This document collects reproducibility guidance, benchmark interpretation, and security evaluation pointers for Ignite.
Use this document when:
- evaluating runtime overhead
- comparing audit and non-audit execution paths
- documenting security assumptions for internal reviews
Current benchmark script: `bun run scripts/benchmark.ts`
Primary outputs:
- benchmarks/results.md
- benchmarks/results.json
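The exact schema of benchmarks/results.json is not specified here; as an assumption, each category might carry raw per-iteration timings that can be summarized like this sketch (shape and names are illustrative, not the real schema):

```typescript
// Illustrative shape for one entry in benchmarks/results.json; the real schema may differ.
interface CategoryResult {
  category: string;    // e.g. "warm-start", "audit-overhead"
  samplesMs: number[]; // raw iteration timings in milliseconds
}

// Summarize one category's samples as min / mean / max.
function summarize(result: CategoryResult): { min: number; mean: number; max: number } {
  const s = result.samplesMs;
  const mean = s.reduce((a, b) => a + b, 0) / s.length;
  return { min: Math.min(...s), mean, max: Math.max(...s) };
}

// Example usage with inline sample data (not real benchmark output):
const sample: CategoryResult = { category: "warm-start", samplesMs: [120, 110, 130] };
const stats = summarize(sample); // mean 120, min 110, max 130
```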
Benchmark categories:
- cold start
- warm start
- docker overhead vs native
- audit mode overhead
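The docker-vs-native and audit categories are both relative deltas against a baseline; the arithmetic can be sketched as follows (the helper name is mine, not from scripts/benchmark.ts):

```typescript
// Relative overhead of a measured path against its baseline, in percent.
// Can come out slightly negative purely from run-to-run variance.
function overheadPct(baselineMs: number, measuredMs: number): number {
  if (baselineMs <= 0) throw new Error("baseline must be positive");
  return ((measuredMs - baselineMs) / baselineMs) * 100;
}

// e.g. native warm start 200 ms vs docker warm start 250 ms → 25% overhead
const dockerOverhead = overheadPct(200, 250); // 25
```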
Before collecting numbers:
- pin Bun and Docker versions
- record CPU model, core count, and memory
- minimize background load
- run multiple iterations with warmup passes
- keep the service fixture stable between runs
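The checklist above can be partly captured programmatically; a minimal sketch using Node's `os` module (Bun and Docker versions come from `bun --version` / `docker --version` and are not captured here; field names are mine):

```typescript
import * as os from "node:os";

// Record the host facts the pre-run checklist asks for:
// CPU model, core count, and memory, plus the platform for context.
function captureEnvironment() {
  return {
    cpuModel: os.cpus()[0]?.model ?? "unknown",
    coreCount: os.cpus().length,
    totalMemBytes: os.totalmem(),
    platform: os.platform(),
  };
}

// Persist this alongside benchmarks/results.json so runs are comparable.
const env = captureEnvironment();
```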
When interpreting results:
- warm and cold start numbers include Docker behavior, not only Ignite overhead
- the Docker overhead baseline should be measured independently
- small negative deltas in audit overhead can occur from run-to-run variance
- compare medians or percentile bands in addition to the mean
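Comparing medians and percentile bands can be sketched as below (nearest-rank percentile; helper names are mine):

```typescript
// Median: average of the two middle values for even-length input.
function median(samples: number[]): number {
  const s = [...samples].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 === 0 ? (s[mid - 1] + s[mid]) / 2 : s[mid];
}

// Nearest-rank percentile: smallest value with at least p% of samples at or below it.
function percentile(samples: number[], p: number): number {
  const s = [...samples].sort((a, b) => a - b);
  const rank = Math.max(1, Math.ceil((p / 100) * s.length));
  return s[rank - 1];
}

// Reporting median alongside p95 surfaces tail behavior the mean hides.
const timingsMs = [110, 120, 115, 300, 112];
const band = { p50: median(timingsMs), p95: percentile(timingsMs, 95) };
```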
For threat analysis and review reports, include:
- trust boundary definition (host, Docker, service code)
- network and filesystem restrictions under audit mode
- policy coverage limits (what is not enforced)
- API exposure controls (auth, rate limits, host binding)
- runtime and dependency surface area
Recommended validation activities:
- baseline preflight and execution on sample workloads
- stress tests of memory/time limits and failure modes
- adversarial tests (network/file/process attempts) in audit mode
- HTTP endpoint abuse tests (auth, rate limiting)
- repeatability validation across machines and runners
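Repeatability across machines can be checked numerically, for example with the coefficient of variation of a metric across runners (the helper and threshold below are illustrative, not part of Ignite):

```typescript
// Coefficient of variation: population standard deviation divided by the mean.
// Values near 0 indicate the metric reproduces well across machines.
function coefficientOfVariation(samples: number[]): number {
  const mean = samples.reduce((a, b) => a + b, 0) / samples.length;
  if (mean === 0) throw new Error("mean must be nonzero");
  const variance =
    samples.reduce((acc, x) => acc + (x - mean) ** 2, 0) / samples.length;
  return Math.sqrt(variance) / mean;
}

// e.g. flag a benchmark as non-repeatable if CV exceeds an agreed threshold
const repeatable = coefficientOfVariation([102, 98, 100]) < 0.05;
```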
When producing a report for stakeholders, include:
- commit SHA
- raw benchmark JSON
- environment details
- test command outputs
- known limitations and caveats
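The report contents above can be bundled into a single JSON artifact; a minimal sketch (field names are mine; the commit SHA would typically come from `git rev-parse HEAD` and is passed in here):

```typescript
// One self-contained artifact holding everything the stakeholder list requires.
interface StakeholderReport {
  commitSha: string;
  environment: Record<string, unknown>;
  benchmarkResults: unknown;   // raw contents of benchmarks/results.json
  testCommandOutputs: string[];
  knownLimitations: string[];
}

function buildReport(
  commitSha: string,
  environment: Record<string, unknown>,
  benchmarkResults: unknown,
  testCommandOutputs: string[],
  knownLimitations: string[],
): string {
  const report: StakeholderReport = {
    commitSha,
    environment,
    benchmarkResults,
    testCommandOutputs,
    knownLimitations,
  };
  return JSON.stringify(report, null, 2);
}
```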