You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
packages/cli/script/publish.ts is dead code. It's a complete npm publish orchestration script — build dist, write a wrapper package.json, bun pm pack, npm publish, plus AUR and Homebrew tap updates — but it's not invoked by any workflow or npm script.
Evidence:
$ grep -r "publish.ts\|publish\.ts" .github/ package.json packages/*/package.json
# (no output)
The actual publish pipeline is .github/workflows/publish.yml, which runs bun turbo build followed by inline bun pm pack && npm publish steps and does its own tarball generation via script/build.ts. It never touches script/publish.ts.
Why it's a problem, not just noise
The script publishes under a different package name: @aictrl/cli-ai (not @aictrl/cli):
// script/publish.ts:23-40awaitBun.file(`./dist/${pkg.name}/package.json`).write(JSON.stringify({name: pkg.name+"-ai",// ← note the -ai suffix// ...optionalDependencies: binaries,}))
If anyone ever wires this script into CI by mistake (or runs it locally thinking it's the real publisher), it would publish a parallel @aictrl/cli-ai package alongside the real @aictrl/cli, plus publish all @aictrl/cli-* platform binaries. Users installing @aictrl/cli-ai would get a fork that nobody maintains.
It's also a latent foot-gun I had to defend against in #46's regex filter for the publish workflow's dist/@aictrl/ scan — I specifically had to reject the @aictrl/cli-ai name that script/publish.ts would create if it ran before the strip step. Deleting the dead script would let me remove that guard (or keep it purely defensive).
What to delete
packages/cli/script/publish.ts
Any stale references to it (shouldn't be any — I checked — but worth a final grep before committing)
Verification the delete is safe
grep -rn 'publish\.ts\|script/publish' .github/ packages/*/package.json package.json
# → only packaged-tarball noise like "packed 6.50KB script/publish.ts"
The only "references" are bun pm pack packing it into the published tarball (because it's in the working directory), which is also cosmetic: the file shouldn't be shipped to users anyway, since it's a build-time script with no runtime value.
My regex filter at .github/workflows/publish.yml (the /^@aictrl\/cli-(linux|darwin|windows)(-[a-z0-9]+)+$/ pattern) exists partly to defend against this script's output. If the script is deleted, the filter is still worth keeping as a belt-and-suspenders, but it loses its primary justification.
Good first issue
Marked good first issue because it's a pure deletion with well-documented justification. Just verify the grep is clean, delete, commit, done.
Problem
packages/cli/script/publish.tsis dead code. It's a complete npm publish orchestration script — build dist, write a wrapper package.json,bun pm pack,npm publish, plus AUR and Homebrew tap updates — but it's not invoked by any workflow or npm script.Evidence:
The actual publish pipeline is
.github/workflows/publish.yml, which runsbun turbo buildfollowed by inlinebun pm pack && npm publishsteps and does its own tarball generation viascript/build.ts. It never touchesscript/publish.ts.Why it's a problem, not just noise
The script publishes under a different package name:
@aictrl/cli-ai(not@aictrl/cli):If anyone ever wires this script into CI by mistake (or runs it locally thinking it's the real publisher), it would publish a parallel
@aictrl/cli-aipackage alongside the real@aictrl/cli, plus publish all@aictrl/cli-*platform binaries. Users installing@aictrl/cli-aiwould get a fork that nobody maintains.It's also a latent foot-gun I had to defend against in #46's regex filter for the publish workflow's
dist/@aictrl/scan — I specifically had to reject the@aictrl/cli-ainame thatscript/publish.tswould create if it ran before the strip step. Deleting the dead script would let me remove that guard (or keep it purely defensive).What to delete
packages/cli/script/publish.tsVerification the delete is safe
The only "references" are
bun pm packpacking it into the published tarball (because it's in the working directory), which is also cosmetic: the file shouldn't be shipped to users anyway, since it's a build-time script with no runtime value.Related
.github/workflows/publish.yml(the/^@aictrl\/cli-(linux|darwin|windows)(-[a-z0-9]+)+$/pattern) exists partly to defend against this script's output. If the script is deleted, the filter is still worth keeping as a belt-and-suspenders, but it loses its primary justification.Good first issue
Marked
good first issuebecause it's a pure deletion with well-documented justification. Just verify the grep is clean, delete, commit, done.