Docs/cookbook/graphql/checklists/code review

GraphQL Code Review Checklist

Version: 1.1.0 | Updated: 2026-07-16

Purpose

Gate correctness, security, operability, and maintainability of a GraphQL schema, resolver, request DataLoader, gateway, persisted operation, or federated subgraph.

Why

GraphQL correctness depends on source plus canonical SDL, generated schema, registry/composition result, and breaking-change report; validated operation document, variables, auth context, depth/complexity/cost, and persisted-operation ID; resolver trace tree, per-field errors, downstream query count, DataLoader batch/cache evidence. Diff-only review is insufficient.

How

Review the change with its target/version fingerprint, then execute applicable native commands: run the repository's schema generation and validation script from a clean checkout; execute the checked-in schema compatibility/composition command against the registry baseline; run integration tests with query counting and resolver tracing enabled; send the exact operation with curl -H 'content-type: application/json' --data @operation.json <endpoint> using sanitized credentials; capture introspection only where policy permits; production may intentionally disable ad hoc introspection. Findings must identify the violated GraphQL invariant.

Version-aware caution

Record GraphQL specification assumptions, server/framework, client, federation/directive versions, and schema registry revision. Nullability, incremental delivery, custom directives, and federation composition are implementation/version dependent.

Tradeoffs

Review must prove "field and type names model domain capabilities rather than database tables" using canonical SDL, generated schema, registry/composition result, and breaking-change report. That GraphQL evidence costs more than diff inspection but exposes non-null propagation and partial response before merge.

Anti-patterns

  • Mapping every table and unrestricted relation directly into GraphQL creates authorization gaps, cyclic queries, and unbounded resolver fan-out.
  • Do not remove a native warning, validator, policy, or safety limit merely to make generated output pass.
  • Do not claim a successful result without preserving the command, target, artifact/revision, and observed output.

Enterprise considerations

GraphQL governance assigns type/field ownership, schema review, operation registration, cost limits, deprecation windows, and controls introspection and trace payload retention.

Official sources

Checklist

  • field and type names model domain capabilities rather than database tables.
  • nullability communicates real absence and error propagation semantics.
  • schema change is additive/deprecated and validated against registered operations.
  • authorization is enforced for object/field access, not only at the gateway.
  • DataLoader is request-scoped and keys include tenant/auth dimensions.
  • lists require bounded pagination; depth, aliases, batches, and complexity are limited.
  • resolver errors use stable safe codes while internal causes remain in traces.
  • federated ownership, keys, entity resolution, and composition are tested across subgraph versions.
  • Route resolvers/subgraphs back to the previous implementation while leaving additive schema visible but safely unavailable/deprecated; remove schema only after registered clients no longer reference it.
  • Evidence identifies version, target, artifact/revision, command or manual method, UTC time, and result.

Changelog

  • 1.1.0 (2026-07-16): Replaced generic gates with native GraphQL evidence and failure controls.
  • 1.0.0 (2026-07-16): Added initial checklist.