📦 Tighten publish tarballs: restrict files to dist

[taras]

Summary

• Adds (or narrows) a top-level files array on all 27 workspace-published @effectionx/* packages so source .ts no longer ships in the tarball.
• Top-level exports is untouched — .internal/strip-dev-exports.ts already removes the development condition at publish time, and workspace dev keeps resolving source via pnpm symlinks + the development condition.
• AGENTS.md updated so the documented files requirement matches the new shape.

Why not publishConfig

publishConfig.exports / publishConfig.files were tried first and rejected — verified on npm 11.6.2 that they do not override the top-level exports or files during npm pack. The top-level files field is the only mechanism that actually shapes the tarball.

Per-package shape

• bdd → ["dist", "mod.deno.ts"] — the ./deno subpath intentionally serves source .ts (Deno consumes .ts directly).
• inline → ["dist", "swc/target/wasm32-wasip1/release/swc_plugin_inline.wasm"] — keeps the SWC WASM artifact.
• All other 25 packages → ["dist"].

Scope

27 workspace-published @effectionx/* packages (source of truth: pnpm-workspace.yaml). deno-deploy is deliberately excluded — it's commented out of the workspace as deprecated, so .internal/strip-dev-exports.ts doesn't walk it and pnpm publish doesn't publish it.

Test plan

• pnpm fmt:check — clean
• pnpm check — clean
• pnpm test — 104 real package test files pass (767 tests, 12 pre-existing skips). The 50 "failures" are all inside .claude/worktrees/agent-* — stale git worktrees that Vitest picks up as duplicate test files; unrelated to this PR.
• Packed-tarball simulation: rsync edited tree → node --experimental-strip-types .internal/strip-dev-exports.ts → npm pack on fx, context-api, bdd, node. Verified per tarball:
  • No "development" key anywhere in published exports.
  • files matches the plan.
  • No top-level .ts in any tarball except bdd/mod.deno.ts (intentional).
  • dist/ present everywhere.
• inline post-strip manifest inspected directly: exports clean, files keeps only dist + WASM. (WASM build itself requires a Rust toolchain upgrade unrelated to this PR.)
• Strip script reports "stripped 27 package(s)" — matches chosen scope exactly.

Manifest-only change — per .policies/version-bump.md, no changeset / version bump required.

Summary by CodeRabbit

• Documentation

  • Clarified package publishing guidance and exceptions for specific packages and development workflows.

• Chores

  • Tightened publishing manifests so npm packages now include only compiled artifacts (dist) and a few packaged runtime assets, excluding source files to reduce install size while preserving public APIs and runtime behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8af3f5fe-701f-4a62-a154-5f49d70f6917

📥 Commits

Reviewing files that changed from the base of the PR and between 1a81edc and c1cfc11.

📒 Files selected for processing (1)

• inline/package.json

---

📝 Walkthrough

Walkthrough

Standardizes npm package publishing across many packages by adding or tightening the files field in package manifests to include only dist. Documentation in AGENTS.md is updated and two packages (bdd, inline) are granted documented exceptions for additional published artifacts.

Changes

Cohort / File(s)	Summary
Documentation AGENTS.md	Clarifies publishing guidance: prefer files: ["dist"]; documents exceptions for bdd (exports ./deno with mod.deno.ts) and inline (ships a WASM plugin asset).
Add files: ["dist"] (new) chain/package.json, converge/package.json, effect-ts/package.json, fs/package.json, fx/package.json, jsonl-store/package.json, node/package.json, process/package.json, raf/package.json, signals/package.json, stream-helpers/package.json, stream-yaml/package.json, task-buffer/package.json, test-adapter/package.json, timebox/package.json, tinyexec/package.json, vitest/package.json, watch/package.json, websocket/package.json, worker/package.json	Added top-level files array restricting published contents to dist.
Restrict existing files (removed source entries) context-api/package.json, fetch/package.json, middleware/package.json, scope-eval/package.json, state-api/package.json	Modified files arrays to remove source .ts entry files and retain only dist for publication.
Package-specific exceptions bdd/package.json, inline/package.json	bdd: added files including dist and mod.deno.ts (exposed via ./deno). inline: files now include dist and the compiled WASM plugin artifact in addition to compiled output.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• cowboyd

🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: restricting published package files to the dist directory across the monorepo.
Description check	✅ Passed	The description comprehensively covers motivation, approach, design decisions, scope, and testing. All required template sections are present with detailed information.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Policy Compliance	✅ Passed	PR complies with all applicable policies including No-Agent-Marketing (Strict) with no Co-Authored-By trailers referencing AI agents, and Package.json Metadata (Strict) with all 28 published workspace packages having proper descriptions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/tighten-publish-files

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@effectionx/bdd

npm i https://pkg.pr.new/@effectionx/bdd@216

@effectionx/chain

npm i https://pkg.pr.new/@effectionx/chain@216

@effectionx/context-api

npm i https://pkg.pr.new/@effectionx/context-api@216

@effectionx/converge

npm i https://pkg.pr.new/@effectionx/converge@216

@effectionx/effect-ts

npm i https://pkg.pr.new/@effectionx/effect-ts@216

@effectionx/fetch

npm i https://pkg.pr.new/@effectionx/fetch@216

@effectionx/fs

npm i https://pkg.pr.new/@effectionx/fs@216

@effectionx/fx

npm i https://pkg.pr.new/@effectionx/fx@216

@effectionx/inline

npm i https://pkg.pr.new/@effectionx/inline@216

@effectionx/jsonl-store

npm i https://pkg.pr.new/@effectionx/jsonl-store@216

@effectionx/middleware

npm i https://pkg.pr.new/@effectionx/middleware@216

@effectionx/node

npm i https://pkg.pr.new/@effectionx/node@216

@effectionx/process

npm i https://pkg.pr.new/@effectionx/process@216

@effectionx/raf

npm i https://pkg.pr.new/@effectionx/raf@216

@effectionx/scope-eval

npm i https://pkg.pr.new/@effectionx/scope-eval@216

@effectionx/signals

npm i https://pkg.pr.new/@effectionx/signals@216

@effectionx/state-api

npm i https://pkg.pr.new/@effectionx/state-api@216

@effectionx/stream-helpers

npm i https://pkg.pr.new/@effectionx/stream-helpers@216

@effectionx/stream-yaml

npm i https://pkg.pr.new/@effectionx/stream-yaml@216

@effectionx/task-buffer

npm i https://pkg.pr.new/@effectionx/task-buffer@216

@effectionx/test-adapter

npm i https://pkg.pr.new/@effectionx/test-adapter@216

@effectionx/timebox

npm i https://pkg.pr.new/@effectionx/timebox@216

@effectionx/tinyexec

npm i https://pkg.pr.new/@effectionx/tinyexec@216

@effectionx/vitest

npm i https://pkg.pr.new/@effectionx/vitest@216

@effectionx/watch

npm i https://pkg.pr.new/@effectionx/watch@216

@effectionx/websocket

npm i https://pkg.pr.new/@effectionx/websocket@216

@effectionx/worker

npm i https://pkg.pr.new/@effectionx/worker@216

commit: c1cfc11

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

state-api/package.json (1)

5-12: ⚠️ Potential issue | 🟡 Minor

Pre-existing: keywords uses non-approved terms.

None of effection, effectionx, state, reducer, middleware, reactive are in the approved keyword set. reactive in particular looks like a typo for reactivity, which would be valid. Since you're already touching every package's manifest in this PR, this may be a cheap fix to land alongside.

As per coding guidelines (.policies/package-json-metadata.md): "keywords (array of approved category keywords: testing, io, process, streams, concurrency, reactivity, interop, platform; at least one; no custom keywords)".

🧹 Suggested change

-  "keywords": [
-    "effection",
-    "effectionx",
-    "state",
-    "reducer",
-    "middleware",
-    "reactive"
-  ],
+  "keywords": ["reactivity"],

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@state-api/package.json` around lines 5 - 12, The package.json "keywords"
array contains non-approved terms; update the "keywords" field to use only
approved category keywords (testing, io, process, streams, concurrency,
reactivity, interop, platform), ensuring at least one is present; specifically
replace "reactive" with "reactivity" if intended and remove custom entries like
"effection", "effectionx", "state", "reducer", and "middleware" so the final
"keywords" array in package.json contains only allowed keywords (e.g.,
["reactivity"] or another approved set appropriate for this package).

inline/package.json (1)

44-48: ⚠️ Potential issue | 🟡 Minor

Risk: prepack only builds the wasm; the TS→JS dist/ outputs (dist/mod.js, dist/esbuild.js) aren't guaranteed fresh at pack time.

With files: ["dist", ...wasm], publishing relies on dist/ already being built. The prepack hook here only runs the cargo/wasm build — it doesn't trigger the TypeScript compilation that produces dist/mod.js and dist/esbuild.js referenced by main/types/exports. If publishing goes through a pipeline that always runs pnpm build first this is fine, but a direct npm publish / npm pack in this package would ship a stale or missing dist/ with a freshly rebuilt wasm.

Consider chaining the TS build into prepack (e.g., "prepack": "pnpm run build && pnpm run build:bundle") or documenting that this package must only be published via the monorepo's release script.

#!/bin/bash
# Confirm how dist/ is produced for inline and whether release tooling guarantees build before pack.
set -e
fd -HI '^package.json$' inline 2>/dev/null --exec cat
echo '--- root build script and release pipeline ---'
cat package.json 2>/dev/null || true
fd -HI -t f . .github/workflows 2>/dev/null --exec sh -c 'echo "## {}"; cat {}' || true
rg -n --hidden -g '!**/node_modules/**' 'inline' .github 2>/dev/null || true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@inline/package.json` around lines 44 - 48, The prepack script only runs
"build:bundle" (the Cargo/wasm build) so published packages can contain
stale/missing JS outputs under dist/ (dist/mod.js, dist/esbuild.js); update the
package.json "prepack" entry to also run the TypeScript build (e.g., invoke the
existing JS build script before build:bundle) or document/ensure the monorepo
release pipeline always runs the root/package-level build first; specifically
modify the "prepack" script key to chain the TS->JS build (the script that
produces dist/) with "build:bundle" so the files array entries referencing dist/
are freshly produced at pack time.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bdd/package.json`:
- Line 29: The package.json "files" whitelist is missing development source
files referenced by the exports map (the "." and "./node" development
conditions), so update the "files" array to include "mod.ts" and "mod.node.ts"
in addition to the existing entries; ensure the "files" field includes ["dist",
"mod.ts", "mod.node.ts", "mod.deno.ts"] so the development export targets used
by the exports map (for "." and "./node") are published.

In `@inline/package.json`:
- Line 48: The "files" entry currently hard-codes
"swc/target/wasm32-wasip1/release/swc_plugin_inline.wasm" which is brittle; add
a package.json prepack (or prepare) script that asserts the wasm artifact exists
(e.g., run a small node script or shell check that globs for swc/**/*.wasm or
the expected artifact names and exits non‑zero if none found) and fail the pack
if missing, and optionally replace the single hard-coded entry with a stable
pattern (e.g., include the directory "swc" or "swc/**/*.wasm" in the "files"
array) so changes to target triple/profile/crate name won’t silently drop the
artifact; reference the "files" array entry and add a "prepack" script key to
package.json that runs the existence check.

---

Outside diff comments:
In `@inline/package.json`:
- Around line 44-48: The prepack script only runs "build:bundle" (the Cargo/wasm
build) so published packages can contain stale/missing JS outputs under dist/
(dist/mod.js, dist/esbuild.js); update the package.json "prepack" entry to also
run the TypeScript build (e.g., invoke the existing JS build script before
build:bundle) or document/ensure the monorepo release pipeline always runs the
root/package-level build first; specifically modify the "prepack" script key to
chain the TS->JS build (the script that produces dist/) with "build:bundle" so
the files array entries referencing dist/ are freshly produced at pack time.

In `@state-api/package.json`:
- Around line 5-12: The package.json "keywords" array contains non-approved
terms; update the "keywords" field to use only approved category keywords
(testing, io, process, streams, concurrency, reactivity, interop, platform),
ensuring at least one is present; specifically replace "reactive" with
"reactivity" if intended and remove custom entries like "effection",
"effectionx", "state", "reducer", and "middleware" so the final "keywords" array
in package.json contains only allowed keywords (e.g., ["reactivity"] or another
approved set appropriate for this package).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 111d2dc7-d126-4a61-80ad-60be06da6a7c

📥 Commits

Reviewing files that changed from the base of the PR and between 6982b1c and 1a81edc.

📒 Files selected for processing (28)

• AGENTS.md
• bdd/package.json
• chain/package.json
• context-api/package.json
• converge/package.json
• effect-ts/package.json
• fetch/package.json
• fs/package.json
• fx/package.json
• inline/package.json
• jsonl-store/package.json
• middleware/package.json
• node/package.json
• process/package.json
• raf/package.json
• scope-eval/package.json
• signals/package.json
• state-api/package.json
• stream-helpers/package.json
• stream-yaml/package.json
• task-buffer/package.json
• test-adapter/package.json
• timebox/package.json
• tinyexec/package.json
• vitest/package.json
• watch/package.json
• websocket/package.json
• worker/package.json

[cowboyd]

Sometimes it is nice to have the sources for debugging, but I get the desire to have smaller packages. What's the reason?