nyxora 1.5.0 → 1.5.2

package/CHANGELOG.md

@@ -0,0 +1,43 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.4.5]
+
+### Fixed
+- Re-rendered Architecture Workflow diagram as a solid-background PNG to fix dark mode visibility issues.
+- Added `assets` directory to the NPM package `files` list so the diagram is included in published packages.
+- Added `repository` field in `package.json` for proper GitHub link resolution on NPMJS.
+- Updated `README.md` to use the absolute raw GitHub image URL for universal rendering compatibility.
+
+## [1.4.4]
+
+### Fixed
+- Fixed Architecture Workflow diagram rendering issue on NPM by replacing the `mermaid` code block with a static SVG image.
+
+## [1.4.3]
+
+### Changed
+- Completely rewrote `README.md` (English) to follow the structured, security-first Web3-Ops template. 
+
+## [1.4.2]
+
+### Changed
+- Updated `README.md` to highlight Web3-Ops capabilities (System Automation, NLP Security Policies, and Dynamic Plugins).
+
+## [1.4.0]
+
+### Added
+- **System Automation Capabilities**: Allow Nyxora to execute shell commands, read/write local files, and browse the web autonomously.
+- **NLP Security Policy**: Users can enforce rules (e.g. "do not touch partition E") in plain text via the chat, which Nyxora respects autonomously.
+- **Plugin System**: Dynamically load third-party skills from the `src/external_skills` folder without modifying the core codebase.
+
+### Changed
+- Moved AI initialization logic to support dynamic importing of external skills.
+- UI Settings: Fixed a fatal rendering bug when the configuration lacks `api_keys` array formatting.
+
+### Fixed
+- Fixed bug on rendering Settings menu due to incorrect `config.yaml` types.

package/README.md

@@ -1,81 +1,101 @@
 # Nyxora Agent 🤖
-**Secure AI execution framework for Web3 agents.**
+**Production-Grade Secure AI Execution Framework for Web3 Agents.**
 
+[![Version](https://img.shields.io/badge/version-1.5.2-blue.svg)](https://github.com/perasyudha/Nyxora)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Security: Security-First](https://img.shields.io/badge/Security-Security--First-blue.svg)](#️-security-threat-model--permission-boundary)
-[![Execution: Human-in-the-Loop](https://img.shields.io/badge/Execution-Human--in--the--Loop-orange.svg)](#📐-architecture-workflow)
-[![Privacy: Local-Only Keys](https://img.shields.io/badge/Privacy-Local--Only--Keys-success.svg)](#️-security-threat-model--permission-boundary)
+[![Security: Production-Grade](https://img.shields.io/badge/Security-Production--Grade-blue.svg)](#️-advanced-security-threat-model)
+[![Execution: Cryptographic Approval](https://img.shields.io/badge/Execution-Cryptographic--Approval-orange.svg)](#️-advanced-security-threat-model)
+[![Privacy: Local-Only Keys](https://img.shields.io/badge/Privacy-Local--Only--Keys-success.svg)](#️-advanced-security-threat-model)
 
-Nyxora is a **secure, non-custodial runtime infrastructure for autonomous onchain agents** built with Node.js and React. Designed for autonomous workflows with a premium Glassmorphism UI dashboard and strict client-side key isolation. It operates under a strict **Human-in-the-Loop** execution model for financial transactions.
+Nyxora (v1.5.2) is a **secure, non-custodial runtime infrastructure for autonomous onchain agents** built with a robust Monorepo architecture (Node.js & React). Designed for autonomous workflows with a premium Glassmorphism UI dashboard and strict client-side key isolation. 
+
+It operates under an institutional-grade **Cryptographically Bound Human-in-the-Loop** execution model, ensuring that Remote AIs (LLMs) never have unilateral access to your funds.
 
 ---
 
 ## 🔥 Key Features
 
-### Advanced Trading, Security & Operations
+### Advanced Security Architecture (v1.5.2)
+*   **3-Tier IPC Architecture**: Nyxora is split into isolated processes: **Core** (LLM Runtime), **Policy Engine** (Guardrails on port 3001), and **Signer Vault** (Isolated Key Manager on Unix Sockets).
+*   **Cryptographically Bound Approval**: Policy changes and transactions requested by the AI are drafted as hashes (`sha256`). Approval via the UI requires a challenge nonce, preventing Man-in-the-Middle (MITM) attacks.
+*   **Immutable Policy Guardrails**: Transaction limits (e.g. `max_usd_per_tx`) are strictly enforced by the Policy Engine. The LLM has zero write-access to bypass these rules.
+
+### Core Operations & Web3 Execution
 *   **System Automation & Full OS Access**: Instruct the agent to read/write local files, run terminal commands, and browse the web natively.
-*   **NLP Security Policy**: Command Nyxora using natural language to set security boundaries (e.g., *"Never touch partition E"*). Nyxora autonomously enforces these rules.
-*   **Dynamic Plugin Sandboxing**: Dynamically load community-built skills with restricted FS/Shell access to prevent supply chain attacks and malicious payloads.
 *   **Anti-Rugpull & Security Scanner**: Nyxora can scan smart contracts via GoPlus Labs to detect Honeypots, Hidden Taxes, and malicious proxy upgrades before you buy.
-*   **Automated Limit Orders**: Set natural language rules (e.g., "Sell my PEPE if price drops below $0.001"). Nyxora runs a background cron monitor and executes the swap while you sleep.
+*   **Automated Limit Orders**: Set natural language rules (e.g., "Sell my PEPE if price drops below $0.001"). Nyxora runs a background cron monitor and executes the swap while you sleep (Auto-Approve Bypass configured safely).
 *   **PNL & Portfolio Tracking**: The AI scans your wallets and multiplies balances by live DEX prices to give you real-time Net Worth estimations.
 
-### Core Features
+### AI & UI Customization
 *   **Multi-LLM Support**: Seamlessly switch between Google Gemini, OpenAI, OpenRouter, or local Ollama models.
 *   **Premium Glassmorphism UI**: A gorgeous, resizable split-pane interface with Pseudo-Generative UI widgets (`<BalanceWidget>`, `<MarketWidget>`, `<SwapWidget>`).
-*   **Round-Robin API Rotation**: Add up to 10 API keys via the dashboard. The system will auto-rotate them to prevent rate-limiting and token drain.
 *   **Deep Personalization**: Feed the agent custom rules via `user.md` and define its core persona via `IDENTITY.md`.
 
 ---
 
 ## 📐 Architecture Workflow
 
-This diagram shows how user interactions flow through the Nyxora Agent, from chat input to on-chain or OS execution:
-
-![Architecture Workflow](https://raw.githubusercontent.com/perasyudha/Nyxora/main/assets/architecture.png)
+The following diagram illustrates Nyxora's **3-Tier Monorepo Architecture**, showing the isolated communication channels (REST API and Unix Socket).
+
+```mermaid
+flowchart TD
+    User([👨‍💻 Human Operator]) --> |Prompt / Dashboard| Core
+    
+    subgraph Nyxora Architecture
+        Core[🤖 Core Agent\nLLM Runtime & Plugins\nPort: 3000]
+        Policy[🛡️ Policy Engine\nGuardrails & Enforcements\nPort: 3001]
+        Signer[🔒 Signer Vault\nPrivate Keys\nUnix Socket]
+    end
+
+    Core -->|1. Propose Tx / Policy| Policy
+    Policy -.->|2. Request Challenge Nonce| User
+    User -.->|3. Cryptographic Approval| Policy
+    Policy -->|4. If Valid, Pass to Signer| Signer
+    Signer -->|5. Sign & Broadcast| Blockchain[(Blockchain)]
+```
 
 ---
 
-## 🛡️ Security, Threat Model & Permission Boundary
+## 🛡️ Advanced Security & Threat Model
+
+This agent is designed with a **Zero-Knowledge to LLM** architectural pattern. 
 
-This agent is designed with a **Zero-Knowledge to LLM** architectural pattern to ensure the highest levels of security for investors and users:
+*   **Zero-Knowledge LLM**: Remote AI Agents and Large Language Models (LLMs) **never** handle your private keys. The LLM only generates structured JSON tool calls.
+*   **Cryptographic Memory Isolation**: Transaction signing occurs strictly client-side within the `Signer Vault` (a separate process). It is communicated via a secure Unix Socket (`/tmp/nyxora-signer.sock`).
+*   **Immutable Policy Store & HMAC**: Security rules (`policy.yaml`) are treated as immutable configurations during runtime. Changes require explicit cryptographic human approval. 
+*   **Plugin Sandboxing**: Built with future plugin ecosystems in mind. Third-party plugins are explicitly denied unrestricted `fs` (FileSystem) and `shell` access to prevent supply chain attacks.
 
-*   **Zero-Knowledge to AI Agent (LLM)**: Remote AI Agents and Large Language Models (LLMs) **never** handle your private keys. The LLM only generates structured JSON tool calls.
-*   **Cryptographic Memory Isolation**: Transaction signing occurs strictly client-side within the local Node.js process runtime using `viem`. `~/.nyxora/keystore.json` is encrypted with AES-256-GCM.
-*   **Plugin Sandboxing**: Built with future plugin ecosystems in mind. Third-party plugins are explicitly denied unrestricted `fs` (FileSystem) and `shell` access to prevent supply chain attacks and malicious execution.
-*   **Human-in-the-Loop**: Write actions (like transfers, swaps, bridges) require manual confirmation from the human operator before broadcasting.
+*(Note: HMAC Signing & Challenge Nonce strict validations are part of the upcoming v1.6.0 Implementation Roadmap, currently documented as our official Security Blueprint in v1.5.2)*
 
 ---
 
 ## 🚀 Quick Start & Installation
 
-### 1. General Users (CLI Install)
-Open your terminal (Command Prompt, PowerShell, or Linux Terminal) and run:
-```bash
-npm install -g nyxora
-nyxora setup
-```
-The Interactive Setup Wizard will securely generate a local vault, configure your LLM, and offer to Auto-Generate a Web3 Wallet for you.
+### Local Development & Execution
+With the new v1.5.2 Monorepo architecture, launching Nyxora is completely automated via the internal `launcher.ts` orchestrator.
 
-### 2. Local Development (For Contributors)
-If you want to modify Nyxora's code, build new skills, or contribute:
 ```bash
 git clone https://github.com/perasyudha/Nyxora.git
 cd Nyxora
 npm install
-cd dashboard && npm install && cd ..
-npm run build && npm run start
+
+# Build all monorepo packages (Core, Policy, Signer, Dashboard)
+npm run build --workspaces
+
+# Start the Nyxora Orchestrator
+npm start
 ```
+*`npm start` will automatically boot the Core, Policy Engine, Signer Vault, and Local Dashboard UI.*
 
 ---
 
 ## 📖 Official Documentation
 
-For complete technical deep-dives, please visit our official VitePress Documentation Site!
+For complete technical deep-dives into our Cryptographic Architecture, please visit our official VitePress Documentation Site!
 
 > **🔗 [Read the Full Nyxora Documentation Here](https://perasyudha.github.io/Nyxora/)**
 
-*(Includes guides on Secure Wallet Imports, API Key Rotations, Troubleshooting, and Custom Skill Development).*
+*(Includes guides on Secure Wallet Imports, Architecture Blueprints, Troubleshooting, and Custom Skill Development).*
 
 ---
 **License:** MIT License

package/SECURITY.md

@@ -1,22 +1,65 @@
-# Security Policy
+# Nyxora Security Architecture & Threat Model
 
-## Supported Versions
+Nyxora (v1.5.2) employs an institutional-grade, **Cryptographically Bound Human-in-the-Loop** security model to protect user assets and private keys against compromised LLMs, supply chain attacks, and prompt injections.
 
-Currently, the Nyxora project is in active development. Only the latest commit on the `main` branch is supported with security updates.
+---
 
-## Reporting a Vulnerability
+## 1. Zero-Knowledge LLM Architecture
 
-If you discover a security vulnerability within this project, please **do not** open a public issue. We take security very seriously.
+The core philosophy of Nyxora is **Zero-Knowledge to the LLM**. 
 
-Instead, please send an email to the repository owner or reach out privately. We will endeavor to respond and provide a patch as quickly as possible.
+Large Language Models (LLMs) are incredibly powerful reasoning engines, but they are inherently vulnerable to Prompt Injection and hallucinations. Therefore, the LLM must *never* have unilateral access to private keys or the ability to bypass security guardrails.
 
-## Best Practices for Users
-When using Nyxora, you are configuring an autonomous agent that has direct access to your injected Web3 Wallet's private key.
+To achieve this, Nyxora uses a **3-Tier Monorepo IPC (Inter-Process Communication)** architecture:
+1. **Core Runtime (Port 3000):** Executes the LLM logic, handles the UI dashboard, and processes chat inputs.
+2. **Policy Engine (Port 3001):** A strict middleware that evaluates all transaction requests against hard limits (e.g., `max_usd_per_tx`).
+3. **Signer Vault (Unix Socket):** A completely isolated Node.js process that holds the decrypted private keys in memory. It listens exclusively on `/tmp/nyxora-signer.sock`.
 
-1. **Protect Your Keystore**: Your private key is encrypted and stored in `~/.nyxora/keystore.json`. While it is encrypted using `AES-256-GCM`, you must still treat it and your **Master Password** as highly sensitive. NEVER share your `keystore.json` or your Master Password with anyone.
-2. **Human-in-the-Loop Verification**: For standard actions, the agent is restricted from making unilateral transactions. Always review the exact details of the transaction when prompted to "Approve" or "Reject" on the Web Dashboard or Telegram Inline Keyboard before confirming.
-3. **Limit Order Automation Risk**: If you use the AI to create a **Limit Order** (Take-profit or Cut-loss), the system WILL execute the transaction automatically in the background when the price condition is met. This intentionally bypasses the Human-in-the-Loop verification for speed. Use this feature with caution.
-4. **Wallet Generation**: When you ask the AI to create a new wallet, it generates the Private Key and Seed Phrase locally and displays it once. It does NOT save it anywhere. You are responsible for immediately backing up this information.
-5. **Use Testnets**: While getting started or testing new skills, ALWAYS use a testnet (e.g., Sepolia) and a wallet containing only testnet funds.
-6. **Do Not Share Your `memory.json`**: The agent's memory may contain sensitive conversational data, generated seed phrases, or addresses you've interacted with. Be cautious before sharing the `memory.json` export.
-7. **API Keys**: Treat your OpenAI, Gemini, and other LLM provider API keys as highly confidential. Rotate them immediately if you suspect a compromise.
+### The Security Flow
+When the LLM decides to swap tokens:
+1. LLM generates a JSON tool call (`executeSwap`).
+2. Core Runtime forwards this payload to the **Policy Engine**.
+3. The Policy Engine evaluates the payload against immutable limits.
+4. If it exceeds limits, a proposal is created and sent to the Human Operator for approval.
+5. If approved, the Policy Engine forwards the signed JWT instruction to the **Signer Vault**.
+6. The Signer Vault signs the transaction locally via `viem` and broadcasts it to the RPC.
+
+---
+
+## 2. Advanced Cryptographic Security (v1.6.0 Roadmap / v1.5.2 Blueprint)
+
+To prevent advanced Man-in-the-Middle (MITM) attacks and UI compromises, Nyxora is adopting the following cryptographic standards:
+
+### Immutable Policy Store & HMAC Verification
+The `policy.yaml` file defines your risk tolerance (e.g., daily spend limits). In Nyxora, this is not a regular editable state file.
+*   **Immutable Loading:** The Policy Engine verifies the integrity of `policy.yaml` via checksums or HMAC / public-key signatures upon boot.
+*   **No Runtime Write-Access:** The LLM Agent process does not have write access to the policy directory.
+
+### Propose vs. Commit Separation
+We enforce a strict separation of duties to prevent prompt injection manipulation:
+*   `propose_policy_change()`: The AI is restricted to drafting proposals. It cannot alter live security settings.
+*   `commit_policy_change()`: Only a Human Operator, authenticated via a backend Challenge Nonce, can commit the proposal to the Policy Engine.
+
+### Cryptographically Bound Approvals
+When the UI asks you to approve a transaction or a policy change, you are not simply clicking "OK". 
+The backend requires a cryptographic hash:
+```javascript
+approval_hash = sha256(policy_diff + timestamp + user_id)
+```
+This ensures that what the human saw on the UI matches exactly what is being executed, preventing the LLM from secretly modifying the payload in transit.
+
+### Anti-Replay Challenge Nonce
+Every approval UI prompt utilizes a **Single-Use Challenge Nonce** with a strict expiry time. This mitigates *XSS Token Leaks* and *Replay Attacks*, ensuring that an old approval token cannot be stolen and reused for a malicious transaction later.
+
+---
+
+## 3. Plugin Sandboxing
+
+Community plugins and custom skills are executed inside a sandboxed environment.
+*   **Restricted FS Access:** Plugins cannot arbitrarily read your `~/.nyxora` keystore directory.
+*   **Restricted Shell Exec:** Arbitrary shell commands are disabled for third-party skills to prevent malicious `curl | bash` supply chain payloads.
+
+## 4. Reporting Vulnerabilities
+
+If you discover a vulnerability in the Nyxora architecture, please DO NOT open a public issue.
+Instead, email the core maintainer directly at **security@nyxora.ai**.

package/bin/nyxora.js

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+require('ts-node/register');
+require('../launcher.ts');

package/dist/gateway/server.js

@@ -20,6 +20,11 @@ const getBalance_1 = require("../web3/skills/getBalance");
 const checkAddress_1 = require("../web3/skills/checkAddress");
 const getMyAddress_1 = require("../web3/skills/getMyAddress");
 const getPrice_1 = require("../web3/skills/getPrice");
+const checkSecurity_1 = require("../web3/skills/checkSecurity");
+const checkPortfolio_1 = require("../web3/skills/checkPortfolio");
+const marketAnalysis_1 = require("../web3/skills/marketAnalysis");
+const createWallet_1 = require("../web3/skills/createWallet");
+const limitOrderManager_2 = require("../agent/limitOrderManager");
 const bridgeToken_1 = require("../web3/skills/bridgeToken");
 const mintNft_1 = require("../web3/skills/mintNft");
 const customTx_1 = require("../web3/skills/customTx");
@@ -106,7 +111,14 @@ app.get('/api/skills', (req, res) => {
         mintNft_1.mintNftToolDefinition,
         customTx_1.customTxToolDefinition,
         checkAddress_1.checkAddressToolDefinition,
-        getMyAddress_1.getMyAddressToolDefinition
+        getMyAddress_1.getMyAddressToolDefinition,
+        checkSecurity_1.checkSecurityToolDefinition,
+        checkPortfolio_1.checkPortfolioToolDefinition,
+        marketAnalysis_1.marketAnalysisToolDefinition,
+        createWallet_1.createWalletToolDefinition,
+        limitOrderManager_2.createLimitOrderToolDefinition,
+        limitOrderManager_2.listLimitOrdersToolDefinition,
+        limitOrderManager_2.cancelLimitOrderToolDefinition
     ]);
 });
 app.get('/api/transactions', (req, res) => {

package/launcher.js

@@ -0,0 +1,43 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const child_process_1 = require("child_process");
+const crypto_1 = __importDefault(require("crypto"));
+const fs_1 = __importDefault(require("fs"));
+const INTERNAL_AUTH_TOKEN = crypto_1.default.randomBytes(64).toString('hex');
+console.log(`[Launcher] Generated Internal Auth Token: ${INTERNAL_AUTH_TOKEN.substring(0, 8)}...`);
+const env = {
+    ...process.env,
+    INTERNAL_AUTH_TOKEN,
+    SIGNER_SOCKET_PATH: '/tmp/nyxora-signer.sock'
+};
+const spawnService = (name, command, args, env, inheritStdio = false) => {
+    const child = (0, child_process_1.spawn)(command, args, { env, stdio: inheritStdio ? 'inherit' : 'pipe' });
+    if (!inheritStdio) {
+        child.stdout?.on('data', (data) => {
+            process.stdout.write(`[${name}] ${data}`);
+        });
+        child.stderr?.on('data', (data) => {
+            process.stderr.write(`[${name}] ERROR: ${data}`);
+        });
+    }
+    child.on('close', (code) => {
+        console.log(`[${name}] Exited with code ${code}`);
+    });
+    return child;
+};
+console.log('[Launcher] Starting Monorepo Services...');
+const socketPath = env.SIGNER_SOCKET_PATH;
+if (fs_1.default.existsSync(socketPath)) {
+    console.log(`[Launcher] Removing stale unix socket at ${socketPath}`);
+    fs_1.default.unlinkSync(socketPath);
+}
+const signer = spawnService('Signer', 'npx', ['ts-node', '-T', 'packages/signer/src/server.ts'], env);
+setTimeout(() => {
+    const policy = spawnService('Policy', 'npx', ['ts-node', '-T', 'packages/policy/src/server.ts'], env);
+    setTimeout(() => {
+        const core = spawnService('Core', 'npx', ['ts-node', '-T', 'packages/core/src/gateway/cli.ts'], env, true);
+    }, 1000);
+}, 1000);

package/launcher.ts

@@ -0,0 +1,51 @@
+import { spawn } from 'child_process';
+import crypto from 'crypto';
+import fs from 'fs';
+import path from 'path';
+
+const INTERNAL_AUTH_TOKEN = crypto.randomBytes(64).toString('hex');
+console.log(`[Launcher] Generated Internal Auth Token: ${INTERNAL_AUTH_TOKEN.substring(0, 8)}...`);
+
+const env = {
+  ...process.env,
+  INTERNAL_AUTH_TOKEN,
+  SIGNER_SOCKET_PATH: '/tmp/nyxora-signer.sock'
+};
+
+const spawnService = (name: string, command: string, args: string[], env: any, inheritStdio: boolean = false) => {
+  const child = spawn(command, args, { env, stdio: inheritStdio ? 'inherit' : 'pipe' });
+
+  if (!inheritStdio) {
+    child.stdout?.on('data', (data) => {
+      process.stdout.write(`[${name}] ${data}`);
+    });
+
+    child.stderr?.on('data', (data) => {
+      process.stderr.write(`[${name}] ERROR: ${data}`);
+    });
+  }
+
+  child.on('close', (code) => {
+    console.log(`[${name}] Exited with code ${code}`);
+  });
+
+  return child;
+};
+
+console.log('[Launcher] Starting Monorepo Services...');
+
+const socketPath = env.SIGNER_SOCKET_PATH;
+if (fs.existsSync(socketPath)) {
+  console.log(`[Launcher] Removing stale unix socket at ${socketPath}`);
+  fs.unlinkSync(socketPath);
+}
+
+const signer = spawnService('Signer', 'npx', ['ts-node', '-T', 'packages/signer/src/server.ts'], env);
+
+setTimeout(() => {
+  const policy = spawnService('Policy', 'npx', ['ts-node', '-T', 'packages/policy/src/server.ts'], env);
+  
+  setTimeout(() => {
+    const core = spawnService('Core', 'npx', ['ts-node', '-T', 'packages/core/src/gateway/cli.ts'], env, true);
+  }, 1000);
+}, 1000);

package/package.json

@@ -1,57 +1,28 @@
-{
-  "name": "nyxora",
-  "version": "1.5.0",
-  "description": "",
-  "main": "dist/gateway/cli.js",
-  "files": [
-    "dist",
-    "dashboard/dist",
-    "assets",
-    "user.md",
-    "IDENTITY.md",
-    "SECURITY.md",
-    "README.md"
-  ],
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/perasyudha/Nyxora.git"
-  },
-  "bin": {
-    "nyxora": "./dist/gateway/cli.js"
-  },
-  "scripts": {
-    "build": "npm run build --prefix dashboard && tsc",
-    "start": "node dist/gateway/cli.js",
-    "dashboard": "npm run build && node dist/gateway/cli.js",
-    "test": "echo \"Error: no test specified\" && exit 1",
-    "deploy": "npm run build && git add . && git commit -m \"chore: auto-deploy new feature\" && git push && git push --tags && npm publish"
-  },
-  "keywords": [],
-  "author": "",
-  "license": "ISC",
-  "type": "commonjs",
-  "dependencies": {
-    "@clack/prompts": "^1.4.0",
-    "better-sqlite3": "^12.10.0",
-    "concurrently": "^9.2.1",
-    "cors": "^2.8.6",
-    "express": "^5.2.1",
-    "node-telegram-bot-api": "^0.67.0",
-    "open": "^11.0.0",
-    "openai": "^6.39.0",
-    "picocolors": "^1.1.1",
-    "viem": "^2.51.0",
-    "yaml": "^2.9.0"
-  },
-  "devDependencies": {
-    "@types/better-sqlite3": "^7.6.13",
-    "@types/cors": "^2.8.19",
-    "@types/express": "^5.0.6",
-    "@types/node": "^25.9.1",
-    "@types/node-telegram-bot-api": "^0.64.14",
-    "ts-node": "^10.9.2",
-    "typescript": "^6.0.3",
-    "vitepress": "^1.6.4",
-    "vue": "^3.5.35"
-  }
-}
+{
+  "name": "nyxora",
+  "version": "1.5.2",
+  "workspaces": [
+    "packages/*"
+  ],
+  "scripts": {
+    "start": "ts-node -T launcher.ts",
+    "build": "npm run build --workspaces",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "concurrently": "^9.2.1",
+    "dotenv": "^17.4.2",
+    "jsonwebtoken": "^9.0.2",
+    "picocolors": "^1.1.1",
+    "ts-node": "^10.9.2",
+    "typescript": "^6.0.3"
+  },
+  "devDependencies": {
+    "@types/jsonwebtoken": "^9.0.5",
+    "@types/node": "^25.9.1",
+    "vitepress": "^1.6.4"
+  },
+  "bin": {
+    "nyxora": "./bin/nyxora.js"
+  }
+}

package/packages/core/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@nyxora/core",
+  "version": "1.5.2",
+  "private": true,
+  "main": "src/gateway/server.ts",
+  "dependencies": {
+    "@clack/prompts": "^1.4.0",
+    "better-sqlite3": "^12.10.0",
+    "cors": "^2.8.6",
+    "express": "^5.2.1",
+    "helmet": "^8.0.0",
+    "express-rate-limit": "^7.5.0",
+    "node-telegram-bot-api": "^0.67.0",
+    "open": "^11.0.0",
+    "openai": "^6.39.0",
+    "yaml": "^2.9.0"
+  }
+}