
@cat-factory/app@0.88.0

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 16h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Nuxt SPA layer with a framework postinstall and runtime REST/WebSocket calls to its configured backend.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs Nuxt prepare; browser runtime uses configured backend after app use
Impact
No evidence of unconsented install-time mutation, exfiltration, persistence, or remote code execution
Mechanism
Nuxt layer frontend API client
Rationale
Static inspection shows scanner hits are package-aligned Nuxt/frontend behavior: postinstall only runs nuxt prepare, and network/credential flows go through the declared backend API at runtime. No source evidence shows install-time exfiltration, shell execution, persistence, destructive behavior, or AI-agent control hijacking.
Evidence
  • package.json
  • nuxt.config.ts
  • README.md
  • app/composables/useApi.ts
  • app/composables/api/client.ts
  • app/composables/useWorkspaceStream.ts
  • app/stores/auth.ts
  • app/stores/personalSubscriptions.ts
Network endpoints (3)
  • localhost:8787
  • ws://localhost:8787
  • github.com/kibertoad/cat-factory.git

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare
  • Runtime frontend sends bearer and personal-password headers to configured apiBase
  • useWorkspaceStream opens WebSocket to configured apiBase
Evidence against
  • postinstall is a standard Nuxt prepare hook; no package install script file is present
  • rg found no child_process, eval/vm, fs writes, native binaries, or agent control-surface writes
  • nuxt.config.ts defaults apiBase to http://localhost:8787 and documents NUXT_PUBLIC_API_BASE override
  • README describes a Nuxt SPA layer talking to a cat-factory backend over REST/WebSocket
  • Auth and credential handling are user-flow/runtime API calls, not install-time harvesting
Behavioral surface
Source
Child Process, Filesystem, Network, WebSocket
Supply chain
Url Strings
Manifest
No License
scanned 195 file(s), 728 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged

package.json
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json

scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High · 2 Medium · 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License