tenseleyflow/shithub / bd63968

+# Load tests

+

+k6 scenarios used in the S39 hardening sprint. Each script is a

+single load shape; combine them by running concurrently from a

+load-generator host (the staging instance must NOT receive load

+from the production droplet).

+

+## Scenarios

+

+| Script                              | Shape                                                                 |

+|-------------------------------------|-----------------------------------------------------------------------|

+| `scenarios/mixed-read.js`           | 100 RPS anonymous browsing of public repos for 10 min                |

+| `scenarios/auth-mix.js`             | 50 RPS authenticated API + browsing for 10 min                       |

+| `scenarios/issue-comment-storm.js`  | 100 comments/sec across 50 issues for 5 min                          |

+| `scenarios/search-load.js`          | 30 RPS to search endpoints for 10 min                                |

+

+Two scenarios from the S39 spec are not yet shipped here:

+

+- **Push storm** — needs a Git client harness, not k6's HTTP runner.

+  Track in a follow-up.

+- **SSH connection burst** — needs a real SSH client; the SSH

+  transport itself isn't shipped (see

+  `docs/public/user/ssh.md`). When SSH lands, add an SSH-specific

+  scenario.

+

+## Running locally against the dev server

+

+```sh

+make dev-db dev-storage dev-migrate dev

+# in another terminal:

+make load-test BENCH_TARGET=http://127.0.0.1:8080

+```

+

+`make load-test` runs the mixed-read scenario by default; tune

+with `K6_SCENARIO=auth-mix make load-test` etc.

+

+## Running against staging

+

+```sh

+export BASE=https://staging.shithub.example

+export TOKEN=shp_<a-pat-on-a-test-account>

+export REPO=loadtest/issue-storm  # for the comment-storm scenario

+export FIRST_ISSUE=1

+

+k6 run -e BASE -e TOKEN tests/load/k6/scenarios/auth-mix.js

+k6 run -e BASE                     tests/load/k6/scenarios/mixed-read.js

+k6 run -e BASE -e TOKEN -e REPO -e FIRST_ISSUE tests/load/k6/scenarios/issue-comment-storm.js

+k6 run -e BASE                     tests/load/k6/scenarios/search-load.js

+```

+

+## Thresholds

+

+`thresholds.json` is shared across scenarios. Default thresholds:

+

+- HTTP failure rate < 1% (excluding rate-limit 429s, which k6

+  doesn't classify as failures).

+- p95 < 3000 ms.

+- p99 < 5000 ms.

+- Per-check pass rate > 99%.

+

+These come from the S39 spec: "p95 < 2x of S36's single-user

+bench numbers under sustained load." Tighten them once

+production has run for a quarter.

+

+## What good looks like

+

+After a clean run, capture the JSON output:

+

+```sh

+k6 run --out json=results.json tests/load/k6/scenarios/mixed-read.js

+```

+

+Summarise per-scenario p50/p95/p99 + total RPS into the capacity

+record (`docs/internal/capacity.md`). The numbers there are

+"S39 baseline at MVP launch"; subsequent hardening sprints diff

+against them to catch regressions.

+// SPDX-License-Identifier: AGPL-3.0-or-later

+//

+// k6 scenario: 50 RPS of authenticated API + browsing.

+// Each VU presents a PAT (Bearer token) on /api/v1 calls and

+// rotates between API reads, dashboard renders, and notification

+// inbox views.

+//

+// Required env:

+//   BASE   — staging URL

+//   TOKEN  — a PAT for a test user with `user:read` + `repo:read`

+//

+// Run:

+//   k6 run -e BASE=https://staging.shithub.example -e TOKEN=shp_... \

+//     tests/load/k6/scenarios/auth-mix.js

+

+import http from "k6/http";

+import { check } from "k6";

+

+const BASE  = __ENV.BASE  || "http://127.0.0.1:8080";

+const TOKEN = __ENV.TOKEN;

+if (!TOKEN) {

+  throw new Error("TOKEN env var required (a valid shp_ PAT)");

+}

+

+export const options = {

+  thresholds: JSON.parse(open("../thresholds.json")),

+  scenarios: {

+    auth_mix: {

+      executor: "constant-arrival-rate",

+      rate: 50,

+      timeUnit: "1s",

+      duration: __ENV.DURATION || "10m",

+      preAllocatedVUs: 25,

+      maxVUs: 100,

+    },

+  },

+};

+

+const apiHeaders = {

+  "Authorization": `Bearer ${TOKEN}`,

+  "Accept":        "application/json",

+};

+

+const ACTIONS = [

+  () => http.get(`${BASE}/api/v1/user`,         { headers: apiHeaders, tags: { kind: "api-user" } }),

+  () => http.get(`${BASE}/api/v1/user/starred`, { headers: apiHeaders, tags: { kind: "api-stars" } }),

+  () => http.get(`${BASE}/`,                    { tags: { kind: "ui-home" } }),

+  () => http.get(`${BASE}/notifications`,       { tags: { kind: "ui-notifications" } }),

+];

+

+export default function () {

+  const action = ACTIONS[Math.floor(Math.random() * ACTIONS.length)];

+  const res = action();

+  check(res, {

+    "no 5xx": (r) => r.status < 500,

+    "no auth 401": (r) => r.status !== 401,

+  });

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+//

+// k6 scenario: 100 comments/sec across 50 issues. Stresses the

+// notification fan-out path — every comment triggers email + inbox

+// + websocket fan-out via the worker queue.

+//

+// Verifies that:

+//   - Comment POSTs return 200 (or 429 if rate-limited).

+//   - Worker queue stays bounded under sustained load.

+//   - DB connection pool doesn't exhaust.

+//

+// Required env:

+//   BASE       — staging URL

+//   TOKEN      — a PAT for a test user with `repo` write to all 50 issues

+//   REPO       — `owner/name` of the test repo

+//   FIRST_ISSUE — int, the first issue number (script writes to FIRST..FIRST+49)

+//

+// NOTE: this scenario currently uses the issue web form (HTML) since

+// the issues API is not yet shipped (see docs/public/api/issues.md).

+// When the API lands, switch to it.

+

+import http from "k6/http";

+import { check } from "k6";

+

+const BASE        = __ENV.BASE || "http://127.0.0.1:8080";

+const REPO        = __ENV.REPO || "alice/loadtest";

+const FIRST_ISSUE = parseInt(__ENV.FIRST_ISSUE || "1", 10);

+const TOKEN       = __ENV.TOKEN;

+

+export const options = {

+  thresholds: JSON.parse(open("../thresholds.json")),

+  scenarios: {

+    comment_storm: {

+      executor: "constant-arrival-rate",

+      rate: 100,

+      timeUnit: "1s",

+      duration: __ENV.DURATION || "5m",

+      preAllocatedVUs: 50,

+      maxVUs: 200,

+    },

+  },

+};

+

+export default function () {

+  const issueNum = FIRST_ISSUE + Math.floor(Math.random() * 50);

+  const url = `${BASE}/${REPO}/issues/${issueNum}/comments`;

+  const body = {

+    body: `Load-test comment at ${Date.now()} (vu ${__VU} iter ${__ITER})`,

+  };

+  const headers = TOKEN

+    ? { "Authorization": `Bearer ${TOKEN}`, "Content-Type": "application/json" }

+    : { "Content-Type": "application/json" };

+

+  const res = http.post(url, JSON.stringify(body), { headers, tags: { kind: "issue-comment" } });

+  check(res, {

+    "no 5xx":             (r) => r.status < 500,

+    "200 or 429 expected": (r) => r.status === 200 || r.status === 201 || r.status === 429,

+  });

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+//

+// k6 scenario: anonymous browsing of public repos at 100 RPS

+// sustained for 10 minutes. This is the highest-volume traffic

+// shape we expect at MVP launch — the home page, /explore, and

+// repo overview pages dominate the read mix.

+//

+// Run:

+//   k6 run --vus 50 --duration 10m \

+//     -e BASE=https://staging.shithub.example \

+//     tests/load/k6/scenarios/mixed-read.js

+//

+// `vus` is intentionally tunable: 50 VUs at ~50 ms/req averages

+// to ~1000 RPS; the scenario is throttled by think-time so the

+// effective rate lands near 100 RPS unless the staging instance

+// is faster than expected.

+

+import http from "k6/http";

+import { check, sleep } from "k6";

+

+const BASE = __ENV.BASE || "http://127.0.0.1:8080";

+

+export const options = {

+  thresholds: JSON.parse(open("../thresholds.json")),

+  scenarios: {

+    anonymous_browse: {

+      executor: "constant-arrival-rate",

+      rate: 100, // requests per timeUnit

+      timeUnit: "1s",

+      duration: __ENV.DURATION || "10m",

+      preAllocatedVUs: 50,

+      maxVUs: 200,

+    },

+  },

+};

+

+const PATHS = [

+  "/",

+  "/explore",

+  "/explore?sort=stars",

+  "/-/health",

+  // Plug in seeded-fixture repo paths if your staging has them:

+  // "/alice/example-repo",

+  // "/alice/example-repo/tree/main",

+];

+

+export default function () {

+  const path = PATHS[Math.floor(Math.random() * PATHS.length)];

+  const res = http.get(`${BASE}${path}`, { tags: { route: path } });

+  check(res, {

+    "status 2xx or 304": (r) => r.status === 200 || r.status === 304,

+    "no 5xx":            (r) => r.status < 500,

+  });

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+//

+// k6 scenario: 30 RPS to search endpoints with realistic query

+// distribution. Search is one of the more DB-heavy paths; this

+// scenario surfaces N+1 regressions and index-coverage gaps.

+//

+// Run:

+//   k6 run -e BASE=https://staging.shithub.example \

+//     tests/load/k6/scenarios/search-load.js

+

+import http from "k6/http";

+import { check } from "k6";

+

+const BASE = __ENV.BASE || "http://127.0.0.1:8080";

+

+export const options = {

+  thresholds: JSON.parse(open("../thresholds.json")),

+  scenarios: {

+    search: {

+      executor: "constant-arrival-rate",

+      rate: 30,

+      timeUnit: "1s",

+      duration: __ENV.DURATION || "10m",

+      preAllocatedVUs: 20,

+      maxVUs: 80,

+    },

+  },

+};

+

+// Realistic distribution: short common terms dominate, with a long

+// tail of more specific phrases.

+const QUERIES = [

+  "func", "main", "test", "config", "import",

+  "TODO", "FIXME", "context.Context", "http.Handler",

+  "policy.Can", "render.New", "go-chi", "golang",

+  "argon2id", "session_key", "WAL archive",

+];

+const SCOPES = ["", "type:repo", "type:user", "type:issue"];

+

+export default function () {

+  const q = QUERIES[Math.floor(Math.random() * QUERIES.length)];

+  const scope = SCOPES[Math.floor(Math.random() * SCOPES.length)];

+  const path = `/search?q=${encodeURIComponent(q + (scope ? " " + scope : ""))}`;

+  const res = http.get(`${BASE}${path}`, { tags: { kind: "search" } });

+  check(res, {

+    "no 5xx": (r) => r.status < 500,

+  });

+}

+{

+  "_comment": "Shared k6 thresholds. Each scenario imports this so failure modes are consistent across the load-test suite. Numbers come from S36's bench harness baselines doubled, per the S39 spec ('p95 < 2x of S36's single-user bench numbers under sustained load').",

+  "http_req_failed":   ["rate<0.01"],

+  "http_req_duration": ["p(95)<3000", "p(99)<5000"],

+  "http_reqs":         ["count>1000"],

+  "checks":            ["rate>0.99"]

+}