optimize WSL2 performance: cache binary path, skip redundant .exe spawns

theoephraim · claude · theoephraim · commit dc10b2d6a8cf · 2026-04-09T15:33:07.000-07:00
- Cache resolveNativeBinary() result (was called 6x per invocation)
- Reuse keys from status response in keyExists() to skip key-exists .exe spawn
- Fix daemon spawn polling: simpler pipe_exists check at 50ms intervals
- Increase timeout to 60s for WSL2 decrypt (includes Windows Hello prompt)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/encryption-binary-rust/src/daemon_client.rs b/packages/encryption-binary-rust/src/daemon_client.rs
@@ -180,16 +180,8 @@ fn spawn_daemon() -> Result<(), String> {
     // Wait for daemon to become ready (poll pipe availability)
     let start = std::time::Instant::now();
     while start.elapsed() < MAX_SPAWN_WAIT {
-        std::thread::sleep(std::time::Duration::from_millis(100));
-
-        // Try to connect — if it works, daemon is ready
-        if try_daemon_decrypt("", "").is_err() {
-            // Could be "pipe not found" (not ready) or "decrypt failed" (ready but bad request)
-            // Check if the pipe exists by trying to open it
-            if pipe_exists() {
-                return Ok(());
-            }
-        } else {
+        std::thread::sleep(std::time::Duration::from_millis(50));
+        if pipe_exists() {
             return Ok(());
         }
     }
diff --git a/packages/varlock/src/lib/local-encrypt/binary-resolver.ts b/packages/varlock/src/lib/local-encrypt/binary-resolver.ts
@@ -145,29 +145,37 @@ function ensureExecutable(binaryPath: string): string {
  * Resolve the native helper binary path.
  * Returns undefined if no binary is found — caller should fall back to pure JS.
  */
+let _cachedBinaryPath: string | undefined | null = null; // null = not yet resolved
+
 export function resolveNativeBinary(): string | undefined {
+  if (_cachedBinaryPath !== null) return _cachedBinaryPath;
+
   debug(`resolving: platform=${process.platform}, isWSL=${isWSL()}, binaryName=${getPlatformBinaryName()}, subdir=${getNativeBinSubdir()}`);
 
   const seaSibling = resolveSeaSibling();
   if (seaSibling) {
     debug(`resolved via SEA sibling: ${seaSibling}`);
-    return ensureExecutable(seaSibling);
+    _cachedBinaryPath = ensureExecutable(seaSibling);
+    return _cachedBinaryPath;
   }
 
   const npmBundled = resolveNpmBundled();
   if (npmBundled) {
     debug(`resolved via npm bundled: ${npmBundled}`);
-    return ensureExecutable(npmBundled);
+    _cachedBinaryPath = ensureExecutable(npmBundled);
+    return _cachedBinaryPath;
   }
 
   const devFallback = resolveDevFallback();
   if (devFallback) {
     debug(`resolved via dev fallback: ${devFallback}`);
-    return ensureExecutable(devFallback);
+    _cachedBinaryPath = ensureExecutable(devFallback);
+    return _cachedBinaryPath;
   }
 
   debug('NOT FOUND: no binary resolved from any strategy');
   debug(`  SEA sibling dir: ${path.dirname(process.execPath)}`);
   debug(`  npm bundled dir: ${path.resolve(__dirname, '..', '..', '..', 'native-bins', getNativeBinSubdir())}`);
+  _cachedBinaryPath = undefined;
   return undefined;
 }
diff --git a/packages/varlock/src/lib/local-encrypt/index.ts b/packages/varlock/src/lib/local-encrypt/index.ts
@@ -30,7 +30,7 @@ function debug(msg: string) {
 
 // ── Native binary one-shot commands ────────────────────────────────────
 
-function runNativeBinary(args: Array<string>): string {
+function runNativeBinary(args: Array<string>, opts?: { timeout?: number }): string {
   const binaryPath = resolveNativeBinary();
   if (!binaryPath) {
     debug('runNativeBinary: no binary found');
@@ -39,14 +39,14 @@ function runNativeBinary(args: Array<string>): string {
   debug(`runNativeBinary: ${binaryPath} ${args.join(' ')}`);
   const output = execFileSync(binaryPath, args, {
     encoding: 'utf-8',
-    timeout: 30_000,
+    timeout: opts?.timeout ?? 30_000,
   }).trim();
   debug(`runNativeBinary result: ${output.slice(0, 200)}`);
   return output;
 }
 
-function runNativeBinaryJson<T = Record<string, unknown>>(args: Array<string>): T {
-  const output = runNativeBinary(args);
+function runNativeBinaryJson<T = Record<string, unknown>>(args: Array<string>, opts?: { timeout?: number }): T {
+  const output = runNativeBinary(args, opts);
   const parsed = JSON.parse(output);
   if (parsed.error) {
     throw new Error(parsed.error);
@@ -57,6 +57,8 @@ function runNativeBinaryJson<T = Record<string, unknown>>(args: Array<string>):
 // ── Backend detection ──────────────────────────────────────────────────
 
 let cachedBackendInfo: BackendInfo | undefined;
+/** Keys reported by the status command — avoids a separate key-exists .exe spawn on WSL2 */
+let cachedStatusKeys: Array<string> | undefined;
 
 function detectBackendType(): { type: BackendType; isFileFallback: boolean } {
   const binaryPath = resolveNativeBinary();
@@ -89,7 +91,8 @@ export function getBackendInfo(): BackendInfo {
     // Query the native binary for its actual capabilities
     try {
       const status = runNativeBinaryJson<NativeStatusResult>(['status']);
-      debug(`getBackendInfo: status result: hardwareBacked=${status.hardwareBacked}, biometricAvailable=${status.biometricAvailable}, backend=${status.backend}`);
+      debug(`getBackendInfo: status result: hardwareBacked=${status.hardwareBacked}, biometricAvailable=${status.biometricAvailable}, backend=${status.backend}, keys=${status.keys?.join(',')}`);
+      cachedStatusKeys = status.keys;
       cachedBackendInfo = {
         type,
         platform: process.platform,
@@ -146,6 +149,11 @@ export function keyExists(keyId: string = DEFAULT_KEY_ID): boolean {
   if (backend.type === 'file') {
     return fileBackend.keyExists(keyId);
   }
+  // Use cached keys from status command to avoid an extra .exe spawn (significant on WSL2)
+  if (cachedStatusKeys) {
+    debug(`keyExists: using cached status keys for ${keyId}`);
+    return cachedStatusKeys.includes(keyId);
+  }
   const result = runNativeBinaryJson<{ exists: boolean }>(['key-exists', '--key-id', keyId]);
   return result.exists;
 }
@@ -204,7 +212,11 @@ export async function decryptValue(ciphertext: string, keyId: string = DEFAULT_K
   if (backend.biometricAvailable) {
     if (isWSL()) {
       debug('decryptValue: WSL2 biometric decrypt via --via-daemon');
-      const result = runNativeBinaryJson<{ plaintext: string }>(['decrypt', '--key-id', keyId, '--data', ciphertext, '--via-daemon']);
+      // Longer timeout: includes daemon spawn + Windows Hello biometric prompt
+      const result = runNativeBinaryJson<{ plaintext: string }>(
+        ['decrypt', '--key-id', keyId, '--data', ciphertext, '--via-daemon'],
+        { timeout: 60_000 },
+      );
       return result.plaintext;
     }
     debug('decryptValue: biometric decrypt via daemon client');
