fix(kimi-vl): gate dynamic imports on remote code trust

[chtruong814]

Summary

• propagate the AutoBridge trust_remote_code setting into the Kimi K2.5 VL provider
• reject Kimi VL vision construction before dynamic Hugging Face module imports when remote code is not trusted
• pass the trust flag through Kimi dynamic module and config loading paths

Tests

• PRE_COMMIT_HOME=.cache/pre-commit UV_CACHE_DIR=.uv-cache uv run --no-sync pre-commit run --all-files
• UV_CACHE_DIR=.uv-cache uv run --no-sync ruff check src/megatron/bridge/models/kimi_vl/kimi_k25_vl_provider.py src/megatron/bridge/models/kimi_vl/kimi_k25_vl_bridge.py src/megatron/bridge/models/kimi_vl/modeling_kimi_k25_vl.py tests/unit_tests/models/kimi_vl/test_kimi_k25_vl_bridge.py tests/unit_tests/models/kimi_vl/test_modeling_kimi_k25_vl.py
• python3 -c 'import ast, pathlib; files=["src/megatron/bridge/models/kimi_vl/kimi_k25_vl_provider.py","src/megatron/bridge/models/kimi_vl/kimi_k25_vl_bridge.py","src/megatron/bridge/models/kimi_vl/modeling_kimi_k25_vl.py","tests/unit_tests/models/kimi_vl/test_kimi_k25_vl_bridge.py","tests/unit_tests/models/kimi_vl/test_modeling_kimi_k25_vl.py"]; [ast.parse(pathlib.Path(f).read_text(), filename=f) for f in files]; print("syntax ok")'

Note: targeted pytest could not be run locally on macOS arm64 because uv cannot install nvidia-resiliency-ext for this platform, and the existing --no-sync environment does not include pytest.

[claude]

Review: fix(kimi-vl): gate dynamic imports on remote code trust -- Clean, well-scoped security hardening. The trust flag is propagated correctly through the bridge, provider, and model chain, and the guard in KimiK25VLModel.init fires before any get_class_from_dynamic_module call. Tests cover both the happy path and the rejection path at both layers (bridge and model init). No issues found -- LGTM. -- Suggested test cases: No perf tests impacted.