registry  /  @cat-factory/app  /  0.87.4

@cat-factory/app@0.87.4

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 20h ago · by lpm-firewall-ai

No confirmed malicious attack surface found. The package is a Nuxt SPA layer with a standard Nuxt prepare lifecycle and runtime API/WebSocket client behavior aligned with the app.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs Nuxt prepare; runtime browser use calls configured backend
Impact
No install-time persistence, credential exfiltration, or agent control-surface mutation identified
Mechanism
Nuxt layer configuration and browser API client
Rationale
Static inspection shows package-aligned Nuxt frontend code; the scanner signals are explained by a standard postinstall Nuxt prepare hook and browser REST/WebSocket functionality. No concrete malicious behavior or unconsented lifecycle mutation was found.
Evidence
package.jsonnuxt.config.tsREADME.mdapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/personalSubscriptions.tsapp/stores/vendorCredentials.ts
Network endpoints1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only postinstall "nuxt prepare" and main "./nuxt.config.ts" for a Nuxt layer.
    • nuxt.config.ts configures SPA layer assets/i18n and default public apiBase "http://localhost:8787".
    • app/composables/api/client.ts and useApi.ts send REST requests only to configured runtime apiBase with bearer headers from app auth state.
    • app/composables/useWorkspaceStream.ts opens a WebSocket to configured apiBase after minting a workspace events ticket.
    • rg found no child_process, shell execution, filesystem writes, native/binary loading, or AI-agent control-surface writes.
    • Credential/API-key handling appears user-invoked UI/backend API flow; no install/import-time harvesting or exfiltration found.
    Behavioral surface
    Source
    ChildProcessFilesystemNetworkWebSocket
    Supply chain
    UrlStrings
    Manifest
    NoLicense
    scanned 193 file(s), 720 KB of source, external domains: acme.atlassian.net, example.com, github.com

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    scripts.postinstall = nuxt prepare
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = nuxt prepare
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg

    Findings

    1 High2 Medium4 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings
    LowNo License