Conalh · Conalh · May 23, 2026 · May 23, 2026
diff --git a/README.md b/README.md
@@ -77,12 +77,6 @@ PolicyMesh reports `HIGH` policy conflicts and emits GitHub warning annotations
 
 ## Local Use
 
-```powershell
-npx policymesh@latest audit --repo . --format markdown
-```
-
-Or, if you have the repo checked out and want to hack on it:
-
 ```powershell
 npm install
 npm run build
@@ -91,12 +85,16 @@ node dist/index.js audit --repo . --format markdown
 
 Supported formats: `text` (default, ANSI-coloured in a TTY), `markdown`, `json`, `github` (PR annotations), and `sarif` (SARIF 2.1.0 for the GitHub Security tab and other SAST consumers).
 
-```powershell
-npx policymesh@latest audit --repo . --format sarif > policymesh.sarif
-# Then in a workflow:
-# - uses: github/codeql-action/upload-sarif@v3
-#   with:
-#     sarif_file: policymesh.sarif
+To emit SARIF for the GitHub Security tab, point the bundled CLI at the audit and upload the result via `github/codeql-action/upload-sarif`:
+
+```yaml
+- uses: Conalh/PolicyMesh@v0.4.0
+  with:
+    fail-on: none
+- run: node "$GITHUB_ACTION_PATH/dist/index.js" audit --repo . --format sarif > policymesh.sarif
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: policymesh.sarif
 ```
 
 ### Auto-fix mode

diff --git a/package.json b/package.json
@@ -28,17 +28,7 @@
   },
   "scripts": {
     "build": "tsc -p tsconfig.json",
-    "test": "node --test",
-    "prepublishOnly": "npm run build && npm test"
-  },
-  "files": [
-    "dist/",
-    "action.yml",
-    "README.md",
-    "LICENSE"
-  ],
-  "publishConfig": {
-    "access": "public"
+    "test": "node --test"
   },
   "dependencies": {
     "agent-gov-core": "^0.7.0"

diff --git a/test/workflow.test.mjs b/test/workflow.test.mjs
@@ -46,25 +46,15 @@ test('package metadata supports OSS discovery', async () => {
   ]);
 });
 
-test('package.json is publishable to npm with the right allowlist', async () => {
+test('package.json does not carry npm-publish prep — PolicyMesh ships only as a GitHub Action', async () => {
+  // Deliberate scoping decision: agent-gov-core is the suite's npm artefact;
+  // tools (PolicyMesh, ScopeTrail, CapabilityEcho) ship as GitHub Actions
+  // consumed via `uses: Conalh/<tool>@vX.Y.Z`. Re-introducing publish prep
+  // here means adopting a second distribution surface — discuss before re-adding.
   const packageJson = JSON.parse(await readFile(join(packageRoot, 'package.json'), 'utf8'));
-
-  // CLI binary registration so `npx policymesh@latest audit` works without install.
-  assert.deepEqual(packageJson.bin, { policymesh: './dist/index.js' });
-
-  // Public-by-default; first publish under @scope would otherwise fail.
-  assert.deepEqual(packageJson.publishConfig, { access: 'public' });
-
-  // Only the runtime artefacts ship. No src/, no test/, no fixtures.
-  assert.deepEqual(packageJson.files, ['dist/', 'action.yml', 'README.md', 'LICENSE']);
-
-  // prepublishOnly builds and tests before any version reaches the registry.
-  assert.equal(packageJson.scripts.prepublishOnly, 'npm run build && npm test');
-});
-
-test('dist/index.js preserves the executable shebang so npm-installed bin works', async () => {
-  const first = (await readFile(join(packageRoot, 'dist', 'index.js'), 'utf8')).split('\n', 1)[0];
-  assert.equal(first, '#!/usr/bin/env node');
+  assert.equal(packageJson.files, undefined);
+  assert.equal(packageJson.publishConfig, undefined);
+  assert.equal(packageJson.scripts.prepublishOnly, undefined);
 });
 
 test('docs/workflows/agent-governance.yml composes the suite for adopters', async () => {