perf(db): reuse prepared statements on hot paths

- Prepare the user_accounts role lookup once in the auth middleware; it
  runs on nearly every authenticated request
- Prepare session store get/set/destroy/purge statements once in the
  constructor instead of per request
- Prepare the per-check SELECT once per PDF job instead of once per check

src/lib/SessionStore.js

@@ -7,16 +7,20 @@ const { Store } = require('express-session');
 class SessionStore extends Store {
   constructor(db) {
     super();
-    this.db = db;
+    // Prepared once — get/set run on every request
+    this.getStmt   = db.prepare('SELECT sess, expired FROM sessions WHERE sid = ?');
+    this.setStmt   = db.prepare('INSERT OR REPLACE INTO sessions (sid, sess, expired) VALUES (?, ?, ?)');
+    this.delStmt   = db.prepare('DELETE FROM sessions WHERE sid = ?');
+    this.purgeStmt = db.prepare('DELETE FROM sessions WHERE expired < ?');
     // Purge expired sessions every 10 minutes
     setInterval(() => {
-      try { db.prepare('DELETE FROM sessions WHERE expired < ?').run(Date.now()); } catch (_) {}
+      try { this.purgeStmt.run(Date.now()); } catch (_) {}
     }, 10 * 60 * 1000).unref();
   }
 
   get(sid, cb) {
     try {
-      const row = this.db.prepare('SELECT sess, expired FROM sessions WHERE sid = ?').get(sid);
+      const row = this.getStmt.get(sid);
       if (!row) return cb(null, null);
       if (Date.now() > row.expired) {
         this.destroy(sid, () => {});
@@ -33,16 +37,14 @@ class SessionStore extends Store {
         ? sess.cookie.maxAge
         : 7 * 24 * 60 * 60 * 1000;
       const expired = Date.now() + maxAge;
-      this.db.prepare(
+      this.setStmt.run(sid, JSON.stringify(sess), expired);
-        'INSERT OR REPLACE INTO sessions (sid, sess, expired) VALUES (?, ?, ?)'
-      ).run(sid, JSON.stringify(sess), expired);
       cb(null);
     } catch (e) { cb(e); }
   }
 
   destroy(sid, cb) {
     try {
-      this.db.prepare('DELETE FROM sessions WHERE sid = ?').run(sid);
+      this.delStmt.run(sid);
       cb(null);
     } catch (e) { cb(e); }
   }

src/middleware/auth.js

@@ -2,6 +2,11 @@
 
 const db = require('../db/database');
 
+// Prepared once — this lookup runs on nearly every authenticated request
+const accountRoleStmt = db.prepare(
+  'SELECT role FROM user_accounts WHERE user_id = ? AND account_id = ?'
+);
+
 function requireAuth(req, res, next) {
   if (!req.session || !req.session.userId) {
     return res.status(401).json({ error: 'Not authenticated.' });
@@ -28,10 +33,7 @@ function requireEditor(req, res, next) {
 function canAccessAccount(session, accountId) {
   if (!session || !session.userId) return false;
   if (session.role === 'admin') return true;
-  const row = db.prepare(
+  return !!accountRoleStmt.get(session.userId, accountId);
-    'SELECT 1 FROM user_accounts WHERE user_id = ? AND account_id = ?'
-  ).get(session.userId, accountId);
-  return !!row;
 }
 
 // Returns true if the user has editor (write) access to the given account.
@@ -39,9 +41,7 @@ function canAccessAccount(session, accountId) {
 function isEditorForAccount(session, accountId) {
   if (!session || !session.userId) return false;
   if (session.role === 'admin') return true;
-  const row = db.prepare(
+  const row = accountRoleStmt.get(session.userId, accountId);
-    "SELECT role FROM user_accounts WHERE user_id = ? AND account_id = ?"
-  ).get(session.userId, accountId);
   return !!(row && row.role === 'editor');
 }
 

src/routes/pdf.js

@@ -30,10 +30,11 @@ router.post('/', async (req, res) => {
   }
 
   // Fetch checks in the order provided; verify each belongs to the declared account
+  const checkStmt = db.prepare('SELECT * FROM checks WHERE id = ?');
   let checks;
   try {
     checks = checkIds.map(id => {
-      const check = db.prepare('SELECT * FROM checks WHERE id = ?').get(id);
+      const check = checkStmt.get(id);
       if (!check) throw new Error(`Check ID ${id} not found`);
       if (check.account_id !== resolvedAccountId) throw new Error(`Check ID ${id} does not belong to this account`);
       return check;