fix(graphql): publish apm:graphql:resolve:start for IAST taint tracking

The IAST plugin subscribes to 'apm:graphql:resolve:start' to taint
resolver args when they originate from a tainted query source (e.g.
hardcoded query literals like books(title: "ls")). The orchestrion
resolve.js was only publishing to the AppSec channel, so IAST never
received field args for hardcoded arguments — only variable args were
tainted via HTTP request body tracking.

Publish { rootCtx, args, info, path, pathString } to the IAST channel
from bindStart to restore parity with the shimmer instrumentation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: crysmags

packages/datadog-plugin-graphql/src/resolve.js

@@ -20,6 +20,7 @@ class GraphQLResolvePlugin extends TracingPlugin {
     super(...args)
 
     this.resolverStartCh = dc.channel('datadog:graphql:resolver:start')
+    this.iastResolveCh = dc.channel('apm:graphql:resolve:start')
   }
 
   bindStart (ctx) {
@@ -144,6 +145,10 @@ class GraphQLResolvePlugin extends TracingPlugin {
       this.resolverStartCh.publish({ abortController, resolverInfo: getResolverInfo(info, resolverArgs) })
     }
 
+    if (this.iastResolveCh.hasSubscribers) {
+      this.iastResolveCh.publish({ rootCtx, args: resolverArgs, info, path: computedPath, pathString: computedPathString })
+    }
+
     return ctx.currentStore
   }