registry  /  @cat-factory/app  /  0.116.10

@cat-factory/app@0.116.10

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a client-side Nuxt layer that communicates with its configured backend after runtime/UI activation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
`nuxt prepare` at install, or user interaction with the rendered SPA
Impact
No unconsented persistence, credential harvesting, destructive action, or foreign control-surface mutation identified.
Mechanism
Nuxt build preparation and configured backend API client
Rationale
Scanner findings map to normal Nuxt lifecycle setup and a user-driven document-integration UI store. Direct inspection found no concrete malicious chain.
Evidence
package.jsonnuxt.config.tsapp/composables/api/client.tsapp/stores/auth.tsapp/stores/documents.ts
Network endpoints1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` postinstall only runs `nuxt prepare`; no package install script or binary payload is present.
    • `nuxt.config.ts` defines a Nuxt SPA layer with configured API base `http://localhost:8787`.
    • `app/composables/api/client.ts` sends authenticated requests only to consumer-configured `apiBase`.
    • `app/stores/documents.ts` performs explicit UI actions against that backend; it does not harvest or exfiltrate credentials.
    • No child-process, eval/vm, Node filesystem, native binary, or remote-payload loading was found in package source.
    Behavioral surface
    Source
    ChildProcessFilesystemNetworkWebSocket
    Supply chain
    UrlStrings
    Manifest
    NoLicense
    scanned 232 file(s), 924 KB of source, external domains: acme.atlassian.net, example.com, github.com

    Source & flagged code

    3 flagged · loading source
    package.jsonView file
    scripts.postinstall = nuxt prepare
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = nuxt prepare
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg
    app/stores/documents.tsView file
    matchType = previous_version_dangerous_delta matchedPackage = @cat-factory/app@0.116.6 matchedIdentity = npm:QGNhdC1mYWN0b3J5L2FwcA:0.116.6 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    app/stores/documents.tsView on unpkg

    Findings

    2 High2 Medium4 Low
    HighInstall Time Lifecycle Scriptspackage.json
    HighPrevious Version Dangerous Deltaapp/stores/documents.ts
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings
    LowNo License