feat(service): add pagination and result limits to Query endpoints (#265)

Add QueryPageRequest/QueryPageResponse types and automatic pagination
to all query endpoints. Response format changes from bare JSON array
to paginated object with items, total, hasMore, and effectiveLimit.

- New Service.Query.Pagination module with types and parsing
- Query typeclass extended with maxResultsImpl for per-query limits
- Default limit: 100, absolute max: 1000
- Offset capped at 10M to prevent arithmetic overflow
- Web transport parses ?limit=N&offset=M query parameters
- Security: total count computed after auth filtering only
- effectiveLimit field surfaces any silent capping to clients

Author: NickSeagull

core/nhcore.cabal

@@ -249,6 +249,7 @@ library
     Service.Query.Core
     Service.Query.Definition
     Service.Query.Endpoint
+    Service.Query.Pagination
     Service.Query.Registry
     Service.Query.Subscriber
     Service.Query.TH
@@ -416,6 +417,7 @@ test-suite nhcore-test
     IntegrationSpec
     IntSpec
     OutboundIntegrationSpec
+    EventVariantOfSpec
     LogSpec
     DecimalSpec
     Service.ApplicationSpec
@@ -428,6 +430,7 @@ test-suite nhcore-test
     Service.EventStore.PostgresSpec
     Service.MockTransport
     Service.Query.EndpointSpec
+    Service.Query.PaginationSpec
     Service.Query.RegistrySpec
     Service.Query.SubscriberSpec
     Service.Query.THSpec
@@ -527,6 +530,7 @@ test-suite nhcore-test-service
     Service.FileUpload.RoutesSpec
     Service.MockTransport
     Service.Query.EndpointSpec
+    Service.Query.PaginationSpec
     Service.Query.RegistrySpec
     Service.Query.SubscriberSpec
     Service.Query.THSpec

core/service/Service/Query/Core.hs

@@ -19,6 +19,7 @@ import Basics
 import Maybe (Maybe)
 import Service.Entity.Core (Entity)
 import Service.Query.Auth (QueryAuthError)
+import Service.Query.Pagination (absoluteMaxLimit)
 import Uuid (Uuid)
 
 
@@ -86,6 +87,13 @@ class Query query where
   -- This is called AFTER data is fetched, allowing ownership checks.
   canViewImpl :: Maybe UserClaims -> query -> Maybe QueryAuthError
 
+  -- | Maximum results this query type will return in a single page.
+  --
+  -- Default: 'absoluteMaxLimit' (1000). To override, define
+  -- @maxResults :: Int@ in your query module before calling @deriveQuery@.
+  maxResultsImpl :: Int
+  maxResultsImpl = absoluteMaxLimit
+
 
 -- | Defines how an entity contributes to a query (read model).
 --

core/service/Service/Query/Definition.hs

@@ -146,8 +146,8 @@ createDefinitionWithStore storeFactory = do
         -- 2. Wire all entities and collect their registries
         registry <- wireEntities @entities @query queryNameText rawEventStore queryStore
 
-        -- 3. Create endpoint handler (lambda accepts Maybe UserClaims and Maybe NeoQL.Expr)
-        let endpoint userClaims maybeExpr = Endpoint.createQueryEndpoint queryStore userClaims maybeExpr
+        -- 3. Create endpoint handler (lambda accepts Maybe UserClaims, Maybe NeoQL.Expr, and QueryPageRequest)
+        let endpoint userClaims maybeExpr pageRequest = Endpoint.createQueryEndpoint queryStore userClaims maybeExpr pageRequest
 
         Task.yield (registry, (queryNameText, endpoint, endpointSchema))
     }

core/service/Service/Query/Endpoint.hs

@@ -10,6 +10,7 @@ import Maybe (Maybe (..))
 import Service.Query.Auth (QueryEndpointError)
 import Service.Query.Auth qualified as Auth
 import Service.Query.Core (Query (..))
+import Service.Query.Pagination (QueryPageRequest (..), QueryPageResponse (..))
 import Service.QueryObjectStore.Core (Error (..), QueryObjectStore (..))
 import Task (Task)
 import Task qualified
@@ -20,20 +21,21 @@ import NeoQL qualified
 
 -- | Create an endpoint handler for a query type.
 --
--- Returns all instances of the query as a JSON array.
--- Used for the HTTP endpoint: GET /queries/{query-name}
+-- Returns a paginated response with items, total count, hasMore flag,
+-- and the effective limit that was applied.
 --
 -- This handler performs two-phase authorization:
 -- 1. canAccessImpl (pre-fetch): "Can this user access this query type at all?"
 -- 2. canViewImpl (post-fetch): "Can this user view this specific instance?"
 --
--- Returns typed QueryEndpointError for proper HTTP status mapping.
+-- Pagination is applied AFTER authorization and NeoQL filtering.
+-- The @total@ count reflects only authorized, filtered results.
 --
 -- Example:
 --
 -- @
 -- handler <- Endpoint.createQueryEndpoint @UserOrders queryStore
--- -- Returns: "[{\"userId\":\"...\",\"orders\":[...]}, ...]"
+-- -- Returns: "{\"items\":[...],\"total\":142,\"hasMore\":true,\"effectiveLimit\":100}"
 -- @
 createQueryEndpoint ::
   forall query.
@@ -43,8 +45,9 @@ createQueryEndpoint ::
   QueryObjectStore query ->
   Maybe UserClaims ->
   Maybe Expr ->
+  QueryPageRequest ->
   Task QueryEndpointError Text
-createQueryEndpoint queryStore userClaims maybeExpr = do
+createQueryEndpoint queryStore userClaims maybeExpr pageRequest = do
   -- Phase 1: Pre-fetch authorization
   case canAccessImpl @query userClaims of
     Just authErr -> Task.throw (Auth.AuthorizationError authErr)
@@ -66,7 +69,23 @@ createQueryEndpoint queryStore userClaims maybeExpr = do
                 authorizedQueries
                   |> Array.takeIf (\query -> NeoQL.execute expr (Json.toJSON query))
 
-      let responseText = filteredQueries |> Json.encodeText
+      -- SECURITY: total computed AFTER canViewImpl and NeoQL filtering.
+      -- Exposing pre-auth count would leak record existence to unauthorized users.
+      let total = Array.length filteredQueries
+      let effectiveLimit = min pageRequest.limit (maxResultsImpl @query)
+      let pagedItems =
+            filteredQueries
+              |> Array.drop pageRequest.offset
+              |> Array.take effectiveLimit
+      let hasMore = pageRequest.offset + effectiveLimit < total
+      let response = QueryPageResponse
+            { items = pagedItems
+            , total = total
+            , hasMore = hasMore
+            , effectiveLimit = effectiveLimit
+            }
+
+      let responseText = response |> Json.encodeText
 
       Task.yield responseText
 

core/service/Service/Query/Pagination.hs

@@ -0,0 +1,112 @@
+-- | Pagination types and utilities for query endpoints.
+--
+-- Provides 'QueryPageRequest' for parsing client pagination parameters
+-- and 'QueryPageResponse' for wrapping paginated results with metadata.
+--
+-- Pagination is applied automatically by the query endpoint handler.
+-- Jess doesn't need to do anything — all query endpoints are paginated
+-- by default with sensible limits.
+--
+-- To override the maximum results per page for a specific query, define
+-- @maxResults :: Int@ in the query module before calling @deriveQuery@.
+module Service.Query.Pagination (
+  -- * Types
+  QueryPageRequest (..),
+  QueryPageResponse (..),
+
+  -- * Constants
+  defaultLimit,
+  absoluteMaxLimit,
+
+  -- * Parsing
+  parsePageRequest,
+) where
+
+import Array (Array)
+import Basics
+import Json qualified
+import Maybe (Maybe (..))
+import Maybe qualified
+import Text (Text)
+import Text qualified
+
+
+-- | Pagination request parameters parsed from query string.
+--
+-- @
+-- -- Parse from raw query params:
+-- let pageRequest = parsePageRequest (Just "25") (Just "50")
+-- -- QueryPageRequest { limit = 25, offset = 50 }
+-- @
+data QueryPageRequest = QueryPageRequest
+  { limit :: !Int
+  , offset :: !Int
+  }
+  deriving (Eq, Show, Generic)
+
+
+-- | Paginated response wrapper with metadata.
+--
+-- The @total@ field reflects the count of items AFTER authorization filtering.
+-- It never exposes counts of records the user is not authorized to see.
+--
+-- The @effectiveLimit@ field surfaces any capping that was applied.
+-- When the client requests @limit=5000@ but the server caps to 1000,
+-- @effectiveLimit@ will be 1000 so the client can detect the difference.
+--
+-- @
+-- -- Example response:
+-- -- { "items": [...], "total": 142, "hasMore": true, "effectiveLimit": 100 }
+-- @
+data QueryPageResponse a = QueryPageResponse
+  { items :: !(Array a)
+  , total :: !Int
+  , hasMore :: !Bool
+  , effectiveLimit :: !Int
+  }
+  deriving (Eq, Show, Generic)
+
+instance (Json.ToJSON a) => Json.ToJSON (QueryPageResponse a)
+instance (Json.FromJSON a) => Json.FromJSON (QueryPageResponse a)
+
+
+-- | Default page size when no limit is specified (100).
+defaultLimit :: Int
+defaultLimit = 100
+
+
+-- | Absolute maximum page size — hard cap (1000).
+absoluteMaxLimit :: Int
+absoluteMaxLimit = 1000
+
+
+-- | Parse pagination parameters from raw query string values.
+--
+-- Invalid or missing values fall back to defaults.
+-- Limit is clamped to @[1, absoluteMaxLimit]@.
+-- Offset is clamped to @[0, 10_000_000]@.
+--
+-- @
+-- parsePageRequest (Just "25") (Just "50")
+-- -- QueryPageRequest { limit = 25, offset = 50 }
+--
+-- parsePageRequest Nothing Nothing
+-- -- QueryPageRequest { limit = 100, offset = 0 }
+--
+-- parsePageRequest (Just "abc") (Just "-5")
+-- -- QueryPageRequest { limit = 100, offset = 0 }
+-- @
+parsePageRequest :: Maybe Text -> Maybe Text -> QueryPageRequest
+parsePageRequest maybeLimitText maybeOffsetText = do
+  let parsedLimit =
+        maybeLimitText
+          |> Maybe.andThen Text.toInt
+          |> Maybe.withDefault defaultLimit
+  let parsedOffset =
+        maybeOffsetText
+          |> Maybe.andThen Text.toInt
+          |> Maybe.withDefault 0
+  QueryPageRequest
+    { limit = parsedLimit |> max 1 |> min absoluteMaxLimit
+    , offset = parsedOffset |> max 0 |> min 10_000_000
+    }

core/service/Service/Transport.hs

@@ -16,6 +16,7 @@ import Schema (Schema)
 import Service.Auth (RequestContext, UserClaims)
 import Service.Command.Core (Command, NameOf)
 import Service.Query.Auth (QueryEndpointError)
+import Service.Query.Pagination (QueryPageRequest)
 import Service.Response (CommandResponse)
 import Task (Task)
 import Text (Text)
@@ -44,7 +45,7 @@ type EndpointHandler = RequestContext -> Bytes -> ((CommandResponse, Bytes) -> T
 -- - StorageError -> 500
 --
 -- Used for GET /queries/{query-name} endpoints.
-type QueryEndpointHandler = Maybe UserClaims -> Maybe Expr -> Task QueryEndpointError Text
+type QueryEndpointHandler = Maybe UserClaims -> Maybe Expr -> QueryPageRequest -> Task QueryEndpointError Text
 
 
 -- | Schema information for an endpoint (command or query).

core/service/Service/Transport/Web.hs

@@ -53,6 +53,7 @@ import Service.FileUpload.Core qualified as FileUpload
 import Service.FileUpload.Web (FileUploadRoutes (..))
 import Service.CommandExecutor.TH (deriveKnownHash)
 import Service.Query.Auth (QueryAuthError (..), QueryEndpointError (..))
+import Service.Query.Pagination qualified as Pagination
 import Service.Response (CommandResponse)
 import Service.Response qualified as Response
 import Service.Transport (EndpointHandler, Endpoints (..), Transport (..))
@@ -616,11 +617,15 @@ instance Transport WebTransport where
                 let errBody = [fmt|{"error":"parse_error","message":#{safeMsg}}|]
                 badRequest errBody respond
               Result.Ok maybeExpr -> do
+                -- Parse pagination parameters
+                let pageRequest = Pagination.parsePageRequest
+                      (getQueryParam "limit")
+                      (getQueryParam "offset")
                 -- Helper to process query with given user claims
                 let processQueryWithClaims userClaims = do
                       -- Execute the query handler with error recovery
                       -- Handler performs internal canAccess/canView checks
-                      result <- handler userClaims maybeExpr |> Task.asResult
+                      result <- handler userClaims maybeExpr pageRequest |> Task.asResult
                       case result of
                         Result.Ok responseText -> okJson responseText
                         Result.Err endpointError ->