Add reproducible API benchmark suite
SecureBananaLabs/bug-bounty#431

/claim #30

Summary

  • Adds a dependency-free benchmark runner under benchmarks/ for every current /api/ route.
  • Captures p50, p95, p99 latency, sustained RPS, error rate, and TTFB.
  • Writes JSON and markdown reports to benchmarks/results/.
  • Adds benchmark and benchmark:smoke scripts plus reviewable thresholds.
  • Adds .env.benchmark.example and benchmarks/README.md for local/staging configuration.
  • Adds a pull-request smoke benchmark workflow at .github/workflows/benchmark-smoke.yml.
  • Fixes the API test script so Node runs the existing test files instead of treating src/tests as one file.

Demo video

https://raw.githubusercontent.com/Ckeplinger199/bug-bounty/demo-videos-2026-05-20/bounty-demo-videos/2026-05-20/pr-431-benchmark-demo.mp4

Benchmark summary

  • Mode: full local run on http://127.0.0.1:4000
  • Requests per endpoint: 8
  • Concurrency: 2
  • Warmup requests per endpoint: 1

All 20 endpoint gates passed with 0% error rate. Full markdown and JSON results are committed in benchmarks/results/.

Verification

Benchmark Environment

Hardware

  • CPU model & core count: Apple M3 Ultra, 28 cores.
  • RAM: 96 GiB total.
  • Storage type: internal Apple SSD.
  • Network interface: loopback.
  • Machine type: local workstation.
  • OS & version: Darwin 25.3.0 arm64.

Runtime

  • Node.js version: v24.9.0.
  • Any resource limits applied: none intentionally applied.
  • Other significant processes running during benchmark: normal local workstation background processes.

If submitted by or with an AI agent

  • Agent or tool name: Codex.
  • Underlying model and version: GPT-5 class Codex runtime.
  • Inference provider: OpenAI.
  • Orchestration framework if any: Codex workspace tools.
  • Execution mode: human-initiated, agent-executed.
  • Did the agent have shell/tool access during execution: yes.
  • Did the agent have internet access during execution: yes.
  • Were benchmark commands run by the agent directly or handed off to the human to run: run directly by the agent.
  • Any known agent constraints or sandboxing that may have affected execution: local workstation run against loopback by default; no private secrets were included.

Claim

  • Total prize pool: $750
  • Total paid: $0
  • Status: Pending
  • Submitted: May 20, 2026
  • Last updated: May 20, 2026

Contributors

Cameron Keplinger

@Ckeplinger199

100%

Sponsors

brianne-showed

@brianne-showed

$750