npm - @lenne.tech/nest-server - Versions diffs - 11.17.0 → 11.18.0 - Mend

@lenne.tech/nest-server 11.17.0 → 11.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.17.0",
+  "version": "11.18.0",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -75,33 +75,33 @@
   "dependencies": {
     "@apollo/server": "5.4.0",
     "@as-integrations/express5": "1.1.2",
-    "@better-auth/passkey": "1.4.18",
+    "@better-auth/passkey": "1.5.4",
     "@getbrevo/brevo": "3.0.1",
     "@nestjs/apollo": "13.2.4",
-    "@nestjs/common": "11.1.13",
-    "@nestjs/core": "11.1.13",
+    "@nestjs/common": "11.1.16",
+    "@nestjs/core": "11.1.16",
     "@nestjs/graphql": "13.2.4",
     "@nestjs/jwt": "11.0.2",
     "@nestjs/mongoose": "11.0.4",
     "@nestjs/passport": "11.0.5",
-    "@nestjs/platform-express": "11.1.13",
+    "@nestjs/platform-express": "11.1.16",
     "@nestjs/schedule": "6.1.1",
     "@nestjs/swagger": "11.2.6",
-    "@nestjs/terminus": "11.0.0",
-    "@nestjs/websockets": "11.1.13",
+    "@nestjs/terminus": "11.1.1",
+    "@nestjs/websockets": "11.1.16",
     "@tus/file-store": "2.0.0",
     "@tus/server": "2.3.0",
-    "apollo-server-core": "3.13.0",
     "bcrypt": "6.0.0",
-    "better-auth": "1.4.18",
+    "better-auth": "1.5.4",
     "class-transformer": "0.5.1",
     "class-validator": "0.14.3",
     "compression": "1.8.1",
     "cookie-parser": "1.4.7",
-    "dotenv": "17.2.4",
-    "ejs": "4.0.1",
+    "dotenv": "17.3.1",
+    "ejs": "5.0.1",
     "express": "5.2.1",
-    "graphql": "16.12.0",
+    "graphql": "16.13.1",
     "graphql-query-complexity": "1.1.0",
     "graphql-subscriptions": "3.0.0",
     "graphql-upload": "15.0.2",
@@ -109,8 +109,8 @@
     "json-to-graphql-query": "2.3.0",
     "lodash": "4.17.23",
     "mongodb": "7.0.0",
-    "mongoose": "9.1.6",
-    "multer": "2.0.2",
+    "mongoose": "9.2.4",
+    "multer": "2.1.1",
     "node-mailjet": "6.0.11",
     "nodemailer": "8.0.1",
     "passport": "0.7.0",
@@ -124,32 +124,31 @@
     "@compodoc/compodoc": "1.2.1",
     "@nestjs/cli": "11.0.16",
     "@nestjs/schematics": "11.0.9",
-    "@nestjs/testing": "11.1.13",
-    "@swc/cli": "0.7.10",
-    "@swc/core": "1.15.11",
+    "@nestjs/testing": "11.1.16",
+    "@swc/cli": "0.8.0",
+    "@swc/core": "1.15.18",
     "@types/compression": "1.8.1",
     "@types/cookie-parser": "1.4.10",
     "@types/ejs": "3.1.5",
-    "@types/express": "4.17.21",
-    "@types/lodash": "4.17.23",
-    "@types/multer": "2.0.0",
-    "@types/node": "25.2.2",
-    "@types/nodemailer": "7.0.9",
+    "@types/express": "5.0.6",
+    "@types/lodash": "4.17.24",
+    "@types/multer": "2.1.0",
+    "@types/node": "25.3.5",
+    "@types/nodemailer": "7.0.11",
     "@types/passport": "1.0.17",
-    "@types/supertest": "6.0.3",
+    "@types/supertest": "7.2.0",
     "@vitest/coverage-v8": "4.0.18",
     "@vitest/ui": "4.0.18",
     "ansi-colors": "4.1.3",
     "find-file-up": "2.0.1",
     "husky": "9.1.7",
-    "nodemon": "3.1.11",
+    "nodemon": "3.1.14",
     "npm-watch": "0.13.0",
     "otpauth": "9.5.0",
-    "oxfmt": "0.28.0",
-    "oxlint": "1.43.0",
-    "rimraf": "6.1.2",
+    "oxfmt": "0.36.0",
+    "oxlint": "1.51.0",
+    "rimraf": "6.1.3",
     "supertest": "7.2.2",
-    "ts-loader": "9.5.4",
     "ts-morph": "27.0.2",
     "ts-node": "10.9.2",
     "tsconfig-paths": "4.2.0",
@@ -158,7 +157,7 @@
     "unplugin-swc": "1.5.9",
     "vite": "7.3.1",
     "vite-plugin-node": "7.0.0",
-    "vite-tsconfig-paths": "6.1.0",
+    "vite-tsconfig-paths": "6.1.1",
     "vitest": "4.0.18"
   },
   "main": "dist/index.js",
@@ -178,7 +177,13 @@
   "packageManager": "pnpm@10.29.2",
   "pnpm": {
     "overrides": {
-      "qs": "6.14.2"
+      "minimatch@<3.1.4": "3.1.4",
+      "minimatch@>=9.0.0 <9.0.7": "9.0.7",
+      "minimatch@>=10.0.0 <10.2.3": "10.2.4",
+      "rollup@>=4.0.0 <4.59.0": "4.59.0",
+      "serialize-javascript@<=7.0.2": "7.0.4",
+      "ajv@<6.14.0": "6.14.0",
+      "ajv@>=7.0.0-alpha.0 <8.18.0": "8.18.0"
     },
     "onlyBuiltDependencies": [
       "bcrypt",

package/src/config.env.ts CHANGED Viewed

@@ -123,7 +123,7 @@ const config: { [env: string]: IServerOptions } = {
       collation: {
         locale: 'de',
       },
-      modelDocumentation: true,
+      modelDocumentation: false,
       uri: 'mongodb://127.0.0.1/nest-server-ci',
     },
     permissions: true,
@@ -369,7 +369,7 @@ const config: { [env: string]: IServerOptions } = {
       collation: {
         locale: 'de',
       },
-      modelDocumentation: true,
+      modelDocumentation: false,
       uri: 'mongodb://127.0.0.1/nest-server-e2e',
     },
     permissions: true,

package/src/core/common/decorators/response-model.decorator.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { SetMetadata } from '@nestjs/common';
+import { CoreModel } from '../models/core-model.model';
+/**
+ * Metadata key used to store the explicit response model class on a handler.
+ * Shared between the @ResponseModel() decorator and interceptor.helper.ts.
+ */
+export const RESPONSE_MODEL_KEY = 'response_model_class';
+/**
+ * Decorator to explicitly specify the model class for automatic response conversion.
+ *
+ * In most cases this is NOT needed because the type is resolved automatically:
+ * - GraphQL: from @Query/@Mutation return type metadata
+ * - REST: from @ApiOkResponse({ type: Model }) / @ApiCreatedResponse({ type: Model })
+ *
+ * Use this decorator only when automatic resolution fails or when no Swagger
+ * decorators are present on a REST endpoint.
+ *
+ * @example
+ * ```typescript
+ * @ResponseModel(User)
+ * @Get(':id')
+ * async getUser(@Param('id') id: string): Promise<User> {
+ *   return this.userService.mainDbModel.findById(id).exec();
+ * }
+ * ```
+ */
+export const ResponseModel = (modelClass: new (...args: any[]) => CoreModel) =>
+  SetMetadata(RESPONSE_MODEL_KEY, modelClass);

package/src/core/common/helpers/db.helper.ts CHANGED Viewed

@@ -626,8 +626,8 @@ export async function setPopulates<T = Document | Query<any, any>>(
   // Query => Chaining
   if (queryOrDocument instanceof Query) {
-    for (const options of populateOptions) {
-      queryOrDocument = (queryOrDocument as any).populate(options);
+    for (const populateOption of populateOptions) {
+      queryOrDocument = (queryOrDocument as any).populate(populateOption);
     }
     // Document => Non chaining

package/src/core/common/helpers/filter.helper.ts CHANGED Viewed

@@ -177,7 +177,7 @@ export function generateFilterQuery<T = any>(
   // Process single filter
   if (filter.singleFilter) {
     // Init variables
-    const { convertToObjectId, isReference, not, options } = filter.singleFilter;
+    const { convertToObjectId, isReference, not, options: filterOptions } = filter.singleFilter;
     let field = filter.singleFilter.field;
     let value = filter.singleFilter.value;
@@ -232,11 +232,11 @@ export function generateFilterQuery<T = any>(
         result[field] = not
           ? {
               $not: {
-                $options: options || '',
+                $options: filterOptions || '',
                 $regex: new RegExp(value),
               },
             }
-          : { $options: options || '', $regex: new RegExp(value) };
+          : { $options: filterOptions || '', $regex: new RegExp(value) };
         break;
     }
   }

package/src/core/common/helpers/input.helper.ts CHANGED Viewed

@@ -388,9 +388,9 @@ export function clone(object: any, options?: { checkResult?: boolean; circles?:
           throw new Error('Cloned object differs from original object', { cause: e });
         }
         return clonedWithCircles;
-      } catch (e) {
+      } catch (innerError) {
         if (config.debug) {
-          console.debug(e, 'rfcd with circles did not work => automatic use of _.clone!');
+          console.debug(innerError, 'rfcd with circles did not work => automatic use of _.clone!');
         }
         return _.cloneDeep(object);
       }

package/src/core/common/helpers/interceptor.helper.ts ADDED Viewed

@@ -0,0 +1,132 @@
+import { ExecutionContext } from '@nestjs/common';
+import { GqlExecutionContext } from '@nestjs/graphql';
+import { RESPONSE_MODEL_KEY } from '../decorators/response-model.decorator';
+import { CoreModel } from '../models/core-model.model';
+// Cache: handler function → resolved model class (or null)
+// Handler references are stable per route, so the cache is bounded by the number of routes.
+const resolvedModelCache = new Map<Function, (new (...args: any[]) => CoreModel) | null>();
+/**
+ * Resolve the expected model class for a handler's response.
+ * Results are cached per handler function for zero-cost subsequent lookups.
+ *
+ * Priority:
+ * 1. Explicit @ResponseModel(ModelClass) decorator
+ * 2. GraphQL TypeMetadataStorage lookup (automatic for @Query/@Mutation)
+ * 3. Swagger @ApiOkResponse / @ApiCreatedResponse type (automatic for REST)
+ * 4. null (no auto-mapping)
+ */
+export function resolveResponseModelClass(context: ExecutionContext): (new (...args: any[]) => CoreModel) | null {
+  const handler = context.getHandler();
+  // Return cached result (hit after first request per route)
+  if (resolvedModelCache.has(handler)) {
+    return resolvedModelCache.get(handler);
+  }
+  const result = resolveResponseModelClassUncached(context, handler);
+  resolvedModelCache.set(handler, result);
+  return result;
+}
+function resolveResponseModelClassUncached(
+  context: ExecutionContext,
+  handler: Function,
+): (new (...args: any[]) => CoreModel) | null {
+  // 1. Explicit @ResponseModel decorator
+  const explicit = Reflect.getMetadata(RESPONSE_MODEL_KEY, handler);
+  if (explicit) {
+    return explicit;
+  }
+  // 2. GraphQL TypeMetadataStorage lookup
+  try {
+    const gqlContext = GqlExecutionContext.create(context);
+    const info = gqlContext.getInfo?.();
+    if (info) {
+      return resolveFromGraphQlMetadata(context);
+    }
+  } catch {
+    // Not a GraphQL context
+  }
+  // 3. Swagger @ApiOkResponse / @ApiCreatedResponse type (for REST controllers)
+  const swaggerType = resolveFromSwaggerMetadata(handler);
+  if (swaggerType) {
+    return swaggerType;
+  }
+  return null;
+}
+/**
+ * Resolve model class from GraphQL @Query/@Mutation metadata
+ */
+function resolveFromGraphQlMetadata(context: ExecutionContext): (new (...args: any[]) => CoreModel) | null {
+  try {
+    // Uses @nestjs/graphql internal path to access TypeMetadataStorage — the only way to resolve
+    // @Query/@Mutation return types at runtime. This path has been stable since @nestjs/graphql v10.
+    // Wrapped in try/catch so a path change in a future version degrades gracefully (returns null).
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { TypeMetadataStorage } = require('@nestjs/graphql/dist/schema-builder/storages/type-metadata.storage');
+    const handler = context.getHandler();
+    const target = context.getClass();
+    const methodName = handler.name;
+    // Search queries and mutations
+    const allMetadata = [...TypeMetadataStorage.getQueriesMetadata(), ...TypeMetadataStorage.getMutationsMetadata()];
+    const meta = allMetadata.find((m: any) => m.target === target && m.methodName === methodName);
+    if (meta?.typeFn) {
+      const resolvedType = meta.typeFn();
+      if (resolvedType && typeof resolvedType === 'function' && isCoreModelSubclass(resolvedType)) {
+        return resolvedType as new (...args: any[]) => CoreModel;
+      }
+    }
+  } catch {
+    // TypeMetadataStorage not available or other issue
+  }
+  return null;
+}
+/**
+ * Resolve model class from Swagger @ApiOkResponse / @ApiCreatedResponse metadata.
+ * Reads the `type` from the response metadata stored by @nestjs/swagger decorators.
+ */
+function resolveFromSwaggerMetadata(handler: Function): (new (...args: any[]) => CoreModel) | null {
+  try {
+    const SWAGGER_API_RESPONSE_KEY = 'swagger/apiResponse';
+    const responses = Reflect.getMetadata(SWAGGER_API_RESPONSE_KEY, handler);
+    if (!responses || typeof responses !== 'object') {
+      return null;
+    }
+    // Check common success status codes (200 OK, 201 Created)
+    for (const statusCode of [200, 201]) {
+      const responseMeta = responses[statusCode];
+      if (responseMeta?.type && typeof responseMeta.type === 'function' && isCoreModelSubclass(responseMeta.type)) {
+        return responseMeta.type as new (...args: any[]) => CoreModel;
+      }
+    }
+  } catch {
+    // Swagger not available or metadata not found
+  }
+  return null;
+}
+function isCoreModelSubclass(cls: Function): boolean {
+  let proto = cls.prototype;
+  while (proto) {
+    if (proto.constructor === CoreModel || proto.constructor?.name === 'CoreModel') {
+      return true;
+    }
+    proto = Object.getPrototypeOf(proto);
+  }
+  return false;
+}

package/src/core/common/helpers/service.helper.ts CHANGED Viewed

@@ -336,7 +336,7 @@ export function prepareServiceOptions(
   return serviceOptions;
 }
-function applyTranslationsRecursively(obj: any, language: string, visited: WeakSet<object> = new WeakSet()) {
+export function applyTranslationsRecursively(obj: any, language: string, visited: WeakSet<object> = new WeakSet()) {
   if (typeof obj !== 'object' || obj === null) {
     return;
   }

package/src/core/common/interceptors/check-security.interceptor.ts CHANGED Viewed

@@ -15,6 +15,8 @@ export class CheckSecurityInterceptor implements NestInterceptor {
   config = {
     debug: false,
     noteCheckedObjects: true,
+    removeSecretFields: true,
+    secretFields: ['password', 'verificationToken', 'passwordResetToken', 'refreshTokens', 'tempTokens'],
   };
   constructor(private readonly configService: ConfigService) {
@@ -22,6 +24,11 @@ export class CheckSecurityInterceptor implements NestInterceptor {
     if (typeof configuration === 'object') {
       this.config = { ...this.config, ...configuration };
     }
+    // Allow overriding secretFields from security config
+    const globalSecretFields = this.configService.getFastButReadOnly('security.secretFields');
+    if (Array.isArray(globalSecretFields)) {
+      this.config.secretFields = globalSecretFields;
+    }
   }
   intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
@@ -99,8 +106,44 @@ export class CheckSecurityInterceptor implements NestInterceptor {
       );
     };
+    // Fallback: Remove known secret fields regardless of model type (recursive into plain objects)
+    const isPlainLike = (val: any): boolean => {
+      if (!val || typeof val !== 'object' || Array.isArray(val)) return false;
+      // Skip Streams, Buffers, Dates, RegExps and other special objects
+      if (typeof val.pipe === 'function') return false;
+      if (Buffer.isBuffer(val)) return false;
+      if (val instanceof Date || val instanceof RegExp) return false;
+      const proto = Object.getPrototypeOf(val);
+      return proto === null || proto === Object.prototype || typeof val.constructor === 'function';
+    };
+    const removeSecrets = (data: any) => {
+      if (!this.config.removeSecretFields || !data || typeof data !== 'object') {
+        return data;
+      }
+      if (Array.isArray(data)) {
+        data.forEach(removeSecrets);
+        return data;
+      }
+      if (!isPlainLike(data)) {
+        return data;
+      }
+      for (const field of this.config.secretFields) {
+        if (field in data && data[field] !== undefined) {
+          data[field] = undefined;
+        }
+      }
+      // Recurse into nested plain objects
+      for (const key of Object.keys(data)) {
+        const value = data[key];
+        if (value && typeof value === 'object' && !this.config.secretFields.includes(key)) {
+          removeSecrets(value);
+        }
+      }
+      return data;
+    };
     // Check response
-    const result = next.handle().pipe(map(check));
+    const result = next.handle().pipe(map(check), map(removeSecrets));
     if (this.config.debug && Date.now() - start >= (typeof this.config.debug === 'number' ? this.config.debug : 100)) {
       console.warn(
         `Duration for CheckResponseInterceptor is too long: ${Date.now() - start}ms`,

package/src/core/common/interceptors/response-model.interceptor.ts ADDED Viewed

@@ -0,0 +1,135 @@
+import { CallHandler, ExecutionContext, Injectable, Logger, NestInterceptor } from '@nestjs/common';
+import { Observable } from 'rxjs';
+import { map } from 'rxjs/operators';
+import { resolveResponseModelClass } from '../helpers/interceptor.helper';
+import { CoreModel } from '../models/core-model.model';
+import { ConfigService } from '../services/config.service';
+import { ModelRegistry } from '../services/model-registry.service';
+/**
+ * Interceptor that automatically converts plain objects and Mongoose documents
+ * to CoreModel instances, enabling securityCheck() and @Restricted metadata.
+ *
+ * This is the safety net that ensures output security even when developers
+ * bypass CrudService.process() and use direct Mongoose queries.
+ *
+ * Execution order on response (NestJS runs APP_INTERCEPTOR in reverse registration order):
+ * 1. ResponseModelInterceptor (registered last → runs first on response)
+ * 2. CheckSecurityInterceptor (processes securityCheck())
+ * 3. CheckResponseInterceptor (filters @Restricted fields)
+ */
+@Injectable()
+export class ResponseModelInterceptor implements NestInterceptor {
+  private readonly logger = new Logger(ResponseModelInterceptor.name);
+  private config = {
+    debug: false,
+  };
+  constructor(private readonly configService: ConfigService) {
+    const configuration = this.configService.getFastButReadOnly('security.responseModelInterceptor');
+    if (typeof configuration === 'object') {
+      this.config = { ...this.config, ...configuration };
+    }
+  }
+  intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
+    const modelClass = resolveResponseModelClass(context);
+    return next.handle().pipe(
+      map((data) => {
+        if (!modelClass || data === null || data === undefined || typeof data !== 'object') {
+          return data;
+        }
+        // Already the correct model instance
+        if (data instanceof modelClass) {
+          return data;
+        }
+        // Already processed by another interceptor
+        if (data._objectAlreadyCheckedForRestrictions) {
+          return data;
+        }
+        return this.convertToModel(data, modelClass, context);
+      }),
+    );
+  }
+  private convertToModel(data: any, modelClass: new (...args: any[]) => CoreModel, context: ExecutionContext): any {
+    // Scalars/primitives pass through
+    if (typeof data !== 'object' || data === null) {
+      return data;
+    }
+    // Array of items
+    if (Array.isArray(data)) {
+      return data.map((item) => this.convertSingleItem(item, modelClass, context));
+    }
+    // Paginated wrapper objects from CrudService (e.g. { items: [...], totalCount, pagination })
+    // Identified by 'items' array + pagination markers to avoid false positives on models with 'items' field
+    if (Array.isArray(data.items) && ('totalCount' in data || 'pagination' in data)) {
+      data.items = data.items.map((item: any) => this.convertSingleItem(item, modelClass, context));
+      return data;
+    }
+    // Single object
+    return this.convertSingleItem(data, modelClass, context);
+  }
+  private convertSingleItem(item: any, modelClass: new (...args: any[]) => CoreModel, context: ExecutionContext): any {
+    if (item === null || item === undefined || typeof item !== 'object') {
+      return item;
+    }
+    // Already the correct type
+    if (item instanceof modelClass) {
+      return item;
+    }
+    // Already processed
+    if (item._objectAlreadyCheckedForRestrictions) {
+      return item;
+    }
+    // Convert Mongoose document to plain object first
+    const plain = typeof item.toObject === 'function' ? item.toObject() : item;
+    try {
+      const mapped = (modelClass as any).map(plain);
+      if (this.config.debug) {
+        const className = context.getClass()?.name;
+        const methodName = context.getHandler()?.name;
+        this.logger.warn(
+          `Auto-converted plain object to ${modelClass.name} in ${className}.${methodName}. Consider using CrudService methods.`,
+        );
+      }
+      return mapped;
+    } catch {
+      // If mapping fails, try resolving via ModelRegistry using the Mongoose model name
+      return this.tryRegistryFallback(plain) || item;
+    }
+  }
+  private tryRegistryFallback(item: any): any {
+    // Mongoose documents have a collection property with modelName
+    const modelName = item?.constructor?.modelName || item?.collection?.modelName;
+    if (!modelName) {
+      return null;
+    }
+    const registeredClass = ModelRegistry.getModelClass(modelName);
+    if (!registeredClass) {
+      return null;
+    }
+    try {
+      const plain = typeof item.toObject === 'function' ? item.toObject() : item;
+      return (registeredClass as any).map(plain);
+    } catch {
+      return null;
+    }
+  }
+}

package/src/core/common/interceptors/translate-response.interceptor.ts ADDED Viewed

@@ -0,0 +1,104 @@
+import { CallHandler, ExecutionContext, Injectable, NestInterceptor } from '@nestjs/common';
+import { GqlContextType, GqlExecutionContext } from '@nestjs/graphql';
+import { Observable } from 'rxjs';
+import { map } from 'rxjs/operators';
+import { applyTranslationsRecursively } from '../helpers/service.helper';
+/**
+ * Interceptor that automatically applies translations from _translations
+ * based on the Accept-Language header of the request.
+ *
+ * This ensures translations work even when developers bypass CrudService.process()
+ * and use direct Mongoose operations.
+ *
+ * Execution order on response:
+ * 1. ResponseModelInterceptor (plain → model)
+ * 2. TranslateResponseInterceptor (applies translations) ← THIS
+ * 3. CheckSecurityInterceptor (securityCheck())
+ * 4. CheckResponseInterceptor (@Restricted fields)
+ */
+@Injectable()
+export class TranslateResponseInterceptor implements NestInterceptor {
+  intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
+    const language = this.getLanguage(context);
+    if (!language) {
+      return next.handle();
+    }
+    return next.handle().pipe(
+      map((data) => {
+        if (!data || typeof data !== 'object') {
+          return data;
+        }
+        this.applyTranslations(data, language);
+        return data;
+      }),
+    );
+  }
+  private applyTranslations(data: any, language: string): void {
+    // Early bailout: skip if no _translations anywhere in the response
+    if (!this.hasTranslations(data)) {
+      return;
+    }
+    if (Array.isArray(data)) {
+      for (const item of data) {
+        if (item && typeof item === 'object') {
+          applyTranslationsRecursively(item, language);
+        }
+      }
+    } else if (data.items && Array.isArray(data.items)) {
+      // Wrapper objects (e.g. { items: [...], totalCount })
+      for (const item of data.items) {
+        if (item && typeof item === 'object') {
+          applyTranslationsRecursively(item, language);
+        }
+      }
+    } else {
+      applyTranslationsRecursively(data, language);
+    }
+  }
+  /**
+   * Quick check if _translations exists at the top level of the response.
+   * Avoids expensive recursive traversal when no translations are present.
+   */
+  private hasTranslations(data: any): boolean {
+    if (!data || typeof data !== 'object') {
+      return false;
+    }
+    if (Array.isArray(data)) {
+      return data.length > 0 && data[0] && typeof data[0] === 'object' && '_translations' in data[0];
+    }
+    if (data.items && Array.isArray(data.items)) {
+      return (
+        data.items.length > 0 && data.items[0] && typeof data.items[0] === 'object' && '_translations' in data.items[0]
+      );
+    }
+    return '_translations' in data;
+  }
+  private getLanguage(context: ExecutionContext): string | null {
+    // GraphQL context
+    try {
+      if (context.getType<GqlContextType>() === 'graphql') {
+        const gqlContext = GqlExecutionContext.create(context);
+        const req = gqlContext.getContext()?.req;
+        return req?.headers?.['accept-language'] || null;
+      }
+    } catch {
+      // Not a GraphQL context
+    }
+    // HTTP context
+    try {
+      const req = context.switchToHttp()?.getRequest();
+      return req?.headers?.['accept-language'] || null;
+    } catch {
+      return null;
+    }
+  }
+}