pluribus-context 0.3.4 → 0.3.5

package/CHANGELOG.md

@@ -4,6 +4,13 @@
 
 All notable changes to Pluribus are documented here.
 
+## 0.3.5 — trust copy package-page refresh
+
+### Changed
+
+- Clarify installation, uninstallation, and network behavior in the README and quickstart so first-run reviewers can verify the CLI without guessing what persists or when remote imports make network requests.
+- Add release-gate checks for uninstall/network transparency copy before future docs or package-page updates.
+
 ## 0.3.4 — npm package page README refresh prep
 
 ### Changed

package/README.md

@@ -105,19 +105,32 @@ Pluribus is intentionally narrow about filesystem changes:
 
 When in doubt, run `npx --yes pluribus-context@latest audit` or `npx --yes pluribus-context@latest sync --dry-run` first.
 
-### Install
+### Install, uninstall, and network behavior
 
 ```bash
 # Install globally if you prefer a persistent `pluribus` command
 npm install -g pluribus-context@latest
 pluribus --help
 
-# Or clone and link locally
+# Remove the global CLI later
+npm uninstall -g pluribus-context
+```
+
+For local development:
+
+```bash
 git clone https://github.com/caioribeiroclw-pixel/pluribus.git
 cd pluribus
 npm link
+
+# Remove the local global link later
+npm unlink -g pluribus-context
 ```
 
+One-off `npx --yes pluribus-context@latest ...` commands install into npm's normal temporary cache and do not create a persistent global `pluribus` command.
+
+Pluribus does **not** make network requests during normal `audit`, `validate`, `sync`, or `sync --dry-run` runs. Network access is opt-in for remote imports only when you explicitly pass `--update-imports`; those fetches are limited to `github:`/HTTPS imports, then pinned in `pluribus.lock.json` and cached locally for deterministic offline syncs. Private GitHub imports may use `GH_TOKEN`/`GITHUB_TOKEN` or `gh auth token` during that explicit refresh, but tokens are never written to the lockfile or cache.
+
 ### 60-second smoke test
 
 Want to see exactly what gets generated before adding it to a real project?

package/docs/quickstart.md

@@ -18,6 +18,20 @@ The safest path is audit → validate → `sync --dry-run` → `sync`. The first
 
 Remote imports do not refresh silently; Pluribus writes `pluribus.lock.json` and `.pluribus/cache/remote/` only when you explicitly pass `--update-imports`.
 
+## Install, uninstall, and network behavior
+
+For one-off use, keep using `npx --yes pluribus-context@latest ...`; npm stores that in its normal temporary cache and does not create a persistent global `pluribus` command.
+
+If you want a persistent CLI:
+
+```bash
+npm install -g pluribus-context@latest
+pluribus --help
+npm uninstall -g pluribus-context
+```
+
+Normal `audit`, `validate`, `sync`, and `sync --dry-run` runs do not make network requests. Network access only happens when remote imports are present and you explicitly pass `--update-imports`; Pluribus then fetches `github:`/HTTPS imports, pins them in `pluribus.lock.json`, and uses the local cache for later offline syncs. Private GitHub imports can use `GH_TOKEN`/`GITHUB_TOKEN` or `gh auth token` during that explicit refresh, but tokens are never stored in the lockfile or cache.
+
 ## 1. Create a disposable demo project
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pluribus-context",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "Sync intentional AI context and rules across Claude Code, Cursor, Copilot, OpenClaw, Windsurf, Continue, and Zed.",
   "type": "module",
   "homepage": "https://github.com/caioribeiroclw-pixel/pluribus#readme",

package/src/utils/version.js

@@ -1 +1 @@
-export const VERSION = '0.3.4'
+export const VERSION = '0.3.5'