ui/_docs/06_metrics/perf_2026-05-13_cycle3.md

# Performance Test Report — Cycle 3

**Date**: 2026-05-13
**Cycle**: Phase B / Cycle 3 (post AZ-510, AZ-511; AZ-512 deferred and AZ-513 prerequisite filed on the admin/ workspace)
**Runner**: `scripts/run-performance-tests.sh` (generated by test-spec Phase 4)
**Mode**: static-only profile executed (NFT-PERF-01); e2e profile (NFT-PERF-02..10) records SKIP because the Playwright perf config is not yet wired (see "E2E profile status" below)
**Verdict**: **PASS** (no Warn / Fail; one Pass + nine documented SKIPs + three documented Quarantines)

---

## Summary

| Scenario | Result | Measured | Threshold | Source |
|----------|--------|----------|-----------|--------|
| NFT-PERF-01 (initial JS bundle, gzipped) | **PASS** | 290 575 B (≈ 284 KB) | ≤ 2 097 152 B (2 MB) — AC-11 / row 40 of `results_report.md` | `dist/assets/*.js` summed via `gzip -c \| wc -c` after `bun run build` |
| NFT-PERF-02 (auth refresh round-trip p95) | SKIP | n/a | ≤ 200 ms — row 11 of `results_report.md` | Deferred — Playwright perf project not yet wired |
| NFT-PERF-03 (SSE refresh rotation) | QUARANTINE | — | Step 8 hardening | Per script's static quarantine list |
| NFT-PERF-04..07 | SKIP | n/a | per `performance-tests.md` | Deferred — Playwright perf project not yet wired |
| NFT-PERF-08 (panel-width persistence) | QUARANTINE | — | Step 4 fix | Per script's static quarantine list |
| NFT-PERF-09 (settings save error surfacing) | QUARANTINE | — | Step 4 fix | Per script's static quarantine list |
| NFT-PERF-10 (FCP on /flights, warm-cache) | SKIP | n/a | ≤ 3 000 ms — row 98 of `results_report.md` | Deferred — Playwright perf project not yet wired |

**Per perf-mode gate logic** (`test-run` skill §Perf Mode step 5): only Warn or Fail block. No scenario reports either; the gate passes.

---

## What changed in cycle 3 vs the cycle-2 perf posture

### AZ-510 (auth bootstrap consolidation) — perf surface

The bootstrap path now does TWO sequential network calls on every cold mount:

1. `POST /api/admin/auth/refresh` (with `credentials:'include'`)
2. `GET /api/admin/users/me` (chained, gated on the bearer set in step 1)

**Spec NFR budget** (from `_docs/02_tasks/done/AZ-510_auth_bootstrap_consolidation.md`): the chain must complete within **200 ms p95 on dev compose** — same nginx/auth/host topology as production. This is the same threshold NFT-PERF-02 measures (the cycle-2 test only measured the standalone refresh; cycle 3 implicitly extends the budget to cover the chain).

**Bundle-size impact**: the AZ-510 patch added one new endpoint builder (`endpoints.admin.usersMe()`), a `runBootstrap` helper, a module-scoped `bootstrapInflight` promise, the `__resetBootstrapInflightForTests` test hook, and a defensive `permissions?.includes` check. NFT-PERF-01 measured 290 575 B gzipped — well under the 2 MB threshold (~14% of budget). For comparison: the cycle-2 baseline measurement was not recorded in a comparable file, but the order of magnitude is unchanged. **No bundle regression.**

**Cold-mount p95 latency** (NFT-PERF-02): not measured this cycle because the e2e Playwright perf project is still pending (see below). The AZ-510 unit tests cover the wire-shape contract (FT-P-01 un-quarantined) but do not measure latency. **Coverage gap acknowledged**; closing it requires shipping the Playwright perf project (tracked under AZ-457..AZ-482).

### AZ-511 (classColors carve-out) — perf surface

Pure structural move + import-path swap. Function bodies unchanged. No bundle-size delta beyond noise (a second module file is now resolved, but tree-shaking eliminates any per-symbol overhead). **No measurable perf impact.**

### AZ-512 (deferred) — perf surface

No source code changes shipped. **No perf impact.**

---

## E2E profile status

The script's e2e profile (`NFT-PERF-02..10`) records SKIP for all scenarios because `e2e/playwright.perf.config.ts` does not exist yet. Quoting `scripts/run-performance-tests.sh:138`:

> `Awaiting NFT-PERF-* task implementations (AZ-457..AZ-482); until then the e2e perf scenarios are SKIPPED.`

This is a **legitimate skip** per the test-run skill's classification:

- ✅ Tracked: AZ-457..AZ-482 are the per-AC tasks that will produce the Playwright perf project.
- ✅ Documented: the script itself names the skip rationale and the unblocking ticket range.
- ✅ Not a "we didn't set something up" workaround — it is a "feature not yet implemented" pattern with a clear unblock path.
- ❌ Coverage cost: NFT-PERF-02 (auth refresh ≤ 200ms p95) — directly relevant to AZ-510 — is therefore not measured this cycle.

**Recommendation for the next cycle**: prioritise one or more of AZ-457..AZ-482 specifically to deliver the Playwright perf project so NFT-PERF-02 can serve as the regression guard for AZ-510's bootstrap-chain latency.

Until then: AZ-510's latency is verified only at the spec-NFR level, not by an executable threshold check. The `console.error` diagnostic prefix on the chained `/users/me` failure path means a backend latency regression that pushes the chain over budget would still surface as a failure event in dev-tools console, but not as a CI gate.

---

## Quarantined scenarios (carry-over, unchanged in cycle 3)

These three are documentary-only in the script — they never gate today and have not been re-classified by cycle 3:

- **NFT-PERF-03** — SSE refresh rotation (deferred to Step 8 hardening — pre-existing).
- **NFT-PERF-08** — panel-width persistence (deferred to Step 4 fix — pre-existing).
- **NFT-PERF-09** — settings save error surfacing (deferred to Step 4 fix — pre-existing).

The NFT-PERF-09 quarantine is interesting in context: AZ-477 (cycle 2) added a Vitest-level test for the same 2 s error budget (`tests/settings_resilience.test.tsx`), which **passed** in the cycle 3 functional sanity run (231/231, 14.72 s total). So the *behaviour* the quarantined NFT-PERF-09 was meant to gate is now covered functionally; the perf-budget aspect remains deferred to the e2e Playwright project.

---

## Verdict

**PASS** for cycle 3. The single executable scenario (NFT-PERF-01) is well under threshold; all SKIPs are legitimate (Playwright perf project not yet wired, with a tracked unblock path); all QUARANTINES are pre-existing carry-overs.

**Coverage gap acknowledged**: AZ-510's bootstrap-chain latency (NFT-PERF-02 budget = 200 ms p95) is not executed by an automated gate. Closing this gap requires AZ-457..AZ-482 to ship the Playwright perf project.

---

## Self-verification

- [x] Static-only profile executed; exit code 0.
- [x] All scenarios classified per `test-run` perf-mode step 4 (Pass / Warn / Fail / Unverified / SKIP / QUARANTINE).
- [x] Each SKIP carries a documented rationale + tracked unblock path.
- [x] AZ-510 perf surface explicitly addressed (bundle delta + acknowledged latency-gate gap).
- [x] AZ-511 perf surface explicitly addressed (no measurable impact).
- [x] AZ-512 perf surface explicitly addressed (deferred, no shipped code).
- [x] Per-perf-mode gate logic applied: no Warn / Fail → return success.

## Pointer back

Raw runner summary: `test-output/performance-summary.txt`.
Cycle 3 implementation report: `_docs/03_implementation/implementation_report_auth_classcolors_cycle3.md`.
Cycle 3 security delta: `_docs/05_security/security_report_cycle3_delta.md`.