GraphQL N+1: batch and harden an API

Build (or take) a GraphQL API over a relational schema with nested lists, reproduce its N+1 storm under load, collapse it with DataLoader, and add query-shape defences — proving each step with measured SQL counts, resolver counts, and latency.

• Stand up a small GraphQL server (Apollo Server, GraphQL Yoga, or equivalent) over a relational DB with at least three nested relationships, e.g. Query.posts → Post.author (one-to-one), Post.tags (one-to-many), and Post.likeCount (count).
• Instrument SQL query count and per-resolver call count per request — log every DB statement and wire OpenTelemetry (or a counter) so you can read resolver calls by type.field. This is your evidence harness, build it first.
• Reproduce the N+1: run posts { title author { name } tags } over 50 posts and capture the baseline — total SQL queries (expect ~1 + 50 + 50), resolver call counts, and p99 latency.
• Add per-request DataLoaders in the context factory for author, tags, and likeCount. Write each batchLoadFn to the contract: same length and order as keys (Map by id, walk input keys), null for missing one-to-one rows, empty array for tagless posts, 0 for no likes.
• Prove correctness, not just speed: add a test that loads the same author from two paths in one document (dedup) and a test that intentionally returns rows out of DB order to confirm your Map-by-key reordering holds.
• Add query-shape defences: a depth limit (7–10), multiplicative complexity scoring that multiplies field cost by the first/last list argument, and a per-document alias/root-field cap (≤20). Show each rejects a crafted attack query at validation, before any resolver fires.
• Re-run the identical 50-post query and record after numbers next to before; SQL queries should drop to ~3 (1 + 1 + 1 + 1 grouped) and resolver-driven DB trips should no longer scale with post count.

• A before/after table: total SQL queries, resolver call counts, and p99 latency for the same 50-post query under the same load — measured from your harness, not estimated.
• DataLoaders are instantiated per request in the context factory (demonstrated), and a test proves a module-scope instance would leak across two simulated tenants or serve a stale row.
• The batch-contract tests pass: dedup returns one SQL trip for a doubly-referenced author, and the out-of-order-rows test still maps every author correctly.
• Three crafted attack queries (a deep recursive query, a 5-level first:100 query, and a 1000-alias document) are each rejected at validation with the defence that caught them named.