
fix(security): remove insecure self-update from cli.sh scripts [DEVA11Y-475] #16

Open

sunny-se wants to merge 2 commits into main from fix/DEVA11Y-475-remove-cli-self-update

Conversation

Collaborator

@sunny-se sunny-se commented May 26, 2026

Summary

  • Removes script_self_update() function and its invocation from all 3 CLI scripts
  • scripts/bash/cli.sh — removed function (lines 81-88) and call (line 95)
  • scripts/zsh/cli.sh — removed function (lines 92-98) and call (line 106)
  • scripts/fish/cli.sh — removed function (lines 93-99) and call (line 107)

Why: script_self_update() fetched the script from a mutable branch head (refs/heads/main) via curl with no integrity verification (CWE-494). The only guard was a ^#! regex — trivially bypassed by any attacker who controls the response. This ran unconditionally before any subcommand, making it a silent supply-chain vector.

Users should update scripts via git pull or their package manager.

Verification

grep -r "script_self_update" scripts/*/cli.sh
# returns nothing

Jira

DEVA11Y-475 — F-003

🤖 Generated with Claude Code

F-003 / DEVA11Y-475 — script_self_update() fetched the script from
a mutable branch head with no integrity verification (CWE-494).
The ^#! regex check is trivially bypassed. Remove self-update
entirely; users should update via git pull or package manager.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sunny-se sunny-se requested a review from a team as a code owner May 26, 2026 08:59
@sunny-se
Collaborator Author

Suggestion: Keep self-update with HTTPS + SHA-256 integrity check instead of removing it.

Problem with full removal

The script_self_update() function is the only update mechanism for users who installed via the curl-based Xcode Build Phase path (per README). Removing it means those users run stale scripts forever — no way to receive security fixes, rule updates, or bug fixes without manually re-curling.

Proposed alternative

Keep self-update but harden it:

  1. HTTPS-only (already covered by PR #13, fix(security): use HTTPS for binary download in shell scripts [DEVA11Y-474])
  2. SHA-256 checksum verification before overwriting

script_self_update() {
  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/bash/cli.sh"
  local checksum_url="${remote_url}.sha256"
  local tmpdir
  tmpdir=$(mktemp -d) || return 0

  # Download to files rather than into a variable: command substitution strips
  # trailing newlines and echo adds one back, so the bytes hashed would not be
  # the bytes written. --proto '=https' also refuses redirects off HTTPS.
  if ! curl -sfSL --proto '=https' "$remote_url" -o "$tmpdir/cli.sh" \
     || ! curl -sfSL --proto '=https' "$checksum_url" -o "$tmpdir/cli.sh.sha256"; then
    rm -rf "$tmpdir"
    return 0
  fi

  # The sidecar may hold a bare digest or sha256sum's "digest  filename" line.
  local expected_hash actual_hash
  expected_hash=$(head -n1 "$tmpdir/cli.sh.sha256" | cut -d' ' -f1)
  actual_hash=$(shasum -a 256 "$tmpdir/cli.sh" | cut -d' ' -f1)

  # SCRIPT_PATH is assumed to be set earlier in cli.sh (it is in the original call).
  if [[ "$actual_hash" == "$expected_hash" ]] && head -n1 "$tmpdir/cli.sh" | grep -q '^#!'; then
    # Stage beside the target and rename, so a concurrent reader never sees a partial file.
    cp "$tmpdir/cli.sh" "${SCRIPT_PATH}.new" && chmod 0755 "${SCRIPT_PATH}.new" \
      && mv -f "${SCRIPT_PATH}.new" "$SCRIPT_PATH"
  fi
  rm -rf "$tmpdir"
}

This requires publishing .sha256 sidecar files alongside each script in the repo (one-time addition to release process).

Why this is sufficient

Action

Ship .sha256 sidecar files for each script variant (bash/fish/zsh × cli.sh/spm.sh). Update this PR to use the hardened self-update instead of removing it. Closes F-003 while preserving the update channel for Xcode Build Phase users.

Same approach should apply to PR #18 (DEVA11Y-478 — spm.sh self-update).

Instead of removing script_self_update() entirely, restore it with
hardening: HTTPS-only fetch (pairs with PR #13) + SHA-256 checksum
verification against a .sha256 sidecar file. Silently skips update
if checksum fetch fails or hash mismatch — never overwrites with
unverified content.

Requires publishing .sha256 sidecar files alongside each script.

DEVA11Y-475

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
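A runnable version of the sidecar-verified self-update discussed in this thread, with the trust boundary made explicit. This is an added example written by the editor, not code from the PR or the AccessibilityDevTools project: downloads are simulated by copying from a constructed local origin directory so it runs offline (in production the two cp calls would be the curl fetches), and the function names, fixture contents and scenario helpers are the editor's own assumptions. Scenario 3 is the one to read before adopting the sidecar approach.

```shell
# Added example (editor's, not the project's code): a sidecar-verified
# self-update routine plus three constructed scenarios showing what the
# same-origin sidecar does and does not defend against.

# SHA-256 of a file as bare lowercase hex; GNU coreutils or macOS fallback.
sha256_of_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Verify file $1 against sidecar $2. Accepts a bare digest or sha256sum's
# "digest  filename" line; anything else (an HTML error page, an empty
# body) fails closed.
verify_sidecar() {
  local expected
  expected=$(head -n1 "$2" | cut -d' ' -f1 | tr 'A-F' 'a-f')
  printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 1
  [ "$(sha256_of_file "$1")" = "$expected" ]
}

# Fetch script and sidecar from origin $1, verify, replace $2 atomically.
# Returns 0 if the update was applied, 1 if it was rejected or fetch failed.
self_update() {
  local origin="$1" target="$2" tmp rc=1
  tmp=$(mktemp -d) || return 1
  # Production: curl -sfSL --proto '=https' "$url" -o "$tmp/cli.sh" (and .sha256)
  if cp "$origin/cli.sh" "$tmp/cli.sh" 2>/dev/null \
     && cp "$origin/cli.sh.sha256" "$tmp/cli.sh.sha256" 2>/dev/null \
     && verify_sidecar "$tmp/cli.sh" "$tmp/cli.sh.sha256" \
     && head -n1 "$tmp/cli.sh" | grep -q '^#!'; then
    # Stage next to the target and rename: no reader sees a half-written file.
    cp "$tmp/cli.sh" "$target.new" && chmod 0755 "$target.new" \
      && mv -f "$target.new" "$target" && rc=0
  fi
  rm -rf "$tmp"
  return $rc
}

# Constructed fixture (editor's): an installed v1 script and an origin
# serving v2 with a sidecar in sha256sum's output format.
make_fixture() {
  mkdir -p "$1/origin"
  printf '#!/bin/sh\necho v1\n' > "$1/installed.sh"
  printf '#!/bin/sh\necho v2\n' > "$1/origin/cli.sh"
  printf '%s  cli.sh\n' "$(sha256_of_file "$1/origin/cli.sh")" > "$1/origin/cli.sh.sha256"
}

# Scenario 1: honest origin, matching sidecar: the update is applied.
demo_honest() {
  local root rc; root=$(mktemp -d); make_fixture "$root"
  self_update "$root/origin" "$root/installed.sh" && grep -q 'echo v2' "$root/installed.sh"
  rc=$?; rm -rf "$root"; return $rc
}

# Scenario 2: only the script object is tampered (one poisoned cache entry,
# a truncated download); the sidecar still describes v2: rejected, v1 stays.
demo_tampered_script_only() {
  local root rc; root=$(mktemp -d); make_fixture "$root"
  printf '#!/bin/sh\necho attacker\n' > "$root/origin/cli.sh"
  ! self_update "$root/origin" "$root/installed.sh" && grep -q 'echo v1' "$root/installed.sh"
  rc=$?; rm -rf "$root"; return $rc
}

# Scenario 3: the attacker controls the origin (a commit pushed to the branch
# head, a hijacked account) and republishes the sidecar too: the check passes
# and the malicious script is installed. Returns 0 to show the update went in.
demo_attacker_controls_origin() {
  local root rc; root=$(mktemp -d); make_fixture "$root"
  printf '#!/bin/sh\necho attacker\n' > "$root/origin/cli.sh"
  sha256_of_file "$root/origin/cli.sh" > "$root/origin/cli.sh.sha256"
  self_update "$root/origin" "$root/installed.sh" && grep -q 'echo attacker' "$root/installed.sh"
  rc=$?; rm -rf "$root"; return $rc
}
```

Scenario 3 is the caveat: a digest fetched from the same mutable branch head as the script detects corruption and partial or swapped objects, but not substitution by whoever can write to that branch, which is exactly the CWE-494 threat the PR description names. Closing that gap needs the script to carry something the origin cannot regenerate, for example a public key pinned in the installed script and a detached signature over each published version, or a sidecar served from an independent trust root.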