fix(security): pin SPM dependency to revision SHA [DEVA11Y-477] #17

Open

sunny-se wants to merge 1 commit into main from fix/DEVA11Y-477-pin-spm-dependency

Conversation

@sunny-se (Collaborator) commented May 26, 2026

Summary

  • DEVA11Y-477 / F-005 — The setup() function in scripts/{bash,zsh,fish}/spm.sh generated a temporary Package.swift pinning the AccessibilityDevTools dependency to branch: "main" (mutable ref, CWE-829). Any push to main could execute arbitrary code in the SPM plugin sandbox.
  • Changed all 3 scripts to pin to revision: "0428b322b00494b19e44c20c37502a0ee31af642" (current main HEAD) for supply-chain integrity.

Files changed

  • scripts/bash/spm.sh
  • scripts/zsh/spm.sh
  • scripts/fish/spm.sh

Note

The pinned revision SHA should be updated whenever a new release is cut, to track the latest verified commit.

Jira

DEVA11Y-477

🤖 Generated with Claude Code

F-005 / DEVA11Y-477 — The generated Package.swift pinned the
AccessibilityDevTools dependency to branch "main" (CWE-829),
allowing any push to main to execute in the plugin sandbox.
Pin to a specific revision SHA for supply-chain integrity.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
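The scripts touched by this PR write a temporary Package.swift and the whole fix is the string that lands in the dependency line. The block below is an added example, not the PR's own spm.sh code: it renders such a manifest with the revision pin and adds the guard a reviewer would want, refusing any pin that is not a full 40-hex commit id (a short SHA, tag or branch name written into the revision field would silently bring back a mutable ref), plus a CI-style check that a generated manifest contains no branch: pin. The package URL, package name and target name are assumptions; the SHA is the one from the PR description.

```shell
#!/bin/sh
# Added example, not code from the PR. Renders the temporary Package.swift the
# way a pinned setup() would and refuses pins that are not a full commit SHA.
# DEP_URL and the package/target names below are assumptions for illustration.

DEP_URL="https://github.com/browserstack/AccessibilityDevTools"   # assumed URL
PINNED_REV="0428b322b00494b19e44c20c37502a0ee31af642"              # SHA from the PR

# Return 0 only for a 40-character lowercase hex commit id (what git prints).
is_full_sha() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Print a manifest pinned to $1 on stdout; return 1 if $1 is not a full SHA,
# so a branch name or short SHA can never be written into the revision field.
render_package_swift() {
    rev="$1"
    is_full_sha "$rev" || { echo "refusing non-SHA pin: $rev" >&2; return 1; }
    cat <<EOF
// swift-tools-version:5.9
import PackageDescription

let package = Package(
    name: "A11yHost",
    dependencies: [
        // immutable pin: a commit id, not a branch
        .package(url: "$DEP_URL", revision: "$rev")
    ],
    targets: [
        .target(name: "A11yHost", dependencies: [
            .product(name: "AccessibilityDevTools", package: "AccessibilityDevTools")
        ])
    ]
)
EOF
}

# CI guard for an already generated manifest file: fail if any branch: pin
# survives, and require that a revision: pin is present.
manifest_is_pinned() {
    if grep -q 'branch:' "$1"; then
        return 1
    fi
    grep -q 'revision: "' "$1"
}

# Stand-alone usage: render the pinned manifest and check it.
if [ "${0##*/}" = "pin-check.sh" ]; then
    render_package_swift "$PINNED_REV" > Package.swift
    manifest_is_pinned Package.swift && echo "Package.swift pinned to $PINNED_REV"
fi
```

The guard keeps the pin honest at the point where the script writes it: the PR's Note says the SHA must be bumped on every release, and a hurried bump that pastes a tag or short SHA is exactly what is_full_sha rejects. manifest_is_pinned is the same check applied after the fact, for a CI job that inspects the generated manifest rather than the generating script.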
@sunny-se sunny-se requested a review from a team as a code owner May 26, 2026 09:00
@sunny-se (Collaborator, Author) commented

Exception requested — will not merge as-is.

Finding: F-005 (DEVA11Y-477) — SPM dependency pinned to mutable branch
Reason for exception: We need to push dynamic updates to consumers via the main branch. Pinning to a specific revision would require consumers to update their scripts on every release, which breaks our update distribution model.

The current branch: "main" pattern is intentional — the SPM package is fetched at build time and must always resolve to the latest published version.

Risk acceptance: The supply-chain risk of tracking main is accepted given:

  1. The repo (browserstack/AccessibilityDevTools) is under our org's control
  2. Branch protection rules on main require PR review before merge
  3. The trade-off between update friction and supply-chain pinning favors dynamic here

Requesting that the security team raise a formal exception for F-005 / CVSS 7.5.

cc @Crash0v3rrid3
