
Commit 543f5bd

sunny-seclaude and Claude Opus 4.6 authored
fix(security): restrict SPM plugin network scope [DEVA11Y-481] (#14)
* fix(security): restrict SPM plugin network scope to .all(ports: [])

  F-012 / DEVA11Y-481 — The plugin declared unrestricted .all() network scope (CWE-250) which amplifies blast radius of other findings. Switch to .all(ports: []) matching what shell scripts already enforce.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(security): restrict network scope to ports 80 and 443

  .all(ports: []) is semantically identical to .all() in SPM — empty array means "all ports allowed". Change to .all(ports: [80, 443]) to actually restrict the plugin to HTTP/HTTPS ports only, blocking port scanning and access to internal services on non-standard ports.

  Verified end-to-end: plugin downloads CLI v1.34.2 over port 443 and runs scan successfully with restricted scope.

  DEVA11Y-481

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 93d2f48 commit 543f5bd
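The commit message's point that `.all(ports: [])` and `.all()` are the same scope is easy to miss in review, so here is a manifest check, added as an example that is not part of this repository: it reads a Package.swift, classifies every `.allowNetworkConnections` scope according to SwiftPM's `PluginNetworkPermissionScope` cases, and exits non-zero when any scope allows every host on every port. The manifest fragments are constructed for the example (shaped like the hunk below), and the `audit_manifest`, `classify_scope`, `unrestricted_scopes` and `Finding` names are mine.

```python
"""Lint Package.swift plugin manifests for unrestricted network permission scopes.

Added example, not the project's code. It encodes the SwiftPM semantics the
commit message relies on: in `.allowNetworkConnections(scope:reason:)` both
`.all()` and `.all(ports: [])` mean every host on every port, while
`.all(ports: [80, 443])` limits the plugin to those ports on any host.
Parsing is regex-based over the manifest text (a CI gate, not a Swift parser).
"""
import re
import sys
from dataclasses import dataclass, field

# One permission entry: capture the scope expression up to the `reason:` label.
_PERMISSION_RE = re.compile(
    r"\.allowNetworkConnections\s*\(\s*scope\s*:\s*(?P<scope>.*?)\s*,\s*reason\s*:",
    re.DOTALL,
)
# `.all(...)` / `.local(...)` with an optional `ports: [...]` argument.
_PORTS_RE = re.compile(
    r"\.(?P<kind>all|local)\s*\(\s*(?:ports\s*:\s*\[(?P<ports>[^\]]*)\])?\s*\)"
)


@dataclass
class Finding:
    scope: str                  # scope expression as written in the manifest
    kind: str                   # unrestricted | ports | local | none | docker | unix | unknown
    ports: list = field(default_factory=list)
    unrestricted: bool = False  # True when any host on any port is allowed


def classify_scope(scope: str) -> Finding:
    s = " ".join(scope.split())  # normalise whitespace and line breaks
    if s == ".none":
        return Finding(s, "none")
    if s == ".docker":
        return Finding(s, "docker")
    if s == ".unixDomainSocket":
        return Finding(s, "unix")
    m = _PORTS_RE.fullmatch(s)
    if m is None:
        # Anything this linter cannot read is reported as the worst case.
        return Finding(s, "unknown", unrestricted=True)
    raw = m.group("ports") or ""
    ports = [int(p) for p in raw.split(",") if p.strip()]
    if m.group("kind") == "all":
        # SwiftPM treats an empty port list exactly like no port list: all ports.
        return Finding(s, "ports" if ports else "unrestricted", ports, not ports)
    # `.local` is loopback only; an empty list still means every local port.
    return Finding(s, "local", ports)


def audit_manifest(text: str) -> list:
    # Drop whole-line `//` comments so a commented-out `// scope: ...` is not
    # mistaken for the live scope that follows it.
    code = re.sub(r"^[ \t]*//.*$", "", text, flags=re.MULTILINE)
    return [classify_scope(m.group("scope")) for m in _PERMISSION_RE.finditer(code)]


def unrestricted_scopes(text: str) -> list:
    """Scope expressions that grant every host on every port (the CWE-250 case)."""
    return [f.scope for f in audit_manifest(text) if f.unrestricted]


# Constructed manifest fragments, shaped like the hunk on this page.
BEFORE = """\
permissions: [
    .allowNetworkConnections(
        // scope: .all(ports: []),
        scope: .all(),
        reason: "Please allow network connection permission to authenticate and run accessibility rules."
    ),
    .writeToPackageDirectory(reason: "Please allow writing to package directory for logging.")
]
"""
AFTER = BEFORE.replace("scope: .all(),", "scope: .all(ports: [80, 443]),")
VARIANTS = """\
permissions: [
    .allowNetworkConnections(scope: .all(ports: []), reason: "empty list is still every port"),
    .allowNetworkConnections(scope: .local(ports: [8080]), reason: "loopback only"),
    .allowNetworkConnections(scope: .none, reason: "declared but no network access"),
]
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "Package.swift"
    with open(path, encoding="utf-8") as fh:
        bad = unrestricted_scopes(fh.read())
    for scope in bad:
        print(f"{path}: unrestricted plugin network scope {scope}")
    sys.exit(1 if bad else 0)
```

Run it as `python lint_plugin_scope.py Package.swift` in CI; the pre-fix fragment fails on `.all()`, the fixed one passes with ports `[80, 443]`, and the `.all(ports: [])` variant is flagged just like `.all()`, which is the trap the first commit in this PR fell into.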

1 file changed: Package.swift (1 addition & 2 deletions)
@@ -19,8 +19,7 @@ let package = Package(
1919
),
2020
permissions: [
2121
.allowNetworkConnections(
22-
// scope: .all(ports: []),
23-
scope: .all(),
22+
scope: .all(ports: [80, 443]),
2423
reason: "Please allow network connection permission to authenticate and run accessibility rules."
2524
),
2625
.writeToPackageDirectory(reason: "Please allow writing to package directory for logging.")
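Review bot: the new `scope: .all(ports: [80, 443]),` limits ports, not hosts, so the plugin can still reach any host, internal services included, as long as they listen on 80 or 443; SwiftPM's PluginNetworkPermissionScope has no host allowlist (only `.none`, `.local(ports:)`, `.all(ports:)`, `.docker` and `.unixDomainSocket`), so this is as tight as `.all` gets and the commit message's "access to internal services" claim should be read with that qualifier. Two follow-ups: the commit message verifies only a port-443 download of the CLI, so if nothing needs plaintext HTTP, drop 80 and use `scope: .all(ports: [443]),`; and the unchanged `reason:` line still says only "authenticate and run accessibility rules", although this is the text the user sees when approving the permission, so it should also state that the plugin downloads the CLI binary over HTTPS. Note too that this permission is enforced by the sandbox SwiftPM applies to plugins on macOS; on Linux plugins run unsandboxed, so treat the scope as a macOS-side control rather than a cross-platform one.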

0 commit comments
