueness, challenge expiry boundary, empty password, long/unicode usernames, air-gapped round-trip, expired refresh - crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info separation, checksum edge cases - trust: concurrent registry operations, tier validation, token expiry boundary, empty ScopedRepos behaviour, unknown capabilities Add benchmark suites: - crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads) - trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister Security audit documented in FINDINGS.md: - F1: LTHN hash used for password verification (medium) - F2: PGP private keys not zeroed after use (low, upstream limitation) - F3: Empty ScopedRepos bypasses repo scope check (medium) - F4: go vet clean, no math/rand, no secrets in error messages All tests pass with -race. go vet clean. Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 01:14:41 +00:00			`_ = DeriveKey(passphrase, salt, argon2KeyLen)`
			`}`
			`}`

			`// BenchmarkChaCha20Encrypt_1KB measures ChaCha20-Poly1305 encryption of 1KB.`
			`func BenchmarkChaCha20Encrypt_1KB(b *testing.B) {`
			`key := make([]byte, 32)`
			`_, _ = rand.Read(key)`
			`plaintext := make([]byte, 1024)`
			`_, _ = rand.Read(plaintext)`

			`b.ResetTimer()`
			`b.SetBytes(1024)`
feat: modernise to Go 1.26 iterators and stdlib helpers Add iter.Seq iterators for trust registry (ListSeq), audit log (EventsSeq, QuerySeq), and approval store (PendingSeq). Use slices.DeleteFunc in session store, slices.SortFunc in testcmd, range-over-int in benchmarks. Co-Authored-By: Gemini <noreply@google.com> Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-23 05:47:04 +00:00			`for range b.N {`
test(phase0): expand test coverage, security audit, and benchmarks Add 29 new tests across auth/, crypt/, and trust/ packages: - auth: concurrent sessions, token uniqueness, challenge expiry boundary, empty password, long/unicode usernames, air-gapped round-trip, expired refresh - crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info separation, checksum edge cases - trust: concurrent registry operations, tier validation, token expiry boundary, empty ScopedRepos behaviour, unknown capabilities Add benchmark suites: - crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads) - trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister Security audit documented in FINDINGS.md: - F1: LTHN hash used for password verification (medium) - F2: PGP private keys not zeroed after use (low, upstream limitation) - F3: Empty ScopedRepos bypasses repo scope check (medium) - F4: go vet clean, no math/rand, no secrets in error messages All tests pass with -race. go vet clean. Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 01:14:41 +00:00			`_, _ = ChaCha20Encrypt(plaintext, key)`
			`}`
			`}`

			`// BenchmarkChaCha20Encrypt_1MB measures ChaCha20-Poly1305 encryption of 1MB.`
			`func BenchmarkChaCha20Encrypt_1MB(b *testing.B) {`
			`key := make([]byte, 32)`
			`_, _ = rand.Read(key)`
			`plaintext := make([]byte, 1024*1024)`
			`_, _ = rand.Read(plaintext)`

			`b.ResetTimer()`
			`b.SetBytes(1024 * 1024)`
feat: modernise to Go 1.26 iterators and stdlib helpers Add iter.Seq iterators for trust registry (ListSeq), audit log (EventsSeq, QuerySeq), and approval store (PendingSeq). Use slices.DeleteFunc in session store, slices.SortFunc in testcmd, range-over-int in benchmarks. Co-Authored-By: Gemini <noreply@google.com> Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-23 05:47:04 +00:00			`for range b.N {`
test(phase0): expand test coverage, security audit, and benchmarks Add 29 new tests across auth/, crypt/, and trust/ packages: - auth: concurrent sessions, token uniqueness, challenge expiry boundary, empty password, long/unicode usernames, air-gapped round-trip, expired refresh - crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info separation, checksum edge cases - trust: concurrent registry operations, tier validation, token expiry boundary, empty ScopedRepos behaviour, unknown capabilities Add benchmark suites: - crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads) - trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister Security audit documented in FINDINGS.md: - F1: LTHN hash used for password verification (medium) - F2: PGP private keys not zeroed after use (low, upstream limitation) - F3: Empty ScopedRepos bypasses repo scope check (medium) - F4: go vet clean, no math/rand, no secrets in error messages All tests pass with -race. go vet clean. Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 01:14:41 +00:00			`_, _ = ChaCha20Encrypt(plaintext, key)`
			`}`
			`}`

			`// BenchmarkAESGCMEncrypt_1KB measures AES-256-GCM encryption of 1KB.`
			`func BenchmarkAESGCMEncrypt_1KB(b *testing.B) {`
			`key := make([]byte, 32)`
			`_, _ = rand.Read(key)`
			`plaintext := make([]byte, 1024)`
			`_, _ = rand.Read(plaintext)`

			`b.ResetTimer()`
			`b.SetBytes(1024)`
feat: modernise to Go 1.26 iterators and stdlib helpers Add iter.Seq iterators for trust registry (ListSeq), audit log (EventsSeq, QuerySeq), and approval store (PendingSeq). Use slices.DeleteFunc in session store, slices.SortFunc in testcmd, range-over-int in benchmarks. Co-Authored-By: Gemini <noreply@google.com> Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-23 05:47:04 +00:00			`for range b.N {`
test(phase0): expand test coverage, security audit, and benchmarks Add 29 new tests across auth/, crypt/, and trust/ packages: - auth: concurrent sessions, token uniqueness, challenge expiry boundary, empty password, long/unicode usernames, air-gapped round-trip, expired refresh - crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info separation, checksum edge cases - trust: concurrent registry operations, tier validation, token expiry boundary, empty ScopedRepos behaviour, unknown capabilities Add benchmark suites: - crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads) - trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister Security audit documented in FINDINGS.md: - F1: LTHN hash used for password verification (medium) - F2: PGP private keys not zeroed after use (low, upstream limitation) - F3: Empty ScopedRepos bypasses repo scope check (medium) - F4: go vet clean, no math/rand, no secrets in error messages All tests pass with -race. go vet clean. Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 01:14:41 +00:00			`_, _ = AESGCMEncrypt(plaintext, key)`
			`}`
			`}`

			`// BenchmarkAESGCMEncrypt_1MB measures AES-256-GCM encryption of 1MB.`
			`func BenchmarkAESGCMEncrypt_1MB(b *testing.B) {`
			`key := make([]byte, 32)`
			`_, _ = rand.Read(key)`
			`plaintext := make([]byte, 1024*1024)`
			`_, _ = rand.Read(plaintext)`

			`b.ResetTimer()`
			`b.SetBytes(1024 * 1024)`
feat: modernise to Go 1.26 iterators and stdlib helpers Add iter.Seq iterators for trust registry (ListSeq), audit log (EventsSeq, QuerySeq), and approval store (PendingSeq). Use slices.DeleteFunc in session store, slices.SortFunc in testcmd, range-over-int in benchmarks. Co-Authored-By: Gemini <noreply@google.com> Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-23 05:47:04 +00:00			`for range b.N {`
test(phase0): expand test coverage, security audit, and benchmarks Add 29 new tests across auth/, crypt/, and trust/ packages: - auth: concurrent sessions, token uniqueness, challenge expiry boundary, empty password, long/unicode usernames, air-gapped round-trip, expired refresh - crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info separation, checksum edge cases - trust: concurrent registry operations, tier validation, token expiry boundary, empty ScopedRepos behaviour, unknown capabilities Add benchmark suites: - crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads) - trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister Security audit documented in FINDINGS.md: - F1: LTHN hash used for password verification (medium) - F2: PGP private keys not zeroed after use (low, upstream limitation) - F3: Empty ScopedRepos bypasses repo scope check (medium) - F4: go vet clean, no math/rand, no secrets in error messages All tests pass with -race. go vet clean. Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 01:14:41 +00:00			`_, _ = AESGCMEncrypt(plaintext, key)`
			`}`
			`}`

			`// BenchmarkHMACSHA256_1KB measures HMAC-SHA256 of a 1KB message.`
			`func BenchmarkHMACSHA256_1KB(b *testing.B) {`
			`key := make([]byte, 32)`
			`_, _ = rand.Read(key)`
			`message := make([]byte, 1024)`
			`_, _ = rand.Read(message)`

			`b.ResetTimer()`
			`b.SetBytes(1024)`
feat: modernise to Go 1.26 iterators and stdlib helpers Add iter.Seq iterators for trust registry (ListSeq), audit log (EventsSeq, QuerySeq), and approval store (PendingSeq). Use slices.DeleteFunc in session store, slices.SortFunc in testcmd, range-over-int in benchmarks. Co-Authored-By: Gemini <noreply@google.com> Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-23 05:47:04 +00:00			`for range b.N {`
test(phase0): expand test coverage, security audit, and benchmarks Add 29 new tests across auth/, crypt/, and trust/ packages: - auth: concurrent sessions, token uniqueness, challenge expiry boundary, empty password, long/unicode usernames, air-gapped round-trip, expired refresh - crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info separation, checksum edge cases - trust: concurrent registry operations, tier validation, token expiry boundary, empty ScopedRepos behaviour, unknown capabilities Add benchmark suites: - crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads) - trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister Security audit documented in FINDINGS.md: - F1: LTHN hash used for password verification (medium) - F2: PGP private keys not zeroed after use (low, upstream limitation) - F3: Empty ScopedRepos bypasses repo scope check (medium) - F4: go vet clean, no math/rand, no secrets in error messages All tests pass with -race. go vet clean. Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 01:14:41 +00:00			`_ = HMACSHA256(message, key)`
			`}`
			`}`

			`// BenchmarkVerifyHMACSHA256 measures HMAC verification (constant-time compare).`
			`func BenchmarkVerifyHMACSHA256(b *testing.B) {`
			`key := make([]byte, 32)`
			`_, _ = rand.Read(key)`
			`message := make([]byte, 1024)`
			`_, _ = rand.Read(message)`
			`mac := HMACSHA256(message, key)`

			`b.ResetTimer()`
feat: modernise to Go 1.26 iterators and stdlib helpers Add iter.Seq iterators for trust registry (ListSeq), audit log (EventsSeq, QuerySeq), and approval store (PendingSeq). Use slices.DeleteFunc in session store, slices.SortFunc in testcmd, range-over-int in benchmarks. Co-Authored-By: Gemini <noreply@google.com> Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-23 05:47:04 +00:00			`for range b.N {`
test(phase0): expand test coverage, security audit, and benchmarks Add 29 new tests across auth/, crypt/, and trust/ packages: - auth: concurrent sessions, token uniqueness, challenge expiry boundary, empty password, long/unicode usernames, air-gapped round-trip, expired refresh - crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info separation, checksum edge cases - trust: concurrent registry operations, tier validation, token expiry boundary, empty ScopedRepos behaviour, unknown capabilities Add benchmark suites: - crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads) - trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister Security audit documented in FINDINGS.md: - F1: LTHN hash used for password verification (medium) - F2: PGP private keys not zeroed after use (low, upstream limitation) - F3: Empty ScopedRepos bypasses repo scope check (medium) - F4: go vet clean, no math/rand, no secrets in error messages All tests pass with -race. go vet clean. Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-20 01:14:41 +00:00			`_ = VerifyHMAC(message, key, mac, sha256.New)`
			`}`
			`}`