Summary

Adds lightweight query complexity checking during validation and refactors GoodFaithIntrospection to use validation rules instead of ExecutableNormalizedOperation (ENO).

Query Complexity Limits

• New QueryComplexityLimits class with maxDepth and maxFieldsCount settings
• Default limits: depth 100, fields 100,000 (use QueryComplexityLimits.NONE to disable)
• Configuration via GraphQLContext using QueryComplexityLimits.KEY
• Fragment fields counted at each spread site; complexity calculated lazily during first spread traversal
• No additional AST traversal — complexity tracked during normal validation
• New validation error types: MaxQueryDepthExceeded, MaxQueryFieldsExceeded

GoodFaithIntrospection Refactor

• Replaced ENO-based introspection checking with a validation rule (GOOD_FAITH_INTROSPECTION)
• Introspection queries are detected dynamically during validation when __schema or __type is encountered on the Query type — no pre-scan of the document needed
• On detection, complexity limits are tightened to good faith bounds (500 fields, depth 20) and subsequent limit breaches throw GoodFaithIntrospectionExceeded directly
• Correctly detects introspection fields inside inline fragments and fragment spreads (the old ENO-based approach handled this, but any AST pre-scan would miss them)
• Same field instance limits as before: Query.__schema, Query.__type, __Type.fields/inputFields/interfaces/possibleTypes each allowed at most once

Usage

QueryComplexityLimits limits = QueryComplexityLimits.newLimits()
    .maxDepth(10)
    .maxFieldsCount(100)
    .build();

ExecutionInput input = ExecutionInput.newExecutionInput()
    .query(query)
    .graphQLContext(ctx -> ctx.put(QueryComplexityLimits.KEY, limits))
    .build();

Breaking changes

Behavioral changes

• Default query complexity limits are now enforced. All queries are subject to default limits of depth 100 and 100,000 fields. Queries exceeding these limits will receive MaxQueryDepthExceeded or MaxQueryFieldsExceeded validation errors. Use QueryComplexityLimits.NONE via GraphQLContext to disable, or call QueryComplexityLimits.setDefaultLimits(QueryComplexityLimits.NONE) globally.
• GoodFaithIntrospection now runs during validation instead of execution. Bad faith introspection errors are now returned as validation errors rather than being detected at execution time via ENO. The same checks are enforced but they happen earlier in the pipeline.

GoodFaithIntrospection (@PublicApi)

• Removed checkIntrospection(ExecutionContext) — was the ENO-based entry point, no longer needed
• Removed ALLOWED_FIELD_INSTANCES map — field instance limits are now enforced inside the validator
• Added isEnabled(GraphQLContext) — checks whether good faith introspection is enabled for a request
• Added goodFaithLimits(QueryComplexityLimits) — computes the effective limits for introspection queries
• BadFaithIntrospectionError.getLocations() return type changed to @Nullable List<SourceLocation>

ValidationErrorType (@PublicApi)

• Added MaxQueryDepthExceeded enum value
• Added MaxQueryFieldsExceeded enum value

OperationValidationRule (@PublicApi)

• Added GOOD_FAITH_INTROSPECTION enum value

ParseAndValidate (@PublicApi)

• Added overload validate(GraphQLSchema, Document, Predicate, Locale, QueryComplexityLimits) accepting optional complexity limits

New public classes

• QueryComplexityLimits (@PublicApi) — configuration for depth and field count limits
• QueryComplexityLimits.Builder (@PublicApi) — builder for QueryComplexityLimits

Test plan

• Existing GoodFaithIntrospection tests pass (bad faith detection, disable/enable, deep queries)
• New tests for introspection via inline fragments and fragment spreads
• New tests for tooBigOperation path (field count and depth limit exceeded)
• New tests for custom user limits combined with good faith limits
• QueryComplexityLimits unit tests for depth and field count enforcement
• Benchmark tests updated to use QueryComplexityLimits.NONE
• All Java versions (11, 17, 21, 25) pass

🤖 Generated with Claude Code