From 701a988e7d89d5dafb9d3be966d75f9a73c4f5b2 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:02:55 +1100
Subject: [PATCH 01/25] feat(benchmark): add k6 Dockerfile with xk6-pgxpool

---
 tests/benchmark/k6/Dockerfile | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 tests/benchmark/k6/Dockerfile

diff --git a/tests/benchmark/k6/Dockerfile b/tests/benchmark/k6/Dockerfile
new file mode 100644
index 00000000..77d98704
--- /dev/null
+++ b/tests/benchmark/k6/Dockerfile
@@ -0,0 +1,11 @@
+FROM golang:1.22-alpine AS builder
+RUN apk add --no-cache git
+RUN go install go.k6.io/xk6/cmd/xk6@latest
+WORKDIR /build
+RUN xk6 build --with github.com/gcfabri/xk6-pgxpool@latest --output /build/k6
+
+FROM alpine:3.19
+RUN apk add --no-cache ca-certificates
+COPY --from=builder /build/k6 /usr/local/bin/k6
+WORKDIR /scripts
+ENTRYPOINT ["k6"]

From 195741d0ae4b47b7212fcb315bd76f6d82f57f18 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:02:56 +1100
Subject: [PATCH 02/25] feat(benchmark): add k6 config.js with connection
 helpers

---
 tests/benchmark/k6/scripts/lib/config.js | 47 ++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 tests/benchmark/k6/scripts/lib/config.js

diff --git a/tests/benchmark/k6/scripts/lib/config.js b/tests/benchmark/k6/scripts/lib/config.js
new file mode 100644
index 00000000..8993cf18
--- /dev/null
+++ b/tests/benchmark/k6/scripts/lib/config.js
@@ -0,0 +1,47 @@
+// Connection configuration for k6 benchmarks
+// Ports: postgres=5532, proxy=6432
+//
+// xk6-pgxpool API:
+//   import pgxpool from 'k6/x/pgxpool'
+//   const pool = pgxpool.open(connString, minConns, maxConns)
+//   pgxpool.query(pool, sql, ...args)
+//   pgxpool.exec(pool, sql, ...args)
+
+export const POSTGRES_PORT = 5532;
+export const PROXY_PORT = 6432;
+
+export function getConnectionString(target) {
+  // Default to 127.0.0.1 (works on Linux CI and macOS with --network=host)
+  const host = __ENV.K6_DB_HOST || '127.0.0.1';
+  const port = target === 'proxy' ? PROXY_PORT : POSTGRES_PORT;
+  const user = __ENV.K6_DB_USER || 'cipherstash';
+  const password = __ENV.K6_DB_PASSWORD || 'p@ssword';
+  const database = __ENV.K6_DB_NAME || 'cipherstash';
+  // Default sslmode=disable for local/CI; override via K6_DB_SSLMODE if needed
+  const sslmode = __ENV.K6_DB_SSLMODE || 'disable';
+
+  return `postgres://${user}:${password}@${host}:${port}/${database}?sslmode=${sslmode}`;
+}
+
+export function getPoolConfig() {
+  return {
+    minConns: parseInt(__ENV.K6_POOL_MIN || '2'),
+    maxConns: parseInt(__ENV.K6_POOL_MAX || '10'),
+  };
+}
+
+export function getDefaultOptions(thresholds = {}) {
+  return {
+    scenarios: {
+      default: {
+        executor: 'constant-vus',
+        vus: parseInt(__ENV.K6_VUS || '10'),
+        duration: __ENV.K6_DURATION || '30s',
+      },
+    },
+    thresholds: {
+      'iteration_duration': ['p(95)<500'],
+      ...thresholds,
+    },
+  };
+}

From ed70ad8b3821241f9e6cb7baa46a1b7fd0f3a22d Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:03:10 +1100
Subject: [PATCH 03/25] feat(benchmark): add k6 data.js with JSONB generators

---
 tests/benchmark/k6/scripts/lib/data.js | 62 ++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 tests/benchmark/k6/scripts/lib/data.js

diff --git a/tests/benchmark/k6/scripts/lib/data.js b/tests/benchmark/k6/scripts/lib/data.js
new file mode 100644
index 00000000..018b3065
--- /dev/null
+++ b/tests/benchmark/k6/scripts/lib/data.js
@@ -0,0 +1,62 @@
+// JSONB payload generators for k6 benchmarks
+// Matches integration test fixtures in common.rs
+
+export function randomId() {
+  return Math.floor(Math.random() * Number.MAX_SAFE_INTEGER);
+}
+
+export function generateStandardJsonb(id) {
+  return {
+    id: id,
+    string: 'hello',
+    number: 42,
+    nested: {
+      number: 1815,
+      string: 'world',
+    },
+    array_string: ['hello', 'world'],
+    array_number: [42, 84],
+  };
+}
+
+export function generateLargeJsonb(id) {
+  // Credit report structure: 50 tradelines x 24 months = ~500KB
+  const tradelines = [];
+  for (let i = 0; i < 50; i++) {
+    const history = [];
+    for (let m = 0; m < 24; m++) {
+      history.push({
+        month: m + 1,
+        balance: Math.floor(Math.random() * 10000),
+        status: 'current',
+        payment: Math.floor(Math.random() * 500),
+      });
+    }
+    tradelines.push({
+      creditor: `Creditor ${i}`,
+      account_number: `ACCT${id}${i}`.padStart(16, '0'),
+      account_type: 'revolving',
+      opened_date: '2020-01-15',
+      credit_limit: 5000 + (i * 100),
+      current_balance: Math.floor(Math.random() * 5000),
+      payment_history: history,
+    });
+  }
+
+  return {
+    id: id,
+    report_id: `RPT-${id}`,
+    subject: {
+      name: 'Test Subject',
+      ssn_last4: '1234',
+      dob: '1990-01-01',
+    },
+    tradelines: tradelines,
+    inquiries: [
+      { date: '2024-01-01', creditor: 'Bank A' },
+      { date: '2024-02-15', creditor: 'Bank B' },
+    ],
+    public_records: [],
+    score: 750,
+  };
+}

From 3a43f8dc3523ceeb8e2e767593716477cb03cfa6 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:04:21 +1100
Subject: [PATCH 04/25] feat(benchmark): add k6 summary.js for benchmark-action
 output

---
 tests/benchmark/k6/scripts/lib/summary.js | 57 +++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 tests/benchmark/k6/scripts/lib/summary.js

diff --git a/tests/benchmark/k6/scripts/lib/summary.js b/tests/benchmark/k6/scripts/lib/summary.js
new file mode 100644
index 00000000..b507700f
--- /dev/null
+++ b/tests/benchmark/k6/scripts/lib/summary.js
@@ -0,0 +1,57 @@
+// benchmark-action compatible output formatter
+// Outputs JSON array for github-action-benchmark
+//
+// Usage in scripts:
+//   import { createSummaryHandler } from './lib/summary.js';
+//   export const handleSummary = createSummaryHandler('script-name');
+
+export function createSummaryHandler(scriptName) {
+  return function(data) {
+    const iterationsPerSecond = data.metrics.iterations
+      ? data.metrics.iterations.values.rate
+      : 0;
+
+    const p95Duration = data.metrics.iteration_duration
+      ? data.metrics.iteration_duration.values['p(95)']
+      : 0;
+
+    const output = [
+      {
+        name: `${scriptName}_iterations_per_second`,
+        unit: 'Number',
+        value: Math.round(iterationsPerSecond * 100) / 100,
+      },
+      {
+        name: `${scriptName}_p95_ms`,
+        unit: 'ms',
+        value: Math.round(p95Duration * 100) / 100,
+      },
+    ];
+
+    return {
+      'stdout': textSummary(data),
+      [`results/k6/${scriptName}-output.json`]: JSON.stringify(output, null, 2),
+    };
+  };
+}
+
+// Minimal text summary (k6 doesn't export textSummary by default in extensions)
+function textSummary(data) {
+  const lines = [];
+  lines.push('');
+  lines.push('=== Summary ===');
+
+  if (data.metrics.iterations) {
+    lines.push(`iterations: ${data.metrics.iterations.values.count}`);
+    lines.push(`rate: ${data.metrics.iterations.values.rate.toFixed(2)}/s`);
+  }
+
+  if (data.metrics.iteration_duration) {
+    const dur = data.metrics.iteration_duration.values;
+    lines.push(`duration p95: ${dur['p(95)'].toFixed(2)}ms`);
+    lines.push(`duration avg: ${dur.avg.toFixed(2)}ms`);
+  }
+
+  lines.push('');
+  return lines.join('\n');
+}

From 8d50683ea6085dccb06d689e3b3731363e1079fb Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:04:22 +1100
Subject: [PATCH 05/25] feat(benchmark): add k6 text-equality.js baseline
 benchmark

---
 tests/benchmark/k6/scripts/text-equality.js | 58 +++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 tests/benchmark/k6/scripts/text-equality.js

diff --git a/tests/benchmark/k6/scripts/text-equality.js b/tests/benchmark/k6/scripts/text-equality.js
new file mode 100644
index 00000000..cdc82ca2
--- /dev/null
+++ b/tests/benchmark/k6/scripts/text-equality.js
@@ -0,0 +1,58 @@
+// Text equality benchmark - baseline matching pgbench encrypted transaction
+//
+// Uses xk6-pgxpool API:
+//   pgxpool.open(connString, minConns, maxConns)
+//   pgxpool.exec(pool, sql, ...args)
+
+import pgxpool from 'k6/x/pgxpool';
+import { getConnectionString, getPoolConfig, getDefaultOptions } from './lib/config.js';
+import { createSummaryHandler } from './lib/summary.js';
+
+const target = __ENV.K6_TARGET || 'proxy';
+const connectionString = getConnectionString(target);
+const poolConfig = getPoolConfig();
+
+// ID range for text-equality benchmark data (isolated from other tests)
+const ID_START = 1000000;
+const ID_COUNT = 100;
+
+export const options = getDefaultOptions({
+  'iteration_duration': ['p(95)<100'],
+});
+
+const pool = pgxpool.open(connectionString, poolConfig.minConns, poolConfig.maxConns);
+
+export function setup() {
+  // Clean up any leftover data from crashed runs before inserting
+  pgxpool.exec(pool, `DELETE FROM benchmark_encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+
+  // Insert seed data for queries
+  for (let i = 0; i < ID_COUNT; i++) {
+    const id = ID_START + i;
+    const email = `user${i}@example.com`;
+    pgxpool.exec(
+      pool,
+      `INSERT INTO benchmark_encrypted (id, username, email) VALUES ($1, $2, $3)`,
+      id,
+      `user${i}`,
+      email
+    );
+  }
+}
+
+export default function() {
+  const i = Math.floor(Math.random() * ID_COUNT);
+  const email = `user${i}@example.com`;
+
+  // Use exec instead of query - we only need to verify the query runs, not inspect results
+  // This avoids potential resource leaks if pgxpool.query returns a cursor
+  pgxpool.exec(pool, `SELECT username FROM benchmark_encrypted WHERE email = $1`, email);
+}
+
+export function teardown() {
+  // Clean up seed data
+  pgxpool.exec(pool, `DELETE FROM benchmark_encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+  pgxpool.close(pool);
+}
+
+export const handleSummary = createSummaryHandler('text-equality');

From c1ecc87293bae69b3a3648bcc98fa70efef34d22 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:04:27 +1100
Subject: [PATCH 06/25] feat(benchmark): add k6 jsonb-insert.js benchmark

---
 tests/benchmark/k6/scripts/jsonb-insert.js | 38 ++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 tests/benchmark/k6/scripts/jsonb-insert.js

diff --git a/tests/benchmark/k6/scripts/jsonb-insert.js b/tests/benchmark/k6/scripts/jsonb-insert.js
new file mode 100644
index 00000000..3ab75b15
--- /dev/null
+++ b/tests/benchmark/k6/scripts/jsonb-insert.js
@@ -0,0 +1,38 @@
+// JSONB INSERT benchmark - primary CI benchmark for encrypted JSONB performance
+//
+// Uses xk6-pgxpool API:
+//   pgxpool.open(connString, minConns, maxConns)
+//   pgxpool.exec(pool, sql, ...args)
+
+import pgxpool from 'k6/x/pgxpool';
+import { getConnectionString, getPoolConfig, getDefaultOptions } from './lib/config.js';
+import { randomId, generateStandardJsonb } from './lib/data.js';
+import { createSummaryHandler } from './lib/summary.js';
+
+const target = __ENV.K6_TARGET || 'proxy';
+const connectionString = getConnectionString(target);
+const poolConfig = getPoolConfig();
+
+export const options = getDefaultOptions({
+  'iteration_duration': ['p(95)<500'],
+});
+
+const pool = pgxpool.open(connectionString, poolConfig.minConns, poolConfig.maxConns);
+
+export default function() {
+  const id = randomId();
+  const jsonb = generateStandardJsonb(id);
+
+  pgxpool.exec(
+    pool,
+    `INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+    id,
+    JSON.stringify(jsonb)
+  );
+}
+
+export function teardown() {
+  pgxpool.close(pool);
+}
+
+export const handleSummary = createSummaryHandler('jsonb-insert');

From 760ddf7831f50a72fcacba710381a9789b1044f7 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:05:47 +1100
Subject: [PATCH 07/25] feat(benchmark): add k6 jsonb-containment.js benchmark

---
 .../benchmark/k6/scripts/jsonb-containment.js | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 tests/benchmark/k6/scripts/jsonb-containment.js

diff --git a/tests/benchmark/k6/scripts/jsonb-containment.js b/tests/benchmark/k6/scripts/jsonb-containment.js
new file mode 100644
index 00000000..f4f57db8
--- /dev/null
+++ b/tests/benchmark/k6/scripts/jsonb-containment.js
@@ -0,0 +1,73 @@
+// JSONB containment (@>) benchmark
+//
+// The @> operator on eql_v2_encrypted is confirmed working via integration tests:
+//   packages/cipherstash-proxy-integration/src/select/jsonb_contains.rs:13-14
+//   "SELECT encrypted_jsonb @> $1 FROM encrypted LIMIT 1"
+//
+// Uses xk6-pgxpool API:
+//   pgxpool.open(connString, minConns, maxConns)
+//   pgxpool.exec(pool, sql, ...args)
+
+import pgxpool from 'k6/x/pgxpool';
+import { getConnectionString, getPoolConfig, getDefaultOptions } from './lib/config.js';
+import { createSummaryHandler } from './lib/summary.js';
+
+const target = __ENV.K6_TARGET || 'proxy';
+const connectionString = getConnectionString(target);
+const poolConfig = getPoolConfig();
+
+// ID range for containment benchmark data (isolated from other tests)
+const ID_START = 2000000;
+const ID_COUNT = 100;
+
+export const options = getDefaultOptions({
+  'iteration_duration': ['p(95)<200'],
+});
+
+const pool = pgxpool.open(connectionString, poolConfig.minConns, poolConfig.maxConns);
+
+export function setup() {
+  // Clean up any leftover data from crashed runs before inserting
+  pgxpool.exec(pool, `DELETE FROM encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+
+  // Insert seed data with known values for containment queries
+  for (let i = 0; i < ID_COUNT; i++) {
+    const id = ID_START + i;
+    const jsonb = {
+      id: id,
+      string: `value${i % 10}`,
+      number: i % 10,
+      nested: { string: 'world', number: i },
+    };
+    pgxpool.exec(
+      pool,
+      `INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+      id,
+      JSON.stringify(jsonb)
+    );
+  }
+}
+
+export default function() {
+  const i = Math.floor(Math.random() * 10);
+  const pattern = JSON.stringify({ string: `value${i}` });
+
+  // Use exec instead of query - we only need to verify the query runs, not inspect results
+  // This avoids potential resource leaks if pgxpool.query returns a cursor
+  // Query uses @> containment operator on encrypted JSONB
+  pgxpool.exec(
+    pool,
+    `SELECT id FROM encrypted WHERE encrypted_jsonb @> $1 AND id BETWEEN $2 AND $3`,
+    pattern,
+    ID_START,
+    ID_START + ID_COUNT - 1
+  );
+}
+
+export function teardown() {
+  // Clean up seed data
+  pgxpool.exec(pool, `DELETE FROM encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+  pgxpool.close(pool);
+}
+
+export const handleSummary = createSummaryHandler('jsonb-containment');

From 8990c892585d5962f2d22ee77e68e15559976bc5 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:05:48 +1100
Subject: [PATCH 08/25] feat(benchmark): add k6 mise tasks

---
 tests/benchmark/mise.toml | 82 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/tests/benchmark/mise.toml b/tests/benchmark/mise.toml
index c3d8b073..967c923a 100644
--- a/tests/benchmark/mise.toml
+++ b/tests/benchmark/mise.toml
@@ -172,3 +172,85 @@ run = """
 set -e
 echo docker compose up --build {{arg(name="service",default="pgcat")}} {{option(name="extra-args",default="")}} | bash
 """
+
+# ====================================================================================================
+# k6 Benchmarks
+# ====================================================================================================
+
+[tasks."k6:build"]
+description = "Build k6 Docker image with xk6-pgxpool"
+run = """
+docker build -t k6-pgxpool tests/benchmark/k6/
+"""
+
+[tasks."k6:run"]
+description = "Run a single k6 benchmark script"
+run = """
+#USAGE flag "--script <script>" help="Script name (without .js)" {
+#USAGE   choices "jsonb-insert" "jsonb-containment" "text-equality" "large-payload"
+#USAGE }
+#USAGE flag "--target <target>" default="proxy" help="Target service" {
+#USAGE   choices "postgres" "proxy"
+#USAGE }
+#USAGE flag "--vus <vus>" default="10" help="Number of virtual users"
+#USAGE flag "--duration <duration>" default="30s" help="Test duration"
+
+docker run --rm --network=host \
+  -v {{config_root}}/k6/scripts:/scripts \
+  -v {{config_root}}/results/k6:/scripts/results/k6 \
+  -e K6_TARGET=${usage_target} \
+  -e K6_VUS=${usage_vus} \
+  -e K6_DURATION=${usage_duration} \
+  k6-pgxpool run /scripts/${usage_script}.js
+"""
+
+[tasks."k6:benchmark"]
+description = "Run full k6 benchmark suite"
+run = """
+set -e
+
+echo
+echo '###############################################'
+echo '# k6 Benchmark Suite'
+echo '###############################################'
+echo
+
+mise run k6:build
+
+# Ensure benchmark schema exists (creates benchmark_encrypted table for text-equality)
+mise run benchmark:setup
+
+# JSONB INSERT (primary)
+echo "Running jsonb-insert..."
+mise run k6:run --script=jsonb-insert --target=proxy --duration=30s
+
+# Text equality (baseline)
+echo "Running text-equality..."
+mise run k6:run --script=text-equality --target=proxy --duration=30s
+
+# JSONB containment
+echo "Running jsonb-containment..."
+mise run k6:run --script=jsonb-containment --target=proxy --duration=30s
+
+echo
+echo "Results written to results/k6/"
+"""
+
+[tasks."k6:benchmark:continuous"]
+description = "Run k6 benchmark for CI (proxy + jsonb-insert only)"
+run = """
+set -e
+
+mise run k6:build
+
+echo
+echo '###############################################'
+echo '# k6 CI Benchmark: jsonb-insert via proxy'
+echo '###############################################'
+echo
+
+mise run k6:run --script=jsonb-insert --target=proxy --vus=10 --duration=30s
+
+# Copy output for benchmark-action
+cp results/k6/jsonb-insert-output.json results/k6-output.json
+"""

From a0ad6efa0626dbf7cdb13493f639af6a8a1385a4 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:05:49 +1100
Subject: [PATCH 09/25] feat(benchmark): add k6 large-payload.js benchmark

---
 tests/benchmark/k6/scripts/large-payload.js | 38 +++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 tests/benchmark/k6/scripts/large-payload.js

diff --git a/tests/benchmark/k6/scripts/large-payload.js b/tests/benchmark/k6/scripts/large-payload.js
new file mode 100644
index 00000000..117135f8
--- /dev/null
+++ b/tests/benchmark/k6/scripts/large-payload.js
@@ -0,0 +1,38 @@
+// Large payload (500KB+) INSERT benchmark for memory/performance investigation
+//
+// Uses xk6-pgxpool API:
+//   pgxpool.open(connString, minConns, maxConns)
+//   pgxpool.exec(pool, sql, ...args)
+
+import pgxpool from 'k6/x/pgxpool';
+import { getConnectionString, getPoolConfig, getDefaultOptions } from './lib/config.js';
+import { randomId, generateLargeJsonb } from './lib/data.js';
+import { createSummaryHandler } from './lib/summary.js';
+
+const target = __ENV.K6_TARGET || 'proxy';
+const connectionString = getConnectionString(target);
+const poolConfig = getPoolConfig();
+
+export const options = getDefaultOptions({
+  'iteration_duration': ['p(95)<30000'],  // 30s for large payloads
+});
+
+const pool = pgxpool.open(connectionString, poolConfig.minConns, poolConfig.maxConns);
+
+export default function() {
+  const id = randomId();
+  const jsonb = generateLargeJsonb(id);
+
+  pgxpool.exec(
+    pool,
+    `INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+    id,
+    JSON.stringify(jsonb)
+  );
+}
+
+export function teardown() {
+  pgxpool.close(pool);
+}
+
+export const handleSummary = createSummaryHandler('large-payload');

From 633bb8a3fbf242b1ebc41095d9ff62f55a306920 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:08:51 +1100
Subject: [PATCH 10/25] ci: add k6 benchmark steps to workflow

---
 .github/workflows/benchmark.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 128b5abd..dcf0bf9a 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -48,6 +48,29 @@ jobs:
           RUST_BACKTRACE: "1"
         run: mise run benchmark:continuous
 
+      - name: Build k6 with xk6-pgxpool
+        working-directory: tests/benchmark
+        run: mise run k6:build
+
+      - name: Run k6 benchmark
+        working-directory: tests/benchmark
+        env:
+          RUST_BACKTRACE: "1"
+        run: mise run k6:benchmark:continuous
+
+      # Store k6 benchmark result
+      - name: Store k6 benchmark result
+        uses: benchmark-action/github-action-benchmark@v1
+        with:
+          tool: 'customBiggerIsBetter'
+          output-file-path: tests/benchmark/results/k6-output.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fail-on-alert: true
+          comment-on-alert: true
+          summary-always: true
+          auto-push: true
+          benchmark-data-dir-path: docs/k6
+
       # Download previous benchmark result from cache (if exists)
       - name: Download previous benchmark data
         uses: actions/cache@v4

From 16c9e0b4fae40fe9e3dd4843285fb4cdb2110982 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:20:18 +1100
Subject: [PATCH 11/25] fix(benchmark): migrate k6 scripts from xk6-pgxpool to
 xk6-sql

- Use official grafana/xk6-sql with postgres driver instead of unmaintained xk6-pgxpool
- Update Dockerfile to Go 1.23 with GOTOOLCHAIN=auto for newer xk6 compatibility
- Migrate all benchmark scripts to xk6-sql API (sql.open/db.exec/db.close)
- Default to host.docker.internal for macOS Docker compatibility
- Add network detection to use --network=host on Linux CI
- Create k6_run.sh task with proper USAGE flags for mise
- Update CI workflow to set K6_DB_HOST for Linux runners
---
 .github/workflows/benchmark.yml               |  1 +
 tests/benchmark/k6/Dockerfile                 |  5 +--
 .../benchmark/k6/scripts/jsonb-containment.js | 27 +++++++---------
 tests/benchmark/k6/scripts/jsonb-insert.js    | 19 ++++++------
 tests/benchmark/k6/scripts/large-payload.js   | 19 ++++++------
 tests/benchmark/k6/scripts/lib/config.js      | 24 ++++++--------
 tests/benchmark/k6/scripts/text-equality.js   | 26 +++++++---------
 tests/benchmark/mise.toml                     | 31 ++++---------------
 tests/benchmark/tasks/k6_run.sh               | 31 +++++++++++++++++++
 9 files changed, 93 insertions(+), 90 deletions(-)
 create mode 100755 tests/benchmark/tasks/k6_run.sh

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index dcf0bf9a..040d3c3a 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -56,6 +56,7 @@ jobs:
         working-directory: tests/benchmark
         env:
           RUST_BACKTRACE: "1"
+          K6_DB_HOST: "127.0.0.1"
         run: mise run k6:benchmark:continuous
 
       # Store k6 benchmark result
diff --git a/tests/benchmark/k6/Dockerfile b/tests/benchmark/k6/Dockerfile
index 77d98704..097d1e04 100644
--- a/tests/benchmark/k6/Dockerfile
+++ b/tests/benchmark/k6/Dockerfile
@@ -1,8 +1,9 @@
-FROM golang:1.22-alpine AS builder
+FROM golang:1.23-alpine AS builder
 RUN apk add --no-cache git
+ENV GOTOOLCHAIN=auto
 RUN go install go.k6.io/xk6/cmd/xk6@latest
 WORKDIR /build
-RUN xk6 build --with github.com/gcfabri/xk6-pgxpool@latest --output /build/k6
+RUN xk6 build --with github.com/grafana/xk6-sql@latest --with github.com/grafana/xk6-sql-driver-postgres@latest --output /build/k6
 
 FROM alpine:3.19
 RUN apk add --no-cache ca-certificates
diff --git a/tests/benchmark/k6/scripts/jsonb-containment.js b/tests/benchmark/k6/scripts/jsonb-containment.js
index f4f57db8..1134de75 100644
--- a/tests/benchmark/k6/scripts/jsonb-containment.js
+++ b/tests/benchmark/k6/scripts/jsonb-containment.js
@@ -4,17 +4,17 @@
 //   packages/cipherstash-proxy-integration/src/select/jsonb_contains.rs:13-14
 //   "SELECT encrypted_jsonb @> $1 FROM encrypted LIMIT 1"
 //
-// Uses xk6-pgxpool API:
-//   pgxpool.open(connString, minConns, maxConns)
-//   pgxpool.exec(pool, sql, ...args)
+// Uses xk6-sql API:
+//   sql.open(driver, connString)
+//   db.exec(sql, ...args)
 
-import pgxpool from 'k6/x/pgxpool';
-import { getConnectionString, getPoolConfig, getDefaultOptions } from './lib/config.js';
+import sql from 'k6/x/sql';
+import driver from 'k6/x/sql/driver/postgres';
+import { getConnectionString, getDefaultOptions } from './lib/config.js';
 import { createSummaryHandler } from './lib/summary.js';
 
 const target = __ENV.K6_TARGET || 'proxy';
 const connectionString = getConnectionString(target);
-const poolConfig = getPoolConfig();
 
 // ID range for containment benchmark data (isolated from other tests)
 const ID_START = 2000000;
@@ -24,11 +24,11 @@ export const options = getDefaultOptions({
   'iteration_duration': ['p(95)<200'],
 });
 
-const pool = pgxpool.open(connectionString, poolConfig.minConns, poolConfig.maxConns);
+const db = sql.open(driver, connectionString);
 
 export function setup() {
   // Clean up any leftover data from crashed runs before inserting
-  pgxpool.exec(pool, `DELETE FROM encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+  db.exec(`DELETE FROM encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
 
   // Insert seed data with known values for containment queries
   for (let i = 0; i < ID_COUNT; i++) {
@@ -39,8 +39,7 @@ export function setup() {
       number: i % 10,
       nested: { string: 'world', number: i },
     };
-    pgxpool.exec(
-      pool,
+    db.exec(
       `INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
       id,
       JSON.stringify(jsonb)
@@ -53,10 +52,8 @@ export default function() {
   const pattern = JSON.stringify({ string: `value${i}` });
 
   // Use exec instead of query - we only need to verify the query runs, not inspect results
-  // This avoids potential resource leaks if pgxpool.query returns a cursor
   // Query uses @> containment operator on encrypted JSONB
-  pgxpool.exec(
-    pool,
+  db.exec(
     `SELECT id FROM encrypted WHERE encrypted_jsonb @> $1 AND id BETWEEN $2 AND $3`,
     pattern,
     ID_START,
@@ -66,8 +63,8 @@ export default function() {
 
 export function teardown() {
   // Clean up seed data
-  pgxpool.exec(pool, `DELETE FROM encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
-  pgxpool.close(pool);
+  db.exec(`DELETE FROM encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+  db.close();
 }
 
 export const handleSummary = createSummaryHandler('jsonb-containment');
diff --git a/tests/benchmark/k6/scripts/jsonb-insert.js b/tests/benchmark/k6/scripts/jsonb-insert.js
index 3ab75b15..4164b3fa 100644
--- a/tests/benchmark/k6/scripts/jsonb-insert.js
+++ b/tests/benchmark/k6/scripts/jsonb-insert.js
@@ -1,30 +1,29 @@
 // JSONB INSERT benchmark - primary CI benchmark for encrypted JSONB performance
 //
-// Uses xk6-pgxpool API:
-//   pgxpool.open(connString, minConns, maxConns)
-//   pgxpool.exec(pool, sql, ...args)
+// Uses xk6-sql API:
+//   sql.open(driver, connString)
+//   db.exec(sql, ...args)
 
-import pgxpool from 'k6/x/pgxpool';
-import { getConnectionString, getPoolConfig, getDefaultOptions } from './lib/config.js';
+import sql from 'k6/x/sql';
+import driver from 'k6/x/sql/driver/postgres';
+import { getConnectionString, getDefaultOptions } from './lib/config.js';
 import { randomId, generateStandardJsonb } from './lib/data.js';
 import { createSummaryHandler } from './lib/summary.js';
 
 const target = __ENV.K6_TARGET || 'proxy';
 const connectionString = getConnectionString(target);
-const poolConfig = getPoolConfig();
 
 export const options = getDefaultOptions({
   'iteration_duration': ['p(95)<500'],
 });
 
-const pool = pgxpool.open(connectionString, poolConfig.minConns, poolConfig.maxConns);
+const db = sql.open(driver, connectionString);
 
 export default function() {
   const id = randomId();
   const jsonb = generateStandardJsonb(id);
 
-  pgxpool.exec(
-    pool,
+  db.exec(
     `INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
     id,
     JSON.stringify(jsonb)
@@ -32,7 +31,7 @@ export default function() {
 }
 
 export function teardown() {
-  pgxpool.close(pool);
+  db.close();
 }
 
 export const handleSummary = createSummaryHandler('jsonb-insert');
diff --git a/tests/benchmark/k6/scripts/large-payload.js b/tests/benchmark/k6/scripts/large-payload.js
index 117135f8..dd1c7ef8 100644
--- a/tests/benchmark/k6/scripts/large-payload.js
+++ b/tests/benchmark/k6/scripts/large-payload.js
@@ -1,30 +1,29 @@
 // Large payload (500KB+) INSERT benchmark for memory/performance investigation
 //
-// Uses xk6-pgxpool API:
-//   pgxpool.open(connString, minConns, maxConns)
-//   pgxpool.exec(pool, sql, ...args)
+// Uses xk6-sql API:
+//   sql.open(driver, connString)
+//   db.exec(sql, ...args)
 
-import pgxpool from 'k6/x/pgxpool';
-import { getConnectionString, getPoolConfig, getDefaultOptions } from './lib/config.js';
+import sql from 'k6/x/sql';
+import driver from 'k6/x/sql/driver/postgres';
+import { getConnectionString, getDefaultOptions } from './lib/config.js';
 import { randomId, generateLargeJsonb } from './lib/data.js';
 import { createSummaryHandler } from './lib/summary.js';
 
 const target = __ENV.K6_TARGET || 'proxy';
 const connectionString = getConnectionString(target);
-const poolConfig = getPoolConfig();
 
 export const options = getDefaultOptions({
   'iteration_duration': ['p(95)<30000'],  // 30s for large payloads
 });
 
-const pool = pgxpool.open(connectionString, poolConfig.minConns, poolConfig.maxConns);
+const db = sql.open(driver, connectionString);
 
 export default function() {
   const id = randomId();
   const jsonb = generateLargeJsonb(id);
 
-  pgxpool.exec(
-    pool,
+  db.exec(
     `INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
     id,
     JSON.stringify(jsonb)
@@ -32,7 +31,7 @@ export default function() {
 }
 
 export function teardown() {
-  pgxpool.close(pool);
+  db.close();
 }
 
 export const handleSummary = createSummaryHandler('large-payload');
diff --git a/tests/benchmark/k6/scripts/lib/config.js b/tests/benchmark/k6/scripts/lib/config.js
index 8993cf18..a8bed3c8 100644
--- a/tests/benchmark/k6/scripts/lib/config.js
+++ b/tests/benchmark/k6/scripts/lib/config.js
@@ -1,18 +1,21 @@
 // Connection configuration for k6 benchmarks
 // Ports: postgres=5532, proxy=6432
 //
-// xk6-pgxpool API:
-//   import pgxpool from 'k6/x/pgxpool'
-//   const pool = pgxpool.open(connString, minConns, maxConns)
-//   pgxpool.query(pool, sql, ...args)
-//   pgxpool.exec(pool, sql, ...args)
+// xk6-sql API:
+//   import sql from 'k6/x/sql';
+//   import driver from 'k6/x/sql/driver/postgres';
+//   const db = sql.open(driver, connString);
+//   db.exec(sql, ...args);
+//   const rows = db.query(sql, ...args);
+//   db.close();
 
 export const POSTGRES_PORT = 5532;
 export const PROXY_PORT = 6432;
 
 export function getConnectionString(target) {
-  // Default to 127.0.0.1 (works on Linux CI and macOS with --network=host)
-  const host = __ENV.K6_DB_HOST || '127.0.0.1';
+  // Default to host.docker.internal (works on macOS and Windows Docker)
+  // For Linux CI with --network=host, set K6_DB_HOST=127.0.0.1
+  const host = __ENV.K6_DB_HOST || 'host.docker.internal';
   const port = target === 'proxy' ? PROXY_PORT : POSTGRES_PORT;
   const user = __ENV.K6_DB_USER || 'cipherstash';
   const password = __ENV.K6_DB_PASSWORD || 'p@ssword';
@@ -23,13 +26,6 @@ export function getConnectionString(target) {
   return `postgres://${user}:${password}@${host}:${port}/${database}?sslmode=${sslmode}`;
 }
 
-export function getPoolConfig() {
-  return {
-    minConns: parseInt(__ENV.K6_POOL_MIN || '2'),
-    maxConns: parseInt(__ENV.K6_POOL_MAX || '10'),
-  };
-}
-
 export function getDefaultOptions(thresholds = {}) {
   return {
     scenarios: {
diff --git a/tests/benchmark/k6/scripts/text-equality.js b/tests/benchmark/k6/scripts/text-equality.js
index cdc82ca2..afb766b6 100644
--- a/tests/benchmark/k6/scripts/text-equality.js
+++ b/tests/benchmark/k6/scripts/text-equality.js
@@ -1,16 +1,16 @@
 // Text equality benchmark - baseline matching pgbench encrypted transaction
 //
-// Uses xk6-pgxpool API:
-//   pgxpool.open(connString, minConns, maxConns)
-//   pgxpool.exec(pool, sql, ...args)
+// Uses xk6-sql API:
+//   sql.open(driver, connString)
+//   db.exec(sql, ...args)
 
-import pgxpool from 'k6/x/pgxpool';
-import { getConnectionString, getPoolConfig, getDefaultOptions } from './lib/config.js';
+import sql from 'k6/x/sql';
+import driver from 'k6/x/sql/driver/postgres';
+import { getConnectionString, getDefaultOptions } from './lib/config.js';
 import { createSummaryHandler } from './lib/summary.js';
 
 const target = __ENV.K6_TARGET || 'proxy';
 const connectionString = getConnectionString(target);
-const poolConfig = getPoolConfig();
 
 // ID range for text-equality benchmark data (isolated from other tests)
 const ID_START = 1000000;
@@ -20,18 +20,17 @@ export const options = getDefaultOptions({
   'iteration_duration': ['p(95)<100'],
 });
 
-const pool = pgxpool.open(connectionString, poolConfig.minConns, poolConfig.maxConns);
+const db = sql.open(driver, connectionString);
 
 export function setup() {
   // Clean up any leftover data from crashed runs before inserting
-  pgxpool.exec(pool, `DELETE FROM benchmark_encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+  db.exec(`DELETE FROM benchmark_encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
 
   // Insert seed data for queries
   for (let i = 0; i < ID_COUNT; i++) {
     const id = ID_START + i;
     const email = `user${i}@example.com`;
-    pgxpool.exec(
-      pool,
+    db.exec(
       `INSERT INTO benchmark_encrypted (id, username, email) VALUES ($1, $2, $3)`,
       id,
       `user${i}`,
@@ -45,14 +44,13 @@ export default function() {
   const email = `user${i}@example.com`;
 
   // Use exec instead of query - we only need to verify the query runs, not inspect results
-  // This avoids potential resource leaks if pgxpool.query returns a cursor
-  pgxpool.exec(pool, `SELECT username FROM benchmark_encrypted WHERE email = $1`, email);
+  db.exec(`SELECT username FROM benchmark_encrypted WHERE email = $1`, email);
 }
 
 export function teardown() {
   // Clean up seed data
-  pgxpool.exec(pool, `DELETE FROM benchmark_encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
-  pgxpool.close(pool);
+  db.exec(`DELETE FROM benchmark_encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+  db.close();
 }
 
 export const handleSummary = createSummaryHandler('text-equality');
diff --git a/tests/benchmark/mise.toml b/tests/benchmark/mise.toml
index 967c923a..52eefda8 100644
--- a/tests/benchmark/mise.toml
+++ b/tests/benchmark/mise.toml
@@ -180,29 +180,10 @@ echo docker compose up --build {{arg(name="service",default="pgcat")}} {{option(
 [tasks."k6:build"]
 description = "Build k6 Docker image with xk6-pgxpool"
 run = """
-docker build -t k6-pgxpool tests/benchmark/k6/
+docker build -t k6-pgxpool {{config_root}}/k6/
 """
 
-[tasks."k6:run"]
-description = "Run a single k6 benchmark script"
-run = """
-#USAGE flag "--script <script>" help="Script name (without .js)" {
-#USAGE   choices "jsonb-insert" "jsonb-containment" "text-equality" "large-payload"
-#USAGE }
-#USAGE flag "--target <target>" default="proxy" help="Target service" {
-#USAGE   choices "postgres" "proxy"
-#USAGE }
-#USAGE flag "--vus <vus>" default="10" help="Number of virtual users"
-#USAGE flag "--duration <duration>" default="30s" help="Test duration"
-
-docker run --rm --network=host \
-  -v {{config_root}}/k6/scripts:/scripts \
-  -v {{config_root}}/results/k6:/scripts/results/k6 \
-  -e K6_TARGET=${usage_target} \
-  -e K6_VUS=${usage_vus} \
-  -e K6_DURATION=${usage_duration} \
-  k6-pgxpool run /scripts/${usage_script}.js
-"""
+# k6:run task is defined in tasks/k6_run.sh
 
 [tasks."k6:benchmark"]
 description = "Run full k6 benchmark suite"
@@ -222,15 +203,15 @@ mise run benchmark:setup
 
 # JSONB INSERT (primary)
 echo "Running jsonb-insert..."
-mise run k6:run --script=jsonb-insert --target=proxy --duration=30s
+mise run k6_run --script=jsonb-insert --target=proxy --duration=30s
 
 # Text equality (baseline)
 echo "Running text-equality..."
-mise run k6:run --script=text-equality --target=proxy --duration=30s
+mise run k6_run --script=text-equality --target=proxy --duration=30s
 
 # JSONB containment
 echo "Running jsonb-containment..."
-mise run k6:run --script=jsonb-containment --target=proxy --duration=30s
+mise run k6_run --script=jsonb-containment --target=proxy --duration=30s
 
 echo
 echo "Results written to results/k6/"
@@ -249,7 +230,7 @@ echo '# k6 CI Benchmark: jsonb-insert via proxy'
 echo '###############################################'
 echo
 
-mise run k6:run --script=jsonb-insert --target=proxy --vus=10 --duration=30s
+mise run k6_run --script=jsonb-insert --target=proxy --vus=10 --duration=30s
 
 # Copy output for benchmark-action
 cp results/k6/jsonb-insert-output.json results/k6-output.json
diff --git a/tests/benchmark/tasks/k6_run.sh b/tests/benchmark/tasks/k6_run.sh
new file mode 100755
index 00000000..211be6bc
--- /dev/null
+++ b/tests/benchmark/tasks/k6_run.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+#MISE description="Run a single k6 benchmark script"
+#USAGE flag "--script <script>" help="Script name (without .js)" {
+#USAGE   choices "jsonb-insert" "jsonb-containment" "text-equality" "large-payload"
+#USAGE }
+#USAGE flag "--target <target>" default="proxy" help="Target service" {
+#USAGE   choices "postgres" "proxy"
+#USAGE }
+#USAGE flag "--vus <vus>" default="10" help="Number of virtual users"
+#USAGE flag "--duration <duration>" default="30s" help="Test duration"
+
+set -e
+
+# Use --network=host on Linux for direct port access (CI)
+# On macOS, host.docker.internal is used instead
+if [ "$(uname)" = "Linux" ]; then
+  NETWORK_FLAG="--network=host"
+else
+  NETWORK_FLAG=""
+fi
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+docker run --rm $NETWORK_FLAG \
+  -v "$SCRIPT_DIR/k6/scripts:/scripts" \
+  -v "$SCRIPT_DIR/results/k6:/scripts/results/k6" \
+  -e K6_TARGET=${usage_target} \
+  -e K6_VUS=${usage_vus} \
+  -e K6_DURATION=${usage_duration} \
+  -e K6_DB_HOST=${K6_DB_HOST:-host.docker.internal} \
+  k6-pgxpool run /scripts/${usage_script}.js

From f41215e00517ff4515f1698aeb43de78f9b5d051 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 13:49:26 +1100
Subject: [PATCH 12/25] fix(benchmark): default K6_DB_HOST based on OS
 detection

On Linux, default to 127.0.0.1 (host.docker.internal doesn't resolve).
On macOS, default to host.docker.internal.

Removes explicit K6_DB_HOST from CI workflow since script now handles it.
---
 .github/workflows/benchmark.yml | 1 -
 tests/benchmark/tasks/k6_run.sh | 4 +++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 040d3c3a..dcf0bf9a 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -56,7 +56,6 @@ jobs:
         working-directory: tests/benchmark
         env:
           RUST_BACKTRACE: "1"
-          K6_DB_HOST: "127.0.0.1"
         run: mise run k6:benchmark:continuous
 
       # Store k6 benchmark result
diff --git a/tests/benchmark/tasks/k6_run.sh b/tests/benchmark/tasks/k6_run.sh
index 211be6bc..4176068f 100755
--- a/tests/benchmark/tasks/k6_run.sh
+++ b/tests/benchmark/tasks/k6_run.sh
@@ -15,8 +15,10 @@ set -e
 # On macOS, host.docker.internal is used instead
 if [ "$(uname)" = "Linux" ]; then
   NETWORK_FLAG="--network=host"
+  DEFAULT_DB_HOST="127.0.0.1"
 else
   NETWORK_FLAG=""
+  DEFAULT_DB_HOST="host.docker.internal"
 fi
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
@@ -27,5 +29,5 @@ docker run --rm $NETWORK_FLAG \
   -e K6_TARGET=${usage_target} \
   -e K6_VUS=${usage_vus} \
   -e K6_DURATION=${usage_duration} \
-  -e K6_DB_HOST=${K6_DB_HOST:-host.docker.internal} \
+  -e K6_DB_HOST=${K6_DB_HOST:-$DEFAULT_DB_HOST} \
   k6-pgxpool run /scripts/${usage_script}.js

From 5bfa6049ebe14f9fb12056949b9c148b2f09583c Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 14:46:20 +1100
Subject: [PATCH 13/25] fix(benchmark): use benchmark_encrypted table for k6
 JSONB scripts

k6 benchmarks were using the test schema's encrypted table which lacks
the required encryption config. Now uses benchmark_encrypted table with
proper ste_vec encryption for JSONB.

- Add encrypted_jsonb column to benchmark_encrypted table
- Add ste_vec search config for JSONB encryption
- Update jsonb-insert, jsonb-containment, large-payload scripts
---
 tests/benchmark/k6/scripts/jsonb-containment.js | 11 +++++------
 tests/benchmark/k6/scripts/jsonb-insert.js      |  2 +-
 tests/benchmark/k6/scripts/large-payload.js     |  2 +-
 tests/benchmark/sql/benchmark-schema.sql        | 11 ++++++++++-
 4 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/tests/benchmark/k6/scripts/jsonb-containment.js b/tests/benchmark/k6/scripts/jsonb-containment.js
index 1134de75..efcb6d9e 100644
--- a/tests/benchmark/k6/scripts/jsonb-containment.js
+++ b/tests/benchmark/k6/scripts/jsonb-containment.js
@@ -1,8 +1,7 @@
 // JSONB containment (@>) benchmark
 //
 // The @> operator on eql_v2_encrypted is confirmed working via integration tests:
-//   packages/cipherstash-proxy-integration/src/select/jsonb_contains.rs:13-14
-//   "SELECT encrypted_jsonb @> $1 FROM encrypted LIMIT 1"
+//   packages/cipherstash-proxy-integration/src/select/jsonb_contains.rs
 //
 // Uses xk6-sql API:
 //   sql.open(driver, connString)
@@ -28,7 +27,7 @@ const db = sql.open(driver, connectionString);
 
 export function setup() {
   // Clean up any leftover data from crashed runs before inserting
-  db.exec(`DELETE FROM encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+  db.exec(`DELETE FROM benchmark_encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
 
   // Insert seed data with known values for containment queries
   for (let i = 0; i < ID_COUNT; i++) {
@@ -40,7 +39,7 @@ export function setup() {
       nested: { string: 'world', number: i },
     };
     db.exec(
-      `INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+      `INSERT INTO benchmark_encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
       id,
       JSON.stringify(jsonb)
     );
@@ -54,7 +53,7 @@ export default function() {
   // Use exec instead of query - we only need to verify the query runs, not inspect results
   // Query uses @> containment operator on encrypted JSONB
   db.exec(
-    `SELECT id FROM encrypted WHERE encrypted_jsonb @> $1 AND id BETWEEN $2 AND $3`,
+    `SELECT id FROM benchmark_encrypted WHERE encrypted_jsonb @> $1 AND id BETWEEN $2 AND $3`,
     pattern,
     ID_START,
     ID_START + ID_COUNT - 1
@@ -63,7 +62,7 @@ export default function() {
 
 export function teardown() {
   // Clean up seed data
-  db.exec(`DELETE FROM encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
+  db.exec(`DELETE FROM benchmark_encrypted WHERE id BETWEEN $1 AND $2`, ID_START, ID_START + ID_COUNT - 1);
   db.close();
 }
 
diff --git a/tests/benchmark/k6/scripts/jsonb-insert.js b/tests/benchmark/k6/scripts/jsonb-insert.js
index 4164b3fa..8a2df168 100644
--- a/tests/benchmark/k6/scripts/jsonb-insert.js
+++ b/tests/benchmark/k6/scripts/jsonb-insert.js
@@ -24,7 +24,7 @@ export default function() {
   const jsonb = generateStandardJsonb(id);
 
   db.exec(
-    `INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+    `INSERT INTO benchmark_encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
     id,
     JSON.stringify(jsonb)
   );
diff --git a/tests/benchmark/k6/scripts/large-payload.js b/tests/benchmark/k6/scripts/large-payload.js
index dd1c7ef8..b3f276e2 100644
--- a/tests/benchmark/k6/scripts/large-payload.js
+++ b/tests/benchmark/k6/scripts/large-payload.js
@@ -24,7 +24,7 @@ export default function() {
   const jsonb = generateLargeJsonb(id);
 
   db.exec(
-    `INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+    `INSERT INTO benchmark_encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
     id,
     JSON.stringify(jsonb)
   );
diff --git a/tests/benchmark/sql/benchmark-schema.sql b/tests/benchmark/sql/benchmark-schema.sql
index c2024fe0..095e759f 100644
--- a/tests/benchmark/sql/benchmark-schema.sql
+++ b/tests/benchmark/sql/benchmark-schema.sql
@@ -11,7 +11,8 @@ DROP TABLE IF EXISTS benchmark_encrypted;
 CREATE TABLE benchmark_encrypted (
     id serial primary key,
     username text,
-    email eql_v2_encrypted
+    email eql_v2_encrypted,
+    encrypted_jsonb eql_v2_encrypted
 );
 
 SELECT eql_v2.add_column(
@@ -19,3 +20,11 @@ SELECT eql_v2.add_column(
   'email'
 );
 
+SELECT eql_v2.add_search_config(
+  'benchmark_encrypted',
+  'encrypted_jsonb',
+  'ste_vec',
+  'jsonb',
+  '{"prefix": "benchmark_encrypted/encrypted_jsonb"}'
+);
+

From e24241679d4c8ed487d0c1d6beb527a3570ed6e6 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 15:05:49 +1100
Subject: [PATCH 14/25] refactor(benchmark): rename k6 scripts to
 jsonb-ste-vec-* naming
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Rename k6 benchmark scripts to clarify they test JSONB with STE-VEC
encryption index (as distinct from plain JSONB):
- jsonb-insert.js → jsonb-ste-vec-insert.js
- jsonb-containment.js → jsonb-ste-vec-containment.js
- large-payload.js → jsonb-ste-vec-large-payload.js

Update k6:benchmark:continuous task to reference the renamed script.
---
 ...{jsonb-containment.js => jsonb-ste-vec-containment.js} | 0
 .../scripts/{jsonb-insert.js => jsonb-ste-vec-insert.js}  | 0
 .../{large-payload.js => jsonb-ste-vec-large-payload.js}  | 0
 tests/benchmark/mise.toml                                 | 8 ++++----
 4 files changed, 4 insertions(+), 4 deletions(-)
 rename tests/benchmark/k6/scripts/{jsonb-containment.js => jsonb-ste-vec-containment.js} (100%)
 rename tests/benchmark/k6/scripts/{jsonb-insert.js => jsonb-ste-vec-insert.js} (100%)
 rename tests/benchmark/k6/scripts/{large-payload.js => jsonb-ste-vec-large-payload.js} (100%)

diff --git a/tests/benchmark/k6/scripts/jsonb-containment.js b/tests/benchmark/k6/scripts/jsonb-ste-vec-containment.js
similarity index 100%
rename from tests/benchmark/k6/scripts/jsonb-containment.js
rename to tests/benchmark/k6/scripts/jsonb-ste-vec-containment.js
diff --git a/tests/benchmark/k6/scripts/jsonb-insert.js b/tests/benchmark/k6/scripts/jsonb-ste-vec-insert.js
similarity index 100%
rename from tests/benchmark/k6/scripts/jsonb-insert.js
rename to tests/benchmark/k6/scripts/jsonb-ste-vec-insert.js
diff --git a/tests/benchmark/k6/scripts/large-payload.js b/tests/benchmark/k6/scripts/jsonb-ste-vec-large-payload.js
similarity index 100%
rename from tests/benchmark/k6/scripts/large-payload.js
rename to tests/benchmark/k6/scripts/jsonb-ste-vec-large-payload.js
diff --git a/tests/benchmark/mise.toml b/tests/benchmark/mise.toml
index 52eefda8..710aab2d 100644
--- a/tests/benchmark/mise.toml
+++ b/tests/benchmark/mise.toml
@@ -218,7 +218,7 @@ echo "Results written to results/k6/"
 """
 
 [tasks."k6:benchmark:continuous"]
-description = "Run k6 benchmark for CI (proxy + jsonb-insert only)"
+description = "Run k6 benchmark for CI (proxy + jsonb-ste-vec-insert only)"
 run = """
 set -e
 
@@ -226,12 +226,12 @@ mise run k6:build
 
 echo
 echo '###############################################'
-echo '# k6 CI Benchmark: jsonb-insert via proxy'
+echo '# k6 CI Benchmark: jsonb-ste-vec-insert via proxy'
 echo '###############################################'
 echo
 
-mise run k6_run --script=jsonb-insert --target=proxy --vus=10 --duration=30s
+mise run k6_run --script=jsonb-ste-vec-insert --target=proxy --vus=10 --duration=30s
 
 # Copy output for benchmark-action
-cp results/k6/jsonb-insert-output.json results/k6-output.json
+cp results/k6/jsonb-ste-vec-insert-output.json results/k6-output.json
 """

From da51dabc17a9271d7429dd93d5aff5962f262cde Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 15:07:48 +1100
Subject: [PATCH 15/25] feat(benchmark): add encrypted_jsonb_with_ste_vec
 column for STE-VEC benchmarks

Separate STE-VEC and non-STE-VEC JSONB benchmarks:

- Add encrypted_jsonb_with_ste_vec column with STE-VEC search config
- Update jsonb-ste-vec-* scripts to use the new STE-VEC column
- Add jsonb-large-payload.js for basic JSONB without STE-VEC index
- Update k6_run.sh script choices for new benchmark names

This enables comparing encryption overhead with and without
searchable encryption indexes.
---
 .../k6/scripts/jsonb-large-payload.js         | 38 +++++++++++++++++++
 .../k6/scripts/jsonb-ste-vec-containment.js   |  6 +--
 .../k6/scripts/jsonb-ste-vec-insert.js        |  4 +-
 .../k6/scripts/jsonb-ste-vec-large-payload.js |  4 +-
 tests/benchmark/sql/benchmark-schema.sql      | 13 +++++--
 tests/benchmark/tasks/k6_run.sh               |  2 +-
 6 files changed, 56 insertions(+), 11 deletions(-)
 create mode 100644 tests/benchmark/k6/scripts/jsonb-large-payload.js

diff --git a/tests/benchmark/k6/scripts/jsonb-large-payload.js b/tests/benchmark/k6/scripts/jsonb-large-payload.js
new file mode 100644
index 00000000..eabd4856
--- /dev/null
+++ b/tests/benchmark/k6/scripts/jsonb-large-payload.js
@@ -0,0 +1,38 @@
+// Large payload (500KB+) INSERT benchmark for memory/performance investigation
+// Uses encrypted_jsonb column (basic jsonb encryption, no ste_vec)
+//
+// Uses xk6-sql API:
+//   sql.open(driver, connString)
+//   db.exec(sql, ...args)
+
+import sql from 'k6/x/sql';
+import driver from 'k6/x/sql/driver/postgres';
+import { getConnectionString, getDefaultOptions } from './lib/config.js';
+import { randomId, generateLargeJsonb } from './lib/data.js';
+import { createSummaryHandler } from './lib/summary.js';
+
+const target = __ENV.K6_TARGET || 'proxy';
+const connectionString = getConnectionString(target);
+
+export const options = getDefaultOptions({
+  'iteration_duration': ['p(95)<30000'],  // 30s for large payloads
+});
+
+const db = sql.open(driver, connectionString);
+
+export default function() {
+  const id = randomId();
+  const jsonb = generateLargeJsonb(id);
+
+  db.exec(
+    `INSERT INTO benchmark_encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+    id,
+    JSON.stringify(jsonb)
+  );
+}
+
+export function teardown() {
+  db.close();
+}
+
+export const handleSummary = createSummaryHandler('jsonb-large-payload');
diff --git a/tests/benchmark/k6/scripts/jsonb-ste-vec-containment.js b/tests/benchmark/k6/scripts/jsonb-ste-vec-containment.js
index efcb6d9e..65a3d167 100644
--- a/tests/benchmark/k6/scripts/jsonb-ste-vec-containment.js
+++ b/tests/benchmark/k6/scripts/jsonb-ste-vec-containment.js
@@ -39,7 +39,7 @@ export function setup() {
       nested: { string: 'world', number: i },
     };
     db.exec(
-      `INSERT INTO benchmark_encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+      `INSERT INTO benchmark_encrypted (id, encrypted_jsonb_with_ste_vec) VALUES ($1, $2)`,
       id,
       JSON.stringify(jsonb)
     );
@@ -53,7 +53,7 @@ export default function() {
   // Use exec instead of query - we only need to verify the query runs, not inspect results
   // Query uses @> containment operator on encrypted JSONB
   db.exec(
-    `SELECT id FROM benchmark_encrypted WHERE encrypted_jsonb @> $1 AND id BETWEEN $2 AND $3`,
+    `SELECT id FROM benchmark_encrypted WHERE encrypted_jsonb_with_ste_vec @> $1 AND id BETWEEN $2 AND $3`,
     pattern,
     ID_START,
     ID_START + ID_COUNT - 1
@@ -66,4 +66,4 @@ export function teardown() {
   db.close();
 }
 
-export const handleSummary = createSummaryHandler('jsonb-containment');
+export const handleSummary = createSummaryHandler('jsonb-ste-vec-containment');
diff --git a/tests/benchmark/k6/scripts/jsonb-ste-vec-insert.js b/tests/benchmark/k6/scripts/jsonb-ste-vec-insert.js
index 8a2df168..f1bfe23a 100644
--- a/tests/benchmark/k6/scripts/jsonb-ste-vec-insert.js
+++ b/tests/benchmark/k6/scripts/jsonb-ste-vec-insert.js
@@ -24,7 +24,7 @@ export default function() {
   const jsonb = generateStandardJsonb(id);
 
   db.exec(
-    `INSERT INTO benchmark_encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+    `INSERT INTO benchmark_encrypted (id, encrypted_jsonb_with_ste_vec) VALUES ($1, $2)`,
     id,
     JSON.stringify(jsonb)
   );
@@ -34,4 +34,4 @@ export function teardown() {
   db.close();
 }
 
-export const handleSummary = createSummaryHandler('jsonb-insert');
+export const handleSummary = createSummaryHandler('jsonb-ste-vec-insert');
diff --git a/tests/benchmark/k6/scripts/jsonb-ste-vec-large-payload.js b/tests/benchmark/k6/scripts/jsonb-ste-vec-large-payload.js
index b3f276e2..45412904 100644
--- a/tests/benchmark/k6/scripts/jsonb-ste-vec-large-payload.js
+++ b/tests/benchmark/k6/scripts/jsonb-ste-vec-large-payload.js
@@ -24,7 +24,7 @@ export default function() {
   const jsonb = generateLargeJsonb(id);
 
   db.exec(
-    `INSERT INTO benchmark_encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
+    `INSERT INTO benchmark_encrypted (id, encrypted_jsonb_with_ste_vec) VALUES ($1, $2)`,
     id,
     JSON.stringify(jsonb)
   );
@@ -34,4 +34,4 @@ export function teardown() {
   db.close();
 }
 
-export const handleSummary = createSummaryHandler('large-payload');
+export const handleSummary = createSummaryHandler('jsonb-ste-vec-large-payload');
diff --git a/tests/benchmark/sql/benchmark-schema.sql b/tests/benchmark/sql/benchmark-schema.sql
index 095e759f..e490f087 100644
--- a/tests/benchmark/sql/benchmark-schema.sql
+++ b/tests/benchmark/sql/benchmark-schema.sql
@@ -12,7 +12,8 @@ CREATE TABLE benchmark_encrypted (
     id serial primary key,
     username text,
     email eql_v2_encrypted,
-    encrypted_jsonb eql_v2_encrypted
+    encrypted_jsonb eql_v2_encrypted,
+    encrypted_jsonb_with_ste_vec eql_v2_encrypted
 );
 
 SELECT eql_v2.add_column(
@@ -20,11 +21,17 @@ SELECT eql_v2.add_column(
   'email'
 );
 
-SELECT eql_v2.add_search_config(
+SELECT eql_v2.add_column(
   'benchmark_encrypted',
   'encrypted_jsonb',
+  'jsonb'
+);
+
+SELECT eql_v2.add_search_config(
+  'benchmark_encrypted',
+  'encrypted_jsonb_with_ste_vec',
   'ste_vec',
   'jsonb',
-  '{"prefix": "benchmark_encrypted/encrypted_jsonb"}'
+  '{"prefix": "benchmark_encrypted/encrypted_jsonb_with_ste_vec"}'
 );
 
diff --git a/tests/benchmark/tasks/k6_run.sh b/tests/benchmark/tasks/k6_run.sh
index 4176068f..3c798b08 100755
--- a/tests/benchmark/tasks/k6_run.sh
+++ b/tests/benchmark/tasks/k6_run.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 #MISE description="Run a single k6 benchmark script"
 #USAGE flag "--script <script>" help="Script name (without .js)" {
-#USAGE   choices "jsonb-insert" "jsonb-containment" "text-equality" "large-payload"
+#USAGE   choices "jsonb-ste-vec-insert" "jsonb-ste-vec-containment" "jsonb-ste-vec-large-payload" "jsonb-large-payload" "text-equality"
 #USAGE }
 #USAGE flag "--target <target>" default="proxy" help="Target service" {
 #USAGE   choices "postgres" "proxy"

From f1d8b97af4fdff29e594bbe3e3864e7de7d2ec11 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 15:17:32 +1100
Subject: [PATCH 16/25] fix(benchmark): constrain randomId() to PostgreSQL int4
 range

The randomId() function was generating values up to Number.MAX_SAFE_INTEGER
(~9 quadrillion), exceeding PostgreSQL's int4 max of 2.1 billion. This caused
"value is out of range for type integer" errors in k6 benchmarks.
---
 tests/benchmark/k6/scripts/lib/data.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/benchmark/k6/scripts/lib/data.js b/tests/benchmark/k6/scripts/lib/data.js
index 018b3065..a911a84d 100644
--- a/tests/benchmark/k6/scripts/lib/data.js
+++ b/tests/benchmark/k6/scripts/lib/data.js
@@ -1,8 +1,11 @@
 // JSONB payload generators for k6 benchmarks
 // Matches integration test fixtures in common.rs
 
+// PostgreSQL int4 (serial) max value - prevents "out of range for type integer" errors
+const MAX_INT4 = 2147483647;
+
 export function randomId() {
-  return Math.floor(Math.random() * Number.MAX_SAFE_INTEGER);
+  return Math.floor(Math.random() * MAX_INT4);
 }
 
 export function generateStandardJsonb(id) {

From d66f6328c252564c2c15a5940222e31c8e6eff35 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 15:41:58 +1100
Subject: [PATCH 17/25] feat(benchmark): add jsonb-large-payload to CI
 benchmarks

Run both jsonb-ste-vec-insert and jsonb-large-payload benchmarks in CI,
merging outputs with jq for benchmark-action tracking.
---
 tests/benchmark/mise.toml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tests/benchmark/mise.toml b/tests/benchmark/mise.toml
index 710aab2d..4666a21d 100644
--- a/tests/benchmark/mise.toml
+++ b/tests/benchmark/mise.toml
@@ -218,7 +218,7 @@ echo "Results written to results/k6/"
 """
 
 [tasks."k6:benchmark:continuous"]
-description = "Run k6 benchmark for CI (proxy + jsonb-ste-vec-insert only)"
+description = "Run k6 benchmarks for CI (jsonb-ste-vec-insert + jsonb-large-payload)"
 run = """
 set -e
 
@@ -232,6 +232,14 @@ echo
 
 mise run k6_run --script=jsonb-ste-vec-insert --target=proxy --vus=10 --duration=30s
 
-# Copy output for benchmark-action
-cp results/k6/jsonb-ste-vec-insert-output.json results/k6-output.json
+echo
+echo '###############################################'
+echo '# k6 CI Benchmark: jsonb-large-payload via proxy'
+echo '###############################################'
+echo
+
+mise run k6_run --script=jsonb-large-payload --target=proxy --vus=10 --duration=30s
+
+# Merge outputs for benchmark-action
+jq -s 'add' results/k6/jsonb-ste-vec-insert-output.json results/k6/jsonb-large-payload-output.json > results/k6-output.json
 """

From 2aeda225e50e9dfeb252192ede09bcb47602f195 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 16:00:20 +1100
Subject: [PATCH 18/25] refactor(benchmark): split k6 metrics into throughput
 and latency outputs

Separate benchmark-action tracking for proper regression detection:
- Throughput (customBiggerIsBetter): rate in iter/s
- Latency (customSmallerIsBetter): p95 and p99 in ms

Adds p99 metric and configures summaryTrendStats for k6.
---
 .github/workflows/benchmark.yml           | 29 +++++++++++++-------
 tests/benchmark/k6/scripts/lib/config.js  |  1 +
 tests/benchmark/k6/scripts/lib/summary.js | 32 ++++++++++++++++++-----
 tests/benchmark/mise.toml                 |  9 ++++---
 4 files changed, 50 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index dcf0bf9a..46fdb51f 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -42,12 +42,6 @@ jobs:
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
 
-      - name: Run benchmark
-        working-directory: tests/benchmark
-        env:
-          RUST_BACKTRACE: "1"
-        run: mise run benchmark:continuous
-
       - name: Build k6 with xk6-pgxpool
         working-directory: tests/benchmark
         run: mise run k6:build
@@ -58,18 +52,33 @@ jobs:
           RUST_BACKTRACE: "1"
         run: mise run k6:benchmark:continuous
 
-      # Store k6 benchmark result
-      - name: Store k6 benchmark result
+      # Store k6 throughput benchmark (higher is better)
+      - name: Store k6 throughput benchmark
         uses: benchmark-action/github-action-benchmark@v1
         with:
+          name: 'k6 Throughput'
           tool: 'customBiggerIsBetter'
-          output-file-path: tests/benchmark/results/k6-output.json
+          output-file-path: tests/benchmark/results/k6-throughput.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fail-on-alert: true
+          comment-on-alert: true
+          summary-always: true
+          auto-push: true
+          benchmark-data-dir-path: docs/k6/throughput
+
+      # Store k6 latency benchmark (lower is better)
+      - name: Store k6 latency benchmark
+        uses: benchmark-action/github-action-benchmark@v1
+        with:
+          name: 'k6 Latency'
+          tool: 'customSmallerIsBetter'
+          output-file-path: tests/benchmark/results/k6-latency.json
           github-token: ${{ secrets.GITHUB_TOKEN }}
           fail-on-alert: true
           comment-on-alert: true
           summary-always: true
           auto-push: true
-          benchmark-data-dir-path: docs/k6
+          benchmark-data-dir-path: docs/k6/latency
 
       # Download previous benchmark result from cache (if exists)
       - name: Download previous benchmark data
diff --git a/tests/benchmark/k6/scripts/lib/config.js b/tests/benchmark/k6/scripts/lib/config.js
index a8bed3c8..dd72fdf0 100644
--- a/tests/benchmark/k6/scripts/lib/config.js
+++ b/tests/benchmark/k6/scripts/lib/config.js
@@ -35,6 +35,7 @@ export function getDefaultOptions(thresholds = {}) {
         duration: __ENV.K6_DURATION || '30s',
       },
     },
+    summaryTrendStats: ['min', 'avg', 'med', 'p(90)', 'p(95)', 'p(99)', 'max'],
     thresholds: {
       'iteration_duration': ['p(95)<500'],
       ...thresholds,
diff --git a/tests/benchmark/k6/scripts/lib/summary.js b/tests/benchmark/k6/scripts/lib/summary.js
index b507700f..e1313832 100644
--- a/tests/benchmark/k6/scripts/lib/summary.js
+++ b/tests/benchmark/k6/scripts/lib/summary.js
@@ -1,5 +1,5 @@
 // benchmark-action compatible output formatter
-// Outputs JSON array for github-action-benchmark
+// Outputs separate JSON files for throughput (bigger is better) and latency (smaller is better)
 //
 // Usage in scripts:
 //   import { createSummaryHandler } from './lib/summary.js';
@@ -15,22 +15,37 @@ export function createSummaryHandler(scriptName) {
       ? data.metrics.iteration_duration.values['p(95)']
       : 0;
 
-    const output = [
+    const p99Duration = data.metrics.iteration_duration
+      ? data.metrics.iteration_duration.values['p(99)']
+      : 0;
+
+    // Throughput metrics (customBiggerIsBetter)
+    const throughputOutput = [
       {
-        name: `${scriptName}_iterations_per_second`,
-        unit: 'Number',
+        name: `${scriptName}_rate`,
+        unit: 'iter/s',
         value: Math.round(iterationsPerSecond * 100) / 100,
       },
+    ];
+
+    // Latency metrics (customSmallerIsBetter)
+    const latencyOutput = [
       {
-        name: `${scriptName}_p95_ms`,
+        name: `${scriptName}_p95`,
         unit: 'ms',
         value: Math.round(p95Duration * 100) / 100,
       },
+      {
+        name: `${scriptName}_p99`,
+        unit: 'ms',
+        value: Math.round(p99Duration * 100) / 100,
+      },
     ];
 
     return {
       'stdout': textSummary(data),
-      [`results/k6/${scriptName}-output.json`]: JSON.stringify(output, null, 2),
+      [`results/k6/${scriptName}-throughput.json`]: JSON.stringify(throughputOutput, null, 2),
+      [`results/k6/${scriptName}-latency.json`]: JSON.stringify(latencyOutput, null, 2),
     };
   };
 }
@@ -48,8 +63,11 @@ function textSummary(data) {
 
   if (data.metrics.iteration_duration) {
     const dur = data.metrics.iteration_duration.values;
-    lines.push(`duration p95: ${dur['p(95)'].toFixed(2)}ms`);
+    lines.push(`duration min: ${dur.min.toFixed(2)}ms`);
     lines.push(`duration avg: ${dur.avg.toFixed(2)}ms`);
+    lines.push(`duration p95: ${dur['p(95)'].toFixed(2)}ms`);
+    lines.push(`duration p99: ${dur['p(99)'].toFixed(2)}ms`);
+    lines.push(`duration max: ${dur.max.toFixed(2)}ms`);
   }
 
   lines.push('');
diff --git a/tests/benchmark/mise.toml b/tests/benchmark/mise.toml
index 4666a21d..1087a2a1 100644
--- a/tests/benchmark/mise.toml
+++ b/tests/benchmark/mise.toml
@@ -230,7 +230,7 @@ echo '# k6 CI Benchmark: jsonb-ste-vec-insert via proxy'
 echo '###############################################'
 echo
 
-mise run k6_run --script=jsonb-ste-vec-insert --target=proxy --vus=10 --duration=30s
+mise run k6_run --script=jsonb-ste-vec-insert --target=proxy --vus=10 --duration=60s
 
 echo
 echo '###############################################'
@@ -238,8 +238,9 @@ echo '# k6 CI Benchmark: jsonb-large-payload via proxy'
 echo '###############################################'
 echo
 
-mise run k6_run --script=jsonb-large-payload --target=proxy --vus=10 --duration=30s
+mise run k6_run --script=jsonb-large-payload --target=proxy --vus=10 --duration=60s
 
-# Merge outputs for benchmark-action
-jq -s 'add' results/k6/jsonb-ste-vec-insert-output.json results/k6/jsonb-large-payload-output.json > results/k6-output.json
+# Merge outputs for benchmark-action (separate files for throughput vs latency)
+jq -s 'add' results/k6/*-throughput.json > results/k6-throughput.json
+jq -s 'add' results/k6/*-latency.json > results/k6-latency.json
 """

From a84e5dd2559260b7facc007311a11914261590b2 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 16:23:36 +1100
Subject: [PATCH 19/25] fix(ci): add proxy startup and restore pgbench
 benchmark

- Setup EQL and benchmark schema before k6 runs
- Start proxy and wait for it to be ready
- Add missing pgbench benchmark run step
- Move pgbench data to docs/pgbench for consistency
---
 .github/workflows/benchmark.yml | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 46fdb51f..6f936811 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -42,6 +42,17 @@ jobs:
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
 
+      - name: Setup EQL and benchmark schema
+        working-directory: tests/benchmark
+        run: |
+          mise --env tcp run postgres:setup
+          mise run benchmark:setup
+
+      - name: Start proxy
+        run: |
+          mise --env tcp run proxy:up proxy --extra-args "--detach --wait"
+          mise --env tcp run test:wait_for_postgres_to_quack --port 6432 --max-retries 20
+
       - name: Build k6 with xk6-pgxpool
         working-directory: tests/benchmark
         run: mise run k6:build
@@ -80,6 +91,12 @@ jobs:
           auto-push: true
           benchmark-data-dir-path: docs/k6/latency
 
+      - name: Run pgbench benchmark
+        working-directory: tests/benchmark
+        env:
+          RUST_BACKTRACE: "1"
+        run: mise run benchmark_service --target=proxy --transaction=encrypted --protocol=extended --port=6432 --time=30 --clients=10
+
       # Download previous benchmark result from cache (if exists)
       - name: Download previous benchmark data
         uses: actions/cache@v4
@@ -88,20 +105,18 @@ jobs:
           key: ${{ runner.os }}-benchmark
 
       # Run `github-action-benchmark` action
-      - name: Store benchmark result
+      - name: Store pgbench benchmark result
         uses: benchmark-action/github-action-benchmark@v1
         with:
-          # What benchmark tool the output.txt came from
+          name: 'pgbench'
           tool: 'customBiggerIsBetter'
-          # Where the output from the benchmark tool is stored
           output-file-path: tests/benchmark/results/output.json
-
           github-token: ${{ secrets.GITHUB_TOKEN }}
           fail-on-alert: true
           comment-on-alert: true
           summary-always: true
           auto-push: true
-          benchmark-data-dir-path: docs
+          benchmark-data-dir-path: docs/pgbench
 
       - uses: ./.github/actions/send-slack-notification
         with:

From 5264422b75ec9f1ead6eee6b6f39c50966c92d29 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 16:38:24 +1100
Subject: [PATCH 20/25] fix(ci): move proxy setup into k6:benchmark:continuous
 task

The CI workflow was calling mise tasks like test:wait_for_postgres_to_quack
outside the tests/benchmark directory where they are defined, causing
a panic in the task parser.

Move all setup steps (postgres:setup, benchmark:setup, proxy:up, and
wait_for_postgres_to_quack) into the k6:benchmark:continuous mise task
which runs with working-directory: tests/benchmark.
---
 .github/workflows/benchmark.yml | 15 --------------
 tests/benchmark/mise.toml       | 35 +++++++++++++++++++++++++++++----
 2 files changed, 31 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 6f936811..352dd4a2 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -42,21 +42,6 @@ jobs:
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
 
-      - name: Setup EQL and benchmark schema
-        working-directory: tests/benchmark
-        run: |
-          mise --env tcp run postgres:setup
-          mise run benchmark:setup
-
-      - name: Start proxy
-        run: |
-          mise --env tcp run proxy:up proxy --extra-args "--detach --wait"
-          mise --env tcp run test:wait_for_postgres_to_quack --port 6432 --max-retries 20
-
-      - name: Build k6 with xk6-pgxpool
-        working-directory: tests/benchmark
-        run: mise run k6:build
-
       - name: Run k6 benchmark
         working-directory: tests/benchmark
         env:
diff --git a/tests/benchmark/mise.toml b/tests/benchmark/mise.toml
index 1087a2a1..7acb3cca 100644
--- a/tests/benchmark/mise.toml
+++ b/tests/benchmark/mise.toml
@@ -222,22 +222,49 @@ description = "Run k6 benchmarks for CI (jsonb-ste-vec-insert + jsonb-large-payl
 run = """
 set -e
 
-mise run k6:build
+echo
+echo '###############################################'
+echo '# Preflight'
+echo '###############################################'
+echo
+
+mise run benchmark:clean
+
+# Ensure Postgres instances are running
+mise run test:integration:preflight
 
 echo
 echo '###############################################'
-echo '# k6 CI Benchmark: jsonb-ste-vec-insert via proxy'
+echo '# Setup'
 echo '###############################################'
 echo
 
-mise run k6_run --script=jsonb-ste-vec-insert --target=proxy --vus=10 --duration=60s
+# Ensure EQL is set up before we try and start Proxy
+mise --env tcp run postgres:setup
+
+mise run benchmark:setup
+
+mise --env tcp run proxy:up proxy --extra-args "--detach --wait"
+mise --env tcp run test:wait_for_postgres_to_quack --port 6432 --max-retries 20
 
 echo
 echo '###############################################'
-echo '# k6 CI Benchmark: jsonb-large-payload via proxy'
+echo '# k6 Benchmarks'
 echo '###############################################'
 echo
 
+mise run k6:build
+
+echo
+echo '# jsonb-ste-vec-insert via proxy'
+echo
+
+mise run k6_run --script=jsonb-ste-vec-insert --target=proxy --vus=10 --duration=60s
+
+echo
+echo '# jsonb-large-payload via proxy'
+echo
+
 mise run k6_run --script=jsonb-large-payload --target=proxy --vus=10 --duration=60s
 
 # Merge outputs for benchmark-action (separate files for throughput vs latency)

From d026b9f0322df7f1d387407cc74b2af39537ad89 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 17:16:35 +1100
Subject: [PATCH 21/25] feat(benchmark): add customer-realistic JSONB payload
 generators

Replace encrypted_jsonb column with two new columns sized to match
real customer workloads:
- encrypted_jsonb_extract (~288KB): structured credit report with
  130 tradelines, 45 inquiries, credit scores
- encrypted_jsonb_full (~515KB): raw bureau data with 330 consumer
  records, 750 processing records

Add K6_PAYLOAD_MODE env var to test extract, full, or dual (default)
column inserts. Dual mode replicates the customer scenario that
caused 25s+ timeouts.
---
 .../k6/scripts/jsonb-large-payload.js         |  44 ++-
 tests/benchmark/k6/scripts/lib/data.js        | 273 ++++++++++++++++++
 tests/benchmark/sql/benchmark-schema.sql      |  13 +-
 3 files changed, 318 insertions(+), 12 deletions(-)

diff --git a/tests/benchmark/k6/scripts/jsonb-large-payload.js b/tests/benchmark/k6/scripts/jsonb-large-payload.js
index eabd4856..05aa28af 100644
--- a/tests/benchmark/k6/scripts/jsonb-large-payload.js
+++ b/tests/benchmark/k6/scripts/jsonb-large-payload.js
@@ -1,5 +1,6 @@
-// Large payload (500KB+) INSERT benchmark for memory/performance investigation
-// Uses encrypted_jsonb column (basic jsonb encryption, no ste_vec)
+// Large payload INSERT benchmark for memory/performance investigation
+// Uses encrypted_jsonb_extract (~250KB) and encrypted_jsonb_full (~500KB) columns
+// Replicates customer scenario with realistic credit report structures
 //
 // Uses xk6-sql API:
 //   sql.open(driver, connString)
@@ -8,12 +9,15 @@
 import sql from 'k6/x/sql';
 import driver from 'k6/x/sql/driver/postgres';
 import { getConnectionString, getDefaultOptions } from './lib/config.js';
-import { randomId, generateLargeJsonb } from './lib/data.js';
+import { randomId, generateExtractPayload, generateFullPayload } from './lib/data.js';
 import { createSummaryHandler } from './lib/summary.js';
 
 const target = __ENV.K6_TARGET || 'proxy';
 const connectionString = getConnectionString(target);
 
+// Payload mode: 'extract' (~250KB), 'full' (~500KB), or 'dual' (both columns)
+const payloadMode = __ENV.K6_PAYLOAD_MODE || 'dual';
+
 export const options = getDefaultOptions({
   'iteration_duration': ['p(95)<30000'],  // 30s for large payloads
 });
@@ -22,13 +26,35 @@ const db = sql.open(driver, connectionString);
 
 export default function() {
   const id = randomId();
-  const jsonb = generateLargeJsonb(id);
 
-  db.exec(
-    `INSERT INTO benchmark_encrypted (id, encrypted_jsonb) VALUES ($1, $2)`,
-    id,
-    JSON.stringify(jsonb)
-  );
+  if (payloadMode === 'extract') {
+    // ~250KB payload only
+    const extractPayload = generateExtractPayload(id);
+    db.exec(
+      `INSERT INTO benchmark_encrypted (id, encrypted_jsonb_extract) VALUES ($1, $2)`,
+      id,
+      JSON.stringify(extractPayload)
+    );
+  } else if (payloadMode === 'full') {
+    // ~500KB payload only
+    const fullPayload = generateFullPayload(id);
+    db.exec(
+      `INSERT INTO benchmark_encrypted (id, encrypted_jsonb_full) VALUES ($1, $2)`,
+      id,
+      JSON.stringify(fullPayload)
+    );
+  } else {
+    // Dual mode: insert both columns simultaneously (default)
+    // This replicates the customer scenario that caused 25s+ timeouts
+    const extractPayload = generateExtractPayload(id);
+    const fullPayload = generateFullPayload(id);
+    db.exec(
+      `INSERT INTO benchmark_encrypted (id, encrypted_jsonb_extract, encrypted_jsonb_full) VALUES ($1, $2, $3)`,
+      id,
+      JSON.stringify(extractPayload),
+      JSON.stringify(fullPayload)
+    );
+  }
 }
 
 export function teardown() {
diff --git a/tests/benchmark/k6/scripts/lib/data.js b/tests/benchmark/k6/scripts/lib/data.js
index a911a84d..edfbed55 100644
--- a/tests/benchmark/k6/scripts/lib/data.js
+++ b/tests/benchmark/k6/scripts/lib/data.js
@@ -22,6 +22,279 @@ export function generateStandardJsonb(id) {
   };
 }
 
+// Helper: generate random date string within range
+function randomDate(startYear, endYear) {
+  const year = startYear + Math.floor(Math.random() * (endYear - startYear + 1));
+  const month = String(Math.floor(Math.random() * 12) + 1).padStart(2, '0');
+  const day = String(Math.floor(Math.random() * 28) + 1).padStart(2, '0');
+  return `${year}-${month}-${day}`;
+}
+
+// Helper: generate random alphanumeric string
+function randomAlphanumeric(length) {
+  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+  let result = '';
+  for (let i = 0; i < length; i++) {
+    result += chars.charAt(Math.floor(Math.random() * chars.length));
+  }
+  return result;
+}
+
+// Account type options for tradelines
+const ACCOUNT_TYPES = ['revolving', 'installment', 'mortgage', 'open', 'collection'];
+const PAYMENT_STATUSES = ['current', 'late_30', 'late_60', 'late_90', 'late_120', 'charged_off'];
+const INDUSTRY_CODES = ['bank', 'credit_union', 'finance_company', 'retail', 'utility', 'medical'];
+
+/**
+ * Generate extract payload (~250KB)
+ * Structure based on processed credit report data with:
+ * - 130 tradelines with 15 payment snapshots each
+ * - 45 inquiries with industry data
+ * - Credit scores with score reasons
+ */
+export function generateExtractPayload(id) {
+  // Generate 130 tradelines (tuned for ~250KB)
+  const tradelines = [];
+  for (let i = 0; i < 130; i++) {
+    // 15 payment snapshots per tradeline
+    const paymentHistory = [];
+    for (let m = 0; m < 15; m++) {
+      paymentHistory.push({
+        period: `2023-${String(m + 1).padStart(2, '0')}`,
+        balance: Math.floor(Math.random() * 50000),
+        status: PAYMENT_STATUSES[Math.floor(Math.random() * PAYMENT_STATUSES.length)],
+        scheduledPayment: Math.floor(Math.random() * 2000),
+        actualPayment: Math.floor(Math.random() * 2000),
+        pastDueAmount: Math.floor(Math.random() * 1000),
+      });
+    }
+
+    tradelines.push({
+      tradelineId: `TL-${id}-${i}`,
+      creditorName: `Creditor ${String.fromCharCode(65 + (i % 26))}${Math.floor(i / 26)}`,
+      accountNumber: randomAlphanumeric(16),
+      accountType: ACCOUNT_TYPES[i % ACCOUNT_TYPES.length],
+      accountStatus: i % 10 === 0 ? 'closed' : 'open',
+      openedDate: randomDate(2010, 2022),
+      closedDate: i % 10 === 0 ? randomDate(2022, 2024) : null,
+      creditLimit: 1000 + (i * 500),
+      highestBalance: 500 + Math.floor(Math.random() * 10000),
+      currentBalance: Math.floor(Math.random() * 8000),
+      monthlyPayment: 50 + Math.floor(Math.random() * 500),
+      lastActivityDate: randomDate(2023, 2024),
+      paymentHistory: paymentHistory,
+      termsMonths: [12, 24, 36, 48, 60][i % 5],
+      originalAmount: 1000 + (i * 1000),
+      responsibilityCode: ['individual', 'joint', 'authorized'][i % 3],
+    });
+  }
+
+  // Generate 45 inquiries (tuned for ~250KB)
+  const inquiries = [];
+  for (let i = 0; i < 45; i++) {
+    inquiries.push({
+      inquiryId: `INQ-${id}-${i}`,
+      inquiryDate: randomDate(2022, 2024),
+      creditorName: `Bank ${String.fromCharCode(65 + (i % 26))}`,
+      industryCode: INDUSTRY_CODES[i % INDUSTRY_CODES.length],
+      inquiryType: i % 3 === 0 ? 'hard' : 'soft',
+      purposeCode: ['credit_card', 'auto_loan', 'mortgage', 'personal_loan'][i % 4],
+    });
+  }
+
+  // Generate score reasons
+  const scoreReasons = [
+    { code: 'R01', description: 'Length of credit history' },
+    { code: 'R02', description: 'Number of accounts with balances' },
+    { code: 'R03', description: 'Proportion of balances to credit limits' },
+    { code: 'R04', description: 'Recent account activity' },
+    { code: 'R05', description: 'Number of recent inquiries' },
+  ];
+
+  return {
+    reportId: `RPT-${id}`,
+    generatedAt: new Date().toISOString(),
+    consumer: {
+      consumerId: `CON-${id}`,
+      firstName: `FirstName${id % 1000}`,
+      lastName: `LastName${id % 1000}`,
+      dateOfBirth: randomDate(1950, 2000),
+      ssnMasked: `XXX-XX-${String(id % 10000).padStart(4, '0')}`,
+    },
+    scores: [
+      {
+        scoreType: 'primary',
+        scoreValue: 300 + Math.floor(Math.random() * 550),
+        scoreDate: randomDate(2024, 2024),
+        scoreReasons: scoreReasons.slice(0, 4),
+      },
+      {
+        scoreType: 'industry',
+        scoreValue: 300 + Math.floor(Math.random() * 550),
+        scoreDate: randomDate(2024, 2024),
+        scoreReasons: scoreReasons.slice(1, 5),
+      },
+    ],
+    tradelines: tradelines,
+    inquiries: inquiries,
+    publicRecords: [],
+    collections: [],
+    summary: {
+      totalAccounts: tradelines.length,
+      openAccounts: tradelines.filter(t => t.accountStatus === 'open').length,
+      closedAccounts: tradelines.filter(t => t.accountStatus === 'closed').length,
+      totalBalance: tradelines.reduce((sum, t) => sum + t.currentBalance, 0),
+      totalCreditLimit: tradelines.reduce((sum, t) => sum + t.creditLimit, 0),
+      hardInquiries: inquiries.filter(i => i.inquiryType === 'hard').length,
+      softInquiries: inquiries.filter(i => i.inquiryType === 'soft').length,
+    },
+  };
+}
+
+/**
+ * Generate full payload (~500KB)
+ * Structure based on raw credit bureau data with:
+ * - 330 consumer records (addresses, employers, phone numbers)
+ * - 750 processing records with metadata
+ */
+export function generateFullPayload(id) {
+  // Generate 110 address records (tuned for ~500KB)
+  const addresses = [];
+  for (let i = 0; i < 110; i++) {
+    addresses.push({
+      addressId: `ADDR-${id}-${i}`,
+      addressLine1: `${100 + i} Street ${String.fromCharCode(65 + (i % 26))}`,
+      addressLine2: i % 5 === 0 ? `Apt ${i}` : null,
+      city: `City${i % 50}`,
+      state: ['CA', 'TX', 'NY', 'FL', 'IL', 'PA', 'OH', 'GA', 'NC', 'MI'][i % 10],
+      zipCode: `${10000 + (i * 100)}`,
+      addressType: ['current', 'previous', 'mailing'][i % 3],
+      reportedDate: randomDate(2015, 2024),
+      verifiedDate: i % 2 === 0 ? randomDate(2023, 2024) : null,
+      sourceCode: `SRC${i % 10}`,
+      residencyMonths: Math.floor(Math.random() * 120),
+    });
+  }
+
+  // Generate 110 employer records (tuned for ~500KB)
+  const employers = [];
+  for (let i = 0; i < 110; i++) {
+    employers.push({
+      employerId: `EMP-${id}-${i}`,
+      employerName: `Company ${String.fromCharCode(65 + (i % 26))}${Math.floor(i / 26)} Inc`,
+      occupation: ['engineer', 'manager', 'analyst', 'director', 'specialist'][i % 5],
+      industry: ['technology', 'finance', 'healthcare', 'retail', 'manufacturing'][i % 5],
+      employmentStatus: ['employed', 'self_employed', 'unemployed', 'retired'][i % 4],
+      startDate: randomDate(2010, 2022),
+      endDate: i % 4 === 2 ? randomDate(2022, 2024) : null,
+      income: 30000 + Math.floor(Math.random() * 170000),
+      incomeFrequency: ['annual', 'monthly', 'weekly'][i % 3],
+      verifiedDate: i % 3 === 0 ? randomDate(2023, 2024) : null,
+      sourceCode: `SRC${i % 10}`,
+    });
+  }
+
+  // Generate 110 phone number records (tuned for ~500KB)
+  const phoneNumbers = [];
+  for (let i = 0; i < 110; i++) {
+    phoneNumbers.push({
+      phoneId: `PHN-${id}-${i}`,
+      phoneNumber: `${200 + (i % 800)}-${100 + (i % 900)}-${1000 + (i % 9000)}`,
+      phoneType: ['mobile', 'home', 'work'][i % 3],
+      isPrimary: i === 0,
+      reportedDate: randomDate(2018, 2024),
+      verifiedDate: i % 2 === 0 ? randomDate(2023, 2024) : null,
+      sourceCode: `SRC${i % 10}`,
+    });
+  }
+
+  // Generate 750 processing records (tuned for ~500KB)
+  const processingRecords = [];
+  for (let i = 0; i < 750; i++) {
+    processingRecords.push({
+      recordId: `PROC-${id}-${i}`,
+      recordType: ['tradeline', 'inquiry', 'public_record', 'collection', 'consumer_statement'][i % 5],
+      sourceId: `SOURCE-${i % 20}`,
+      sourceType: ['bureau', 'creditor', 'public', 'consumer'][i % 4],
+      receivedAt: randomDate(2020, 2024) + 'T' + String(Math.floor(Math.random() * 24)).padStart(2, '0') + ':' +
+                  String(Math.floor(Math.random() * 60)).padStart(2, '0') + ':' +
+                  String(Math.floor(Math.random() * 60)).padStart(2, '0') + 'Z',
+      processedAt: randomDate(2020, 2024) + 'T' + String(Math.floor(Math.random() * 24)).padStart(2, '0') + ':' +
+                   String(Math.floor(Math.random() * 60)).padStart(2, '0') + ':' +
+                   String(Math.floor(Math.random() * 60)).padStart(2, '0') + 'Z',
+      status: ['processed', 'pending', 'error', 'archived'][i % 4],
+      validationScore: Math.floor(Math.random() * 100),
+      matchConfidence: Math.random(),
+      metadata: {
+        version: `v${1 + (i % 5)}.${i % 10}.0`,
+        checksum: randomAlphanumeric(32),
+        encoding: 'UTF-8',
+        compressionType: i % 3 === 0 ? 'gzip' : 'none',
+        sizeBytes: 100 + Math.floor(Math.random() * 10000),
+        processingTimeMs: Math.floor(Math.random() * 1000),
+        retryCount: i % 10 === 0 ? Math.floor(Math.random() * 3) : 0,
+        priority: ['low', 'medium', 'high', 'critical'][i % 4],
+        tags: [`tag${i % 10}`, `category${i % 5}`],
+      },
+      rawData: {
+        originalFormat: ['xml', 'json', 'csv', 'fixed_width'][i % 4],
+        fieldCount: 10 + (i % 50),
+        nullFields: i % 10,
+        warningCount: i % 5,
+        transformations: [`transform_${i % 8}`],
+      },
+    });
+  }
+
+  // Generate dispute records
+  const disputes = [];
+  for (let i = 0; i < 20; i++) {
+    disputes.push({
+      disputeId: `DISP-${id}-${i}`,
+      disputeType: ['accuracy', 'identity', 'fraud', 'duplicate'][i % 4],
+      disputeStatus: ['open', 'investigating', 'resolved', 'rejected'][i % 4],
+      filedDate: randomDate(2022, 2024),
+      resolvedDate: i % 4 === 2 || i % 4 === 3 ? randomDate(2023, 2024) : null,
+      relatedRecordId: `PROC-${id}-${i * 10}`,
+      description: `Dispute regarding record ${i}`,
+      resolution: i % 4 === 2 ? 'corrected' : i % 4 === 3 ? 'verified_accurate' : null,
+    });
+  }
+
+  return {
+    rawReportId: `RAW-${id}`,
+    bureauCode: ['experian', 'equifax', 'transunion'][id % 3],
+    pullDate: new Date().toISOString(),
+    consumer: {
+      consumerId: `CON-${id}`,
+      firstName: `FirstName${id % 1000}`,
+      middleName: id % 3 === 0 ? `MiddleName${id % 100}` : null,
+      lastName: `LastName${id % 1000}`,
+      suffix: id % 20 === 0 ? ['Jr', 'Sr', 'III'][id % 3] : null,
+      dateOfBirth: randomDate(1950, 2000),
+      ssnFull: `${String(100 + (id % 900)).padStart(3, '0')}-${String(10 + (id % 90)).padStart(2, '0')}-${String(id % 10000).padStart(4, '0')}`,
+      addresses: addresses,
+      employers: employers,
+      phoneNumbers: phoneNumbers,
+    },
+    processingRecords: processingRecords,
+    disputes: disputes,
+    metadata: {
+      version: '2.0.0',
+      schemaVersion: '1.5.0',
+      generatedBy: 'benchmark-generator',
+      processingNode: `node-${id % 10}`,
+      totalRecords: processingRecords.length,
+      totalConsumerRecords: addresses.length + employers.length + phoneNumbers.length,
+      checksums: {
+        consumer: randomAlphanumeric(64),
+        processing: randomAlphanumeric(64),
+        disputes: randomAlphanumeric(64),
+      },
+    },
+  };
+}
+
 export function generateLargeJsonb(id) {
   // Credit report structure: 50 tradelines x 24 months = ~500KB
   const tradelines = [];
diff --git a/tests/benchmark/sql/benchmark-schema.sql b/tests/benchmark/sql/benchmark-schema.sql
index e490f087..88a9972c 100644
--- a/tests/benchmark/sql/benchmark-schema.sql
+++ b/tests/benchmark/sql/benchmark-schema.sql
@@ -12,8 +12,9 @@ CREATE TABLE benchmark_encrypted (
     id serial primary key,
     username text,
     email eql_v2_encrypted,
-    encrypted_jsonb eql_v2_encrypted,
-    encrypted_jsonb_with_ste_vec eql_v2_encrypted
+    encrypted_jsonb_extract eql_v2_encrypted,      -- ~250KB: structured report data
+    encrypted_jsonb_full eql_v2_encrypted,         -- ~500KB: raw report data
+    encrypted_jsonb_with_ste_vec eql_v2_encrypted  -- STE-VEC benchmarks
 );
 
 SELECT eql_v2.add_column(
@@ -23,7 +24,13 @@ SELECT eql_v2.add_column(
 
 SELECT eql_v2.add_column(
   'benchmark_encrypted',
-  'encrypted_jsonb',
+  'encrypted_jsonb_extract',
+  'jsonb'
+);
+
+SELECT eql_v2.add_column(
+  'benchmark_encrypted',
+  'encrypted_jsonb_full',
   'jsonb'
 );
 

From edce9aa5b452a0d285dd0eb73846203964c81723 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 17:17:14 +1100
Subject: [PATCH 22/25] fix(benchmark): resolve Docker file permission issues
 in CI

- Pre-create results/k6 directory before Docker runs
- Run k6 container with --user flag to preserve file ownership
- Ensure results directory exists before jq merge commands

Fixes "Permission denied" error when writing k6-throughput.json
---
 tests/benchmark/mise.toml       | 2 ++
 tests/benchmark/tasks/k6_run.sh | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/tests/benchmark/mise.toml b/tests/benchmark/mise.toml
index 7acb3cca..8ddbf220 100644
--- a/tests/benchmark/mise.toml
+++ b/tests/benchmark/mise.toml
@@ -268,6 +268,8 @@ echo
 mise run k6_run --script=jsonb-large-payload --target=proxy --vus=10 --duration=60s
 
 # Merge outputs for benchmark-action (separate files for throughput vs latency)
+# Ensure results directory is writable (may have been created by Docker)
+mkdir -p results
 jq -s 'add' results/k6/*-throughput.json > results/k6-throughput.json
 jq -s 'add' results/k6/*-latency.json > results/k6-latency.json
 """
diff --git a/tests/benchmark/tasks/k6_run.sh b/tests/benchmark/tasks/k6_run.sh
index 3c798b08..4ae88854 100755
--- a/tests/benchmark/tasks/k6_run.sh
+++ b/tests/benchmark/tasks/k6_run.sh
@@ -23,7 +23,11 @@ fi
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 
+# Pre-create results directory to avoid Docker creating it as root
+mkdir -p "$SCRIPT_DIR/results/k6"
+
 docker run --rm $NETWORK_FLAG \
+  --user "$(id -u):$(id -g)" \
   -v "$SCRIPT_DIR/k6/scripts:/scripts" \
   -v "$SCRIPT_DIR/results/k6:/scripts/results/k6" \
   -e K6_TARGET=${usage_target} \

From 405a10d76764d27e3bee5d399e250312cfa96215 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 17:19:38 +1100
Subject: [PATCH 23/25] fix(benchmark): use correct script names in
 k6:benchmark task

Replace references to non-existent scripts (jsonb-insert, jsonb-containment)
with actual script names (jsonb-ste-vec-insert, jsonb-large-payload).
---
 tests/benchmark/mise.toml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/tests/benchmark/mise.toml b/tests/benchmark/mise.toml
index 8ddbf220..9180f99f 100644
--- a/tests/benchmark/mise.toml
+++ b/tests/benchmark/mise.toml
@@ -201,17 +201,17 @@ mise run k6:build
 # Ensure benchmark schema exists (creates benchmark_encrypted table for text-equality)
 mise run benchmark:setup
 
-# JSONB INSERT (primary)
-echo "Running jsonb-insert..."
-mise run k6_run --script=jsonb-insert --target=proxy --duration=30s
+# JSONB STE-VEC INSERT (primary)
+echo "Running jsonb-ste-vec-insert..."
+mise run k6_run --script=jsonb-ste-vec-insert --target=proxy --duration=30s
 
 # Text equality (baseline)
 echo "Running text-equality..."
 mise run k6_run --script=text-equality --target=proxy --duration=30s
 
-# JSONB containment
-echo "Running jsonb-containment..."
-mise run k6_run --script=jsonb-containment --target=proxy --duration=30s
+# JSONB large payload
+echo "Running jsonb-large-payload..."
+mise run k6_run --script=jsonb-large-payload --target=proxy --duration=30s
 
 echo
 echo "Results written to results/k6/"

From e688c7e9cf2f71583b40aab9496802dc2f53f87d Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 17:28:21 +1100
Subject: [PATCH 24/25] fix(benchmark): run only jsonb-large-payload in CI

Remove jsonb-ste-vec-insert from k6:benchmark:continuous task.
Simplify output handling to copy single benchmark results.
---
 tests/benchmark/mise.toml | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/tests/benchmark/mise.toml b/tests/benchmark/mise.toml
index 9180f99f..c0bcc66e 100644
--- a/tests/benchmark/mise.toml
+++ b/tests/benchmark/mise.toml
@@ -218,7 +218,7 @@ echo "Results written to results/k6/"
 """
 
 [tasks."k6:benchmark:continuous"]
-description = "Run k6 benchmarks for CI (jsonb-ste-vec-insert + jsonb-large-payload)"
+description = "Run k6 benchmarks for CI (jsonb-large-payload)"
 run = """
 set -e
 
@@ -255,21 +255,14 @@ echo
 
 mise run k6:build
 
-echo
-echo '# jsonb-ste-vec-insert via proxy'
-echo
-
-mise run k6_run --script=jsonb-ste-vec-insert --target=proxy --vus=10 --duration=60s
-
 echo
 echo '# jsonb-large-payload via proxy'
 echo
 
 mise run k6_run --script=jsonb-large-payload --target=proxy --vus=10 --duration=60s
 
-# Merge outputs for benchmark-action (separate files for throughput vs latency)
-# Ensure results directory is writable (may have been created by Docker)
+# Copy outputs for benchmark-action (separate files for throughput vs latency)
 mkdir -p results
-jq -s 'add' results/k6/*-throughput.json > results/k6-throughput.json
-jq -s 'add' results/k6/*-latency.json > results/k6-latency.json
+cp results/k6/jsonb-large-payload-throughput.json results/k6-throughput.json
+cp results/k6/jsonb-large-payload-latency.json results/k6-latency.json
 """

From 04e9acffdb5dd3ea1f8bb54be7696c12313f6620 Mon Sep 17 00:00:00 2001
From: Toby Hede <toby@cipherstash.com>
Date: Wed, 21 Jan 2026 17:28:58 +1100
Subject: [PATCH 25/25] fix(ci): add pull-requests write permission for
 benchmark alerts

The benchmark-action needs pull-requests:write to comment on PRs
when performance regressions are detected.
---
 .github/workflows/benchmark.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 352dd4a2..6c08a161 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -16,6 +16,8 @@ permissions:
   deployments: write
   # contents permission to update benchmark contents in gh-pages branch
   contents: write
+  # pull-requests permission to comment on PRs with benchmark alerts
+  pull-requests: write
 
 jobs:
   benchmark: