Published .vsix contains ccusageIntegration.js not present in the GitHub source #7

@andrew-west-empromptu

Hi Jack, thanks for building this extension — it's one of the more useful Claude Code usage trackers out there.

I was doing a routine security review before installing, and noticed that the published .vsix on the VS Code Marketplace contains a compiled file out/ccusageIntegration.js that doesn't have a corresponding TypeScript source file in this repo.

That file imports child_process and uses spawn to execute commands (ccusage, bunx ccusage, npx ccusage, and a hardcoded local path /Users/jack/Workspace/ccusage/src/index.ts). None of the other modules in the package import it, so it appears to be dead code — looks like it may have been compiled locally and accidentally included when packaging.

A couple of minor things I also noticed:

  • .claude/settings.local.json (your local dev settings) is included in the .vsix — you may want to add it to .vscodeignore
  • The npx ccusage fallback could be a latent supply chain concern if that package name were ever squatted on npm

Suggested fixes:

  1. Add the source file to the repo, or remove the compiled output before packaging
  2. Add out/ccusageIntegration.js and .claude/ to .vscodeignore if they're not needed
  3. Republish a clean .vsix build

Happy to help if any of this is unclear. Just flagging it so users can verify that the published package matches the source. Cheers!
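
The check described in this report, as an added example that is not part of the original issue or the extension's code: it lists compiled files in a .vsix that have no source in the repository, compiled files that load child_process, and local settings that were packaged. It assumes `src/*.ts` compiles to `out/*.js` and that package files sit under `extension/` in the archive; the sample archive is constructed, using the file names from the report.

```python
import io
import re
import zipfile

# Assumptions (not confirmed by the issue): tsc compiles src/*.ts to out/*.js,
# and the .vsix (a ZIP archive) stores package files under "extension/".
PREFIX = "extension/"
CHILD_PROCESS = re.compile(
    r"""(?:require\(\s*|from\s+)['"](?:node:)?child_process['"]""")
LOCAL_ONLY = (".claude/",)  # local dev settings that should not ship


def audit_vsix(vsix, repo_files):
    """Compare a .vsix (path or file object) against the repo's file paths."""
    repo = set(repo_files)
    findings = {"no_source": [], "spawns_processes": [], "local_files": []}
    with zipfile.ZipFile(vsix) as zf:
        for name in sorted(zf.namelist()):
            if not name.startswith(PREFIX) or name.endswith("/"):
                continue
            rel = name[len(PREFIX):]
            if rel.startswith(LOCAL_ONLY):
                findings["local_files"].append(rel)
            if rel.startswith("out/") and rel.endswith(".js"):
                # Map out/foo.js back to the source it should come from.
                source = "src/" + rel[len("out/"):-len(".js")] + ".ts"
                if source not in repo:
                    findings["no_source"].append(rel)
                text = zf.read(name).decode("utf-8", errors="replace")
                if CHILD_PROCESS.search(text):
                    findings["spawns_processes"].append(rel)
    return findings


def build_sample_vsix():
    """Constructed sample package mirroring the situation in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", '{"main": "./out/extension.js"}')
        zf.writestr("extension/out/extension.js", 'const vscode = require("vscode");')
        zf.writestr("extension/out/ccusageIntegration.js",
                    'const { spawn } = require("child_process");')
        zf.writestr("extension/.claude/settings.local.json", "{}")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    report = audit_vsix(build_sample_vsix(), ["src/extension.ts"])
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

To run it against a real package, pass the path of the downloaded .vsix and the output of `git ls-files` from a checkout of the matching tag.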
