@nexus_js/graphql 0.9.3

package/dist/handler.d.ts

@@ -0,0 +1,142 @@
+/**
+ * Nexus GraphQL Handler — createGraphQLHandler()
+ *
+ * Returns a (request: Request, ctx: NexusContext) → Promise<Response> function
+ * compatible with the Nexus server `mounts` option.
+ *
+ * What this handler does
+ * ──────────────────────
+ *  1. Handles CORS preflight (OPTIONS) so browser clients don't get blocked.
+ *     Important: Nexus's own CSP/security headers are added by the server on
+ *     top — we never fight over the same header names.
+ *
+ *  2. Parses and validates the incoming GraphQL request (GET, POST JSON,
+ *     POST application/graphql) — no Express, no middleware.
+ *
+ *  3. Rejects introspection in production mode (configurable).
+ *
+ *  4. Runs the Shield complexity & depth analysis on the parsed AST *before*
+ *     calling execute() — saves CPU on malicious queries.
+ *
+ *  5. Calls graphql.execute() with the context you provide.
+ *
+ *  6. Applies field masking on the result.
+ *
+ *  7. Limits per-operation request rate using the built-in rate-limit helpers.
+ *
+ * Usage (in nexus.config.ts / server startup)
+ * ─────────────────────────────────────────────
+ *  import { createGraphQLHandler } from '@nexus_js/graphql';
+ *  import { schema } from './graphql/schema.js';
+ *  import { createBatchLoader } from '@nexus_js/graphql';
+ *
+ *  const gqlHandler = createGraphQLHandler({
+ *    schema,
+ *    dev: process.env.NODE_ENV !== 'production',
+ *    cors: { origins: ['https://app.example.com'], credentials: true },
+ *    shield: { maxCost: 500, maxDepth: 8 },
+ *    mask: {
+ *      'User.passwordHash': null,
+ *      'PaymentCard.cvv':   'REDACTED',
+ *    },
+ *    context: (request, nexusCtx) => ({
+ *      ...nexusCtx,
+ *      loaders: {
+ *        user: createBatchLoader(ids => db.users.findMany({ where: { id: { in: ids } } })),
+ *      },
+ *    }),
+ *  });
+ *
+ *  // In createNexusServer():
+ *  mounts: [{ path: '/graphql', handler: gqlHandler }]
+ *
+ * CORS notes
+ * ──────────
+ *  - `cors.origins: '*'` + `cors.credentials: true` is rejected (browser security requirement).
+ *  - For non-CORS requests (same-origin or CLI tools) the `Access-Control-*` headers are not added.
+ *  - Nexus's hardened security headers are added by the server on top; they don't override CORS.
+ */
+import type { GraphQLSchema } from 'graphql';
+import { type ComplexityConfig } from './complexity.js';
+import { type MaskPolicy } from './mask.js';
+export interface MinimalNexusContext {
+    request: Request;
+    secrets: ReadonlyMap<string, string>;
+    locals: Record<string, unknown>;
+    [key: string]: unknown;
+}
+export interface CorsConfig {
+    /**
+     * Allowed origins. Use `'*'` for open access (incompatible with `credentials: true`).
+     * Can also be an array of exact origin strings, or a predicate.
+     */
+    origins: '*' | string[] | ((origin: string) => boolean);
+    /**
+     * Whether to allow cookies / auth headers.
+     * Cannot be combined with `origins: '*'` — the browser will reject this.
+     */
+    credentials?: boolean;
+    /** Extra headers allowed in the request (merged with GraphQL defaults). */
+    allowHeaders?: string[];
+    /** Cache preflight result for this many seconds. Default: 86400. */
+    maxAge?: number;
+}
+export type GraphQLContextFn<Ctx = MinimalNexusContext> = (request: Request, nexusCtx: MinimalNexusContext) => Ctx | Promise<Ctx>;
+export interface RateLimitPerOperation {
+    /** Maximum requests per window. */
+    max: number;
+    /** Window in ms. Default: 60 000 (1 minute). */
+    windowMs?: number;
+}
+export interface GraphQLHandlerOptions<Ctx = MinimalNexusContext> {
+    /** The compiled GraphQL schema. */
+    schema: GraphQLSchema;
+    /**
+     * `true` in dev mode:
+     *  - Enables GraphiQL at the endpoint
+     *  - Allows introspection regardless of `shield.allowIntrospection`
+     *  - Exposes full error stack traces in responses
+     */
+    dev?: boolean;
+    /**
+     * CORS configuration. Omit to disable CORS headers (same-origin only).
+     * Required when your API and frontend are on different origins.
+     */
+    cors?: CorsConfig;
+    /**
+     * Shield configuration for complexity + depth + introspection.
+     * Omit to skip complexity analysis (not recommended for public APIs).
+     */
+    shield?: ComplexityConfig;
+    /**
+     * Field masking policy applied to every response.
+     * See `MaskPolicy` from `@nexus_js/graphql/mask`.
+     */
+    mask?: MaskPolicy<Ctx>;
+    /**
+     * Factory to build the GraphQL execution context per request.
+     * Receives the raw `Request` and the Nexus context (`ctx.secrets`, etc.).
+     * Return whatever your resolvers expect on `context`.
+     */
+    context?: GraphQLContextFn<Ctx>;
+    /**
+     * Max request body size in bytes. Default: 1 MB.
+     * Prevents memory exhaustion via oversized query documents.
+     */
+    maxBodyBytes?: number;
+    /**
+     * Per-IP rate limiting for the GraphQL endpoint.
+     * Applies across all operations (use resolver-level limits for per-operation).
+     */
+    rateLimit?: RateLimitPerOperation;
+}
+/**
+ * Create a Nexus-compatible GraphQL handler.
+ *
+ * Mount with:
+ * ```ts
+ * mounts: [{ path: '/graphql', handler: createGraphQLHandler({ schema, ... }) }]
+ * ```
+ */
+export declare function createGraphQLHandler<Ctx = MinimalNexusContext>(opts: GraphQLHandlerOptions<Ctx>): (request: Request, nexusCtx: MinimalNexusContext) => Promise<Response>;
+//# sourceMappingURL=handler.d.ts.map

package/dist/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyDG;AAEH,OAAO,KAAK,EACV,aAAa,EAEd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAqB,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAc,KAAK,UAAU,EAAE,MAAM,WAAW,CAAC;AAKxD,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,MAAM,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAID,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,OAAO,EAAE,GAAG,GAAG,MAAM,EAAE,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC;IACxD;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2EAA2E;IAC3E,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,oEAAoE;IACpE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,gBAAgB,CAAC,GAAG,GAAG,mBAAmB,IAAI,CACxD,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,mBAAmB,KAC1B,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;AAExB,MAAM,WAAW,qBAAqB;IACpC,mCAAmC;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qBAAqB,CAAC,GAAG,GAAG,mBAAmB;IAC9D,mCAAmC;IACnC,MAAM,EAAE,aAAa,CAAC;IAEtB;;;;;OAKG;IACH,GAAG,CAAC,EAAE,OAAO,CAAC;IAEd;;;OAGG;IACH,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB;;;OAGG;IACH,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAE1B;;;OAGG;IACH,IAAI,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;IAEvB;;;;OAIG;IACH,OAAO,CAAC,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAEhC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,SAAS,CAAC,EAAE,qBAAqB,CAAC;CACnC;AA0OD;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,GAAG,mBAAmB,EAC5D,IAAI,EAAE,qBAAqB,CAAC,GAAG,CAAC,GAC/B,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,mBAAmB,KAAK,OAAO,CAAC,QAAQ,CAAC,CA6NxE"}

package/dist/handler.js

@@ -0,0 +1,420 @@
+/**
+ * Nexus GraphQL Handler — createGraphQLHandler()
+ *
+ * Returns a (request: Request, ctx: NexusContext) → Promise<Response> function
+ * compatible with the Nexus server `mounts` option.
+ *
+ * What this handler does
+ * ──────────────────────
+ *  1. Handles CORS preflight (OPTIONS) so browser clients don't get blocked.
+ *     Important: Nexus's own CSP/security headers are added by the server on
+ *     top — we never fight over the same header names.
+ *
+ *  2. Parses and validates the incoming GraphQL request (GET, POST JSON,
+ *     POST application/graphql) — no Express, no middleware.
+ *
+ *  3. Rejects introspection in production mode (configurable).
+ *
+ *  4. Runs the Shield complexity & depth analysis on the parsed AST *before*
+ *     calling execute() — saves CPU on malicious queries.
+ *
+ *  5. Calls graphql.execute() with the context you provide.
+ *
+ *  6. Applies field masking on the result.
+ *
+ *  7. Limits per-operation request rate using the built-in rate-limit helpers.
+ *
+ * Usage (in nexus.config.ts / server startup)
+ * ─────────────────────────────────────────────
+ *  import { createGraphQLHandler } from '@nexus_js/graphql';
+ *  import { schema } from './graphql/schema.js';
+ *  import { createBatchLoader } from '@nexus_js/graphql';
+ *
+ *  const gqlHandler = createGraphQLHandler({
+ *    schema,
+ *    dev: process.env.NODE_ENV !== 'production',
+ *    cors: { origins: ['https://app.example.com'], credentials: true },
+ *    shield: { maxCost: 500, maxDepth: 8 },
+ *    mask: {
+ *      'User.passwordHash': null,
+ *      'PaymentCard.cvv':   'REDACTED',
+ *    },
+ *    context: (request, nexusCtx) => ({
+ *      ...nexusCtx,
+ *      loaders: {
+ *        user: createBatchLoader(ids => db.users.findMany({ where: { id: { in: ids } } })),
+ *      },
+ *    }),
+ *  });
+ *
+ *  // In createNexusServer():
+ *  mounts: [{ path: '/graphql', handler: gqlHandler }]
+ *
+ * CORS notes
+ * ──────────
+ *  - `cors.origins: '*'` + `cors.credentials: true` is rejected (browser security requirement).
+ *  - For non-CORS requests (same-origin or CLI tools) the `Access-Control-*` headers are not added.
+ *  - Nexus's hardened security headers are added by the server on top; they don't override CORS.
+ */
+import { analyseComplexity } from './complexity.js';
+import { maskResult } from './mask.js';
+const rateLimitStore = new Map();
+function checkRateLimit(key, max, windowMs) {
+    const now = Date.now();
+    let win = rateLimitStore.get(key);
+    if (!win) {
+        win = { timestamps: [] };
+        rateLimitStore.set(key, win);
+    }
+    // Evict timestamps outside the window
+    win.timestamps = win.timestamps.filter(t => t > now - windowMs);
+    const resetAt = win.timestamps[0] ? win.timestamps[0] + windowMs : now + windowMs;
+    if (win.timestamps.length >= max) {
+        return { allowed: false, remaining: 0, resetAt };
+    }
+    win.timestamps.push(now);
+    return { allowed: true, remaining: max - win.timestamps.length, resetAt };
+}
+// Prune stale rate-limit entries every 5 min to prevent unbounded growth
+let _pruneTimer = null;
+function ensurePruneTimer() {
+    if (_pruneTimer)
+        return;
+    _pruneTimer = setInterval(() => {
+        const cutoff = Date.now() - 300_000;
+        for (const [key, win] of rateLimitStore) {
+            if (!win.timestamps.length || win.timestamps[win.timestamps.length - 1] < cutoff) {
+                rateLimitStore.delete(key);
+            }
+        }
+    }, 300_000);
+    if (_pruneTimer && typeof _pruneTimer === 'object' && 'unref' in _pruneTimer) {
+        _pruneTimer.unref();
+    }
+}
+async function parseGqlRequest(request, maxBodyBytes) {
+    const method = request.method.toUpperCase();
+    if (method === 'GET') {
+        const url = new URL(request.url);
+        const query = url.searchParams.get('query');
+        if (!query) {
+            return { error: 'Missing "query" search parameter.', status: 400 };
+        }
+        let variables;
+        const rawVars = url.searchParams.get('variables');
+        if (rawVars) {
+            try {
+                variables = JSON.parse(rawVars);
+            }
+            catch {
+                return { error: 'Invalid JSON in "variables" parameter.', status: 400 };
+            }
+        }
+        return { query, variables, operationName: url.searchParams.get('operationName') ?? undefined };
+    }
+    if (method === 'POST') {
+        const ct = (request.headers.get('content-type') ?? '').toLowerCase();
+        // Body size guard
+        const contentLength = parseInt(request.headers.get('content-length') ?? '0', 10);
+        if (contentLength > maxBodyBytes) {
+            return { error: `Request body exceeds maximum size of ${maxBodyBytes} bytes.`, status: 413 };
+        }
+        let rawBody;
+        try {
+            const buf = await request.arrayBuffer();
+            if (buf.byteLength > maxBodyBytes) {
+                return { error: `Request body exceeds maximum size of ${maxBodyBytes} bytes.`, status: 413 };
+            }
+            rawBody = new TextDecoder().decode(buf);
+        }
+        catch {
+            return { error: 'Failed to read request body.', status: 400 };
+        }
+        if (ct.includes('application/graphql')) {
+            return { query: rawBody };
+        }
+        if (ct.includes('application/json')) {
+            let body;
+            try {
+                body = JSON.parse(rawBody);
+            }
+            catch {
+                return { error: 'Invalid JSON body.', status: 400 };
+            }
+            if (typeof body !== 'object' || body === null) {
+                return { error: 'Body must be a JSON object.', status: 400 };
+            }
+            const b = body;
+            if (typeof b['query'] !== 'string') {
+                return { error: 'Body must include a "query" string field.', status: 400 };
+            }
+            let variables;
+            if (b['variables'] !== undefined && b['variables'] !== null) {
+                if (typeof b['variables'] !== 'object') {
+                    return { error: '"variables" must be an object.', status: 400 };
+                }
+                variables = b['variables'];
+            }
+            return {
+                query: b['query'],
+                variables,
+                operationName: typeof b['operationName'] === 'string' ? b['operationName'] : undefined,
+            };
+        }
+        return { error: `Unsupported Content-Type: ${ct}`, status: 415 };
+    }
+    return { error: `Method ${method} not allowed. Use GET or POST.`, status: 405 };
+}
+// ── CORS helpers ─────────────────────────────────────────────────────────────
+function resolveOrigin(corsConfig, origin) {
+    if (!origin)
+        return null;
+    const { origins } = corsConfig;
+    if (origins === '*') {
+        if (corsConfig.credentials)
+            return null; // cannot combine * + credentials
+        return '*';
+    }
+    if (Array.isArray(origins)) {
+        return origins.includes(origin) ? origin : null;
+    }
+    if (typeof origins === 'function') {
+        return origins(origin) ? origin : null;
+    }
+    return null;
+}
+const GQL_ALLOW_HEADERS = [
+    'Content-Type',
+    'Authorization',
+    'X-Requested-With',
+    'Accept',
+    'Origin',
+].join(', ');
+function buildCorsHeaders(corsConfig, origin, extra = []) {
+    const allowed = resolveOrigin(corsConfig, origin);
+    if (!allowed)
+        return {};
+    const allowHeaders = [GQL_ALLOW_HEADERS, ...extra].join(', ');
+    const headers = {
+        'access-control-allow-origin': allowed,
+        'access-control-allow-methods': 'GET, POST, OPTIONS',
+        'access-control-allow-headers': allowHeaders,
+        'access-control-max-age': String(corsConfig.maxAge ?? 86400),
+    };
+    if (corsConfig.credentials) {
+        headers['access-control-allow-credentials'] = 'true';
+    }
+    if (allowed !== '*') {
+        headers['vary'] = 'Origin';
+    }
+    return headers;
+}
+// ── GraphiQL HTML ────────────────────────────────────────────────────────────
+function graphiqlHtml(endpoint) {
+    return `<!DOCTYPE html>
+<html lang="en"><head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <title>◆ Nexus GraphiQL</title>
+  <link rel="stylesheet" href="https://unpkg.com/graphiql@3/graphiql.min.css">
+  <style>
+    * { box-sizing: border-box; margin: 0; }
+    body { height: 100dvh; display: flex; flex-direction: column; background: #0a0a0f; }
+    #graphiql { flex: 1; overflow: hidden; }
+    .graphiql-container { background: #0f0f14 !important; }
+  </style>
+</head>
+<body>
+  <div id="graphiql">Loading GraphiQL…</div>
+  <script crossorigin src="https://unpkg.com/react@18/umd/react.development.js"></script>
+  <script crossorigin src="https://unpkg.com/react-dom@18/umd/react-dom.development.js"></script>
+  <script crossorigin src="https://unpkg.com/graphiql@3/graphiql.min.js"></script>
+  <script>
+    const root = ReactDOM.createRoot(document.getElementById('graphiql'));
+    const fetcher = GraphiQL.createFetcher({ url: ${JSON.stringify(endpoint)} });
+    root.render(React.createElement(GraphiQL, { fetcher }));
+  </script>
+</body></html>`;
+}
+// ── Error response helper ────────────────────────────────────────────────────
+function errorResponse(errors, status, extraHeaders = {}) {
+    return new Response(JSON.stringify({ errors: errors.map(e => ({ message: e.message, extensions: e.extensions })) }), {
+        status,
+        headers: {
+            'content-type': 'application/json; charset=utf-8',
+            ...extraHeaders,
+        },
+    });
+}
+// ── Main factory ─────────────────────────────────────────────────────────────
+/**
+ * Create a Nexus-compatible GraphQL handler.
+ *
+ * Mount with:
+ * ```ts
+ * mounts: [{ path: '/graphql', handler: createGraphQLHandler({ schema, ... }) }]
+ * ```
+ */
+export function createGraphQLHandler(opts) {
+    const { schema, dev = false, cors: corsOpts, shield: shieldConfig, mask: maskPolicy, context: contextFn, maxBodyBytes = 1_048_576, // 1 MB
+    rateLimit: rlConfig, } = opts;
+    // Validate CORS config
+    if (corsOpts?.credentials && corsOpts.origins === '*') {
+        throw new Error('[Nexus GraphQL] `cors.credentials: true` cannot be used with `cors.origins: "*"`. ' +
+            'Browsers will reject this combination. Specify exact allowed origins instead.');
+    }
+    if (rlConfig)
+        ensurePruneTimer();
+    return async function graphqlRequestHandler(request, nexusCtx) {
+        const method = request.method.toUpperCase();
+        const origin = request.headers.get('origin');
+        const corsHeaders = corsOpts ? buildCorsHeaders(corsOpts, origin, opts.cors?.allowHeaders) : {};
+        // ── 1. CORS preflight ────────────────────────────────────────────────────
+        if (method === 'OPTIONS') {
+            return new Response(null, {
+                status: 204,
+                headers: {
+                    'content-length': '0',
+                    ...corsHeaders,
+                },
+            });
+        }
+        // ── 2. GraphiQL (dev GET with Accept: text/html) ─────────────────────────
+        if (method === 'GET' && dev) {
+            const accept = request.headers.get('accept') ?? '';
+            const url = new URL(request.url);
+            if (accept.includes('text/html') && !url.searchParams.has('query')) {
+                return new Response(graphiqlHtml(url.pathname), {
+                    status: 200,
+                    headers: { 'content-type': 'text/html; charset=utf-8', ...corsHeaders },
+                });
+            }
+        }
+        // ── 3. Rate limiting ─────────────────────────────────────────────────────
+        if (rlConfig) {
+            const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
+                ?? request.headers.get('cf-connecting-ip')
+                ?? request.headers.get('x-real-ip')
+                ?? 'unknown';
+            const rl = checkRateLimit(`gql:${ip}`, rlConfig.max, rlConfig.windowMs ?? 60_000);
+            if (!rl.allowed) {
+                const retryAfter = Math.ceil((rl.resetAt - Date.now()) / 1000);
+                return errorResponse([{ message: 'Too many requests. Please retry later.', extensions: { code: 'RATE_LIMITED' } }], 429, {
+                    ...corsHeaders,
+                    'retry-after': String(retryAfter),
+                    'x-ratelimit-limit': String(rlConfig.max),
+                    'x-ratelimit-remaining': '0',
+                    'x-ratelimit-reset': String(Math.ceil(rl.resetAt / 1000)),
+                });
+            }
+        }
+        // ── 4. Parse GraphQL request ─────────────────────────────────────────────
+        const parsed = await parseGqlRequest(request, maxBodyBytes);
+        if ('error' in parsed) {
+            return errorResponse([{ message: parsed.error, extensions: { code: 'BAD_REQUEST' } }], parsed.status, corsHeaders);
+        }
+        // ── 5. Parse + validate GraphQL document ─────────────────────────────────
+        // Lazy-import graphql to keep it as a true peer dep
+        const gql = await import('graphql');
+        let document;
+        try {
+            document = gql.parse(parsed.query);
+        }
+        catch (err) {
+            return errorResponse([{ message: err.message, extensions: { code: 'GRAPHQL_PARSE_FAILED' } }], 400, corsHeaders);
+        }
+        const validationErrors = gql.validate(schema, document);
+        if (validationErrors.length > 0) {
+            return errorResponse(validationErrors.map(e => ({
+                message: e.message,
+                extensions: { code: 'GRAPHQL_VALIDATION_FAILED' },
+            })), 400, corsHeaders);
+        }
+        // ── 6. Shield: complexity + depth analysis ───────────────────────────────
+        if (shieldConfig) {
+            const shieldWithDev = {
+                ...shieldConfig,
+                // Always allow introspection in dev
+                allowIntrospection: dev ? true : (shieldConfig.allowIntrospection ?? false),
+            };
+            const { errors: complexityErrors } = analyseComplexity(document, schema, shieldWithDev);
+            if (complexityErrors.length > 0) {
+                return errorResponse(complexityErrors, 400, corsHeaders);
+            }
+        }
+        else if (!dev) {
+            // Even without explicit shield config: block introspection in production
+            for (const def of document.definitions) {
+                if (def.kind === 'OperationDefinition') {
+                    for (const sel of def.selectionSet.selections) {
+                        if (sel.kind === 'Field' && sel.name.value === '__schema') {
+                            return errorResponse([{ message: 'Introspection is disabled.', extensions: { code: 'INTROSPECTION_DISABLED' } }], 403, corsHeaders);
+                        }
+                    }
+                }
+            }
+        }
+        // ── 7. Build execution context ───────────────────────────────────────────
+        let execContext;
+        if (contextFn) {
+            try {
+                execContext = await contextFn(request, nexusCtx);
+            }
+            catch (err) {
+                return errorResponse([{ message: 'Failed to build request context.', extensions: { code: 'CONTEXT_ERROR' } }], 500, corsHeaders);
+            }
+        }
+        else {
+            execContext = nexusCtx;
+        }
+        // ── 8. Execute ───────────────────────────────────────────────────────────
+        let rawResult;
+        try {
+            const execResult = await gql.execute({
+                schema,
+                document,
+                contextValue: execContext,
+                variableValues: parsed.variables,
+                operationName: parsed.operationName,
+            });
+            const errs = execResult.errors
+                ? execResult.errors.map(e => ({ message: e.message, extensions: e.extensions, path: e.path, locations: e.locations }))
+                : undefined;
+            rawResult = {
+                data: execResult.data,
+                ...(errs ? { errors: errs } : {}),
+                ...(execResult.extensions ? { extensions: execResult.extensions } : {}),
+            };
+        }
+        catch (err) {
+            const msg = dev
+                ? `Execution error: ${err.message}`
+                : 'Internal server error';
+            return errorResponse([{ message: msg, extensions: { code: 'INTERNAL_SERVER_ERROR' } }], 500, corsHeaders);
+        }
+        // ── 9. Field masking ─────────────────────────────────────────────────────
+        const finalResult = maskPolicy
+            ? maskResult(rawResult, maskPolicy, execContext)
+            : rawResult;
+        // Strip stack traces in production
+        if (!dev && finalResult.errors) {
+            finalResult.errors = finalResult.errors.map(e => ({
+                message: String(e['message'] ?? ''),
+                ...(e['extensions'] ? { extensions: e['extensions'] } : {}),
+                ...(e['path'] ? { path: e['path'] } : {}),
+                ...(e['locations'] ? { locations: e['locations'] } : {}),
+            }));
+        }
+        const hasErrors = Array.isArray(finalResult.errors) && finalResult.errors.length > 0;
+        const httpStatus = hasErrors && !finalResult.data ? 400 : 200;
+        return new Response(JSON.stringify(finalResult), {
+            status: httpStatus,
+            headers: {
+                'content-type': 'application/json; charset=utf-8',
+                'cache-control': 'no-store',
+                ...corsHeaders,
+            },
+        });
+    };
+}
+//# sourceMappingURL=handler.js.map

package/dist/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyDG;AAMH,OAAO,EAAE,iBAAiB,EAAyB,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAE,UAAU,EAAmB,MAAM,WAAW,CAAC;AAmGxD,MAAM,cAAc,GAAG,IAAI,GAAG,EAAyB,CAAC;AAExD,SAAS,cAAc,CACrB,GAAW,EACX,GAAW,EACX,QAAgB;IAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,GAAG,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACzB,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC/B,CAAC;IACD,sCAAsC;IACtC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,GAAG,QAAQ,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,GAAG,QAAQ,CAAC;IAElF,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;QACjC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC;IACnD,CAAC;IACD,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,GAAG,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;AAC5E,CAAC;AAED,yEAAyE;AACzE,IAAI,WAAW,GAA0C,IAAI,CAAC;AAC9D,SAAS,gBAAgB;IACvB,IAAI,WAAW;QAAE,OAAO;IACxB,WAAW,GAAG,WAAW,CAAC,GAAG,EAAE;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;QACpC,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,cAAc,EAAE,CAAC;YACxC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAE,GAAG,MAAM,EAAE,CAAC;gBAClF,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC,EAAE,OAAO,CAAC,CAAC;IACZ,IAAI,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,OAAO,IAAI,WAAW,EAAE,CAAC;QAC5E,WAAiC,CAAC,KAAK,EAAE,CAAC;IAC7C,CAAC;AACH,CAAC;AAUD,KAAK,UAAU,eAAe,CAC5B,OAAgB,EAChB,YAAoB;IAEpB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;IAE5C,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,mCAAmC,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACrE,CAAC;QACD,IAAI,SAA8C,CAAC;QACnD,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAClD,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBAAC,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;YAAC,CAAC;YACnE,MAAM,CAAC;gBAAC,OAAO,EAAE,KAAK,EAAE,wCAAwC,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;YAAC,CAAC;QACpF,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,SAAS,EAAE,CAAC;IACjG,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAErE,kBAAkB;QAClB,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;QACjF,IAAI,aAAa,GAAG,YAAY,EAAE,CAAC;YACjC,OAAO,EAAE,KAAK,EAAE,wCAAwC,YAAY,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAC/F,CAAC;QAED,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,WAAW,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,UAAU,GAAG,YAAY,EAAE,CAAC;gBAClC,OAAO,EAAE,KAAK,EAAE,wCAAwC,YAAY,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;YAC/F,CAAC;YACD,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,8BAA8B,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAChE,CAAC;QAED,IAAI,EAAE,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACvC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QAC5B,CAAC;QAED,IAAI,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACpC,IAAI,IAAa,CAAC;YAClB,IAAI,CAAC;gBAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAAC,CAAC;YACnC,MAAM,CAAC;gBAAC,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;YAAC,CAAC;YAE9D,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAC9C,OAAO,EAAE,KAAK,EAAE,6BAA6B,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;YAC/D,CAAC;YACD,MAAM,CAAC,GAAG,IAA+B,CAAC;YAC1C,IAAI,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACnC,OAAO,EAAE,KAAK,EAAE,2CAA2C,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;YAC7E,CAAC;YACD,IAAI,SAA8C,CAAC;YACnD,IAAI,CAAC,CAAC,WAAW,CAAC,KAAK,SAAS,IAAI,CAAC,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC5D,IAAI,OAAO,CAAC,CAAC,WAAW,CAAC,KAAK,QAAQ,EAAE,CAAC;oBACvC,OAAO,EAAE,KAAK,EAAE,gCAAgC,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;gBAClE,CAAC;gBACD,SAAS,GAAG,CAAC,CAAC,WAAW,CAA4B,CAAC;YACxD,CAAC;YACD,OAAO;gBACL,KAAK,EAAW,CAAC,CAAC,OAAO,CAAC;gBAC1B,SAAS;gBACT,aAAa,EAAG,OAAO,CAAC,CAAC,eAAe,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS;aACxF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,6BAA6B,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACnE,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,UAAU,MAAM,gCAAgC,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;AAClF,CAAC;AAED,gFAAgF;AAEhF,SAAS,aAAa,CAAC,UAAsB,EAAE,MAAqB;IAClE,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,EAAE,OAAO,EAAE,GAAG,UAAU,CAAC;IAC/B,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,IAAI,UAAU,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC,CAAC,iCAAiC;QAC1E,OAAO,GAAG,CAAC;IACb,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IAClD,CAAC;IACD,IAAI,OAAO,OAAO,KAAK,UAAU,EAAE,CAAC;QAClC,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,iBAAiB,GAAG;IACxB,cAAc;IACd,eAAe;IACf,kBAAkB;IAClB,QAAQ;IACR,QAAQ;CACT,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb,SAAS,gBAAgB,CACvB,UAAsB,EACtB,MAAqB,EACrB,QAAkB,EAAE;IAEpB,MAAM,OAAO,GAAG,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAClD,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAExB,MAAM,YAAY,GAAG,CAAC,iBAAiB,EAAE,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9D,MAAM,OAAO,GAA2B;QACtC,6BAA6B,EAAG,OAAO;QACvC,8BAA8B,EAAE,oBAAoB;QACpD,8BAA8B,EAAE,YAAY;QAC5C,wBAAwB,EAAQ,MAAM,CAAC,UAAU,CAAC,MAAM,IAAI,KAAK,CAAC;KACnE,CAAC;IACF,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;QAC3B,OAAO,CAAC,kCAAkC,CAAC,GAAG,MAAM,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,OAAO,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC;IAC7B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,gFAAgF;AAEhF,SAAS,YAAY,CAAC,QAAgB;IACpC,OAAO;;;;;;;;;;;;;;;;;;;;oDAoB2C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;;;eAG7D,CAAC;AAChB,CAAC;AAED,gFAAgF;AAEhF,SAAS,aAAa,CACpB,MAAwE,EACxE,MAAc,EACd,eAAuC,EAAE;IAEzC,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,CAAC,EAC/F;QACE,MAAM;QACN,OAAO,EAAE;YACP,cAAc,EAAE,iCAAiC;YACjD,GAAG,YAAY;SAChB;KACF,CACF,CAAC;AACJ,CAAC;AAED,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,IAAgC;IAEhC,MAAM,EACJ,MAAM,EACN,GAAG,GAAY,KAAK,EACpB,IAAI,EAAG,QAAQ,EACf,MAAM,EAAE,YAAY,EACpB,IAAI,EAAG,UAAU,EACjB,OAAO,EAAE,SAAS,EAClB,YAAY,GAAI,SAAS,EAAE,OAAO;IAClC,SAAS,EAAE,QAAQ,GACpB,GAAG,IAAI,CAAC;IAET,uBAAuB;IACvB,IAAI,QAAQ,EAAE,WAAW,IAAI,QAAQ,CAAC,OAAO,KAAK,GAAG,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,oFAAoF;YACpF,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ;QAAE,gBAAgB,EAAE,CAAC;IAEjC,OAAO,KAAK,UAAU,qBAAqB,CACzC,OAAgB,EAChB,QAA6B;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAEhG,4EAA4E;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE;oBACP,gBAAgB,EAAE,GAAG;oBACrB,GAAG,WAAW;iBACf;aACF,CAAC,CAAC;QACL,CAAC;QAED,4EAA4E;QAC5E,IAAI,MAAM,KAAK,KAAK,IAAI,GAAG,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnE,OAAO,IAAI,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE;oBAC9C,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE,GAAG,WAAW,EAAE;iBACxE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;mBACnE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;mBACvC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;mBAChC,SAAS,CAAC;YAEf,MAAM,EAAE,GAAG,cAAc,CACvB,OAAO,EAAE,EAAE,EACX,QAAQ,CAAC,GAAG,EACZ,QAAQ,CAAC,QAAQ,IAAI,MAAM,CAC5B,CAAC;YAEF,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC;gBAChB,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;gBAC/D,OAAO,aAAa,CAClB,CAAC,EAAE,OAAO,EAAE,wCAAwC,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,EAAE,CAAC,EAC7F,GAAG,EACH;oBACE,GAAG,WAAW;oBACd,aAAa,EAAW,MAAM,CAAC,UAAU,CAAC;oBAC1C,mBAAmB,EAAK,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAC5C,uBAAuB,EAAE,GAAG;oBAC5B,mBAAmB,EAAK,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;iBAC7D,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC5D,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;YACtB,OAAO,aAAa,CAClB,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,CAAC,EAChE,MAAM,CAAC,MAAM,EACb,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,4EAA4E;QAC5E,oDAAoD;QACpD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAEpC,IAAI,QAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,aAAa,CAClB,CAAC,EAAE,OAAO,EAAG,GAAa,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,EAAE,CAAC,EACnF,GAAG,EACH,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,MAAM,gBAAgB,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACxD,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,aAAa,CAClB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACzB,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,UAAU,EAAE,EAAE,IAAI,EAAE,2BAA2B,EAAE;aAClD,CAAC,CAAC,EACH,GAAG,EACH,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,4EAA4E;QAC5E,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,aAAa,GAAqB;gBACtC,GAAG,YAAY;gBACf,oCAAoC;gBACpC,kBAAkB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,kBAAkB,IAAI,KAAK,CAAC;aAC5E,CAAC;YAEF,MAAM,EAAE,MAAM,EAAE,gBAAgB,EAAE,GAAG,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,aAAa,CAAC,CAAC;YACxF,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChC,OAAO,aAAa,CAAC,gBAAgB,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,GAAG,EAAE,CAAC;YAChB,yEAAyE;YACzE,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACvC,IAAI,GAAG,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;oBACvC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,UAAU,EAAE,CAAC;wBAC9C,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;4BAC1D,OAAO,aAAa,CAClB,CAAC,EAAE,OAAO,EAAE,4BAA4B,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,wBAAwB,EAAE,EAAE,CAAC,EAC3F,GAAG,EACH,WAAW,CACZ,CAAC;wBACJ,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,IAAI,WAAoB,CAAC;QACzB,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC;gBACH,WAAW,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACnD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,aAAa,CAClB,CAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,CAAC,EACxF,GAAG,EACH,WAAW,CACZ,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,WAAW,GAAG,QAAQ,CAAC;QACzB,CAAC;QAED,4EAA4E;QAC5E,IAAI,SAAiC,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC;gBACnC,MAAM;gBACN,QAAQ;gBACR,YAAY,EAAI,WAAW;gBAC3B,cAAc,EAAE,MAAM,CAAC,SAAS;gBAChC,aAAa,EAAG,MAAM,CAAC,aAAa;aACrC,CAAC,CAAC;YAEH,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM;gBAC5B,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC,UAAiD,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;gBAC7J,CAAC,CAAC,SAAS,CAAC;YACd,SAAS,GAAG;gBACV,IAAI,EAAE,UAAU,CAAC,IAAsC;gBACvD,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,UAAqC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACnG,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG;gBACb,CAAC,CAAC,oBAAqB,GAAa,CAAC,OAAO,EAAE;gBAC9C,CAAC,CAAC,uBAAuB,CAAC;YAC5B,OAAO,aAAa,CAClB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,uBAAuB,EAAE,EAAE,CAAC,EACjE,GAAG,EACH,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,4EAA4E;QAC5E,MAAM,WAAW,GAAG,UAAU;YAC5B,CAAC,CAAC,UAAU,CAAC,SAAS,EAAE,UAAiC,EAAE,WAAsB,CAAC;YAClF,CAAC,CAAC,SAAS,CAAC;QAEd,mCAAmC;QACnC,IAAI,CAAC,GAAG,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;YAC/B,WAAW,CAAC,MAAM,GAAI,WAAW,CAAC,MAAyC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACpF,OAAO,EAAK,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;gBACtC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,YAAY,CAA4B,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtF,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAO,CAAC,CAAC,EAAE,IAAI,EAAQ,CAAC,CAAC,MAAM,CAAc,EAAE,CAAE,CAAC,CAAC,EAAE,CAAC;gBACnE,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAE,CAAC,CAAC,EAAE,SAAS,EAAG,CAAC,CAAC,WAAW,CAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACxE,CAAC,CAAC,CAAC;QACN,CAAC;QAED,MAAM,SAAS,GAAI,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,WAAW,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;QACtF,MAAM,UAAU,GAAG,SAAS,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QAE9D,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE;YAC/C,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE;gBACP,cAAc,EAAG,iCAAiC;gBAClD,eAAe,EAAE,UAAU;gBAC3B,GAAG,WAAW;aACf;SACF,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,56 @@
+/**
+ * @nexus_js/graphql — GraphQL integration for Nexus.js
+ *
+ * Provides a security-first GraphQL adapter that integrates with the Nexus
+ * server pipeline without Express, without CORS conflicts, and without
+ * external runtime dependencies beyond `graphql` itself.
+ *
+ * Quick-start
+ * ───────────
+ *  ```ts
+ *  // nexus.config.ts or server startup
+ *  import { createGraphQLHandler, createBatchLoader, createJwtService } from '@nexus_js/graphql';
+ *  import { nexusVault } from '@nexus_js/security';
+ *  import { schema } from './graphql/schema.js';
+ *
+ *  const jwtSvc = createJwtService(nexusVault, { vaultKey: 'JWT_SECRET', issuer: 'my-app' });
+ *
+ *  const gqlHandler = createGraphQLHandler({
+ *    schema,
+ *    dev:    process.env.NODE_ENV !== 'production',
+ *    cors:   { origins: ['https://app.example.com'], credentials: true },
+ *    shield: { maxCost: 500, maxDepth: 8, allowIntrospection: false },
+ *    mask:   { 'User.passwordHash': null, 'PaymentCard.cvv': 'REDACTED' },
+ *    context: (req, ctx) => ({
+ *      ...ctx,
+ *      user:    jwtSvc.verify(req.headers.get('authorization')?.replace('Bearer ', '') ?? ''),
+ *      loaders: { user: createBatchLoader(ids => db.users.findMany(ids)) },
+ *    }),
+ *  });
+ *
+ *  // Add to createNexusServer:
+ *  mounts: [{ path: '/graphql', handler: gqlHandler }]
+ *  ```
+ *
+ * Architecture
+ * ────────────
+ *  Handler pipeline per request:
+ *  1. CORS preflight (OPTIONS) → 204 with Access-Control headers
+ *  2. GraphiQL HTML (dev GET with Accept: text/html)
+ *  3. Rate limiting (sliding window, per IP)
+ *  4. Parse GET/POST JSON/application/graphql body
+ *  5. graphql.parse() + graphql.validate()
+ *  6. Shield: complexity + depth + introspection gate
+ *  7. Context factory call
+ *  8. graphql.execute()
+ *  9. Field masking
+ * 10. JSON response
+ */
+export { createGraphQLHandler, type GraphQLHandlerOptions, type CorsConfig, type GraphQLContextFn, type MinimalNexusContext, type RateLimitPerOperation, } from './handler.js';
+export { analyseComplexity, type ComplexityConfig, type ComplexityResult, } from './complexity.js';
+export { maskResult, allowWhen, redactUnless, type MaskPolicy, type MaskFn, type GraphQLExecutionResult, } from './mask.js';
+export { createJwtService, signJwt, verifyJwt, type JwtService, type JwtServiceOptions, type JwtPayload, } from './jwt.js';
+export { BatchLoader, createBatchLoader, createLoaderRegistry, type BatchFn, type BatchLoaderOptions, } from './dataloader.js';
+export { createRemoteExecutor, createRemoteExecutorWithSchema, type RemoteExecutorOptions, type RemoteExecutionContext, type RemoteExecutionResult, } from './remote-executor.js';
+export { stitchSchemas, createGatewayResolver, type SubschemaConfig, type StitchSchemasOptions, } from './stitching.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AAGH,OAAO,EACL,oBAAoB,EACpB,KAAK,qBAAqB,EAC1B,KAAK,UAAU,EACf,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,iBAAiB,EACjB,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,GACtB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,UAAU,EACV,SAAS,EACT,YAAY,EACZ,KAAK,UAAU,EACf,KAAK,MAAM,EACX,KAAK,sBAAsB,GAC5B,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,gBAAgB,EAChB,OAAO,EACP,SAAS,EACT,KAAK,UAAU,EACf,KAAK,iBAAiB,EACtB,KAAK,UAAU,GAChB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,oBAAoB,EACpB,KAAK,OAAO,EACZ,KAAK,kBAAkB,GACxB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,oBAAoB,EACpB,8BAA8B,EAC9B,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC3B,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,KAAK,eAAe,EACpB,KAAK,oBAAoB,GAC1B,MAAM,gBAAgB,CAAC"}