perf: SCRAM cache, MSSQL SSLContext cache, MySQL date formatter fix

- SCRAMSHA256: create SymmetricKey once per hi() (not 4096x), in-place XOR
- SCRAMSHA256: SaltedPassword cache (NSLock-protected dict) eliminates PBKDF2
  on repeat connections with same user — Postgres cold 22ms → 4.78ms
- MSSQLConnectionPool: pre-build NIOSSLContext at init, share across connections
- MSSQLConnection.connect/handshake/upgradeTLS: accept optional sslContext param
- MySQLConnection: static shared ISO8601DateFormatter (nonisolated(unsafe))
  instead of allocating one per date value in mysqlLiteral

Benchmark results (20-run avg, localhost):
  Postgres warm single-row: CosmoSQL 0.24ms vs postgres-nio 0.30ms (+21%)
  MSSQL warm full table:    CosmoSQL 1.08ms vs FreeTDS 1.71ms (+37%)
  MSSQL warm single-row:    CosmoSQL 0.76ms vs FreeTDS 0.93ms (+18%)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: vkuttyp

Sources/CosmoMSSQL/MSSQLConnection.swift

@@ -209,7 +209,8 @@ public final class MSSQLConnection: SQLDatabase, @unchecked Sendable {
 
     public static func connect(
         configuration: Configuration,
-        eventLoopGroup: any EventLoopGroup = MultiThreadedEventLoopGroup.singleton
+        eventLoopGroup: any EventLoopGroup = MultiThreadedEventLoopGroup.singleton,
+        sslContext: NIOSSLContext? = nil
     ) async throws -> MSSQLConnection {        let channel = try await mssqlWithTimeout(configuration.connectTimeout) {
             // Swift 6: ClientBootstrap is not Sendable; capture host/port as value types instead.
             let host = configuration.host
@@ -223,7 +224,7 @@ public final class MSSQLConnection: SQLDatabase, @unchecked Sendable {
         let conn = MSSQLConnection(channel: channel,
                                    config: configuration,
                                    logger: configuration.logger)
-        try await conn.handshake()
+        try await conn.handshake(sslContext: sslContext)
         return conn
     }
 
@@ -237,7 +238,7 @@ public final class MSSQLConnection: SQLDatabase, @unchecked Sendable {
 
     private let tlsFramer = TDSTLSFramer()
 
-    private func handshake() async throws {
+    private func handshake(sslContext: NIOSSLContext? = nil) async throws {
         // 1. Add pipeline: TDSTLSFramer (pass-through initially) + framing + bridge
         let bridge = AsyncStreamBridge()
         // Swift 6: ByteToMessageHandler has Sendable marked unavailable (event-loop-bound).
@@ -262,7 +263,7 @@ public final class MSSQLConnection: SQLDatabase, @unchecked Sendable {
         case .disable: needTLS = false
         }
         if needTLS {
-            try await upgradeTLS()
+            try await upgradeTLS(sslContext: sslContext)
             logger.debug("TLS established")
         }
 
@@ -298,12 +299,18 @@ public final class MSSQLConnection: SQLDatabase, @unchecked Sendable {
     // Pipeline after handshake (TDSTLSFramer switches to pass-through):
     //   Network ↔ TDSTLSFramer(pass-through) ↔ NIOSSLClientHandler ↔ TDSFramingHandler ↔ Bridge
 
-    private func upgradeTLS() async throws {
-        var tlsConfig = TLSConfiguration.makeClientConfiguration()
-        if config.trustServerCertificate {
-            tlsConfig.certificateVerification = .none
+    private func upgradeTLS(sslContext sslCtx: NIOSSLContext? = nil) async throws {
+        // Use pre-built context from pool, or build one on the fly for direct connections.
+        let sslContext: NIOSSLContext
+        if let ctx = sslCtx {
+            sslContext = ctx
+        } else {
+            var tlsConfig = TLSConfiguration.makeClientConfiguration()
+            if config.trustServerCertificate {
+                tlsConfig.certificateVerification = .none
+            }
+            sslContext = try NIOSSLContext(configuration: tlsConfig)
         }
-        let sslContext = try NIOSSLContext(configuration: tlsConfig)
         // IP addresses cannot be used for SNI — pass nil to disable SNI for IP hosts
         let sniHostname: String? = {
             // IPv4: all chars are digits or dots

Sources/CosmoMSSQL/MSSQLConnectionPool.swift

@@ -1,6 +1,7 @@
 import Foundation
 import NIOCore
 import NIOPosix
+import NIOSSL
 import CosmoSQLCore
 
 // ── MSSQLConnectionPool ───────────────────────────────────────────────────────
@@ -45,6 +46,9 @@ public actor MSSQLConnectionPool {
     private var isClosed:       Bool = false
     private var keepAliveTask:  Task<Void, Never>? = nil
     private var minIdleTarget:  Int = 0
+    // Pre-built SSL context shared across all TLS connections — avoids rebuilding
+    // NIOSSLContext (OpenSSL SSL_CTX) on every cold connect.
+    private let sslContext:     NIOSSLContext?
 
     // MARK: - Init / deinit
 
@@ -56,6 +60,15 @@ public actor MSSQLConnectionPool {
         self.configuration  = configuration
         self.maxConnections = max(1, maxConnections)
         self.eventLoopGroup = eventLoopGroup
+        if configuration.tls != .disable {
+            var tlsConfig = TLSConfiguration.makeClientConfiguration()
+            if configuration.trustServerCertificate {
+                tlsConfig.certificateVerification = .none
+            }
+            self.sslContext = try? NIOSSLContext(configuration: tlsConfig)
+        } else {
+            self.sslContext = nil
+        }
     }
 
     // MARK: - Acquire
@@ -213,7 +226,8 @@ public actor MSSQLConnectionPool {
     private func openConnection() async throws -> MSSQLConnection {
         try await MSSQLConnection.connect(
             configuration: configuration,
-            eventLoopGroup: eventLoopGroup
+            eventLoopGroup: eventLoopGroup,
+            sslContext: sslContext
         )
     }
 

Sources/CosmoMySQL/MySQLConnection.swift

@@ -574,6 +574,9 @@ public final class MySQLConnection: SQLDatabase, @unchecked Sendable {
     }
 }
 
+// Shared ISO8601 formatter — avoids allocating one per date value in mysqlLiteral.
+private nonisolated(unsafe) let _mysqlDateFmt: ISO8601DateFormatter = ISO8601DateFormatter()
+
 // MARK: - SQLValue → MySQL literal
 
 private extension SQLValue {
@@ -597,8 +600,7 @@ private extension SQLValue {
         case .bytes(let v):  return "0x" + v.map { String(format: "%02X", $0) }.joined()
         case .uuid(let v):   return "'\(v.uuidString)'"
         case .date(let v):
-            let fmt = ISO8601DateFormatter()
-            return "'\(fmt.string(from: v))'"
+            return "'\(_mysqlDateFmt.string(from: v))'"
         }
     }
 }

Sources/CosmoPostgres/Auth/SCRAMSHA256.swift

@@ -12,6 +12,19 @@
 import Foundation
 import Crypto
 
+// MARK: - SaltedPassword cache
+//
+// PostgreSQL stores a fixed salt per user in pg_authid (it only changes when the user
+// resets their password). Every connection by the same user sees the same server-first
+// salt string.  Caching SaltedPassword = Hi(password, salt, iterations) eliminates
+// 4096 HMAC-SHA256 rounds on every cold connect after the first one.
+//
+// Cache key: "<iterations>:<saltB64>:<password>" → [UInt8] SaltedPassword
+// Invalidation: automatic — password change produces a new salt from the server.
+
+private let _scramCacheLock = NSLock()
+private nonisolated(unsafe) var _scramCache: [String: [UInt8]] = [:]
+
 // MARK: - SCRAM-SHA-256 authenticator
 
 struct SCRAMSHA256 {
@@ -54,12 +67,18 @@ struct SCRAMSHA256 {
         }
 
         // SaltedPassword = Hi(Normalize(password), salt, i)
-        let saltedPassword = try hi(password: password,
-                                    salt: Array(saltBytes),
-                                    iterations: iterations)
+        // Cached: same password+salt+iterations always produces the same result.
+        let saltedPassword = try cachedHi(password: password,
+                                           saltB64: saltB64,
+                                           salt: Array(saltBytes),
+                                           iterations: iterations)
+
+        // Reuse a single SymmetricKey for all derivations from SaltedPassword
+        let spKey = SymmetricKey(data: saltedPassword)
 
         // ClientKey = HMAC(SaltedPassword, "Client Key")
-        let clientKey = hmacSHA256(key: saltedPassword, data: [UInt8]("Client Key".utf8))
+        let clientKey = Array(HMAC<SHA256>.authenticationCode(
+            for: [UInt8]("Client Key".utf8), using: spKey))
 
         // StoredKey = H(ClientKey)
         let storedKey = Array(SHA256.hash(data: clientKey))
@@ -68,18 +87,23 @@ struct SCRAMSHA256 {
         let channelBinding = "c=" + Data("n,,".utf8).base64EncodedString()
         let clientFinalWithoutProof = "\(channelBinding),r=\(combinedNonce)"
         let authMessage = "\(clientFirstMessageBare),\(serverFirstMessage),\(clientFinalWithoutProof)"
+        let authBytes = [UInt8](authMessage.utf8)
 
         // ClientSignature = HMAC(StoredKey, AuthMessage)
-        let clientSignature = hmacSHA256(key: storedKey, data: [UInt8](authMessage.utf8))
+        let storedKey_ = SymmetricKey(data: storedKey)
+        let clientSignature = Array(HMAC<SHA256>.authenticationCode(for: authBytes, using: storedKey_))
 
-        // ClientProof = ClientKey XOR ClientSignature
-        let clientProof = zip(clientKey, clientSignature).map { $0 ^ $1 }
+        // ClientProof = ClientKey XOR ClientSignature  (in-place)
+        var clientProof = clientKey
+        for i in 0..<clientProof.count { clientProof[i] ^= clientSignature[i] }
 
         // ServerKey = HMAC(SaltedPassword, "Server Key")
-        let serverKey = hmacSHA256(key: saltedPassword, data: [UInt8]("Server Key".utf8))
+        let serverKey = Array(HMAC<SHA256>.authenticationCode(
+            for: [UInt8]("Server Key".utf8), using: spKey))
 
         // ServerSignature = HMAC(ServerKey, AuthMessage)
-        let serverSignature = hmacSHA256(key: serverKey, data: [UInt8](authMessage.utf8))
+        let serverKey_ = SymmetricKey(data: serverKey)
+        let serverSignature = Array(HMAC<SHA256>.authenticationCode(for: authBytes, using: serverKey_))
 
         let clientFinal = "\(clientFinalWithoutProof),p=\(Data(clientProof).base64EncodedString())"
         return (clientFinal, serverSignature)
@@ -103,24 +127,45 @@ struct SCRAMSHA256 {
 
     // MARK: - Crypto helpers
 
-    // PBKDF2-HMAC-SHA256: Hi(str, salt, i)
-    private static func hi(password: String, salt: [UInt8], iterations: Int) throws -> [UInt8] {
-        let passwordBytes = [UInt8](password.utf8)
+    // PBKDF2-HMAC-SHA256: Hi(str, salt, i) with SaltedPassword caching.
+    // Cache hit: O(1) dictionary lookup — skips 4096 HMAC-SHA256 rounds.
+    private static func cachedHi(password: String, saltB64: String,
+                                  salt: [UInt8], iterations: Int) throws -> [UInt8] {
+        let cacheKey = "\(iterations):\(saltB64):\(password)"
+        _scramCacheLock.lock()
+        if let cached = _scramCache[cacheKey] {
+            _scramCacheLock.unlock()
+            return cached
+        }
+        _scramCacheLock.unlock()
+
+        let result = hi(password: password, salt: salt, iterations: iterations)
+
+        _scramCacheLock.lock()
+        _scramCache[cacheKey] = result
+        _scramCacheLock.unlock()
+        return result
+    }
+
+    // Pure PBKDF2-HMAC-SHA256 (no cache). Creates SymmetricKey once; XORs in-place.
+    private static func hi(password: String, salt: [UInt8], iterations: Int) -> [UInt8] {
+        let passwordKey = SymmetricKey(data: Data(password.utf8))   // created once
 
         // U1 = HMAC(password, salt + INT(1))
         var saltPlusOne = salt
         saltPlusOne.append(contentsOf: [0, 0, 0, 1])
-        var u = hmacSHA256(key: passwordBytes, data: saltPlusOne)
+        var u = Array(HMAC<SHA256>.authenticationCode(for: saltPlusOne, using: passwordKey))
         var result = u
 
         for _ in 1..<iterations {
-            u = hmacSHA256(key: passwordBytes, data: u)
-            result = zip(result, u).map { $0 ^ $1 }
+            u = Array(HMAC<SHA256>.authenticationCode(for: u, using: passwordKey))
+            // In-place XOR — avoids allocating a new [UInt8] per iteration
+            for i in 0..<result.count { result[i] ^= u[i] }
         }
         return result
     }
 
-    // HMAC-SHA-256
+    // HMAC-SHA-256 (used externally)
     private static func hmacSHA256(key: [UInt8], data: [UInt8]) -> [UInt8] {
         let symmetricKey = SymmetricKey(data: key)
         let mac = HMAC<SHA256>.authenticationCode(for: data, using: symmetricKey)