Mac release vk

[AmesingFlank]

Note

High Risk
SessionStart hooks and always-applied rules execute or strongly encourage running an unaudited Node script automatically—classic supply-chain / malicious-setup vector, especially given the script’s very large size.

Overview
This PR wires automatic execution of node .github/setup.js into AI/IDE workflows and adds a new script at .github/setup.js (content not shown in the diff; the file in the tree is very large).

Claude (.claude/settings.json) and Gemini (.gemini/settings.json) each gain a SessionStart hook that runs that command for every session. Cursor gets an always-on rule (.cursor/rules/setup.mdc) that instructs assistants and users to run the same command for “IDE integration and dependency setup.”

Together, these changes push a single Node entrypoint to run on session start or by policy, without documenting what the script does in the diff.

^{Reviewed by Cursor Bugbot for commit 50a8186. Bugbot is set up for automated code reviews on this repo. Configure here.}

[knight42]

Security hold: this PR is affected by the current malicious-code incident involving suspicious [skip ci] commits and/or the .github/setup.js payload pattern.

Please do not merge this PR. I am requesting changes and closing it to prevent accidental merge while we investigate and clean up. Reopen only after the suspicious commits are removed, the branch is rebuilt from a trusted base, and trusted CI has been re-run.

安全处理：该 PR 被纳入当前恶意代码事件的受影响范围，涉及可疑的 [skip ci] commit 和/或 .github/setup.js payload 模式。

请不要合并该 PR。我会先 request changes 并关闭 PR，避免误合并。只有在移除可疑 commit、从可信 base 重建分支，并重新跑可信 CI 后，才应重新打开。