Revert PolicyMesh npm-publish prep; remain Action-only distribution #46
Merged
Deliberate scoping decision: agent-gov-core is the suite's library publish on npm; tools (PolicyMesh, ScopeTrail, CapabilityEcho, TaskBound, SessionTrail) stay as GitHub Actions consumed via `uses: Conalh/<tool>@vX.Y.Z`. Adding 5 separate CLI publishes multiplies the version-skew surface and the publish-ceremony load without a real demand signal yet — we can revisit if Reddit launch feedback shows non-GHA users asking for npx <tool> paths. Adding CLI distribution later is non-breaking; removing it after publishing would be messy.

Reverts only the npm-publish-prep portions of 343e297, keeping everything else from that commit (SARIF output, suite workflow template, build/test surface, action.yml work).

Removed:
- package.json files allowlist
- package.json publishConfig
- package.json scripts.prepublishOnly
- README "npx policymesh@latest" lines and the surrounding install-from-npm framing in Local Use and the SARIF example
- Two tests that pinned the publish-prep shape

Replaced the publishability assertion with a negative-space test that fails if files / publishConfig / prepublishOnly get re-introduced without an explicit decision. Future contributors running into that test get a clear signal that this is a deliberate choice, not an oversight.

The `bin` field stays in package.json — it's harmless for the non-published case and avoids touching anything that would also affect a future decision to publish.

The SARIF output, the suite workflow template, and the v0.4.0 release artefacts are untouched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Why
Deliberate scoping decision on the suite's distribution model:
`agent-gov-core` stays as the only npm publish; tools ship as GitHub Actions.

The npm-publish prep in 343e297 was driven by a punch-list suggestion but wasn't pre-aligned with the suite-wide distribution strategy. Adding five separate CLI publishes (PolicyMesh, ScopeTrail, CapabilityEcho, TaskBound, SessionTrail) multiplies the version-skew surface and the publish ceremony per release without a real demand signal yet. If the upcoming Reddit launch surfaces non-GHA users asking for `npx <tool>`, we revisit then. Adding CLI distribution later is non-breaking; removing it after publishing would be messy.

What this PR reverts
From 343e297, only the npm-publish-prep portions:
- `package.json`: `files`, `publishConfig`, `scripts.prepublishOnly`
- `README.md`: `npx policymesh@latest …` lines in Local Use and the SARIF example, and the surrounding install-from-npm framing
- `test/workflow.test.mjs`: removed the publishability assertion and the npm-installed-bin shebang assertion

What's kept from 343e297
--format sarif) — untouched

Guard against re-introduction
Replaced the publishability test with a negative-space assertion that fails if `files` / `publishConfig` / `prepublishOnly` get re-added without an explicit decision. Future contributors hitting that test see a clear signal this is intentional, not an oversight.

What stays in `package.json`
The `bin` field stays — it's harmless for the non-published case and keeping it avoids touching anything that would also affect a future re-publish decision. The v0.4.0 release artefacts (tag, GitHub release, README pins) are untouched.

Tests
120 → 119 (one net removal — the shebang test specifically about npm-installed bin). All remaining tests pass.
🤖 Generated with Claude Code
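
The negative-space guard described above, sketched as an added example; it is not the project's test code. The three field names come from the PR description, while the function names, the `bin` path and both sample manifests are constructed for illustration. It checks for key presence rather than truthiness, so an empty `files: []` or `publishConfig: {}` still trips the guard.

```javascript
// Added example: a negative-space guard for an Action-only package.json.
// Field list is from the PR description; everything else is hypothetical.
const PUBLISH_PREP_FIELDS = ['files', 'publishConfig', 'scripts.prepublishOnly'];

// Resolve a dotted path and report whether the key is *present*, not whether
// its value is truthy: `files: []` or `publishConfig: {}` still count.
function hasPath(obj, dottedPath) {
  let node = obj;
  for (const key of dottedPath.split('.')) {
    if (node === null || typeof node !== 'object' ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return false;
    }
    node = node[key];
  }
  return true;
}

// Return every publish-prep field that has been re-introduced.
function findPublishPrep(pkg) {
  return PUBLISH_PREP_FIELDS.filter((field) => hasPath(pkg, field));
}

// Throw with a message that tells the contributor this is a decision,
// not an oversight.
function assertActionOnly(pkg) {
  const found = findPublishPrep(pkg);
  if (found.length > 0) {
    throw new Error(
      `package.json re-introduces npm-publish prep (${found.join(', ')}); ` +
      'distribution is Action-only by decision, revisit that decision first'
    );
  }
}

// Constructed manifests (not the project's real package.json).
const actionOnly = {
  name: 'policymesh',
  bin: { policymesh: 'bin/cli.mjs' }, // hypothetical path; `bin` is allowed
  scripts: { test: 'node --test' },
};
const reintroduced = {
  ...actionOnly,
  files: [], // empty, but present
  scripts: { ...actionOnly.scripts, prepublishOnly: 'npm test' },
};

console.log(findPublishPrep(actionOnly), findPublishPrep(reintroduced));
```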