@cat-factory/server@0.75.0

Runtime-neutral HTTP layer for the Agent Architecture Board: the Hono controllers, middleware (auth/authz/CORS/error), request helpers and the gateway seams shared by every deployment facade (Cloudflare Worker, Node service).

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a runtime HTTP/server library with route controllers, OAuth clients, GitHub integration, web search proxying, and container job dispatch that activate only when the hosting app mounts and configures them.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime import and application mounting of exported controllers/services.
Impact
No install-time execution, persistence, credential harvesting, exfiltration, or foreign AI-agent control-surface mutation found.
Mechanism
Package-aligned server integrations and authenticated proxy/controller routes.
Rationale
Static inspection shows a package-aligned server module; scanner hints map to documented PEM parsing, runtime HTTP routes, and expected service integrations. No lifecycle mutation, import-time payload, or concrete exfiltration behavior was found.
Evidence
• package.json
• dist/index.js
• dist/app.js
• dist/modules/tasks/TaskSourceController.js
• dist/crypto/encoding.js
• dist/modules/webSearch/upstreams.js
• dist/agents/ContainerAgentExecutor.js
• dist/modules/llmProxy/LlmProxyController.js
• dist/github/GitHubAppAuth.js
• dist/auth/GitHubOAuth.js
• dist/auth/GoogleOAuth.js
• dist/auth/LinearOAuth.js
Network endpoints (8)
• api.search.brave.com/res/v1/web/search
• github.com
• api.github.com
• accounts.google.com
• www.googleapis.com
• oauth2.googleapis.com/token
• linear.app
• api.linear.app/oauth/token

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle hooks or bin entry; main is dist/index.js only.
    • dist/index.js is an export barrel for server controllers/helpers, not import-time execution.
    • dist/modules/tasks/TaskSourceController.js defines Hono routes and delegates to configured task services; no dynamic require found.
    • dist/crypto/encoding.d.ts secret hit is PEM marker documentation, not an embedded private key.
    • Search found no child_process, eval/Function, native binaries, or AI-agent control-surface writes.
    • Network use is package-aligned OAuth/GitHub/search/LLM proxy behavior gated by runtime configuration and auth.
    Behavioral surface
    Source
    ChildProcess, DynamicRequire, Filesystem, Network
    Supply chain
    HighEntropyStrings, UrlStrings
    Manifest
    NoLicense
    scanned 127 file(s), 785 KB of source, external domains: accounts.google.com, api.github.com, api.linear.app, api.search.brave.com, github.com, linear.app, oauth2.googleapis.com, www.googleapis.com

    Source & flagged code

    7 flagged
    dist/crypto/encoding.d.ts
    L7: patternName = private_key_rsa severity = critical line = 7 matchedText = * (`----...CS#1
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/crypto/encoding.d.ts · L7
    L7: patternName = private_key_rsa severity = critical line = 7 matchedText = * (`----...CS#1
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.d.ts

    dist/crypto/encoding.d.ts · L7
    L8: patternName = private_key_rsa severity = critical line = 8 matchedText = * (`----... via
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.d.ts

    dist/crypto/encoding.d.ts · L8
    dist/modules/tasks/TaskSourceController.js
    L188: return unavailable(c); L189: const task = await tasks.importService.import(param(c, 'workspaceId'), sourceParam(c), c.req.valid('json').ref); L190: return c.json(task, 201);
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/modules/tasks/TaskSourceController.js · L188
    dist/crypto/encoding.js
    L30: patternName = private_key_rsa severity = critical line = 30 matchedText = * (`----...CS#1
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.js

    dist/crypto/encoding.js · L30
    L31: patternName = private_key_rsa severity = critical line = 31 matchedText = * (`----... via
    Critical
    Secret Pattern

    RSA private key in dist/crypto/encoding.js

    dist/crypto/encoding.js · L31
    dist/github/GitHubAppAuth.d.ts
    L4: patternName = private_key_rsa severity = critical line = 4 matchedText = /** App .... */
    Critical
    Secret Pattern

    RSA private key in dist/github/GitHubAppAuth.d.ts

    dist/github/GitHubAppAuth.d.ts · L4

    Findings

    6 Critical · 2 Medium · 5 Low
    Critical · Critical Secret · dist/crypto/encoding.d.ts
    Critical · Secret Pattern · dist/crypto/encoding.d.ts
    Critical · Secret Pattern · dist/crypto/encoding.d.ts
    Critical · Secret Pattern · dist/crypto/encoding.js
    Critical · Secret Pattern · dist/crypto/encoding.js
    Critical · Secret Pattern · dist/github/GitHubAppAuth.d.ts
    Medium · Dynamic Require · dist/modules/tasks/TaskSourceController.js
    Medium · Network
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings
    Low · No License