nope, its open for you to decide, a common pattern is provide some auth-token on the environment so the resolvers can use it

Alright, we have been using the environment to handle our concern, and had a false start by trying to incorporate some of the grant/role information as ::pc/input properties

And, thank you!

I was looking into a way to tag mutations/resolvers with auth needs, and came across the transform https://wilkerlucio.github.io/pathom/v2/pathom/2.2.0/connect/shared-resolvers.html#connect-transform helper. I think something like this shape would get there

(defn simple-tform
  [{::pc/keys [mutate resolve] :as env}]
  (log/info "ENV is: ") (pprint env)
  (if resolve
    (assoc env ::pc/resolve
               (fn [en params]
                 (log/info "IN simple tform resolve")
                 (resolve en params)))
    (assoc env ::pc/mutate
               (fn [en params]
                 (log/info "IN simple tform mutate")
                 (log/info "env is: ")
                 (pprint (keys en))
                 (mutate en params)))))

(pc/defresolver res1 [_ _]
  {::pc/output    [::test]
   ::pc/transform simple-tform
   ::my-ns/require-auth? true
   ::my-ns/auth-roles #{:admin}}
  (log/info "Hello")
  {::test "hello this is my name"})

I like the extension to defresolver to incorporate expected roles here

Thank you, will continue to learn about this