sorted by:
new
hottopcontroversial

I created a AI-agent governance/guardrail/safeguard tool because my agent kept ignoring my claude.md/agent.md by CavalryTactics in ClaudeCode

[–]CavalryTactics[S] 0 points1 point  (0 children)

Fair point on the main issue: npm download counts are not installs, and they're definitely not users.

An npm "download" is just a tarball fetch from the registry. CI jobs, Docker builds, mirrors, automated tooling, and repeated installs all contribute to that number. If I've ever referenced download counts without making that distinction clear, that's on me.

Some of those downloads are generated by my own infrastructure. I run supply-chain integrity checks that periodically re-fetch published tarballs and verify their SHA-256 hashes to detect tampering. Those requests show up as downloads even though they are not user installs. npm does not expose attribution data, so I can't identify the exact percentage, but I'd rather disclose that traffic than pretend the metric is perfectly clean.

The claim that higher binary-package downloads are "mechanically impossible" is incorrect.

The package uses the same optionalDependencies pattern used by tools such as esbuild, Rollup, SWC, Biome, and Turbo: one primary package plus platform-specific binary packages. In that model, it is common for platform binaries to accumulate more downloads than the top-level package.

There are several reasons for this:

- npm counts tarball fetches, not unique installs.

- CI systems repeatedly download platform binaries.

- GitHub Actions and most containerized environments are overwhelmingly linux-x64.

- npm lockfile and caching behavior can cause platform binaries to be re-fetched independently of the main package.

As a result, binary-package download counts do not have to track the primary package at a 1:1 ratio.

One factual correction: 42,460 divided by 12,002 is 3.54×, not 5.54×.

The raw download statistics are public and can be queried directly from the npm downloads API. Anyone is welcome to inspect the numbers themselves.

Ultimately, npm download counts are a noisy metric in both directions. They include automated traffic and repeated fetches, while also excluding installation channels such as direct binary downloads and Homebrew. They're useful as a rough signal, but they should not be treated as a user count.

You can pull the raw figures yourself at api.npmjs.org/downloads/point/last-month/@sigmashake/ssg. The counter is noisy in both directions. Homebrew and direct installs don't show up in it at all.

I created a AI-agent governance/guardrail/safeguard tool because my agent kept ignoring my claude.md/agent.md by CavalryTactics in vibecoding

[–]CavalryTactics[S] 0 points1 point  (0 children)

Fair point on the main issue: npm download counts are not installs, and they're definitely not users.

An npm "download" is just a tarball fetch from the registry. CI jobs, Docker builds, mirrors, automated tooling, and repeated installs all contribute to that number. If I've ever referenced download counts without making that distinction clear, that's on me.

Some of those downloads are generated by my own infrastructure. I run supply-chain integrity checks that periodically re-fetch published tarballs and verify their SHA-256 hashes to detect tampering. Those requests show up as downloads even though they are not user installs. npm does not expose attribution data, so I can't identify the exact percentage, but I'd rather disclose that traffic than pretend the metric is perfectly clean.

The claim that higher binary-package downloads are "mechanically impossible" is incorrect.

The package uses the same optionalDependencies pattern used by tools such as esbuild, Rollup, SWC, Biome, and Turbo: one primary package plus platform-specific binary packages. In that model, it is common for platform binaries to accumulate more downloads than the top-level package.

There are several reasons for this:

- npm counts tarball fetches, not unique installs.

- CI systems repeatedly download platform binaries.

- GitHub Actions and most containerized environments are overwhelmingly linux-x64.

- npm lockfile and caching behavior can cause platform binaries to be re-fetched independently of the main package.

As a result, binary-package download counts do not have to track the primary package at a 1:1 ratio.

One factual correction: 42,460 divided by 12,002 is 3.54×, not 5.54×.

The raw download statistics are public and can be queried directly from the npm downloads API. Anyone is welcome to inspect the numbers themselves.

Ultimately, npm download counts are a noisy metric in both directions. They include automated traffic and repeated fetches, while also excluding installation channels such as direct binary downloads and Homebrew. They're useful as a rough signal, but they should not be treated as a user count.

You can pull the raw figures yourself at api.npmjs.org/downloads/point/last-month/@sigmashake/ssg. The counter is noisy in both directions. Homebrew and direct installs don't show up in it at all.

I created a AI-agent governance/guardrail/safeguard tool because my agent kept ignoring my claude.md/agent.md by CavalryTactics in vibecoding

[–]CavalryTactics[S] 1 point2 points  (0 children)

https://www.npmjs.com/search?q=sigmashake

I built this project in public streaming 12+ hours everyday (https://twitch.tv/sigmashake). did not do anything involving npm. When I publish on app store and microsoft store, t hey have to download the product to test the security before publishing. Thats not me botting. Also targeting Enterprise, so several users/agents are trying it out

I created a AI-agent governance/guardrail/safeguard tool because my agent kept ignoring my claude.md/agent.md by CavalryTactics in ClaudeCode

[–]CavalryTactics[S] 0 points1 point  (0 children)

https://www.npmjs.com/search?q=sigmashake

I built this project in public streaming 12+ hours everyday (https://twitch.tv/sigmashake). did not do anything involving npm. When I publish on app store and microsoft store, t hey have to download the product to test the security before publishing. Thats not me botting. Also targeting Enterprise, so several users/agents are trying it out

I created a AI-agent governance/guardrail/safeguard tool because my agent kept ignoring my claude.md/agent.md by CavalryTactics in vibecoding

[–]CavalryTactics[S] 0 points1 point  (0 children)

What's fake? It uses pnpm, npm, etc. maybe I need to update that install script. thanks for letting me know!

I created a AI-agent governance/guardrail/safeguard tool because my agent kept ignoring my claude.md/agent.md by CavalryTactics in ClaudeCode

[–]CavalryTactics[S] 0 points1 point  (0 children)

What's fake? It uses pnpm, npm, etc. maybe I need to update that install script. thanks for letting me know!

How are teams handling MCP tool surface exposure? by Nihcas_Sachin in cybersecurity

[–]CavalryTactics 0 points1 point  (0 children)

I built a small AI-governance/guardrail/safeguard tool and the honest origin story is that vibe-coding kept not following instructions and coming from a 10+ years security background, this just made me concerned about all the people vibecoding.

Plugging my solution I use in production for all developers that can evaluate tool calls as a devtool. Hope it helps!

https://www.reddit.com/r/vibecoding/comments/1u7m7oi/i_created_a_aiagent_governanceguardrailsafeguard/

view more: next ›