Instead of maintaining a hardcoded allowlist of native modules,
copy all optionalDependencies from the root package.json and
exclude only gemini-cli-devtools. Less brittle if new native
deps are added in the future.

The npm registry publish path ships unbundled dist/ plus full
node_modules/ (44,835 files), causing ~1-2 minute cold starts on
Windows due to Defender real-time scanning. The GitHub registry
path already ships a single-file bundle with zero dependencies.

Apply the same bundle transformation to the npm publish path:

- Add scripts/prepare-npm-release.js that rewrites the CLI
  package.json to ship bundle/ instead of dist/, removes all
  dependencies, and adds optionalDependencies for native modules
  (node-pty, keytar) so platform-specific features keep working.
- Add a "Prepare bundled CLI for npm release" step in the publish
  action, conditioned on non-GitHub registry URLs.

Result: npm package drops from 44,835 files to ~129 files (6.8 MB).

Closes #19169
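
The manifest rewrite described in the two messages above, as an added example that is not the project's scripts/prepare-npm-release.js: it copies every root optionalDependency except gemini-cli-devtools, strips dependencies, and adds a pre-publish audit that flags any native module nobody has reviewed, since a copy-all rule ships new entries automatically. The `bundleEntry` parameter, the `reviewed` set, the audit step and the sample manifests are assumptions made for illustration.

```javascript
// Added illustration; not the project's scripts/prepare-npm-release.js.
const EXCLUDED_OPTIONAL = new Set(['gemini-cli-devtools']); // name as written in the commit message

// Build the manifest for the bundled release. bundleEntry is a hypothetical
// parameter naming the single-file bundle inside bundle/.
function prepareBundledManifest(cliPkg, rootPkg, bundleEntry) {
  const out = { ...cliPkg, files: ['bundle/'] };
  // The bundle already contains the JS dependencies, so none are installed.
  delete out.dependencies;
  delete out.devDependencies;
  // Point every bin command at the bundle instead of dist/.
  out.bin = Object.fromEntries(Object.keys(cliPkg.bin ?? {}).map((cmd) => [cmd, bundleEntry]));
  // Copy all root optionalDependencies, dropping only the excluded package.
  out.optionalDependencies = Object.fromEntries(
    Object.entries(rootPkg.optionalDependencies ?? {}).filter(([name]) => !EXCLUDED_OPTIONAL.has(name)),
  );
  return out;
}

// Release gate: returns a list of problems, empty when the manifest is publishable.
// `reviewed` is the set of native modules a maintainer has signed off on (assumption).
function auditManifest(manifest, reviewed) {
  const problems = [];
  if (Object.keys(manifest.dependencies ?? {}).length > 0) problems.push('dependencies not removed');
  const paths = [...(manifest.files ?? []), ...Object.values(manifest.bin ?? {})];
  if (paths.some((p) => p.replace(/^\.\//, '').startsWith('dist'))) problems.push('dist/ still referenced');
  for (const name of Object.keys(manifest.optionalDependencies ?? {})) {
    if (EXCLUDED_OPTIONAL.has(name)) problems.push(`excluded package shipped: ${name}`);
    else if (!reviewed.has(name)) problems.push(`unreviewed optional dependency: ${name}`);
  }
  return problems;
}

// Constructed sample manifests (not the project's real package.json files).
const sampleCli = {
  name: 'example-cli', version: '0.0.0', bin: { example: 'dist/index.js' },
  files: ['dist/'], dependencies: { chalk: '^5.0.0' },
};
const sampleRoot = {
  optionalDependencies: {
    'node-pty': '^1.0.0', keytar: '^7.9.0', 'gemini-cli-devtools': '^0.1.0', 'new-native-dep': '^2.0.0',
  },
};
const prepared = prepareBundledManifest(sampleCli, sampleRoot, 'bundle/example.js');
console.log(prepared.optionalDependencies, auditManifest(prepared, new Set(['node-pty', 'keytar'])));
```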