bunsane 0.2.10 → 0.3.1

package/core/cache/RedisCache.ts

@@ -35,12 +35,25 @@ export interface RedisCacheConfig {
     password?: string;
     db?: number;
     keyPrefix?: string;
-    retryStrategy?: (times: number) => number | void;
+    retryStrategy?: (times: number) => number | null | void;
     maxRetriesPerRequest?: number;
     lazyConnect?: boolean;
     enableReadyCheck?: boolean;
     connectTimeout?: number;
     commandTimeout?: number;
+    /**
+     * When true (default false), ioredis queues commands while offline. This
+     * can grow unboundedly during a Redis outage and exhaust heap. Keep false
+     * so cache operations fail fast and the caller's try/catch treats it as
+     * a cache miss instead of a hang.
+     */
+    enableOfflineQueue?: boolean;
+    /**
+     * Maximum reconnect attempts before the retry strategy returns null and
+     * ioredis gives up. Prevents infinite reconnect storms when Redis is
+     * permanently unreachable. Default 20 attempts (~ 40s at 2s cap).
+     */
+    maxReconnectAttempts?: number;
 }
 
 /**
@@ -65,18 +78,40 @@ export class RedisCache implements CacheProvider {
         this.config = config;
         this.keyPrefix = config.keyPrefix || 'bunsane:';
 
+        const maxReconnectAttempts = config.maxReconnectAttempts ?? 20;
+        const userRetryStrategy = config.retryStrategy;
+
+        // Wrap caller's retry strategy (or default) with a hard attempt cap so
+        // a permanently unreachable Redis cannot spin forever (C03).
+        const retryStrategy = (times: number): number | null => {
+            if (times > maxReconnectAttempts) {
+                logger.error({ scope: 'cache', provider: 'redis', attempts: times, msg: 'Redis retry cap reached — giving up reconnect attempts' });
+                return null;
+            }
+            if (userRetryStrategy) {
+                const result = userRetryStrategy(times);
+                if (result === null || result === undefined) return null;
+                return result as number;
+            }
+            return Math.min(times * 200, 2000);
+        };
+
         const redisOptions: RedisOptions = {
             host: config.host,
             port: config.port,
             password: config.password,
             db: config.db || 0,
-            retryStrategy: config.retryStrategy,
+            retryStrategy,
             maxRetriesPerRequest: config.maxRetriesPerRequest || 3,
             lazyConnect: config.lazyConnect || false,
             enableReadyCheck: config.enableReadyCheck || false,
             connectTimeout: config.connectTimeout ?? 5000,
             commandTimeout: config.commandTimeout ?? 3000,
-            enableOfflineQueue: true,
+            // Fail-fast when Redis is down. Unbounded offline queue → heap
+            // exhaustion under sustained load during outage (C02). Callers
+            // already wrap cache ops in try/catch and treat failures as
+            // cache miss; bounded failure is better than buildup.
+            enableOfflineQueue: config.enableOfflineQueue ?? false,
         };
 
         this.client = new Redis(redisOptions);

package/core/components/BaseComponent.ts

@@ -55,8 +55,18 @@ export class BaseComponent {
         this.properties().forEach((prop: string) => {
             let value = (this as any)[prop];
             const propMeta = props?.find(p => p.propertyKey === prop);
-            if (propMeta?.propertyType === Date && value instanceof Date) {
-                value = value.toISOString();
+            if (value !== null && value !== undefined) {
+                if (propMeta?.propertyType === Date) {
+                    if (!(value instanceof Date)) {
+                        throw new Error(`Type mismatch for property '${prop}' on component '${this._comp_name}': expected Date, got ${typeof value}`);
+                    }
+                    if (Number.isNaN(value.getTime())) {
+                        throw new Error(`Invalid Date for property '${prop}' on component '${this._comp_name}'`);
+                    }
+                    value = value.toISOString();
+                } else if (propMeta?.propertyType === Number && typeof value === 'number' && !Number.isFinite(value)) {
+                    throw new Error(`Invalid number for property '${prop}' on component '${this._comp_name}': ${value}`);
+                }
             }
             data[prop] = value;
         });

package/core/decorators/EntityHooks.ts

@@ -114,6 +114,10 @@ export function ComponentTargetHook(
     };
 }
 
+/** Per-instance registry of hook IDs created by registerDecoratedHooks.
+ *  Used by unregisterDecoratedHooks to undo registration (H-HOOK-3). */
+const REGISTERED_IDS = new WeakMap<object, string[]>();
+
 /**
  * Register all decorated hooks for a service class
  * Call this method after instantiating a service to register its decorated hooks
@@ -121,17 +125,18 @@ export function ComponentTargetHook(
  */
 export function registerDecoratedHooks(serviceInstance: any): void {
     const constructor = serviceInstance.constructor;
+    const ids: string[] = REGISTERED_IDS.get(serviceInstance) ?? [];
 
     // Register entity hooks
     if (constructor.__entityHooks) {
         for (const hookInfo of constructor.__entityHooks) {
             const hookMethod = serviceInstance[hookInfo.methodName].bind(serviceInstance);
 
-            EntityHookManager.registerEntityHook(
+            ids.push(EntityHookManager.registerEntityHook(
                 hookInfo.eventType,
                 hookMethod,
                 hookInfo.options
-            );
+            ));
         }
     }
 
@@ -140,11 +145,11 @@ export function registerDecoratedHooks(serviceInstance: any): void {
         for (const hookInfo of constructor.__componentHooks) {
             const hookMethod = serviceInstance[hookInfo.methodName].bind(serviceInstance);
 
-            EntityHookManager.registerComponentHook(
+            ids.push(EntityHookManager.registerComponentHook(
                 hookInfo.eventType,
                 hookMethod,
                 hookInfo.options
-            );
+            ));
         }
     }
 
@@ -153,14 +158,14 @@ export function registerDecoratedHooks(serviceInstance: any): void {
         for (const hookInfo of constructor.__componentTargetHooks) {
             const hookMethod = serviceInstance[hookInfo.methodName].bind(serviceInstance);
 
-            EntityHookManager.registerEntityHook(
+            ids.push(EntityHookManager.registerEntityHook(
                 hookInfo.eventType,
                 hookMethod,
                 {
                     ...hookInfo.options,
                     componentTarget: hookInfo.componentTarget
                 }
-            );
+            ));
         }
     }
 
@@ -169,19 +174,26 @@ export function registerDecoratedHooks(serviceInstance: any): void {
         for (const hookInfo of constructor.__lifecycleHooks) {
             const hookMethod = serviceInstance[hookInfo.methodName].bind(serviceInstance);
 
-            EntityHookManager.registerLifecycleHook(
+            ids.push(EntityHookManager.registerLifecycleHook(
                 hookMethod,
                 hookInfo.options
-            );
+            ));
         }
     }
+
+    REGISTERED_IDS.set(serviceInstance, ids);
 }
 
 /**
- * Unregister all decorated hooks for a service class
- * Call this method before destroying a service to clean up its hooks
- * @param serviceInstance The service instance to unregister hooks for
+ * Unregister all decorated hooks for a service instance.
+ * Call during teardown (service destruction, test isolation) to prevent
+ * hook leaks across repeated instantiations (H-HOOK-3).
  */
 export function unregisterDecoratedHooks(serviceInstance: any): void {
-    console.warn('unregisterDecoratedHooks is not fully implemented. Use EntityHookManager.removeHook() for individual hook removal.');
+    const ids = REGISTERED_IDS.get(serviceInstance);
+    if (!ids) return;
+    for (const id of ids) {
+        EntityHookManager.removeHook(id);
+    }
+    REGISTERED_IDS.delete(serviceInstance);
 }

package/core/middleware/RateLimit.ts

@@ -0,0 +1,105 @@
+import type { Middleware } from '../Middleware';
+import { logger as MainLogger } from '../Logger';
+
+const logger = MainLogger.child({ scope: 'RateLimit' });
+
+export type RateLimitOptions = {
+    /** Maximum requests in the window. Default: 100 */
+    max?: number;
+    /** Window length in milliseconds. Default: 60_000 (1 min) */
+    windowMs?: number;
+    /** Only apply to paths matching this prefix list. Default: all */
+    pathPrefixes?: string[];
+    /** Extract client key (override default: X-Forwarded-For → remote). */
+    keyExtractor?: (req: Request) => string;
+    /** Response status for rejection. Default: 429 */
+    status?: number;
+    /** Trust X-Forwarded-For header. Default: false */
+    trustProxy?: boolean;
+};
+
+type Bucket = {
+    count: number;
+    resetAt: number;
+};
+
+/**
+ * In-memory token-bucket rate limiter. Per-instance only — for multi-instance
+ * deployments use a shared Redis-backed limiter. Sweeps expired buckets on
+ * each increment to keep memory bounded.
+ */
+export function rateLimit(options: RateLimitOptions = {}): Middleware {
+    const max = options.max ?? 100;
+    const windowMs = options.windowMs ?? 60_000;
+    const pathPrefixes = options.pathPrefixes;
+    const status = options.status ?? 429;
+    const trustProxy = options.trustProxy ?? false;
+    const keyExtractor = options.keyExtractor ?? ((req: Request) => {
+        if (trustProxy) {
+            const xff = req.headers.get('x-forwarded-for');
+            if (xff) return xff.split(',')[0]!.trim();
+        }
+        const realIp = req.headers.get('x-real-ip');
+        if (realIp) return realIp;
+        return 'anonymous';
+    });
+
+    const buckets = new Map<string, Bucket>();
+    let lastSweep = Date.now();
+
+    return async (req, next) => {
+        if (pathPrefixes && pathPrefixes.length > 0) {
+            const url = new URL(req.url);
+            const match = pathPrefixes.some((p) => url.pathname.startsWith(p));
+            if (!match) return next();
+        }
+
+        const now = Date.now();
+        const key = keyExtractor(req);
+
+        if (now - lastSweep > windowMs) {
+            for (const [k, v] of buckets) {
+                if (v.resetAt <= now) buckets.delete(k);
+            }
+            lastSweep = now;
+        }
+
+        let bucket = buckets.get(key);
+        if (!bucket || bucket.resetAt <= now) {
+            bucket = { count: 0, resetAt: now + windowMs };
+            buckets.set(key, bucket);
+        }
+
+        bucket.count++;
+        const remaining = Math.max(0, max - bucket.count);
+        const retryAfterSec = Math.ceil((bucket.resetAt - now) / 1000);
+
+        if (bucket.count > max) {
+            logger.warn({ key, path: new URL(req.url).pathname, count: bucket.count, max }, 'rate limit exceeded');
+            return new Response(
+                JSON.stringify({ error: 'Too many requests', retryAfter: retryAfterSec }),
+                {
+                    status,
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'Retry-After': String(retryAfterSec),
+                        'X-RateLimit-Limit': String(max),
+                        'X-RateLimit-Remaining': '0',
+                        'X-RateLimit-Reset': String(Math.floor(bucket.resetAt / 1000)),
+                    },
+                },
+            );
+        }
+
+        const response = await next();
+        const newHeaders = new Headers(response.headers);
+        newHeaders.set('X-RateLimit-Limit', String(max));
+        newHeaders.set('X-RateLimit-Remaining', String(remaining));
+        newHeaders.set('X-RateLimit-Reset', String(Math.floor(bucket.resetAt / 1000)));
+        return new Response(response.body, {
+            status: response.status,
+            statusText: response.statusText,
+            headers: newHeaders,
+        });
+    };
+}

package/core/middleware/index.ts

@@ -1,3 +1,4 @@
 export { securityHeaders, type SecurityHeadersOptions } from './SecurityHeaders';
 export { requestId, getRequestId, requestStore } from './RequestId';
 export { accessLog, type AccessLogOptions } from './AccessLog';
+export { rateLimit, type RateLimitOptions } from './RateLimit';

package/core/remote/OutboxWorker.ts

@@ -13,7 +13,7 @@
  */
 
 import type Redis from "ioredis";
-import type { SQL } from "bun";
+import { sql as sqlHelper, type SQL } from "bun";
 import { logger } from "../Logger";
 import type { RemoteMetrics } from "./metrics";
 
@@ -126,49 +126,56 @@ export class OutboxWorker {
                 loggerInstance.debug(`Claimed ${rows.length} outbox rows`);
             }
 
-            const successIds: string[] = [];
+            // Publish concurrently rather than serially. Each xadd is bounded
+            // by the publisher client's `commandTimeout`; with serial awaits a
+            // batch of N slow rows would hold PG row locks for N × timeout.
+            // Parallel keeps worst-case lock hold ≈ single-xadd timeout.
+            // (H-DB-1 partial — full fix requires a claim-via-column design
+            // so Redis latency no longer sits inside a PG transaction at all.)
+            const publishResults = await Promise.allSettled(
+                rows.map((row) => {
+                    const stream = `${this.config.streamPrefix}${row.target}`;
+                    const envelope = JSON.stringify({
+                        kind: "event",
+                        sourceApp: this.config.sourceApp,
+                        event: row.event,
+                        data: row.data,
+                        emittedAt: row.created_at.getTime(),
+                    });
+                    return this.publisher.xadd(stream, "*", "data", envelope);
+                })
+            );
 
-            for (const row of rows) {
-                const stream = `${this.config.streamPrefix}${row.target}`;
-                const envelope = JSON.stringify({
-                    kind: "event",
-                    sourceApp: this.config.sourceApp,
-                    event: row.event,
-                    data: row.data,
-                    emittedAt: row.created_at.getTime(),
-                });
-                try {
-                    await this.publisher.xadd(
-                        stream,
-                        "*",
-                        "data",
-                        envelope
-                    );
+            const successIds: string[] = [];
+            for (let i = 0; i < publishResults.length; i++) {
+                const r = publishResults[i];
+                const row = rows[i]!;
+                if (r!.status === "fulfilled") {
                     successIds.push(row.id);
-                } catch (err: any) {
+                } else {
                     this.metrics?.outboxPublishFailed();
-                    loggerInstance.error(
-                        {
-                            err,
-                            outboxId: row.id,
-                            target: row.target,
-                            event: row.event,
-                            msg: "Outbox XADD failed — row will retry next tick",
-                        }
-                    );
+                    loggerInstance.error({
+                        err: r!.reason,
+                        outboxId: row.id,
+                        target: row.target,
+                        event: row.event,
+                        msg: "Outbox XADD failed — row will retry next tick",
+                    });
                     // Leave row unpublished; SKIP LOCKED releases on tx end
                     // so next tick (or another instance) picks it up.
                 }
             }
 
             if (successIds.length > 0) {
-                for (const id of successIds) {
-                    await trx`
-                        UPDATE remote_outbox
-                        SET published_at = NOW()
-                        WHERE id = ${id}::uuid
-                    `;
-                }
+                // Single bulk UPDATE instead of N round-trips holding row
+                // locks (H-DB-3). Previously each success fired its own
+                // UPDATE statement serially. Uses Bun SQL's `sql(...)` helper
+                // for the IN-list so ids are parameterised individually.
+                await trx`
+                    UPDATE remote_outbox
+                    SET published_at = NOW()
+                    WHERE id IN ${sqlHelper(successIds)}
+                `;
                 this.metrics?.outboxPublished(successIds.length);
             }
         });

package/core/scheduler/DistributedLock.ts

@@ -83,11 +83,20 @@ export class DistributedLock {
     private async ensureReserved(): Promise<ReservedSQL> {
         if (this.reservedConn) return this.reservedConn;
         if (!this.reservePromise) {
-            this.reservePromise = db.reserve().then((conn) => {
-                this.reservedConn = conn;
-                this.reservePromise = null;
-                return conn;
-            });
+            // On reject (pool exhausted, shutdown mid-reserve), null the
+            // promise so subsequent callers retry a fresh reserve instead of
+            // receiving the same rejected promise forever (H-DB-2).
+            this.reservePromise = db.reserve().then(
+                (conn) => {
+                    this.reservedConn = conn;
+                    this.reservePromise = null;
+                    return conn;
+                },
+                (err) => {
+                    this.reservePromise = null;
+                    throw err;
+                }
+            );
         }
         return this.reservePromise;
     }
@@ -122,12 +131,18 @@ export class DistributedLock {
         const lockKey = this.generateLockKey(taskId);
 
         if (this.heldLocks.has(taskId)) {
+            // Defense in depth: if this instance already holds the lock for
+            // taskId, a second concurrent acquirer would mean overlapping
+            // execution (retry firing while previous run is still in the
+            // finally → release step, for example). Return acquired:false so
+            // the second caller skips, even if caller-side guards missed it.
+            // (H-SCHED-4).
             if (this.config.enableLogging) {
                 loggerInstance.debug(
-                    `Lock for ${taskId} already held locally, returning acquired`
+                    `Lock for ${taskId} already held locally — reporting overlap (acquired:false)`
                 );
             }
-            return { acquired: true, lockKey, taskId };
+            return { acquired: false, lockKey, taskId };
         }
 
         const startTime = Date.now();

package/database/PreparedStatementCache.ts

@@ -111,19 +111,11 @@ export class PreparedStatementCache {
      * Execute a prepared statement with parameters
      */
     public async execute(statement: any, params: any[], db: any): Promise<any[]> {
-        // Validate params to catch empty strings that would cause UUID parsing errors
-        for (let i = 0; i < params.length; i++) {
-            const param = params[i];
-            if (param === '' || (typeof param === 'string' && param.trim() === '')) {
-                logger.error(`[PreparedStatementCache] Empty string parameter at position ${i + 1}`);
-                logger.error(`[PreparedStatementCache] SQL: ${statement.sql}`);
-                logger.error(`[PreparedStatementCache] All params: ${JSON.stringify(params)}`);
-                throw new Error(`PreparedStatementCache.execute: Parameter $${i + 1} is an empty string. SQL: ${statement.sql.substring(0, 100)}...`);
-            }
-        }
-        
-        // For Bun's SQL, we still use db.unsafe() but with the prepared statement concept
-        // In a real implementation, this might use a prepared statement pool
+        // Empty-string params are legitimate for text-field filters
+        // (`c.data->>'field' = ''`). UUID-typed params never reach this
+        // point empty — callers (Query.findById etc.) guard at entry. PG
+        // emits a clear error at execution time if a UUID cast meets an
+        // empty string.
         return await db.unsafe(statement.sql, params);
     }
 

package/gql/builders/ResolverBuilder.ts

@@ -87,7 +87,7 @@ export class ResolverBuilder {
         throw new GraphQLError(`Internal error`, {
           extensions: {
             code: "INTERNAL_ERROR",
-            originalError: process.env.NODE_ENV === 'development' ? error : undefined
+            originalError: process.env.NODE_ENV !== 'production' ? error : undefined
           }
         });
       }
@@ -111,7 +111,7 @@ export class ResolverBuilder {
         throw new GraphQLError(`Internal error`, {
           extensions: {
             code: "INTERNAL_ERROR",
-            originalError: process.env.NODE_ENV === 'development' ? error : undefined
+            originalError: process.env.NODE_ENV !== 'production' ? error : undefined
           }
         });
       }
@@ -151,7 +151,7 @@ export class ResolverBuilder {
           throw new GraphQLError(`Internal error in subscription`, {
             extensions: {
               code: "INTERNAL_ERROR",
-              originalError: process.env.NODE_ENV === 'development' ? error : undefined
+              originalError: process.env.NODE_ENV !== 'production' ? error : undefined
             }
           });
         }
@@ -177,7 +177,7 @@ export class ResolverBuilder {
           throw new GraphQLError(`Internal error in subscription`, {
             extensions: {
               code: "INTERNAL_ERROR",
-              originalError: process.env.NODE_ENV === 'development' ? error : undefined
+              originalError: process.env.NODE_ENV !== 'production' ? error : undefined
             }
           });
         }

package/gql/complexityLimit.ts

@@ -0,0 +1,95 @@
+import {
+    type ASTVisitor,
+    type DocumentNode,
+    type FragmentDefinitionNode,
+    type ValidationContext,
+    GraphQLError,
+    Kind,
+} from "graphql";
+
+/**
+ * Lightweight GraphQL query complexity validator. Assigns each selected field
+ * a base cost of 1, multiplied by the value of a `first` / `limit` / `take`
+ * argument when present. Nested selections contribute their (multiplied) cost.
+ * Fragments are followed and deduped. Introspection queries are exempt.
+ *
+ * Not as expressive as `graphql-query-complexity` (no per-field estimators,
+ * no custom weights). Enough to block obviously abusive nested archetype
+ * relations without a heavyweight dep.
+ */
+export function complexityLimitRule(maxComplexity: number) {
+    return function ComplexityLimitValidationRule(
+        context: ValidationContext,
+    ): ASTVisitor {
+        const document: DocumentNode = context.getDocument();
+
+        const fragments = new Map<string, FragmentDefinitionNode>();
+        for (const def of document.definitions) {
+            if (def.kind === Kind.FRAGMENT_DEFINITION) {
+                fragments.set(def.name.value, def);
+            }
+        }
+
+        const MULTIPLIER_ARGS = new Set(["first", "limit", "take"]);
+
+        function readMultiplier(args: readonly any[] | undefined): number {
+            if (!args) return 1;
+            for (const arg of args) {
+                if (!MULTIPLIER_ARGS.has(arg.name.value)) continue;
+                const v = arg.value;
+                if (v.kind === Kind.INT) {
+                    const n = parseInt(v.value, 10);
+                    if (Number.isFinite(n) && n > 0) return n;
+                }
+            }
+            return 1;
+        }
+
+        function cost(
+            node: { selectionSet?: { selections: readonly any[] } },
+            visited: Set<string>,
+        ): number {
+            if (!node.selectionSet) return 0;
+
+            let total = 0;
+            for (const selection of node.selectionSet.selections) {
+                if (selection.kind === Kind.FIELD) {
+                    const multiplier = readMultiplier(selection.arguments);
+                    const childCost = cost(selection, visited);
+                    total += multiplier * (1 + childCost);
+                } else if (selection.kind === Kind.INLINE_FRAGMENT) {
+                    total += cost(selection, visited);
+                } else if (selection.kind === Kind.FRAGMENT_SPREAD) {
+                    const name = selection.name.value;
+                    if (visited.has(name)) continue;
+                    visited.add(name);
+                    const fragment = fragments.get(name);
+                    if (fragment) total += cost(fragment, visited);
+                }
+            }
+            return total;
+        }
+
+        return {
+            OperationDefinition(node) {
+                if (node.selectionSet) {
+                    const isIntrospection = node.selectionSet.selections.every(
+                        (sel) =>
+                            sel.kind === Kind.FIELD &&
+                            sel.name.value.startsWith("__"),
+                    );
+                    if (isIntrospection) return;
+                }
+
+                const total = cost(node, new Set());
+                if (total > maxComplexity) {
+                    context.reportError(
+                        new GraphQLError(
+                            `Query complexity ${total} exceeds maximum allowed complexity of ${maxComplexity}`,
+                        ),
+                    );
+                }
+            },
+        };
+    };
+}

package/gql/index.ts

@@ -2,6 +2,7 @@ import {createSchema, createYoga, type Plugin} from 'graphql-yoga';
 import { useValidationRule } from '@envelop/core';
 import { GraphQLSchema, GraphQLError } from 'graphql';
 import { depthLimitRule } from './depthLimit';
+import { complexityLimitRule } from './complexityLimit';
 import { GraphQLObjectType, GraphQLField, GraphQLOperation, GraphQLScalarType, GraphQLSubscription } from './Generator';
 import {GraphQLFieldTypes} from "./types"
 import {logger as MainLogger} from "../core/Logger"
@@ -144,6 +145,8 @@ export interface YogaInstanceOptions {
         methods?: string[];
     };
     maxDepth?: number;
+    /** Maximum query complexity (default: 1000). 0 disables. */
+    maxComplexity?: number;
 }
 
 export function createYogaInstance(
@@ -152,10 +155,19 @@ export function createYogaInstance(
     contextFactory?: (context: any) => any,
     options?: YogaInstanceOptions
 ) {
-    // Prepend depth limit plugin if configured
+    // Prepend depth limit plugin. Enforce a hard minimum so maxDepth: 0 or
+    // undefined cannot silently disable the guard (C06). If a deployment
+    // explicitly needs a higher bound, raise it — but we never allow it off.
+    const HARD_MIN_DEPTH = 15;
+    const effectiveDepth = Math.max(options?.maxDepth ?? HARD_MIN_DEPTH, HARD_MIN_DEPTH);
     const allPlugins: Plugin[] = [];
-    if (options?.maxDepth) {
-        allPlugins.push(useValidationRule(depthLimitRule(options.maxDepth)) as Plugin);
+    allPlugins.push(useValidationRule(depthLimitRule(effectiveDepth)) as Plugin);
+
+    // Complexity budget: count per-field cost with `first`/`limit`/`take`
+    // multipliers. 0 disables, undefined defaults to 1000.
+    const complexityBudget = options?.maxComplexity ?? 1000;
+    if (complexityBudget > 0) {
+        allPlugins.push(useValidationRule(complexityLimitRule(complexityBudget)) as Plugin);
     }
     allPlugins.push(...plugins);