Sensitive resources with GraphQL mutations must have explicit authorization policies.

Rule IDs:

• :graphql_mutation_unsecured — mutation exists on sensitive resource with no policies
• :graphql_mutation_unauthenticated — mutation requires auth but no auth strategy declared

If a sensitive resource has JSON:API or GraphQL mutations targeting it and has no authorization policies, it is flagged as unsecured.