
Improve DAST GraphQL mutation safety gates#2213

Open
DENGXUELIN wants to merge 1 commit into
UnitOneAI:mainfrom
DENGXUELIN:improve/dast-graphql-mutation-fixtures-2072

Conversation

@DENGXUELIN


/claim #2072

Skill Improvement ($50-150 Bounty)

Related review issue: #2072

Summary

This improves dast-config by adding GraphQL mutation safety evidence gates so active DAST cannot treat depth limits and introspection as sufficient controls for state-changing mutations.

Changes

  • Add DAST-GQL-01 through DAST-GQL-08 evidence gates.
  • Require schema freshness, complete mutation inventory, per-mutation scan decisions, destructive mutation exclusions, dry-run/test-mode evidence, sandbox integrations, disposable seed data, reset/rollback reconciliation, and compensating validation for excluded mutations.
  • Extend the output format with GraphQL Mutation Safety inventory and gate results.
  • Add skill-local benign and vulnerable JSON fixtures.

Bounty Tier

  • Minor ($50) - Small improvements, typo fixes, minor clarifications
  • Moderate ($100) - Adds meaningful coverage, new validation gates, or useful fixtures
  • Substantial ($150) - Major restructuring, broad new coverage, or comprehensive test suite additions

Validation

  • git diff --cached --check
  • git diff --check origin/main...HEAD
  • JSON parse check for both fixtures
  • Markdown fence balance check
  • marker checks for DAST-GQL-01 through DAST-GQL-08
  • added-line realistic-secret-pattern scan
  • git merge-tree --write-tree origin/main HEAD matches HEAD^{tree}
  • fork branch pushed; remote branch commit verified against local HEAD

Payment preference

GitHub Sponsors, if accepted.
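The gates the description lists (schema freshness, complete mutation inventory, per-mutation scan decisions, destructive-mutation exclusion, dry-run/sandbox/seed-data/rollback evidence, compensating validation for excluded mutations) are easy to state but easy to get wrong when applied by hand. The following is an added illustration, not the PR's own code or its fixtures: a Python evaluator that takes a constructed mutation inventory and returns, per mutation, whether an active scan may send it and which gate it fails. The `Mutation` field names, the 24-hour freshness window, the destructive-name heuristic and the two constructed fixtures are assumptions of this example, not the dast-config fixture format.

```python
"""Evaluate a GraphQL mutation inventory against DAST mutation safety gates.

Illustrative only: the inventory shape, thresholds and heuristics below are
assumptions for this example, not the dast-config skill's own format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Name fragments treated as state-destroying; constructed heuristic for this example.
DESTRUCTIVE_HINTS = ("delete", "remove", "purge", "drop", "reset", "wipe", "transfer")


@dataclass
class Mutation:
    """One entry of the mutation inventory (hypothetical fixture shape)."""
    name: str
    scan: bool                          # does the scan plan intend to send this mutation?
    dry_run_evidence: bool = False      # dry-run/test-mode flag proven in a captured request
    sandbox_target: bool = False        # downstream integration confirmed to be a sandbox
    disposable_seed_data: bool = False  # scan operates only on throwaway seed records
    rollback_plan: bool = False         # reset/rollback reconciliation documented
    compensating_validation: str = ""   # how an excluded mutation is still reviewed


def is_destructive(name: str) -> bool:
    """Heuristic classification from the mutation name alone."""
    lowered = name.lower()
    return any(hint in lowered for hint in DESTRUCTIVE_HINTS)


def schema_is_fresh(fetched_at: datetime, now: datetime, max_age: timedelta) -> bool:
    """Schema freshness gate: introspection older than max_age is stale."""
    return now - fetched_at <= max_age


def decide(m: Mutation) -> dict:
    """Per-mutation scan decision; an empty findings list means the gates pass."""
    findings = []
    if m.scan:
        if is_destructive(m.name):
            findings.append("destructive mutation must not be scanned actively")
        if not m.dry_run_evidence:
            findings.append("no dry-run/test-mode evidence")
        if not m.sandbox_target:
            findings.append("integration target not confirmed as sandbox")
        if not m.disposable_seed_data:
            findings.append("seed data not disposable")
        if not m.rollback_plan:
            findings.append("no reset/rollback reconciliation")
    elif not m.compensating_validation:
        findings.append("excluded mutation has no compensating validation")
    return {"name": m.name, "scan": m.scan, "findings": findings}


def evaluate(schema_mutations, inventory, fetched_at, now, max_age=timedelta(hours=24)):
    """Run all gates; 'pass' is true only when every gate holds."""
    gates = {
        "schema_fresh": schema_is_fresh(fetched_at, now, max_age),
        # Inventory must cover exactly the mutations the schema exposes.
        "inventory_complete": set(schema_mutations) == {m.name for m in inventory},
    }
    decisions = [decide(m) for m in inventory]
    gates["mutations_ok"] = all(not d["findings"] for d in decisions)
    gates["pass"] = all(gates.values())
    return {"gates": gates, "decisions": decisions}


# Constructed sample data (not taken from the PR's fixtures).
SCHEMA_MUTATIONS = ["createNote", "updateNote", "deleteNote"]
NOW = datetime(2024, 1, 2, tzinfo=timezone.utc)
FRESH = NOW - timedelta(hours=1)
STALE = NOW - timedelta(days=3)

_FULL_EVIDENCE = dict(dry_run_evidence=True, sandbox_target=True,
                      disposable_seed_data=True, rollback_plan=True)

# Benign: safe mutations scanned with evidence, destructive one excluded with a substitute check.
BENIGN = [
    Mutation("createNote", scan=True, **_FULL_EVIDENCE),
    Mutation("updateNote", scan=True, **_FULL_EVIDENCE),
    Mutation("deleteNote", scan=False, compensating_validation="manual resolver review"),
]

# Vulnerable: stale schema, missing updateNote, deleteNote scanned with no evidence at all.
VULNERABLE = [
    Mutation("createNote", scan=True, **_FULL_EVIDENCE),
    Mutation("deleteNote", scan=True),
]

if __name__ == "__main__":
    for label, inv, fetched in (("benign", BENIGN, FRESH), ("vulnerable", VULNERABLE, STALE)):
        result = evaluate(SCHEMA_MUTATIONS, inv, fetched, NOW)
        print(label, result["gates"])
        for d in result["decisions"]:
            if d["findings"]:
                print("  ", d["name"], "->", "; ".join(d["findings"]))
```

The point of the structure is that depth limits and introspection never appear as inputs: a mutation is only eligible for active scanning when the per-mutation evidence fields are all present, and an excluded mutation still has to name its compensating validation, so the "vulnerable" fixture fails three independent gates rather than one.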
