access control validation and merge logic updates

.changeset/orange-yaks-double.md

@@ -0,0 +1,5 @@
+---
+"@apollo/composition": patch
+---
+
+Fixed access control verification of transitive requirements (through `@requires` and/or `@fromContext`) to ensure it works with chains of transitive dependencies.

.changeset/shaggy-adults-help.md

@@ -0,0 +1,9 @@
+---
+"@apollo/composition": patch
+"@apollo/federation-internals": patch
+---
+Allow interface object fields to specify access control
+
+Update composition logic to allow specifying access control directives (`@authenticated`, `@requiresScopes` and `@policy`) on `@interfaceObject` fields. While we disallow access control on interface types and fields, we decided to support it on `@interfaceObject` as it is a useful pattern to define a single resolver (that may need access controls) for common interface fields. Alternative would require our users to explicitly define resolvers for all implementations which defeats the purpose of `@interfaceObject`.
+
+This PR refactors in how we propagate access control by providing additional merge sources when merging directives on interfaces, interface fields and object fields.

.changeset/smart-crabs-jump.md

@@ -0,0 +1,5 @@
+---
+"@apollo/federation-internals": patch
+---
+
+Fixed demand control validations to unwrap non-nullable composite types and fields when performing validations.