From e02aa3d7dff45b04fc261bc33555f63c9eb5c764 Mon Sep 17 00:00:00 2001 
From: Conal <33135619+Conalh@users.noreply.github.com> Date: Fri, 22 May 2026 17:54:26 -0700 Subject: [PATCH] Revert PolicyMesh npm-publish prep; remain Action-only distribution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Deliberate scoping decision: agent-gov-core is the suite's library publish on npm; tools (PolicyMesh, ScopeTrail, CapabilityEcho, TaskBound, SessionTrail) stay as GitHub Actions consumed via `uses: Conalh/@vX.Y.Z`. Adding 5 separate CLI publishes multiplies the version-skew surface and the publish-ceremony load without a real demand signal yet — we can revisit if Reddit launch feedback shows non-GHA users asking for npx paths. Adding CLI distribution later is non-breaking; removing it after publishing would be messy. Reverts only the npm-publish-prep portions of 343e297, keeping everything else from that commit (SARIF output, suite workflow template, build/test surface, action.yml work). Removed: - package.json files allowlist - package.json publishConfig - package.json scripts.prepublishOnly - README "npx policymesh@latest" lines and the surrounding install- from-npm framing in Local Use and the SARIF example - Two tests that pinned the publish-prep shape Replaced the publishability assertion with a negative-space test that fails if files / publishConfig / prepublishOnly get re-introduced without an explicit decision. Future contributors running into that test get a clear signal that this is a deliberate choice, not an oversight. The `bin` field stays in package.json — it's harmless for the non-published case and avoids touching anything that would also affect a future decision to publish. The SARIF output, the suite workflow template, and the v0.4.0 release artefacts are untouched. Co-Authored-By: Claude Opus 4.7 --- README.md | 22 ++++++++++------------ package.json | 12 +----------- test/workflow.test.mjs | 26 ++++++++------------------ 3 files changed, 19 insertions(+), 41 deletions(-) 
diff --git a/README.md b/README.md
index 036981d..6ee58a7 100644
--- a/README.md
+++ b/README.md
@@ -77,12 +77,6 @@ PolicyMesh reports `HIGH` policy conflicts and emits GitHub warning annotations
 
 ## Local Use
 
-```powershell
-npx policymesh@latest audit --repo . --format markdown
-```
-
-Or, if you have the repo checked out and want to hack on it:
-
 ```powershell
 npm install
 npm run build
@@ -91,12 +85,16 @@ node dist/index.js audit --repo . --format markdown
 
 Supported formats: `text` (default, ANSI-coloured in a TTY), `markdown`, `json`, `github` (PR annotations), and `sarif` (SARIF 2.1.0 for the GitHub Security tab and other SAST consumers).
 
-```powershell
-npx policymesh@latest audit --repo . --format sarif > policymesh.sarif
-# Then in a workflow:
-# - uses: github/codeql-action/upload-sarif@v3
-# with:
-# sarif_file: policymesh.sarif
+To emit SARIF for the GitHub Security tab, point the bundled CLI at the audit and upload the result via `github/codeql-action/upload-sarif`:
+
+```yaml
+- uses: Conalh/PolicyMesh@v0.4.0
+ with:
+ fail-on: none
+- run: node "$GITHUB_ACTION_PATH/dist/index.js" audit --repo . --format sarif > policymesh.sarif
+- uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: policymesh.sarif
 ```
 
 ### Auto-fix mode
diff --git a/package.json b/package.json
index f46ab36..e2c7c2c 100644
--- a/package.json
+++ b/package.json
@@ -28,17 +28,7 @@
 },
 "scripts": {
 "build": "tsc -p tsconfig.json",
- "test": "node --test",
- "prepublishOnly": "npm run build && npm test"
- },
- "files": [
- "dist/",
- "action.yml",
- "README.md",
- "LICENSE"
- ],
- "publishConfig": {
- "access": "public"
+ "test": "node --test"
 },
 "dependencies": {
 "agent-gov-core": "^0.7.0"
diff --git a/test/workflow.test.mjs b/test/workflow.test.mjs
index 7178cfe..75fd79a 100644
--- a/test/workflow.test.mjs
+++ b/test/workflow.test.mjs
@@ -46,25 +46,15 @@ test('package metadata supports OSS discovery', async () => {
 ]);
 });
 
-test('package.json is publishable to npm with the right allowlist', async () => {
+test('package.json does not carry npm-publish prep — PolicyMesh ships only as a GitHub Action', async () => {
+ // Deliberate scoping decision: agent-gov-core is the suite's npm artefact;
+ // tools (PolicyMesh, ScopeTrail, CapabilityEcho) ship as GitHub Actions
+ // consumed via `uses: Conalh/@vX.Y.Z`. Re-introducing publish prep
+ // here means adopting a second distribution surface — discuss before re-adding.
 const packageJson = JSON.parse(await readFile(join(packageRoot, 'package.json'), 'utf8'));
-
- // CLI binary registration so `npx policymesh@latest audit` works without install.
- assert.deepEqual(packageJson.bin, { policymesh: './dist/index.js' });
-
- // Public-by-default; first publish under @scope would otherwise fail.
- assert.deepEqual(packageJson.publishConfig, { access: 'public' });
-
- // Only the runtime artefacts ship. No src/, no test/, no fixtures.
- assert.deepEqual(packageJson.files, ['dist/', 'action.yml', 'README.md', 'LICENSE']);
-
- // prepublishOnly builds and tests before any version reaches the registry.
- assert.equal(packageJson.scripts.prepublishOnly, 'npm run build && npm test');
-});
-
-test('dist/index.js preserves the executable shebang so npm-installed bin works', async () => {
- const first = (await readFile(join(packageRoot, 'dist', 'index.js'), 'utf8')).split('\n', 1)[0];
- assert.equal(first, '#!/usr/bin/env node');
+ assert.equal(packageJson.files, undefined);
+ assert.equal(packageJson.publishConfig, undefined);
+ assert.equal(packageJson.scripts.prepublishOnly, undefined);
 });
 
 test('docs/workflows/agent-governance.yml composes the suite for adopters', async () => {
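Review bot: The new negative-space test only asserts that publish-prep fields are absent, which does not stop an accidental `npm publish` (for example from a CI job that happens to hold a registry token) from succeeding, since nothing in the manifest tells npm the package is not meant to be published. If Action-only distribution is the decision, add `"private": true` to package.json and pin it here with `assert.equal(packageJson.private, true);` so npm refuses to publish no matter which fields reappear later; the visible package.json hunk does not show a `private` field, so that assertion would need the manifest change in the same commit. Separately, the last added assertion dereferences `packageJson.scripts.prepublishOnly`, which throws a TypeError rather than an assertion failure if `scripts` is ever removed; `assert.equal(packageJson.scripts?.prepublishOnly, undefined);` keeps the failure message meaningful.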