bunsane 0.2.10 → 0.3.0

package/core/decorators/EntityHooks.ts

@@ -114,6 +114,10 @@ export function ComponentTargetHook(
     };
 }
 
+/** Per-instance registry of hook IDs created by registerDecoratedHooks.
+ *  Used by unregisterDecoratedHooks to undo registration (H-HOOK-3). */
+const REGISTERED_IDS = new WeakMap<object, string[]>();
+
 /**
  * Register all decorated hooks for a service class
  * Call this method after instantiating a service to register its decorated hooks
@@ -121,17 +125,18 @@ export function ComponentTargetHook(
  */
 export function registerDecoratedHooks(serviceInstance: any): void {
     const constructor = serviceInstance.constructor;
+    const ids: string[] = REGISTERED_IDS.get(serviceInstance) ?? [];
 
     // Register entity hooks
     if (constructor.__entityHooks) {
         for (const hookInfo of constructor.__entityHooks) {
             const hookMethod = serviceInstance[hookInfo.methodName].bind(serviceInstance);
 
-            EntityHookManager.registerEntityHook(
+            ids.push(EntityHookManager.registerEntityHook(
                 hookInfo.eventType,
                 hookMethod,
                 hookInfo.options
-            );
+            ));
         }
     }
 
@@ -140,11 +145,11 @@ export function registerDecoratedHooks(serviceInstance: any): void {
         for (const hookInfo of constructor.__componentHooks) {
             const hookMethod = serviceInstance[hookInfo.methodName].bind(serviceInstance);
 
-            EntityHookManager.registerComponentHook(
+            ids.push(EntityHookManager.registerComponentHook(
                 hookInfo.eventType,
                 hookMethod,
                 hookInfo.options
-            );
+            ));
         }
     }
 
@@ -153,14 +158,14 @@ export function registerDecoratedHooks(serviceInstance: any): void {
         for (const hookInfo of constructor.__componentTargetHooks) {
             const hookMethod = serviceInstance[hookInfo.methodName].bind(serviceInstance);
 
-            EntityHookManager.registerEntityHook(
+            ids.push(EntityHookManager.registerEntityHook(
                 hookInfo.eventType,
                 hookMethod,
                 {
                     ...hookInfo.options,
                     componentTarget: hookInfo.componentTarget
                 }
-            );
+            ));
         }
     }
 
@@ -169,19 +174,26 @@ export function registerDecoratedHooks(serviceInstance: any): void {
         for (const hookInfo of constructor.__lifecycleHooks) {
             const hookMethod = serviceInstance[hookInfo.methodName].bind(serviceInstance);
 
-            EntityHookManager.registerLifecycleHook(
+            ids.push(EntityHookManager.registerLifecycleHook(
                 hookMethod,
                 hookInfo.options
-            );
+            ));
         }
     }
+
+    REGISTERED_IDS.set(serviceInstance, ids);
 }
 
 /**
- * Unregister all decorated hooks for a service class
- * Call this method before destroying a service to clean up its hooks
- * @param serviceInstance The service instance to unregister hooks for
+ * Unregister all decorated hooks for a service instance.
+ * Call during teardown (service destruction, test isolation) to prevent
+ * hook leaks across repeated instantiations (H-HOOK-3).
  */
 export function unregisterDecoratedHooks(serviceInstance: any): void {
-    console.warn('unregisterDecoratedHooks is not fully implemented. Use EntityHookManager.removeHook() for individual hook removal.');
+    const ids = REGISTERED_IDS.get(serviceInstance);
+    if (!ids) return;
+    for (const id of ids) {
+        EntityHookManager.removeHook(id);
+    }
+    REGISTERED_IDS.delete(serviceInstance);
 }

package/core/middleware/RateLimit.ts

@@ -0,0 +1,105 @@
+import type { Middleware } from '../Middleware';
+import { logger as MainLogger } from '../Logger';
+
+const logger = MainLogger.child({ scope: 'RateLimit' });
+
+export type RateLimitOptions = {
+    /** Maximum requests in the window. Default: 100 */
+    max?: number;
+    /** Window length in milliseconds. Default: 60_000 (1 min) */
+    windowMs?: number;
+    /** Only apply to paths matching this prefix list. Default: all */
+    pathPrefixes?: string[];
+    /** Extract client key (override default: X-Forwarded-For → remote). */
+    keyExtractor?: (req: Request) => string;
+    /** Response status for rejection. Default: 429 */
+    status?: number;
+    /** Trust X-Forwarded-For header. Default: false */
+    trustProxy?: boolean;
+};
+
+type Bucket = {
+    count: number;
+    resetAt: number;
+};
+
+/**
+ * In-memory token-bucket rate limiter. Per-instance only — for multi-instance
+ * deployments use a shared Redis-backed limiter. Sweeps expired buckets on
+ * each increment to keep memory bounded.
+ */
+export function rateLimit(options: RateLimitOptions = {}): Middleware {
+    const max = options.max ?? 100;
+    const windowMs = options.windowMs ?? 60_000;
+    const pathPrefixes = options.pathPrefixes;
+    const status = options.status ?? 429;
+    const trustProxy = options.trustProxy ?? false;
+    const keyExtractor = options.keyExtractor ?? ((req: Request) => {
+        if (trustProxy) {
+            const xff = req.headers.get('x-forwarded-for');
+            if (xff) return xff.split(',')[0]!.trim();
+        }
+        const realIp = req.headers.get('x-real-ip');
+        if (realIp) return realIp;
+        return 'anonymous';
+    });
+
+    const buckets = new Map<string, Bucket>();
+    let lastSweep = Date.now();
+
+    return async (req, next) => {
+        if (pathPrefixes && pathPrefixes.length > 0) {
+            const url = new URL(req.url);
+            const match = pathPrefixes.some((p) => url.pathname.startsWith(p));
+            if (!match) return next();
+        }
+
+        const now = Date.now();
+        const key = keyExtractor(req);
+
+        if (now - lastSweep > windowMs) {
+            for (const [k, v] of buckets) {
+                if (v.resetAt <= now) buckets.delete(k);
+            }
+            lastSweep = now;
+        }
+
+        let bucket = buckets.get(key);
+        if (!bucket || bucket.resetAt <= now) {
+            bucket = { count: 0, resetAt: now + windowMs };
+            buckets.set(key, bucket);
+        }
+
+        bucket.count++;
+        const remaining = Math.max(0, max - bucket.count);
+        const retryAfterSec = Math.ceil((bucket.resetAt - now) / 1000);
+
+        if (bucket.count > max) {
+            logger.warn({ key, path: new URL(req.url).pathname, count: bucket.count, max }, 'rate limit exceeded');
+            return new Response(
+                JSON.stringify({ error: 'Too many requests', retryAfter: retryAfterSec }),
+                {
+                    status,
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'Retry-After': String(retryAfterSec),
+                        'X-RateLimit-Limit': String(max),
+                        'X-RateLimit-Remaining': '0',
+                        'X-RateLimit-Reset': String(Math.floor(bucket.resetAt / 1000)),
+                    },
+                },
+            );
+        }
+
+        const response = await next();
+        const newHeaders = new Headers(response.headers);
+        newHeaders.set('X-RateLimit-Limit', String(max));
+        newHeaders.set('X-RateLimit-Remaining', String(remaining));
+        newHeaders.set('X-RateLimit-Reset', String(Math.floor(bucket.resetAt / 1000)));
+        return new Response(response.body, {
+            status: response.status,
+            statusText: response.statusText,
+            headers: newHeaders,
+        });
+    };
+}

package/core/middleware/index.ts

@@ -1,3 +1,4 @@
 export { securityHeaders, type SecurityHeadersOptions } from './SecurityHeaders';
 export { requestId, getRequestId, requestStore } from './RequestId';
 export { accessLog, type AccessLogOptions } from './AccessLog';
+export { rateLimit, type RateLimitOptions } from './RateLimit';

package/core/remote/OutboxWorker.ts

@@ -13,7 +13,7 @@
  */
 
 import type Redis from "ioredis";
-import type { SQL } from "bun";
+import { sql as sqlHelper, type SQL } from "bun";
 import { logger } from "../Logger";
 import type { RemoteMetrics } from "./metrics";
 
@@ -126,49 +126,56 @@ export class OutboxWorker {
                 loggerInstance.debug(`Claimed ${rows.length} outbox rows`);
             }
 
-            const successIds: string[] = [];
+            // Publish concurrently rather than serially. Each xadd is bounded
+            // by the publisher client's `commandTimeout`; with serial awaits a
+            // batch of N slow rows would hold PG row locks for N × timeout.
+            // Parallel keeps worst-case lock hold ≈ single-xadd timeout.
+            // (H-DB-1 partial — full fix requires a claim-via-column design
+            // so Redis latency no longer sits inside a PG transaction at all.)
+            const publishResults = await Promise.allSettled(
+                rows.map((row) => {
+                    const stream = `${this.config.streamPrefix}${row.target}`;
+                    const envelope = JSON.stringify({
+                        kind: "event",
+                        sourceApp: this.config.sourceApp,
+                        event: row.event,
+                        data: row.data,
+                        emittedAt: row.created_at.getTime(),
+                    });
+                    return this.publisher.xadd(stream, "*", "data", envelope);
+                })
+            );
 
-            for (const row of rows) {
-                const stream = `${this.config.streamPrefix}${row.target}`;
-                const envelope = JSON.stringify({
-                    kind: "event",
-                    sourceApp: this.config.sourceApp,
-                    event: row.event,
-                    data: row.data,
-                    emittedAt: row.created_at.getTime(),
-                });
-                try {
-                    await this.publisher.xadd(
-                        stream,
-                        "*",
-                        "data",
-                        envelope
-                    );
+            const successIds: string[] = [];
+            for (let i = 0; i < publishResults.length; i++) {
+                const r = publishResults[i];
+                const row = rows[i]!;
+                if (r!.status === "fulfilled") {
                     successIds.push(row.id);
-                } catch (err: any) {
+                } else {
                     this.metrics?.outboxPublishFailed();
-                    loggerInstance.error(
-                        {
-                            err,
-                            outboxId: row.id,
-                            target: row.target,
-                            event: row.event,
-                            msg: "Outbox XADD failed — row will retry next tick",
-                        }
-                    );
+                    loggerInstance.error({
+                        err: r!.reason,
+                        outboxId: row.id,
+                        target: row.target,
+                        event: row.event,
+                        msg: "Outbox XADD failed — row will retry next tick",
+                    });
                     // Leave row unpublished; SKIP LOCKED releases on tx end
                     // so next tick (or another instance) picks it up.
                 }
             }
 
             if (successIds.length > 0) {
-                for (const id of successIds) {
-                    await trx`
-                        UPDATE remote_outbox
-                        SET published_at = NOW()
-                        WHERE id = ${id}::uuid
-                    `;
-                }
+                // Single bulk UPDATE instead of N round-trips holding row
+                // locks (H-DB-3). Previously each success fired its own
+                // UPDATE statement serially. Uses Bun SQL's `sql(...)` helper
+                // for the IN-list so ids are parameterised individually.
+                await trx`
+                    UPDATE remote_outbox
+                    SET published_at = NOW()
+                    WHERE id IN ${sqlHelper(successIds)}
+                `;
                 this.metrics?.outboxPublished(successIds.length);
             }
         });

package/core/scheduler/DistributedLock.ts

@@ -83,11 +83,20 @@ export class DistributedLock {
     private async ensureReserved(): Promise<ReservedSQL> {
         if (this.reservedConn) return this.reservedConn;
         if (!this.reservePromise) {
-            this.reservePromise = db.reserve().then((conn) => {
-                this.reservedConn = conn;
-                this.reservePromise = null;
-                return conn;
-            });
+            // On reject (pool exhausted, shutdown mid-reserve), null the
+            // promise so subsequent callers retry a fresh reserve instead of
+            // receiving the same rejected promise forever (H-DB-2).
+            this.reservePromise = db.reserve().then(
+                (conn) => {
+                    this.reservedConn = conn;
+                    this.reservePromise = null;
+                    return conn;
+                },
+                (err) => {
+                    this.reservePromise = null;
+                    throw err;
+                }
+            );
         }
         return this.reservePromise;
     }
@@ -122,12 +131,18 @@ export class DistributedLock {
         const lockKey = this.generateLockKey(taskId);
 
         if (this.heldLocks.has(taskId)) {
+            // Defense in depth: if this instance already holds the lock for
+            // taskId, a second concurrent acquirer would mean overlapping
+            // execution (retry firing while previous run is still in the
+            // finally → release step, for example). Return acquired:false so
+            // the second caller skips, even if caller-side guards missed it.
+            // (H-SCHED-4).
             if (this.config.enableLogging) {
                 loggerInstance.debug(
-                    `Lock for ${taskId} already held locally, returning acquired`
+                    `Lock for ${taskId} already held locally — reporting overlap (acquired:false)`
                 );
             }
-            return { acquired: true, lockKey, taskId };
+            return { acquired: false, lockKey, taskId };
         }
 
         const startTime = Date.now();

package/gql/builders/ResolverBuilder.ts

@@ -87,7 +87,7 @@ export class ResolverBuilder {
         throw new GraphQLError(`Internal error`, {
           extensions: {
             code: "INTERNAL_ERROR",
-            originalError: process.env.NODE_ENV === 'development' ? error : undefined
+            originalError: process.env.NODE_ENV !== 'production' ? error : undefined
           }
         });
       }
@@ -111,7 +111,7 @@ export class ResolverBuilder {
         throw new GraphQLError(`Internal error`, {
           extensions: {
             code: "INTERNAL_ERROR",
-            originalError: process.env.NODE_ENV === 'development' ? error : undefined
+            originalError: process.env.NODE_ENV !== 'production' ? error : undefined
           }
         });
       }
@@ -151,7 +151,7 @@ export class ResolverBuilder {
           throw new GraphQLError(`Internal error in subscription`, {
             extensions: {
               code: "INTERNAL_ERROR",
-              originalError: process.env.NODE_ENV === 'development' ? error : undefined
+              originalError: process.env.NODE_ENV !== 'production' ? error : undefined
             }
           });
         }
@@ -177,7 +177,7 @@ export class ResolverBuilder {
           throw new GraphQLError(`Internal error in subscription`, {
             extensions: {
               code: "INTERNAL_ERROR",
-              originalError: process.env.NODE_ENV === 'development' ? error : undefined
+              originalError: process.env.NODE_ENV !== 'production' ? error : undefined
             }
           });
         }

package/gql/complexityLimit.ts

@@ -0,0 +1,95 @@
+import {
+    type ASTVisitor,
+    type DocumentNode,
+    type FragmentDefinitionNode,
+    type ValidationContext,
+    GraphQLError,
+    Kind,
+} from "graphql";
+
+/**
+ * Lightweight GraphQL query complexity validator. Assigns each selected field
+ * a base cost of 1, multiplied by the value of a `first` / `limit` / `take`
+ * argument when present. Nested selections contribute their (multiplied) cost.
+ * Fragments are followed and deduped. Introspection queries are exempt.
+ *
+ * Not as expressive as `graphql-query-complexity` (no per-field estimators,
+ * no custom weights). Enough to block obviously abusive nested archetype
+ * relations without a heavyweight dep.
+ */
+export function complexityLimitRule(maxComplexity: number) {
+    return function ComplexityLimitValidationRule(
+        context: ValidationContext,
+    ): ASTVisitor {
+        const document: DocumentNode = context.getDocument();
+
+        const fragments = new Map<string, FragmentDefinitionNode>();
+        for (const def of document.definitions) {
+            if (def.kind === Kind.FRAGMENT_DEFINITION) {
+                fragments.set(def.name.value, def);
+            }
+        }
+
+        const MULTIPLIER_ARGS = new Set(["first", "limit", "take"]);
+
+        function readMultiplier(args: readonly any[] | undefined): number {
+            if (!args) return 1;
+            for (const arg of args) {
+                if (!MULTIPLIER_ARGS.has(arg.name.value)) continue;
+                const v = arg.value;
+                if (v.kind === Kind.INT) {
+                    const n = parseInt(v.value, 10);
+                    if (Number.isFinite(n) && n > 0) return n;
+                }
+            }
+            return 1;
+        }
+
+        function cost(
+            node: { selectionSet?: { selections: readonly any[] } },
+            visited: Set<string>,
+        ): number {
+            if (!node.selectionSet) return 0;
+
+            let total = 0;
+            for (const selection of node.selectionSet.selections) {
+                if (selection.kind === Kind.FIELD) {
+                    const multiplier = readMultiplier(selection.arguments);
+                    const childCost = cost(selection, visited);
+                    total += multiplier * (1 + childCost);
+                } else if (selection.kind === Kind.INLINE_FRAGMENT) {
+                    total += cost(selection, visited);
+                } else if (selection.kind === Kind.FRAGMENT_SPREAD) {
+                    const name = selection.name.value;
+                    if (visited.has(name)) continue;
+                    visited.add(name);
+                    const fragment = fragments.get(name);
+                    if (fragment) total += cost(fragment, visited);
+                }
+            }
+            return total;
+        }
+
+        return {
+            OperationDefinition(node) {
+                if (node.selectionSet) {
+                    const isIntrospection = node.selectionSet.selections.every(
+                        (sel) =>
+                            sel.kind === Kind.FIELD &&
+                            sel.name.value.startsWith("__"),
+                    );
+                    if (isIntrospection) return;
+                }
+
+                const total = cost(node, new Set());
+                if (total > maxComplexity) {
+                    context.reportError(
+                        new GraphQLError(
+                            `Query complexity ${total} exceeds maximum allowed complexity of ${maxComplexity}`,
+                        ),
+                    );
+                }
+            },
+        };
+    };
+}

package/gql/index.ts

@@ -2,6 +2,7 @@ import {createSchema, createYoga, type Plugin} from 'graphql-yoga';
 import { useValidationRule } from '@envelop/core';
 import { GraphQLSchema, GraphQLError } from 'graphql';
 import { depthLimitRule } from './depthLimit';
+import { complexityLimitRule } from './complexityLimit';
 import { GraphQLObjectType, GraphQLField, GraphQLOperation, GraphQLScalarType, GraphQLSubscription } from './Generator';
 import {GraphQLFieldTypes} from "./types"
 import {logger as MainLogger} from "../core/Logger"
@@ -144,6 +145,8 @@ export interface YogaInstanceOptions {
         methods?: string[];
     };
     maxDepth?: number;
+    /** Maximum query complexity (default: 1000). 0 disables. */
+    maxComplexity?: number;
 }
 
 export function createYogaInstance(
@@ -152,10 +155,19 @@ export function createYogaInstance(
     contextFactory?: (context: any) => any,
     options?: YogaInstanceOptions
 ) {
-    // Prepend depth limit plugin if configured
+    // Prepend depth limit plugin. Enforce a hard minimum so maxDepth: 0 or
+    // undefined cannot silently disable the guard (C06). If a deployment
+    // explicitly needs a higher bound, raise it — but we never allow it off.
+    const HARD_MIN_DEPTH = 15;
+    const effectiveDepth = Math.max(options?.maxDepth ?? HARD_MIN_DEPTH, HARD_MIN_DEPTH);
     const allPlugins: Plugin[] = [];
-    if (options?.maxDepth) {
-        allPlugins.push(useValidationRule(depthLimitRule(options.maxDepth)) as Plugin);
+    allPlugins.push(useValidationRule(depthLimitRule(effectiveDepth)) as Plugin);
+
+    // Complexity budget: count per-field cost with `first`/`limit`/`take`
+    // multipliers. 0 disables, undefined defaults to 1000.
+    const complexityBudget = options?.maxComplexity ?? 1000;
+    if (complexityBudget > 0) {
+        allPlugins.push(useValidationRule(complexityLimitRule(complexityBudget)) as Plugin);
     }
     allPlugins.push(...plugins);
 

package/gql/visitors/ResolverGeneratorVisitor.ts

@@ -1,6 +1,8 @@
 import { GraphVisitor } from "./GraphVisitor";
 import { TypeNode, OperationNode, FieldNode, InputNode, ScalarNode } from "../graph/GraphNode";
 import { ResolverBuilder } from "../builders/ResolverBuilder";
+import { isSchemaInput } from "../schema";
+import * as z from "zod";
 import { logger } from "../../core/Logger";
 
 /**
@@ -54,9 +56,21 @@ export class ResolverGeneratorVisitor extends GraphVisitor {
 
         const type = node.operationType.charAt(0).toUpperCase() + node.operationType.slice(1).toLowerCase() as "Query" | "Mutation" | "Subscription";
 
-        // Extract Zod schema from input if it's a Zod type (check for '_def' property)
+        // Extract Zod schema from input. If it's already a Zod type (`_def`),
+        // use directly. If it's a Schema DSL input (`t.` API), convert each
+        // field `.toZod()` into a Zod object so the resolver validates it
+        // instead of passing raw args through (H-GQL-4).
         const input = node.metadata.input;
-        const zodSchema = (input && typeof input === 'object' && '_def' in input) ? input as any : null;
+        let zodSchema: any = null;
+        if (input && typeof input === 'object' && '_def' in input) {
+            zodSchema = input;
+        } else if (isSchemaInput(input)) {
+            const zodShape: Record<string, z.ZodType> = {};
+            for (const [key, field] of Object.entries(input)) {
+                zodShape[key] = (field as any).toZod();
+            }
+            zodSchema = z.object(zodShape);
+        }
 
         // Create resolver definitions for operations
         const resolverDef = {

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "bunsane",
-    "version": "0.2.10",
+    "version": "0.3.0",
     "author": {
         "name": "yaaruu"
     },

package/query/ComponentInclusionNode.ts

@@ -5,6 +5,7 @@ import { shouldUseLateralJoins, shouldUseDirectPartition } from "../core/Config"
 import { FilterBuilderRegistry } from "./FilterBuilderRegistry";
 import { ComponentRegistry } from "../core/components";
 import { getMetadataStorage } from "../core/metadata";
+import { assertIdentifier } from "./SqlIdentifier";
 
 /**
  * Check if a component property is numeric based on metadata
@@ -331,12 +332,16 @@ export class ComponentInclusionNode extends QueryNode {
             const sortComponentTableName = this.getComponentTableName(typeId);
             const nullsClause = sortOrder.nullsFirst ? 'NULLS FIRST' : 'NULLS LAST';
             const isNumeric = isNumericProperty(sortOrder.component, sortOrder.property);
+            // Validate property name before interpolating into JSON path.
+            // Without this, a malicious or malformed sortOrder.property could
+            // inject SQL through the template (C08).
+            const safeProperty = assertIdentifier(sortOrder.property, 'sortOrder.property');
 
             // Build scalar subquery to get sort value for each entity
             // This avoids nested loop join by forcing row-by-row evaluation
             const sortExpr = isNumeric
-                ? `(sort_c.data->>'${sortOrder.property}')::numeric`
-                : `sort_c.data->>'${sortOrder.property}'`;
+                ? `(sort_c.data->>'${safeProperty}')::numeric`
+                : `sort_c.data->>'${safeProperty}'`;
 
             const subquery = `(
                 SELECT ${sortExpr}
@@ -454,9 +459,10 @@ export class ComponentInclusionNode extends QueryNode {
 
         const nullsClause = sortOrder.nullsFirst ? 'NULLS FIRST' : 'NULLS LAST';
         const isNumeric = isNumericProperty(sortOrder.component, sortOrder.property);
+        const safeProperty = assertIdentifier(sortOrder.property, 'sortOrder.property');
         const sortExpr = isNumeric
-            ? `(c.data->>'${sortOrder.property}')::numeric`
-            : `c.data->>'${sortOrder.property}'`;
+            ? `(c.data->>'${safeProperty}')::numeric`
+            : `c.data->>'${safeProperty}'`;
 
         let sql: string;
         if (useDirectPartition) {
@@ -508,9 +514,10 @@ export class ComponentInclusionNode extends QueryNode {
 
         const nullsClause = sortOrder.nullsFirst ? 'NULLS FIRST' : 'NULLS LAST';
         const isNumeric = isNumericProperty(sortOrder.component, sortOrder.property);
+        const safeProperty = assertIdentifier(sortOrder.property, 'sortOrder.property');
         const sortExpr = isNumeric
-            ? `(sort_c.data->>'${sortOrder.property}')::numeric`
-            : `sort_c.data->>'${sortOrder.property}'`;
+            ? `(sort_c.data->>'${safeProperty}')::numeric`
+            : `sort_c.data->>'${safeProperty}'`;
 
         // Use scalar subquery to avoid cartesian product explosion
         // This forces PostgreSQL to evaluate sort value per-entity, preventing

package/query/OrNode.ts

@@ -305,15 +305,13 @@ export class OrNode extends QueryNode {
     public execute(context: QueryContext): QueryResult {
         // Try optimized UNION ALL path for direct partition access
         // This avoids the slow multi-partition scanning by querying each partition directly
+        // (Verbose console.log debug traces removed — H-QUERY-2. Re-enable via
+        // a framework logger at debug level if needed.)
         const canUseOptimized = this.canUseUnionAllOptimization() && this.dependencies.length === 0;
-        console.log(`OrNode: Using optimized path: ${canUseOptimized}, dependencies: ${this.dependencies.length}, direct partition: ${require("../core/Config").shouldUseDirectPartition()}`);
-        console.log(`OrNode: Component types:`, Array.from(this.orQuery.getComponentTypes()));
 
         if (canUseOptimized) {
-            console.log("OrNode: Using optimized UNION path");
             return this.executeUnionAllOptimized(context);
         }
-        console.log("OrNode: Using fallback path");
 
         // Fall back to original implementation for:
         // - HASH partitioning (no direct partition access)