Add API benchmark suite

[TheOnlyOne001]

/claim #30

Summary

• Added npm run benchmark and npm run benchmark:smoke for the API benchmark suite.
• Added benchmarks/run.mjs to start the Express API locally by default, cover every current /api/* route plus /health, send realistic JSON/form payloads, and use a benchmark JWT for /api/admin/metrics.
• Added JSON/Markdown result output under benchmarks/results, threshold checks in benchmarks/thresholds.json, .env.benchmark documentation, and a GitHub Actions smoke benchmark gate.
• Made the API test script use an explicit test-file glob so npm test runs reliably on Node 22.

Validation

• npm test passed.
• npm run benchmark:smoke passed and wrote JSON/Markdown results.
• npm run benchmark passed and wrote JSON/Markdown results.
• git diff --check passed.

Full Benchmark Summary

Run: 2026-05-17T06-08-38-962Z-full
Mode: local, concurrency 2, 4 iterations per worker.

Endpoint	Requests	p50 ms	p95 ms	p99 ms	p95 TTFB ms	Sustained RPS	Peak RPS	Error %	Statuses
GET /health	8	9.22	17.38	17.93	16.92	165.77	8	0	200: 8
POST /api/auth/register	8	14.18	17.45	17.76	17.09	130.38	8	0	201: 8
POST /api/auth/login	8	11.66	12.79	13.02	12.43	170.47	8	0	200: 8
GET /api/auth/oauth/github/callback	8	5.92	7.07	7.09	6.72	308.22	8	0	200: 8
POST /api/auth/refresh	8	10.4	11.5	11.88	11.04	186.08	8	0	200: 8
GET /api/users	8	6.62	7.44	7.55	7.11	294.56	8	0	200: 8
POST /api/users	8	5.52	8.03	8.17	7.84	317.82	8	0	201: 8
GET /api/jobs	8	3.98	4.15	4.15	3.94	493.86	8	0	200: 8
POST /api/jobs	8	5.23	5.44	5.5	5.23	383.37	8	0	201: 8
GET /api/proposals	8	4.03	4.12	4.13	3.91	498.06	8	0	200: 8
POST /api/proposals	8	5.03	6.64	6.68	6.47	388.69	8	0	201: 8
POST /api/payments	8	5.4	5.87	5.96	5.69	375.01	8	0	201: 8
GET /api/reviews	8	4.11	4.57	4.58	4.39	482.55	8	0	200: 8
POST /api/reviews	8	4.84	5.99	6.12	5.79	394.75	8	0	201: 8
GET /api/messages	8	3.98	5.11	5.25	4.97	472.85	8	0	200: 8
POST /api/messages	8	4.03	4.51	4.54	4.35	483.45	8	0	201: 8
GET /api/notifications	8	3.45	4.32	4.38	4.16	555.74	8	0	200: 8
POST /api/notifications	8	3.8	6.42	6.65	6.25	455.28	8	0	201: 8
POST /api/uploads	8	7.16	10.01	10.02	9.81	254.28	8	0	201: 8
GET /api/search?q=api%20benchmark	8	3.37	4.01	4.05	3.82	556.33	8	0	200: 8
GET /api/admin/metrics	8	5.63	6.82	6.87	6.61	334.34	8	0	200: 8

All endpoints passed configured thresholds.

Benchmark Environment

Hardware

• CPU model and core count: AMD Ryzen 5 3550H with Radeon Vega Mobile Gfx, 4 cores / 8 logical processors
• RAM: 14.9 GB total, about 4.2 GB free during environment check
• Storage type: SSD (CT500P1SSD8)
• Network interface: loopback (127.0.0.1) for local benchmark
• Machine type: local workstation
• OS and version: Microsoft Windows 11 Home Single Language, 10.0.26200

Runtime

• Node.js version: v22.17.1
• Resource limits: none intentionally applied
• Other significant processes running: normal local workstation background processes

If submitted by or with an AI agent

• Agent or tool name: OpenAI Codex coding agent
• Underlying model and version: GPT-5 based Codex model
• Inference provider: OpenAI
• Orchestration framework: Codex desktop app with shell/GitHub CLI tools
• Execution mode: human-initiated, agent-executed, human-supervised through this PR
• Shell/tool access during execution: yes
• Internet access during execution: yes
• Benchmark commands run by the agent directly or handed off: run directly by the agent
• Known constraints/sandboxing that may have affected execution: local Windows workstation; no filesystem sandbox; local benchmark defaults kept under the app rate-limit window

[TheOnlyOne001]

Demo / verification note for reviewers:

• CI ran npm run benchmark:smoke successfully here: https://github.com/SecureBananaLabs/bug-bounty/actions/runs/25983183259/job/76375625814
• That run starts the Express API locally, benchmarks all current API routes, checks thresholds, and uploads generated JSON/Markdown benchmark artifacts.
• The PR body includes the full local npm run benchmark Markdown summary for the higher-iteration baseline run.

I could not attach a native GitHub video through the CLI, so I included reproducible commands, CI evidence, and the full generated summary directly in the PR body.

[BossChaos]

Code Review — Bounty #30 ($750)

PR: Add API benchmark suite by @TheOnlyOne001

• ✅ Benchmark suite implementation
• ✅ Directly relevant to Bounty Benchmark APIs with p50, p95, p99 latency, RPS, error rate and TTFB #30 ($750)

Wallet: 0xdaE5d307339074A24F579dB48e7c639359D94904

Code review under Bounty #30 — API Benchmark Suite ($750)