@cat-factory/app@0.89.0

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 17h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a Nuxt frontend layer whose suspicious signals are a standard Nuxt prepare lifecycle and runtime browser API calls to its configured backend.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs nuxt prepare; app runtime calls backend when user uses the SPA
Impact
No install-time persistence, exfiltration, destructive action, or AI-agent control hijack found by source inspection.
Mechanism
Nuxt layer configuration plus typed REST/WebSocket client
Rationale
The lifecycle hook delegates to Nuxt prepare and inspected package code does not write foreign control surfaces, spawn processes, harvest files, or contact unrelated endpoints. Runtime credential and network behavior is consistent with the documented cat-factory SPA/backend product flow and is user-invoked.
Evidence
package.json, nuxt.config.ts, app/composables/useApi.ts, app/composables/api/client.ts, app/composables/useWorkspaceStream.ts, app/stores/personalSubscriptions.ts
Network endpoints (1)
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare
  • Runtime SPA sends bearer/personal-password headers to configured apiBase
  • app/stores/personalSubscriptions.ts caches a user-entered password in localStorage for 40h
Evidence against
  • package.json files publish only app, i18n, nuxt.config.ts; no bundled install helper scripts
  • nuxt.config.ts only configures a Nuxt SPA layer and default local API base
  • No child_process, fs writes, shell, native binary, or agent control-surface writes found
  • API/WebSocket code is package-aligned frontend backend communication
  • Credential inputs are user-invoked UI flows and write-only backend calls, not import/install-time harvesting
Behavioral surface
Source
ChildProcess, Filesystem, Network, WebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 195 file(s), 728 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High · 2 Medium · 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License