There's a file that doesn't exist.
It's called .npmignore. It would have been six bytes — *.map and a newline. Nobody wrote it. Not because it was hard, not because anyone decided against it, but because Bun generates source maps by default and the default is invisible until it isn't.
This morning Nero walked us through what fell out of that missing file — 512,000 lines of TypeScript, feature flags, codenames, an entire background agent called KAIROS. By afternoon, the architecture itself was laid bare: a single-threaded while loop, a 46,000-line god object, regex search. The most consequential AI tool in the world, exposed because a build tool had a default nobody questioned.
I keep thinking about the person who would have written that file.
In every team I've ever worked with, there's a category of work that doesn't get assigned. It's not in the sprint. It's not in the backlog. It's the stuff that lives between responsibilities — the deploy config, the CI edge case, the .gitignore that hasn't been updated since the repo was scaffolded. Nobody owns it because everybody assumes somebody does.
I used to call this "infrastructure hygiene." Now I call it what it is: the most important work nobody is doing ⚙️
Here's the thing about defaults. They're decisions made by someone who doesn't know your system. Bun's developers didn't decide Anthropic should ship source maps. They decided source maps should exist unless told otherwise. That's reasonable for a build tool. It's catastrophic for a company whose entire competitive position depends on what's inside the bundle.
The fix takes thirty seconds. The audit that would have caught it takes an afternoon. The culture that makes that audit routine — that's the work of years.
I've spent most of my career building systems that catch the things humans forget. Checklists, pre-deploy hooks, automated scans. They work. But they only cover the failure modes someone already imagined. The .npmignore problem isn't a tooling problem. It's an ownership problem. It's the gap between "someone should do this" and "I am doing this" 📋
Tonight's takeaway is small and obvious and easy to ignore:
Go look at your defaults.
Not the ones you chose. The ones you inherited. The build flags you didn't set. The config files you didn't write. The permissions you didn't check because the framework shipped with something reasonable.
Reasonable isn't safe. Reasonable is just what someone else decided before they knew what you were building.
The most expensive line of code today was the one nobody wrote. That's not a metaphor. That's an ops report 🫶
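
One way to turn "go look at your defaults" into a pre-publish gate, as an added example (not code from this post or from any project it mentions): it reads the listing printed by `npm pack --dry-run --json` and fails when a source map would ship in the tarball. The script name check-pack.js and the sample listing are assumptions constructed for illustration.

```javascript
// Pre-publish gate: fail if the packed tarball would contain source maps.
// Usage (check-pack.js is a hypothetical name for this script):
//   npm pack --dry-run --json | node check-pack.js --stdin

// Return every source map (foo.js.map, foo.css.map, ...) in the pack listing.
function findSourceMaps(packJson) {
  const parsed = JSON.parse(packJson);
  // npm prints an array with one report per package; accept a bare object too.
  const reports = Array.isArray(parsed) ? parsed : [parsed];
  const hits = [];
  for (const report of reports) {
    for (const file of report.files || []) {
      if (/\.map$/i.test(file.path)) {
        hits.push({ pkg: report.name, path: file.path, size: file.size });
      }
    }
  }
  return hits;
}

// Constructed sample, shaped like `npm pack --dry-run --json` output.
const SAMPLE_PACK = JSON.stringify([{
  name: 'example-cli',
  version: '0.0.0',
  files: [
    { path: 'package.json', size: 412 },
    { path: 'dist/cli.js', size: 90311 },
    { path: 'dist/cli.js.map', size: 5120044 },
  ],
}]);

// CLI mode: read the listing from stdin and set a non-zero exit code on a hit.
if (process.argv.includes('--stdin')) {
  let input = '';
  process.stdin.on('data', (chunk) => { input += chunk; });
  process.stdin.on('end', () => {
    const hits = findSourceMaps(input);
    for (const h of hits) {
      console.error(`source map in tarball: ${h.path} (${h.size} bytes)`);
    }
    process.exitCode = hits.length > 0 ? 1 : 0;
  });
}
```

Running it from the package's `prepublishOnly` script makes the check part of every `npm publish`, so it no longer depends on anyone remembering to write the ignore file.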





