@cat-factory/app@0.92.2

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a reusable Nuxt SPA layer whose runtime network access is directed at a configured cat-factory backend, defaulting to localhost for development.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs Nuxt prepare; browser runtime calls configured backend when the app is used
Impact
No install-time mutation, credential harvesting, remote payload execution, persistence, or destructive behavior found
Mechanism
Nuxt layer configuration plus typed frontend API/WebSocket client
Rationale
Static inspection found a normal Nuxt layer with framework postinstall preparation and package-aligned frontend API/WebSocket behavior. Suspicious scanner signals are explained by SPA networking/auth UI code and do not show unconsented install-time behavior or exfiltration.
Evidence
package.json, nuxt.config.ts, app/composables/api/client.ts, app/composables/useWorkspaceStream.ts, app/stores/auth.ts
Network endpoints (1)
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no `bin` and only `postinstall: nuxt prepare`, a Nuxt framework preparation step.
    • `nuxt.config.ts` is a Nuxt SPA layer config; it sets `ssr:false`, modules, i18n, CSS, and default `apiBase`.
    • `app/composables/api/client.ts` sends typed API requests only to configured `runtimeConfig.public.apiBase`.
    • `app/composables/useWorkspaceStream.ts` opens a workspace WebSocket derived from the same configured API base after minting a ticket.
    • No source-wide hits for child_process, eval/vm/Function, native/binary loading, or filesystem write APIs in package code.
    • Credential handling observed is UI/API flow to the package backend, not install-time harvesting or exfiltration.
    Behavioral surface
    Source
    ChildProcess, Filesystem, Network, WebSocket
    Supply chain
    UrlStrings
    Manifest
    NoLicense
    scanned 195 file(s), 733 KB of source, external domains: acme.atlassian.net, example.com, github.com

    Source & flagged code

    2 flagged
    package.json
    scripts.postinstall = nuxt prepare
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.json
    scripts.postinstall = nuxt prepare
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.json

    Findings

    1 High, 2 Medium, 4 Low
    High: Install Time Lifecycle Scripts (package.json)
    Medium: Ambiguous Install Lifecycle Script (package.json)
    Medium: Network
    Low: Scripts Present
    Low: Filesystem
    Low: Url Strings
    Low: No License