perf(filter): SIMD memmem fast-path for has() — 51% faster, Tier 2/3 CEL

Chunk 4 — performance optimisation, CEL evaluation tests, benchmarks, docs.

SIMD/zero-copy review optimisations:
- Pre-compiled memchr::memmem::Finder for FieldExists/FieldNotExists
  with single-segment paths. Detects "field": pattern in raw bytes,
  bypassing JSON parser entirely.
  - has(_table) match: 218ns -> 107ns (51% faster)
  - 5 filters first-match-wins: 1697ns -> 129ns (92% faster)
- Stack-allocated path arrays via with_path_refs (1-4 segments inline)
  eliminates per-message Vec allocation
- extract_string_value uses sonic-rs is_str() + memchr SIMD escape
  detection — zero-copy Cow<str> for the common case (no escapes)
- Fix field extraction in classify.rs for method calls (host.matches
  was extracting "host.matches" instead of "host")

Tier 2/3 CEL evaluation tests (5 new):
- Compound expression: severity > 3 && source != "internal"
- size() function on arrays
- Field-to-field comparison
- Tier 3 regex via host.matches("^prod-.*")
- Missing field safety

Benchmark suite (benches/filter_benchmark.rs):
- No-filter baseline: 3.2 ns (zero overhead confirmed)
- Tier 1 has() match: 107 ns (memmem fast-path)
- Tier 1 ==: 288 ns match, 741 ns no-match (sonic-rs full scan)
- Tier 1 startsWith: 250 ns
- Tier 1 dotted path: 239 ns
- Tier 2/3 CEL benchmarks (feature-gated)

Docs:
- STATE.md: added transport-filter to Key Components
- STATE.md: added TransportFilterEngine decision entry

700 tests pass, clippy clean with --all-features.
memchr added to transport feature for SIMD substring search.

Author: catinspace-au

Cargo.toml

@@ -96,7 +96,7 @@ config-reload = ["config", "parking_lot", "tokio", "tracing"]
 config-postgres = ["config", "sqlx", "tokio", "serde_json"]
 
 # Transport features
-transport = ["tokio", "serde_json", "rmp-serde", "chrono", "async-trait", "regex"]
+transport = ["tokio", "serde_json", "rmp-serde", "chrono", "async-trait", "regex", "memchr"]
 transport-memory = ["transport"]
 transport-kafka = ["transport", "rdkafka", "regex", "tokio-util"]
 transport-grpc = ["transport", "dep:tonic", "dep:tonic-prost", "dep:prost", "dep:prost-types", "dep:tonic-prost-build", "dep:prost-build"]
@@ -232,6 +232,7 @@ sonic-rs = { version = ">=0.5, <1", optional = true }
 
 # Regex (topic resolver include/exclude filters)
 regex = { version = ">=1.11, <2", optional = true }
+memchr = { version = ">=2.7", optional = true }
 
 # Async trait (for tiered-sink Sink trait)
 async-trait = { version = ">=0.1.88, <0.2", optional = true }
@@ -306,3 +307,8 @@ harness = false
 name = "engine_benchmark"
 harness = false
 required-features = ["worker"]
+
+[[bench]]
+name = "filter_benchmark"
+harness = false
+required-features = ["transport-memory"]

STATE.md

@@ -39,6 +39,7 @@ Modular library with feature-gated components. Each module can be enabled/disabl
 15. **memory** - MemoryGuard: cgroup-aware memory backpressure with auto-detection
 16. **scaling** - ScalingPressure: KEDA autoscaling signal calculation
 17. **cli** - DfeApp trait, ServiceRuntime (pre-wired metrics + worker pool + batch engine + memory guard + shutdown)
+18. **transport-filter** - TransportFilterEngine: CEL-syntax message filtering embedded in every transport. Tier 1 SIMD field ops (~50-100ns), Tier 2 compiled CEL (opt-in), Tier 3 complex CEL with regex/iteration (opt-in). Inbound/outbound, drop/dlq, first-match-wins.
 
 ### Tech Stack
 
@@ -154,6 +155,7 @@ spool, cache, secrets, HTTP client, DLQ — with zero additional wiring.
 - **DFE parallelisation pattern** — split sequential hot loops into parallel (pure `&self` computation via rayon) and sequential (mutable state: buffer push, mark_pending, stats, DLQ) phases. The `BatchProcessor` trait + `BatchPipeline` struct in rustlib provide the common framework. Each DFE app implements `BatchProcessor` for its domain. See `src/pipeline/` module.
 - **ServiceRuntime** — pre-built infrastructure for DFE service apps. Created by `run_app()` before `run_service()`. Contains MetricsManager, DfeMetrics, MemoryGuard (optional), shutdown token (with K8s pre-stop delay), worker pool (optional), batch engine (optional), scaling pressure (optional), RuntimeContext. Apps receive it fully wired. See `src/cli/runtime.rs`.
 - **BatchEngine** — SIMD-optimised batch processing for DFE pipelines. Two modes: `process_mid_tier()` (parse JSON via sonic-rs + parallel transform via rayon) and `process_raw()` (skip parsing, parallel transform on raw bytes). Transport-wired: `run_async()` / `run_raw_async()` with async sink, sink-managed commit tokens, and optional ticker callback. See `src/worker/engine/`.
+- **TransportFilterEngine** — CEL-syntax message filtering embedded in every transport (Kafka, gRPC, Memory, File, Pipe, HTTP, Redis). Three performance tiers: Tier 1 (SIMD field ops via sonic_rs::get_from_slice, ~50-200ns/msg, always enabled), Tier 2 (compiled CEL with extracted fields, requires `expression.allow_cel_filters_in/out`), Tier 3 (CEL with regex/iteration/time, requires `expression.allow_complex_filters_in/out`). Operators write CEL syntax — engine classifies via text pattern matching and bypasses CEL engine entirely for Tier 1. First-match-wins, drop/dlq actions, fail-fast at startup. Zero downstream code changes — config-only activation. See `src/transport/filter/`.
 - **RuntimeContext** — rich runtime metadata detected once at startup (pod_name, namespace, node_name, container_id, memory_limit_bytes, cpu_quota_cores). Global singleton via OnceLock. All modules read from this instead of doing their own env var lookups. No-ops on bare metal. See `src/env.rs`.
 - **K8s pre-stop compliance** — shutdown handler sleeps `PRESTOP_DELAY_SECS` (default 5 in K8s, 0 elsewhere) before cancelling the token. Prevents traffic routing to a draining pod.
 - **Deployment contract CI bridge** — `container-manifest.json` (minimal CI subset), `Dockerfile.runtime` (runtime stage fragment for CI composition), OCI labels (static from contract, dynamic injected by CI), `from_cargo_toml()` for auto-detecting native deps, `schema_version` field.

benches/filter_benchmark.rs

@@ -0,0 +1,233 @@
+// Project:   hyperi-rustlib
+// File:      benches/filter_benchmark.rs
+// Purpose:   Criterion benchmarks for transport filter engine performance
+// Language:  Rust
+//
+// License:   FSL-1.1-ALv2
+// Copyright: (c) 2026 HYPERI PTY LIMITED
+
+//! Benchmarks for the transport filter engine.
+//!
+//! Validates the design assumption: Tier 1 filters are ~50-100ns/msg via SIMD,
+//! and the no-filter overhead is negligible.
+
+use criterion::{Criterion, Throughput, criterion_group, criterion_main};
+
+use hyperi_rustlib::transport::filter::{
+    FilterAction, FilterDisposition, FilterRule, TransportFilterEngine, TransportFilterTierConfig,
+};
+
+const SAMPLE_PAYLOAD: &[u8] = br#"{"_table":"events","host":"prod-web01","source_type":"syslog","severity":3,"id":12345,"timestamp":"2026-04-10T12:00:00Z","message":"Sample log event with some realistic padding for benchmarking"}"#;
+
+const POISON_PAYLOAD: &[u8] = br#"{"_table":"events","status":"poison","data":"x"}"#;
+
+fn bench_no_filters_baseline(c: &mut Criterion) {
+    let engine = TransportFilterEngine::empty();
+
+    let mut group = c.benchmark_group("filter_no_filters");
+    group.throughput(Throughput::Elements(1));
+    group.bench_function("apply_inbound_no_filters", |b| {
+        b.iter(|| std::hint::black_box(engine.apply_inbound(SAMPLE_PAYLOAD)));
+    });
+    group.finish();
+}
+
+fn bench_tier1_field_exists(c: &mut Criterion) {
+    let engine = TransportFilterEngine::new(
+        &[FilterRule {
+            expression: "has(_table)".into(),
+            action: FilterAction::Drop,
+        }],
+        &[],
+        &TransportFilterTierConfig::default(),
+    )
+    .unwrap();
+
+    let mut group = c.benchmark_group("filter_tier1_field_exists");
+    group.throughput(Throughput::Elements(1));
+    group.bench_function("match", |b| {
+        b.iter(|| std::hint::black_box(engine.apply_inbound(SAMPLE_PAYLOAD)));
+    });
+    group.finish();
+}
+
+fn bench_tier1_field_equals(c: &mut Criterion) {
+    let engine = TransportFilterEngine::new(
+        &[FilterRule {
+            expression: r#"status == "poison""#.into(),
+            action: FilterAction::Drop,
+        }],
+        &[],
+        &TransportFilterTierConfig::default(),
+    )
+    .unwrap();
+
+    let mut group = c.benchmark_group("filter_tier1_field_equals");
+    group.throughput(Throughput::Elements(1));
+    group.bench_function("no_match_pass", |b| {
+        b.iter(|| {
+            let result = engine.apply_inbound(SAMPLE_PAYLOAD);
+            assert_eq!(result, FilterDisposition::Pass);
+            std::hint::black_box(result)
+        });
+    });
+    group.bench_function("match_drop", |b| {
+        b.iter(|| {
+            let result = engine.apply_inbound(POISON_PAYLOAD);
+            assert_eq!(result, FilterDisposition::Drop);
+            std::hint::black_box(result)
+        });
+    });
+    group.finish();
+}
+
+fn bench_tier1_starts_with(c: &mut Criterion) {
+    let engine = TransportFilterEngine::new(
+        &[FilterRule {
+            expression: r#"host.startsWith("prod-")"#.into(),
+            action: FilterAction::Drop,
+        }],
+        &[],
+        &TransportFilterTierConfig::default(),
+    )
+    .unwrap();
+
+    let mut group = c.benchmark_group("filter_tier1_starts_with");
+    group.throughput(Throughput::Elements(1));
+    group.bench_function("match", |b| {
+        b.iter(|| std::hint::black_box(engine.apply_inbound(SAMPLE_PAYLOAD)));
+    });
+    group.finish();
+}
+
+fn bench_tier1_dotted_path(c: &mut Criterion) {
+    let nested_payload =
+        br#"{"metadata":{"source":"aws","region":"ap-southeast-2"},"event":"login"}"#;
+    let engine = TransportFilterEngine::new(
+        &[FilterRule {
+            expression: r#"metadata.source == "aws""#.into(),
+            action: FilterAction::Drop,
+        }],
+        &[],
+        &TransportFilterTierConfig::default(),
+    )
+    .unwrap();
+
+    let mut group = c.benchmark_group("filter_tier1_dotted_path");
+    group.throughput(Throughput::Elements(1));
+    group.bench_function("nested_match", |b| {
+        b.iter(|| std::hint::black_box(engine.apply_inbound(nested_payload)));
+    });
+    group.finish();
+}
+
+fn bench_tier1_first_match_wins(c: &mut Criterion) {
+    // 5 filters, message matches the third one
+    let rules = vec![
+        FilterRule {
+            expression: "has(no_match_1)".into(),
+            action: FilterAction::Drop,
+        },
+        FilterRule {
+            expression: "has(no_match_2)".into(),
+            action: FilterAction::Drop,
+        },
+        FilterRule {
+            expression: "has(_table)".into(),
+            action: FilterAction::Drop,
+        },
+        FilterRule {
+            expression: "has(no_match_3)".into(),
+            action: FilterAction::Drop,
+        },
+        FilterRule {
+            expression: "has(no_match_4)".into(),
+            action: FilterAction::Drop,
+        },
+    ];
+    let engine =
+        TransportFilterEngine::new(&rules, &[], &TransportFilterTierConfig::default()).unwrap();
+
+    let mut group = c.benchmark_group("filter_tier1_first_match_wins");
+    group.throughput(Throughput::Elements(1));
+    group.bench_function("match_at_position_3", |b| {
+        b.iter(|| std::hint::black_box(engine.apply_inbound(SAMPLE_PAYLOAD)));
+    });
+    group.finish();
+}
+
+#[cfg(feature = "expression")]
+fn bench_tier2_compound_cel(c: &mut Criterion) {
+    let tier_config = TransportFilterTierConfig {
+        allow_cel_filters_in: true,
+        ..Default::default()
+    };
+    let engine = TransportFilterEngine::new(
+        &[FilterRule {
+            expression: r#"severity > 3 && source != "internal""#.into(),
+            action: FilterAction::Drop,
+        }],
+        &[],
+        &tier_config,
+    )
+    .unwrap();
+
+    let payload = br#"{"severity":5,"source":"external","data":"x"}"#;
+
+    let mut group = c.benchmark_group("filter_tier2_compound_cel");
+    group.throughput(Throughput::Elements(1));
+    group.bench_function("compound_cel_match", |b| {
+        b.iter(|| std::hint::black_box(engine.apply_inbound(payload)));
+    });
+    group.finish();
+}
+
+#[cfg(feature = "expression")]
+fn bench_tier3_regex_cel(c: &mut Criterion) {
+    let tier_config = TransportFilterTierConfig {
+        allow_complex_filters_in: true,
+        ..Default::default()
+    };
+    let engine = TransportFilterEngine::new(
+        &[FilterRule {
+            expression: r#"host.matches("^prod-.*$")"#.into(),
+            action: FilterAction::Drop,
+        }],
+        &[],
+        &tier_config,
+    )
+    .unwrap();
+
+    let mut group = c.benchmark_group("filter_tier3_regex_cel");
+    group.throughput(Throughput::Elements(1));
+    group.bench_function("regex_match", |b| {
+        b.iter(|| std::hint::black_box(engine.apply_inbound(SAMPLE_PAYLOAD)));
+    });
+    group.finish();
+}
+
+#[cfg(feature = "expression")]
+criterion_group!(
+    benches,
+    bench_no_filters_baseline,
+    bench_tier1_field_exists,
+    bench_tier1_field_equals,
+    bench_tier1_starts_with,
+    bench_tier1_dotted_path,
+    bench_tier1_first_match_wins,
+    bench_tier2_compound_cel,
+    bench_tier3_regex_cel,
+);
+
+#[cfg(not(feature = "expression"))]
+criterion_group!(
+    benches,
+    bench_no_filters_baseline,
+    bench_tier1_field_exists,
+    bench_tier1_field_equals,
+    bench_tier1_starts_with,
+    bench_tier1_dotted_path,
+    bench_tier1_first_match_wins,
+);
+
+criterion_main!(benches);

src/transport/filter/classify.rs

@@ -237,34 +237,63 @@ fn check_restricted_functions(expr: &str) -> bool {
 /// Extract field references from an expression (for Tier 2/3 CEL context building).
 ///
 /// Scans for identifier patterns that aren't CEL keywords or function names.
-/// Returns unique field names (may include dotted paths).
+/// For method calls like `field.matches("...")`, extracts only the receiver field.
+/// Returns unique field names (may include dotted paths for nested access).
 fn extract_field_references(expr: &str) -> Vec<String> {
-    static RE_IDENT: LazyLock<Regex> =
-        LazyLock::new(|| Regex::new(r"\b([a-zA-Z_][\w.]*)\b").unwrap());
+    // Match dotted identifier (potentially nested) — we'll trim trailing method call
+    // segments after matching.
+    static RE_IDENT: LazyLock<Regex> = LazyLock::new(|| Regex::new(r"[a-zA-Z_][\w.]*").unwrap());
 
     let mut fields: Vec<String> = Vec::new();
-    let mut in_string = false;
 
-    // Track string boundaries
+    // Build a mask of which byte positions are inside string literals
+    let mut in_string_mask = vec![false; expr.len()];
+    let mut in_string = false;
+    let mut prev_was_escape = false;
     for (i, ch) in expr.char_indices() {
-        if ch == '"' {
+        if in_string {
+            in_string_mask[i] = true;
+        }
+        if ch == '"' && !prev_was_escape {
             in_string = !in_string;
         }
-        if in_string {
+        prev_was_escape = ch == '\\' && !prev_was_escape;
+    }
+
+    for m in RE_IDENT.find_iter(expr) {
+        if in_string_mask.get(m.start()).copied().unwrap_or(false) {
             continue;
         }
 
-        // Check if an identifier starts here
-        if let Some(m) = RE_IDENT.find(&expr[i..])
-            && m.start() == 0
-        {
-            let ident = m.as_str();
-            // Skip CEL keywords
-            let base = ident.split('.').next().unwrap_or(ident);
-            if !CEL_KEYWORDS.contains(&base) && !fields.contains(&ident.to_string()) {
-                fields.push(ident.to_string());
+        let mut ident = m.as_str().to_string();
+
+        // If this identifier is immediately followed by '(' (a function call),
+        // strip the last dotted segment (the method name) — the receiver is
+        // the actual field reference.
+        let after = &expr[m.end()..];
+        if after.trim_start().starts_with('(') {
+            if let Some(dot_pos) = ident.rfind('.') {
+                // Method call on a field: keep the receiver
+                ident.truncate(dot_pos);
+            } else {
+                // Bare function call (e.g., has(), size()) — not a field
+                continue;
             }
         }
+
+        if ident.is_empty() {
+            continue;
+        }
+
+        // Skip CEL keywords (check the leading segment)
+        let base = ident.split('.').next().unwrap_or(&ident);
+        if CEL_KEYWORDS.contains(&base) {
+            continue;
+        }
+
+        if !fields.contains(&ident) {
+            fields.push(ident);
+        }
     }
 
     fields