Summary

• Problem: Knip reported @urbit/http-api as unused in the Tlon extension manifest.
• Why it matters: removing only the genuinely unused package keeps the dead-code cleanup moving without disturbing the extension's bundled runtime dependencies.
• What changed: removed @urbit/http-api from extensions/tlon/package.json and cleaned the matching lockfile entries.
• What did NOT change (scope boundary): kept acpx bundled in ACPX, kept @tloncorp/tlon-skill bundled in Tlon, and preserved the git-based @tloncorp/api lock resolution.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related Dependencies: remove unused core and UI packages #38316
• Related Dead code: remove unused helper modules #38318

User-visible / Behavior Changes

None.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: pnpm / Node 22 workspace
• Model/provider: N/A
• Integration/channel (if any): Tlon
• Relevant config (redacted): none

Steps

1. Run pnpm deadcode:knip on main after the Knip config lands.
2. Observe @urbit/http-api in the Tlon extension dependency findings.
3. Remove only that package and rerun Knip.

Expected

• @urbit/http-api disappears from the unused dependency findings while bundled runtime dependencies remain untouched.

Actual

• On this branch, @urbit/http-api is no longer reported; acpx and @tloncorp/tlon-skill are intentionally retained.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: searched for @urbit/http-api imports and reran pnpm deadcode:knip after the narrow cleanup.
• Edge cases checked: restored ACPX/Tlon bundled dependencies and removed the accidental codeload tarball resolution from the lockfile.
• What you did not verify: full Tlon integration tests.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert the Tlon manifest cleanup commit.
• Files/config to restore: extensions/tlon/package.json, pnpm-lock.yaml.
• Known bad symptoms reviewers should watch for: missing Tlon module resolution during install.

Risks and Mitigations

• Risk: @urbit/http-api could be used by an unsearched generated/runtime path.
  • Mitigation: repo-wide search found no imports, and the branch intentionally keeps the runtime-critical ACPX and Tlon bundled dependencies unchanged.