nyxora 1.0.8 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. package/README.md +8 -2
  2. package/SECURITY.md +5 -4
  3. package/config.yaml +2 -1
  4. package/dashboard/dist/assets/index-DR9Ii-ZU.js +9 -0
  5. package/dashboard/dist/index.html +1 -1
  6. package/dist/agent/reasoning.js +6 -41
  7. package/dist/agent/transactionManager.js +38 -0
  8. package/dist/gateway/cli.js +30 -37
  9. package/dist/gateway/server.js +53 -41
  10. package/dist/gateway/setup.js +26 -16
  11. package/dist/gateway/telegram.js +62 -2
  12. package/dist/gateway/test.js +0 -35
  13. package/dist/utils/crypto.js +35 -0
  14. package/dist/utils/state.js +30 -0
  15. package/dist/web3/config.js +3 -41
  16. package/dist/web3/skills/swapToken.js +6 -0
  17. package/dist/web3/skills/transfer.js +7 -2
  18. package/package.json +1 -2
  19. package/dashboard/dist/assets/index-BJ1Hl0fx.js +0 -9
package/README.md CHANGED
@@ -12,6 +12,12 @@ With a beautiful, real-time dashboard inspired by modern control centers, Nyxora
12
12
  * **Deep Personalization**: Feed the agent custom rules via `user.md` and define its core persona via `IDENTITY.md`.
13
13
  * **Multi-Lingual Auto-Sync**: The agent natively detects your language and replies in the exact same language automatically.
14
14
 
15
+ ### 🛡️ Production-Ready Security (NEW in v1.0.9)
16
+ * **Encrypted Local Keystore**: No more `.env` leaks. Your Private Key is encrypted using `AES-256-GCM` and locked behind a custom **Master Password**.
17
+ * **Human-in-the-Loop Sandboxing**: The agent CANNOT execute transactions on its own. All transactions (Transfers & Swaps) are queued in a **Transaction Manager** and require explicit 1-click Approval from you.
18
+ * **Omnichannel Approvals**: Approve or reject pending transactions directly from the Web Dashboard's UI or via Telegram Inline Keyboard buttons on the go!
19
+ * **Strict API Auth**: The local Express server is protected via ephemeral Session Tokens (`x-nyxora-token`) and Strict CORS, preventing unauthorized local API requests.
20
+
15
21
  ### ⛓️ Web3 DeFi Skills
16
22
  * **Multi-Chain Support**: Operate across Ethereum, Base, BSC, Arbitrum, Optimism, and Sepolia Testnet.
17
23
  * **Native Wallet Operations**: Autonomously check balances and transfer native tokens using securely injected wallets.
@@ -45,9 +51,9 @@ On first launch, Nyxora will greet you with an **Interactive Setup Wizard**. Thi
45
51
 
46
52
  Nyxora will automatically:
47
53
  1. Initialize a secure vault in your `~/.nyxora/` directory.
48
- 2. Store your Wallet Private Key securely in `~/.nyxora/.env`.
54
+ 2. Store your Wallet Private Key securely in an encrypted `~/.nyxora/keystore.json` locked by your Master Password.
49
55
  3. Store operational data (API Keys, RPCs) in `~/.nyxora/config.yaml`.
50
- 4. Start the local server and open the Web Dashboard automatically!
56
+ 4. Start the local server, generate a secure Session Token, and open the Web Dashboard automatically!
51
57
 
52
58
  > 💡 **Tip:** You can invoke the setup wizard at any time to update your keys by running `nyxora setup`.
53
59
 
package/SECURITY.md CHANGED
@@ -13,7 +13,8 @@ Instead, please send an email to the repository owner or reach out privately. We
13
13
  ## Best Practices for Users
14
14
  When using Nyxora, you are configuring an autonomous agent that has direct access to your injected Web3 Wallet's private key.
15
15
 
16
- 1. **NEVER commit your `.env` file**. The `.gitignore` in this repository explicitly ignores `.env` files to prevent accidental leakage.
17
- 2. **Use Testnets**: While getting started or testing new skills, ALWAYS use a testnet (e.g., Sepolia) and a wallet containing only testnet funds.
18
- 3. **Do Not Share Your `memory.json`**: The agent's memory may contain sensitive conversational data or addresses you've interacted with. Be cautious before sharing the `memory.json` export.
19
- 4. **API Keys**: Treat your OpenAI, Gemini, and other LLM provider API keys as highly confidential. Rotate them immediately if you suspect a compromise.
16
+ 1. **Protect Your Keystore**: Your private key is encrypted and stored in `~/.nyxora/keystore.json`. While it is encrypted using `AES-256-GCM`, you must still treat it and your **Master Password** as highly sensitive. NEVER share your `keystore.json` or your Master Password with anyone.
17
+ 2. **Human-in-the-Loop Verification**: The agent is restricted from making unilateral transactions. Always review the exact details of the transaction when prompted to "Approve" or "Reject" on the Web Dashboard or Telegram Inline Keyboard before confirming.
18
+ 3. **Use Testnets**: While getting started or testing new skills, ALWAYS use a testnet (e.g., Sepolia) and a wallet containing only testnet funds.
19
+ 4. **Do Not Share Your `memory.json`**: The agent's memory may contain sensitive conversational data or addresses you've interacted with. Be cautious before sharing the `memory.json` export.
20
+ 5. **API Keys**: Treat your OpenAI, Gemini, and other LLM provider API keys as highly confidential. Rotate them immediately if you suspect a compromise.
package/config.yaml CHANGED
@@ -5,7 +5,8 @@ llm:
5
5
  provider: gemini
6
6
  model: gemini-2.5-flash
7
7
  temperature: 0.2
8
- credentials: {}
8
+ credentials:
9
+ gemini_key: AIzaSyDBlde1SSp_kbTweW1QXHknwzRTYHp98IQ
9
10
  memory:
10
11
  type: file
11
12
  path: ./memory.json