Plan masters #2685-#2689 covering server runtime GA, OpenCode integration, data-pipeline integrity, build/artifact hygiene, and observer output fidelity. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2.6 KiB
[plan-10] Build / Bundle / CI Artifact Hygiene — enforce a boundary on what we ship
Defect
There is no enforced discipline on the contents, size, or correctness of published artifacts, so dead weight and maintainer files leak into what users install, and main can ship with a broken typecheck. The worker bundler reaches past the plugin's declared dependency boundary and pulls in code that is never used; there is no CI guard to catch the resulting bloat; the published npm tarball ships maintainer CLAUDE.md files because there is no files allowlist; and npm run typecheck is red on main. Each is a symptom of the same missing contract: the build must declare and enforce its boundaries — externals, size, tarball contents, and a green typecheck — in CI.
Children
- #2584 —
worker-service.cjsbundles unusedbetter-auth(94 OAuth URLs, ~3.7MB); bundler reaches past the dep boundary - #2570 — no bundle-size guardrail in CI; bash-only marketplace-sync breaks on Windows (non-idempotent)
- #2538 — 24 pre-existing TypeScript errors block
npm run typecheckonmain(Express 5 / React 19 / logger union drift) - #2537 — published npm tarball ships five
CLAUDE.mdfiles (nofilesallowlist /.npmignore)
Fix sequence
- Externalize / treeshake: mark
better-auth(and any other server-only dep) external to the worker bundle, or gate it behind the server runtime so it never enters the worker artifact (#2584). - Bundle-size canary in CI: record a baseline and fail CI when the worker bundle grows past a threshold; port the marketplace-sync step to a cross-platform, idempotent script (#2570).
- Green typecheck gate: fix the 24 drift errors (Express 5, React 19, logger union) and make
npm run typechecka required CI check somaincan't go red again (#2538). - Tarball allowlist: add a
filesallowlist (and/or.npmignore) so only intended artifacts publish; assert tarball contents in CI (#2537).
Test matrix
| Artifact | Check | Required behavior |
|---|---|---|
worker-service.cjs |
bundle size vs baseline | no better-auth; size under threshold or CI fails |
Repo main |
npm run typecheck |
exit 0; required check |
| npm tarball | npm pack contents |
only allowlisted files; no maintainer CLAUDE.md |
| Marketplace sync | run on Windows + POSIX | idempotent; succeeds on both |
The matrix lives in CI. An artifact-hygiene regression must fail CI before a user can install it.
Out of scope
- Missing-runtime-dependency-on-install (node_modules / zod not shipped) → plan-04 (install/dependency completeness).
- Worker runtime crashes → plan-03.