feat: Production hardening, security fixes, and performance infrastructure

Major improvements across security, performance, and reliability:

Security & Testing:
- Fix SQL injection vulnerability in row-level security expression substitution
- Add escape_sql_string() to properly escape context variables
- Add 12 new RLS edge case tests including injection prevention
- Add encryption tests for nonce uniqueness and tampered ciphertext
- Add protocol/auth.rs tests for MD5/SCRAM-SHA-256 authentication

MVCC & Transaction Improvements:
- Implement SSI write-skew detection for Serializable isolation
- Fix garbage collection to properly traverse version chains
- Add storage integration methods (export/import version state)
- Activate deadlock detector and transaction timeouts

Query Optimizer:
- Implement BitSet::subsets_of_size() using Gosper's hack
- Implement BitSet::splits() for join order optimization
- Implement extract_joins() to walk plan tree
- Implement split_join_predicates() for predicate pushdown

Feature Completion:
- Implement point-in-time recovery with ISO 8601 timestamp parsing
- Connect alerting system to real prometheus metrics
- Optimize segment reading with BTreeMap-based index
- Add segment bounds tracking for efficient event retrieval

Performance Infrastructure:
- Add large-scale benchmarks (100K, 500K rows)
- Add concurrent stress tests (2, 4, 8 threads)
- Add memory pressure scenarios
- Create benchmark regression detection script
- Add CI job for benchmark regression checks on PRs
- Add Makefile targets: bench-baseline, bench-check

Version bump to 0.9.1-alpha

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: DavidLiedle

.github/workflows/ci.yml

@@ -43,6 +43,41 @@ jobs:
       - name: Security audit
         run: cargo install cargo-audit --locked && cargo audit
 
+  benchmark:
+    name: Benchmark
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Download baseline
+        uses: actions/cache@v4
+        with:
+          path: benchmarks/baseline
+          key: benchmark-baseline-${{ github.base_ref }}
+          restore-keys: |
+            benchmark-baseline-main
+            benchmark-baseline-
+
+      - name: Run benchmark regression check
+        run: ./scripts/benchmark_regression.sh --threshold 15
+        continue-on-error: true
+
+      - name: Upload benchmark results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: benchmark-results
+          path: |
+            benchmark_report.txt
+            target/criterion/
+
   build-release:
     name: Build Release
     needs: test

Cargo.lock

@@ -3,7 +3,7 @@ members = ["crates/driftdb-core", "crates/driftdb-cli", "crates/driftdb-admin",
 resolver = "2"
 
 [workspace.package]
-version = "0.9.0-alpha"
+version = "0.9.1-alpha"
 authors = ["DriftDB Contributors"]
 edition = "2021"
 license = "MIT"

Cargo.toml

@@ -1,4 +1,4 @@
-.PHONY: build test bench demo clean fmt clippy ci
+.PHONY: build test bench bench-baseline bench-check bench-check-strict demo clean fmt clippy ci
 
 # Build the project
 build:
@@ -51,6 +51,18 @@ test-coverage:
 bench:
 	cargo bench --all
 
+# Run benchmarks and save as baseline
+bench-baseline:
+	./scripts/benchmark_regression.sh --save-baseline
+
+# Run benchmarks and check for regressions (10% threshold)
+bench-check:
+	./scripts/benchmark_regression.sh --threshold 10
+
+# Run benchmarks and check with custom threshold
+bench-check-strict:
+	./scripts/benchmark_regression.sh --threshold 5
+
 # Run the demo scenario
 demo: build
 	@echo "=== DriftDB Demo ==="

Makefile

@@ -1,6 +1,6 @@
 # DriftDB
 
-**Experimental PostgreSQL-Compatible Time-Travel Database (v0.9.0-alpha)** - An ambitious temporal database project with advanced architectural designs for enterprise features. Query your data at any point in history using standard SQL.
+**Experimental PostgreSQL-Compatible Time-Travel Database (v0.9.1-alpha)** - An ambitious temporal database project with advanced architectural designs for enterprise features. Query your data at any point in history using standard SQL.
 
 ⚠️ **ALPHA SOFTWARE - NOT FOR PRODUCTION USE**: This version contains experimental implementations of enterprise features. The codebase compiles cleanly with zero warnings and includes comprehensive CI with security auditing. Many advanced features remain as architectural designs requiring implementation.
 
@@ -100,14 +100,16 @@ SELECT * FROM events;                -- Shows 'modified'
 - **Secondary indexes**: B-tree indexes for fast lookups
 - **Snapshots & compaction**: Optimized performance with compression
 
-### Planned Enterprise Features (Not Yet Functional)
-The following features have been architecturally designed but are not yet operational:
-- **Authentication & Authorization**: Planned RBAC with user management (code incomplete)
-- **Encryption at Rest**: Designed AES-256-GCM encryption (not functional)
-- **Distributed Consensus**: Raft protocol structure (requires debugging)
-- **Advanced Transactions**: MVCC design for isolation levels (partial implementation)
-- **Enterprise Backup**: Backup system architecture (compilation errors)
-- **Security Monitoring**: Monitoring framework (not integrated)
+### Enterprise Features (In Progress)
+The following features have been architecturally designed with varying levels of implementation:
+- **Row-Level Security**: Policy-based access control with SQL injection protection
+- **MVCC Isolation**: Multi-version concurrency control with SSI write-skew detection
+- **Query Optimizer**: Cost-based optimization with join reordering and index selection
+- **Point-in-Time Recovery**: Restore database to any timestamp
+- **Alerting System**: Real-time metrics monitoring with configurable alerts
+- **Authentication & Authorization**: RBAC with user management (partial)
+- **Encryption at Rest**: AES-256-GCM encryption (partial)
+- **Performance Regression Detection**: CI-integrated benchmark comparison
 
 ### Working Infrastructure
 - **Connection pooling**: Thread-safe connection pool with RAII guards
@@ -562,6 +564,12 @@ make test
 # Run benchmarks
 make bench
 
+# Save benchmark baseline (for regression detection)
+make bench-baseline
+
+# Check for performance regressions (10% threshold)
+make bench-check
+
 # Format code
 make fmt
 
@@ -572,6 +580,23 @@ make clippy
 make ci
 ```
 
+### Performance Regression Detection
+
+DriftDB includes automated benchmark regression detection:
+
+```bash
+# Save current performance as baseline
+./scripts/benchmark_regression.sh --save-baseline
+
+# Check for regressions (default 10% threshold)
+./scripts/benchmark_regression.sh
+
+# Check with custom threshold
+./scripts/benchmark_regression.sh --threshold 5
+```
+
+The CI pipeline automatically checks for performance regressions on pull requests.
+
 ## Performance
 
 ### Benchmark Results
@@ -671,13 +696,17 @@ DriftDB is currently in **alpha** stage with significant recent improvements but
 | PostgreSQL Protocol | 🟢 Working | Yes |
 | WAL & Crash Recovery | 🟡 Beta | Almost |
 | ACID Transactions | 🟡 Beta | Almost |
+| MVCC Isolation | 🟡 Beta | Almost |
 | Event Sourcing | 🟢 Working | Yes |
 | WHERE Clause Support | 🟢 Working | Yes |
 | UPDATE/DELETE | 🟢 Working | Yes |
+| Row-Level Security | 🟡 Beta | Almost |
+| Query Optimizer | 🟡 Beta | Almost |
+| Point-in-Time Recovery | 🟡 Beta | Almost |
 | Replication Framework | 🟡 Beta | Almost |
 | Schema Migrations | 🟡 Beta | Almost |
 | Connection Pooling | 🔶 Alpha | No |
-| Monitoring & Metrics | 🔶 Placeholder | No |
+| Monitoring & Alerting | 🟡 Beta | Almost |
 | Admin Tools | 🔶 Alpha | No |
 
 ## Roadmap