fix(security): harden self-update with tagged refs + SHA-256 verification [DEVA11Y-478]

[sunny-se]

Summary

• Replaces insecure self-update (CWE-494, CVSS 7.8) across all 6 shell scripts (bash/zsh/fish × spm/cli)
• Issue [JIRA DEVA11Y-128] SPM Plugin implementation #1 fixed: Executable code now fetched from immutable tagged ref (refs/tags/vX.Y.Z) instead of mutable refs/heads/main
• Issue [JIRA DEVA11Y-128] Added permission to write to package directory for logging #2 fixed: SHA-256 checksum verification before overwriting script — rejects tampered or corrupted downloads

How it works

1. Script has embedded SCRIPT_VERSION="v1.0.0"
2. On startup, fetches lightweight scripts/latest-version.txt from main (metadata only, not executable)
3. If remote version differs: fetches script + SHA256SUMS from the immutable tagged ref
4. Verifies SHA-256 checksum of downloaded script against SHA256SUMS
5. Only overwrites if checksum matches — warns and aborts on mismatch

Migration (backwards compat)

Old scripts on dev machines still have the old self-update pointing at refs/heads/main. When this merges, they'll self-update from main one last time (final insecure fetch), pulling the new secure mechanism. All subsequent updates go through the verified tagged path.

Post-merge action required

Immediately after merge, create and push the v1.0.0 tag:

git tag v1.0.0 <merge-commit-sha>
git push origin v1.0.0

Files changed

File	Change
scripts/{bash,zsh,fish}/{spm,cli}.sh (6 files)	Add SCRIPT_VERSION, replace script_self_update()
scripts/latest-version.txt	New — version pointer (fetched from main)
scripts/SHA256SUMS	New — checksums for all 6 scripts (fetched from tag)

Test plan

• grep -r "refs/heads/main" scripts/ --include="*.sh" — no mutable refs in download URLs
• SCRIPT_VERSION present in all 6 scripts
• shasum -a 256 verification in all 6 scripts
• cd scripts && shasum -a 256 -c SHA256SUMS — all 6 OK

Jira

DEVA11Y-478

🤖 Generated with Claude Code