@cat-factory/app@0.92.0

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 6h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a Nuxt SPA layer that talks to a configurable cat-factory backend and runs a standard Nuxt prepare lifecycle hook.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
npm install runs nuxt prepare; runtime UI actions call configured backend APIs.
Impact
User-entered credentials and session tokens are sent to the configured application backend during explicit UI flows.
Mechanism
Nuxt app layer with typed REST/WebSocket client
Rationale
Static inspection supports the scanner hints as package-aligned frontend/backend behavior rather than malware: the only install hook is Nuxt prepare, and network/credential flows are explicit app features using a configurable API base. No source evidence shows credential exfiltration, remote payload execution, persistence, destructive behavior, or broad AI-agent control-surface mutation.
Evidence
package.json, nuxt.config.ts, app/stores/documents.ts, app/composables/api/client.ts, app/composables/useApi.ts, app/composables/api/documents.ts, app/composables/useWorkspaceStream.ts
Network endpoints: 1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: "nuxt prepare".
  • app/stores/documents.ts accepts user-provided document-source credentials and sends them through api.connectDocumentSource.
  • app/composables/api/client.ts and useApi.ts attach bearer/session headers to configured API calls.
Evidence against
  • package.json lifecycle hook invokes Nuxt's normal prepare step; no custom install script file or shell command is present.
  • nuxt.config.ts is a Nuxt layer config with local default apiBase http://localhost:8787 and no foreign endpoint.
  • app/composables/api/documents.ts maps document actions to @cat-factory/contracts backend routes; no exfiltration endpoint or hidden credential sink found.
  • Search found no child_process, eval/vm/new Function, filesystem writes, native binaries, curl/wget, or AI-agent config mutation.
  • Credential/token handling is UI/backend-aligned and user-invoked, not import-time or install-time harvesting.
Behavioral surface
Source
ChildProcess, Filesystem, Network, WebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 195 file(s), 733 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

app/stores/documents.ts
matchType = previous_version_dangerous_delta matchedPackage = @cat-factory/app@0.91.0 matchedIdentity = npm:QGNhdC1mYWN0b3J5L2FwcA:0.91.0 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Findings

2 High, 2 Medium, 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Previous Version Dangerous Delta (app/stores/documents.ts)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License