Dependencies: remove unused core and UI packages

[vincentkoc]

Summary

• Problem: Knip reported several unused root runtime packages.
• Why it matters: keeping unused root deps around increases install surface and obscures the remaining dead-code findings.
• What changed: removed unused root runtime packages from the top-level manifest and refreshed the lockfile.
• What did NOT change (scope boundary): no UI dependency changes, no Control UI build behavior changes, and no extension manifest cleanup.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related Dependencies: remove unused extension packages #38317
• Related Dead code: remove unused helper modules #38318

User-visible / Behavior Changes

None.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: pnpm / Node 22 workspace
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): none

Steps

1. Run pnpm deadcode:knip on main after the Knip config lands.
2. Observe the root unused dependency findings.
3. Apply the manifest cleanup and rerun Knip.

Expected

• Root unused dependency findings disappear without changing unrelated lockfile resolution behavior.

Actual

• On this branch, the root dependency group disappears while UI and extension dependency groups remain for their own PRs.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: reran pnpm deadcode:knip after narrowing the PR.
• Edge cases checked: restored UI runtime deps and preserved the git-based @tloncorp/api lock resolution.
• What you did not verify: full repo build/test matrix.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert the root manifest cleanup commit(s).
• Files/config to restore: package.json, pnpm-lock.yaml.
• Known bad symptoms reviewers should watch for: missing root package resolution during install.

Risks and Mitigations

• Risk: a package could still be consumed by a path not covered by static search.
  • Mitigation: reran Knip after narrowing; unrelated UI/runtime and lockfile behavior were explicitly restored.

[greptile-apps]

Greptile Summary

This PR removes genuinely unused dependencies from the root package.json and the ui/package.json, and correctly repositions vite from dependencies to devDependencies in the UI package. All removals (@snazzah/davey, gaxios, long, node-domexception, strip-ansi at root; @lit-labs/signals, @lit/context, signal-polyfill, signal-utils in UI) were verified to have no import sites anywhere in the codebase.

Key changes:

• Root package.json: 5 unused runtime dependencies removed
• ui/package.json: 4 unused Lit/signals runtime dependencies removed; vite correctly moved to devDependencies (it is only consumed by vite.config.ts during build)
• pnpm-lock.yaml: Reflects all manifest removals correctly, but also includes an unintended resolution change for @tloncorp/api — the specifier is unchanged, but pnpm resolved it via HTTP tarball (codeload.github.com) instead of git clone. The commit hash is the same so code content is identical, but this silent format shift is outside the stated PR scope and should be acknowledged.

Confidence Score: 4/5

• Safe to merge — all removed packages are confirmed unused and no runtime behavior changes; one out-of-scope lockfile resolution change warrants a quick acknowledgement.
• All dependency removals are verified clean (no import sites found anywhere in the repository). The vite move to devDependencies is correct. The only concern is an unintended side-effect in pnpm-lock.yaml where @tloncorp/api's resolution silently shifted from git-clone to HTTP tarball format — functionally identical at the same commit hash, but the change was not mentioned in the PR description and merits a conscious sign-off.
• pnpm-lock.yaml — the unintended @tloncorp/api resolution format change (git → tarball) should be acknowledged before merging.

_{Last reviewed commit: e46c5d0}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e46c5d091c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0b04b0469d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".