Hacker News

anonym29, today at 7:01 PM

> the binary that ships it should be boring (for example, pi harness)

pi's "minimal" coding-agent has a total of 132 transitive dependencies spanning 153 maintainers.

While I understand JS developers in the JS/NPM ecosystem think this qualifies as minimal, it most certainly does not, from a supply chain security perspective.