
Add query complexity guard

Open kesne opened this issue 4 years ago • 0 comments

It's pretty simple to create an incredibly complex query that you can execute against our API. We should guard against this. TypeGraphQL has some helpers that make this not too bad.

I thought about persisted queries, but this significantly limits what we can provide to our external API if we want to allow for easy use of our API externally. An option would be to impose pretty aggressive limits on external API use (cap the maximum depth, pagination limits, query complexity, and rate limiting), and then have no limits on anything that's been persisted (a "trusted" query).

The only possible downside would be that you could just rip the persisted query from the codebase and use that, but ideally the queries in the codebase aren't too sloppy.

kesne avatar May 11 '20 07:05 kesne
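The guard sketched in the issue, as an added example that is not HostyHosting's code and does not use TypeGraphQL's helpers (it has no dependencies so it runs stand-alone). It parses a simplified GraphQL query syntax (fields, nested selection sets, integer arguments), caps depth, page size and a complexity score for untrusted callers, and lets a query through unchecked when its whitespace-normalised text is on a trusted allowlist, which is the "persisted query" idea from the post. The cost model, the `externalLimits` values and the function names are assumptions for illustration.

```typescript
// Added example, not the project's code: a dependency-free GraphQL query
// complexity guard with a trusted (persisted) query bypass.

interface Field { name: string; args: Record<string, number | undefined>; selections: Field[]; }

export interface Limits {
  maxDepth: number;      // deepest allowed nesting of selection sets
  maxPageSize: number;   // largest allowed `first`/`last` argument
  maxComplexity: number; // cost budget per query, see complexityOf()
}

export interface Verdict { ok: boolean; trusted: boolean; depth: number; complexity: number; reason?: string; }

// Tokens: identifiers, integers and `{ } ( ) :`; commas and whitespace are insignificant.
function tokenize(src: string): string[] {
  return src.match(/[A-Za-z_][A-Za-z0-9_]*|\d+|[{}():]/g) ?? [];
}

// Minimal recursive-descent parser for `query Name? { field(arg: 1) { sub } ... }`.
// No fragments, variables, aliases or directives (assumption to keep the example short).
class Parser {
  private pos = 0;
  private toks: string[];
  constructor(toks: string[]) { this.toks = toks; }

  private peek(): string | undefined { return this.toks[this.pos]; }
  private next(): string {
    const t = this.toks[this.pos];
    if (t === undefined) throw new Error("unexpected end of query");
    this.pos++;
    return t;
  }
  private expect(want: string): void {
    const got = this.next();
    if (got !== want) throw new Error(`expected ${want}, got ${got}`);
  }

  parseDocument(): Field[] {
    if (this.peek() === "query") {
      this.next();
      if (this.peek() !== "{") this.next(); // optional operation name
    }
    const fields = this.parseSelectionSet();
    if (this.peek() !== undefined) throw new Error("trailing tokens after selection set");
    return fields;
  }

  private parseSelectionSet(): Field[] {
    this.expect("{");
    const fields: Field[] = [];
    while (this.peek() !== "}") fields.push(this.parseField());
    this.expect("}");
    return fields;
  }

  private parseField(): Field {
    const name = this.next();
    if (!/^[A-Za-z_]/.test(name)) throw new Error(`bad field name: ${name}`);
    const args: Record<string, number | undefined> = {};
    if (this.peek() === "(") {
      this.next();
      while (this.peek() !== ")") {
        const key = this.next();
        this.expect(":");
        const value = this.next();
        if (!/^\d+$/.test(value)) throw new Error("only integer arguments are supported here");
        args[key] = Number(value);
      }
      this.next();
    }
    const selections = this.peek() === "{" ? this.parseSelectionSet() : [];
    return { name, args, selections };
  }
}

function depthOf(fields: Field[]): number {
  let d = 0;
  for (const f of fields) d = Math.max(d, 1 + depthOf(f.selections));
  return d;
}

// Cost model (an assumption of this example): every field costs 1, and a field
// with `first`/`last` multiplies its sub-selection by the requested page size,
// so `users(first: 100) { posts(first: 100) { title } }` costs 1 + 100 * (1 + 100 * 1).
function complexityOf(fields: Field[]): number {
  let total = 0;
  for (const f of fields) total += 1 + (f.args.first ?? f.args.last ?? 1) * complexityOf(f.selections);
  return total;
}

function largestPageSize(fields: Field[]): number {
  let m = 0;
  for (const f of fields) m = Math.max(m, f.args.first ?? 0, f.args.last ?? 0, largestPageSize(f.selections));
  return m;
}

// Trusted queries are keyed by normalised text here; a real deployment would key
// on a SHA-256 of that text, as persisted-query schemes usually do.
export function normalizeQuery(query: string): string { return query.replace(/\s+/g, " ").trim(); }

export function guardQuery(query: string, limits: Limits, trusted: Set<string>): Verdict {
  const fields = new Parser(tokenize(query)).parseDocument();
  const base = { depth: depthOf(fields), complexity: complexityOf(fields) };
  // Persisted queries from the codebase skip every limit; as the issue notes, anyone
  // who copies the query text out of the client bundle gets the same treatment.
  if (trusted.has(normalizeQuery(query))) return { ok: true, trusted: true, ...base };
  if (base.depth > limits.maxDepth) return { ok: false, trusted: false, reason: "depth", ...base };
  if (largestPageSize(fields) > limits.maxPageSize) return { ok: false, trusted: false, reason: "pageSize", ...base };
  if (base.complexity > limits.maxComplexity) return { ok: false, trusted: false, reason: "complexity", ...base };
  return { ok: true, trusted: false, ...base };
}

// Aggressive defaults for untrusted external callers (illustrative values).
export const externalLimits: Limits = { maxDepth: 5, maxPageSize: 100, maxComplexity: 1000 };
```

The multiplicative cost model is what makes the guard worth having: a two-level fan-out of `first: 100` costs about ten thousand units even though it is only three fields deep, so a depth cap alone would wave it through. Rate limiting, the remaining control mentioned in the issue, sits outside this function and would be keyed on the caller rather than the query.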