plans/10-build-artifact-hygiene.md
There is no enforced discipline on the contents, size, or correctness of published artifacts, so dead weight and maintainer files leak into what users install, and main can ship with a broken typecheck. The worker bundler reaches past the plugin's declared dependency boundary and pulls in code that is never used; there is no CI guard to catch the resulting bloat; the published npm tarball ships maintainer CLAUDE.md files because there is no files allowlist; and npm run typecheck is red on main. Each is a symptom of the same missing contract: the build must declare and enforce its boundaries — externals, size, tarball contents, and a green typecheck — in CI.

- worker-service.cjs bundles unused better-auth (94 OAuth URLs, ~3.7MB); bundler reaches past the dep boundary
- npm run typecheck is red on main (Express 5 / React 19 / logger union drift)
- Published npm tarball ships maintainer CLAUDE.md files (no files allowlist / .npmignore)

1. Make better-auth (and any other server-only dep) external to the worker bundle, or gate it behind the server runtime so it never enters the worker artifact (#2584).
2. Make npm run typecheck a required CI check so main can't go red again (#2538).
3. Add a files allowlist (and/or .npmignore) so only intended artifacts publish; assert tarball contents in CI (#2537).

| Artifact | Check | Required behavior |
|---|---|---|
| worker-service.cjs | bundle size vs baseline | no better-auth; size under threshold or CI fails |
| Repo main | npm run typecheck | exit 0; required check |
| npm tarball | npm pack contents | only allowlisted files; no maintainer CLAUDE.md |
| Marketplace sync | run on Windows + POSIX | idempotent; succeeds on both |
The matrix lives in CI. An artifact-hygiene regression must fail CI before a user can install it.
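
One way to implement the npm tarball row of the matrix (with a size budget for worker-service.cjs), as an added example that is not the project's own code. The allowlist entries, the size budget, the dist/ path and the sample report are assumptions made for illustration; the input shape is the JSON printed by `npm pack --dry-run --json`.

```javascript
// Added example: audit the file list from `npm pack --dry-run --json`.
// ALLOWED, DENIED_BASENAMES and MAX_WORKER_BYTES are assumed values.
const ALLOWED = ["package.json", "README.md", "LICENSE", "dist/"];
const DENIED_BASENAMES = new Set(["CLAUDE.md"]); // maintainer-only files
const MAX_WORKER_BYTES = 2 * 1024 * 1024; // hypothetical size budget

function isAllowed(path) {
  // Entries ending in "/" match a directory prefix; others match exactly.
  return ALLOWED.some((p) => (p.endsWith("/") ? path.startsWith(p) : path === p));
}

// packReport: parsed `npm pack --dry-run --json` output (array of packages).
function auditTarball(packReport) {
  const violations = [];
  for (const pkg of packReport) {
    for (const { path, size } of pkg.files) {
      const base = path.split("/").pop();
      // Deny first: a directory allowlist still ships nested CLAUDE.md files.
      if (DENIED_BASENAMES.has(base)) violations.push(`denied: ${path}`);
      else if (!isAllowed(path)) violations.push(`not allowlisted: ${path}`);
      if (base === "worker-service.cjs" && size > MAX_WORKER_BYTES) {
        violations.push(`over budget: ${path} (${size} bytes)`);
      }
    }
  }
  return violations;
}

// CI wrapper: pass the result to process.exit() so a regression fails the job.
function ciExitCode(packReport) {
  return auditTarball(packReport).length === 0 ? 0 : 1;
}

// Constructed sample report (paths and sizes are made up for illustration).
const SAMPLE_REPORT = [{
  name: "example-plugin",
  version: "0.0.0",
  files: [
    { path: "package.json", size: 1200 },
    { path: "dist/worker-service.cjs", size: 5500000 },
    { path: "dist/CLAUDE.md", size: 900 },
    { path: "CLAUDE.md", size: 2400 },
    { path: "scripts/release.sh", size: 300 },
  ],
}];

for (const v of auditTarball(SAMPLE_REPORT)) console.log(v);
console.log("exit code:", ciExitCode(SAMPLE_REPORT));
```

In CI, parse the real `npm pack --dry-run --json` output instead of the sample and exit with `ciExitCode(report)`. The dist/CLAUDE.md entry shows why a directory-level allowlist alone is not enough to keep maintainer files out.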