nyxora 1.0.7 → 1.0.9

package/README.md

@@ -7,11 +7,17 @@ With a beautiful, real-time dashboard inspired by modern control centers, Nyxora
 ## Features ✨
 
 ### 🧠 Core Agent Capabilities
-*   **Multi-LLM Support**: Seamlessly switch between Google Gemini, OpenAI, or local Ollama models dynamically.
+*   **Multi-LLM Support**: Seamlessly switch between Google Gemini, OpenAI, OpenRouter (unlimited models!), or local Ollama models dynamically.
 *   **Round-Robin API Rotation**: Add up to 10 API keys via the dashboard. The system will auto-rotate them to prevent rate-limiting and token drain.
 *   **Deep Personalization**: Feed the agent custom rules via `user.md` and define its core persona via `IDENTITY.md`.
 *   **Multi-Lingual Auto-Sync**: The agent natively detects your language and replies in the exact same language automatically.
 
+### 🛡️ Production-Ready Security (NEW in v1.0.9)
+*   **Encrypted Local Keystore**: No more `.env` leaks. Your Private Key is encrypted using `AES-256-GCM` and locked behind a custom **Master Password**.
+*   **Human-in-the-Loop Sandboxing**: The agent CANNOT execute transactions on its own. All transactions (Transfers & Swaps) are queued in a **Transaction Manager** and require explicit 1-click Approval from you.
+*   **Omnichannel Approvals**: Approve or reject pending transactions directly from the Web Dashboard's UI or via Telegram Inline Keyboard buttons on the go!
+*   **Strict API Auth**: The local Express server is protected via ephemeral Session Tokens (`x-nyxora-token`) and Strict CORS, preventing unauthorized local API requests.
+
 ### ⛓️ Web3 DeFi Skills
 *   **Multi-Chain Support**: Operate across Ethereum, Base, BSC, Arbitrum, Optimism, and Sepolia Testnet.
 *   **Native Wallet Operations**: Autonomously check balances and transfer native tokens using securely injected wallets.
@@ -41,15 +47,18 @@ No need to navigate to any specific folder! Just type:
 ```bash
 nyxora
 ```
+On first launch, Nyxora will greet you with an **Interactive Setup Wizard**. This CLI wizard will guide you to securely configure your LLM providers, API keys, and Web3 Wallet.
+
 Nyxora will automatically:
-1. Initialize a secure vault in your `~/.nyxora/` directory (where your `.env` and `memory.json` will safely live).
-2. Start the local server.
-3. Open the gorgeous Web Dashboard automatically in your default browser!
+1. Initialize a secure vault in your `~/.nyxora/` directory.
+2. Store your Wallet Private Key securely in an encrypted `~/.nyxora/keystore.json` locked by your Master Password.
+3. Store operational data (API Keys, RPCs) in `~/.nyxora/config.yaml`.
+4. Start the local server, generate a secure Session Token, and open the Web Dashboard automatically!
 
-### 3. Configuration
-When the dashboard opens, simply enter your **OpenAI/Gemini API Key** and your **Wallet Private Key** in the Settings tab. These are securely saved in your local OS environment (`~/.nyxora/.env`) and never exposed to the internet.
+> 💡 **Tip:** You can invoke the setup wizard at any time to update your keys by running `nyxora setup`.
 
----
+### 3. Configuration
+When the dashboard opens, you can modify any operational parameters in the **Settings** tab. The dashboard allows you to type custom model names, switch RPCs, and rotate your API keys effortlessly.
 
 ## Local Development (For Contributors) 🏗️
 

package/SECURITY.md

@@ -13,7 +13,8 @@ Instead, please send an email to the repository owner or reach out privately. We
 ## Best Practices for Users
 When using Nyxora, you are configuring an autonomous agent that has direct access to your injected Web3 Wallet's private key.
 
-1. **NEVER commit your `.env` file**. The `.gitignore` in this repository explicitly ignores `.env` files to prevent accidental leakage.
-2. **Use Testnets**: While getting started or testing new skills, ALWAYS use a testnet (e.g., Sepolia) and a wallet containing only testnet funds.
-3. **Do Not Share Your `memory.json`**: The agent's memory may contain sensitive conversational data or addresses you've interacted with. Be cautious before sharing the `memory.json` export.
-4. **API Keys**: Treat your OpenAI, Gemini, and other LLM provider API keys as highly confidential. Rotate them immediately if you suspect a compromise.
+1. **Protect Your Keystore**: Your private key is encrypted and stored in `~/.nyxora/keystore.json`. While it is encrypted using `AES-256-GCM`, you must still treat it and your **Master Password** as highly sensitive. NEVER share your `keystore.json` or your Master Password with anyone.
+2. **Human-in-the-Loop Verification**: The agent is restricted from making unilateral transactions. Always review the exact details of the transaction when prompted to "Approve" or "Reject" on the Web Dashboard or Telegram Inline Keyboard before confirming.
+3. **Use Testnets**: While getting started or testing new skills, ALWAYS use a testnet (e.g., Sepolia) and a wallet containing only testnet funds.
+4. **Do Not Share Your `memory.json`**: The agent's memory may contain sensitive conversational data or addresses you've interacted with. Be cautious before sharing the `memory.json` export.
+5. **API Keys**: Treat your OpenAI, Gemini, and other LLM provider API keys as highly confidential. Rotate them immediately if you suspect a compromise.

package/config.yaml

@@ -5,6 +5,11 @@ llm:
   provider: gemini
   model: gemini-2.5-flash
   temperature: 0.2
+  credentials:
+    gemini_key: AIzaSyDBlde1SSp_kbTweW1QXHknwzRTYHp98IQ
 memory:
   type: file
   path: ./memory.json
+integrations:
+  telegram:
+    enabled: false