nyxora 1.4.6 → 1.4.8

package/README.md

@@ -2,9 +2,9 @@
 **Secure AI execution framework for Web3 agents.**
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Security: Security-First](https://img.shields.io/badge/Security-Security--First-blue.svg)](#)
-[![Execution: Human-in-the-Loop](https://img.shields.io/badge/Execution-Human--in--the--Loop-orange.svg)](#)
-[![Privacy: Local-Only Keys](https://img.shields.io/badge/Privacy-Local--Only--Keys-success.svg)](#)
+[![Security: Security-First](https://img.shields.io/badge/Security-Security--First-blue.svg)](#️-security-threat-model--permission-boundary)
+[![Execution: Human-in-the-Loop](https://img.shields.io/badge/Execution-Human--in--the--Loop-orange.svg)](#📐-architecture-workflow)
+[![Privacy: Local-Only Keys](https://img.shields.io/badge/Privacy-Local--Only--Keys-success.svg)](#️-security-threat-model--permission-boundary)
 
 Nyxora is a **secure, non-custodial runtime infrastructure for autonomous onchain agents** built with Node.js and React. Designed for autonomous workflows with a premium Glassmorphism UI dashboard and strict client-side key isolation. It operates under a strict **Human-in-the-Loop** execution model for financial transactions.
 
@@ -73,7 +73,7 @@ npm run build && npm run start
 
 For complete technical deep-dives, please visit our official VitePress Documentation Site!
 
-> **🔗 [Read the Full Nyxora Documentation Here](#)**
+> **🔗 [Read the Full Nyxora Documentation Here](https://perasyudha.github.io/Nyxora/)**
 
 *(Includes guides on Secure Wallet Imports, API Key Rotations, Troubleshooting, and Custom Skill Development).*
 

package/dist/system/pluginManager.js

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.pluginManager = exports.PluginManager = void 0;
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
+const vm_1 = __importDefault(require("vm"));
 class PluginManager {
     skills = new Map();
     async loadPlugins() {
@@ -18,20 +19,43 @@ class PluginManager {
         for (const file of files) {
             if (file.endsWith('.js') || file.endsWith('.ts')) {
                 try {
-                    // Dynamic import requires relative path from this file or absolute path
-                    // For TS compiled to JS, absolute path is safer
                     const absolutePath = path_1.default.resolve(pluginsDir, file);
-                    // Note: In development with ts-node, requiring .ts works. 
-                    // In production, we need compiled .js files.
-                    const module = require(absolutePath);
-                    if (module.toolDefinition && module.execute) {
-                        const toolName = module.toolDefinition.function.name;
-                        this.skills.set(toolName, module);
-                        console.log(`[PluginManager] Loaded external skill: ${toolName}`);
+                    const code = fs_1.default.readFileSync(absolutePath, 'utf8');
+                    // Construct a restricted require function for the sandbox
+                    const restrictedRequire = (moduleName) => {
+                        const blockedModules = ['fs', 'child_process', 'os', 'net', 'tls', 'cluster', 'worker_threads'];
+                        if (blockedModules.includes(moduleName)) {
+                            throw new Error(`Sandboxing error: Access to the '${moduleName}' module is blocked for security reasons.`);
+                        }
+                        // Allow fetch and other safe modules by delegating to actual require
+                        return require(moduleName);
+                    };
+                    // Create the sandbox environment
+                    const sandbox = {
+                        require: restrictedRequire,
+                        console: console,
+                        module: { exports: {} },
+                        exports: {},
+                        process: { env: {} }, // Hide actual environment variables
+                        Buffer: Buffer,
+                        setTimeout: setTimeout,
+                        clearTimeout: clearTimeout,
+                        setInterval: setInterval,
+                        clearInterval: clearInterval,
+                    };
+                    const context = vm_1.default.createContext(sandbox);
+                    const script = new vm_1.default.Script(code, { filename: file });
+                    // Execute the plugin code inside the VM
+                    script.runInContext(context);
+                    const moduleExports = sandbox.module.exports;
+                    if (moduleExports.toolDefinition && moduleExports.execute) {
+                        const toolName = moduleExports.toolDefinition.function.name;
+                        this.skills.set(toolName, moduleExports);
+                        console.log(`[PluginManager] Loaded sandboxed external skill: ${toolName}`);
                     }
                 }
                 catch (error) {
-                    console.error(`[PluginManager] Failed to load plugin ${file}:`, error);
+                    console.error(`[PluginManager] Failed to load sandboxed plugin ${file}:`, error.message);
                 }
             }
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nyxora",
-  "version": "1.4.6",
+  "version": "1.4.8",
   "description": "",
   "main": "dist/gateway/cli.js",
   "files": [