graphql-java
diff --git a/‎src/main/java/graphql/GraphQL.java‎
Lines changed: 4 additions & 2 deletions b/‎src/main/java/graphql/GraphQL.java‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎src/main/java/graphql/ParseAndValidate.java‎
Lines changed: 17 additions & 1 deletion b/‎src/main/java/graphql/ParseAndValidate.java‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎src/main/java/graphql/validation/FragmentComplexityInfo.java‎
Lines changed: 44 additions & 0 deletions b/‎src/main/java/graphql/validation/FragmentComplexityInfo.java‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎src/main/java/graphql/validation/OperationValidator.java‎
Lines changed: 95 additions & 4 deletions b/‎src/main/java/graphql/validation/OperationValidator.java‎
Lines changed: 95 additions & 4 deletions
@@ -26,6 +26,7 @@
 import graphql.language.Document;
 import graphql.schema.GraphQLSchema;
 import graphql.validation.OperationValidationRule;
+import graphql.validation.QueryComplexityLimits;
 import graphql.validation.ValidationError;
 import org.jspecify.annotations.NullMarked;
 import org.jspecify.annotations.NullUnmarked;
@@ -600,8 +601,9 @@ private List<ValidationError> validate(ExecutionInput executionInput, Document d
         validationCtx.onDispatched();
 
         Predicate<OperationValidationRule> validationRulePredicate = executionInput.getGraphQLContext().getOrDefault(ParseAndValidate.INTERNAL_VALIDATION_PREDICATE_HINT, r -> true);
-        Locale locale = executionInput.getLocale();
-        List<ValidationError> validationErrors = ParseAndValidate.validate(graphQLSchema, document, validationRulePredicate, locale);
+        Locale locale = executionInput.getLocale() != null ? executionInput.getLocale() : Locale.getDefault();
+        QueryComplexityLimits limits = executionInput.getGraphQLContext().get(QueryComplexityLimits.KEY);
+        List<ValidationError> validationErrors = ParseAndValidate.validate(graphQLSchema, document, validationRulePredicate, locale, limits);
 
         validationCtx.onCompleted(validationErrors, null);
         return validationErrors;
 
@@ -7,6 +7,7 @@
 import graphql.parser.ParserOptions;
 import graphql.schema.GraphQLSchema;
 import graphql.validation.OperationValidationRule;
+import graphql.validation.QueryComplexityLimits;
 import graphql.validation.ValidationError;
 import graphql.validation.Validator;
 import org.jspecify.annotations.NonNull;
@@ -118,8 +119,23 @@ public static List<ValidationError> validate(@NonNull GraphQLSchema graphQLSchem
      * @return a result object that indicates how this operation went
      */
     public static List<ValidationError> validate(@NonNull GraphQLSchema graphQLSchema, @NonNull Document parsedDocument, @NonNull Predicate<OperationValidationRule> rulePredicate, @NonNull Locale locale) {
+        return validate(graphQLSchema, parsedDocument, rulePredicate, locale, null);
+    }
+
+    /**
+     * This can be called to validate a parsed graphql query.
+     *
+     * @param graphQLSchema  the graphql schema to validate against
+     * @param parsedDocument the previously parsed document
+     * @param rulePredicate  this predicate is used to decide what validation rules will be applied
+     * @param locale         the current locale
+     * @param limits         optional query complexity limits to enforce
+     *
+     * @return a result object that indicates how this operation went
+     */
+    public static List<ValidationError> validate(@NonNull GraphQLSchema graphQLSchema, @NonNull Document parsedDocument, @NonNull Predicate<OperationValidationRule> rulePredicate, @NonNull Locale locale, QueryComplexityLimits limits) {
         Validator validator = new Validator();
-        return validator.validateDocument(graphQLSchema, parsedDocument, rulePredicate, locale);
+        return validator.validateDocument(graphQLSchema, parsedDocument, rulePredicate, locale, limits);
     }
 
     /**
 
@@ -0,0 +1,44 @@
+package graphql.validation;
+
+import graphql.Internal;
+import org.jspecify.annotations.NullMarked;
+
+/**
+ * Holds pre-calculated complexity metrics for a fragment definition.
+ * This is used to efficiently track query complexity when fragments are spread
+ * at multiple locations in a query.
+ */
+@Internal
+@NullMarked
+class FragmentComplexityInfo {
+
+    private final int fieldCount;
+    private final int maxDepth;
+
+    FragmentComplexityInfo(int fieldCount, int maxDepth) {
+        this.fieldCount = fieldCount;
+        this.maxDepth = maxDepth;
+    }
+
+    /**
+     * @return the total number of fields in this fragment, including fields from nested fragments
+     */
+    int getFieldCount() {
+        return fieldCount;
+    }
+
+    /**
+     * @return the maximum depth of fields within this fragment
+     */
+    int getMaxDepth() {
+        return maxDepth;
+    }
+
+    @Override
+    public String toString() {
+        return "FragmentComplexityInfo{" +
+                "fieldCount=" + fieldCount +
+                ", maxDepth=" + maxDepth +
+                '}';
+    }
+}
@@ -328,6 +328,16 @@ public class OperationValidator implements DocumentVisitor {
     // --- State: SubscriptionUniqueRootField ---
     private final FieldCollector fieldCollector = new FieldCollector();
 
+    // --- State: Query Complexity Limits ---
+    private int fieldCount = 0;
+    private int currentFieldDepth = 0;
+    private int maxFieldDepthSeen = 0;
+    private final QueryComplexityLimits complexityLimits;
+    // Fragment complexity calculated lazily during first spread
+    private final Map<String, FragmentComplexityInfo> fragmentComplexityMap = new HashMap<>();
+    // Max depth seen during current fragment traversal (for calculating fragment's internal depth)
+    private int fragmentTraversalMaxDepth = 0;
+
     // --- Track whether we're in a context where fragment spread rules should run ---
     // fragmentRetraversalDepth == 0 means we're NOT inside a manually-traversed fragment => run non-fragment-spread checks
     // operationScope means we're inside an operation => can trigger fragment traversal
@@ -340,6 +350,7 @@ public OperationValidator(ValidationContext validationContext, ValidationErrorCo
         this.validationUtil = new ValidationUtil();
         this.rulePredicate = rulePredicate;
         this.allRulesEnabled = detectAllRulesEnabled(rulePredicate);
+        this.complexityLimits = validationContext.getQueryComplexityLimits();
         prepareFragmentSpreadsMap();
     }
 
@@ -388,6 +399,29 @@ private boolean shouldRunOperationScopedRules() {
         return operationScope;
     }
 
+    // ==================== Query Complexity Limit Helpers ====================
+
+    private void checkFieldCountLimit() {
+        if (fieldCount > complexityLimits.getMaxFieldsCount()) {
+            throw new QueryComplexityLimitsExceeded(
+                    ValidationErrorType.MaxQueryFieldsExceeded,
+                    complexityLimits.getMaxFieldsCount(),
+                    fieldCount);
+        }
+    }
+
+    private void checkDepthLimit(int depth) {
+        if (depth > maxFieldDepthSeen) {
+            maxFieldDepthSeen = depth;
+            if (maxFieldDepthSeen > complexityLimits.getMaxDepth()) {
+                throw new QueryComplexityLimitsExceeded(
+                        ValidationErrorType.MaxQueryDepthExceeded,
+                        complexityLimits.getMaxDepth(),
+                        maxFieldDepthSeen);
+            }
+        }
+    }
+
     @Override
     public void enter(Node node, List<Node> ancestors) {
         validationContext.getTraversalContext().enter(node, ancestors);
@@ -401,6 +435,17 @@ public void enter(Node node, List<Node> ancestors) {
         } else if (node instanceof VariableDefinition) {
             checkVariableDefinition((VariableDefinition) node);
         } else if (node instanceof Field) {
+            // Track complexity only during operation scope
+            if (operationScope) {
+                fieldCount++;
+                currentFieldDepth++;
+                checkFieldCountLimit();
+                checkDepthLimit(currentFieldDepth);
+                // Track max depth during fragment traversal for storing later
+                if (fragmentRetraversalDepth > 0 && currentFieldDepth > fragmentTraversalMaxDepth) {
+                    fragmentTraversalMaxDepth = currentFieldDepth;
+                }
+            }
             checkField((Field) node);
         } else if (node instanceof InlineFragment) {
             checkInlineFragment((InlineFragment) node);
@@ -433,6 +478,10 @@ public void leave(Node node, List<Node> ancestors) {
             leaveSelectionSet();
         } else if (node instanceof FragmentDefinition) {
             leaveFragmentDefinition();
+        } else if (node instanceof Field) {
+            if (operationScope) {
+                currentFieldDepth--;
+            }
         }
     }
 
@@ -611,14 +660,50 @@ private void checkFragmentSpread(FragmentSpread node, List<Node> ancestors) {
             }
         }
 
-        // Manually traverse into fragment definition during operation scope
+        // Handle complexity tracking and fragment traversal
         if (operationScope) {
-            FragmentDefinition fragment = validationContext.getFragment(node.getName());
-            if (fragment != null && !visitedFragmentSpreads.contains(node.getName())) {
-                visitedFragmentSpreads.add(node.getName());
+            String fragmentName = node.getName();
+            FragmentDefinition fragment = validationContext.getFragment(fragmentName);
+
+            if (visitedFragmentSpreads.contains(fragmentName)) {
+                // Subsequent spread - add stored complexity (don't traverse again)
+                FragmentComplexityInfo info = fragmentComplexityMap.get(fragmentName);
+                if (info != null) {
+                    fieldCount += info.getFieldCount();
+                    checkFieldCountLimit();
+                    int potentialDepth = currentFieldDepth + info.getMaxDepth();
+                    checkDepthLimit(potentialDepth);
+                    // Update max depth if we're inside a fragment traversal
+                    if (fragmentRetraversalDepth > 0 && potentialDepth > fragmentTraversalMaxDepth) {
+                        fragmentTraversalMaxDepth = potentialDepth;
+                    }
+                }
+            } else if (fragment != null) {
+                // First spread - traverse and track complexity
+                visitedFragmentSpreads.add(fragmentName);
+
+                int fieldCountBefore = fieldCount;
+                int depthAtEntry = currentFieldDepth;
+                int previousFragmentMaxDepth = fragmentTraversalMaxDepth;
+
+                // Initialize max depth tracking for this fragment
+                fragmentTraversalMaxDepth = currentFieldDepth;
+
                 fragmentRetraversalDepth++;
                 new LanguageTraversal(ancestors).traverse(fragment, this);
                 fragmentRetraversalDepth--;
+
+                // Calculate and store fragment complexity
+                int fragmentFieldCount = fieldCount - fieldCountBefore;
+                int fragmentMaxInternalDepth = fragmentTraversalMaxDepth - depthAtEntry;
+
+                fragmentComplexityMap.put(fragmentName,
+                        new FragmentComplexityInfo(fragmentFieldCount, fragmentMaxInternalDepth));
+
+                // Restore max depth for outer fragment (if nested)
+                if (fragmentRetraversalDepth > 0 && previousFragmentMaxDepth > fragmentTraversalMaxDepth) {
+                    fragmentTraversalMaxDepth = previousFragmentMaxDepth;
+                }
             }
         }
     }
@@ -724,6 +809,12 @@ private void leaveOperationDefinition() {
                 }
             }
         }
+
+        // Reset complexity counters for next operation
+        fieldCount = 0;
+        currentFieldDepth = 0;
+        maxFieldDepthSeen = 0;
+        fragmentTraversalMaxDepth = 0;
     }
 
     private void leaveSelectionSet() {