security: vendor modifiers-napi locally (PR paoloanzn#3 core fix)

The npm package 'modifiers-napi' was squatting (published by disposable
email). Replace runtime npm dependency with a local vendored stub.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: David-c0degeek

src/utils/modifiers.ts

@@ -18,9 +18,10 @@ function loadNativeModifiersModule(): NativeModifiersModule | null {
   }
 
   try {
+    // Use local vendored stub instead of npm package (original was squatting target)
     nativeModifiersModule =
       // eslint-disable-next-line @typescript-eslint/no-require-imports
-      (require('modifiers-napi') as NativeModifiersModule) ?? null
+      (require('../vendor/modifiers-napi') as NativeModifiersModule) ?? null
   } catch {
     nativeModifiersModule = null
   }

src/vendor/modifiers-napi.ts

@@ -0,0 +1,11 @@
+// Vendored stub for modifiers-napi (malicious package squatted on npm)
+// Original was a native macOS module for keyboard modifier detection.
+// This stub provides no-op implementations for safety.
+
+export function prewarm(): void {
+  // no-op
+}
+
+export function isModifierPressed(_modifier: string): boolean {
+  return false
+}