From 5595e4674750d6b2fe9de593d24765627e0af53f Mon Sep 17 00:00:00 2001 From: NiveditJain Date: Tue, 7 Apr 2026 18:14:01 +0000 Subject: [PATCH 1/2] [ef-34] feat: verify all 14 alias packages in post-publish smoke test Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/smoke-test.yml | 70 ++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index a26782d2..25c80d32 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -188,3 +188,73 @@ jobs: name: smoke-html-${{ matrix.os }} path: ${{ runner.temp }}/*.html retention-days: 3 + + verify-aliases: + name: Verify alias packages on npm + runs-on: ubuntu-latest + if: > + github.event_name == 'workflow_dispatch' || + github.event.workflow_run.conclusion == 'success' + + steps: + - uses: actions/checkout@v6 + + - uses: actions/setup-node@v6 + with: + node-version: "20" + registry-url: "https://registry.npmjs.org" + + - name: Resolve version + run: | + if [ -n "${{ github.event.inputs.version }}" ]; then + echo "VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_ENV" + else + echo "VERSION=$(node -p "require('./package.json').version")" >> "$GITHUB_ENV" + fi + + - name: Wait for all alias packages on npm + run: | + ALIASES=( + failproof + failproof-ai + fail-proof-ai + failproof_ai + fail_proof_ai + fail-proofai + failprof + failprof-ai + failprofai + fail-prof-ai + failprof_ai + faliproof + faliproof-ai + faliproofai + ) + DELAYS=(0 5 10 20 40 80) + FAILED=() + + for ALIAS in "${ALIASES[@]}"; do + PUBLISHED="" + for delay in "${DELAYS[@]}"; do + if [ "$delay" -gt 0 ]; then + echo "[$ALIAS] Waiting ${delay}s before retry..." + sleep "$delay" + fi + PUBLISHED=$(npm view "${ALIAS}@${VERSION}" version 2>/dev/null || true) + if [ "$PUBLISHED" = "$VERSION" ]; then + echo "[$ALIAS] OK — ${VERSION}" + break + fi + echo "[$ALIAS] Not yet available (attempt after ${delay}s)" + done + if [ "$PUBLISHED" != "$VERSION" ]; then + echo "::error::[$ALIAS] version ${VERSION} never appeared on npm after all retries" + FAILED+=("$ALIAS") + fi + done + + if [ "${#FAILED[@]}" -gt 0 ]; then + echo "::error::Failed aliases: ${FAILED[*]}" + exit 1 + fi + echo "All ${#ALIASES[@]} alias packages verified at version ${VERSION}" From 0bde16706f7c4094dffe18b4177e0b8d394e2550 Mon Sep 17 00:00:00 2001 From: NiveditJain Date: Tue, 7 Apr 2026 18:16:06 +0000 Subject: [PATCH 2/2] [ef-34] docs: add package-aliases page explaining typosquatting protection Co-Authored-By: Claude Sonnet 4.6 --- docs/index.md | 1 + docs/package-aliases.md | 74 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 docs/package-aliases.md diff --git a/docs/index.md b/docs/index.md index 05ef1c9a..6c2bb7f0 100644 --- a/docs/index.md +++ b/docs/index.md @@ -16,6 +16,7 @@ Open-source hooks, policies, and session visualization for **Claude Code** and t | [Dashboard](./dashboard.md) | Session viewer, policy management, and activity log | | [Architecture](./architecture.md) | How the hook handler, config loading, and policy evaluation work | | [Testing](./testing.md) | Unit tests, E2E tests, and test helpers | +| [Package Aliases](./package-aliases.md) | Registered typosquat-prevention aliases and how they work | --- diff --git a/docs/package-aliases.md b/docs/package-aliases.md new file mode 100644 index 00000000..cfca852c --- /dev/null +++ b/docs/package-aliases.md @@ -0,0 +1,74 @@ +# Package Aliases & Typosquatting Protection + +## Official package + +The canonical npm package is **`failproofai`**: + +```bash +npm install -g failproofai +``` + +--- + +## Why we own the alias names + +Typosquatting is a common supply-chain attack where a malicious actor registers a package name that is one keystroke away from a popular package. Unsuspecting users who mistype the install command end up running attacker-controlled code with full system access — exactly the kind of threat Failproof AI is designed to defend against. + +To eliminate this surface, **we pre-emptively own all common misspellings and formatting variants** of `failproofai` on npm. None of these names can be registered by a third party. Each one is a thin proxy that installs and delegates to the real `failproofai` package. + +--- + +## Registered aliases + +**Formatting variants** — different ways to write "failproof ai": + +| Package | Install command | +|---------|----------------| +| `failproof` | `npm install -g failproof` | +| `failproof-ai` | `npm install -g failproof-ai` | +| `fail-proof-ai` | `npm install -g fail-proof-ai` | +| `failproof_ai` | `npm install -g failproof_ai` | +| `fail_proof_ai` | `npm install -g fail_proof_ai` | +| `fail-proofai` | `npm install -g fail-proofai` | + +**`failprof*` typos** — missing one `o` from "proof": + +| Package | Install command | +|---------|----------------| +| `failprof` | `npm install -g failprof` | +| `failprof-ai` | `npm install -g failprof-ai` | +| `failprofai` | `npm install -g failprofai` | +| `fail-prof-ai` | `npm install -g fail-prof-ai` | +| `failprof_ai` | `npm install -g failprof_ai` | + +**`faliproof*` typos** — transposed `a` and `i`: + +| Package | Install command | +|---------|----------------| +| `faliproof` | `npm install -g faliproof` | +| `faliproof-ai` | `npm install -g faliproof-ai` | +| `faliproofai` | `npm install -g faliproofai` | + +All 14 aliases are published by **ExosphereHost Inc.** (the same npm account as `failproofai`). You can verify any of them: + +```bash +npm info failproof-ai +# Look for: "ExosphereHost Inc." in the maintainers field +``` + +--- + +## How the aliases work + +Each alias package: + +1. Lists `failproofai` as a dependency — so the real package (including its `postinstall` hook setup) runs on install +2. Exposes a binary matching its own name (e.g. `failproof-ai`) that proxies all arguments to the `failproofai` binary + +The proxy is a two-line Node script; there is no logic, no network calls, and no data collection beyond what `failproofai` itself does. + +--- + +## If you find a name we missed + +Open an issue at [exospherehost/failproofai](https://github.com/exospherehost/failproofai/issues) and we will register it.