registry  /  @cat-factory/server  /  0.65.2

@cat-factory/server@0.65.2

Runtime-neutral HTTP layer for the Agent Architecture Board: the Hono controllers, middleware (auth/authz/CORS/error), request helpers and the gateway seams shared by every deployment facade (Cloudflare Worker, Node service).

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network and credential-handling code is part of the advertised runtime-neutral HTTP server/OAuth/search/GitHub integration layer and is activated by explicit server routes or service calls, not install/import.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports library and application mounts/uses exported server controllers or helper classes.
Impact
Handles configured OAuth/API tokens for intended backend integrations; no evidence of harvesting or exfiltration beyond configured providers.
Mechanism
Package-aligned HTTP controllers and fetch-based upstream clients
Rationale
Static inspection shows a published server library with no lifecycle execution and network calls aligned to documented OAuth, GitHub, LLM/search proxy, and controller functionality. Scanner hits are explained by route helper names, PEM parsing comments/types, and legitimate fetch clients rather than malicious behavior.
Evidence
package.jsondist/index.jsdist/modules/tasks/TaskSourceController.jsdist/crypto/encoding.jsdist/crypto/encoding.d.tsdist/modules/webSearch/upstreams.jsdist/auth/LinearOAuth.jsdist/github/FetchGitHubClient.js
Network endpoints4
api.search.brave.com/res/v1/web/searchlinear.appapi.linear.app/oauth/tokengithub.com/${repo.owner}/${repo.name}.git

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts and exports only ./dist/index.js.
    • dist/index.js is a barrel exporting server controllers/helpers; no import-time side effects found.
    • dist/modules/tasks/TaskSourceController.js uses Hono route handlers and Linear OAuth only on explicit HTTP routes.
    • dist/crypto/encoding.js only decodes caller-provided PEM/base64url data; no embedded secret exists in .d.ts.
    • dist/modules/webSearch/upstreams.js fetches configured Brave/SearXNG search providers for package-aligned proxy behavior.
    • No shell execution, native binaries, install hooks, or persistence files found in inspected paths.
    Behavioral surface
    Source
    ChildProcessDynamicRequireFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 123 file(s), 713 KB of source, external domains: accounts.google.com, api.github.com, api.linear.app, api.search.brave.com, github.com, linear.app, oauth2.googleapis.com, www.googleapis.com

    Source & flagged code

    7 flagged · loading source
    dist/crypto/encoding.d.tsView file
    7patternName = private_key_rsa severity = critical line = 7 matchedText = * (`----...CS#1
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/crypto/encoding.d.tsView on unpkg · L7
    7patternName = private_key_rsa severity = critical line = 7 matchedText = * (`----...CS#1
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.d.ts

    dist/crypto/encoding.d.tsView on unpkg · L7
    8patternName = private_key_rsa severity = critical line = 8 matchedText = * (`----... via
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.d.ts

    dist/crypto/encoding.d.tsView on unpkg · L8
    dist/modules/tasks/TaskSourceController.jsView file
    162return unavailable(c); L163: const task = await tasks.importService.import(param(c, 'workspaceId'), sourceParam(c), c.req.valid('json').ref); L164: return c.json(task, 201);
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/modules/tasks/TaskSourceController.jsView on unpkg · L162
    dist/crypto/encoding.jsView file
    30patternName = private_key_rsa severity = critical line = 30 matchedText = * (`----...CS#1
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.js

    dist/crypto/encoding.jsView on unpkg · L30
    31patternName = private_key_rsa severity = critical line = 31 matchedText = * (`----... via
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.js

    dist/crypto/encoding.jsView on unpkg · L31
    dist/github/GitHubAppAuth.d.tsView file
    4patternName = private_key_rsa severity = critical line = 4 matchedText = /** App .... */
    Critical
    Secret Pattern

    RSA private key in dist/github/GitHubAppAuth.d.ts

    dist/github/GitHubAppAuth.d.tsView on unpkg · L4

    Findings

    6 Critical2 Medium5 Low
    CriticalCritical Secretdist/crypto/encoding.d.ts
    CriticalSecret Patterndist/crypto/encoding.d.ts
    CriticalSecret Patterndist/crypto/encoding.d.ts
    CriticalSecret Patterndist/crypto/encoding.js
    CriticalSecret Patterndist/crypto/encoding.js
    CriticalSecret Patterndist/github/GitHubAppAuth.d.ts
    MediumDynamic Requiredist/modules/tasks/TaskSourceController.js
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License