Inspects response headers (not just body) to tell apart a WAF/rate-limit edge block from a real GraphQL-layer error, since the body alone ("WHITELIST_ERROR") looks identical either way.
Step 1 — Inspect response headers
Runs the known-good minimal query and dumps every response header. Look for things like Retry-After, X-RateLimit-*, cf-ray, Server, or anything mentioning a WAF/CDN vendor.
Not run yet.
Headers
—
Body
—
Step 2 — Single retry after a pause
Waits 8 seconds, then sends ONE single request. If this succeeds where rapid-fire testing failed, that strongly suggests rate-limiting / cooldown rather than a permanent block.
Not run yet.
—
Step 3 — Compare: does a totally different field set still fail?
Tries the GraphQL built-in __typename field only — about as minimal and harmless as a query can be. If even this fails identically, the block is happening before GraphQL parses anything (confirms edge/WAF-level, not query-content-based).