registry  /  @cat-factory/app  /  0.114.1

@cat-factory/app@0.114.1

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Nuxt SPA layer whose runtime requests target the consuming deployment's configured backend; its install hook performs Nuxt preparation only.

Static reason
One or more suspicious static signals were detected.
Trigger
Installation runs `nuxt prepare`; browser use initiates configured API and WebSocket requests.
Impact
No unconsented file mutation, remote payload execution, or third-party exfiltration is established.
Mechanism
Nuxt layer setup plus authenticated client API calls.
Rationale
Direct source inspection shows a package-aligned Nuxt frontend layer with a standard `nuxt prepare` postinstall hook and configurable backend communication. No concrete malicious chain or suspicious install-time behavior was found.
Evidence
package.jsonnuxt.config.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/composables/api/userSecrets.tsapp/composables/useApi.tsapp/stores/auth.tsapp/composables/api/auth.ts
Network endpoints1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` declares `postinstall: nuxt prepare`.
  • `app/composables/api/client.ts` sends an auth bearer token to configured API requests.
Evidence against
  • `postinstall` is only Nuxt build preparation; no package script files or shell payloads are shipped.
  • `nuxt.config.ts` defaults API traffic to `http://localhost:8787` and exposes an override for the consuming deployment.
  • `app/composables/api/client.ts` constructs a contract-validated client for that configured backend.
  • `app/composables/useWorkspaceStream.ts` derives its WebSocket from the same configured API base.
  • No child-process, eval/vm, filesystem-write, binary, or credential-harvesting primitive was found in shipped source.
  • `app/composables/api/userSecrets.ts` sends user-entered secrets to explicit backend API routes and documents them as write-only server-side.
Behavioral surface
Source
ChildProcessFilesystemNetworkWebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 220 file(s), 858 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License