nyxora 26.6.28 → 26.6.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md ADDED
@@ -0,0 +1,560 @@
1
+ # Changelog
2
+
3
+ All notable changes to this project will be documented in this file.
4
+
5
+ The format is based on [Keep a Changelog](https://keepashangelog.com/en/1.0.0/),
6
+ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
+
8
+ ## [26.6.29]
9
+ ### Release & Stability
10
+ - **Beta Phase**: Nyxora officially enters the stable Beta phase for wider public testing.
11
+ - **NPM Publishing Integrity**: Explicitly whitelisted `CHANGELOG.md` within the `package.json` files array to guarantee release notes are synchronized onto the public NPM registry.
12
+
13
+ ## [26.6.28]
14
+ ### Features & Personalization
15
+ - **Global Fiat Currency Converter:** Integrated a dynamic fiat currency selector in `Settings.tsx` that fetches live `supported_vs_currencies` from CoinGecko. The `Portfolio.tsx` dashboard now seamlessly converts and renders all balances in the selected global fiat (IDR, EUR, GBP, JPY, etc.) using client-side processing, while safely preserving core backend trading logic in pure USD.
16
+ - **Episodic Memory Panic Button:** Introduced a dedicated "Wipe All Episodic Memory" trigger in the UI that routes to `DELETE /api/memory/all`. This systematically purges SQLite records and instantly resynchronizes the LLM `user.md` prompt.
17
+ - **Dashboard Theme Selection:** Hard-wired the Theme Selector (Light, Dark, Auto) directly into the Settings panel for greater visibility.
18
+ - **Dynamic Log Level Toggle:** Exposed `log_level` (`info`, `debug`) configuration in `NyxoraConfig.agent` to natively control backend verbosity via the Settings UI.
19
+
20
+ ### Security, MCP & Documentation
21
+ - **On-Chain Kill-Switch Enforcement:** Moved the `checkRegistryStatus()` Base Sepolia interceptor directly into the core Policy Engine (`/request-tx` and `/approve-tx/:id`). This seals a critical bypass vulnerability, ensuring that all external transactions (including those via Telegram, MCP, or CRON) are strictly blocked if the Kill-Switch is thrown on-chain.
22
+ - **MCP Server Hardening:** Refactored MCP Server IPC from TCP (`port 3001`) to Unix Domain Socket (`/tmp/nyxora-policy.sock`) for hyper-optimized security. Enforced End-to-End HMAC Signing on all internal `/request-tx` payloads to protect against request manipulation. Added a strict HTTP Timeout (`10000ms`) to prevent hanging clients.
23
+ - **Standalone MCP CLI:** Added a native `nyxora mcp` command to the CLI manager for isolated developer testing, accompanied by dynamically resolved SDK versions (`^1.29.0`).
24
+ - **NVM & GUI PATH Troubleshooting:** Overhauled the `docs/guide/mcp-integration.md` to cleanly separate global `nyxora start` and source `npm start` instructions. Appended a dedicated Warning block documenting Node Version Manager (NVM/Volta) PATH failures specific to Claude Desktop.
25
+ - **Installation Docs Refinement:** Synchronized `README.md` and VitePress documentation with accurate Smart Wrapper `curl` instructions for Windows, macOS, and Linux, complete with proper uninstallation guidelines.
26
+
27
+ ### Bug Fixes & Optimizations
28
+ - **Uniswap V3 LP UX Overhaul:** Significantly lowered the technical barrier for `provideLiquidityV3.ts`. If an AI agent or user does not specify a strict `tickLower` and `tickUpper`, the contract simulation now automatically defaults to **Full Range** (`MIN_TICK` to `MAX_TICK`) based on the selected fee tier's tick spacing.
29
+ - **Market Watch Persistence Engine:** Engineered a robust auto-resume sequence for `createMarketWatchAgent.ts`. Background tasks are now serialized to `~/.nyxora/data/market_tasks.json` upon creation and seamlessly resurrected by the Gateway `server.ts` upon daemon restart.
30
+ - **RPC Fallback Integrity:** Fixed an edge-case bug in `rpcEngine.ts` where empty array definitions bypassed fallback transports. Added HTTP and WSS failovers for the `base_sepolia` network.
31
+ - **DeFi Keys Architecture:** Stripped legacy `envKey` dependencies in `/api/defi-keys`. Replaced it with pure `id` lookups and injected a `Set` deduplication algorithm to prevent duplicated API key requirements rendering in the UI.
32
+ - **OpenOcean Decimal Parsing:** Resolved a critical application crash where `OpenOceanProvider.ts` incorrectly parsed fractional `amount` inputs directly into `BigInt`. It now strictly targets raw wei values.
33
+ - **Market Oracles Lazy Loading:** Relocated the global `MARKET_KEYS_FILE` declaration within `marketConfigManager.ts` to execute lazily, resolving startup path resolution race conditions.
34
+ - **Waterfall Fallback Engine:** Rewired `marketEngine.ts` to gracefully cascade across CoinGecko, CoinMarketCap, and DexScreener. If a token fails to resolve globally, the Engine now returns a clean, LLM-friendly diagnostic error instead of silently defaulting.
35
+ - **Transparent Key Storage Security:** Eliminated misleading "Encrypted Locally" notices across `DefiKeys.tsx`, `MarketOracles.tsx`, and `Settings.tsx`. Disabled `explorer_api_key` decryption inside `parser.ts` to strictly enforce isolated Plain Text storage as per design constraints.
36
+ - **Etherscan V2 Compatibility:** Emptied the legacy `YourApiKeyToken` default placeholder in `getTxHistory.ts` to ensure the Etherscan public fallback gracefully defaults to rate-limited public access.
37
+ - **Dev Mode Authentication Loop:** Introduced an interactive `AuthModal` inside `App.tsx` that automatically traps HTTP 401/403 responses and prompts developers to input their `x-nyxora-token`, terminating the silent failure loop.
38
+ - **Vite Local Proxying:** Configured `server.proxy` within `vite.config.ts` to seamlessly tunnel `/api` requests to port `3000`. Stripped hardcoded loopbacks from `API_BASE_URL` to completely eliminate Dev CORS errors and resolve production relative-path resolution.
39
+ - **Concurrent Transaction Race Conditions:** Upgraded `loadingId` state architecture in `PendingTransactions.tsx` from a single string to a `Set<string>`. The UI now accurately renders independent spinner states when executing parallel "Approve All" routines.
40
+ - **WebSocket Gateway Security:** Patched a dangerous type coercion vulnerability inside `WebSocketManager.ts` where `validateToken()` returned an object. The handshake now properly unwraps `.valid` to strictly reject unauthorized socket upgrades.
41
+ - **Global Chat Search Integration:** Added a native `GET /api/sessions/search?q=` SQLite query endpoint. Re-wired `SearchChat.tsx` to utilize a debounced remote API instead of purely filtering local session titles.
42
+ - **Settings Race Condition:** Segregated secondary `apiFetch` dispatches (Profile, Policy) within their own localized `try/catch` enclosures inside `Settings.tsx` to prevent localized failures from blocking the primary config persistence notification.
43
+ - **Dynamic Model Verification:** Eliminated the hardcoded "1 ok" text on the `Overview.tsx` dashboard panel. The UI now dynamically infers LLM readiness by securely checking for API Key presence.
44
+ - **Modular DeFi Keys Removal:** Added full lifecycle support for DeFi aggregator keys by exposing a `DELETE /api/defi-keys/:id` endpoint on the server, paired with a dynamic Delete button in the frontend.
45
+ - **Excessive Polling Memory Leaks:** Architected a `usePolling.ts` custom hook incorporating the `Page Visibility API`. Globally migrated HTTP polling intervals (`Overview`, `App`, `PendingTransactions`) from aggressive 2-second ticks down to efficient 5-second intervals that automatically sleep when the browser tab is hidden.
46
+ - **Reflection Engine Provider Agnosticism:** Migrated `getOpenAI()` to a dynamic `getLLMClient()` resolution. Dropped hardcoded `json_object` enforcement in favor of strict system prompts to natively support Anthropic, Gemini, and OpenRouter implementations.
47
+ - **Reflection Engine Noise Filtering:** Hard-filtered `role === 'tool'` messages from the episodic history payload to prevent the LLM from falsely treating background RPC/blockchain logs as user behavioral preferences.
48
+ - **Background Memory Synchronization:** Patched a severe lifecycle bug where memory updates (`user.md`) only compiled when users manually deleted a memory in the UI. `PromotionEngine` now executes automatically in the background milliseconds after `ReflectionEngine` completes its analysis.
49
+ - **Memory Confidence Overflow Limits:** Introduced an aggressive `.min(1.0, confidence)` clamp at the `episodic.ts` `INSERT` & `UPDATE` boundary. This prevents permanent memory overrides from pushing confidence ratios to mathematically impossible boundaries.
50
+ - **SearchSessions SQL Target Fix:** Shifted `ORDER BY s.updated_at` to `s.timestamp` within `logger.ts` to align with the active schema layout and prevent SQLite termination errors.
51
+ - **Reflection Engine Session Binding:** Bound `ReflectionEngine` directly to the active `sessionId` pipeline and introduced an early-return safeguard, properly restoring episodic extraction which previously failed due to NULL session targets.
52
+ - **Relaxed Cryptographic Sanitization:** Disarmed the extremely aggressive 12-word regex heuristic in `validator.ts` that historically flagged standard conversational text inputs as security violations.
53
+
54
+ ## [26.6.27]
55
+ ### Bug Fixes & Security
56
+ - **Aggregator Decimal Normalization:** Fixed a critical overflow bug in `swapToken.ts` and `bridgeToken.ts` where token amounts were hardcoded to 18 decimals (`parseUnits(amountStr, 18)`). The system now strictly queries `getTokenMetadata` via `viem` to fetch the true on-chain decimals (e.g., 6 for USDC/USDT) before transaction construction.
57
+ - **Native Token Consistency:** Standardized the Native Token fallback address inside `tokens.ts` (`TOKEN_MAP`). The application now strictly utilizes `0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee` across all layers instead of blending it with `0x000...`, which fixes execution anomalies with KyberSwap and 1inch resolvers.
58
+ - **Circuit Breaker Health Checks:** Patched `routeSelector.ts` to actively invoke `healthService.recordFailure()` on rejected promises, successfully restoring the circuit-breaker logic to ban persistently failing DeFi endpoints.
59
+ - **Sandwich Attack Protection (Expiry):** Implemented a rigorous check within the inner `submitTransaction` boundary (`vaultClient.ts`) to re-validate `expiresAt`. If the user leaves the UI confirmation prompt idle and the market shifts past the quote expiration window, the core engine will now violently abort to protect from extreme slippage / MEV attacks.
60
+ - **Deterministic Routing Engine:** Repaired the `providerName` pass-through parameter from the AI `swapToken` intention down to the `routeSelector.ts`. When users explicitly specify an aggregator (e.g., "Swap using 1inch"), Nyxora now forcefully filters out all other providers.
61
+ - **RelayProvider Output Integrity:** Mitigated a silent-failure condition in `RelayProvider.ts` by explicitly throwing errors when the output amounts equal zero.
62
+ - **Module Auto-Discovery Safety:** Re-wrote the Aggregator `providerRegistry.ts` scanner to dynamically evaluate its execution environment (`dist/` vs `src/`) to ensure `.ts` files aren't blindly imported during production execution.
63
+ - **OpenOcean Capabilities & LIFI Pathing:** Stripped inaccurate cross-chain capabilities from the `OpenOceanProvider` mock to save compute cycles, and migrated `LifiProvider.ts` to securely utilize strict numeric `Chain IDs` instead of loose string nomenclature.
64
+ - **Aggregator Connection Bloat (Memory Leak):** Enforced `controller.abort()` in `routeSelector.ts` instantly after the optimal `routeScorer` quote is decided. This kills lingering background HTTP connections to slower, unselected aggregators.
65
+ - **LLM Dashboard Cost Tracking (Tokens Recovery):** Fixed an issue in `llmProvider.ts` where LLM usage statistics (`total_tokens`) were stripped during the adapter standardization process. The system now perfectly propagates token counts from Gemini, OpenAI, and Anthropic back to the Tracker, ensuring accurate real-time cost accumulation on the Nyxora Dashboard.
66
+ - **Optimistic UI Chat Flickering:** Fixed an edge-case visual bug in `App.tsx` where user messages would temporarily disappear (flicker) while waiting for the AI response. The dashboard now properly safeguards optimistic state injections from being blindly overwritten by delayed server sync pulses.
67
+ - **Chat History Sliding Window Layout Jump:** Fixed a critical bug in `logger.ts` where the `LIMIT 40` hard constraint (designed for LLM context optimization) was also inadvertently restricting the Dashboard UI data feed. This caused the entire chat interface to dramatically shift/flicker up by one message each time a new message pushed the oldest one out of the 40-message sliding window. The UI now securely pulls up to 1000 messages, eliminating layout shifts completely.
68
+ - **Real-Time Aggregator Race Engine:** Repaired `httpClient.ts` (`safeFetch`) to natively inherit and honor external `AbortSignal` chains, unconditionally terminating zombie network threads once the 4-second parallel race concludes. Enforced aggressive `retries: 0` constraints across all 6 Mainnet providers (1inch, 0x, KyberSwap, LIFI, Relay, OpenOcean) to guarantee millisecond-level routing without suffering from exponential sleep-backoffs during external API rate-limits.
69
+ - **OpenOcean Precision Normalization:** Added architectural support for formatting human-readable decimals (`amountFormatted`) across the `QuoteRequest` interface to properly serve OpenOcean's API, resolving a critical logic inversion where it previously interpreted inputs as raw wei.
70
+ - **Aggregator Endpoint Patches:** Fixed `KyberSwapProvider` payload targeting to extract calldata from `buildData.data.data`, mapped `OpenOceanProvider` requests with enforced `gasPrice` thresholds, and migrated the `RelayProvider` HTTP method from the deprecated `/quote/v2` namespace down to `/quote` (POST).
71
+
72
+ ## [26.6.26]
73
+ ### Bug Fixes & Improvements
74
+ - **Comprehensive Workspace Hardening**: Fixed missing workspace dependencies across `policy`, `signer`, `mcp-server`, and `dashboard` packages. Removed unused endpoints (`/sign-typed-data` in policy) and dead code (`decryptKey` in signer). Strengthened error handling by wrapping all JSON parsing of signer responses with robust `try/catch` blocks in the policy engine. Upgraded transaction IDs to use secure `crypto.randomUUID()`. Addressed critical frontend type safety by implementing optional chaining in `SwapWidget` to prevent React crashes and correcting `default_slippage` types in `Settings.tsx`. Improved Dashboard TypeScript configuration by adding `DOM.Iterable` support.
75
+ - **LLM Architecture Refactor (Bypass Prevention)**: Extracted and centralized LLM provider instantiation (`getLLMClient` & `getOpenAI`) and generic retry logic into `llmUtils.ts`. Eliminated dangerous anti-patterns in `osAgent.ts` and `web3Agent.ts` where the `LLMProvider` adapter was being bypassed by direct OpenAI client calls, which broke multi-provider support (Gemini/Anthropic).
76
+ - **History Sanitizer Amnesia Fix**: Modified `historySanitizer.ts` to be provider-aware. Unconditionally stripping `tool_calls` is now correctly isolated only to the `gemini` provider (to prevent 400 Bad Request on empty payloads), whereas OpenAI and Anthropic will now properly retain tool call history and maintain deep conversational context.
77
+ - **General Agent Identity Recovery**: Overhauled the orchestrator's *General Agent* fallback branch (`reasoning.ts`). Replaced the hardcoded, context-blind prompt with `getSystemPrompt('general')`, fully restoring the AI's episodic memories, persona (`user.md` & `IDENTITY.md`), and risk profiles. Fixed inconsistent memory synchronization that previously injected `contents: []` to Gemini on fresh sessions.
78
+ - **Gemini Adapter Payload Hardening**: Hardened `GeminiAdapter` (`llmProvider.ts`) to intercept and drop empty `parts` arrays triggered by `content_len: 0` assistant messages, preventing catastrophic API rejections.
79
+ - **Zero-Latency Config & Security Caching**: Implemented an aggressive 5-second TTL in-memory cache for `loadConfig()` inside `parser.ts`. This wholly eradicates the massive synchronous cryptographic overhead (AES-256-GCM decryption) and disk I/O bottlenecks that previously executed 10-20 times per user message, resulting in lightning-fast response times.
80
+ - **LLM Client Singleton Optimization**: Introduced a client reuse architecture (`cachedLLMClient`) in `llmUtils.ts`. Eliminates redundant OpenAI/Gemini/Anthropic client instantiations during the multi-stage intent processing (Router → Execution → Synthesis), which completely solves the spammy duplication of `[LLM] Using API Key securely unlocked...` console logs.
81
+ - **CoinGecko UI Integration**: Restored the missing official CoinGecko logo inside the Market Oracles configuration dashboard. Added explicit image mapping for both `coingecko_key` and `coingecko_pro_key` directly to the static CDN.
82
+ - **NPM Package Optimization**: Fully sterilized the distribution pipeline by automatically purging unused development testing scripts (`test_security.ts`, `test.ts`) prior to publishing.
83
+
84
+ ## [26.6.25]
85
+ ### Architecture Updates
86
+ - **Market Oracles & Smart Fallback Engine:** Decoupled Data Oracles (Market Intelligence) from Transaction Routers (DeFi Aggregators) into a dedicated `marketConfigManager.ts`. Upgraded the `analyzeMarket` and `getPrice` AI skills with an extreme dual-tier Smart Routing fallback architecture. Tier 1 dynamically intercepts and prioritizes premium endpoints (`pro-api.coingecko.com` & `pro-api.coinmarketcap.com`) if API keys are configured in the new Zero-Trust "Market Oracles" Dashboard. If unconfigured, Tier 2 gracefully cascades to CoinGecko Public, CoinMarketCap Public, and finally DexScreener, ensuring robust, error-free token intelligence discovery even for obscure unlisted memecoins.
87
+ - **Extensible DeFi Liquidity-Routing Runtime (Meta-Aggregator v2):** Replaced hardcoded aggregator scripts with a highly modular `DefiAggregatorProvider` interface. Introduced an IoC registry (`AggregatorRegistry`) with Auto-Discovery for loading providers (1inch, 0x, Relay, LIFI, KyberSwap, ArbitrumBridge, OpBridge).
88
+ - **Zero-Trust Wallet Architecture:** Implemented a strict security boundary via `ProviderManifest`. Providers are completely blocked during registration if they request `walletAccess: 'sign'`. Providers are isolated to merely generating `CanonicalRouteQuote` data payloads, guaranteeing that actual transaction signing and private key execution remain strictly locked inside Nyxora's core Vault Client.
89
+ - **Hedged Routing Engine & Timeout Guardrails:** Upgraded the legacy sequential router to `routeSelector.ts`, utilizing `Promise.allSettled` for parallel hedged fetching across all active providers. Guarded by `AbortSignal` timeouts and a `ProviderHealthService` circuit breaker.
90
+ - **Dynamic API Key Dashboard Schema:** Revamped the `DefiKeys.tsx` Dashboard component and the backend gateway. API Key configuration fields are now schema-driven and auto-generated dynamically based on the specific requirements declared by the currently active DeFi providers.
91
+ - **Inversion of Control Plugin System:** Completely overhauled the agent execution architecture (`web3Agent.ts` and `osAgent.ts`) from a static, hardcoded `switch-case` paradigm to a dynamic `PluginManager` architecture. Successfully migrated over 30+ disparate skills into 8 distinct modular plugins (`Web3DefiPlugin`, `SystemCorePlugin`, `GoogleWorkspacePlugin`, etc.). This major refactoring dramatically improves the Developer Experience (DX) by allowing third-party developers to inject new capabilities seamlessly without modifying the core agent brains, while maintaining Zero-Trust Local Execution boundaries.
92
+ - **Zero-Dependency Gemini Engine:** Completely removed the `@google/genai` SDK and its heavy dependency tree (`protobufjs`, `google-auth-library`, `node-fetch`, etc.) in favor of a zero-dependency, native `fetch` REST implementation. This architectural refactor definitively eradicates both the `npm warn allow-scripts` security warning and the deprecated `node-domexception` warning during global installations, resulting in a cleaner, faster, and more secure dependency footprint.
93
+
94
+ ## [26.6.24]
95
+ ### Features & Architectural Upgrades
96
+ - **Base Sepolia Registry Migration:** Successfully deployed and verified the `NyxoraAgentRegistry` smart contract on the Base Sepolia network. Shifted the global On-Chain Kill-Switch architecture from Arbitrum to Base. Synchronized all local Gateway configurations and VitePress documentation.
97
+ - **Physical Tri-Core Agent Architecture:** Radically restructured the monolithic `reasoning.ts` engine into three physically isolated files (`reasoning.ts`, `web3Agent.ts`, and `osAgent.ts`). Implemented a Facade Router pattern in `reasoning.ts` to intelligently route user intents without breaking external API contracts (`server.ts`, `telegram.ts`, `cli.ts`). This guarantees True Capability Isolation where the Web3 Agent is physically incapable of accessing OS tools, and completely eliminates context and tool bleeding between domains.
98
+ - **Multi-SDK Adapter Architecture:** Broke free from OpenAI-exclusive lock-in by implementing a Unified LLM Provider interface (Adapter Pattern). Nyxora can now natively utilize `@anthropic-ai/sdk` (Claude) and `@google/genai` (Gemini Native) without breaking its internal Web3/OS tool ecosystem. All tool schemas and message arrays are translated on-the-fly, allowing end-users to securely configure `claude-4.6` directly via `nyxora setup`.
99
+ - **Hybrid Audio Fallback:** Added a dynamic failover safety net for audio transcription. If a user utilizes a non-audio capable model (like Anthropic Claude) as their core agent, Nyxora's `nyxora audio` CLI command will intelligently fallback to OpenAI/Groq's Whisper API in the background.
100
+ - **Zero-Warning NPM Global Install:** Migrated the core Zero-Copy MessagePack Serialization engine from `msgpackr` to `@msgpack/msgpack`. This eliminates the annoying `allow-scripts` NPM security warning caused by C++ native add-ons during global installation (`npm install -g nyxora`), while still maintaining native memory-speed serialization for the Unix Domain Sockets IPC pipeline.
101
+ - **Grammy Telegram Rewrite & Throttler:** Completely rewrote the Telegram Bot module from `telegraf` to `grammy` (saving over 300 lines of legacy code) and implemented `@grammyjs/transformer-throttler` to prevent Telegram API rate limits during heavy agent activities. The bot now natively supports multi-threaded long polling via `@grammyjs/runner`.
102
+ - **Timezone-Aware Cron Engine:** Replaced `node-cron` with `croner` for the AI Scheduler. This fixes C++ compilation issues and provides mathematically precise timezone evaluation for background cron tasks.
103
+ - **DOM Parsing for Web Search:** Upgraded the `searchWeb` AI skill to use `@mozilla/readability` and `linkedom` for raw HTML DOM parsing. The LLM now receives clean, article-extracted text (without menus/footers) instead of raw HTML or short snippets, significantly improving deep research quality and saving context window tokens.
104
+ - **Policy Engine Security & Hot-Reload:** Fortified the Unix Domain Socket Policy Daemon by integrating `zod` for strict payload structure validation, preventing LLM-generated malformed JSON from crashing the Daemon. Additionally integrated `chokidar.watch` to instantly hot-reload `policy.yaml` rules into memory without rebooting the server.
105
+ - **Race Condition Immunity:** Wrapped the `tracker.ts` metric gateway using `proper-lockfile`. This fully secures real-time cost and token tracking across the UI Dashboard and Background Daemon, making Nyxora immune to parallel write corruption on `tracker.json`.
106
+ - **Vitest & Oxlint Dev Ecosystem:** Migrated the monolithic testing ecosystem to `vitest` for lightning-fast unit tests and integrated `oxlint` into the deployment scripts for instant syntax validation.
107
+
108
+ ### Bug Fixes
109
+ - **Policy Engine Zombie Socket:** Patched a critical bug where the Policy Engine lacked a graceful shutdown hook. Previously, stopping the daemon would orphan the Unix Domain Socket (`/tmp/nyxora-policy.sock`) and trigger an `EADDRINUSE` lockup on the next boot. The Policy Engine now safely unlinks its IPC socket upon receiving `SIGTERM`/`SIGINT`.
110
+ - **Doctor CLI Port & UDS Calibration:** Updated the `nyxora doctor` utility to properly identify Port 3000 as `Core/Gateway API` and Port 3001 as `Policy Engine Fallback`. Additionally injected a UDS health-check module that proactively scans for and warns users about stale/zombie sockets (`/tmp/nyxora-*.sock`).
111
+ - **Documentation Restructure:** Synchronized the VitePress technical documentation (`index.md`, `architecture.md`, `troubleshooting.md`) to accurately reflect the new Unix Domain Sockets (UDS) architecture, removing outdated references to Port 3001. Relocated `bridge-routing.md` to `docs/guide/` and eliminated empty artifact folders.
112
+
113
+ ## [26.6.23]
114
+ ### Features & Architectural Upgrades
115
+ - **Hybrid API Gateway (HTTP + WebSocket):** Upgraded the core API Gateway (`server.ts`) to operate on a dual HTTP and WebSocket architecture. UI clients now initiate asynchronous tasks via instant HTTP `POST /api/v1/trade` and receive real-time, zero-latency streaming terminal logs via WebSocket (`ws://.../ws/stream?traceId=...`). This definitively eliminates 504 Gateway Timeouts during heavy Web3 transaction analysis.
116
+ - **WebSocket Anti-Race Condition (Ring Buffer):** Engineered a 5-second, `traceId`-bound memory Ring Buffer inside the new `WebSocketManager`. This acts as a critical guardrail, caching high-speed logs emitted by the Core Runtime and instantly flushing them to the UI upon WS handshake, guaranteeing zero dropped logs during the microsecond gap between HTTP response and WS connection.
117
+ - **Hyper-Optimized IPC (Unix Domain Sockets):** Drastically slashed internal communication latency by migrating the pipeline between `Core Runtime` and `Policy Engine` from standard TCP Loopback (`127.0.0.1:3001`) to native Unix Domain Sockets (`/tmp/nyxora-policy.sock`), routing IPC traffic directly through kernel memory for `< 1ms` hop times.
118
+ - **Zero-Copy MessagePack Serialization:** Eliminated Node.js Event Loop blocking caused by massive `JSON.stringify()` operations. The UDS IPC pipeline natively encodes and decodes binary payloads at memory speed.
119
+ - **L3 Web Search Failover (Free Built-in Search):** Reintegrated `duck-duck-scrape` as a native Layer-3 fallback safety net for the `searchWeb` skill. The CLI `nyxora setup` now offers "DuckDuckGo (Free & Built-in)" as a zero-configuration provider, enabling rapid onboarding without API keys while acting as an automatic fallback if Tavily/Brave premium keys hit rate limits (HTTP 429).
120
+
121
+ ## [26.6.22-1]
122
+ ### Bug Fixes
123
+ - **Hotfix: Missing Core Dependency:** Patched a severe global installation crash by explicitly injecting the missing `node-cron` module into the root `package.json` dependency tree. The AI Scheduler background daemon now correctly resolves its dependencies in global NPM environments, fully restoring the `nyxora dashboard` routing capability that was collateral damage from the crash.
124
+
125
+ ## [26.6.22]
126
+ ### Features & Enhancements
127
+ - **Intelligent First-Time Onboarding:** Introduced a dynamic AI onboarding flow. When a user installs Nyxora for the first time, the `reasoning.ts` engine automatically detects the absence of identity files and enforces an Onboarding Mode. The AI will warmly welcome the user and refuse to execute any commands until it collects 4 essential variables: User's Name, AI's Name, User's Hobbies/Job, and AI's Persona.
128
+ - **Persistent Tracker State (Cost & Logs):** Engineered a persistent state caching mechanism for the core `tracker.ts` gateway metric system. Real-time cost, token counts, and terminal Gateway Logs are now asynchronously serialized to disk (`tracker.json`). This ensures runtime state is securely preserved across daemon reboots (`nyxora restart`). Additionally, hooked into the `nyxora stop` lifecycle event to physically purge the cache file, ensuring clean state wipes when the daemon is intentionally shut down.
129
+ - **Identity Isolation & Update Tool:** Engineered a brand new `update_identity` LLM tool strictly dedicated to managing the core AI personality (`IDENTITY.md`). This enforces a clean separation of concerns, ensuring `user.md` is strictly for user preferences (via `update_profile`), while the AI's core persona is safely isolated.
130
+ - **AI Scheduler (CRON Jobs):** Introduced a new background execution engine using `node-cron`. The Nyxora AI now has `schedule_task` and `cancel_task` system skills, allowing it to understand natural language scheduling prompts (e.g., "Check BTC price every hour" or "Stop monitoring"). The backend `CronManager` autonomously executes these AI prompts in the background and pushes clean, refined analysis reports directly to the user's smartphone via the Nyxora Telegram Bot integration.
131
+
132
+ ### Bug Fixes
133
+ - **Idle Server LLM Error 400:** Fixed a critical memory leak causing the AI to crash with an OpenAI 400 Bad Request error when the server was left running 24/7. Background Cron jobs were cross-contaminating the default chat session query, causing the sliding context window to aggressively truncate tool execution sequences in half. Implemented strict `WHERE session_id IS NULL` SQL filtering and a proactive orphaned tool message filter to stabilize 24/7 continuous memory context.
134
+ - **Global Reflection Engine (Memory Log) Sync:** Fixed a critical architectural blindspot where the autonomous Reflection Engine (`Memory Log`) failed to extract habits from the Dashboard chat. The Engine was historically designed for a single-session CLI environment and queried the database with `WHERE session_id IS NULL`, rendering it blind to the modern Multi-Session Dashboard chats. The extraction query has been upgraded to a global scope, allowing the AI's Subconscious Brain to holistically analyze the user's latest interactions across all active dashboard tabs.
135
+ - **CLI Chat Transaction UI:** Fixed a critical bug in `nyxora chat` where the CLI would blindly skip over transaction approvals (e.g. bridging, swapping). Injected an asynchronous transaction interceptor into the chat loop that actively polls `/api/transactions` and uses `@clack/prompts` to freeze the terminal and render a pop-up confirmation `Approve Transaction [TYPE] on [CHAIN]? (y/n)` directly inside the CLI.
136
+ - **Dashboard Metric Desync:** Fixed a UI desynchronization issue on the Dashboard Overview page where the active Chat Sessions count and CRON Jobs count were completely hardcoded to static values. The metrics are now dynamically synced with the active frontend state and the backend `/api/cron` endpoint.
137
+
138
+ ### UI/UX & Layout Fixes
139
+ - **Collapsible Sidebar (Hidden Mode):** Introduced a completely new space-saving "Collapsed" mode for the Dashboard sidebar. Users can now toggle the sidebar to hide text labels and recent chat history, retaining only a sleek, icon-only vertical navigation bar with seamless CSS animations and `localStorage` state persistence.
140
+ - **Search Chat & Session Filter:** Deployed a new "Search Chat" navigation menu inside the Dashboard. Users can now instantly search and filter their entire historical chat session list in real-time by title, jumping straight back into specific conversations with a single click.
141
+ - **Dynamic Theme Integration (Light, Dark, & Auto Mode):** Added full Light Mode, Dark Mode, and Auto (System Default) theme options to the dashboard, complete with dynamic color palettes and improved contrast for terminal logs.
142
+
143
+ ## [26.6.21]
144
+ ### Security Fixes
145
+ - **Disabled Skill Execution Blocker:** Patched a critical vulnerability where the AI agent (e.g. Gemini) could hallucinate and illegally execute Web3 skills that were explicitly toggled off by the user. The `reasoning.ts` engine now actively intercepts and blocks unauthorized skill calls before execution.
146
+ - **On-Chain Parameter Safeguards:** Implemented strict `undefined` parameter validation across all 10 On-Chain skills (Transfer, Swap, Bridge, Mint NFT, Custom Tx, DeFi Yield/Supply, etc.). This prevents the Node.js process from crashing with `TypeError` when the AI provides incomplete or hallucinated JSON tool payloads.
147
+ - **Config State Synchronization:** The skill toggle state in the UI is now fully synchronized with `config.yaml`. Disabling a skill securely removes it from the configuration, preventing the LLM from accessing its schema.
148
+ - **Cross-Chain Routing Breakdown Prevention:** Patched a severe routing logic flaw in the Mainnet Meta-Aggregator where the KyberSwap provider API (which only supports same-chain swaps) was inadvertently exposed to cross-chain bridging requests. Injected a strict `!isCrossChain` constraint to prevent user funds from being mistakenly swapped into spoofed destination-chain token addresses on the origin network.
149
+
150
+ ### Features & Enhancements
151
+ - **Custom Token Whitelist & Auto-Fetch:** Unified the custom token storage architecture by migrating legacy JSON formats into a centralized `user_whitelist.yaml`. Introduced an elegant "Add Custom Crypto" Modal UI in the Dashboard Portfolio with an auto-fetch mechanism that instantly retrieves token symbols and decimals from the blockchain upon pasting a contract address. The AI (LLM) parser now intrinsically reads this YAML whitelist, enabling natural language swaps for manually added memecoins by symbol.
152
+ - **Clean Uninstallation Wizard:** Added the `nyxora uninstall` command. Users can now safely and cleanly remove all traces of Nyxora from their system. This wizard securely clears the AI's SQLite memory database, purges stored credentials from the OS Native Keyring, and completely deletes the `~/.nyxora` configuration directory.
153
+ - **Interactive CLI Chat (`nyxora chat`):** Introduced a new terminal-based interactive chat interface. Users who prefer the command line can now converse directly with the Nyxora background daemon using `@clack/prompts` without needing to open the web dashboard. Features graceful background-safe exits.
154
+ - **Dynamic Dashboard Status Metrics:** Obliterated hardcoded mock values from the Dashboard's Overview page. The Gateway API (`/api/stats`) has been redesigned to actively calculate the total number of loaded Web3 and OS skills in real-time. Additionally, the Memory Storage directory indicator is now dynamically injected based on the user's OS architecture (e.g., `~/.nyxora/data/memory.db`).
155
+
156
+ ## [26.6.20]
157
+ ### Features & Enhancements
158
+ - **Unified Portfolio Scanner Redesign:** Completely overhauled the `Portfolio.tsx` Dashboard UI to provide a denser, more data-rich aesthetic. Token balances across all chains are now aggregated, flattened, and sorted globally by total USD value, replacing the old tabbed per-chain layout.
159
+ - **Dynamic 24h Percentage Change:** Upgraded the core backend (`server.ts`) to actively fetch and cache 24-hour percentage price changes (`h24`) via the DexScreener API. The frontend now dynamically calculates and displays a live, weighted average portfolio change instead of a hardcoded placeholder.
160
+ - **Unified Global Chain Filtering:** Integrated a new custom `<NetworkSelector>` into the Portfolio page that syncs seamlessly with the global top-bar. It natively supports an "All Chains" wildcard option, allowing users to instantly filter the aggregated token list by a specific network without losing the unified cross-chain view.
161
+ - **Wallet Address Exposure API:** Deployed a new `/api/wallet` core endpoint, allowing the Dashboard frontend to securely fetch and display the user's primary connected wallet address directly inside the Portfolio scanner header.
162
+ - **Dynamic Fiat Currency Support:** Upgraded the AI's `get_price` semantic skill to recognize and accept a dynamic `currency` parameter. The system can now instantly translate and format cryptocurrency prices into any global fiat currency (such as IDR, EUR, JPY) based on the user's natural language request.
163
+
164
+ ### UI/UX & Layout Fixes
165
+ - **Full-Width Fluid Dashboard Containers:** Stripped legacy `max-width` hard-limiters (1200px) from the root `overview.css` and all primary sidebar panels (`Overview`, `Portfolio`, `Web3 Skills`, `OS Skills`, `Settings`, `RPC`, `DeFi`). The dashboard now natively spans the full horizontal resolution of any monitor edge-to-edge.
166
+ - **Flexbox Overlap Patch:** Patched a responsive layout bug in the Portfolio header where long network names (e.g., "Base Sepolia (Testnet)") would physically overlap and bleed into the "Portfolio Scanner" title. Added proper `flexWrap: 'wrap'` and flexible gap spacing to guarantee clean degradation on smaller viewports.
167
+
168
+ ## [26.6.19]
169
+ ### Bug Fixes
170
+ - **Dashboard Skill Toggle Sync:** Fixed a bug where disabling skills in the `setup` wizard (CLI) did not reflect on the web Dashboard UI. The wizard stored skill names in `camelCase`, but the core AI engine checked for `snake_case` definitions, bypassing the blacklist. A dictionary mapping was added to `setup.ts` to translate names correctly before saving to `disabled_skills.json`.
171
+ - **Third-Party LLM Provider Unblocking:** Removed a legacy, hardcoded restriction block in `reasoning.ts` that artificially rejected LLM providers other than OpenAI, Gemini, Ollama, and OpenRouter. Users can now seamlessly connect Groq, xAI (Grok), Mistral, and DeepSeek via the setup wizard, utilizing their native OpenAI SDK compatibility.
172
+ - **Google Workspace OAuth Callback Routing:** Fixed a critical bug in the core `server.ts` global authentication middleware where Express.js path mounting behavior implicitly stripped the `/api` prefix from `req.path`. This caused the Google OAuth callback whitelist exception to fail, resulting in an `Unauthorized: Invalid or missing token` error during dashboard login. The middleware now correctly utilizes `req.originalUrl` for accurate bypass verification.
173
+
174
+
175
+ ## [26.6.18]
176
+ ### Bug Fixes & Build Pipeline
177
+ - **NPM Publish Recompilation Fix:** Fixed a critical bug in the NPM `prepare` hook where `npm publish` would skip compiling the core backend TypeScript files. This caused versions `v26.6.16` and `v26.6.17` to inadvertently ship with stale, uncompiled JavaScript `dist/` artifacts. The root `tsc` build step is now explicitly injected into the pre-publish hook to ensure the CLI uses the latest codebase.
178
+
179
+ ## [26.6.17]
180
+ ### Bug Fixes
181
+ - **CLI Setup API Key Overwrite Bug:** Fixed a race condition during `nyxora setup` where newly entered LLM API keys were successfully written to the config file but instantly overwritten by a stale in-memory config save sequence.
182
+ - **Removed Zombie `installSkill` CLI Option:** Removed the legacy `installSkill` selection option from the CLI setup wizard to correctly align with the new fully-native, sandbox-free architecture (introduced in v26.6.15).
183
+
184
+ ## [26.6.16]
185
+ ### Bug Fixes & Stability
186
+ - **Global `nyxora start` `ENOENT` Crash Fix:** Resolved a critical bug where launching the daemon on a completely fresh install (or after deleting `~/.nyxora`) would instantly crash due to missing nested log and auth directories. The CLI now gracefully auto-creates all deeply nested required structures before attempting to access them.
187
+ - **Node.js ESM Compilation Crash (`launcher.ts`):** Stripped out legacy `import.meta.url` syntax in favor of bulletproof CommonJS `__filename` globals. This permanently eliminates the fatal `exports is not defined` parsing crash on newer Node.js versions running compiled production builds.
188
+ - **`nyxora unlock` Missing Dependency Panic:** Refactored the dashboard unlock CLI command to utilize native Node.js 18+ `fetch()` APIs, completely removing the hazardous dynamic import to `node-fetch` (which was missing from NPM `dependencies`).
189
+ - **NPM Monorepo Resolution Fix:** Stripped the hardcoded `.ts` extension from `safeLogger` imports to prevent `MODULE_NOT_FOUND` errors on compiled production artifacts.
190
+ - **`mcp-server` Publishing:** Wired the `mcp-server` into the root compilation step and included its `dist/` artifacts in the `files` array, ensuring the Universal Bridge is fully operational out-of-the-box for NPM installations.
191
+
192
+ ## [26.6.15]
193
+ ### Security & Architecture
194
+ - **Policy Engine Hard-coded Firewall**: Extracted security constraints (`whitelist_only`, `max_usd_per_tx`, `require_approval`) from `config.yaml` and implemented a fully decoupled backend `policy.yaml` evaluation engine running on a secure local port (3001). This solidifies the Zero-Trust Architecture by guaranteeing rules are enforced prior to cryptographic signing.
195
+ - **Unified NLP Semantic Rules**: Migrated `security_policy.md` directly into the `policy.yaml` state (`custom_llm_rules`). AI native skills (`updateSecurityPolicy`) now dynamically append human-language constraints to the centralized policy module, providing a single source of truth for both hard-coded and semantic safeguards.
196
+
197
+ ### UI/UX Enhancements
198
+ - **Policy Engine Configuration Panel**: Added a dedicated "Policy Engine (Hard-coded Firewall)" module to the Dashboard Settings page. Users can now easily toggle transaction approvals, strict whitelists, and input custom semantic NLP rules directly from the GUI.
199
+ - **Pristine Local Development Logs**: Injected `NODE_NO_WARNINGS=1` environment variables into the core `launcher.ts` monorepo runner. This entirely suppresses noisy `MODULE_TYPELESS_PACKAGE_JSON` CommonJS/ESM reparsing warnings during `npm run dev`, providing a flawless, 100% clean boot log for presentation and development purposes.
200
+ - **Internal Version Synchronization**: Synced all sub-packages (`core`, `signer`, `policy`, `mcp-server`) explicitly to `v26.6.15` for consistent NPM publishing.
201
+
202
+ ### Bug Fixes
203
+ - **Rapid Graceful Shutdown**: Refactored the core gateway server shutdown sequence to aggressively call `server.closeAllConnections()`. This eliminates the 10-second hang caused by persistent UI polling / SSE connections when stopping the daemon via `CTRL+C`.
204
+ - **Market Analysis Cascade Architecture**: Rewired the AI `analyzeMarket` capability in `reasoning.ts` to correctly route through the advanced `analyzeMarketEngine`. This strictly enforces the 3-Tier Cascading Fallback logic (CoinMarketCap CoinGecko DexScreener), maximizing market data resilience against API rate-limits.
205
+
206
+ ## [26.6.14]
207
+ ### Security & Privacy
208
+ - **Isolated Private RPC Vault**: Extracted `web3.rpc_urls` from the main `config.yaml` and moved them into a highly isolated `~/.nyxora/config/rpc_key.yaml` file. This guarantees zero risk of leaking Premium Node Endpoints (Alchemy, Infura) when sharing config files or prompts.
209
+ - **Auto-Migration Engine**: Implemented a background migration routine (`parser.ts`) that automatically detects legacy RPC setups and seamlessly extracts, transfers, and wipes them from `config.yaml` during the next daemon boot without data loss.
210
+ - **Frontend Key Masking**: Upgraded the new "RPC Configuration" UI to strictly use `type="password"`, ensuring sensitive API keys are never visible in plaintext during screen-sharing or recordings.
211
+
212
+ ### UI/UX Enhancements
213
+ - **Dedicated RPC Dashboard**: Added a brand-new "RPC Configuration" tab to the Web Dashboard sidebar, complete with Public Fallback awareness and full support for all Mainnet and Testnet environments.
214
+ - **DeFi Configuration Refactor**: Overhauled the "DeFi Configuration" interface layout to utilize a clean, elegant horizontal list design, achieving absolute visual consistency with the new RPC module.
215
+ - **Clean Daemon Boot (NPM Suppression)**: Refactored `launcher.ts` and `package.json` to directly invoke local binaries (`./node_modules/.bin/ts-node`), completely bypassing `npx`. This definitively eliminates the annoying `npm warn allow-scripts` console spam during the multi-service boot sequence.
216
+
217
+ ## [26.6.13]
218
+ ### Bug Fixes & UX Hardening
219
+ - **Telegram Reasoning Leak**: Implemented a strict Regex pre-processor within the Telegram `formatToTelegramHTML` pipeline to silently intercept and annihilate raw `<think>` and `<thought>` Chain of Thought XML tags. This guarantees a clean, distraction-free user experience when integrating reasoning models (like DeepSeek R1) via the Telegram Bot interface.
220
+ - **Zero-LLM Fast Return (Instant UI Popups)**: Re-enabled the `fastReturnTools` bypass architecture for all transactional Web3 skills (transfer, swap, bridge, etc.). This optimization skips the redundant secondary LLM summarization phase, cutting transaction generation latency by 3-10 seconds and delivering the UI Approve/Reject popup instantly upon tool completion.
221
+ - **One-Liner Transaction UX**: Radically refactored the raw `TRANSACTION_PENDING` LLM string outputs across 9 Web3 modules (Bridge, Swap, Transfer, DeFi Lending, etc.) into ultra-sleek, single-line Markdown formats. This maximizes screen real-estate and delivers an HFT (High-Frequency Trading) aesthetic to the Dashboard and Telegram chat interfaces.
222
+ - **Critical KyberSwap Vulnerability Patch**: Fixed a fatal logic bug in the Mainnet Meta-Aggregator where the `txPayload.value` for KyberSwap routes was erroneously mapped to `amountInUsd`. This bug would cause Native ETH swaps to revert (due to insufficient WEI value mismatch) and ERC20 swaps to leak dust ETH. The aggregator now dynamically calculates strict WEI values based on the asset type.
223
+
224
+ ### Cross-Chain Architecture
225
+ - **L2 Asynchronous Watcher**: Built a robust Node.js background daemon (`bridgeWatcher.ts`) to autonomously track the 7-day L2-to-L1 challenge periods. This completely modernizes withdrawal operations from blocking UI threads to a passive, state-managed background cron-job.
226
+ - **Push Notifications with Inline Actions**: Telegram gateway now natively supports pushing spontaneous server-to-client alerts. The L2 Watcher triggers an immediate Telegram push notification the exact minute an L1 Claim becomes valid, complete with an inline `[ Approve Claim ]` callback button.
227
+ - **Universal OP Stack Native Bridge**: Implemented a dedicated `nativeOpBridge.ts` module hardcoded with strictly validated (EIP-55 fully lowercased) `L1StandardBridgeProxy` addresses for both Base Sepolia and OP Sepolia. Nyxora can now encode and simulate native OP Stack portal deposits without relying on external APIs.
228
+ - **Testnet Meta-Aggregator Hierarchy**: Overhauled the logic inside `aggregatorTestnet.ts`. The router now intelligently prioritizes the `nativeOpBridge` for all OP Stack chains, gracefully degrading to `fetchRelayTestnet` for Base and `fetchArbitrumBridgeTestnet` for Arbitrum exclusively.
229
+
230
+ ## [26.6.12]
231
+ ### Security & Web3 Routing
232
+ - **Relay API Mainnet Fallback**: Fixed a critical routing bug for native ETH. The aggregator now precisely translates the native token identifier (`0xeeee...`) into the Zero Address (`0x0000...`) exclusively when communicating with Relay's cross-chain API. This completely neutralizes "Invalid input currency" rejections on mainnet bridges.
233
+
234
+ ### Documentation & Architecture
235
+ - **Guarded Autonomy Reboot**: Completely rewrote the core conceptual architecture documents (`guarded_autonomy.md`). Eradicated legacy "Quantitative Scoring Engine" hallucinations, solidly aligning the documentation with Nyxora's actual defense-in-depth architecture: a free-thinking AI sandboxed by an immutable, local NLP Policy Engine interceptor.
236
+ - **Slippage & Security Guide**: Added a dedicated, comprehensive page (`slippage.md`) clearly delineating the operational differences between the AI's *Default Slippage* and the strict *Max Allowed Slippage* security hard-limit to educate users on MEV and honeypot attack vectors.
237
+ - **Roadmap Cleansing**: Removed completed technical milestones (e.g., Universal MCP Client Integration) from the `roadmap.md`. The roadmap now exclusively highlights high-tier enterprise visions such as the Rust-Native Signer and Multi-VM Solana architecture.
238
+
239
+ ### Maintenance & Refactor
240
+ - **Clean Installation Initiative**: Completely removed `exceljs` to eliminate all `npm warn deprecated` warnings (e.g., `inflight`, `rimraf@2`, `glob@7`) during global installations.
241
+ - **Modernized Excel/CSV Engine**: Refactored `generateExcel.ts` and `analyzeDocument.ts` to use ultra-lightweight, zero-dependency modern libraries (`write-excel-file` and `csv-parse`), ensuring a 100% warning-free and vulnerability-free `npm install -g nyxora` experience.
242
+
243
+ ### Dashboard & UI Refactoring
244
+ - **Clean Agent Reasoning UI**: Restructured the frontend message rendering (`App.tsx`) to completely isolate and strip out raw `<think>` blocks from the AI's internal Chain of Thought. The user interface is now 100% focused on final outputs, keeping the conversation view clean.
245
+ - **Strict Think Block Escaping**: Hardened the system prompt in `reasoning.ts` with a new Anti-Hallucination rule. The AI is now strictly forbidden from injecting conversational text or final answers inside the `<think>` block, completely neutralizing the bug where the UI appeared to be "stuck" due to missing output.
246
+
247
+ ## [26.6.11-2]
248
+ ### Hotfixes
249
+ - **Monorepo Dependency Resolver**: Fixed an NPM workspace bug by elevating internal package dependencies (`playwright`, `twitter-api-v2`, `@notionhq/client`) directly to the root `package.json`, completely resolving `Error: Cannot find module` crashes during daemon boot.
250
+
251
+ ## [26.6.11-1]
252
+ ### Hotfixes
253
+ - **Global Installation Path Fix**: Included the compiled `dist/` directory into the NPM tarball, preventing `ts-node` fallback crashes during `nyxora start`.
254
+
255
+ ## [26.6.11]
256
+ ### Security
257
+ - **Foundry Registry Migration**: Successfully migrated the `NyxoraAgentRegistry` Arbitrum Smart Contract from Hardhat to Foundry, stripping out hundreds of vulnerable NPM dependencies and drastically reducing the attack surface.
258
+
259
+ ### Core AI Engine (Reasoning V2)
260
+ - **Zero-Hallucination Framework**: Injected 11 new advanced Critical Rules into the core System Prompt (`reasoning.ts`). The AI is now explicitly forbidden from guessing or hallucinating missing parameters (tokens, chains, amounts) and will gracefully ask for user clarification.
261
+ - **Transaction Intent Confirmation**: Mandated a strict 4-step execution flow for all state-changing actions. The AI must gather details, display a markdown summary, await UI approval, and only then execute.
262
+ - **Network Safety & Risk Disclosure**: For high-level financial strategies (e.g., "Find yield"), the AI is now required to draft a plan and explicitly disclose major DeFi risks (Impermanent Loss, Smart Contract Risk) before requesting execution approval.
263
+
264
+ ### Web3 Architecture Restructuring
265
+ - **Separation of Concerns (SoC)**: Completely restructured the `web3` engine into isolated domains (`aggregator/`, `skills/`, and `config`). The AI business logic (`skills/`) is now entirely decoupled from the routing execution layer, enabling massive scalability without spaghetti code.
266
+ - **Testnet/Mainnet Contamination Shield**: Aggregator logic is now strictly split between `aggregatorMainnet.ts` (1inch/0x/LI.FI) and `aggregatorTestnet.ts` (Relay). This absolute physical separation ensures experimental testnet logic can never leak into or crash production mainnet operations.
267
+ - **Zero-Trust AI Sandbox**: The AI no longer has direct access to execution paths. It can only call functions within `skills/` to prepare transaction drafts, which are then passed to `defiRouter.ts` for strictly controlled optimal routing.
268
+
269
+ ### Performance & Security
270
+ - **Native EOA Transfer Fast-Path**: Integrated a strict `getCode` verification check in `transfer.ts`. If the recipient is confirmed as a pure EOA (`0x`), the AI immediately bypasses costly `estimateGas` dry-runs and injects a raw `21000` gas limit, achieving instant P2P Native Transfers. ZK-aware.
271
+ - **JSON-RPC Rate Limit Optimization**: Implemented `batchSize: 100` chunking for all `createPublicClient` HTTP transports, coupled with a WSS Auto-Reconnect mechanism that gracefully degrades to HTTP polling.
272
+ - **Multicall Chunking & Self-Healing Cache**: Refactored `tokens.ts` metadata fetching using batched `multicall` with persistent self-healing caching. Added Background Preload Allowance dynamic checking on boot.
273
+ - **Independent Parallel Execution**: Refactored `swapToken.ts` to perform Quote fetching and Balance checking in strict parallel via `Promise.all`.
274
+ - **Safe-Path Enforcement**: Added mandatory `estimateGas()` dry-runs in complex DeFi transactions to detect reverts before broadcasting, saving user gas fees.
275
+ - **Meta-Aggregator Architecture**: Built `defiRouter.ts` to seamlessly route Mainnet transactions to 6 competing APIs (1inch, 0x, LI.FI, Relay, OpenOcean, KyberSwap) for best quotes, while exclusively routing all Testnets (e.g. `base_sepolia`) via Relay to prevent conflicts.
276
+ - **DeFi Keys (BYOK) Security**: Added a unified `defiConfigManager.ts` securely saving API Keys in `~/.nyxora/defi_keys.yaml` to prevent leaks. Integrated a Dashboard UI panel with `IS_SET` masking so sensitive keys never return to the browser frontend. Removed all insecure `process.env` dependencies.
277
+ - **Unified Chain Registry**: Consolidated all supported Mainnet and Testnet network IDs into a single `chains.ts` registry, completely eliminating hardcoded chain bugs across the Dashboard UI and CLI logic.
278
+
279
+ ## [26.6.10] - 2026-06-09
280
+
281
+ ### The DeFi Optimization Update
282
+ - **DeFi Lending Engine**: Integrated native Aave V3 support across all EVM chains. The AI can now autonomously fetch dynamic `Pool` addresses via `PoolAddressesProvider` and securely draft `supply` payloads to earn yield on idle assets.
283
+ - **DeFi Security Guard (Revoke)**: Shipped a critical security skill allowing users to purge "Infinite Approvals". The AI can now construct 0-value `approve()` payloads to instantly revoke access from malicious or vulnerable smart contracts across any chain.
284
+ - **DEX LP Manager**: Integrated Uniswap V3 (and PancakeSwap V3 for BSC) liquidity provision. Enforces strict safety barriers by mandating human-in-the-loop input for `tickLower` and `tickUpper` price ranges, completely neutralizing AI hallucination risks in complex liquidity deployments.
285
+ - **Auto-Compounder Vaults**: Integrated Beefy Finance (Primary) and Yearn Finance (Secondary). The AI can seamlessly route idle LP tokens into auto-compounding smart contracts to automatically maximize yield.
286
+ - **Transaction Chaining (Smart Approve)**: Upgraded the `viem` contract simulator to intelligently read user allowances prior to execution. If a user attempts to supply Aave or deposit to Beefy without prior authorization, the AI will autonomously intercept the request and draft a precise `approve` payload first, drastically improving UX.
287
+ ### Enterprise Reporting & History
288
+ - **Automated Excel Reporting**: The AI can now autonomously generate formatted `.xlsx` reports from raw JSON data (e.g., PnL, token balances) via the new `generate_excel_file` OS Skill.
289
+ - **Deep Transaction History**: Integrated `get_tx_history` Web3 skill to fetch complete 30-day (or N-day) history for Native and ERC-20 transfers using the new Unified Etherscan API V2. A single API key now powers cross-chain fetching across 60+ Mainnets and Testnets, featuring a graceful fallback mechanism to public endpoints.
290
+
291
+ ### The Masterpiece Memory Architecture
292
+ - **Air-Gapped Security Vault**: Implemented a strict 4-Layer Memory Architecture. The LLM Reflection Engine is now completely air-gapped from the OS Keyring and Wallet System, establishing absolute immunity against memory-based Private Key leakage.
293
+ - **Hard-Coded Anti-Injection Validator**: Deployed a rule-based RegExp Validator (`validator.ts`) acting as the ultimate gatekeeper before SQLite insertion. It autonomously detects and annihilates Private Keys, 12/24 BIP-39 Seed Phrases, API Tokens, and System Prompt Override attempts without relying on LLM behavior.
294
+ - **Smart Suggestion Engine**: The Agent Reasoning Pipeline now natively hooks into the Layer-2 Episodic Database. By injecting the top 10 most confident habits directly into the System Prompt, Nyxora can now autonomously autocomplete repetitive transaction parameters (e.g., preferred network, preferred token) slashing human-in-the-loop latency by up to 90%.
295
+ - **Persistent Background Reflection**: Eliminated static interval timers. The Reflection Engine is now seamlessly triggered via 3 infallible hooks: a 3-minute Idle Timer, an N-Message threshold (every 5 messages), and a `SIGTERM` Graceful Shutdown hook, ensuring resilient memory retention across daemon lifecycles.
296
+ - **Real-Time Memory Log Dashboard**: Exposed a robust `/api/memory` CRUD endpoint and integrated a sleek "Memory Log" panel directly into the Web Dashboard Overview tab. Users can now audit, review confidence scores, and forcefully delete false observations in real-time with zero state desynchronization.
297
+
298
+ ## [26.6.9]
299
+ ### Security & UX Hardening
300
+ - **Zero-Trust Auto-Lock (Passwordless)**: Implemented a robust idle timeout mechanism in the React Dashboard with an elegant glassmorphism blur overlay. The dashboard securely locks after periods of inactivity, requiring the user to authorize unlock directly via the CLI (`nyxora unlock`) to prevent unauthorized local access.
301
+ - **Approval Replay Protection (Nonce Guard)**: Hardened the `transactionManager` to cryptographically sign all pending transaction payloads with a randomized 16-byte Nonce. The `/api/transactions/:id/approve` endpoint now strictly enforces Nonce matching and immediately marks it as `used_` upon first validation, completely eliminating double-spending and Replay Attack vectors.
302
+ - **Graceful Shutdown (SQLite WAL Guard)**: Integrated deep `SIGTERM` and `SIGINT` signal listeners within the Gateway server. When the daemon is halted, the system now safely terminates active incoming requests and explicitly invokes `logger.close()` to securely flush SQLite Write-Ahead Logs (WAL) before exiting, completely eliminating the risk of database corruption.
303
+ - **Resilient UI (Reconnect Overlay)**: Engineered a global network interceptor inside the Dashboard's React `apiFetch` utility. If the daemon goes offline unexpectedly or is restarting, the UI instantly pauses and deploys a transparent, pulsing "Nyxora Daemon Offline" screen. Once the daemon is revived, the overlay automatically lifts, preserving the user's workflow seamlessly.
304
+
305
+ ### Architecture & System Stability
306
+ - **Dynamic Port Anti-Collision**: Replaced the hardcoded `3001` Policy Server port with a dynamic `process.env.POLICY_PORT` fallback. All Web3 Agents (Bridge, Swap, Transfer, etc.) are now dynamically linked to this environment variable, completely eliminating `ECONNREFUSED` crashes when port 3001 is occupied by other local developer applications.
307
+ - **Robust Path Resolution**: Eliminated hardcoded `process.cwd()` dependencies across the Gateway, Dashboard, and Plugin Manager. The CLI now utilizes robust absolute `__dirname` and `getAppDir()` traversal, guaranteeing the Dashboard UI and External Skills load flawlessly regardless of where the global CLI command is executed from.
308
+
309
+
310
+ ## [26.6.8]
311
+ ### Enterprise Features & Web3 Enhancements
312
+ - **Zero-Downtime Directory Migration**: Restructured the root `~/.nyxora` local data directory into a strict `config/`, `data/`, `auth/`, and `run/` subdirectory architecture. Implemented a Lazy Auto-Migration Engine (`getPath()`) that seamlessly relocates legacy files to their new secure zones instantly upon access, ensuring zero-downtime and zero-data-loss upgrades for existing users.
313
+ ### Security & UX Updates
314
+ - **Proactive Anti-Crash Engine**: Implemented `Max Retry` & `Exponential Backoff` auto-respawn logic inside the Monorepo Launcher. The daemon now features robust global `unhandledRejection` and `uncaughtException` guards across the Core, Policy, and Signer subsystems, ensuring sporadic Web3 network timeouts can no longer crash the main reasoning engine.
315
+ - **Death Loop Telegram Alerts**: Integrated a critical emergency monitoring system into the Launcher. If a core microservice crashes catastrophically (5 times within 1 minute), the daemon will autonomously initiate an emergency lock-down to protect the system state and immediately broadcast a high-priority alert directly to the administrator's Telegram.
316
+ - **Unix Socket Anti-EADDRINUSE Guard**: Implemented aggressive pre-flight cleanup routines for the `nyxora-signer.sock` IPC channel. The system now guarantees secure file unlinking before rebinding, eliminating recurring `EADDRINUSE` daemon failures upon rapid restart commands.
317
+
318
+ ### Bug Fixes & Optimizations
319
+ - **NPM Package Optimization**: Added `assets/` to `.npmignore` to exclude large architectural diagrams and images from the NPM registry tarball, reducing the total package download size by over 11 MB.
320
+ - **Docker Multi-Stage Build**: Radically refactored `Dockerfile` to a Multi-Stage architecture. The production image now exclusively installs runtime dependencies (`--omit=dev`) and leaves behind heavy build tools (`python3`, `make`, `g++`), dramatically shrinking the final container image size.
321
+ - **Docker Security Patch**: Hardened `.dockerignore` to explicitly block local keystores (`keystore.json`), persistent memory (`memory.db`), and local credentials from accidentally leaking into Docker image layers during local builds.
322
+
323
+ ## [26.6.7]
324
+ ### Enterprise Features & Web3 Enhancements
325
+ - **Enterprise Portfolio Scanner**: Integrated a fully decentralized, real-time Dashboard UI (Nord Theme) to scan all native and ERC-20 token balances across 8 EVM chains natively, without relying on centralized third-party APIs.
326
+ - **Real-Time USD Valuation**: Integrated DexScreener API into the Portfolio Scanner backend to actively compute and display USD portfolio values in real-time. Features an adaptive 2-minute memory cache system to ensure complete immunity against API rate-limits and eliminate LLM token consumption.
327
+ - **Official Web3 Branding**: Integrated TrustWallet and CovalentHQ CDNs to automatically resolve and render official Native Chain icons and ERC-20 Token logos with dynamic address casing, delivering an authentic Tier-1 exchange aesthetic.
328
+ - **Custom Token Management (AI Skill)**: Deployed the new `manage_custom_tokens` Web3 skill. The AI agent can now autonomously recognize, store, and manage user-specified custom token addresses (e.g., obscure/degen tokens) to `~/.nyxora/custom_tokens.json`. These are instantly synced with the Portfolio Scanner.
329
+ - **MEV-Blocker Integration**: Upgraded the Ethereum mainnet routing core in `config.ts` to strictly prioritize `rpc.mevblocker.io` and `rpc.flashbots.net` as primary transports. All user transactions are now forcefully routed through Private Mempools, establishing complete immunity against sandwich attacks and front-running bots.
330
+ - **System Diagnosis (`nyxora doctor`)**: Added a new CLI tool `nyxora doctor` to automatically verify OS requirements, node versions, filesystem permissions, SQLite database r/w access, Keyring vault security, and network port availability for seamless troubleshooting.
331
+
332
+ ### Security & UX Updates
333
+ - **CLI Wallet Management (`nyxora wallet update`)**: Added a highly requested sub-command to allow users to securely overwrite their OS Keyring Web3 wallet directly via the CLI without having to re-run the full LLM setup wizard. Features an aggressive visual confirmation step to prevent accidental Private Key destruction.
334
+ - **Terminal UI Resilience**: Replaced dynamic `note()` text rendering with static linear console logs in the `nyxora setup` wizard. This completely eliminates a UI truncation bug where the `clack` prompter would swallow the 12-word mnemonic phrase on small terminal windows.
335
+ - **Helmet CSP Optimization**: Adjusted the Gateway Server's Content Security Policy (CSP) to securely whitelist decentralized image repositories (GitHub raw, CovalentHQ) without compromising strict anti-XSS protection protocols.
336
+ - **BIP-39 Mnemonic Generation**: Upgraded the `nyxora setup` CLI wizard. When auto-generating a new wallet, the system now provides a standard 12-word Seed Phrase (Mnemonic) instead of a raw hex Private Key, vastly improving user security and cross-wallet compatibility (e.g., MetaMask). The private key is still autonomously extracted and locked in the OS Keyring.
337
+ - **One-Liner Install Script**: Added a new hacker-style `curl | bash` installation method at `https://nyxoraai.github.io/Nyxora/install.sh` for Linux/macOS, and a native PowerShell script `install.ps1` for Windows, providing an instant, frictionless setup experience across all major operating systems.
338
+ - **Global Localization Standardization**: Swept and translated the entire AI reasoning log engine (`reasoning.ts`) from Indonesian to standardized English to maintain strict international professional standards across console output and UI feedback.
339
+
340
+ ### Bug Fixes & Optimizations
341
+ - **ERC-20 Decimals Resolution**: Completely eradicated a critical math bug where all custom tokens were assumed to have 18 decimals. The backend now executes parallel `decimals()` on-chain queries alongside `balanceOf()`, guaranteeing 100% mathematical precision for tokens like USDC/USDT (6 decimals).
342
+ - **NPM Monorepo Build Fix**: Fixed the `packages/core` workspace `package.json` to correctly include the `"build": "tsc"` script and aligned its internal versioning (`v26.6.7`). This resolves the NPM workspace lifecycle crash during global build triggers.
343
+ - **NPM Optimization**: Added official keywords (`web3`, `ai`, `agent`, `crypto`, `mcp`, `automation`, `defi`, `zero-trust`) to the root `package.json` to significantly improve Nyxora's discoverability and SEO on the NPM Registry.
344
+
345
+ ## [26.6.6]
346
+ ### Enterprise Stability Upgrades
347
+ - **Strict LLM Output Validation**: Added robust try-catch parsing for LLM tool arguments in `reasoning.ts`. If the AI outputs malformed JSON, the error is fed back into the reasoning loop, allowing the model to autonomously self-correct without crashing the agent pipeline.
348
+ - **Transaction Simulation (Dry-Run)**: Integrated `publicClient.estimateGas` in the Signer Vault before broadcasting transactions. This ensures all Web3 transactions are simulated at the node level, preventing users from wasting gas fees on reverted transactions (e.g., due to insufficient slippage or balance).
349
+ - **Graceful Shutdown (Keyring Security)**: Replaced `SIGKILL` with `SIGTERM` in `launcher.ts` and added explicit process termination listeners in the Signer server. When a user exits the CLI using `Ctrl+C`, the system elegantly clears the in-memory `vaultPrivateKey` reference and unlinks unix sockets, securing the local Keyring vault before terminating.
350
+ - **Undefined Function Fix**: Fixed a silent `TypeError` bug in `reasoning.ts` where a failed LLM parsing attempt would call an undefined `executeReasoningLoop` function. Now gracefully loops via standard `logger.addEntry` continuation.
351
+
352
+ ### Bug Fixes & UX Enhancements
353
+ - **Destructive Config Overwrite Fix**: Fixed a critical bug in `/api/config` where saving settings via the Dashboard UI would silently delete the user's Telegram Bot token and system permissions. The API now performs a deep merge with `config.yaml`.
354
+ - **Asynchronous Transaction UI**: Detached the Web3 transaction execution loop from the Dashboard UI `/approve` endpoint. Approvals now instantly return a success state to the UI (preventing 3-minute freezes) while the transaction safely confirms in the background and reports back via chat.
355
+
356
+ ### Performance & Speed Optimizations
357
+ - **SQLite Indexing (O(1) Lookup)**: Added an automatic `CREATE INDEX` for `session_id` in the memory logger database, drastically reducing query latency from O(n) full table scans to instantaneous lookups for large chat histories.
358
+ - **Sliding Window Context Limit**: Overhauled `getHistory()` with an SQL subquery `LIMIT 40` approach. The agent now only feeds the most recent 40 messages to the LLM context, massively reducing API token costs and preventing latency bloat.
359
+ - **Pre-Compiled Runtime (ts-node Elimination)**: Replaced on-the-fly TypeScript compilation (`ts-node`) with ahead-of-time compilation (`tsc`). `launcher.ts` and `nyxora.mjs` now natively detect and execute compiled `.js` files from the `dist/` directory, resulting in near-instant daemon startup times.
360
+ - **Global Token Metadata Cache (OOM Protected)**: Implemented an in-memory Bounded LRU Cache (max 1000 items) in `tokens.ts` for caching `decimals` and `symbol`. This eliminates repetitive RPC calls for immutable token data, shielding the system from Out-Of-Memory crashes if spammed with fake tokens.
361
+ - **Web3 RPC Parallelization**: Refactored `transfer.ts`, `swapToken.ts`, `bridgeToken.ts`, and `getBalance.ts` to replace slow, sequential `readContract` calls with `Promise.all` fetching via `getTokenMetadata()`. Web3 action preparation latency has been reduced to near 0ms for cached tokens.
362
+
363
+ ## [26.6.5-1.0]
364
+ ### Bug Fixes & Improvements
365
+ - **Transaction Stability**: Added 30-second `AbortSignal` timeout safety net across all Web3 skills (`swapToken`, `transfer`, `bridgeToken`, `mintNft`, `customTx`) to prevent UI hanging when RPC nodes are unresponsive.
366
+ - **Multi-Session Transaction Logs**: Fixed an issue where Web3 transaction status messages (Approve/Reject/Success/Failure) were logged to the `default` session instead of the user's active session window, by attaching the correct `sessionId` with `Content-Type: application/json` headers in dashboard API requests.
367
+ - **UI Tool Rendering Bug**: Fixed a React rendering bug in `App.tsx` where the AI's internal tool execution notification (green bubble) would be hidden if the AI generated both conversational text and a tool execution in the same response.
368
+ - **Base Sepolia Support**: Officially added `base_sepolia` testnet to the supported networks list and `bridgeToken` mappings to prevent AI confusion when resolving bridge destinations.
369
+ - **Default Policy Override (Plug & Play)**: Adjusted the default `config.yaml` template and internal Policy Engine defaults to set `allow_transfer`, `allow_swap`, `allow_shell_execution`, and `allow_file_write` to `true`. Also uncapped `max_usd_per_tx` to `$999,999,999` by default, ensuring a seamless "plug and play" experience for new users without needing manual configuration edits.
370
+ - **Viem RPC Timeout**: Injected a strict 15-second timeout inside the `signer` vault's `viem` HTTP transport to prevent indefinite freezing during blockchain gas estimation when the node is heavily rate-limited.
371
+ - **Auto-Approve Signature Fix**: Added internal HMAC signature generation across all Web3 transaction execution modules (Transfer, Bridge, Mint, CustomTx) to resolve the `Missing internal signature for autoApprove` error during manual dashboard approvals or policy bypasses.
372
+ - **LayerZero Testnet Route**: Upgraded the testnet Bridge mock implementation to utilize LayerZero's V2 Endpoint router (`0x1a44...`) for simulated testnet bridging transactions.
373
+ - **Transaction Result Formatting**: Fixed an issue where the AI would output raw JSON stringified payloads for successful transactions. The chat notification is now properly formatted to clearly display the transaction hash.
374
+ - **Base Sepolia UI Integration**: Synchronized the Dashboard's Network Selector dropdown and Default Web3 Chain settings menu to include the newly added `Base Sepolia (Testnet)` network.
375
+ - **LayerZero Mainnet Removal (Stargate V2)**: Completely removed the experimental LayerZero/Stargate V2 integration from the core bridging engine to prevent interaction with potentially outdated or unverified mainnet smart contracts. Removed the corresponding "LayerZero" routing option from the Dashboard UI dropdown to ensure a highly stable and secure bridging experience exclusively via Li.Fi and Relay.
376
+ - **Relay MEV Protection (Slippage)**: Hardened the `getRelayQuote` HTTP POST request by injecting a strict `slippageTolerance` parameter (default 0.5%). This closes a critical vulnerability where unbounded Relay executions could expose user funds to front-running and MEV attacks during volatile market conditions.
377
+ - **Strict NLP Exactness (Rule 8)**: Injected CRITICAL RULE 8 into the core reasoning pipeline (`reasoning.ts`). The AI is now strictly forbidden from hallucinating or guessing ambiguous transaction parameters (tokens, amounts, or destination networks). It will automatically halt and politely ask the user for explicit clarification before constructing any Web3 payloads.
378
+ - **NLP Context Override System**: Documented the NLP fallback override mechanism in `README.md` and Vitepress documentation to clarify how explicit user chat instructions dynamically bypass Dashboard configurations.
379
+
380
+ ### UI/UX Fixes
381
+ - **Pending Transactions Widget**: Fixed a rendering bug where the Approve/Reject popup was not being injected into the DOM, preventing users from signing transactions.
382
+
383
+ ### Core AI Engine
384
+ - **Strict Language Matching**: Optimized CRITICAL RULE 2 in the System Prompt. The AI now completely ignores historical chat language context and strictly matches the language of the user's latest prompt.
385
+
386
+ ## [26.6.5] - 2026-06-04 (Hotfix Patch)
387
+ ### Fixed
388
+ - **NPM Monorepo Resolution:** Synced `@inquirer/search` and `duck-duck-scrape` to root `package.json` to prevent `MODULE_NOT_FOUND` and `ERR_CONNECTION_REFUSED` on global installations.
389
+
390
+ ## [26.6.4]
391
+
392
+ ### AI Engine Optimizations
393
+ - **Semantic Keyword Router (Zero-Latency)**: Restructured the `reasoning.ts` pipeline to dynamically group tools into specific clusters (`WEB3`, `SYSTEM`, `GOOGLE`). The engine now intercepts the user's prompt using highly optimized Regex keyword-matching. This eliminates "Context Bloat" by only injecting relevant tools into the LLM payload, dramatically increasing LLM responsiveness and minimizing API token consumption.
394
+ - **Zero-LLM Fast Return Expansion**: Expanded the V2 `Fast Return` optimization (which skips the redundant secondary LLM summarization step) to include 7 additional data-heavy read-only tools: `get_price`, `get_my_address`, `analyze_market`, `check_token_security`, `search_web`, `read_gmail_inbox`, and `list_calendar_events`. For these queries, the agent now returns the raw markdown payload instantaneously, cutting response latency by 50-80%.
395
+
396
+ ### Universal LLM Expansion
397
+ - **Dictionary Mapping Refactor**: Completely flattened the massive `if-else` blocks in `reasoning.ts` into a highly dynamic 15-line dictionary map. Adding new LLM providers in the future now only takes a single line of code.
398
+ - **Expanded Provider Ecosystem**: Added native support for **Groq, Mistral AI, xAI (Grok), dan DeepSeek**, seamlessly integrated into the React Dashboard UI's dropdown.
399
+
400
+ ### CLI Enhancements
401
+ - **Searchable Model Prompt**: Replaced the static `@clack/prompts` list with `@inquirer/search` inside `nyxora setup`. Users can now instantly fuzzy-search their desired AI model out of dozens of variants using their keyboard.
402
+ - **2026 Model Roster**: Injected an exhaustive list of the latest frontier models into the CLI (including `gpt-5.5`, `o3-mini`, `gemini-3.1-pro`, `deepseek-reasoner`). A fail-safe `[Tulis Manual / Custom Model]` option is also hardcoded at the bottom of every list.
403
+
404
+ ### Backend Stability (Core Engine)
405
+ - **Zero-Crash SQLite (WAL Mode)**: Enabled `PRAGMA journal_mode = WAL` and `busy_timeout = 5000` on the `node:sqlite` database engine (`logger.ts`). This allows parallel reads and writes without throwing fatal `SQLITE_BUSY` (database locked) errors during high-concurrency operations.
406
+ - **Anti-Zombie LLM Timeout**: Hardcoded a `timeout: 120000` (120 seconds) limit on the core OpenAI SDK instantiation (`reasoning.ts`). If an external AI provider (e.g., local Ollama or OpenRouter) hangs, the system will now correctly severe the connection and trigger Exponential Backoff rather than freezing indefinitely. Disabled internal SDK retries (`maxRetries: 0`) to prevent retry collisions with Nyxora's native retry wrapper.
407
+
408
+ ### UI & Developer Experience
409
+ - **CLI Memory Purge**: Introduced a new developer utility command: `nyxora clear`. It instantly and atomically resets the AI's short-term/long-term memory SQLite database. Includes a mandatory `--force` flag safeguard to prevent accidental data destruction.
410
+ ## [1.7.3]
411
+
412
+ ### Web3 Routing & Integrations
413
+ - **Multi-Router Selection (DeFi)**: Added a dynamic Router dropdown to the Dashboard UI, allowing users to forcefully route transactions through specific protocols natively. Supported routers include `1inch`, `CowSwap (MEV-Protected)`, `Li.Fi`, `Relay`, `Uniswap V2`, `Uniswap V3`, and `PancakeSwap`. This integration heavily relies on deep aggregator proxying (bypassing the need for complex V2/V3 ABI calldata overhead) to ensure 100% smooth, anti-fail execution without requiring additional API keys.
414
+
415
+ ### Security & Polish
416
+ - **Dashboard:** Redacted the sensitive Nyxora Auth Token from appearing in the Gateway Logs component on the frontend to prevent visual leakage during screen sharing or screenshots.
417
+
418
+ ## [1.7.2]
419
+
420
+ ### UI/UX Enhancements
421
+ - **Google Workspace Logout**: Users can now easily disconnect their Google Workspace accounts directly from the Dashboard (OS Skills tab). This triggers a secure token purge from both the OS Keyring and local storage, ensuring privacy and seamless account switching.
422
+
423
+ ### Cloud-Native Deployment
424
+ - **Official Docker & GHCR Support**: Added comprehensive Docker containerization support (`Dockerfile`) and automated publishing pipelines to GitHub Container Registry (GHCR).
425
+ - **Docker Documentation**: Added a dedicated `DOCKER.md` guide explaining how to pull, interactively configure, and run the Nyxora daemon via Docker with isolated Volume storage (`/root/.nyxora`).
426
+
427
+ ### Documentation & Compliance
428
+ - **Legal Infrastructure**: Added standard `Privacy Policy` (`privacy.md`) and `Terms of Service` (`terms.md`) to the VitePress documentation to prepare for official Google OAuth App Verification.
429
+ - **Enterprise Roadmap Evolution**: Updated the documentation roadmap to reflect our "Nyxora Next Update" vision, outlining future plans for a Rust-Native Signer, Idempotent Policy Engine, Multi-VM Architecture, and Google App Verification.
430
+
431
+ ## [1.7.1]
432
+
433
+ ### CLI Enhancements
434
+ - **Global Version Checker**: Implemented native version checking for the global CLI manager. Users can now run `nyxora -v`, `nyxora --version`, or `nyxora version` to instantly check their installed daemon version without starting the application.
435
+ - **Smart Web Search Setup Wizard**: The `nyxora setup` command now includes an interactive prompt allowing users to choose their preferred Web Search Engine (Tavily, Brave, or Decentralized Mesh) and configure their API keys.
436
+ - **Fast CLI Shortcuts**: Added the `nyxora set-key <provider> <key>` global command shortcut allowing developers to quickly inject or override any API Key (OpenAI, Gemini, OpenRouter, Tavily, Brave) directly into the secure vault without traversing the wizard.
437
+
438
+ ### AI Engine Optimizations
439
+
440
+ - **Web Search Smart Memory Cache**: Embedded a local Memory Cache (`Map`) into the `searchWeb` skill with a 5-minute (300,000ms) TTL. Exact duplicate queries now execute in 0ms and consume 0 API quota, dramatically improving conversation flow.
441
+ - **Deep Research Mode**: The `search_web` tool definition now accepts a dynamic `depth` parameter (1 to 3). If users instruct the AI to conduct comprehensive research, Nyxora will automatically trigger `advanced` API payloads and extract up to 15 top web snippets simultaneously.
442
+ - **Strict Skill Prioritization**: Added CRITICAL RULE 7 to the core NLP System Prompt. The AI is now hard-coded to prioritize native Web3 Skills (e.g. `get_price`, `analyze_market`, `check_security`) for all crypto-related queries, using `search_web` exclusively as a fallback mechanism.
443
+ - **Dual-Engine Web Search (L3 Failover)**: Completely removed the fragile `duck-duck-scrape` dependency. The `search_web` skill is now powered by a robust L3 Auto-Failover architecture. Users can configure enterprise-grade search providers (Tavily or Brave). If the primary provider hits a rate limit (429) or invalid key (401/403), Nyxora seamlessly falls back to the secondary provider, and ultimately to a Decentralized SearXNG Mesh as a final safety net, guaranteeing 100% uptime.
444
+
445
+
446
+ ## [1.7.0]
447
+
448
+ ### Bug Fixes & Optimizations
449
+ - **Time Sync Hallucination**: Fixed a critical issue where the AI hallucinates the current date and time. Nyxora now dynamically injects the host OS's exact `new Date().toLocaleString()` into the system prompt upon every execution.
450
+ - **Aggressive UI Auto-Scroll**: Resolved a severe React rendering bug in the dashboard where the 2-second history polling forced the chat window to aggressively scroll to the bottom. Auto-scroll is now strictly isolated to new message arrivals (`messages.length`).
451
+ - **Orphaned OS Skills**: Re-wired the `search_web` (Internet Search) and `analyze_document` (PDF/DOCX Extractor) skills back into the core reasoning engine. These skills were previously orphaned and inaccessible to the AI despite being active in the dashboard.
452
+ - **Multicall3 Portfolio Engine**: Fully replaced parallel `client.getBalance` and ERC20 fetching with a hyper-efficient `Multicall3` architecture. Balances are now chunked (max 30 tokens per batch) to guarantee zero rate-limits and payload errors on public RPCs.
453
+ - **ChatGPT-Level NLP Persona**: Upgraded the AI's core reasoning engine to natively understand unstructured text, slang, and informal contexts. Rigidly enforced Markdown Table generation for all financial data.
454
+ - **Telegram HTML Parser**: Implemented a custom `formatToTelegramHTML` function. Nyxora now escapes dangerous characters (`<`, `>`, `&`) and automatically wraps AI-generated Markdown tables into `<pre>` monospaced blocks, completely eliminating the "Bad Request" rendering crash on Telegram.
455
+ - **Dynamic Tx Formatter (Tap-to-Copy)**: The post-transaction approval message is now bilingual (auto-detecting English/Indonesian from chat history). Transaction Hashes and wallet addresses are wrapped in `<code>` tags for seamless tap-to-copy UX on mobile devices.
456
+ - **CLI Setup Typography**: Updated outdated CLI prompts that falsely referenced legacy `AES-256-GCM` encryption. The CLI now correctly informs the user that Private Keys are securely locked inside the OS Native Keyring Vault.
457
+
458
+ ## [1.6.7]
459
+
460
+ ### UI/UX
461
+ - **New Nyxora Brand Logo**: Replaced the standard dashboard `Bot` icon with a native, 100% transparent SVG component of the Nyxora Cosmic Star.
462
+ - **Dashboard Avatar Overhaul**: Removed the rigid box border/shadow surrounding the agent avatar and maximized the logo scale (from 28px to 48px) for a bold, premium aesthetic.
463
+ - **SVG Optimization**: Cropped the internal viewBox (padding) of the logo to ensure it renders with maximum density and solidity at any resolution.
464
+ - **Favicon Update**: Synchronized the browser tab favicon with the newly optimized Nyxora logo.
465
+ - **Network Sync**: Synchronized network dropdown ordering (ETH > BSC > Base > Optimism > Arbitrum > Sepolia) across Dashboard UI, Settings, and CLI setup.
466
+
467
+ ### Developer Experience
468
+ - **Single-Command Boot**: Introduced `npm run dev` in the root workspace utilizing `concurrently` to launch the backend orchestrator (Vault/Policy/Core) and the Vite frontend simultaneously, providing a seamless "Plug & Play" dev experience.
469
+
470
+ ### Agent Intelligence
471
+ - **Cross-Chain Context**: Upgraded the core LLM prompt to automatically detect network mentions in chat (e.g., "on BNB") and override the default chain dynamically.
472
+ - **Portfolio Enforcement**: Instructed the agent to prioritize the comprehensive `check_portfolio` tool when users ask for general balances, while providing polite network confirmations.
473
+ - **Dust Asset Precision**: Improved portfolio USD calculations to render micro-assets (< $0.01) up to 4 decimal places (e.g., ~$0.0050) preventing inaccurate $0.00 rounding.
474
+ - **"Lean Degen" Auto-Whitelist**: AI now automatically intercepts and permanently saves Contract Addresses (CAs) into `user_whitelist.json` whenever users execute token swaps or check specific balances.
475
+ - **Dynamic Portfolio Merging**: The `checkPortfolio` engine now executes a hyper-fast, 0% rate-limit risk Multicall that merges standard tokens, user-defined CAs, and CoinGecko's daily trending list into a clean, unified dashboard report.
476
+
477
+ ### Dual-Engine & OS Skills (Google Workspace MVP)
478
+ - **Native Google Integration**: Agent can now autonomously interact with Gmail (`read_gmail_inbox`), Google Calendar (`list_calendar_events`), Google Docs (`read_google_docs`), Google Sheets (`append_row_to_sheets`), and Google Forms (`read_google_form_responses`).
479
+ - **Security Upgrade (OS Keyring)**: Completely migrated OAuth token storage to the OS-Native Keyring Vault. Google Refresh Tokens are now securely locked and encrypted by the host OS, preventing plaintext credential theft.
480
+ - **Performance Optimization**: Scrapped the heavy `googleapis` dependency in favor of lightweight Native `fetch`, resulting in zero NPM install warnings, smaller footprint, and faster execution.
481
+ - **Bugfix**: Resolved TypeScript compilation errors (TS2349) related to the `pdf-parse` ESM dependency.
482
+ ## [1.6.6]
483
+
484
+ ### Hotfix: Global Monorepo Dependencies
485
+
486
+ This release patches a critical bug where global installations via `npm install -g nyxora` would fail to start the daemon due to missing C++ native modules.
487
+
488
+ #### Fixes
489
+ - **Dependency Hoisting Fix**: Explicitly bundled essential runtime modules (isolated-vm, telegraf, @modelcontextprotocol/sdk) into the root package.json to support monolithic publishing.
490
+ - **Zero-Crash Boot**: Resolves the MODULE_NOT_FOUND fatal error for isolated-vm when starting the daemon after a clean global install.
491
+ - **Dashboard Stability**: Ensures the background API server connects flawlessly to the React Dashboard without encountering Connection Refused.
492
+ ## [1.6.5]
493
+
494
+ ### The Universal Bridge (MCP Integration)
495
+
496
+ Nyxora now natively supports the Model Context Protocol (MCP). This massive upgrade transforms Nyxora from a standalone agent into a Universal Web3 Middleware. External AI clients (like Claude Desktop or Cursor IDE) can now securely interact with the Nyxora ecosystem out-of-the-box.
497
+
498
+ #### Key Features
499
+ - **StdioServerTransport**: Deep integration allowing Claude Desktop to securely spawn Nyxora as a child process.
500
+ - **Universal Bridge**: Exposes Nyxora's core crypto actions (swap, transfer, market analysis) as standard MCP Tools.
501
+ - **Enterprise Security**: All external MCP commands are strictly routed through Nyxora's battle-tested Policy Engine, ensuring no unauthorized transactions occur.
502
+ ## [1.6.4]
503
+
504
+ ### Added
505
+ - **Node.js Native Database Engine**: Migrated the core `logger.ts` memory subsystem to use the built-in `node:sqlite` engine (Node 22+), maintaining ultra-fast 100% synchronous operations while dramatically reducing dependency bloat.
506
+ - **Next-Gen OS Keyring (N-API)**: Migrated `keytar` to `@napi-rs/keyring`. This replaces legacy C++ bindings with modern Rust/NAPI-RS, retaining identical OS-level security (Mac Keychain, Windows Credential Manager) while eliminating the `prebuild-install` deprecation warning and streamlining global installation.
507
+
508
+ ### Removed
509
+ - `better-sqlite3` and `keytar` dependencies entirely removed from the monorepo architecture.
510
+
511
+ ## [1.6.3]
512
+
513
+ ### Added
514
+ - Implemented **Zero-Click Multi-Session** for instantaneous chat creation and switching.
515
+ - Introduced **Smart Auto-Naming** for automatic contextual session titles.
516
+
517
+ ### Changed
518
+ - **Redesigned Sidebar Architecture**: enhanced utility-centric design, significantly reducing gaps for a compact, elegant look.
519
+ - Integrated **OS-Native Keyring**, replacing legacy AES-256-GCM and Master Password mechanics.
520
+ - Updated and cleaned up legacy cryptography references in VitePress guides and README.
521
+
522
+ ### Fixed
523
+ - Resolved deeply-nested monorepo CI/CD deployment failures by isolating `package-lock.json` and mitigating peer-dependency conflicts.
524
+
525
+ ## [1.4.5]
526
+
527
+ ### Fixed
528
+ - Re-rendered Architecture Workflow diagram as a solid-background PNG to fix dark mode visibility issues.
529
+ - Added `assets` directory to the NPM package `files` list so the diagram is included in published packages.
530
+ - Added `repository` field in `package.json` for proper GitHub link resolution on NPMJS.
531
+ - Updated `README.md` to use the absolute raw GitHub image URL for universal rendering compatibility.
532
+
533
+ ## [1.4.4]
534
+
535
+ ### Fixed
536
+ - Fixed Architecture Workflow diagram rendering issue on NPM by replacing the `mermaid` code block with a static SVG image.
537
+
538
+ ## [1.4.3]
539
+
540
+ ### Changed
541
+ - Completely rewrote `README.md` (English) to follow the structured, security-first Web3-Ops template.
542
+
543
+ ## [1.4.2]
544
+
545
+ ### Changed
546
+ - Updated `README.md` to highlight Web3-Ops capabilities (System Automation, NLP Security Policies, and Dynamic Plugins).
547
+
548
+ ## [1.4.0]
549
+
550
+ ### Added
551
+ - **System Automation Capabilities**: Allow Nyxora to execute shell commands, read/write local files, and browse the web autonomously.
552
+ - **NLP Security Policy**: Users can enforce rules (e.g. "do not touch partition E") in plain text via the chat, which Nyxora respects autonomously.
553
+ - **Plugin System**: Dynamically load third-party skills from the `src/external_skills` folder without modifying the core codebase.
554
+
555
+ ### Changed
556
+ - Moved AI initialization logic to support dynamic importing of external skills.
557
+ - UI Settings: Fixed a fatal rendering bug when the configuration lacks `api_keys` array formatting.
558
+
559
+ ### Fixed
560
+ - Fixed bug on rendering Settings menu due to incorrect `config.yaml` types.
package/README.md CHANGED
@@ -2,7 +2,7 @@
2
2
  **Your Personal Web3 Assistant.**
3
3
 
4
4
 
5
- [![Status: Alpha](https://img.shields.io/badge/Status-Alpha-red.svg)](#)
5
+ [![Status: Beta](https://img.shields.io/badge/Status-Beta-green.svg)](#)
6
6
  [![Built on Base](https://img.shields.io/badge/Built_on-Base-0052FF?style=flat&logo=base&logoColor=white)](https://base.org/)
7
7
  [![MCP Supported](https://img.shields.io/badge/MCP-Supported-blue.svg)](#)
8
8
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -171,12 +171,14 @@ app.post('/sign-transaction', async (req, res) => {
171
171
  const rpcNonce = await client.getTransactionCount({ address: account.address, blockTag: 'pending' });
172
172
  let nextNonce = Math.max(rpcNonce, nonceCache[chainId] || 0);
173
173
  const txRequest = txPayload.details?.txRequest || txPayload.details?.txData || txPayload;
174
+ const toAddress = txRequest.to || txRequest.target;
175
+ const txDataStr = txRequest.data || txRequest.calldata;
174
176
  // Phase 2: Transaction Simulation (Dry-Run / Anti-Fail)
175
177
  try {
176
178
  await client.estimateGas({
177
179
  account,
178
- to: txRequest.to,
179
- data: txRequest.data,
180
+ to: toAddress,
181
+ data: txDataStr,
180
182
  value: txRequest.value ? BigInt(txRequest.value) : 0n
181
183
  });
182
184
  }
@@ -186,8 +188,8 @@ app.post('/sign-transaction', async (req, res) => {
186
188
  // @ts-ignore
187
189
  const hash = await client.sendTransaction({
188
190
  account,
189
- to: txRequest.to,
190
- data: txRequest.data,
191
+ to: toAddress,
192
+ data: txDataStr,
191
193
  value: txRequest.value ? BigInt(txRequest.value) : 0n,
192
194
  nonce: nextNonce,
193
195
  gas: txRequest.gas ? BigInt(txRequest.gas) : undefined,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nyxora",
3
- "version": "26.6.28",
3
+ "version": "26.6.29",
4
4
  "description": "Your Personal Web3 Assistant",
5
5
  "keywords": [
6
6
  "web3",
@@ -19,6 +19,7 @@
19
19
  "files": [
20
20
  "bin",
21
21
  "dist",
22
+ "CHANGELOG.md",
22
23
  "launcher.ts",
23
24
  "packages/core/src",
24
25
  "packages/core/package.json",
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nyxora-agent-core",
3
- "version": "26.6.28",
3
+ "version": "26.6.29",
4
4
  "private": true,
5
5
  "main": "src/gateway/server.ts",
6
6
  "dependencies": {
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "nyxora-dashboard",
3
3
  "private": true,
4
- "version": "26.6.28",
4
+ "version": "26.6.29",
5
5
  "type": "module",
6
6
  "scripts": {
7
7
  "dev": "vite",
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nyxora-mcp-server",
3
- "version": "26.6.28",
3
+ "version": "26.6.29",
4
4
  "description": "Nyxora MCP Subserver, for external AI clients",
5
5
  "main": "dist/server.js",
6
6
  "scripts": {
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nyxora-policy-engine",
3
- "version": "26.6.28",
3
+ "version": "26.6.29",
4
4
  "private": true,
5
5
  "main": "src/server.ts",
6
6
  "dependencies": {
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nyxora-signer",
3
- "version": "26.6.28",
3
+ "version": "26.6.29",
4
4
  "private": true,
5
5
  "main": "src/server.ts",
6
6
  "dependencies": {
@@ -145,13 +145,15 @@ app.post('/sign-transaction', async (req, res) => {
145
145
  let nextNonce = Math.max(rpcNonce, nonceCache[chainId] || 0);
146
146
 
147
147
  const txRequest = txPayload.details?.txRequest || txPayload.details?.txData || txPayload;
148
+ const toAddress = txRequest.to || txRequest.target;
149
+ const txDataStr = txRequest.data || txRequest.calldata;
148
150
 
149
151
  // Phase 2: Transaction Simulation (Dry-Run / Anti-Fail)
150
152
  try {
151
153
  await client.estimateGas({
152
154
  account,
153
- to: txRequest.to,
154
- data: txRequest.data,
155
+ to: toAddress,
156
+ data: txDataStr,
155
157
  value: txRequest.value ? BigInt(txRequest.value) : 0n
156
158
  });
157
159
  } catch (simError: any) {
@@ -161,8 +163,8 @@ app.post('/sign-transaction', async (req, res) => {
161
163
  // @ts-ignore
162
164
  const hash = await client.sendTransaction({
163
165
  account,
164
- to: txRequest.to,
165
- data: txRequest.data,
166
+ to: toAddress,
167
+ data: txDataStr,
166
168
  value: txRequest.value ? BigInt(txRequest.value) : 0n,
167
169
  nonce: nextNonce,
168
170
  gas: txRequest.gas ? BigInt(txRequest.gas) : undefined,