registry  /  @cat-factory/app  /  0.82.1

@cat-factory/app@0.82.1

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Nuxt SPA layer with a standard Nuxt prepare lifecycle hook and runtime API/WebSocket clients aimed at a configured cat-factory backend.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs nuxt prepare; app runtime connects when the SPA is used
Impact
No source evidence of credential theft, unconsented agent control-surface mutation, persistence, destructive behavior, or remote code execution.
Mechanism
Nuxt layer preparation and configured frontend API/WebSocket client
Rationale
Scanner findings map to expected Nuxt lifecycle and frontend network code; inspected source does not show install-time malicious behavior or unconsented mutation of foreign AI-agent surfaces. Runtime credential and integration handling is package-aligned and user-invoked.
Evidence
package.jsonnuxt.config.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/auth.tsapp/stores/personalSubscriptions.ts
Network endpoints2
localhost:8787git+https://github.com/kibertoad/cat-factory.git

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare
  • nuxt.config.ts sets runtime public apiBase default http://localhost:8787
  • app/composables/useWorkspaceStream.ts opens WebSocket to configured apiBase
  • app/stores/personalSubscriptions.ts caches a user-entered password in localStorage
Evidence against
  • package.json files list only app, i18n, nuxt.config.ts; no bin entrypoint
  • nuxt.config.ts postinstall target is standard Nuxt prepare for a Nuxt layer
  • rg found no child_process, eval, Function, MCP/Claude/Codex control-surface writes, or persistence hooks
  • app/composables/api/client.ts sends requests only to configured runtime apiBase with app auth headers
  • Credential/token flows are user-invoked UI/API actions, not install-time harvesting or exfiltration
Behavioral surface
Source
ChildProcessFilesystemNetworkWebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 192 file(s), 692 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License