@cat-factory/app@0.79.0

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface established. Observed network and credential handling are aligned with a Nuxt frontend client talking to its configured backend, with a standard Nuxt prepare lifecycle hook.

Static reason
One or more suspicious static signals were detected.
Trigger
install runs nuxt prepare; runtime browser use contacts configured backend
Impact
No evidence of unconsented exfiltration, persistence, destructive behavior, or control-surface mutation
Mechanism
Nuxt SPA layer with typed REST/WebSocket client
Rationale
Static source inspection shows a legitimate Nuxt layer frontend; the lifecycle and network indicators are package-aligned and no concrete malicious behavior was found. Credential-related code stores or transmits user-provided values only to the configured application backend as part of documented app workflows.
Evidence
package.json, nuxt.config.ts, README.md, app/composables/api/client.ts, app/composables/useApi.ts, app/composables/useWorkspaceStream.ts, app/stores/personalSubscriptions.ts, app/stores/auth.ts
Network endpoints (1)
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare, an install-time lifecycle hook.
  • app/stores/personalSubscriptions.ts caches a user-entered personal password in localStorage and sends it via API helper.
  • app/composables/useWorkspaceStream.ts opens WebSocket to configured apiBase workspace events endpoint.
Evidence against
  • package.json files list only app, i18n, and nuxt.config.ts; no packaged custom lifecycle script files were present.
  • postinstall runs standard Nuxt prepare, not package-local shell/download code.
  • nuxt.config.ts is a Nuxt SPA layer with runtimeConfig public apiBase defaulting to http://localhost:8787.
  • app/composables/api/client.ts and useApi.ts send bearer tokens only to configured backend apiBase for app API calls.
  • rg found no child_process, eval, vm, native/binary loading, destructive filesystem operations, or AI-agent control-surface writes.
  • README.md describes a browser SPA frontend that talks to its backend over REST/WebSocket, matching observed source.
Behavioral surface
Source
ChildProcess, Filesystem, Network, WebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 184 file(s), 666 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 2 Medium, 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License