Skip to content

Performance: pooled HTTP client + JWT verify cache + benchmarks#36

Merged
Jacobobber merged 1 commit into
mainfrom
feat/performance
Jul 8, 2026
Merged

Performance: pooled HTTP client + JWT verify cache + benchmarks#36
Jacobobber merged 1 commit into
mainfrom
feat/performance

Conversation

@Jacobobber

Copy link
Copy Markdown
Owner

Makes "competitive performance" a measured claim, from researching how the popular harnesses stay fast and applying it to hallpass's hot paths. Two changes, both benchmarked.

  • Pooled HTTP clientHttpxClient holds one httpx.Client and reuses it across calls (keep-alive connection pooling) instead of opening a fresh connection per request. Repeated calls to a service skip the TCP + TLS handshake. Adds close() and an optional http2= flag.
  • JWT verify cacheTokenVerifier caches a verified Principal keyed by the token until its exp, skipping the RSA signature check on a repeated bearer. Safe: a token verifies identically until it expires and JWT verification consults no revocation list, so the cache is not observable. Bounded; cache_size=0 disables it.

Measured with the new evals/benchmark.py:

operation ops/sec
token verify, cached ~3,500,000
token verify, uncached (RSA) ~22,000
call-time gating ~4,700,000
FLEX encode / parse ~630,000 / ~285,000
HTTP pooled vs unpooled (loopback) ~5x

A repeated token is ~160x cheaper than a cold RSA verify; pooling is ~5x on loopback and more over real TLS. Async/uvloop was deliberately skipped and documented as a non-goal (a 2.0 rewrite for a synchronous core, not a quick win).

6 new tests: verify-cache skips re-verification (proved with a call-counting JWKS), cache_size=0 disables it, a different token still verifies, the client pools one connection and resets on close(), and a benchmark sanity run. Two pre-existing HttpxClient body-handling tests updated for the pooled path. 273 tests, mypy --strict, ruff (whole repo), catalog-freshness green. Backward compatible; v1.3.0.

Informed by researching how the popular harnesses stay fast, applied to the
hot paths and measured, not claimed.

- HttpxClient holds one httpx.Client and reuses it (keep-alive pooling) instead
  of a fresh connection per request; repeated calls to a service skip the TLS
  handshake. ~5x on loopback, more over real TLS. Adds close() + http2 flag.
- TokenVerifier caches a verified Principal by token until its exp, skipping the
  RSA check on a repeated bearer (~160x on the hot path). Safe: a token verifies
  identically until expiry and no revocation list is consulted. cache_size=0
  disables it.
- evals/benchmark.py: throughput micro-benches (verify cached/uncached, gating,
  FLEX, vault) + loopback pooled-vs-unpooled HTTP. README Performance section
  with the numbers.

Async/uvloop deliberately skipped: a 2.0 rewrite for a sync core, not a quick
win; documented as a non-goal.

273 tests (+6), mypy --strict, ruff (whole repo), catalog freshness all green.
v1.3.0.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Jacobobber Jacobobber merged commit 4c7f1e1 into main Jul 8, 2026
12 checks passed
@Jacobobber Jacobobber deleted the feat/performance branch July 8, 2026 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant