feat(laravel): graphql policies

Author: soyuka

src/Laravel/ApiPlatformProvider.php

@@ -927,6 +927,10 @@ public function register(): void
             );
         });
 
+        if (interface_exists(FieldsBuilderEnumInterface::class)) {
+            $this->registerGraphQl($this->app);
+        }
+
         $this->app->singleton(JsonApiObjectNormalizer::class, function (Application $app) {
             return new JsonApiObjectNormalizer(
                 $app->make(ObjectNormalizer::class),
@@ -936,51 +940,6 @@ public function register(): void
             );
         });
 
-        if ($this->app['config']->get('api-platform.graphql.enabled')) {
-            $this->app->singleton(GraphQlItemNormalizer::class, function (Application $app) {
-                return new GraphQlItemNormalizer(
-                    $app->make(PropertyNameCollectionFactoryInterface::class),
-                    $app->make(PropertyMetadataFactoryInterface::class),
-                    $app->make(IriConverterInterface::class),
-                    $app->make(IdentifiersExtractorInterface::class),
-                    $app->make(ResourceClassResolverInterface::class),
-                    $app->make(PropertyAccessorInterface::class),
-                    $app->make(NameConverterInterface::class),
-                    $app->make(SerializerClassMetadataFactory::class),
-                    null,
-                    $app->make(ResourceMetadataCollectionFactoryInterface::class),
-                    $app->make(ResourceAccessCheckerInterface::class)
-                );
-            });
-
-            $this->app->singleton(GraphQlObjectNormalizer::class, function (Application $app) {
-                return new GraphQlObjectNormalizer(
-                    $app->make(ObjectNormalizer::class),
-                    $app->make(IriConverterInterface::class),
-                    $app->make(IdentifiersExtractorInterface::class),
-                );
-            });
-        }
-
-        $this->app->singleton(GraphQlErrorNormalizer::class, function () {
-            return new GraphQlErrorNormalizer();
-        });
-
-        $this->app->singleton(GraphQlValidationExceptionNormalizer::class, function (Application $app) {
-            /** @var ConfigRepository */
-            $config = $app['config'];
-
-            return new GraphQlValidationExceptionNormalizer($config->get('api-platform.exception_to_status'));
-        });
-
-        $this->app->singleton(GraphQlHttpExceptionNormalizer::class, function () {
-            return new GraphQlHttpExceptionNormalizer();
-        });
-
-        $this->app->singleton(GraphQlRuntimeExceptionNormalizer::class, function () {
-            return new GraphQlHttpExceptionNormalizer();
-        });
-
         $this->app->bind(SerializerInterface::class, Serializer::class);
         $this->app->bind(NormalizerInterface::class, Serializer::class);
         $this->app->singleton(Serializer::class, function (Application $app) {
@@ -1009,7 +968,7 @@ public function register(): void
             $list->insert($app->make(JsonApiItemNormalizer::class), -890);
             $list->insert($app->make(JsonApiObjectNormalizer::class), -995);
 
-            if ($config->get('api-platform.graphql.enabled')) {
+            if (interface_exists(FieldsBuilderEnumInterface::class)) {
                 $list->insert($app->make(GraphQlItemNormalizer::class), -890);
                 $list->insert($app->make(GraphQlObjectNormalizer::class), -995);
                 $list->insert($app->make(GraphQlErrorNormalizer::class), -790);
@@ -1033,7 +992,8 @@ public function register(): void
                     new JsonEncoder('jsonapi'),
                     new JsonEncoder('jsonhal'),
                     new CsvEncoder(),
-                ]);
+                ]
+            );
         });
 
         $this->app->singleton(JsonLdItemNormalizer::class, function (Application $app) {
@@ -1078,17 +1038,56 @@ function (Application $app) {
             return new Inflector();
         });
 
-        if ($this->app['config']->get('api-platform.graphql.enabled')) {
-            $this->registerGraphQl($this->app);
-        }
-
         if ($this->app->runningInConsole()) {
             $this->commands([Console\InstallCommand::class]);
         }
     }
 
     private function registerGraphQl(Application $app): void
     {
+        $this->app->singleton(GraphQlItemNormalizer::class, function (Application $app) {
+            return new GraphQlItemNormalizer(
+                $app->make(PropertyNameCollectionFactoryInterface::class),
+                $app->make(PropertyMetadataFactoryInterface::class),
+                $app->make(IriConverterInterface::class),
+                $app->make(IdentifiersExtractorInterface::class),
+                $app->make(ResourceClassResolverInterface::class),
+                $app->make(PropertyAccessorInterface::class),
+                $app->make(NameConverterInterface::class),
+                $app->make(SerializerClassMetadataFactory::class),
+                null,
+                $app->make(ResourceMetadataCollectionFactoryInterface::class),
+                $app->make(ResourceAccessCheckerInterface::class)
+            );
+        });
+
+        $this->app->singleton(GraphQlObjectNormalizer::class, function (Application $app) {
+            return new GraphQlObjectNormalizer(
+                $app->make(ObjectNormalizer::class),
+                $app->make(IriConverterInterface::class),
+                $app->make(IdentifiersExtractorInterface::class),
+            );
+        });
+
+        $this->app->singleton(GraphQlErrorNormalizer::class, function () {
+            return new GraphQlErrorNormalizer();
+        });
+
+        $this->app->singleton(GraphQlValidationExceptionNormalizer::class, function (Application $app) {
+            /** @var ConfigRepository */
+            $config = $app['config'];
+
+            return new GraphQlValidationExceptionNormalizer($config->get('api-platform.exception_to_status'));
+        });
+
+        $this->app->singleton(GraphQlHttpExceptionNormalizer::class, function () {
+            return new GraphQlHttpExceptionNormalizer();
+        });
+
+        $this->app->singleton(GraphQlRuntimeExceptionNormalizer::class, function () {
+            return new GraphQlHttpExceptionNormalizer();
+        });
+
         $app->singleton('api_platform.graphql.type_locator', function (Application $app) {
             $tagged = iterator_to_array($app->tagged('api_platform.graphql.type'));
 
@@ -1130,44 +1129,78 @@ private function registerGraphQl(Application $app): void
             return new GraphQlSerializerContextBuilder($app->make(NameConverterInterface::class));
         });
 
-        $app->singleton('api_platform.graphql.state_provider', function (Application $app) {
+        $app->singleton(GraphQlReadProvider::class, function (Application $app) {
             /** @var ConfigRepository */
             $config = $app['config'];
-            $tagged = iterator_to_array($app->tagged(ParameterProviderInterface::class));
-            $resolvers = iterator_to_array($app->tagged('api_platform.graphql.resolver'));
 
             return new GraphQlReadProvider(
-                new GraphQlDenormalizeProvider(
-                    new ResolverProvider(
-                        new ParameterProvider(
-                            $app->make(CallableProvider::class),
-                            new ServiceLocator($tagged)
-                        ),
-                        new ServiceLocator($resolvers),
-                    ),
-                    $app->make(SerializerInterface::class),
-                    $app->make(GraphQlSerializerContextBuilder::class)
-                ),
+                $this->app->make(CallableProvider::class),
                 $app->make(IriConverterInterface::class),
                 $app->make(GraphQlSerializerContextBuilder::class),
                 $config->get('api-platform.graphql.nesting_separator') ?? '__'
             );
         });
+        $app->alias(GraphQlReadProvider::class, 'api_platform.graphql.state_provider.read');
+
+        $app->singleton(ResolverProvider::class, function (Application $app) {
+            $resolvers = iterator_to_array($app->tagged('api_platform.graphql.resolver'));
+
+            return new ResolverProvider(
+                $app->make(GraphQlReadProvider::class),
+                new ServiceLocator($resolvers),
+            );
+        });
+
+        $app->alias(ResolverProvider::class, 'api_platform.graphql.state_provider.resolver');
+
+        $app->singleton(GraphQlDenormalizeProvider::class, function (Application $app) {
+            return new GraphQlDenormalizeProvider(
+                $this->app->make(ResolverProvider::class),
+                $app->make(SerializerInterface::class),
+                $app->make(GraphQlSerializerContextBuilder::class)
+            );
+        });
+
+        $app->alias(GraphQlDenormalizeProvider::class, 'api_platform.graphql.state_provider.denormalize');
+
+        $app->singleton('api_platform.graphql.state_provider.parameter', function (Application $app) {
+            $tagged = iterator_to_array($app->tagged(ParameterProviderInterface::class));
+            $tagged['api_platform.serializer.filter_parameter_provider'] = $app->make(SerializerFilterParameterProvider::class);
+
+            return new ParameterProvider(
+                new ParameterValidatorProvider(
+                    new SecurityParameterProvider(
+                        $app->make(GraphQlDenormalizeProvider::class),
+                        $app->make(ResourceAccessCheckerInterface::class)
+                    ),
+                ),
+                new ServiceLocator($tagged)
+            );
+        });
+
+        $app->singleton('api_platform.graphql.state_provider.access_checker', function (Application $app) {
+            return new AccessCheckerProvider($app->make('api_platform.graphql.state_provider.parameter'), $app->make(ResourceAccessCheckerInterface::class));
+        });
+
+        $app->singleton(NormalizeProcessor::class, function (Application $app) {
+            return new NormalizeProcessor(
+                $app->make(SerializerInterface::class),
+                $app->make(GraphQlSerializerContextBuilder::class),
+                $app->make(Pagination::class)
+            );
+        });
+        $app->alias(NormalizeProcessor::class, 'api_platform.graphql.state_processor.normalize');
 
         $app->singleton('api_platform.graphql.state_processor', function (Application $app) {
             return new WriteProcessor(
-                new NormalizeProcessor(
-                    $app->make(SerializerInterface::class),
-                    $app->make(GraphQlSerializerContextBuilder::class),
-                    $app->make(Pagination::class)
-                ),
+                $app->make('api_platform.graphql.state_processor.normalize'),
                 $app->make(CallableProcessor::class),
             );
         });
 
         $app->singleton(ResolverFactoryInterface::class, function (Application $app) {
             return new ResolverFactory(
-                $app->make('api_platform.graphql.state_provider'),
+                $app->make('api_platform.graphql.state_provider.access_checker'),
                 $app->make('api_platform.graphql.state_processor')
             );
         });
@@ -1227,7 +1260,8 @@ private function registerGraphQl(Application $app): void
                 $app->make(SerializerInterface::class),
                 $app->make(ErrorHandlerInterface::class),
                 debug: $config->get('app.debug'),
-                negotiator: $app->make(Negotiator::class)
+                negotiator: $app->make(Negotiator::class),
+                formats: $config->get('api-platform.formats')
             );
         });
     }

src/Laravel/Eloquent/Metadata/Factory/Resource/EloquentResourceCollectionMetadataFactory.php

@@ -22,6 +22,11 @@
 use ApiPlatform\Metadata\DeleteOperationInterface;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\GraphQl\DeleteMutation;
+use ApiPlatform\Metadata\GraphQl\Mutation;
+use ApiPlatform\Metadata\GraphQl\Query;
+use ApiPlatform\Metadata\GraphQl\QueryCollection;
+use ApiPlatform\Metadata\GraphQl\Subscription;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
@@ -39,6 +44,12 @@ final class EloquentResourceCollectionMetadataFactory implements ResourceMetadat
         GetCollection::class => 'viewAny',
         Delete::class => 'delete',
         Patch::class => 'update',
+
+        Query::class => 'view',
+        QueryCollection::class => 'viewAny',
+        Mutation::class => 'update',
+        DeleteMutation::class => 'delete',
+        Subscription::class => 'viewAny',
     ];
 
     public function __construct(
@@ -94,6 +105,12 @@ public function create(string $resourceClass): ResourceMetadataCollection
             $graphQlOperations = $resourceMetadata->getGraphQlOperations();
 
             foreach ($graphQlOperations ?? [] as $operationName => $graphQlOperation) {
+                if (!$graphQlOperation->getPolicy() && ($policy = Gate::getPolicyFor($model))) {
+                    if (($policyMethod = self::POLICY_METHODS[$graphQlOperation::class] ?? null) && method_exists($policy, $policyMethod)) {
+                        $graphQlOperation = $graphQlOperation->withPolicy($policyMethod);
+                    }
+                }
+
                 if (!$graphQlOperation->getProvider()) {
                     $graphQlOperation = $graphQlOperation->withProvider($graphQlOperation instanceof CollectionOperationInterface ? CollectionProvider::class : ItemProvider::class);
                 }

src/Laravel/GraphQl/Controller/EntrypointController.php

@@ -32,6 +32,9 @@ final class EntrypointController
     use ContentNegotiationTrait;
     private int $debug;
 
+    /**
+     * @param array<string, string[]> $formats
+     */
     public function __construct(
         private readonly SchemaBuilderInterface $schemaBuilder,
         private readonly ExecutorInterface $executor,
@@ -40,6 +43,7 @@ public function __construct(
         private readonly ErrorHandlerInterface $errorHandler,
         bool $debug = false,
         ?Negotiator $negotiator = null,
+        private readonly array $formats = [],
     ) {
         $this->debug = $debug ? DebugFlag::INCLUDE_DEBUG_MESSAGE | DebugFlag::INCLUDE_TRACE : DebugFlag::NONE;
         $this->negotiator = $negotiator ?? new Negotiator();
@@ -48,14 +52,23 @@ public function __construct(
     public function __invoke(Request $request): Response
     {
         $formats = ['json' => ['application/json'], 'html' => ['text/html']];
+
+        foreach ($this->formats as $k => $f) {
+            if (!isset($formats[$k])) {
+                $formats[$k] = $f;
+            }
+        }
+
+        $this->addRequestFormats($request, $formats);
         $format = $this->getRequestFormat($request, $formats, false);
+        $request->setRequestFormat($format);
 
         try {
             if ($request->isMethod('GET') && 'html' === $format) {
                 return ($this->graphiQlAction)();
             }
 
-            [$query, $operationName, $variables] = $this->parseRequest($request);
+            [$query, $operationName, $variables] = $this->parseRequest($request, $format);
             if (null === $query) {
                 throw new BadRequestHttpException('GraphQL query is not valid.');
             }
@@ -78,7 +91,7 @@ public function __invoke(Request $request): Response
      *
      * @return array{0: array<string, mixed>|null, 1: string, 2: array<string, mixed>}
      */
-    private function parseRequest(Request $request): array
+    private function parseRequest(Request $request, string $format): array
     {
         $queryParameters = $request->query->all();
         $query = $queryParameters['query'] ?? null;
@@ -91,16 +104,15 @@ private function parseRequest(Request $request): array
             return [$query, $operationName, $variables];
         }
 
-        $contentType = method_exists(Request::class, 'getContentTypeFormat') ? $request->getContentTypeFormat() : $request->getContentType();
-        if ('json' === $contentType) {
+        if ('json' === $format) {
             return $this->parseData($query, $operationName, $variables, $request->getContent());
         }
 
-        if ('graphql' === $contentType) {
+        if ('graphql' === $format) {
             $query = $request->getContent();
         }
 
-        if (\in_array($contentType, ['multipart', 'form'], true)) {
+        if ('multipart' === $format) {
             return $this->parseMultipartRequest($query, $operationName, $variables, $request->request->all(), $request->files->all());
         }
 

src/Laravel/State/AccessCheckerProvider.php

@@ -13,10 +13,12 @@
 
 namespace ApiPlatform\Laravel\State;
 
+use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
 use ApiPlatform\State\ProviderInterface;
 use Illuminate\Auth\Access\AuthorizationException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 /**
  * Allows access based on the ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface.
@@ -54,7 +56,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         ];
 
         if (!$this->resourceAccessChecker->isGranted($operation->getClass(), $policy, $resourceAccessCheckerContext)) {
-            throw new AuthorizationException($message ?? 'Access Denied.');
+            throw $operation instanceof HttpOperation ? new AuthorizationException($message ?? 'Access Denied.') : new AccessDeniedHttpException($message ?? 'Access Denied.');
         }
 
         return $body;

src/Laravel/Tests/GraphQlAuthTest.php

@@ -0,0 +1,109 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Laravel\Tests;
+
+use ApiPlatform\Laravel\Test\ApiTestAssertionsTrait;
+use Illuminate\Contracts\Config\Repository;
+use Illuminate\Foundation\Application;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Orchestra\Testbench\Attributes\DefineEnvironment;
+use Orchestra\Testbench\Concerns\WithWorkbench;
+use Orchestra\Testbench\TestCase;
+
+class GraphQlAuthTest extends TestCase
+{
+    use ApiTestAssertionsTrait;
+    use RefreshDatabase;
+    use WithWorkbench;
+
+    /**
+     * @param Application $app
+     */
+    protected function defineEnvironment($app): void
+    {
+        tap($app['config'], function (Repository $config): void {
+            $config->set('api-platform.routes.middleware', ['auth:sanctum']);
+            $config->set('api-platform.graphql.enabled', true);
+        });
+    }
+
+    public function testUnauthenticated(): void
+    {
+        $response = $this->postJson('/api/graphql', [], []);
+        $response->assertStatus(401);
+    }
+
+    public function testAuthenticated(): void
+    {
+        $response = $this->post('/tokens/create');
+        $token = $response->json()['token'];
+        $response = $this->get('/api/graphql', ['accept' => ['text/html'], 'authorization' => 'Bearer '.$token]);
+        $response->assertStatus(200);
+        $response = $this->postJson('/api/graphql', [
+            'query' => '{books { edges { node {id, name, publicationDate, author {id, name }}}}}',
+        ], [
+            'content-type' => 'application/json',
+            'authorization' => 'Bearer '.$token,
+        ]);
+        $response->assertStatus(200);
+        $data = $response->json();
+        $this->assertArrayHasKey('data', $data);
+        $this->assertArrayNotHasKey('errors', $data);
+    }
+
+    public function testPolicy(): void
+    {
+        $response = $this->post('/tokens/create');
+        $token = $response->json()['token'];
+        $response = $this->postJson('/api/graphql', ['query' => 'mutation {
+    updateVault(input: {secret: "secret", id: "/api/vaults/1"}) {
+      vault {id}
+    }
+  }
+'], ['accept' => ['application/json'], 'authorization' => 'Bearer '.$token]);
+        $response->assertStatus(200);
+        $data = $response->json();
+        $this->assertArrayHasKey('errors', $data);
+        $this->assertEquals('Access Denied.', $data['errors'][0]['message']);
+    }
+
+    /**
+     * @param Application $app
+     */
+    protected function useProductionMode($app): void
+    {
+        tap($app['config'], function (Repository $config): void {
+            $config->set('api-platform.routes.middleware', ['auth:sanctum']);
+            $config->set('api-platform.graphql.enabled', true);
+            $config->set('app.debug', false);
+        });
+    }
+
+    #[DefineEnvironment('useProductionMode')]
+    public function testProductionError(): void
+    {
+        $response = $this->post('/tokens/create');
+        $token = $response->json()['token'];
+        $response = $this->postJson('/api/graphql', ['query' => 'mutation {
+    updateVault(input: {secret: "secret", id: "/api/vaults/1"}) {
+      vault {id}
+    }
+  }
+'], ['accept' => ['application/json'], 'authorization' => 'Bearer '.$token]);
+        $response->assertStatus(200);
+        $data = $response->json();
+        $this->assertArrayHasKey('errors', $data);
+        $this->assertArrayNotHasKey('trace', $data['errors'][0]);
+    }
+}

src/Laravel/Tests/GraphQlTest.php

@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Laravel\Tests;
+
+use ApiPlatform\Laravel\Test\ApiTestAssertionsTrait;
+use Illuminate\Contracts\Config\Repository;
+use Illuminate\Foundation\Application;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Orchestra\Testbench\Concerns\WithWorkbench;
+use Orchestra\Testbench\TestCase;
+
+class GraphQlTest extends TestCase
+{
+    use ApiTestAssertionsTrait;
+    use RefreshDatabase;
+    use WithWorkbench;
+
+    /**
+     * @param Application $app
+     */
+    protected function defineEnvironment($app): void
+    {
+        tap($app['config'], function (Repository $config): void {
+            $config->set('api-platform.graphql.enabled', true);
+        });
+    }
+
+    public function testGetBooks(): void
+    {
+        $response = $this->postJson('/api/graphql', ['query' => '{books { edges { node {id, name, publicationDate, author {id, name }}}}}'], ['accept' => ['application/json']]);
+        $response->assertStatus(200);
+        $data = $response->json();
+        $this->assertArrayHasKey('data', $data);
+        $this->assertArrayNotHasKey('errors', $data);
+    }
+}

src/Laravel/composer.json

@@ -47,7 +47,6 @@
         "illuminate/routing": "^11.0",
         "illuminate/support": "^11.0",
         "illuminate/container": "^11.0",
-        "laravel/sanctum": "^4.0",
         "symfony/web-link": "^6.4 || ^7.1",
         "willdurand/negotiation": "^3.1",
         "phpstan/phpdoc-parser": "^1.29",
@@ -58,7 +57,8 @@
         "larastan/larastan": "^2.0",
         "orchestra/testbench": "^9.1",
         "phpunit/phpunit": "^11.2",
-        "api-platform/graphql": "^4.0"
+        "api-platform/graphql": "^4.0",
+        "laravel/sanctum": "^4.0"
     },
     "autoload": {
         "psr-4": {

src/Laravel/workbench/app/Models/Vault.php

@@ -16,6 +16,7 @@
 use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\GraphQl\Mutation;
 use ApiPlatform\Metadata\Post;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
@@ -33,7 +34,8 @@
             write: false
         ),
         new Delete(middleware: 'auth:sanctum', rules: VaultFormRequest::class, provider: [self::class, 'provide']),
-    ]
+    ],
+    graphQlOperations: [new Mutation(name: 'update', policy: 'update')]
 )]
 class Vault extends Model
 {

src/Laravel/workbench/database/factories/VaultFactory.php

@@ -14,6 +14,7 @@
 namespace Workbench\Database\Factories;
 
 use Illuminate\Database\Eloquent\Factories\Factory;
+use Illuminate\Support\Str;
 use Workbench\App\Models\Vault;
 
 /**

src/Laravel/workbench/database/seeders/DatabaseSeeder.php

@@ -20,6 +20,7 @@
 use Workbench\Database\Factories\PostFactory;
 use Workbench\Database\Factories\SluggableFactory;
 use Workbench\Database\Factories\UserFactory;
+use Workbench\Database\Factories\VaultFactory;
 use Workbench\Database\Factories\WithAccessorFactory;
 
 class DatabaseSeeder extends Seeder
@@ -34,5 +35,6 @@ public function run(): void
         SluggableFactory::new()->count(10)->create();
         UserFactory::new()->create();
         WithAccessorFactory::new()->create();
+        VaultFactory::new()->count(10)->create();
     }
 }

src/Metadata/GraphQl/Operation.php

@@ -90,6 +90,8 @@ public function __construct(
         ?OptionsInterface $stateOptions = null,
         array|Parameters|null $parameters = null,
         ?bool $queryParameterValidationEnabled = null,
+        mixed $rules = null,
+        ?string $policy = null,
         array $extraProperties = [],
     ) {
         parent::__construct(
@@ -139,6 +141,8 @@ class: $class,
             stateOptions: $stateOptions,
             parameters: $parameters,
             queryParameterValidationEnabled: $queryParameterValidationEnabled,
+            rules: $rules,
+            policy: $policy,
             extraProperties: $extraProperties
         );
     }

src/Metadata/GraphQl/Query.php

@@ -73,6 +73,8 @@ public function __construct(
         ?OptionsInterface $stateOptions = null,
         array|Parameters|null $parameters = null,
         ?bool $queryParameterValidationEnabled = null,
+        mixed $rules = null,
+        ?string $policy = null,
         array $extraProperties = [],
 
         protected ?bool $nested = null,
@@ -130,6 +132,8 @@ class: $class,
             stateOptions: $stateOptions,
             parameters: $parameters,
             queryParameterValidationEnabled: $queryParameterValidationEnabled,
+            policy: $policy,
+            rules: $rules,
             extraProperties: $extraProperties
         );
     }

src/Metadata/GraphQl/QueryCollection.php

@@ -74,6 +74,8 @@ public function __construct(
         protected ?OptionsInterface $stateOptions = null,
         array|Parameters|null $parameters = null,
         ?bool $queryParameterValidationEnabled = null,
+        mixed $rules = null,
+        ?string $policy = null,
         array $extraProperties = [],
 
         ?bool $nested = null,
@@ -130,6 +132,8 @@ class: $class,
             processor: $processor,
             parameters: $parameters,
             queryParameterValidationEnabled: $queryParameterValidationEnabled,
+            policy: $policy,
+            rules: $rules,
             extraProperties: $extraProperties,
             nested: $nested,
         );

src/Metadata/GraphQl/Subscription.php

@@ -73,6 +73,8 @@ public function __construct(
         ?OptionsInterface $stateOptions = null,
         array|Parameters|null $parameters = null,
         ?bool $queryParameterValidationEnabled = null,
+        mixed $rules = null,
+        ?string $policy = null,
         array $extraProperties = [],
     ) {
         parent::__construct(
@@ -128,6 +130,8 @@ class: $class,
             stateOptions: $stateOptions,
             parameters: $parameters,
             queryParameterValidationEnabled: $queryParameterValidationEnabled,
+            policy: $policy,
+            rules: $rules,
             extraProperties: $extraProperties,
         );
     }