@pikku/inspector 0.12.12 → 0.12.14

package/CHANGELOG.md

@@ -1,3 +1,48 @@
+## 0.12.14
+
+### Patch Changes
+
+- 4b5c75b: feat(auth-js): wire OIDC config (issuer/tenantId) as variables, expand provider registry
+  - Move `issuer` and `tenantId` out of the secret blob for OIDC providers (auth0, okta, azure-ad, keycloak, cognito, microsoft-entra-id) — they are public config URLs, not secrets. Now registered via `wireVariable` and loaded at runtime via `services.variables.get()`.
+  - Expand provider registry from 13 to 31 providers: reddit, notion, instagram, zoom, figma, tiktok, threads, patreon, dropbox, bitbucket, hubspot, salesforce, atlassian, strava, keycloak, cognito, microsoft-entra-id added.
+  - `serialize-auth-gen` emits `wireVariable({...})` declarations and `services.variables.get()` calls in the generated factory for OIDC providers.
+  - Integration verifier exercises real `/auth/providers` endpoint with `LocalSecretService` + `LocalVariablesService`, including a spy test proving `services.variables.get('AUTH0_ISSUER')` is called at request time.
+
+- 4b5c75b: Add end-to-end data classification for SQLite and Postgres projects.
+
+  **Core (`@pikku/core`):** New `Private<T>` and `Secret<T>` intersection brands, `ClassificationManifest`, `ColumnClassification`, and `AnonymizeStrategy` types exported from `data-classification.ts`.
+
+  **CLI (`@pikku/cli`):**
+  - SQL comment annotations: `-- @public`, `-- @private[:strategy]`, `-- @secret[:strategy]` on `CREATE TABLE` columns and `ALTER TABLE ... ADD COLUMN` statements. Unannotated columns default to `private`.
+  - `pikku db migrate` now emits a `classification.gen.ts` manifest alongside `schema.d.ts`.
+  - New `pikku db audit` command — prints a per-column classification summary and warns on `private`/`secret` columns with no anonymize strategy.
+  - Postgres dialect support in `resolveDb`, `PostgresMigrationExecutor`, and `PostgresIntrospector`.
+
+  **Inspector (`@pikku/inspector`):** New PKU910 check — `findPiiPaths()` walks inferred function return types looking for `__pii__` brands (including inside `Array<T>`, `Record<K,V>`, and index signatures) and fails the build if a function exposes branded fields in its output.
+
+- Updated dependencies [4b5c75b]
+- Updated dependencies [4b5c75b]
+  - @pikku/core@0.12.27
+
+## 0.12.13
+
+### Patch Changes
+
+- 665bdb0: Add end-to-end data classification for SQLite and Postgres projects.
+
+  **Core (`@pikku/core`):** New `Private<T>` and `Secret<T>` intersection brands, `ClassificationManifest`, `ColumnClassification`, and `AnonymizeStrategy` types exported from `data-classification.ts`.
+
+  **CLI (`@pikku/cli`):**
+  - SQL comment annotations: `-- @public`, `-- @private[:strategy]`, `-- @secret[:strategy]` on `CREATE TABLE` columns and `ALTER TABLE ... ADD COLUMN` statements. Unannotated columns default to `private`.
+  - `pikku db migrate` now emits a `classification.gen.ts` manifest alongside `schema.d.ts`.
+  - New `pikku db audit` command — prints a per-column classification summary and warns on `private`/`secret` columns with no anonymize strategy.
+  - Postgres dialect support in `resolveDb`, `PostgresMigrationExecutor`, and `PostgresIntrospector`.
+
+  **Inspector (`@pikku/inspector`):** New PKU910 check — `findPiiPaths()` walks inferred function return types looking for `__pii__` brands (including inside `Array<T>`, `Record<K,V>`, and index signatures) and fails the build if a function exposes branded fields in its output.
+
+- Updated dependencies [665bdb0]
+  - @pikku/core@0.12.25
+
 ## 0.12.12
 
 ### Patch Changes

package/dist/add/add-auth.d.ts

@@ -0,0 +1,2 @@
+import type { AddWiring } from '../types.js';
+export declare const addAuth: AddWiring;

package/dist/add/add-auth.js

@@ -0,0 +1,34 @@
+import * as ts from 'typescript';
+import { ErrorCode } from '../error-codes.js';
+export const addAuth = (logger, node, _checker, state) => {
+    if (!ts.isCallExpression(node))
+        return;
+    const expression = node.expression;
+    if (!ts.isIdentifier(expression) || expression.text !== 'wireAuth')
+        return;
+    const firstArg = node.arguments[0];
+    if (!firstArg || !ts.isObjectLiteralExpression(firstArg))
+        return;
+    const providersProp = firstArg.properties.find((p) => ts.isPropertyAssignment(p) &&
+        (ts.isIdentifier(p.name) || ts.isStringLiteral(p.name)) &&
+        p.name.text === 'providers');
+    const sourceFile = node.getSourceFile().fileName;
+    state.auth.files.add(sourceFile);
+    if (!providersProp) {
+        return;
+    }
+    if (!ts.isArrayLiteralExpression(providersProp.initializer)) {
+        logger.critical(ErrorCode.MISSING_NAME, 'wireAuth: providers must be an array literal of string literals.');
+        return;
+    }
+    for (const element of providersProp.initializer
+        .elements) {
+        if (!ts.isStringLiteral(element)) {
+            logger.critical(ErrorCode.NON_LITERAL_WIRE_NAME, `wireAuth: each provider must be a string literal. Found: ${element.getText()}`);
+            return;
+        }
+        if (!state.auth.providers.includes(element.text)) {
+            state.auth.providers.push(element.text);
+        }
+    }
+};

package/dist/add/add-functions.js

@@ -10,6 +10,7 @@ import { resolveMiddleware } from '../utils/middleware.js';
 import { resolvePermissions } from '../utils/permissions.js';
 import { extractWireNames } from '../utils/post-process.js';
 import { ErrorCode } from '../error-codes.js';
+import { findPiiPaths } from '../utils/check-pii-output.js';
 const isValidVariableName = (name) => {
     const regex = /^[a-zA-Z_$][a-zA-Z0-9_$]*$/;
     return regex.test(name);
@@ -626,6 +627,25 @@ export const addFunctions = (logger, node, checker, state, options) => {
             }
         }
     }
+    // ── PII brand check ───────────────────────────────────────────────────────
+    // Walk the function body's ACTUAL inferred return type looking for Private<T>
+    // / Pii<T> / Secret<T> brands (__classification__ property).  This runs for every function,
+    // including those with a Zod output schema, because the TS return type
+    // reflects what the body actually returns before any Zod coercion.
+    {
+        const sig = checker.getSignatureFromDeclaration(handler);
+        if (sig) {
+            const rawRet = checker.getReturnTypeOfSignature(sig);
+            const unwrapped = unwrapPromise(checker, rawRet);
+            const piiPaths = findPiiPaths(checker, unwrapped);
+            if (piiPaths.length > 0) {
+                logger.critical(ErrorCode.PII_IN_OUTPUT, `Function '${name}' exposes PII-classified field(s) in its return type: ` +
+                    piiPaths.map((p) => `'${p}'`).join(', ') +
+                    `.\n  Either strip these fields before returning or mark the column ` +
+                    `@public in the migration if it is safe to expose.`);
+            }
+        }
+    }
     // --- resolve middleware ---
     let middleware = objectNode
         ? resolveMiddleware(state, objectNode, tags, checker)

package/dist/error-codes.d.ts

@@ -54,5 +54,6 @@ export declare enum ErrorCode {
     SCHEMA_AND_WIRING_COLOCATED = "PKU490",
     SERVICES_NOT_DESTRUCTURED = "PKU410",
     WIRES_NOT_DESTRUCTURED = "PKU411",
-    WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED = "PKU901"
+    WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED = "PKU901",
+    PII_IN_OUTPUT = "PKU910"
 }

package/dist/error-codes.js

@@ -67,4 +67,6 @@ export var ErrorCode;
     ErrorCode["WIRES_NOT_DESTRUCTURED"] = "PKU411";
     // Feature Flag
     ErrorCode["WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED"] = "PKU901";
+    // Data classification errors
+    ErrorCode["PII_IN_OUTPUT"] = "PKU910";
 })(ErrorCode || (ErrorCode = {}));

package/dist/inspector.js

@@ -115,6 +115,10 @@ export function getInitialInspectorState(rootDir) {
             meta: {},
             files: new Set(),
         },
+        auth: {
+            providers: [],
+            files: new Set(),
+        },
         secrets: {
             definitions: [],
             files: new Set(),

package/dist/types.d.ts

@@ -339,6 +339,10 @@ export interface InspectorState {
         meta: NodesMeta;
         files: Set<string>;
     };
+    auth: {
+        providers: string[];
+        files: Set<string>;
+    };
     secrets: {
         definitions: SecretDefinitions;
         files: Set<string>;

package/dist/utils/check-pii-output.d.ts

@@ -0,0 +1,14 @@
+import * as ts from 'typescript';
+/**
+ * Recursively walks a resolved TypeScript type looking for `__classification__` brands —
+ * the structural marker emitted by `Private<T>` and `Secret<T>`.
+ *
+ * `Private<T> = T & { readonly __classification__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__classification__`
+ * property.  We detect that by checking whether any constituent of an
+ * intersection exposes a property named `__classification__`.
+ *
+ * Returns the list of dotted field paths where a brand was found
+ * (e.g. `['email', 'address.phone']`).  An empty array means clean.
+ */
+export declare function findPiiPaths(checker: ts.TypeChecker, type: ts.Type, path?: string, depth?: number, seen?: Set<ts.Type>): string[];

package/dist/utils/check-pii-output.js

@@ -0,0 +1,63 @@
+import * as ts from 'typescript';
+/**
+ * Recursively walks a resolved TypeScript type looking for `__classification__` brands —
+ * the structural marker emitted by `Private<T>` and `Secret<T>`.
+ *
+ * `Private<T> = T & { readonly __classification__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__classification__`
+ * property.  We detect that by checking whether any constituent of an
+ * intersection exposes a property named `__classification__`.
+ *
+ * Returns the list of dotted field paths where a brand was found
+ * (e.g. `['email', 'address.phone']`).  An empty array means clean.
+ */
+export function findPiiPaths(checker, type, path = '', depth = 0, seen = new Set()) {
+    if (depth > 8 || seen.has(type))
+        return [];
+    seen.add(type);
+    // ── Is this type itself branded? ─────────────────────────────────────────
+    // Private<T> = T & { readonly __classification__: 'private' }  →  isIntersection()
+    // where one constituent has a `__classification__` property.
+    if (type.isIntersection()) {
+        const branded = type.types.some((t) => t.getProperties().some((p) => p.name === '__classification__'));
+        if (branded) {
+            return [path || '<return value>'];
+        }
+    }
+    const violations = [];
+    // ── Union: check every branch ─────────────────────────────────────────────
+    if (type.isUnion()) {
+        for (const branch of type.types) {
+            violations.push(...findPiiPaths(checker, branch, path, depth, seen));
+        }
+        return violations;
+    }
+    // ── Object: recurse into named properties ─────────────────────────────────
+    if (type.flags & ts.TypeFlags.Object) {
+        const ref = type;
+        for (const arg of ref.typeArguments ?? []) {
+            violations.push(...findPiiPaths(checker, arg, path, depth + 1, seen));
+        }
+        const numberIndex = checker.getIndexTypeOfType(type, ts.IndexKind.Number);
+        if (numberIndex) {
+            const idxPath = path ? `${path}[]` : '[]';
+            violations.push(...findPiiPaths(checker, numberIndex, idxPath, depth + 1, seen));
+        }
+        const stringIndex = checker.getIndexTypeOfType(type, ts.IndexKind.String);
+        if (stringIndex) {
+            const idxPath = path ? `${path}[*]` : '[*]';
+            violations.push(...findPiiPaths(checker, stringIndex, idxPath, depth + 1, seen));
+        }
+        for (const prop of type.getProperties()) {
+            if (prop.name.startsWith('__'))
+                continue;
+            const decl = prop.valueDeclaration ?? prop.declarations?.[0];
+            if (!decl)
+                continue;
+            const propType = checker.getTypeOfSymbolAtLocation(prop, decl);
+            const subPath = path ? `${path}.${prop.name}` : prop.name;
+            violations.push(...findPiiPaths(checker, propType, subPath, depth + 1, seen));
+        }
+    }
+    return violations;
+}

package/dist/utils/serialize-inspector-state.d.ts

@@ -203,6 +203,10 @@ export interface SerializableInspectorState {
         meta: InspectorState['nodes']['meta'];
         files: string[];
     };
+    auth: {
+        providers: string[];
+        files: string[];
+    };
     secrets: {
         definitions: InspectorState['secrets']['definitions'];
         files: string[];

package/dist/utils/serialize-inspector-state.js

@@ -98,6 +98,10 @@ export function serializeInspectorState(state) {
             meta: state.nodes.meta,
             files: Array.from(state.nodes.files),
         },
+        auth: {
+            providers: state.auth.providers,
+            files: Array.from(state.auth.files),
+        },
         secrets: {
             definitions: state.secrets.definitions,
             files: Array.from(state.secrets.files),
@@ -246,6 +250,10 @@ export function deserializeInspectorState(data) {
             meta: data.nodes?.meta || {},
             files: new Set(data.nodes?.files || []),
         },
+        auth: {
+            providers: data.auth?.providers || [],
+            files: new Set(data.auth?.files || []),
+        },
         secrets: {
             definitions: data.secrets?.definitions || [],
             files: new Set(data.secrets?.files || []),

package/dist/visit.js

@@ -17,6 +17,7 @@ import { addWireAddon } from './add/add-wire-addon.js';
 import { addMiddleware } from './add/add-middleware.js';
 import { addPermission } from './add/add-permission.js';
 import { addCLI, addCLIRenderers } from './add/add-cli.js';
+import { addAuth } from './add/add-auth.js';
 import { addSecret } from './add/add-secret.js';
 import { addCredential } from './add/add-credential.js';
 import { addVariable } from './add/add-variable.js';
@@ -41,6 +42,7 @@ export const visitSetup = (logger, checker, node, state, options) => {
 };
 export const visitRoutes = (logger, checker, node, state, options) => {
     addFunctions(logger, node, checker, state, options);
+    addAuth(logger, node, checker, state, options);
     addSecret(logger, node, checker, state, options);
     addCredential(logger, node, checker, state, options);
     addVariable(logger, node, checker, state, options);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pikku/inspector",
-  "version": "0.12.12",
+  "version": "0.12.14",
   "author": "yasser.fadl@gmail.com",
   "license": "BUSL-1.1",
   "type": "module",
@@ -35,7 +35,7 @@
   },
   "dependencies": {
     "@openapi-contrib/json-schema-to-openapi-schema": "^4.3.1",
-    "@pikku/core": "^0.12.21",
+    "@pikku/core": "^0.12.27",
     "path-to-regexp": "^8.3.0",
     "ts-json-schema-generator": "^2.5.0",
     "tsx": "^4.21.0",

package/src/add/add-auth.test.ts

@@ -0,0 +1,175 @@
+import { strict as assert } from 'assert'
+import { describe, test } from 'node:test'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { inspect } from '../inspector.js'
+import { ErrorCode } from '../error-codes.js'
+import type { InspectorLogger } from '../types.js'
+
+const makeLogger = (criticals: Array<{ code: ErrorCode; message: string }>) =>
+  ({
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    critical: (code: ErrorCode, message: string) => {
+      criticals.push({ code, message })
+    },
+    hasCriticalErrors: () => criticals.length > 0,
+  }) satisfies InspectorLogger
+
+describe('addAuth inspector', () => {
+  test('extracts provider string literals from wireAuth call', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "wireAuth({ providers: ['github', 'google'] })",
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(criticals.length, 0)
+      assert.deepEqual(state.auth.providers, ['github', 'google'])
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('deduplicates providers across multiple wireAuth calls', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-dedup-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "wireAuth({ providers: ['github'] })",
+        "wireAuth({ providers: ['github', 'google'] })",
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(criticals.length, 0)
+      assert.deepEqual(state.auth.providers, ['github', 'google'])
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('logs critical error when a provider is a non-literal reference', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-nonlit-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "const PROVIDER = 'github'",
+        'wireAuth({ providers: [PROVIDER] })',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      await inspect(makeLogger(criticals), [file], { rootDir })
+      const hit = criticals.find(
+        (e) => e.code === ErrorCode.NON_LITERAL_WIRE_NAME
+      )
+      assert.ok(hit, 'expected NON_LITERAL_WIRE_NAME critical')
+      assert.match(hit!.message, /PROVIDER/)
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('does not error when providers is absent (credentials-only wireAuth)', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-creds-only-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        'wireAuth({ credentials: { authorize: async () => null } })',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(
+        criticals.length,
+        0,
+        'credentials-only wireAuth must not produce errors'
+      )
+      assert.deepEqual(
+        state.auth.providers,
+        [],
+        'no providers should be extracted'
+      )
+      assert.ok(state.auth.files.has(file), 'source file still tracked')
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('logs critical error when providers is not an array literal', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-nonarray-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "const PROVIDERS = ['github']",
+        'wireAuth({ providers: PROVIDERS })',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      await inspect(makeLogger(criticals), [file], { rootDir })
+      const hit = criticals.find((e) => e.code === ErrorCode.MISSING_NAME)
+      assert.ok(
+        hit,
+        'expected MISSING_NAME critical for non-array-literal providers'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('tracks source file in state.auth.files', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-files-'))
+    const file = join(rootDir, 'auth.wiring.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "wireAuth({ providers: ['discord'] })",
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(criticals.length, 0)
+      assert.ok(
+        state.auth.files.has(file),
+        'source file should be tracked in state.auth.files'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+})

package/src/add/add-auth.ts

@@ -0,0 +1,49 @@
+import * as ts from 'typescript'
+import type { AddWiring } from '../types.js'
+import { ErrorCode } from '../error-codes.js'
+
+export const addAuth: AddWiring = (logger, node, _checker, state) => {
+  if (!ts.isCallExpression(node)) return
+
+  const expression = node.expression
+  if (!ts.isIdentifier(expression) || expression.text !== 'wireAuth') return
+
+  const firstArg = node.arguments[0]
+  if (!firstArg || !ts.isObjectLiteralExpression(firstArg)) return
+
+  const providersProp = firstArg.properties.find(
+    (p) =>
+      ts.isPropertyAssignment(p) &&
+      (ts.isIdentifier(p.name) || ts.isStringLiteral(p.name)) &&
+      p.name.text === 'providers'
+  ) as ts.PropertyAssignment | undefined
+
+  const sourceFile = node.getSourceFile().fileName
+  state.auth.files.add(sourceFile)
+
+  if (!providersProp) {
+    return
+  }
+
+  if (!ts.isArrayLiteralExpression(providersProp.initializer)) {
+    logger.critical(
+      ErrorCode.MISSING_NAME,
+      'wireAuth: providers must be an array literal of string literals.'
+    )
+    return
+  }
+
+  for (const element of (providersProp.initializer as ts.ArrayLiteralExpression)
+    .elements) {
+    if (!ts.isStringLiteral(element)) {
+      logger.critical(
+        ErrorCode.NON_LITERAL_WIRE_NAME,
+        `wireAuth: each provider must be a string literal. Found: ${element.getText()}`
+      )
+      return
+    }
+    if (!state.auth.providers.includes(element.text)) {
+      state.auth.providers.push(element.text)
+    }
+  }
+}

package/src/add/add-functions.ts

@@ -19,6 +19,7 @@ import { resolveMiddleware } from '../utils/middleware.js'
 import { resolvePermissions } from '../utils/permissions.js'
 import { extractWireNames } from '../utils/post-process.js'
 import { ErrorCode } from '../error-codes.js'
+import { findPiiPaths } from '../utils/check-pii-output.js'
 import type { NodeType } from '@pikku/core/node'
 
 const isValidVariableName = (name: string) => {
@@ -882,6 +883,29 @@ export const addFunctions: AddWiring = (
     }
   }
 
+  // ── PII brand check ───────────────────────────────────────────────────────
+  // Walk the function body's ACTUAL inferred return type looking for Private<T>
+  // / Pii<T> / Secret<T> brands (__classification__ property).  This runs for every function,
+  // including those with a Zod output schema, because the TS return type
+  // reflects what the body actually returns before any Zod coercion.
+  {
+    const sig = checker.getSignatureFromDeclaration(handler)
+    if (sig) {
+      const rawRet = checker.getReturnTypeOfSignature(sig)
+      const unwrapped = unwrapPromise(checker, rawRet)
+      const piiPaths = findPiiPaths(checker, unwrapped)
+      if (piiPaths.length > 0) {
+        logger.critical(
+          ErrorCode.PII_IN_OUTPUT,
+          `Function '${name}' exposes PII-classified field(s) in its return type: ` +
+            piiPaths.map((p) => `'${p}'`).join(', ') +
+            `.\n  Either strip these fields before returning or mark the column ` +
+            `@public in the migration if it is safe to expose.`
+        )
+      }
+    }
+  }
+
   // --- resolve middleware ---
   let middleware = objectNode
     ? resolveMiddleware(state, objectNode, tags, checker)