Core safe delete report

Date: 2026-03-06

Scope

Safe strict-delete cleanup evaluation for packages/core only.

Constraints honored:

• no changes under services/*
• no changes under apps/*
• no changes to runtime entrypoints, ports, URLs, package names, or exports
• no deletions outside packages/core

Inputs reviewed

• docs/90_stabilization/SAFE_DELETE_AFTER_BUILD_STRICT_2026-03-06.txt
• docs/90_stabilization/MANUAL_VERIFICATION_REQUIRED_STRICT_2026-03-06.txt
• docs/90_stabilization/CORE_DIST_BUILD_REPORT.md

Decision summary

• Deleted files: 0
• Skipped files: 97
• Strict-safe packages/core candidates found: 0

No packages/core/*.js files qualified for deletion in this step.

Reason:

1. The strict safe-delete list contains no entries under packages/core.
2. All packages/core/*.js sibling duplicates currently fall under MANUAL_VERIFICATION_REQUIRED_STRICT_2026-03-06.txt.
3. CORE_DIST_BUILD_REPORT.md already documents that @kvary/core subpath consumers remain source-oriented in current runtime/build resolution, so cleanup is deferred until those subpath consumers are migrated or proven safe.

Before validation

Commands executed:

npm --prefix packages/core run build
npm exec -- node -e "import('@kvary/core').then(() => console.log('core_package_resolution_ok'))"

Results:

• packages/core build succeeded
• package resolution succeeded

Source-path import scan

Direct code references to raw packages/core/*.js source paths outside packages/core were scanned.

Observed result:

• no live code references to packages/core/*.js were detected in services/*, apps/*, scripts/*, tests/*, or packages/* outside report/tmp artifacts
• references that did appear were limited to documentation/report files and temp scan artifacts

This means the current blocker is not explicit raw packages/core/*.js imports. The blocker is broader subpath runtime coupling around @kvary/core/*, which is why the package remains in manual-verify status.

Deleted files

None.

Skipped files

All packages/core duplicate .js files remain deferred because they are manual-verify items, not strict-safe items.

Full skipped set:

• packages/core/auction/appendAuctionTransition.js
• packages/core/auction/auction.lifecycle.test.js
• packages/core/auction/auction.test.js
• packages/core/auction/buildAuctionTransitionRecord.js
• packages/core/auction/types.js
• packages/core/auction/validateAuctionTransition.js
• packages/core/auction/verifyAuctionLifecycle.js
• packages/core/canonical/canonicalSerialize.js
• packages/core/canonical/canonicalSerialize.test.js
• packages/core/country/countryRegistry.js
• packages/core/decision/appendAccessDecision.js
• packages/core/decision/buildAccessDecisionRecord.js
• packages/core/decision/decision.test.js
• packages/core/decision/types.js
• packages/core/decision/validateAccessDecision.js
• packages/core/decision/verifyDecisionPolicyBinding.js
• packages/core/governance/appendGovernanceRecord.js
• packages/core/governance/buildGovernanceRecord.js
• packages/core/governance/canonical.js
• packages/core/governance/governance.cross-domain.test.js
• packages/core/governance/governance.integrity.test.js
• packages/core/governance/governance.replay-determinism.test.js
• packages/core/governance/governance.test.js
• packages/core/governance/hash.js
• packages/core/governance/index.js
• packages/core/governance/integrity.js
• packages/core/governance/lineage.js
• packages/core/governance/region.js
• packages/core/governance/rulesVersion.js
• packages/core/governance/types.js
• packages/core/governance/validateGovernanceRecord.js
• packages/core/governance/verifyCrossDomainGovernanceIntegrity.js
• packages/core/governance/verifyFullGovernanceIntegrity.js
• packages/core/hashing/hashContract.js
• packages/core/hashing/hashV2.js
• packages/core/hashing/stableHash.js

Skip reason for all items:

• sibling .ts file exists
• duplicate is confirmed by prior scan
• but classification is MANUAL_VERIFICATION_REQUIRED, not strict-safe
• package still has active subpath consumers via @kvary/core/*

After validation

Because no files were deleted, post-check validation was a stability re-check rather than a changed-state check.

Commands executed:

npm --prefix packages/core run build
npm exec -- node -e "import('@kvary/core').then(() => console.log('core_package_resolution_ok'))"

Results:

• build still succeeds
• package resolution still succeeds
• no remaining raw packages/core/*.js live-code imports were found outside report/tmp artifacts

Remaining manual-verify items

• count: 97
• next safe step is not deletion
• next safe step is subpath consumer migration / validation for @kvary/core/* consumers, then a narrower strict-delete pass

Outcome

This cleanup step was intentionally a no-op on filesystem deletion.

That is the correct safe result for packages/core at the current maturity level of the stabilization plan.