Skip to content

Performance diagnostics #353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tobyhede wants to merge 31 commits into
base: main
Choose a base branch
from
Open

Performance diagnostics #353

tobyhede wants to merge 31 commits into from

Conversation

@tobyhede
Copy link
Contributor

@tobyhede tobyhede commented Jan 22, 2026

  1. Slow Statement Logging
    Logs detailed breakdown when statement exceeds threshold (default 2s)

  2. Labeled Metrics
    Existing histograms (statements_session_duration_seconds, statements_execution_duration_seconds) get labels:

  3. ZeroKMS Cipher Init Timing
    New metric: keyset_cipher_init_duration_seconds

  4. Configuration

CS_LOG__SLOW_STATEMENTS=true
CS_LOG__SLOW_STATEMENT_MIN_DURATION_MS=2000
CS_LOG__SLOW_STATEMENTS_LEVEL=warn

tobyhede added 30 commits January 22, 2026 13:11
@tobyhede
feat(context): add PhaseTiming struct for performance breakdown
4bf781c 
Tracks individual phase durations for statement processing:
- parse, encrypt, server_write, server_wait, server_response, client_write, decrypt

Enables detailed performance breakdown in diagnostic logs.
@tobyhede
feat(context): add StatementMetadata for diagnostic tracking
309528c 
Captures statement-level metadata:
- statement_type (INSERT/UPDATE/DELETE/SELECT/OTHER)
- protocol (simple/extended)
- encrypted flag and value count
- param_bytes and query_fingerprint

Enables labeled metrics and detailed diagnostic logs.
@tobyhede
feat(log): add SLOW_STATEMENTS log target
91f386c 
New log target for slow statement logging, configurable via
CS_LOG__SLOW_STATEMENTS_LEVEL environment variable (default: warn).
@tobyhede
feat(config): add slow statement logging configuration
64ac236 
Adds configuration options for slow statement logging:
- CS_LOG__SLOW_STATEMENTS: enable slow statement logging
- CS_LOG__SLOW_STATEMENT_MIN_DURATION_MS: threshold (default 2000ms)
- CS_LOG__SLOW_STATEMENTS_LEVEL: log level (default warn when enabled)

Simple config: just set CS_LOG__SLOW_STATEMENTS=true
@tobyhede
fix(log): export SLOW_STATEMENTS from log module
e4fd48f
@tobyhede
feat(context): integrate PhaseTiming and StatementMetadata into session
f9bca38 
SessionMetricsContext now tracks phase timing breakdown and statement
metadata for diagnostic logging.
@tobyhede
feat(metrics): add keyset_cipher_init_duration_seconds histogram
ed54387 
Measures time for ZeroKMS cipher initialization, which includes the
network call to ZeroKMS. This helps isolate ZeroKMS latency as a
bottleneck separate from local crypto operations.
@tobyhede
feat(config): add slow_statements_enabled() and slow_statement_min_du…
2bb7346 
…ration() accessors

Convenient accessors for slow statement logging configuration.
@tobyhede
fix(tests): fix duplicate #[test] attribute in tandem tests
31dcccf
@tobyhede
feat(context): add phase timing and metadata helper methods
07e7685 
Adds methods to Context for recording phase durations:
- record_parse_duration (set once)
- add_encrypt_duration/add_decrypt_duration (accumulate)
- add_server_write_duration/add_server_response_duration/add_client_write_duration (accumulate)
- record_server_wait_or_add_response (helper for first response vs subsequent)
- update_statement_metadata for metadata updates

These enable frontend.rs and backend.rs to instrument phases.
@tobyhede
feat(io): record server/client IO durations for diagnostics
ca0824a 
- Frontend tracks server write time
- Backend splits first response wait vs response time
- Backend tracks client write time
@tobyhede
feat(io): record server write duration in frontend
fc3f653 
Records write_to_server duration using add_server_write_duration helper
@tobyhede
feat(frontend): instrument extended protocol with timing and metadata
e5dbc0b 
parse_handler tracks:
- Parse duration
- Statement type and fingerprint

bind_handler tracks:
- Parameter bytes size
@tobyhede
feat(frontend): record encrypt phase timing for diagnostics
d054c79 
encrypt_literals and encrypt_params now record their duration to
the session phase timing for slow-statement breakdown.
@tobyhede
feat(frontend): instrument query_handler with parse timing and metadata
d8695a4 
Tracks:
- Parse/typecheck duration for phase breakdown
- Statement type (INSERT/UPDATE/DELETE/SELECT/OTHER)
- Protocol type (simple)
- Query fingerprint
- Multi-statement flag for simple queries
@tobyhede
feat(frontend): complete instrumentation for diagnostics
9f497e1 
- Task 8: add_encrypt_duration and update_statement_metadata in encrypt_literals and encrypt_params
- Task 9: query_handler already instrumented
- Task 10: parse_handler with Extended protocol timing/metadata, bind_handler with param_bytes
- Task 10a: write_to_server with add_server_write_duration
@tobyhede
docs: add SLOW_STATEMENTS.md for performance troubleshooting
6683afa 
Documents:
- Configuration options for slow statement logging
- Slow statement log structure and interpretation
- Prometheus metric labels and example queries
- Common symptom/cause mapping
@tobyhede
feat(metrics): add statement_type, protocol, mapped labels and slow s…
b356dec 
…tatement logging

Existing duration histograms now include labels:
- statement_type: insert/update/delete/select/other
- protocol: simple/extended
- mapped: true/false
- multi_statement: true/false

Slow statement logging with phase breakdown when enabled.
Enables Grafana filtering by statement type and encryption status.
@tobyhede
test: add automated diagnostics log and metrics label checks
e98eac5 
- Integration test scrapes /metrics and asserts statement labels
- Adds diagnostics module for testing metrics endpoint
- Adds reqwest HTTP client dependency for metrics scraping
@tobyhede
chore: update Cargo.lock with reqwest dependency
da5c193
@tobyhede
fix(metrics): correct diagnostics timing and metadata recording
41e1349 
- Record parse duration before encryption work starts to avoid double-counting
- Update encrypt_params metadata unconditionally for slow-statement logging
- Add decrypt duration recording via add_decrypt_duration() call
- Remove unused re-exports from context/mod.rs
- Fix needless_borrow clippy warnings in query_handler loop

These changes ensure phase timings accurately reflect actual work:
- parse_ms captures SQL parsing + type-checking only
- encrypt_ms and decrypt_ms are tracked separately without overlap
- Statement metadata updates regardless of Prometheus status
@tobyhede
style: apply cargo fmt formatting
47af9db 
Auto-formatting applied by cargo fmt to various files.
@tobyhede
test(metrics): update prometheus assertions to be label-aware
45193f1 
Updates duration metric assertions to use regex matching that supports labeled metrics, ensuring quantile matches work regardless of other labels present.
@tobyhede
Fix diagnostics attribution for pipelined sessions
13c49c4
@tobyhede
Improve diagnostics metadata and integration metrics fetch
7e5007a
@tobyhede
Format diagnostics frontend changes
6959c1f
@tobyhede
test(integration): expose prometheus port for proxy-tls
321701f 
Adds port 9930 to the proxy-tls service in docker-compose.yml to enable metrics collection during TLS-enabled integration tests.
@tobyhede
docs(context): document two-phase timing pattern in ExecuteContext
9f07ad1 
Add doc comments explaining why timing data is accumulated in ExecuteContext
during backend message processing and transferred to SessionMetricsContext
on completion. This pattern exists because the backend operates on the execute
queue without direct access to the session metrics queue.
@tobyhede
refactor(diagnostics): extract retry configuration to named constants
7808462 
Replace magic numbers in fetch_metrics_with_retry with documented constants:
- METRICS_FETCH_MAX_RETRIES (5) - ~1 second total wait with 200ms delay
- METRICS_FETCH_RETRY_DELAY_MS (200) - balance responsiveness with scrape time
@tobyhede
refactor(frontend): improve session ID handling and reduce duplication
061bd29 
Address code review suggestions:
- Add warning log when bind_handler falls back to latest_session_id()
- Thread session_id explicitly through write_to_server signature
- Combine duplicate Option<SessionId> guards in encrypt_params
@tobyhede
refactor(frontend): remove unused session_id parameter from write_to_…
e6bf1de 
…server

All callers passed None, making the parameter obsolete. Simplified to
always use latest_session_id() directly.
coderdan
coderdan reviewed Jan 27, 2026
View reviewed changes
packages/cipherstash-proxy-integration/Cargo.toml
tracing = { workspace = true }
tracing-subscriber = { workspace = true }
uuid = { version = "1.11.0", features = ["serde", "v4"] }
reqwest = { version = "0.12", features = ["rustls-tls"] }
Copy link
Contributor

@coderdan coderdan Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The latest reqwest is 0.13

coderdan
coderdan reviewed Jan 27, 2026
View reviewed changes
packages/cipherstash-proxy/src/postgresql/context/statement_metadata.rs
Comment on lines +27 to +36
/// Return lowercase label for metrics
pub fn as_label(&self) -> &'static str {
match self {
StatementType::Insert => "insert",
StatementType::Update => "update",
StatementType::Delete => "delete",
StatementType::Select => "select",
StatementType::Other => "other",
}
}
Copy link
Contributor

@coderdan coderdan Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This label is lowercase but the serde serializer uses uppercase. Is that intentional?

coderdan
coderdan reviewed Jan 27, 2026
View reviewed changes
packages/cipherstash-proxy/src/postgresql/context/statement_metadata.rs
Comment on lines +108 to +116
pub fn set_query_fingerprint(&mut self, sql: &str) {
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

let mut hasher = DefaultHasher::new();
sql.hash(&mut hasher);
let hash = hasher.finish();
self.query_fingerprint = Some(format!("{:08x}", hash & 0xFFFFFFFF));
}
Copy link
Contributor

@coderdan coderdan Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the fingerprint is going to be included in logs or metrics then I'd recommend using a keyed hash/HMAC (e.g. Blake3) to generate the fingerprint. The default hasher is non-cryptographic and it would feasible to brute-force/dictionary attack to reveal statements which may contain sensitive data.

Risk
Likelihood: low
Impact: moderate

coderdan
coderdan requested changes Jan 27, 2026
View reviewed changes
Copy link
Contributor

@coderdan coderdan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is epic work! Query fingerprint I think should be addressed before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderdan coderdan coderdan requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tobyhede @coderdan