
fix: remove compromised setup hooks#44

Merged: mynameistito merged 3 commits into main from security/remove-compromised-setup-hooks on Jun 4, 2026

Conversation

Owner

@mynameistito mynameistito commented Jun 4, 2026

Summary

  • removes compromised auto-executing setup hooks and the obfuscated .github/setup.js payload
  • removes package test-script execution of node .github/setup.js where present
  • adds a local security:check guard where the repo has package scripts to prevent reintroducing the setup payload/hooks

Verification

  • bun run security:check passes locally
  • dependency install was run with bun install --ignore-scripts before verification to avoid lifecycle script execution
  • broader typecheck/Ultracite checks were attempted where available; some repos still have pre-existing/tooling-specific failures or local Norton/Windows command blocking unrelated to this hook removal

Summary by cubic

Removed compromised auto-executing setup hooks and the obfuscated .github/setup.js. Added a symlink-safe security check that runs in prepublishOnly to block reintroduction and fail fast.

  • Bug Fixes

    • Deleted .github/setup.js and auto-run IDE hooks from .claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, and .vscode/tasks.json.
    • Removed node .github/setup.js from the test script.
  • New Features

    • Added scripts/security-check.ts and security:check (symlink-safe scan blocking .github/setup.js, IDE session hooks, and runOn: "folderOpen"), run first in prepublishOnly.
    • Switched lint, format, and fix scripts to call ultracite directly; added .changeset/clean-setup-hooks.md for a patch release.

Written for commit adeb8c1. Summary will update on new commits.


Note

Remove compromised setup hooks and add security check to block reintroduction

  • Deletes .github/setup.js and removes all editor/IDE hooks (Claude, Cursor, Gemini, VS Code) that auto-executed it on session start or folder open.
  • Adds scripts/security-check.ts that scans the repo for forbidden patterns referencing the setup payload and exits with code 1 if any are found.
  • Adds a security:check script to package.json and runs it as the first step of prepublishOnly to block publishing if violations exist.
  • Behavioral Change: npm run test no longer attempts to run the removed setup script; prepublishOnly will now fail fast if forbidden patterns are detected.

Macroscope summarized adeb8c1.
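As an added example (not the PR's scripts/security-check.ts), a symlink-safe scan of the kind the summaries above describe: it walks the repo without following links, reports lines matching the forbidden patterns, and maps any finding to exit code 1 the way a prepublishOnly step would use it. The `"SessionStart"` key is an assumed hook name standing in for the removed IDE session hooks; the fixture directory is constructed in a temp dir.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
// Patterns named in the PR summaries. "SessionStart" is an assumed hook key,
// not something shown in the PR; the other two come from the summaries.
const FORBIDDEN = [
  { name: "setup payload reference", re: /\.github\/setup\.js/ },
  { name: "VS Code folderOpen auto-run task", re: /runOn"?\s*:\s*"folderOpen"/ },
  { name: "IDE session hook (assumed key)", re: /"SessionStart"\s*:/ },
];
const SKIP_DIRS = new Set([".git", "node_modules"]);
export type Finding = { file: string; pattern: string; line: number };
// Walk without following symlinks: dirent types come straight from readdir, so a
// link pointing outside the repo (or at a huge tree) is neither descended nor read.
export function scanTree(root: string): Finding[] {
  const findings: Finding[] = [];
  const stack = [root];
  while (stack.length > 0) {
    const dir = stack.pop()!;
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) continue; // never follow links, file or directory
      if (entry.isDirectory()) {
        if (!SKIP_DIRS.has(entry.name)) stack.push(full);
      } else if (entry.isFile()) {
        fs.readFileSync(full, "utf8").split("\n").forEach((text, i) => {
          for (const p of FORBIDDEN) if (p.re.test(text)) findings.push({ file: path.relative(root, full), pattern: p.name, line: i + 1 });
        });
      }
    }
  }
  return findings.sort((a, b) => a.file.localeCompare(b.file) || a.line - b.line);
}
// Exit status a prepublishOnly step would use: 1 on any finding, 0 when clean.
export const exitCodeFor = (f: Finding[]): number => (f.length > 0 ? 1 : 0);
// Constructed fixture: one reintroduced folderOpen task, a clean package.json, and
// a symlink to a file outside the repo that does reference the payload.
export function makeFixture(): string {
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), "outside-"));
  fs.writeFileSync(path.join(outside, "evil.json"), '{"test": "node .github/setup.js"}');
  const repo = fs.mkdtempSync(path.join(os.tmpdir(), "repo-"));
  fs.mkdirSync(path.join(repo, ".vscode"));
  fs.writeFileSync(path.join(repo, ".vscode", "tasks.json"),
    '{"tasks": [{"label": "setup", "runOptions": {"runOn": "folderOpen"}}]}');
  fs.writeFileSync(path.join(repo, "package.json"), '{"scripts": {"test": "vitest"}}');
  fs.symlinkSync(path.join(outside, "evil.json"), path.join(repo, "linked.json"));
  return repo;
}
// Stand-alone run on the fixture; a real check would pass process.cwd() and exit with exitCodeFor.
console.log(scanTree(makeFixture()));
```

The symlinked file outside the repo contains the payload reference but is not reported, which is the point of the symlink-safe walk: the check only trusts what is physically inside the tree.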


coderabbitai Bot commented Jun 4, 2026

Warning

Review limit reached

@mynameistito, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 33 minutes and 55 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.


📥 Commits

Reviewing files that changed from the base of the PR and between b22c566 and adeb8c1.

⛔ Files ignored due to path filters (1)
  • .cursor/rules/setup.mdc is excluded by !.cursor/**
📒 Files selected for processing (7)
  • .changeset/clean-setup-hooks.md
  • .claude/settings.json
  • .gemini/settings.json
  • .github/setup.js
  • .vscode/tasks.json
  • package.json
  • scripts/security-check.ts

@cubic-dev-ai cubic-dev-ai Bot left a comment


2 issues found across 8 files


  • Comment thread on scripts/security-check.ts (outdated)
  • Comment thread on package.json (outdated)

@mynameistito force-pushed the security/remove-compromised-setup-hooks branch from 864967f to adeb8c1 on June 4, 2026 23:18

sonarqubecloud Bot commented Jun 4, 2026

@mynameistito mynameistito merged commit d63d8a8 into main Jun 4, 2026
14 checks passed
@github-actions github-actions Bot mentioned this pull request Jun 4, 2026