nemoris 0.1.0 → 0.1.2

package/SECURITY.md

@@ -1,119 +1,59 @@
-# Security Policy
-
-Nemoris is a local-first agent runtime for a single operator on a machine they control. It is powerful software: it can execute tools, talk to remote model providers, store local state, and deliver messages through channels like Telegram and Slack. Please read this file before deploying it on a machine that holds sensitive data.
-
-## Supported Versions
-
-Security fixes are currently targeted at:
-
-- the latest `main` branch
-- the latest published npm release
-
-Older versions may not receive backported fixes.
-
-## Reporting a Vulnerability
-
-Please do not open public GitHub issues for security vulnerabilities.
-
-Use one of these private channels instead:
-
-- GitHub Security Advisories: [Report a vulnerability](https://github.com/amzer24/nemoris/security/advisories/new)
-- Email fallback: `amzer24@gmail.com`
-
-Please include:
-
-- what you observed
-- affected version or commit
-- the smallest reliable reproduction
-- impact assessment
-- any mitigations you already tested
-
-I will acknowledge a good-faith report as quickly as possible and work toward a coordinated fix before public disclosure.
-
-## Threat Model
-
-Nemoris is designed for:
-
-- a single user
-- a machine or account they control
-- explicitly configured workspaces and delivery channels
-- operator-reviewed tool use and provider configuration
-
-Nemoris is not designed to be:
-
-- a hardened multi-tenant sandbox
-- a safe environment for arbitrary untrusted users
-- a drop-in remote execution service for strangers
-
-If you need those guarantees, isolate Nemoris at the OS, VM, or container level rather than relying on prompt rules alone.
-
-## What Stays Local vs What Leaves the Machine
-
-By default, Nemoris stores its runtime state locally under the install root, including:
-
-- config manifests
-- local state and SQLite databases
-- auth profiles in `state/auth-profiles.json`
-- daemon logs
-
-Data leaves the machine when you enable external integrations, including:
-
-- LLM provider calls to Anthropic, OpenRouter, OpenAI Codex, or other configured providers
-- Telegram or Slack delivery and inbound messaging
-- MCP servers or other network-capable tools
-
-Treat those integrations as trust boundaries. Only enable the ones you intend to use.
-
-## Security Expectations and Non-Goals
-
-Nemoris aims to be secure by default for a personal local runtime, but there are important limits:
-
-- tool access is policy-bounded, but the runtime is still operating on your machine
-- remote providers can receive prompt content, tool output, and uploaded content needed to complete a turn
-- delivery adapters can send content to third-party services once enabled
-- local state files should be treated as sensitive operator data
-
-This means Nemoris should be run with the least privilege that still lets it do useful work.
-
-## Safe Deployment Guidance
-
-Recommended:
-
-- run Nemoris as your own user account, not a shared account
-- keep workspaces narrow and intentional
-- use least-privilege provider tokens
-- leave delivery gates disabled until you are ready for live sends
-- keep `.env` and `state/auth-profiles.json` private
-- use explicit allowlists for Telegram/Slack users rather than broad access
-- keep the runtime updated
-
-Not recommended:
-
-- pointing it at your whole home directory as a workspace
-- running it as root
-- sharing one install across untrusted users
-- enabling remote delivery channels before validating auth and allowlists
-
-## Sensitive Files
-
-Handle these as secrets:
-
-- `.env`
-- `state/auth-profiles.json`
-- any provider or delivery tokens
-- daemon logs that may contain identifiers or operational details
-
-Do not paste those files into public issues.
-
-## Security-Focused Operations
-
-Useful commands when validating a setup:
-
-```bash
-nemoris doctor
-nemoris status
-nemoris logs
-npm run publish:check
-```
-
-If you are recovering from a token, install, or daemon problem, see [`docs/RECOVERY-FLOWS.md`](docs/RECOVERY-FLOWS.md).
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.1.x   | ✅ Current release |
+
+## Reporting a Vulnerability
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, email **nemoris@proton.me** with:
+
+- Description of the vulnerability
+- Steps to reproduce
+- Impact assessment (what an attacker could do)
+- Your suggested fix, if any
+
+You will receive an acknowledgement within 48 hours. We aim to provide a substantive response within 7 days.
+
+## Security Model
+
+Nemoris runs locally on your machine. Key security properties:
+
+- **API keys** are stored in `~/.nemoris/.env` with `0600` permissions (owner read/write only)
+- **Keys are never logged** — the runtime redacts secrets from all log output
+- **Exec approval gates** require human confirmation before shell commands execute
+- **SSRF protection** on all URL-intake surfaces
+- **Input sanitisation** with injection detection and boundary tagging
+- **No telemetry** — Nemoris does not phone home or collect usage data
+
+## Responsible Disclosure
+
+We follow responsible disclosure practices. If you report a vulnerability:
+
+- We will not take legal action against you for good-faith research
+- We will credit you in the release notes (unless you prefer anonymity)
+- We will coordinate disclosure timing with you
+
+## Deployment Boundaries
+
+Nemoris is a single operator, single-user runtime designed to run on your own machine.
+
+It is not designed to be:
+
+- a hardened multi-tenant sandbox
+- a public-facing web service
+- a shared server runtime
+
+For recovery procedures, see [docs/RECOVERY-FLOWS.md](docs/RECOVERY-FLOWS.md).
+
+## Vulnerability Tracking
+
+Known vulnerabilities are tracked via GitHub Security Advisories on this repository.
+
+## Dependencies
+
+Nemoris keeps dependencies minimal by design. We monitor for known vulnerabilities via `npm audit` and update promptly.

package/bin/nemoris

@@ -1,46 +1,46 @@
-#!/bin/sh
-set -eu
-
-SCRIPT_PATH=$0
-while [ -L "$SCRIPT_PATH" ]; do
-  SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$SCRIPT_PATH")" && pwd)
-  LINK_TARGET=$(readlink "$SCRIPT_PATH")
-  case "$LINK_TARGET" in
-    /*) SCRIPT_PATH="$LINK_TARGET" ;;
-    *) SCRIPT_PATH="$SCRIPT_DIR/$LINK_TARGET" ;;
-  esac
-done
-
-ROOT_DIR=$(CDPATH= cd -- "$(dirname -- "$SCRIPT_PATH")/.." && pwd)
-FILTERED_NODE_OPTIONS=""
-SKIP_NEXT=0
-
-for ARG in ${NODE_OPTIONS-}; do
-  if [ "$SKIP_NEXT" = "1" ]; then
-    SKIP_NEXT=0
-    case "$ARG" in
-      *disable_autoselectfamily.js*) continue ;;
-      *) FILTERED_NODE_OPTIONS="$FILTERED_NODE_OPTIONS $ARG"; continue ;;
-    esac
-  fi
-
-  case "$ARG" in
-    --require)
-      SKIP_NEXT=1
-      ;;
-    --require=*disable_autoselectfamily.js*)
-      ;;
-    *)
-      FILTERED_NODE_OPTIONS="$FILTERED_NODE_OPTIONS $ARG"
-      ;;
-  esac
-done
-
-FILTERED_NODE_OPTIONS=$(printf "%s" "$FILTERED_NODE_OPTIONS" | sed 's/^ //')
-if [ -n "$FILTERED_NODE_OPTIONS" ]; then
-  export NODE_OPTIONS="$FILTERED_NODE_OPTIONS"
-else
-  unset NODE_OPTIONS
-fi
-
-exec node "$ROOT_DIR/src/cli.js" "$@"
+#!/bin/sh
+set -eu
+
+SCRIPT_PATH=$0
+while [ -L "$SCRIPT_PATH" ]; do
+  SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$SCRIPT_PATH")" && pwd)
+  LINK_TARGET=$(readlink "$SCRIPT_PATH")
+  case "$LINK_TARGET" in
+    /*) SCRIPT_PATH="$LINK_TARGET" ;;
+    *) SCRIPT_PATH="$SCRIPT_DIR/$LINK_TARGET" ;;
+  esac
+done
+
+ROOT_DIR=$(CDPATH= cd -- "$(dirname -- "$SCRIPT_PATH")/.." && pwd)
+FILTERED_NODE_OPTIONS=""
+SKIP_NEXT=0
+
+for ARG in ${NODE_OPTIONS-}; do
+  if [ "$SKIP_NEXT" = "1" ]; then
+    SKIP_NEXT=0
+    case "$ARG" in
+      *disable_autoselectfamily.js*) continue ;;
+      *) FILTERED_NODE_OPTIONS="$FILTERED_NODE_OPTIONS $ARG"; continue ;;
+    esac
+  fi
+
+  case "$ARG" in
+    --require)
+      SKIP_NEXT=1
+      ;;
+    --require=*disable_autoselectfamily.js*)
+      ;;
+    *)
+      FILTERED_NODE_OPTIONS="$FILTERED_NODE_OPTIONS $ARG"
+      ;;
+  esac
+done
+
+FILTERED_NODE_OPTIONS=$(printf "%s" "$FILTERED_NODE_OPTIONS" | sed 's/^ //')
+if [ -n "$FILTERED_NODE_OPTIONS" ]; then
+  export NODE_OPTIONS="$FILTERED_NODE_OPTIONS"
+else
+  unset NODE_OPTIONS
+fi
+
+exec node "$ROOT_DIR/src/cli.js" "$@"

package/config/agents/agent.toml.example

@@ -1,28 +1,28 @@
-# Example agent configuration — copy this to create your own agent.
-#
-# cp agent.example.toml myagent.toml
-# Then edit the values below.
-
-id = "myagent"
-primary_lane = "interactive_primary"
-memory_policy = "default"
-tool_policy = "interactive_safe"
-soul_ref = "config/identity/myagent-soul.md"
-purpose_ref = "config/identity/myagent-purpose.md"
-
-# Where this agent reads/writes workspace files.
-# Relative to the Nemoris install directory.
-workspace_root = "workspace"
-
-# Files loaded into context at the start of each turn (optional).
-# workspace_context_files = ["MEMORY.md"]
-# workspace_context_cap = 8000
-
-[limits]
-max_tokens_per_turn = 16000
-max_tool_calls_per_turn = 6
-max_runtime_seconds = 120
-
-[access]
-workspace = "rw"
-network = "restricted"
+# Example agent configuration — copy this to create your own agent.
+#
+# cp agent.example.toml myagent.toml
+# Then edit the values below.
+
+id = "myagent"
+primary_lane = "interactive_primary"
+memory_policy = "default"
+tool_policy = "interactive_safe"
+soul_ref = "config/identity/myagent-soul.md"
+purpose_ref = "config/identity/myagent-purpose.md"
+
+# Where this agent reads/writes workspace files.
+# Relative to the Nemoris install directory.
+workspace_root = "workspace"
+
+# Files loaded into context at the start of each turn (optional).
+# workspace_context_files = ["MEMORY.md"]
+# workspace_context_cap = 8000
+
+[limits]
+max_tokens_per_turn = 16000
+max_tool_calls_per_turn = 6
+max_runtime_seconds = 120
+
+[access]
+workspace = "rw"
+network = "restricted"

package/config/agents/content.toml

@@ -0,0 +1,23 @@
+# Generated by nemoris migrate — edit to personalise
+# openclaw_model = "anthropic/claude-sonnet-4-6"
+id = "content"
+primary_lane = "interactive_primary"
+memory_policy = "default"
+tool_policy = "interactive_safe"
+soul_ref = "config/identity/content-soul.md"
+purpose_ref = "config/identity/content-purpose.md"
+workspace_root = "workspace"
+workspace_context_files = ["MEMORY.md", "AGENTS.md"]
+workspace_context_cap = 8000
+checkpoint_policy = "compact"
+skills = ["humanizer", "lee-content-writer", "obsidian", "gog", "agent-browser", "notebooklm"]
+tools_deny = ["cron"]
+
+[limits]
+max_tokens_per_turn = 16000
+max_tool_calls_per_turn = 6
+max_runtime_seconds = 120
+
+[access]
+workspace = "rw"
+network = "restricted"

package/config/agents/default.toml

@@ -1,22 +1,22 @@
-id = "assistant"
-primary_lane = "interactive_primary"
-memory_policy = "default"
-tool_policy = "interactive_safe"
-soul_ref = "config/identity/default-soul.md"
-purpose_ref = "config/identity/default-purpose.md"
-workspace_root = "~/.nemoris/workspace"
-
-[interaction_contract]
-ack_mode = "immediate"
-progress_mode = "milestone"
-notify_on_done = true
-notify_on_error = true
-
-[limits]
-max_tokens_per_turn = 16000
-max_tool_calls_per_turn = 6
-max_runtime_seconds = 120
-
-[access]
-workspace = "rw"
-network = "restricted"
+id = "assistant"
+primary_lane = "interactive_primary"
+memory_policy = "default"
+tool_policy = "interactive_safe"
+soul_ref = "config/identity/default-soul.md"
+purpose_ref = "config/identity/default-purpose.md"
+workspace_root = "~/.nemoris/workspace"
+
+[interaction_contract]
+ack_mode = "immediate"
+progress_mode = "milestone"
+notify_on_done = true
+notify_on_error = true
+
+[limits]
+max_tokens_per_turn = 16000
+max_tool_calls_per_turn = 6
+max_runtime_seconds = 120
+
+[access]
+workspace = "rw"
+network = "restricted"

package/config/agents/heartbeat.toml

@@ -0,0 +1,35 @@
+id = "heartbeat"
+workspace_root = "$HOME/Documents/Obsidian_Vault"
+primary_lane = "local_cheap"
+memory_policy = "heartbeat"
+tool_policy = "heartbeat_minimal"
+checkpoint_policy = "none"
+allow_jobs = ["heartbeat-check", "workspace-health"]
+soul_ref = "config/identity/heartbeat-soul.md"
+purpose_ref = "config/identity/heartbeat-purpose.md"
+memory_backends = ["file", "qmd"]
+qmd_supplement_limit = 2
+
+[interaction_contract]
+ack_mode = "silent"
+progress_mode = "none"
+notify_on_done = false
+notify_on_error = true
+requires_pingback = false
+pingback_target = "scheduler_log"
+completion_signal = "heartbeat_ok"
+failure_signal = "heartbeat_error"
+handoff_format = "concise_status"
+completion_sections = ["status"]
+
+[delivery]
+profile = "shadow_scheduler"
+
+[limits]
+max_tokens_per_turn = 4000
+max_tool_calls_per_turn = 3
+max_runtime_seconds = 30
+
+[access]
+workspace = "ro"
+network = "restricted"

package/config/agents/iris.toml

@@ -0,0 +1,23 @@
+# Generated by nemoris migrate — edit to personalise
+# openclaw_model = "anthropic/claude-haiku-4-5"
+id = "iris"
+primary_lane = "local_cheap"
+memory_policy = "default"
+tool_policy = "interactive_safe"
+soul_ref = "config/identity/iris-soul.md"
+purpose_ref = "config/identity/iris-purpose.md"
+workspace_root = "workspace"
+workspace_context_files = ["MEMORY.md", "AGENTS.md"]
+workspace_context_cap = 8000
+checkpoint_policy = "compact"
+skills = ["agent-review", "implementation-safety", "release-handoff", "self-improvement", "ux-flow-audit", "verification-evidence", "agent-browser", "notebooklm"]
+tools_deny = ["cron"]
+
+[limits]
+max_tokens_per_turn = 16000
+max_tool_calls_per_turn = 6
+max_runtime_seconds = 120
+
+[access]
+workspace = "rw"
+network = "restricted"

package/config/agents/lab.toml

@@ -0,0 +1,23 @@
+# Generated by nemoris migrate — edit to personalise
+# openclaw_model = "openrouter/openai/gpt-5.2"
+id = "lab"
+primary_lane = "interactive_primary"
+memory_policy = "default"
+tool_policy = "interactive_safe"
+soul_ref = "config/identity/lab-soul.md"
+purpose_ref = "config/identity/lab-purpose.md"
+workspace_root = "workspace"
+workspace_context_files = ["MEMORY.md", "AGENTS.md"]
+workspace_context_cap = 8000
+checkpoint_policy = "compact"
+skills = ["model-usage", "self-improvement", "verification-evidence"]
+tools_deny = ["cron"]
+
+[limits]
+max_tokens_per_turn = 16000
+max_tool_calls_per_turn = 6
+max_runtime_seconds = 120
+
+[access]
+workspace = "rw"
+network = "restricted"

package/config/agents/main.toml

@@ -0,0 +1,45 @@
+id = "main"
+name = "Kodi"
+workspace_root = "workspace"
+primary_lane = "interactive_primary"
+memory_policy = "default"
+tool_policy = "interactive_safe"
+checkpoint_policy = "compact"
+allow_jobs = ["memory-rollup"]
+soul_ref = "config/identity/main-soul.md"
+purpose_ref = "config/identity/main-purpose.md"
+user_ref = "config/identity/main-user.md"
+workspace_context_files = ["MEMORY.md", "AGENTS.md", "SOUL.md", "IDENTITY.md", "USER.md", "TOOLS.md"]
+workspace_context_cap = 12000
+memory_backends = ["file", "qmd"]
+qmd_supplement_limit = 2
+
+[interaction_contract]
+ack_mode = "immediate"
+progress_mode = "milestone"
+progress_after_seconds = 120
+max_silence_seconds = 240
+notify_on_done = true
+notify_on_error = true
+requires_pingback = true
+pingback_target = "same_thread"
+completion_signal = "completed"
+failure_signal = "blocked"
+handoff_format = "coding_completion"
+completion_sections = ["status", "changes", "verification", "next_actions"]
+
+[delivery]
+profile = "gateway_telegram_main"
+
+[limits]
+max_tokens_per_turn = 24000
+max_tool_calls_per_turn = 6
+max_runtime_seconds = 120
+compaction_condensed_fanout = 10
+compaction_threshold_turns = 24
+
+exec_approvals = true
+
+[access]
+workspace = "rw"
+network = "restricted"

package/config/agents/nemo.toml

@@ -0,0 +1,21 @@
+id = "nemo"
+primary_lane = "interactive_primary"
+memory_policy = "default"
+tool_policy = "interactive_safe"
+soul_ref = "config/identity/default-soul.md"
+purpose_ref = "config/identity/default-purpose.md"
+workspace_root = "workspace"
+workspace_context_files = ["MEMORY.md", "USER.md", "AGENTS.md"]
+workspace_context_cap = 8000
+checkpoint_policy = "compact"
+
+[limits]
+max_tokens_per_turn = 16000
+max_tool_calls_per_turn = 6
+max_runtime_seconds = 120
+
+exec_approvals = false
+
+[access]
+workspace = "rw"
+network = "restricted"

package/config/agents/ops.toml

@@ -0,0 +1,38 @@
+id = "ops"
+workspace_root = "$HOME/.openclaw"
+primary_lane = "local_cheap"
+fallback_lane = "job_heavy"
+memory_policy = "ops"
+tool_policy = "ops_bounded"
+checkpoint_policy = "resumable"
+allow_jobs = ["workspace-health", "memory-rollup"]
+soul_ref = "config/identity/ops-soul.md"
+purpose_ref = "config/identity/ops-purpose.md"
+memory_backends = ["file", "qmd"]
+qmd_supplement_limit = 2
+
+[interaction_contract]
+ack_mode = "immediate"
+progress_mode = "long_running"
+progress_after_seconds = 90
+max_silence_seconds = 180
+notify_on_done = true
+notify_on_error = true
+requires_pingback = true
+pingback_target = "same_thread"
+completion_signal = "done"
+failure_signal = "error"
+handoff_format = "structured_handoff"
+completion_sections = ["status", "evidence", "next_actions"]
+
+[delivery]
+profile = "gateway_telegram_main"
+
+[limits]
+max_tokens_per_turn = 8000
+max_tool_calls_per_turn = 5
+max_runtime_seconds = 90
+
+[access]
+workspace = "rw"
+network = "restricted"

package/config/agents/orchestrator.toml

@@ -1,18 +1,18 @@
-id = "orchestrator"
-soul_ref = "config/identity/orchestrator-soul.md"
-purpose_ref = "config/identity/orchestrator-purpose.md"
-primary_lane = "local_cheap"
-fallback_lane = "interactive_fallback"
-tool_policy = "orchestrator"
-memory_policy = "orchestrator"
-
-[limits]
-max_tokens_per_turn = 2700
-
-[routing.static]
-"heartbeat-check" = "heartbeat"
-
-[routing.dynamic]
-enabled = true
-model_lane = "local_cheap"
-max_routing_tokens = 500
+id = "orchestrator"
+soul_ref = "config/identity/orchestrator-soul.md"
+purpose_ref = "config/identity/orchestrator-purpose.md"
+primary_lane = "local_cheap"
+fallback_lane = "interactive_fallback"
+tool_policy = "orchestrator"
+memory_policy = "orchestrator"
+
+[limits]
+max_tokens_per_turn = 2700
+
+[routing.static]
+"heartbeat-check" = "heartbeat"
+
+[routing.dynamic]
+enabled = true
+model_lane = "local_cheap"
+max_routing_tokens = 500

package/config/agents/revenue.toml

@@ -0,0 +1,23 @@
+# Generated by nemoris migrate — edit to personalise
+# openclaw_model = "anthropic/claude-haiku-4-5"
+id = "revenue"
+primary_lane = "local_cheap"
+memory_policy = "default"
+tool_policy = "interactive_safe"
+soul_ref = "config/identity/revenue-soul.md"
+purpose_ref = "config/identity/revenue-purpose.md"
+workspace_root = "workspace"
+workspace_context_files = ["MEMORY.md", "AGENTS.md"]
+workspace_context_cap = 8000
+checkpoint_policy = "compact"
+skills = ["github", "gog", "obsidian", "agent-review", "business-advisor", "codex-agent", "coding-cli-stack", "cursor-agent", "frontend-design", "gemini-agent", "implementation-safety", "lemonsqueezy", "product-autopilot", "reddit-engage", "release-handoff", "self-improvement", "ux-flow-audit", "verification-evidence", "webapp-testing", "agent-browser", "notebooklm"]
+tools_deny = ["cron"]
+
+[limits]
+max_tokens_per_turn = 16000
+max_tool_calls_per_turn = 6
+max_runtime_seconds = 120
+
+[access]
+workspace = "rw"
+network = "restricted"