registry  /  @cat-factory/server  /  0.84.3

@cat-factory/server@0.84.3

Runtime-neutral HTTP layer for the Agent Architecture Board: the Hono controllers, middleware (auth/authz/CORS/error), request helpers and the gateway seams shared by every deployment facade (Cloudflare Worker, Node service).

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a runtime HTTP server layer with controllers, OAuth clients, GitHub clients, and web-search proxy code activated by application routes.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing server exports or invoking configured Hono HTTP routes at runtime.
Impact
Expected server-side integration behavior; no evidence of unconsented install-time execution, credential harvesting, exfiltration, persistence, or destructive actions.
Mechanism
Route-driven OAuth/API proxy and GitHub integration logic.
Rationale
Static inspection found suspicious-looking primitives only in normal server integration paths, with no lifecycle hooks, hidden execution, filesystem mutation, shell/eval, payload loading, or exfiltration behavior. The scanner's secret and dynamic-require hints appear to be false positives based on documentation/comments and ordinary controller imports.
Evidence
package.jsondist/index.jsdist/crypto/encoding.jsdist/crypto/encoding.d.tsdist/modules/tasks/TaskSourceController.jsdist/modules/webSearch/upstreams.jsdist/github/GitHubAppAuth.jsdist/github/FetchGitHubClient.jsdist/auth/GitHubOAuth.jsdist/auth/GoogleOAuth.jsdist/auth/LinearOAuth.jsdist/agents/ContainerAgentExecutor.js
Network endpoints8
api.search.brave.com/res/v1/web/searchgithub.comapi.github.comaccounts.google.comwww.googleapis.comoauth2.googleapis.com/tokenlinear.appapi.linear.app/oauth/token

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Runtime code performs user-invoked fetches to OAuth/GitHub/search providers.
  • Container executor builds job specs for runner transports, but delegates dispatch to supplied transport.
  • Package handles credentials/tokens as part of server auth and integration flows.
Evidence against
  • package.json has no preinstall/install/postinstall hooks or bin entrypoints.
  • dist/index.js only re-exports server modules; no import-time execution beyond module definitions observed.
  • dist/crypto/encoding.d.ts secret finding is documentation for PEM formats, not an embedded key.
  • dist/modules/tasks/TaskSourceController.js exposes Hono routes and OAuth callback; no dynamic require or hidden loader found.
  • No fs writes, shell execution, eval/vm, native binary loading, or AI-agent control-surface mutation found by source search.
  • Network use is package-aligned: GitHub/Google/Linear OAuth, GitHub API, Brave/SearXNG web search with configured credentials and SSRF guard for SearXNG.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 131 file(s), 847 KB of source, external domains: accounts.google.com, api.github.com, api.linear.app, api.search.brave.com, github.com, linear.app, oauth2.googleapis.com, www.googleapis.com

Source & flagged code

7 flagged · loading source
dist/crypto/encoding.d.tsView file
7patternName = private_key_rsa severity = critical line = 7 matchedText = * (`----...CS#1
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/crypto/encoding.d.tsView on unpkg · L7
7patternName = private_key_rsa severity = critical line = 7 matchedText = * (`----...CS#1
Critical
Secret Pattern

RSA private key in dist/crypto/encoding.d.ts

dist/crypto/encoding.d.tsView on unpkg · L7
8patternName = private_key_rsa severity = critical line = 8 matchedText = * (`----... via
Critical
Secret Pattern

RSA private key in dist/crypto/encoding.d.ts

dist/crypto/encoding.d.tsView on unpkg · L8
dist/modules/tasks/TaskSourceController.jsView file
188return unavailable(c); L189: const task = await tasks.importService.import(param(c, 'workspaceId'), sourceParam(c), c.req.valid('json').ref); L190: return c.json(task, 201);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/modules/tasks/TaskSourceController.jsView on unpkg · L188
dist/crypto/encoding.jsView file
30patternName = private_key_rsa severity = critical line = 30 matchedText = * (`----...CS#1
Critical
Secret Pattern

RSA private key in dist/crypto/encoding.js

dist/crypto/encoding.jsView on unpkg · L30
31patternName = private_key_rsa severity = critical line = 31 matchedText = * (`----... via
Critical
Secret Pattern

RSA private key in dist/crypto/encoding.js

dist/crypto/encoding.jsView on unpkg · L31
dist/github/GitHubAppAuth.d.tsView file
4patternName = private_key_rsa severity = critical line = 4 matchedText = /** App .... */
Critical
Secret Pattern

RSA private key in dist/github/GitHubAppAuth.d.ts

dist/github/GitHubAppAuth.d.tsView on unpkg · L4

Findings

6 Critical2 Medium5 Low
CriticalCritical Secretdist/crypto/encoding.d.ts
CriticalSecret Patterndist/crypto/encoding.d.ts
CriticalSecret Patterndist/crypto/encoding.d.ts
CriticalSecret Patterndist/crypto/encoding.js
CriticalSecret Patterndist/crypto/encoding.js
CriticalSecret Patterndist/github/GitHubAppAuth.d.ts
MediumDynamic Requiredist/modules/tasks/TaskSourceController.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License