registry  /  @cat-factory/server  /  0.66.3

@cat-factory/server@0.66.3

Runtime-neutral HTTP layer for the Agent Architecture Board: the Hono controllers, middleware (auth/authz/CORS/error), request helpers and the gateway seams shared by every deployment facade (Cloudflare Worker, Node service).

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a runtime-neutral HTTP server library exposing controllers and clients for cat-factory integrations; network calls are user/runtime-invoked and aligned with documented OAuth, GitHub, search, and LLM proxy behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package only loads ESM exports; behavior is activated by host application HTTP routes and configured services.
Impact
No unconsented install-time/import-time execution, credential exfiltration, persistence, or destructive behavior identified.
Mechanism
Hono controllers and fetch-based integration clients
Rationale
Static source inspection found a server package with expected route registration, OAuth/token exchange helpers, GitHub REST calls, and proxy logic, but no lifecycle hooks or hidden execution paths. Scanner findings are explainable as package-aligned network/client functionality and a false positive on PEM documentation.
Evidence
package.jsondist/index.jsdist/crypto/encoding.jsdist/crypto/encoding.d.tsdist/modules/tasks/TaskSourceController.jsdist/modules/llmProxy/LlmProxyController.jsdist/modules/webSearch/upstreams.jsdist/auth/GitHubOAuth.jsdist/auth/GoogleOAuth.jsdist/auth/LinearOAuth.jsdist/github/GitHubAppAuth.jsdist/github/ensureWorkBranch.js
Network endpoints8
github.comapi.github.comaccounts.google.comwww.googleapis.comoauth2.googleapis.com/tokenlinear.appapi.linear.app/oauth/tokenapi.search.brave.com/res/v1/web/search

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall/prepare hooks; main is dist/index.js exports only.
    • dist/crypto/encoding.d.ts secret hit is documentation for PEM parsing, not an embedded secret.
    • dist/modules/tasks/TaskSourceController.js contains Hono route handlers and service calls, not dynamic require/import execution.
    • Network use is package-aligned: OAuth, GitHub API, web search, and LLM proxy endpoints are invoked from HTTP controllers/services.
    • No child_process, eval, Function, native binary loading, filesystem credential harvesting, or AI-agent control-surface writes found by rg inspection.
    Behavioral surface
    Source
    ChildProcessDynamicRequireFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 123 file(s), 713 KB of source, external domains: accounts.google.com, api.github.com, api.linear.app, api.search.brave.com, github.com, linear.app, oauth2.googleapis.com, www.googleapis.com

    Source & flagged code

    7 flagged · loading source
    dist/crypto/encoding.d.tsView file
    7patternName = private_key_rsa severity = critical line = 7 matchedText = * (`----...CS#1
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/crypto/encoding.d.tsView on unpkg · L7
    7patternName = private_key_rsa severity = critical line = 7 matchedText = * (`----...CS#1
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.d.ts

    dist/crypto/encoding.d.tsView on unpkg · L7
    8patternName = private_key_rsa severity = critical line = 8 matchedText = * (`----... via
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.d.ts

    dist/crypto/encoding.d.tsView on unpkg · L8
    dist/modules/tasks/TaskSourceController.jsView file
    188return unavailable(c); L189: const task = await tasks.importService.import(param(c, 'workspaceId'), sourceParam(c), c.req.valid('json').ref); L190: return c.json(task, 201);
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/modules/tasks/TaskSourceController.jsView on unpkg · L188
    dist/crypto/encoding.jsView file
    30patternName = private_key_rsa severity = critical line = 30 matchedText = * (`----...CS#1
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.js

    dist/crypto/encoding.jsView on unpkg · L30
    31patternName = private_key_rsa severity = critical line = 31 matchedText = * (`----... via
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.js

    dist/crypto/encoding.jsView on unpkg · L31
    dist/github/GitHubAppAuth.d.tsView file
    4patternName = private_key_rsa severity = critical line = 4 matchedText = /** App .... */
    Critical
    Secret Pattern

    RSA private key in dist/github/GitHubAppAuth.d.ts

    dist/github/GitHubAppAuth.d.tsView on unpkg · L4

    Findings

    6 Critical2 Medium5 Low
    CriticalCritical Secretdist/crypto/encoding.d.ts
    CriticalSecret Patterndist/crypto/encoding.d.ts
    CriticalSecret Patterndist/crypto/encoding.d.ts
    CriticalSecret Patterndist/crypto/encoding.js
    CriticalSecret Patterndist/crypto/encoding.js
    CriticalSecret Patterndist/github/GitHubAppAuth.d.ts
    MediumDynamic Requiredist/modules/tasks/TaskSourceController.js
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License