@adaptic/backend-legacy 0.0.48 → 0.0.50

package/esm/config/metrics.d.ts

@@ -0,0 +1,88 @@
+import { Request, Response, Router } from 'express';
+import { Registry, Counter, Histogram, Gauge } from 'prom-client';
+/**
+ * Dedicated Prometheus registry for backend-legacy metrics.
+ * Using a dedicated registry avoids conflicts with default Node.js metrics
+ * that might be registered by other libraries.
+ */
+export declare const metricsRegistry: Registry<"text/plain; version=0.0.4; charset=utf-8">;
+/** Counts total HTTP requests by method, route, and status code */
+export declare const httpRequestsTotal: Counter<"method" | "route" | "status_code">;
+/** Histogram of HTTP request durations in seconds */
+export declare const httpRequestDuration: Histogram<"method" | "route" | "status_code">;
+/** Counts total GraphQL operations by type and name */
+export declare const graphqlOperationsTotal: Counter<"status" | "operation_type" | "operation_name">;
+/** Histogram of GraphQL operation durations in seconds */
+export declare const graphqlOperationDuration: Histogram<"operation_type" | "operation_name">;
+/** Counts GraphQL errors by operation and error code */
+export declare const graphqlErrorsTotal: Counter<"operation_type" | "operation_name" | "error_code">;
+/** Histogram of Prisma query durations in seconds */
+export declare const dbQueryDuration: Histogram<"operation" | "model">;
+/** Gauge for active database connections */
+export declare const dbConnectionsActive: Gauge<string>;
+/** Gauge for active GraphQL subscriptions */
+export declare const activeSubscriptions: Gauge<string>;
+/** Gauge for active WebSocket connections */
+export declare const activeWebSocketConnections: Gauge<string>;
+/**
+ * Initializes Prometheus metrics collection.
+ *
+ * Registers default Node.js metrics (CPU, memory, event loop, GC) and
+ * application-specific metrics for HTTP, GraphQL, and database operations.
+ *
+ * Environment variables:
+ * - PROMETHEUS_METRICS_ENABLED: Explicit on/off ('true'/'false'). Defaults to on in production/staging.
+ *
+ * @returns true if metrics were initialized, false if disabled
+ */
+export declare function initMetrics(): boolean;
+/**
+ * Express middleware that records HTTP request metrics.
+ * Tracks request count and duration for each method/route/status combination.
+ *
+ * Should be mounted early in the middleware chain to capture all requests.
+ */
+export declare function metricsMiddleware(req: Request, res: Response, next: () => void): void;
+/**
+ * Creates an Apollo Server plugin that records GraphQL operation metrics.
+ *
+ * Tracks:
+ * - Operation count by type (query/mutation/subscription) and name
+ * - Operation duration
+ * - Error count by operation and error code
+ *
+ * @returns Apollo Server plugin configuration
+ */
+export declare function createMetricsPlugin(): {
+    requestDidStart: () => Promise<{
+        willSendResponse: (requestContext: {
+            operationName?: string | null;
+            operation?: {
+                operation: string;
+            } | null;
+            response: {
+                body: {
+                    kind: string;
+                    singleResult?: {
+                        errors?: ReadonlyArray<{
+                            extensions?: {
+                                code?: string;
+                            };
+                        }>;
+                    };
+                };
+            };
+        }) => Promise<void>;
+    }>;
+};
+/**
+ * Creates an Express router that exposes Prometheus metrics at GET /metrics.
+ *
+ * The endpoint returns metrics in Prometheus text exposition format.
+ * This should be scraped by a Prometheus server at regular intervals.
+ *
+ * Note: This endpoint should be protected in production (e.g., by firewall rules
+ * or by requiring a bearer token). It is excluded from rate limiting by default.
+ */
+export declare function createMetricsRouter(): Router;
+//# sourceMappingURL=metrics.d.ts.map

package/esm/config/metrics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metrics.d.ts","sourceRoot":"","sources":["../../../src/config/metrics.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EACL,QAAQ,EACR,OAAO,EACP,SAAS,EACT,KAAK,EAEN,MAAM,aAAa,CAAC;AAKrB;;;;GAIG;AACH,eAAO,MAAM,eAAe,sDAAiB,CAAC;AAO9C,mEAAmE;AACnE,eAAO,MAAM,iBAAiB,6CAK5B,CAAC;AAEH,qDAAqD;AACrD,eAAO,MAAM,mBAAmB,+CAM9B,CAAC;AAEH,uDAAuD;AACvD,eAAO,MAAM,sBAAsB,yDAKjC,CAAC;AAEH,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,gDAMnC,CAAC;AAEH,wDAAwD;AACxD,eAAO,MAAM,kBAAkB,6DAK7B,CAAC;AAMH,qDAAqD;AACrD,eAAO,MAAM,eAAe,kCAM1B,CAAC;AAEH,4CAA4C;AAC5C,eAAO,MAAM,mBAAmB,eAI9B,CAAC;AAMH,6CAA6C;AAC7C,eAAO,MAAM,mBAAmB,eAI9B,CAAC;AAEH,6CAA6C;AAC7C,eAAO,MAAM,0BAA0B,eAIrC,CAAC;AAiCH;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,IAAI,OAAO,CAmBrC;AAMD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,IAAI,GAAG,IAAI,CAoBrF;AAMD;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,IAAI;IACrC,eAAe,EAAE,MAAM,OAAO,CAAC;QAC7B,gBAAgB,EAAE,CAAC,cAAc,EAAE;YACjC,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;YAC9B,SAAS,CAAC,EAAE;gBAAE,SAAS,EAAE,MAAM,CAAA;aAAE,GAAG,IAAI,CAAC;YACzC,QAAQ,EAAE;gBAAE,IAAI,EAAE;oBAAE,IAAI,EAAE,MAAM,CAAC;oBAAC,YAAY,CAAC,EAAE;wBAAE,MAAM,CAAC,EAAE,aAAa,CAAC;4BAAE,UAAU,CAAC,EAAE;gCAAE,IAAI,CAAC,EAAE,MAAM,CAAA;6BAAE,CAAA;yBAAE,CAAC,CAAA;qBAAE,CAAA;iBAAE,CAAA;aAAE,CAAC;SACrH,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KACrB,CAAC,CAAC;CACJ,CAiDA;AAMD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAiB5C"}

package/esm/config/metrics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metrics.js","sourceRoot":"","sources":["../../../src/config/metrics.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqB,MAAM,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EACL,QAAQ,EACR,OAAO,EACP,SAAS,EACT,KAAK,EACL,qBAAqB,GACtB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAEzC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAEtC;;;;GAIG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,QAAQ,EAAE,CAAC;AAC9C,eAAe,CAAC,gBAAgB,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;AAE5D,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,mEAAmE;AACnE,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,OAAO,CAAC;IAC3C,IAAI,EAAE,qBAAqB;IAC3B,IAAI,EAAE,+BAA+B;IACrC,UAAU,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,aAAa,CAAU;IACvD,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,qDAAqD;AACrD,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,SAAS,CAAC;IAC/C,IAAI,EAAE,+BAA+B;IACrC,IAAI,EAAE,sCAAsC;IAC5C,UAAU,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,aAAa,CAAU;IACvD,OAAO,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;IAClE,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,uDAAuD;AACvD,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,OAAO,CAAC;IAChD,IAAI,EAAE,0BAA0B;IAChC,IAAI,EAAE,oCAAoC;IAC1C,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,QAAQ,CAAU;IACnE,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,0DAA0D;AAC1D,MAAM,CAAC,MAAM,wBAAwB,GAAG,IAAI,SAAS,CAAC;IACpD,IAAI,EAAE,oCAAoC;IAC1C,IAAI,EAAE,2CAA2C;IACjD,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAU;IACzD,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC;IACxD,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,wDAAwD;AACxD,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,OAAO,CAAC;IAC5C,IAAI,EAAE,sBAAsB;IAC5B,IAAI,EAAE,gCAAgC;IACtC,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,YAAY,CAAU;IACvE,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,qDAAqD;AACrD,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,SAAS,CAAC;IAC3C,IAAI,EAAE,2BAA2B;IACjC,IAAI,EAAE,yCAAyC;IAC/C,UAAU,EAAE,CAAC,WAAW,EAAE,OAAO,CAAU;IAC3C,OAAO,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;IAChE,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,4CAA4C;AAC5C,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,KAAK,CAAC;IAC3C,IAAI,EAAE,uBAAuB;IAC7B,IAAI,EAAE,qDAAqD;IAC3D,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E,6CAA6C;AAC7C,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,KAAK,CAAC;IAC3C,IAAI,EAAE,8BAA8B;IACpC,IAAI,EAAE,wCAAwC;IAC9C,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,KAAK,CAAC;IAClD,IAAI,EAAE,8BAA8B;IACpC,IAAI,EAAE,wCAAwC;IAC9C,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,8CAA8C;AAC9C,MAAM,WAAW,GAAG,IAAI,KAAK,CAAC;IAC5B,IAAI,EAAE,oBAAoB;IAC1B,IAAI,EAAE,+BAA+B;IACrC,SAAS,EAAE,CAAC,eAAe,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;AAE7B,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;GAIG;AACH,SAAS,gBAAgB;IACvB,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;IAC/D,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO,eAAe,KAAK,MAAM,IAAI,eAAe,KAAK,GAAG,CAAC;IAC/D,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa,CAAC;IAClD,OAAO,GAAG,KAAK,YAAY,IAAI,GAAG,KAAK,SAAS,CAAC;AACnD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW;IACzB,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE;YACvD,MAAM,EAAE,kEAAkE;SAC3E,CAAC,CAAC;QACH,OAAO,KAAK,CAAC;IACf,CAAC;IAED,uEAAuE;IACvE,qBAAqB,CAAC,EAAE,QAAQ,EAAE,eAAe,EAAE,CAAC,CAAC;IAErD,mCAAmC;IACnC,MAAM,yBAAyB,GAAG,KAAK,CAAC;IACxC,WAAW,CAAC,GAAG,EAAE;QACf,WAAW,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IACnD,CAAC,EAAE,yBAAyB,CAAC,CAAC;IAE9B,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAY,EAAE,GAAa,EAAE,IAAgB;IAC7E,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC;QACxB,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;IAEtC,GAAG,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;QACpB,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC;QAC3D,MAAM,eAAe,GAAG,UAAU,GAAG,GAAG,CAAC;QACzC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,EAAE,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,SAAS,CAAC;QACvD,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QAC1B,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAE1C,iBAAiB,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC,CAAC;QAClE,mBAAmB,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE,eAAe,CAAC,CAAC;IAC3F,CAAC,CAAC,CAAC;IAEH,IAAI,EAAE,CAAC;AACT,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB;IASjC,OAAO;QACL,KAAK,CAAC,eAAe;YACnB,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YAEtC,OAAO;gBACL,KAAK,CAAC,gBAAgB,CAAC,cAAc;oBACnC,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC;oBAC3D,MAAM,eAAe,GAAG,UAAU,GAAG,GAAG,CAAC;oBAEzC,MAAM,aAAa,GAAG,cAAc,CAAC,aAAa,IAAI,WAAW,CAAC;oBAClE,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,EAAE,SAAS,IAAI,SAAS,CAAC;oBAEvE,wBAAwB,CAAC,OAAO,CAC9B,EAAE,cAAc,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,EAChE,eAAe,CAChB,CAAC;oBAEF,MAAM,YAAY,GAAG,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAClD,MAAM,SAAS,GACb,YAAY,CAAC,IAAI,KAAK,QAAQ;wBAC9B,YAAY,CAAC,YAAY,EAAE,MAAM;wBACjC,YAAY,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;oBAE9C,IAAI,SAAS,IAAI,YAAY,CAAC,IAAI,KAAK,QAAQ,IAAI,YAAY,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;wBACrF,KAAK,MAAM,KAAK,IAAI,YAAY,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC;4BACrD,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,EAAE,IAAI,IAAI,uBAAuB,CAAC;4BACpE,kBAAkB,CAAC,GAAG,CAAC;gCACrB,cAAc,EAAE,aAAa;gCAC7B,cAAc,EAAE,aAAa;gCAC7B,UAAU,EAAE,MAAM,CAAC,SAAS,CAAC;6BAC9B,CAAC,CAAC;wBACL,CAAC;wBACD,sBAAsB,CAAC,GAAG,CAAC;4BACzB,cAAc,EAAE,aAAa;4BAC7B,cAAc,EAAE,aAAa;4BAC7B,MAAM,EAAE,OAAO;yBAChB,CAAC,CAAC;oBACL,CAAC;yBAAM,CAAC;wBACN,sBAAsB,CAAC,GAAG,CAAC;4BACzB,cAAc,EAAE,aAAa;4BAC7B,cAAc,EAAE,aAAa;4BAC7B,MAAM,EAAE,SAAS;yBAClB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;aACF,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAiB,EAAE;QAC3E,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,CAAC;YAChD,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,eAAe,CAAC,WAAW,CAAC,CAAC;YACrD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,YAAY,EAAE,CAAC;YACtB,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE;gBACzC,KAAK,EAAE,YAAY,YAAY,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC;aACnF,CAAC,CAAC;YACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/esm/config/metrics.mjs

@@ -0,0 +1,248 @@
+import { Router } from 'express';
+import { Registry, Counter, Histogram, Gauge, collectDefaultMetrics, } from 'prom-client';
+import { logger } from '../utils/logger.mjs';
+const SERVICE_NAME = 'backend-legacy';
+/**
+ * Dedicated Prometheus registry for backend-legacy metrics.
+ * Using a dedicated registry avoids conflicts with default Node.js metrics
+ * that might be registered by other libraries.
+ */
+export const metricsRegistry = new Registry();
+metricsRegistry.setDefaultLabels({ service: SERVICE_NAME });
+// ---------------------------------------------------------------------------
+// HTTP / GraphQL request metrics
+// ---------------------------------------------------------------------------
+/** Counts total HTTP requests by method, route, and status code */
+export const httpRequestsTotal = new Counter({
+    name: 'http_requests_total',
+    help: 'Total number of HTTP requests',
+    labelNames: ['method', 'route', 'status_code'],
+    registers: [metricsRegistry],
+});
+/** Histogram of HTTP request durations in seconds */
+export const httpRequestDuration = new Histogram({
+    name: 'http_request_duration_seconds',
+    help: 'Duration of HTTP requests in seconds',
+    labelNames: ['method', 'route', 'status_code'],
+    buckets: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10],
+    registers: [metricsRegistry],
+});
+/** Counts total GraphQL operations by type and name */
+export const graphqlOperationsTotal = new Counter({
+    name: 'graphql_operations_total',
+    help: 'Total number of GraphQL operations',
+    labelNames: ['operation_type', 'operation_name', 'status'],
+    registers: [metricsRegistry],
+});
+/** Histogram of GraphQL operation durations in seconds */
+export const graphqlOperationDuration = new Histogram({
+    name: 'graphql_operation_duration_seconds',
+    help: 'Duration of GraphQL operations in seconds',
+    labelNames: ['operation_type', 'operation_name'],
+    buckets: [0.01, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 30],
+    registers: [metricsRegistry],
+});
+/** Counts GraphQL errors by operation and error code */
+export const graphqlErrorsTotal = new Counter({
+    name: 'graphql_errors_total',
+    help: 'Total number of GraphQL errors',
+    labelNames: ['operation_type', 'operation_name', 'error_code'],
+    registers: [metricsRegistry],
+});
+// ---------------------------------------------------------------------------
+// Database metrics
+// ---------------------------------------------------------------------------
+/** Histogram of Prisma query durations in seconds */
+export const dbQueryDuration = new Histogram({
+    name: 'db_query_duration_seconds',
+    help: 'Duration of database queries in seconds',
+    labelNames: ['operation', 'model'],
+    buckets: [0.001, 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 5],
+    registers: [metricsRegistry],
+});
+/** Gauge for active database connections */
+export const dbConnectionsActive = new Gauge({
+    name: 'db_connections_active',
+    help: 'Number of active database connections (approximate)',
+    registers: [metricsRegistry],
+});
+// ---------------------------------------------------------------------------
+// WebSocket / Subscriptions metrics
+// ---------------------------------------------------------------------------
+/** Gauge for active GraphQL subscriptions */
+export const activeSubscriptions = new Gauge({
+    name: 'graphql_active_subscriptions',
+    help: 'Number of active GraphQL subscriptions',
+    registers: [metricsRegistry],
+});
+/** Gauge for active WebSocket connections */
+export const activeWebSocketConnections = new Gauge({
+    name: 'websocket_active_connections',
+    help: 'Number of active WebSocket connections',
+    registers: [metricsRegistry],
+});
+// ---------------------------------------------------------------------------
+// Application metrics
+// ---------------------------------------------------------------------------
+/** Gauge for application uptime in seconds */
+const uptimeGauge = new Gauge({
+    name: 'app_uptime_seconds',
+    help: 'Application uptime in seconds',
+    registers: [metricsRegistry],
+});
+const startedAt = Date.now();
+// ---------------------------------------------------------------------------
+// Initialization
+// ---------------------------------------------------------------------------
+/**
+ * Determines if metrics collection is enabled.
+ * Enabled by default in production/staging; can be explicitly controlled
+ * via PROMETHEUS_METRICS_ENABLED env var.
+ */
+function isMetricsEnabled() {
+    const explicitSetting = process.env.PROMETHEUS_METRICS_ENABLED;
+    if (explicitSetting !== undefined) {
+        return explicitSetting === 'true' || explicitSetting === '1';
+    }
+    const env = process.env.NODE_ENV || 'development';
+    return env === 'production' || env === 'staging';
+}
+/**
+ * Initializes Prometheus metrics collection.
+ *
+ * Registers default Node.js metrics (CPU, memory, event loop, GC) and
+ * application-specific metrics for HTTP, GraphQL, and database operations.
+ *
+ * Environment variables:
+ * - PROMETHEUS_METRICS_ENABLED: Explicit on/off ('true'/'false'). Defaults to on in production/staging.
+ *
+ * @returns true if metrics were initialized, false if disabled
+ */
+export function initMetrics() {
+    if (!isMetricsEnabled()) {
+        logger.info('Prometheus metrics collection is disabled', {
+            reason: 'PROMETHEUS_METRICS_ENABLED not set or environment is development',
+        });
+        return false;
+    }
+    // Register default Node.js metrics (memory, CPU, event loop lag, etc.)
+    collectDefaultMetrics({ register: metricsRegistry });
+    // Update uptime gauge periodically
+    const UPTIME_UPDATE_INTERVAL_MS = 15000;
+    setInterval(() => {
+        uptimeGauge.set((Date.now() - startedAt) / 1000);
+    }, UPTIME_UPDATE_INTERVAL_MS);
+    logger.info('Prometheus metrics initialized');
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Express middleware
+// ---------------------------------------------------------------------------
+/**
+ * Express middleware that records HTTP request metrics.
+ * Tracks request count and duration for each method/route/status combination.
+ *
+ * Should be mounted early in the middleware chain to capture all requests.
+ */
+export function metricsMiddleware(req, res, next) {
+    if (!isMetricsEnabled()) {
+        next();
+        return;
+    }
+    const start = process.hrtime.bigint();
+    res.on('finish', () => {
+        const durationNs = Number(process.hrtime.bigint() - start);
+        const durationSeconds = durationNs / 1e9;
+        const route = req.route?.path || req.path || 'unknown';
+        const method = req.method;
+        const statusCode = String(res.statusCode);
+        httpRequestsTotal.inc({ method, route, status_code: statusCode });
+        httpRequestDuration.observe({ method, route, status_code: statusCode }, durationSeconds);
+    });
+    next();
+}
+// ---------------------------------------------------------------------------
+// Apollo Server plugin
+// ---------------------------------------------------------------------------
+/**
+ * Creates an Apollo Server plugin that records GraphQL operation metrics.
+ *
+ * Tracks:
+ * - Operation count by type (query/mutation/subscription) and name
+ * - Operation duration
+ * - Error count by operation and error code
+ *
+ * @returns Apollo Server plugin configuration
+ */
+export function createMetricsPlugin() {
+    return {
+        async requestDidStart() {
+            const start = process.hrtime.bigint();
+            return {
+                async willSendResponse(requestContext) {
+                    const durationNs = Number(process.hrtime.bigint() - start);
+                    const durationSeconds = durationNs / 1e9;
+                    const operationName = requestContext.operationName || 'anonymous';
+                    const operationType = requestContext.operation?.operation || 'unknown';
+                    graphqlOperationDuration.observe({ operation_type: operationType, operation_name: operationName }, durationSeconds);
+                    const responseBody = requestContext.response.body;
+                    const hasErrors = responseBody.kind === 'single' &&
+                        responseBody.singleResult?.errors &&
+                        responseBody.singleResult.errors.length > 0;
+                    if (hasErrors && responseBody.kind === 'single' && responseBody.singleResult?.errors) {
+                        for (const error of responseBody.singleResult.errors) {
+                            const errorCode = error.extensions?.code || 'INTERNAL_SERVER_ERROR';
+                            graphqlErrorsTotal.inc({
+                                operation_type: operationType,
+                                operation_name: operationName,
+                                error_code: String(errorCode),
+                            });
+                        }
+                        graphqlOperationsTotal.inc({
+                            operation_type: operationType,
+                            operation_name: operationName,
+                            status: 'error',
+                        });
+                    }
+                    else {
+                        graphqlOperationsTotal.inc({
+                            operation_type: operationType,
+                            operation_name: operationName,
+                            status: 'success',
+                        });
+                    }
+                },
+            };
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Metrics endpoint
+// ---------------------------------------------------------------------------
+/**
+ * Creates an Express router that exposes Prometheus metrics at GET /metrics.
+ *
+ * The endpoint returns metrics in Prometheus text exposition format.
+ * This should be scraped by a Prometheus server at regular intervals.
+ *
+ * Note: This endpoint should be protected in production (e.g., by firewall rules
+ * or by requiring a bearer token). It is excluded from rate limiting by default.
+ */
+export function createMetricsRouter() {
+    const router = Router();
+    router.get('/metrics', async (_req, res) => {
+        try {
+            const metrics = await metricsRegistry.metrics();
+            res.set('Content-Type', metricsRegistry.contentType);
+            res.status(200).send(metrics);
+        }
+        catch (metricsError) {
+            logger.error('Failed to generate metrics', {
+                error: metricsError instanceof Error ? metricsError.message : String(metricsError),
+            });
+            res.status(500).send('Failed to generate metrics');
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=metrics.js.map

package/esm/config/persisted-queries.d.ts

@@ -0,0 +1,40 @@
+import { ApolloServerPluginCacheControlDisabled } from '@apollo/server/plugin/disabled';
+/**
+ * Simple in-memory key-value cache implementing Apollo's KeyValueCache interface.
+ * Provides LRU eviction when the cache reaches maximum capacity.
+ */
+export declare class InMemoryAPQCache {
+    private cache;
+    private readonly maxSize;
+    constructor(maxSize?: number);
+    get(key: string): Promise<string | undefined>;
+    set(key: string, value: string, options?: {
+        ttl?: number | null;
+    }): Promise<void>;
+    delete(key: string): Promise<boolean>;
+    /** Returns the current number of cached entries */
+    get size(): number;
+    /** Clears all cached entries */
+    clear(): void;
+}
+/**
+ * Determines if APQ (Automatic Persisted Queries) is enabled.
+ * Enabled by default. Disable via APQ_ENABLED=false.
+ */
+export declare function isAPQEnabled(): boolean;
+/**
+ * Creates and returns an APQ cache instance for use with Apollo Server.
+ *
+ * Apollo Server 5 enables APQ by default when a cache is available.
+ * To disable APQ entirely, set APQ_ENABLED=false.
+ *
+ * @returns The configured APQ cache, or undefined if APQ is disabled
+ */
+export declare function createAPQCache(): InMemoryAPQCache | undefined;
+/**
+ * Returns the Apollo Server cache control plugin configuration.
+ * When APQ is disabled, this returns the cache control disabled plugin
+ * to explicitly disable caching behavior.
+ */
+export declare function getCacheControlPlugin(): ReturnType<typeof ApolloServerPluginCacheControlDisabled> | undefined;
+//# sourceMappingURL=persisted-queries.d.ts.map

package/esm/config/persisted-queries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"persisted-queries.d.ts","sourceRoot":"","sources":["../../../src/config/persisted-queries.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sCAAsC,EAAE,MAAM,gCAAgC,CAAC;AAwCxF;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA0B;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,OAAO,CAAC,EAAE,MAAM;IAKtB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAgB7C,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAcjF,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI3C,mDAAmD;IACnD,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,gCAAgC;IAChC,KAAK,IAAI,IAAI;CAGd;AAED;;;GAGG;AACH,wBAAgB,YAAY,IAAI,OAAO,CAMtC;AAcD;;;;;;;GAOG;AACH,wBAAgB,cAAc,IAAI,gBAAgB,GAAG,SAAS,CAW7D;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,IAAI,UAAU,CAAC,OAAO,sCAAsC,CAAC,GAAG,SAAS,CAK7G"}

package/esm/config/persisted-queries.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"persisted-queries.js","sourceRoot":"","sources":["../../../src/config/persisted-queries.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sCAAsC,EAAE,MAAM,gCAAgC,CAAC;AACxF,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAEzC;;;GAGG;AACH,MAAM,yBAAyB,GAAG,CAAC,CAAC;AAEpC;;;GAGG;AACH,MAAM,sBAAsB,GAAG,IAAI,CAAC;AA2BpC;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACnB,KAAK,CAA0B;IACtB,OAAO,CAAS;IAEjC,YAAY,OAAgB;QAC1B,IAAI,CAAC,OAAO,GAAG,OAAO,IAAI,sBAAsB,CAAC;QACjD,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAE7B,uBAAuB;QACvB,IAAI,KAAK,CAAC,SAAS,KAAK,IAAI,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YAC7D,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,+DAA+D;QAC/D,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC3B,OAAO,KAAK,CAAC,KAAK,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa,EAAE,OAAiC;QACrE,oCAAoC;QACpC,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YACjD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,EAAE,GAAG,IAAI,yBAAyB,CAAC;QAC7D,MAAM,SAAS,GAAG,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QACzE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,mDAAmD;IACnD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;IAED,gCAAgC;IAChC,KAAK;QACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IACxC,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,OAAO,KAAK,OAAO,IAAI,OAAO,KAAK,GAAG,CAAC;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,eAAe;IACtB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAChD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC;YAAE,OAAO,MAAM,CAAC;IAClD,CAAC;IACD,OAAO,sBAAsB,CAAC;AAChC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC,YAAY,EAAE,EAAE,CAAC;QACpB,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC1D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAE5C,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC;IACpF,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB;IACnC,IAAI,CAAC,YAAY,EAAE,EAAE,CAAC;QACpB,OAAO,sCAAsC,EAAE,CAAC;IAClD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/esm/config/persisted-queries.mjs

@@ -0,0 +1,114 @@
+import { ApolloServerPluginCacheControlDisabled } from '@apollo/server/plugin/disabled';
+import { logger } from '../utils/logger.mjs';
+/**
+ * Default cache TTL for persisted query hashes in seconds.
+ * Set to 0 to disable TTL (hashes persist indefinitely in memory).
+ */
+const DEFAULT_CACHE_TTL_SECONDS = 0;
+/**
+ * Maximum size of the in-memory persisted query cache.
+ * Once exceeded, oldest entries are evicted (LRU).
+ */
+const DEFAULT_MAX_CACHE_SIZE = 1000;
+/**
+ * Simple in-memory key-value cache implementing Apollo's KeyValueCache interface.
+ * Provides LRU eviction when the cache reaches maximum capacity.
+ */
+export class InMemoryAPQCache {
+    cache;
+    maxSize;
+    constructor(maxSize) {
+        this.maxSize = maxSize || DEFAULT_MAX_CACHE_SIZE;
+        this.cache = new Map();
+    }
+    async get(key) {
+        const entry = this.cache.get(key);
+        if (!entry)
+            return undefined;
+        // Check TTL expiration
+        if (entry.expiresAt !== null && Date.now() > entry.expiresAt) {
+            this.cache.delete(key);
+            return undefined;
+        }
+        // Move to end for LRU ordering (Map preserves insertion order)
+        this.cache.delete(key);
+        this.cache.set(key, entry);
+        return entry.value;
+    }
+    async set(key, value, options) {
+        // Evict oldest entry if at capacity
+        if (this.cache.size >= this.maxSize && !this.cache.has(key)) {
+            const oldestKey = this.cache.keys().next().value;
+            if (oldestKey !== undefined) {
+                this.cache.delete(oldestKey);
+            }
+        }
+        const ttlSeconds = options?.ttl ?? DEFAULT_CACHE_TTL_SECONDS;
+        const expiresAt = ttlSeconds > 0 ? Date.now() + ttlSeconds * 1000 : null;
+        this.cache.set(key, { value, expiresAt });
+    }
+    async delete(key) {
+        return this.cache.delete(key);
+    }
+    /** Returns the current number of cached entries */
+    get size() {
+        return this.cache.size;
+    }
+    /** Clears all cached entries */
+    clear() {
+        this.cache.clear();
+    }
+}
+/**
+ * Determines if APQ (Automatic Persisted Queries) is enabled.
+ * Enabled by default. Disable via APQ_ENABLED=false.
+ */
+export function isAPQEnabled() {
+    const setting = process.env.APQ_ENABLED;
+    if (setting !== undefined) {
+        return setting !== 'false' && setting !== '0';
+    }
+    return true;
+}
+/**
+ * Resolves the maximum APQ cache size from environment variables.
+ */
+function getMaxCacheSize() {
+    const envValue = process.env.APQ_MAX_CACHE_SIZE;
+    if (envValue) {
+        const parsed = parseInt(envValue, 10);
+        if (!isNaN(parsed) && parsed > 0)
+            return parsed;
+    }
+    return DEFAULT_MAX_CACHE_SIZE;
+}
+/**
+ * Creates and returns an APQ cache instance for use with Apollo Server.
+ *
+ * Apollo Server 5 enables APQ by default when a cache is available.
+ * To disable APQ entirely, set APQ_ENABLED=false.
+ *
+ * @returns The configured APQ cache, or undefined if APQ is disabled
+ */
+export function createAPQCache() {
+    if (!isAPQEnabled()) {
+        logger.info('Automatic Persisted Queries (APQ) disabled');
+        return undefined;
+    }
+    const maxSize = getMaxCacheSize();
+    const cache = new InMemoryAPQCache(maxSize);
+    logger.info('Automatic Persisted Queries (APQ) enabled', { maxCacheSize: maxSize });
+    return cache;
+}
+/**
+ * Returns the Apollo Server cache control plugin configuration.
+ * When APQ is disabled, this returns the cache control disabled plugin
+ * to explicitly disable caching behavior.
+ */
+export function getCacheControlPlugin() {
+    if (!isAPQEnabled()) {
+        return ApolloServerPluginCacheControlDisabled();
+    }
+    return undefined;
+}
+//# sourceMappingURL=persisted-queries.js.map

package/esm/config/tracing.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Initializes OpenTelemetry tracing for the backend-legacy service.
+ *
+ * Configures:
+ * - HTTP instrumentation for incoming/outgoing HTTP requests
+ * - Express instrumentation for route-level spans
+ * - GraphQL instrumentation for resolver-level spans
+ * - OTLP HTTP exporter for sending traces to a collector (e.g., Jaeger, Grafana Tempo)
+ *
+ * Environment variables:
+ * - OTEL_TRACING_ENABLED: Explicit on/off ('true'/'false'). Defaults to on in production/staging.
+ * - OTEL_EXPORTER_OTLP_ENDPOINT: Collector endpoint (default: http://localhost:4318/v1/traces)
+ * - OTEL_SERVICE_NAME: Override service name (default: 'backend-legacy')
+ *
+ * Call this function before any other imports that need instrumentation (e.g., before Express/Apollo setup).
+ */
+export declare function initTracing(): void;
+/**
+ * Gracefully shuts down the OpenTelemetry SDK.
+ * Should be called during application shutdown (SIGTERM/SIGINT handlers).
+ * Flushes any pending spans before shutting down.
+ */
+export declare function shutdownTracing(): Promise<void>;
+//# sourceMappingURL=tracing.d.ts.map

package/esm/config/tracing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracing.d.ts","sourceRoot":"","sources":["../../../src/config/tracing.ts"],"names":[],"mappings":"AAiDA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,IAAI,IAAI,CAgDlC;AAED;;;;GAIG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAWrD"}

package/esm/config/tracing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracing.js","sourceRoot":"","sources":["../../../src/config/tracing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yCAAyC,CAAC;AAC5E,OAAO,EAAE,mBAAmB,EAAE,MAAM,qCAAqC,CAAC;AAC1E,OAAO,EAAE,sBAAsB,EAAE,MAAM,wCAAwC,CAAC;AAChF,OAAO,EAAE,sBAAsB,EAAE,MAAM,wCAAwC,CAAC;AAChF,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAC;AAC9F,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAEzC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAEtC;;;GAGG;AACH,SAAS,iBAAiB;IACxB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;QAC1C,OAAQ,GAAG,CAAC,OAAkB,IAAI,SAAS,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe;IACtB,OAAO,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,iCAAiC,CAAC;AACtF,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB;IACvB,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACzD,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO,eAAe,KAAK,MAAM,IAAI,eAAe,KAAK,GAAG,CAAC;IAC/D,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa,CAAC;IAClD,OAAO,GAAG,KAAK,YAAY,IAAI,GAAG,KAAK,SAAS,CAAC;AACnD,CAAC;AAED,IAAI,GAAG,GAAmB,IAAI,CAAC;AAE/B;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,WAAW;IACzB,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE;YAC/C,MAAM,EAAE,4DAA4D;SACrE,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IACnC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,YAAY,CAAC;IAClE,MAAM,cAAc,GAAG,iBAAiB,EAAE,CAAC;IAE3C,MAAM,aAAa,GAAG,IAAI,iBAAiB,CAAC;QAC1C,GAAG,EAAE,QAAQ;KACd,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,sBAAsB,CAAC;QACtC,CAAC,iBAAiB,CAAC,EAAE,WAAW;QAChC,CAAC,oBAAoB,CAAC,EAAE,cAAc;QACtC,wBAAwB,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa;KAChE,CAAC,CAAC;IAEH,GAAG,GAAG,IAAI,OAAO,CAAC;QAChB,QAAQ;QACR,cAAc,EAAE,CAAC,IAAI,kBAAkB,CAAC,aAAa,CAAC,CAAC;QACvD,gBAAgB,EAAE;YAChB,IAAI,mBAAmB,CAAC;gBACtB,yBAAyB,EAAE,CAAC,GAAG,EAAE,EAAE;oBACjC,oDAAoD;oBACpD,OAAO,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,UAAU,CAAC;gBACzD,CAAC;aACF,CAAC;YACF,IAAI,sBAAsB,EAAE;YAC5B,IAAI,sBAAsB,CAAC;gBACzB,UAAU,EAAE,IAAI;gBAChB,WAAW,EAAE,IAAI;gBACjB,KAAK,EAAE,CAAC;aACT,CAAC;SACH;KACF,CAAC,CAAC;IAEH,GAAG,CAAC,KAAK,EAAE,CAAC;IAEZ,MAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE;QAC/C,QAAQ;QACR,WAAW;QACX,cAAc;KACf,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,IAAI,GAAG,EAAE,CAAC;QACR,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QAC9D,CAAC;QAAC,OAAO,aAAa,EAAE,CAAC;YACvB,MAAM,CAAC,KAAK,CAAC,2CAA2C,EAAE;gBACxD,KAAK,EAAE,aAAa,YAAY,KAAK,CAAC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC;aACtF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC"}

package/esm/config/tracing.mjs

@@ -0,0 +1,122 @@
+import { NodeSDK } from '@opentelemetry/sdk-node';
+import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';
+import { HttpInstrumentation } from '@opentelemetry/instrumentation-http';
+import { ExpressInstrumentation } from '@opentelemetry/instrumentation-express';
+import { GraphQLInstrumentation } from '@opentelemetry/instrumentation-graphql';
+import { resourceFromAttributes } from '@opentelemetry/resources';
+import { ATTR_SERVICE_NAME, ATTR_SERVICE_VERSION } from '@opentelemetry/semantic-conventions';
+import { BatchSpanProcessor } from '@opentelemetry/sdk-trace-node';
+import { logger } from '../utils/logger.mjs';
+const SERVICE_NAME = 'backend-legacy';
+/**
+ * Reads the package version for trace resource attributes.
+ * Falls back to 'unknown' if the version cannot be determined.
+ */
+function getPackageVersion() {
+    try {
+        const pkg = require('../../package.json');
+        return pkg.version || 'unknown';
+    }
+    catch {
+        return 'unknown';
+    }
+}
+/**
+ * Resolves the OTLP endpoint from environment variables.
+ * Defaults to http://localhost:4318/v1/traces (standard OTLP HTTP endpoint).
+ */
+function getOtlpEndpoint() {
+    return process.env.OTEL_EXPORTER_OTLP_ENDPOINT || 'http://localhost:4318/v1/traces';
+}
+/**
+ * Determines if tracing is enabled.
+ * Disabled by default in development; enabled in production and staging.
+ * Can be explicitly controlled via OTEL_TRACING_ENABLED env var.
+ */
+function isTracingEnabled() {
+    const explicitSetting = process.env.OTEL_TRACING_ENABLED;
+    if (explicitSetting !== undefined) {
+        return explicitSetting === 'true' || explicitSetting === '1';
+    }
+    const env = process.env.NODE_ENV || 'development';
+    return env === 'production' || env === 'staging';
+}
+let sdk = null;
+/**
+ * Initializes OpenTelemetry tracing for the backend-legacy service.
+ *
+ * Configures:
+ * - HTTP instrumentation for incoming/outgoing HTTP requests
+ * - Express instrumentation for route-level spans
+ * - GraphQL instrumentation for resolver-level spans
+ * - OTLP HTTP exporter for sending traces to a collector (e.g., Jaeger, Grafana Tempo)
+ *
+ * Environment variables:
+ * - OTEL_TRACING_ENABLED: Explicit on/off ('true'/'false'). Defaults to on in production/staging.
+ * - OTEL_EXPORTER_OTLP_ENDPOINT: Collector endpoint (default: http://localhost:4318/v1/traces)
+ * - OTEL_SERVICE_NAME: Override service name (default: 'backend-legacy')
+ *
+ * Call this function before any other imports that need instrumentation (e.g., before Express/Apollo setup).
+ */
+export function initTracing() {
+    if (!isTracingEnabled()) {
+        logger.info('OpenTelemetry tracing is disabled', {
+            reason: 'OTEL_TRACING_ENABLED not set or environment is development',
+        });
+        return;
+    }
+    const endpoint = getOtlpEndpoint();
+    const serviceName = process.env.OTEL_SERVICE_NAME || SERVICE_NAME;
+    const serviceVersion = getPackageVersion();
+    const traceExporter = new OTLPTraceExporter({
+        url: endpoint,
+    });
+    const resource = resourceFromAttributes({
+        [ATTR_SERVICE_NAME]: serviceName,
+        [ATTR_SERVICE_VERSION]: serviceVersion,
+        'deployment.environment': process.env.NODE_ENV || 'development',
+    });
+    sdk = new NodeSDK({
+        resource,
+        spanProcessors: [new BatchSpanProcessor(traceExporter)],
+        instrumentations: [
+            new HttpInstrumentation({
+                ignoreIncomingRequestHook: (req) => {
+                    // Skip health check endpoints to reduce trace noise
+                    return req.url === '/health' || req.url === '/metrics';
+                },
+            }),
+            new ExpressInstrumentation(),
+            new GraphQLInstrumentation({
+                mergeItems: true,
+                allowValues: true,
+                depth: 5,
+            }),
+        ],
+    });
+    sdk.start();
+    logger.info('OpenTelemetry tracing initialized', {
+        endpoint,
+        serviceName,
+        serviceVersion,
+    });
+}
+/**
+ * Gracefully shuts down the OpenTelemetry SDK.
+ * Should be called during application shutdown (SIGTERM/SIGINT handlers).
+ * Flushes any pending spans before shutting down.
+ */
+export async function shutdownTracing() {
+    if (sdk) {
+        try {
+            await sdk.shutdown();
+            logger.info('OpenTelemetry tracing shut down successfully');
+        }
+        catch (shutdownError) {
+            logger.error('Error shutting down OpenTelemetry tracing', {
+                error: shutdownError instanceof Error ? shutdownError.message : String(shutdownError),
+            });
+        }
+    }
+}
+//# sourceMappingURL=tracing.js.map

package/esm/middleware/query-complexity.d.ts

@@ -0,0 +1,56 @@
+import { GraphQLSchema, DocumentNode } from 'graphql';
+/**
+ * Result of a query complexity check.
+ */
+interface ComplexityCheckResult {
+    /** The computed complexity score */
+    complexity: number;
+    /** Whether the query exceeds the maximum allowed complexity */
+    exceeded: boolean;
+    /** The maximum allowed complexity for this request */
+    maxComplexity: number;
+}
+/**
+ * Computes the complexity of a GraphQL document against a schema.
+ *
+ * Uses two estimators:
+ * 1. fieldExtensionsEstimator: Reads complexity from field extensions (set via schema directives)
+ * 2. simpleEstimator: Assigns a default cost of 1 per field as fallback
+ *
+ * @param schema - The GraphQL schema
+ * @param document - The parsed GraphQL document (AST)
+ * @param variables - Query variables (used for list size estimation)
+ * @param isAuthenticated - Whether the request is authenticated (affects limits)
+ * @returns The complexity check result
+ */
+export declare function checkQueryComplexity(schema: GraphQLSchema, document: DocumentNode, variables: Record<string, unknown>, isAuthenticated: boolean): ComplexityCheckResult;
+/**
+ * Creates an Apollo Server plugin that enforces query complexity and depth limits.
+ *
+ * The plugin runs before query execution and rejects queries that exceed
+ * configured complexity or depth thresholds.
+ *
+ * Environment variables:
+ * - GRAPHQL_MAX_COMPLEXITY_AUTH: Max complexity for authenticated users (default: 1000)
+ * - GRAPHQL_MAX_COMPLEXITY_UNAUTH: Max complexity for unauthenticated users (default: 200)
+ * - GRAPHQL_MAX_DEPTH: Max query depth (default: 10)
+ * - GRAPHQL_COMPLEXITY_ENABLED: Explicit on/off ('true'/'false'). Defaults to on in production/staging.
+ *
+ * @param schema - The GraphQL schema to validate against
+ * @returns Apollo Server plugin configuration
+ */
+export declare function createQueryComplexityPlugin(schema: GraphQLSchema): {
+    requestDidStart: () => Promise<{
+        didResolveOperation: (requestContext: {
+            document: DocumentNode;
+            request: {
+                variables?: Record<string, unknown> | null;
+            };
+            contextValue: {
+                user?: unknown;
+            };
+        }) => Promise<void>;
+    }>;
+};
+export {};
+//# sourceMappingURL=query-complexity.d.ts.map

package/esm/middleware/query-complexity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"query-complexity.d.ts","sourceRoot":"","sources":["../../../src/middleware/query-complexity.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AA+CtD;;GAEG;AACH,UAAU,qBAAqB;IAC7B,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,QAAQ,EAAE,OAAO,CAAC;IAClB,sDAAsD;IACtD,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,aAAa,EACrB,QAAQ,EAAE,YAAY,EACtB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClC,eAAe,EAAE,OAAO,GACvB,qBAAqB,CA8BvB;AA6BD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,aAAa,GAAG;IAClE,eAAe,EAAE,MAAM,OAAO,CAAC;QAC7B,mBAAmB,EAAE,CAAC,cAAc,EAAE;YACpC,QAAQ,EAAE,YAAY,CAAC;YACvB,OAAO,EAAE;gBAAE,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;aAAE,CAAC;YACxD,YAAY,EAAE;gBAAE,IAAI,CAAC,EAAE,OAAO,CAAA;aAAE,CAAC;SAClC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KACrB,CAAC,CAAC;CACJ,CAwDA"}

package/esm/middleware/query-complexity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"query-complexity.js","sourceRoot":"","sources":["../../../src/middleware/query-complexity.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,eAAe,EACf,wBAAwB,GACzB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAEzC;;;GAGG;AACH,MAAM,oCAAoC,GAAG,IAAI,CAAC;AAClD,MAAM,sCAAsC,GAAG,GAAG,CAAC;AACnD,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,eAAwB;IAChD,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;QACzD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YACtC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC;gBAAE,OAAO,MAAM,CAAC;QAClD,CAAC;QACD,OAAO,oCAAoC,CAAC;IAC9C,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;IAC3D,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC;YAAE,OAAO,MAAM,CAAC;IAClD,CAAC;IACD,OAAO,sCAAsC,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,WAAW;IAClB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC/C,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC;YAAE,OAAO,MAAM,CAAC;IAClD,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAcD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAqB,EACrB,QAAsB,EACtB,SAAkC,EAClC,eAAwB;IAExB,MAAM,aAAa,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,aAAa,CAAC;YAC/B,MAAM;YACN,KAAK,EAAE,QAAQ;YACf,SAAS;YACT,UAAU,EAAE;gBACV,wBAAwB,EAAE;gBAC1B,eAAe,CAAC,EAAE,iBAAiB,EAAE,CAAC,EAAE,CAAC;aAC1C;SACF,CAAC,CAAC;QAEH,OAAO;YACL,UAAU;YACV,QAAQ,EAAE,UAAU,GAAG,aAAa;YACpC,aAAa;SACd,CAAC;IACJ,CAAC;IAAC,OAAO,eAAe,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE;YACjD,KAAK,EAAE,eAAe,YAAY,KAAK,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC;SAC5F,CAAC,CAAC;QACH,+EAA+E;QAC/E,OAAO;YACL,UAAU,EAAE,CAAC;YACb,QAAQ,EAAE,KAAK;YACf,aAAa;SACd,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,iBAAiB,CAAC,QAAsB;IAC/C,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,SAAS,QAAQ,CAAC,IAAkF,EAAE,KAAa;QACjH,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;YACrB,QAAQ,GAAG,KAAK,CAAC;QACnB,CAAC;QACD,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,CAAC;gBACrD,QAAQ,CAAC,SAAyF,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YACjH,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,UAAU,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC9C,QAAQ,CAAC,UAA0F,EAAE,CAAC,CAAC,CAAC;IAC1G,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,2BAA2B,CAAC,MAAqB;IAS/D,MAAM,SAAS,GAAG,GAAY,EAAE;QAC9B,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;QAC/D,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,eAAe,KAAK,MAAM,IAAI,eAAe,KAAK,GAAG,CAAC;QAC/D,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa,CAAC;QAClD,OAAO,GAAG,KAAK,YAAY,IAAI,GAAG,KAAK,SAAS,CAAC;IACnD,CAAC,CAAC;IAEF,OAAO;QACL,KAAK,CAAC,eAAe;YACnB,OAAO;gBACL,KAAK,CAAC,mBAAmB,CAAC,cAAc;oBACtC,IAAI,CAAC,SAAS,EAAE;wBAAE,OAAO;oBAEzB,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,cAAc,CAAC;oBAC3D,MAAM,SAAS,GAAG,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAA4B,CAAC;oBACvE,MAAM,eAAe,GAAG,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;oBAEnD,oBAAoB;oBACpB,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;oBAC/B,MAAM,KAAK,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;oBAC1C,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;wBACrB,MAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE;4BAClC,KAAK;4BACL,QAAQ;4BACR,eAAe;yBAChB,CAAC,CAAC;wBACH,MAAM,IAAI,KAAK,CACb,kBAAkB,KAAK,qCAAqC,QAAQ,EAAE,CACvE,CAAC;oBACJ,CAAC;oBAED,yBAAyB;oBACzB,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;oBAClF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;wBACpB,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;4BACvC,UAAU,EAAE,MAAM,CAAC,UAAU;4BAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;4BACnC,eAAe;yBAChB,CAAC,CAAC;wBACH,MAAM,IAAI,KAAK,CACb,uBAAuB,MAAM,CAAC,UAAU,0CAA0C,MAAM,CAAC,aAAa,EAAE,CACzG,CAAC;oBACJ,CAAC;oBAED,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;wBAC5C,UAAU,EAAE,MAAM,CAAC,UAAU;wBAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;wBACnC,KAAK;qBACN,CAAC,CAAC;gBACL,CAAC;aACF,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/esm/middleware/query-complexity.mjs

@@ -0,0 +1,176 @@
+import { getComplexity, simpleEstimator, fieldExtensionsEstimator, } from 'graphql-query-complexity';
+import { logger } from '../utils/logger.mjs';
+/**
+ * Default query complexity limits per authentication level.
+ * These can be overridden via environment variables.
+ */
+const DEFAULT_MAX_COMPLEXITY_AUTHENTICATED = 1000;
+const DEFAULT_MAX_COMPLEXITY_UNAUTHENTICATED = 200;
+const DEFAULT_MAX_DEPTH = 10;
+/**
+ * Resolves the maximum allowed query complexity from environment variables or defaults.
+ *
+ * @param isAuthenticated - Whether the request is from an authenticated user
+ * @returns The maximum allowed complexity score
+ */
+function getMaxComplexity(isAuthenticated) {
+    if (isAuthenticated) {
+        const envValue = process.env.GRAPHQL_MAX_COMPLEXITY_AUTH;
+        if (envValue) {
+            const parsed = parseInt(envValue, 10);
+            if (!isNaN(parsed) && parsed > 0)
+                return parsed;
+        }
+        return DEFAULT_MAX_COMPLEXITY_AUTHENTICATED;
+    }
+    const envValue = process.env.GRAPHQL_MAX_COMPLEXITY_UNAUTH;
+    if (envValue) {
+        const parsed = parseInt(envValue, 10);
+        if (!isNaN(parsed) && parsed > 0)
+            return parsed;
+    }
+    return DEFAULT_MAX_COMPLEXITY_UNAUTHENTICATED;
+}
+/**
+ * Resolves the maximum allowed query depth.
+ */
+function getMaxDepth() {
+    const envValue = process.env.GRAPHQL_MAX_DEPTH;
+    if (envValue) {
+        const parsed = parseInt(envValue, 10);
+        if (!isNaN(parsed) && parsed > 0)
+            return parsed;
+    }
+    return DEFAULT_MAX_DEPTH;
+}
+/**
+ * Computes the complexity of a GraphQL document against a schema.
+ *
+ * Uses two estimators:
+ * 1. fieldExtensionsEstimator: Reads complexity from field extensions (set via schema directives)
+ * 2. simpleEstimator: Assigns a default cost of 1 per field as fallback
+ *
+ * @param schema - The GraphQL schema
+ * @param document - The parsed GraphQL document (AST)
+ * @param variables - Query variables (used for list size estimation)
+ * @param isAuthenticated - Whether the request is authenticated (affects limits)
+ * @returns The complexity check result
+ */
+export function checkQueryComplexity(schema, document, variables, isAuthenticated) {
+    const maxComplexity = getMaxComplexity(isAuthenticated);
+    try {
+        const complexity = getComplexity({
+            schema,
+            query: document,
+            variables,
+            estimators: [
+                fieldExtensionsEstimator(),
+                simpleEstimator({ defaultComplexity: 1 }),
+            ],
+        });
+        return {
+            complexity,
+            exceeded: complexity > maxComplexity,
+            maxComplexity,
+        };
+    }
+    catch (estimationError) {
+        logger.warn('Failed to estimate query complexity', {
+            error: estimationError instanceof Error ? estimationError.message : String(estimationError),
+        });
+        // On failure, allow the query to proceed to avoid blocking legitimate requests
+        return {
+            complexity: 0,
+            exceeded: false,
+            maxComplexity,
+        };
+    }
+}
+/**
+ * Checks query depth by counting nested selections.
+ *
+ * @param document - The parsed GraphQL document (AST)
+ * @returns The maximum depth found in the query
+ */
+function computeQueryDepth(document) {
+    let maxDepth = 0;
+    function traverse(node, depth) {
+        if (depth > maxDepth) {
+            maxDepth = depth;
+        }
+        if (node.selectionSet) {
+            for (const selection of node.selectionSet.selections) {
+                traverse(selection, depth + 1);
+            }
+        }
+    }
+    for (const definition of document.definitions) {
+        traverse(definition, 0);
+    }
+    return maxDepth;
+}
+/**
+ * Creates an Apollo Server plugin that enforces query complexity and depth limits.
+ *
+ * The plugin runs before query execution and rejects queries that exceed
+ * configured complexity or depth thresholds.
+ *
+ * Environment variables:
+ * - GRAPHQL_MAX_COMPLEXITY_AUTH: Max complexity for authenticated users (default: 1000)
+ * - GRAPHQL_MAX_COMPLEXITY_UNAUTH: Max complexity for unauthenticated users (default: 200)
+ * - GRAPHQL_MAX_DEPTH: Max query depth (default: 10)
+ * - GRAPHQL_COMPLEXITY_ENABLED: Explicit on/off ('true'/'false'). Defaults to on in production/staging.
+ *
+ * @param schema - The GraphQL schema to validate against
+ * @returns Apollo Server plugin configuration
+ */
+export function createQueryComplexityPlugin(schema) {
+    const isEnabled = () => {
+        const explicitSetting = process.env.GRAPHQL_COMPLEXITY_ENABLED;
+        if (explicitSetting !== undefined) {
+            return explicitSetting === 'true' || explicitSetting === '1';
+        }
+        const env = process.env.NODE_ENV || 'development';
+        return env === 'production' || env === 'staging';
+    };
+    return {
+        async requestDidStart() {
+            return {
+                async didResolveOperation(requestContext) {
+                    if (!isEnabled())
+                        return;
+                    const { document, request, contextValue } = requestContext;
+                    const variables = (request.variables || {});
+                    const isAuthenticated = Boolean(contextValue.user);
+                    // Check depth limit
+                    const maxDepth = getMaxDepth();
+                    const depth = computeQueryDepth(document);
+                    if (depth > maxDepth) {
+                        logger.warn('Query depth exceeded', {
+                            depth,
+                            maxDepth,
+                            isAuthenticated,
+                        });
+                        throw new Error(`Query depth of ${depth} exceeds maximum allowed depth of ${maxDepth}`);
+                    }
+                    // Check complexity limit
+                    const result = checkQueryComplexity(schema, document, variables, isAuthenticated);
+                    if (result.exceeded) {
+                        logger.warn('Query complexity exceeded', {
+                            complexity: result.complexity,
+                            maxComplexity: result.maxComplexity,
+                            isAuthenticated,
+                        });
+                        throw new Error(`Query complexity of ${result.complexity} exceeds maximum allowed complexity of ${result.maxComplexity}`);
+                    }
+                    logger.debug('Query complexity check passed', {
+                        complexity: result.complexity,
+                        maxComplexity: result.maxComplexity,
+                        depth,
+                    });
+                },
+            };
+        },
+    };
+}
+//# sourceMappingURL=query-complexity.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adaptic/backend-legacy",
-  "version": "0.0.48",
+  "version": "0.0.50",
   "description": "Backend executable CRUD functions with dynamic variables construction, and type definitions for the Adaptic AI platform.",
   "type": "module",
   "types": "index.d.ts",