registry  /  @cat-factory/app  /  0.79.1

@cat-factory/app@0.79.1

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Nuxt SPA layer that communicates with a configured cat-factory backend and runs Nuxt's standard prepare step on install.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; app runtime after user opens SPA
Impact
Expected frontend behavior; no exfiltration, persistence, destructive action, or AI-agent control-surface mutation confirmed
Mechanism
Nuxt layer configuration and browser API/WebSocket client
Rationale
Static source inspection supports a benign Nuxt frontend layer; the lifecycle script is the standard Nuxt prepare command and network/credential flows are aligned with the documented backend client. Scanner hits are explained by normal SPA API/WebSocket usage and UI-managed credentials, with no concrete malicious behavior found.
Evidence
package.jsonnuxt.config.tsapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/auth.tsapp/stores/personalSubscriptions.tsREADME.md
Network endpoints1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare
  • Runtime client sends user-supplied credentials/tokens to configured backend API
Evidence against
  • package.json files list only app, i18n, nuxt.config.ts; main is Nuxt layer config
  • nuxt.config.ts only configures Nuxt SPA layer, i18n, CSS, Vite optimizeDeps, and default apiBase
  • No child_process, fs writes, eval/vm, native/binary loading, or obfuscated payloads found
  • Network use is package-aligned REST/WebSocket client to runtimeConfig public.apiBase
  • Credential handling appears user-invoked UI/API flow; no harvesting of local files or ambient secrets found
  • Codex credential strings are localized instructions shown to users, not filesystem reads
Behavioral surface
Source
ChildProcessFilesystemNetworkWebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 185 file(s), 670 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License