[TASK] Import-graph analysis job for S8 enforcement

[kirich1409]

Context

Static analysis of SwiftPM build graph or .swiftdeps. Fail CI if DevsweepModules references Foundation.Process, Darwin.posix_spawn, FileManager.removeItem, trashItem, or imports DevsweepCorePrivate.

Acceptance criteria

• Script runs on CI.
• Positive test: inject banned import, job fails.
• Clean repo passes.

Files to touch (estimate)

best-effort estimate; agent refines during implementation

Implementation notes

• See research report §S8 Module-level isolation.

Dependencies

• Blocked by [TASK] Enforce internal import for DevsweepCorePrivate #20
• Blocked by [TASK] Base GitHub Actions build workflow #22

Safety checklist

See .github/ISSUE_TEMPLATE/task.yml — tick applicable invariants in the issue if any destructive path is touched.

Definition of Done

• Acceptance criteria satisfied and verifiable
• Tests added or updated
• No build / lint / test regressions
• Self-review against research-report invariants
• Code review approved