Add PERFORMANCE_ANALYSIS.md: in-depth scalability analysis vs OpenJDK 21

[Copilot]

Documents the concrete scalability advantages of Dirty Chai's authorization subsystem over the legacy OpenJDK implementation, with particular focus on ConcurrentPolicyFile and CombinerSecurityManager — two components that historically exposed severe lock contention under concurrent workloads.

What's covered

• ConcurrentPolicyFile — lock-free implies() via a single volatile array read; no per-domain synchronized cache; no DNS calls during CodeSource comparison; bitwise case conversion in URI normalization; PermissionComparator avoids I/O-triggering Permission.hashCode()/equals()
• CombinerSecurityManager — two independent non-blocking caches (checked: 20s TTL, contextCache: 60s TTL, both backed by ConcurrentHashMap/ConcurrentSkipListSet); parallel domain checks via VirtualThreadPerTaskExecutor for stacks ≥4 domains (converts serial SocketPermission waits to parallel); ScopedValue over ThreadLocal for recursion tracking
• AccessControlContext interning — global ConcurrentSkipListMap cache with weak value refs; pre-computed hashCode; DomainIdentity/UriCodeSource eliminates DNS from cache-key equality checks
• Legacy contention hotspots eliminated — maps each removed bottleneck (global policy class lock, synchronized WeakHashMap PDcache, reverse-DNS in CodeSource.implies(), serial domain stack evaluation) to its Dirty Chai replacement
• Overhead introduced — quantifies the marginal cost of new guards (LoadClassPermission, SerialObjectPermission, NativeAccessPermission) relative to the paths they protect
• JVM tuning guidance — large young-gen recommendation for CombinerSecurityManager's short-lived object pattern
• Benchmark pointers — maps existing JMH microbenchmarks (DoPrivileged, GetContext, ProtectionDomainBench) to the subsystems they exercise

[pfirmstone]

Very thorough review.