Two coupled concerns
1 — Multi-package install is non-standard
Today the plugin has two independent Node packages:
- `plugin/mcp/trajectory-server/package.json`
- `plugin/monitors/package.json`
No root `package.json`. `bun install` at the repo root fails — users have to cd into each subpackage. Industry norm for monorepo-style repos is a workspace root:
```json
{
  "name": "tmb-plugin",
  "private": true,
  "workspaces": ["mcp/trajectory-server", "monitors"]
}
```
One `bun install` at plugin root installs every subpackage, dedups shared deps (`better-sqlite3` is in both today), produces a single root `bun.lock`. `bun --filter '*' run build` builds every package that has a build script.
2 — Dogfood inside the plugin repo shouldn't pollute git
If a contributor runs CC inside the plugin repo (instead of a `/tmp/tmb-scratch`), the plugin generates:
- `.claude/tmb/trajectory.db` — already gitignored via `.claude/` ✓
- `.claude/worktrees/` — same ✓
- `docs/trustmybot/snapshots/.md` — NOT gitignored today; would track
- `docs/trustmybot/architecture/auto/*.md` + `manual/...` — NOT gitignored; would track
These are supposed to live in downstream user projects, not in the plugin repo itself. Safety net: add `docs/trustmybot/` to the plugin-root `.gitignore`. The plugin's own contributor docs live at `docs/architecture/` (not `docs/trustmybot/`), so no legitimate content is shadowed.
Proposal
- Add `plugin/package.json` with `workspaces: ["mcp/trajectory-server", "monitors"]`.
- Run `bun install` at plugin root to generate root `bun.lock`; delete subpackage `bun.lock` files (workspaces consolidate them).
- Add `docs/trustmybot/` to `.gitignore`.
- Update `docs/local-testing.md` prereqs: `bun install` at plugin root (one command).
- Update `.github/workflows/test.yml` to use root-level install.
- Verify all 235 MCP + 16 hook + 4 lint tests pass.
Acceptance criteria
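A check for the `.gitignore` safety net in concern 2, run with and without the proposed `docs/trustmybot/` rule. This is an added example, not part of the original issue or the plugin's code; the generated file names (`sample.md`, `overview.md`, `wt1`) are constructed stand-ins and `git` is assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example: build a throwaway repo, simulate a dogfood session, and list
# what git would still offer to track under a given set of ignore rules.

# untracked_after_dogfood RULE...  -> prints untracked, non-ignored paths
untracked_after_dogfood() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q . || exit 1
        # One ignore rule per argument, written as the plugin-root .gitignore.
        printf '%s\n' "$@" > .gitignore
        # Constructed stand-ins for the files named in the issue.
        mkdir -p .claude/tmb .claude/worktrees/wt1 \
                 docs/trustmybot/snapshots \
                 docs/trustmybot/architecture/auto \
                 docs/architecture
        : > .claude/tmb/trajectory.db
        : > .claude/worktrees/wt1/file.txt
        : > docs/trustmybot/snapshots/sample.md
        : > docs/trustmybot/architecture/auto/sample.md
        # Contributor docs that must stay visible to git.
        : > docs/architecture/overview.md
        git ls-files --others --exclude-standard | LC_ALL=C sort
    ) && status=0 || status=$?
    rm -rf "$repo"
    return "$status"
}

echo "--- today (.claude/ only) ---"
untracked_after_dogfood '.claude/'
echo "--- proposed (.claude/ + docs/trustmybot/) ---"
untracked_after_dogfood '.claude/' 'docs/trustmybot/'
```

The same function can back a CI step that fails when any `docs/trustmybot/` path appears in the second listing.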