nyxora 26.6.6 → 26.6.8-2

package/.dockerignore

@@ -10,3 +10,12 @@ build
 .nyxora
 vault.key
 api_vault.key
+keystore.json
+memory.json
+memory.db*
+credentials.json
+google-*.json
+*.token
+config.yaml
+custom_tokens.json
+dynamic_tokens.json

package/CHANGELOG.md

@@ -5,6 +5,41 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepashangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [26.6.8-1] - Unreleased
+### Enterprise Features & Web3 Enhancements
+- **Zero-Downtime Directory Migration**: Restructured the root `~/.nyxora` local data directory into a strict `config/`, `data/`, `auth/`, and `run/` subdirectory architecture. Implemented a Lazy Auto-Migration Engine (`getPath()`) that seamlessly relocates legacy files to their new secure zones instantly upon access, ensuring zero-downtime and zero-data-loss upgrades for existing users.
+### Security & UX Updates
+- **Proactive Anti-Crash Engine**: Implemented `Max Retry` & `Exponential Backoff` auto-respawn logic inside the Monorepo Launcher. The daemon now features robust global `unhandledRejection` and `uncaughtException` guards across the Core, Policy, and Signer subsystems, ensuring sporadic Web3 network timeouts can no longer crash the main reasoning engine.
+- **Death Loop Telegram Alerts**: Integrated a critical emergency monitoring system into the Launcher. If a core microservice crashes catastrophically (5 times within 1 minute), the daemon will autonomously initiate an emergency lock-down to protect the system state and immediately broadcast a high-priority alert directly to the administrator's Telegram.
+- **Unix Socket Anti-EADDRINUSE Guard**: Implemented aggressive pre-flight cleanup routines for the `nyxora-signer.sock` IPC channel. The system now guarantees secure file unlinking before rebinding, eliminating recurring `EADDRINUSE` daemon failures upon rapid restart commands.
+
+### Bug Fixes & Optimizations
+- **NPM Package Optimization**: Added `assets/` to `.npmignore` to exclude large architectural diagrams and images from the NPM registry tarball, reducing the total package download size by over 11 MB.
+- **Docker Multi-Stage Build**: Radically refactored `Dockerfile` to a Multi-Stage architecture. The production image now exclusively installs runtime dependencies (`--omit=dev`) and leaves behind heavy build tools (`python3`, `make`, `g++`), dramatically shrinking the final container image size.
+- **Docker Security Patch**: Hardened `.dockerignore` to explicitly block local keystores (`keystore.json`), persistent memory (`memory.db`), and local credentials from accidentally leaking into Docker image layers during local builds.
+
+## [26.6.7] - 2026-06-07
+### Enterprise Features & Web3 Enhancements
+- **Enterprise Portfolio Scanner**: Integrated a fully decentralized, real-time Dashboard UI (Nord Theme) to scan all native and ERC-20 token balances across 8 EVM chains natively, without relying on centralized third-party APIs.
+- **Real-Time USD Valuation**: Integrated DexScreener API into the Portfolio Scanner backend to actively compute and display USD portfolio values in real-time. Features an adaptive 2-minute memory cache system to ensure complete immunity against API rate-limits and eliminate LLM token consumption.
+- **Official Web3 Branding**: Integrated TrustWallet and CovalentHQ CDNs to automatically resolve and render official Native Chain icons and ERC-20 Token logos with dynamic address casing, delivering an authentic Tier-1 exchange aesthetic.
+- **Custom Token Management (AI Skill)**: Deployed the new `manage_custom_tokens` Web3 skill. The AI agent can now autonomously recognize, store, and manage user-specified custom token addresses (e.g., obscure/degen tokens) to `~/.nyxora/custom_tokens.json`. These are instantly synced with the Portfolio Scanner.
+- **MEV-Blocker Integration**: Upgraded the Ethereum mainnet routing core in `config.ts` to strictly prioritize `rpc.mevblocker.io` and `rpc.flashbots.net` as primary transports. All user transactions are now forcefully routed through Private Mempools, establishing complete immunity against sandwich attacks and front-running bots.
+- **System Diagnosis (`nyxora doctor`)**: Added a new CLI tool `nyxora doctor` to automatically verify OS requirements, node versions, filesystem permissions, SQLite database r/w access, Keyring vault security, and network port availability for seamless troubleshooting.
+
+### Security & UX Updates
+- **CLI Wallet Management (`nyxora wallet update`)**: Added a highly requested sub-command to allow users to securely overwrite their OS Keyring Web3 wallet directly via the CLI without having to re-run the full LLM setup wizard. Features an aggressive visual confirmation step to prevent accidental Private Key destruction.
+- **Terminal UI Resilience**: Replaced dynamic `note()` text rendering with static linear console logs in the `nyxora setup` wizard. This completely eliminates a UI truncation bug where the `clack` prompter would swallow the 12-word mnemonic phrase on small terminal windows.
+- **Helmet CSP Optimization**: Adjusted the Gateway Server's Content Security Policy (CSP) to securely whitelist decentralized image repositories (GitHub raw, CovalentHQ) without compromising strict anti-XSS protection protocols.
+- **BIP-39 Mnemonic Generation**: Upgraded the `nyxora setup` CLI wizard. When auto-generating a new wallet, the system now provides a standard 12-word Seed Phrase (Mnemonic) instead of a raw hex Private Key, vastly improving user security and cross-wallet compatibility (e.g., MetaMask). The private key is still autonomously extracted and locked in the OS Keyring.
+- **One-Liner Install Script**: Added a new hacker-style `curl | bash` installation method at `https://nyxoraai.github.io/Nyxora/install.sh` for Linux/macOS, and a native PowerShell script `install.ps1` for Windows, providing an instant, frictionless setup experience across all major operating systems.
+- **Global Localization Standardization**: Swept and translated the entire AI reasoning log engine (`reasoning.ts`) from Indonesian to standardized English to maintain strict international professional standards across console output and UI feedback.
+
+### Bug Fixes & Optimizations
+- **ERC-20 Decimals Resolution**: Completely eradicated a critical math bug where all custom tokens were assumed to have 18 decimals. The backend now executes parallel `decimals()` on-chain queries alongside `balanceOf()`, guaranteeing 100% mathematical precision for tokens like USDC/USDT (6 decimals).
+- **NPM Monorepo Build Fix**: Fixed the `packages/core` workspace `package.json` to correctly include the `"build": "tsc"` script and aligned its internal versioning (`v26.6.7`). This resolves the NPM workspace lifecycle crash during global build triggers.
+- **NPM Optimization**: Added official keywords (`web3`, `ai`, `agent`, `crypto`, `mcp`, `automation`, `defi`, `zero-trust`) to the root `package.json` to significantly improve Nyxora's discoverability and SEO on the NPM Registry.
+
 ## [26.6.6] - 2026-06-05
 ### Enterprise Stability Upgrades
 - **Strict LLM Output Validation**: Added robust try-catch parsing for LLM tool arguments in `reasoning.ts`. If the AI outputs malformed JSON, the error is fed back into the reasoning loop, allowing the model to autonomously self-correct without crashing the agent pipeline.
@@ -99,8 +134,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Fast CLI Shortcuts**: Added the `nyxora set-key <provider> <key>` global command shortcut allowing developers to quickly inject or override any API Key (OpenAI, Gemini, OpenRouter, Tavily, Brave) directly into the secure vault without traversing the wizard.
 
 ### AI Engine Optimizations
-- **Hybrid API Vault (Security)**: API Keys are no longer stored in plain text inside `config.yaml`. Nyxora now encrypts and stores them via `@napi-rs/keyring` utilizing OS-native credential management. For Headless/VPS Linux environments lacking DBUS/Secret Service, it automatically falls back to an isolated `api_vault.key` with strict `0600` permissions.
-- **Root-Level Config Auto-Migration**: Restructured `config.yaml` to move all API keys out of the nested `llm.credentials` into a logical, root-level `credentials` object. Implemented a silent auto-migration routine in `parser.ts` that safely upgrades legacy config files on boot without breaking existing setups.
+
 - **Web Search Smart Memory Cache**: Embedded a local Memory Cache (`Map`) into the `searchWeb` skill with a 5-minute (300,000ms) TTL. Exact duplicate queries now execute in 0ms and consume 0 API quota, dramatically improving conversation flow.
 - **Deep Research Mode**: The `search_web` tool definition now accepts a dynamic `depth` parameter (1 to 3). If users instruct the AI to conduct comprehensive research, Nyxora will automatically trigger `advanced` API payloads and extract up to 15 top web snippets simultaneously.
 - **Strict Skill Prioritization**: Added CRITICAL RULE 7 to the core NLP System Prompt. The AI is now hard-coded to prioritize native Web3 Skills (e.g. `get_price`, `analyze_market`, `check_security`) for all crypto-related queries, using `search_web` exclusively as a fallback mechanism.

package/README.md

@@ -1,4 +1,4 @@
-# Nyxora Agent 🤖
+# Nyxora Agent <img src="./packages/dashboard/public/favicon.svg" width="36" align="top" />
 **Your Personal Web3 Assistant.**
 
 
@@ -10,7 +10,7 @@
 
 Nyxora is a **secure, non-custodial runtime infrastructure for autonomous onchain agents** built with a robust Monorepo architecture (Node.js & React). Designed for autonomous workflows with a premium Utility-Centric dark-themed UI and strict client-side key isolation. 
 
-**Nyxora now natively supports the Model Context Protocol (MCP)**. You can transform your external AI agents (like Claude Desktop and Cursor) into secure Web3 actors that execute swaps and fetch balances using Nyxora's secure signer vault. [View the MCP Integration Guide](https://nyxoraAI.github.io/Nyxora/guide/mcp-integration)
+**Nyxora now natively supports the Model Context Protocol (MCP)**. You can transform your external AI agents (like Claude Desktop and Cursor) into secure Web3 actors that execute swaps and fetch balances using Nyxora's secure signer vault. [View the MCP Integration Guide](https://nyxoraai.github.io/Nyxora/guide/mcp-integration)
 
 It operates under an institutional-grade **Cryptographically Bound Human-in-the-Loop** execution model, ensuring that Remote AIs (LLMs) never have unilateral access to your funds.
 
@@ -66,7 +66,7 @@ The following diagram illustrates Nyxora's **3-Tier Monorepo Architecture**, sho
 
 ## 🛡️ Advanced Security & Threat Model
 
-To dive deeper into the technical details of our Zero-Knowledge security architecture, please visit the [Nyxora Security Blueprint](https://nyxoraAI.github.io/Nyxora/).
+To dive deeper into the technical details of our Zero-Knowledge security architecture, please visit the [Nyxora Security Blueprint](https://nyxoraai.github.io/Nyxora/).
 
 ---
 
@@ -75,20 +75,41 @@ To dive deeper into the technical details of our Zero-Knowledge security archite
 ### Global Installation via NPM (Recommended)
 The easiest and fastest way to use Nyxora is to install it globally via NPM. This ensures you get the latest version and can run Nyxora from anywhere on your machine.
 
+The fastest way to install Nyxora is via our automated installation script:
+
+**For Linux & macOS (Bash):**
+```bash
+curl -fsSL https://nyxoraai.github.io/Nyxora/install.sh | bash
+```
+
+**For Windows (PowerShell):**
+```powershell
+iwr https://nyxoraai.github.io/Nyxora/install.ps1 -useb | iex
+```
+
+Alternatively, you can install it manually on any operating system using NPM:
+
 ```bash
-# 1. Install Nyxora globally
 npm install -g nyxora@latest
+```
 
-# 2. Run the Interactive Setup Wizard (API Keys, Wallet, Telegram)
+### 2. Run the Interactive Setup Wizard (API Keys, Wallet, Telegram)
+```bash
 nyxora setup
+```
 
-# 3. Start the Nyxora background daemon
+### 3. Start the Nyxora background daemon
+```bash
 nyxora start
+```
 
-# 4. Open the Web Dashboard
+### 4. Open the Web Dashboard
+```bash
 nyxora dashboard
+```
 
-# Utility: Atomically clear the AI's short-term and long-term memory
+### Utility: Atomically clear the AI's short-term and long-term memory
+```bash
 nyxora clear --force
 ```
 > **⚠️ IMPORTANT:** Whenever you re-run `nyxora setup` or manually edit the config files, you **must restart the daemon** by running `nyxora restart` for the changes to take effect.
@@ -121,7 +142,7 @@ npm start
 
 For complete technical deep-dives into our Cryptographic Architecture, please visit our official VitePress Documentation Site!
 
-> **🔗 [Read the Full Nyxora Documentation Here](https://nyxoraAI.github.io/Nyxora/)**
+> **🔗 [Read the Full Nyxora Documentation Here](https://nyxoraai.github.io/Nyxora/)**
 
 *(Includes guides on Secure Wallet Imports, Architecture Blueprints, Troubleshooting, and Custom Skill Development).*
 

package/SECURITY.md

@@ -38,7 +38,9 @@ Nyxora completely eliminates the need for manual "Master Passwords" or custom AE
 When the background daemon boots via `nyxora start`, the Signer Vault process reads the Private Key directly from the OS Keyring without requiring human intervention. This ensures the daemon can safely persist across reboots while maintaining institutional-grade encryption at rest.
 
 ### Secure Fallback Storage
-In headless server environments (e.g., VPS, Docker) where a GUI Keyring is unavailable, Nyxora gracefully falls back to a strictly permissioned `.env` / `vault.key` file mechanism. This file is programmatically enforced with `chmod 0600` permissions (Read/Write for owner only), preventing access by other system users.
+In headless server environments (e.g., VPS, Docker) where a GUI Keyring is unavailable, Nyxora gracefully falls back to a strictly permissioned `vault.key` file mechanism. This file is programmatically enforced with `chmod 0600` permissions (Read/Write for owner only), preventing access by other system users.
+
+> **Note:** This OS-level keyring protection is strictly reserved for your Web3 Wallet Private Keys. Standard integration credentials (like LLM API Keys or Telegram tokens) are managed separately via the `config.yaml` file for transparent developer access.
 
 ---
 

package/bin/nyxora.mjs

@@ -11,9 +11,9 @@ const __dirname = path.dirname(__filename);
 const projectRoot = path.join(__dirname, '..');
 
 const appDir = path.join(os.homedir(), '.nyxora');
-const pidFile = path.join(appDir, 'daemon.pid');
-const logFile = path.join(appDir, 'gateway.log');
-const tokenFile = path.join(appDir, 'auth.token');
+const pidFile = path.join(appDir, 'run', 'daemon.pid');
+const logFile = path.join(appDir, 'run', 'gateway.log');
+const tokenFile = path.join(appDir, 'auth', 'auth.token');
 
 if (!fs.existsSync(appDir)) {
   fs.mkdirSync(appDir, { recursive: true });
@@ -247,11 +247,41 @@ async function setKey(cliArgs) {
   await new Promise(resolve => child.on('close', resolve));
 }
 
+async function wallet(cliArgs) {
+  const compiledCli = path.join(projectRoot, 'dist', 'packages/core/src/gateway/cli.js');
+  const useCompiled = fs.existsSync(compiledCli);
+  const cmd = useCompiled ? 'node' : 'npx';
+  const args = useCompiled ? [compiledCli, 'wallet', ...cliArgs] : ['ts-node', '-T', 'packages/core/src/gateway/cli.ts', 'wallet', ...cliArgs];
+  const child = spawn(cmd, args, {
+    cwd: projectRoot,
+    stdio: 'inherit',
+    env: { ...process.env, TS_NODE_CACHE: 'false' }
+  });
+  
+  await new Promise(resolve => child.on('close', resolve));
+}
+
+async function runDoctor() {
+  const compiledCli = path.join(projectRoot, 'dist', 'packages/core/src/gateway/doctor.js');
+  const useCompiled = fs.existsSync(compiledCli);
+  const cmd = useCompiled ? 'node' : 'npx';
+  const args = useCompiled ? [compiledCli] : ['ts-node', '-T', 'packages/core/src/gateway/doctor.ts'];
+  const child = spawn(cmd, args, {
+    cwd: projectRoot,
+    stdio: 'inherit',
+    env: { ...process.env, TS_NODE_CACHE: 'false' }
+  });
+  
+  await new Promise(resolve => child.on('close', resolve));
+}
+
 async function main() {
   switch (command) {
+    case 'doctor': await runDoctor(); break;
     case 'setup': await setup(); break;
     case 'clear': await clearMemory(process.argv.slice(3)); break;
     case 'set-key': await setKey(process.argv.slice(3)); break;
+    case 'wallet': await wallet(process.argv.slice(3)); break;
     case 'start': await start(); break;
     case 'stop': await stop(); break;
     case 'restart': await restart(); break;
@@ -277,10 +307,12 @@ Commands:
   restart        Restart the daemon
   setup          Run the interactive Setup Wizard
   dashboard      Open the dashboard in your browser
+  doctor         Run system diagnostics and check requirements
   clear          Atomically clear the AI's short/long-term memory SQLite database
   clean-logs     Clear the daemon logs
   autostart      Enable/disable autostart on boot (usage: nyxora autostart enable)
   set-key        Securely save API Key (usage: nyxora set-key <provider> <key>)
+  wallet         Manage your Web3 Wallet (usage: nyxora wallet update)
 
 Options:
   -v, --version  Show current version

package/dist/launcher.js

@@ -0,0 +1,137 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const safeLogger_1 = require("./packages/core/src/utils/safeLogger");
+(0, safeLogger_1.initSafeLogger)();
+const child_process_1 = require("child_process");
+const crypto_1 = __importDefault(require("crypto"));
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const INTERNAL_AUTH_TOKEN = crypto_1.default.randomBytes(64).toString('hex');
+console.log(`[Launcher] Generated Internal Auth Token: ${INTERNAL_AUTH_TOKEN.substring(0, 8)}...`);
+const nyxoraDir = path_1.default.join(process.env.HOME || process.env.USERPROFILE || '', '.nyxora');
+const authDir = path_1.default.join(nyxoraDir, 'auth');
+if (!fs_1.default.existsSync(authDir))
+    fs_1.default.mkdirSync(authDir, { recursive: true, mode: 0o700 });
+const tokenPath = path_1.default.join(authDir, 'runtime.token');
+fs_1.default.writeFileSync(tokenPath, INTERNAL_AUTH_TOKEN, { mode: 0o600 });
+console.log(`[Launcher] Secured runtime token at ${tokenPath} (0600)`);
+const env = {
+    ...process.env,
+    INTERNAL_AUTH_TOKEN,
+    SIGNER_SOCKET_PATH: '/tmp/nyxora-signer.sock',
+    TS_NODE_CACHE: 'false'
+};
+const spawnService = (name, command, args, env, inheritStdio = false) => {
+    let child;
+    let crashCount = 0;
+    let crashWindowStart = Date.now();
+    let isShuttingDown = false;
+    const startProcess = () => {
+        child = (0, child_process_1.spawn)(command, args, { env, stdio: inheritStdio ? 'inherit' : 'pipe' });
+        if (!inheritStdio) {
+            child.stdout?.on('data', (data) => process.stdout.write(`[${name}] ${data}`));
+            child.stderr?.on('data', (data) => process.stderr.write(`[${name}] ERROR: ${data}`));
+        }
+        child.on('close', async (code) => {
+            console.log(`[${name}] Exited with code ${code}`);
+            if (isShuttingDown)
+                return;
+            const now = Date.now();
+            if (now - crashWindowStart > 60000) {
+                crashCount = 0;
+                crashWindowStart = now;
+            }
+            crashCount++;
+            if (crashCount > 5) {
+                console.error(`[Launcher] FATAL: ${name} crashed 5 times in 1 minute. Initiating emergency shutdown.`);
+                isShuttingDown = true;
+                try {
+                    const yaml = require('yaml');
+                    const configPath = path_1.default.join(process.env.HOME || process.env.USERPROFILE || '', '.nyxora', 'config', 'config.yaml');
+                    // Fallback check just in case it hasn't migrated yet
+                    const actualConfigPath = fs_1.default.existsSync(configPath) ? configPath : path_1.default.join(process.env.HOME || process.env.USERPROFILE || '', '.nyxora', 'config.yaml');
+                    if (fs_1.default.existsSync(actualConfigPath)) {
+                        const configStr = fs_1.default.readFileSync(actualConfigPath, 'utf8');
+                        const config = yaml.parse(configStr);
+                        const tgToken = config?.telegram?.bot_token;
+                        const tgChatId = config?.telegram?.admin_chat_id;
+                        if (tgToken && tgChatId) {
+                            const alertText = config?.alerts?.emergency_text || "🚨 FATAL ERROR: A critical process has crashed repeatedly. Nyxora is executing an emergency auto-shutdown to protect your system. Please check the server logs.";
+                            await fetch(`https://api.telegram.org/bot${tgToken}/sendMessage`, {
+                                method: 'POST',
+                                headers: { 'Content-Type': 'application/json' },
+                                body: JSON.stringify({ chat_id: tgChatId, text: alertText })
+                            }).catch(() => { });
+                        }
+                    }
+                }
+                catch (e) { }
+                process.exit(1);
+                return;
+            }
+            console.log(`[Launcher] Restarting ${name} in 3 seconds... (Attempt ${crashCount}/5)`);
+            setTimeout(startProcess, 3000);
+        });
+    };
+    startProcess();
+    return {
+        kill: () => {
+            isShuttingDown = true;
+            if (child && !child.killed && child.pid) {
+                try {
+                    process.kill(child.pid, 'SIGTERM');
+                }
+                catch (e) { }
+            }
+        }
+    };
+};
+console.log('[Launcher] Starting Monorepo Services...');
+const socketPath = env.SIGNER_SOCKET_PATH;
+if (fs_1.default.existsSync(socketPath)) {
+    console.log(`[Launcher] Removing stale unix socket at ${socketPath}`);
+    fs_1.default.unlinkSync(socketPath);
+}
+const children = [];
+const isCompiled = __filename.endsWith('.js');
+const ext = isCompiled ? '.js' : '.ts';
+const cmd = isCompiled ? 'node' : 'npx';
+const baseArgs = isCompiled ? [] : ['ts-node', '-T'];
+const signerPath = path_1.default.join(__dirname, `packages/signer/src/server${ext}`);
+const signer = spawnService('Signer', cmd, [...baseArgs, signerPath], env);
+children.push(signer);
+setTimeout(() => {
+    const policyPath = path_1.default.join(__dirname, `packages/policy/src/server${ext}`);
+    const policy = spawnService('Policy', cmd, [...baseArgs, policyPath], env);
+    children.push(policy);
+    setTimeout(() => {
+        const corePath = path_1.default.join(__dirname, `packages/core/src/gateway/cli${ext}`);
+        const args = process.argv.slice(2);
+        const core = spawnService('Core', cmd, [...baseArgs, corePath, ...args], env, true);
+        children.push(core);
+    }, 1000);
+}, 1000);
+// Ensure all child processes are killed when launcher exits
+let isCleaningUp = false;
+const cleanup = () => {
+    if (isCleaningUp)
+        return;
+    isCleaningUp = true;
+    console.log('\n[Launcher] Shutting down all services...');
+    children.forEach(c => c.kill());
+    // Give them a moment to cleanup
+    setTimeout(() => {
+        try {
+            require('child_process').execSync('pkill -f ts-node');
+        }
+        catch (e) { }
+        process.exit(0);
+    }, 1000);
+};
+process.on('SIGINT', cleanup);
+process.on('SIGTERM', cleanup);
+process.on('SIGTERM', cleanup);
+process.on('exit', cleanup);

package/dist/packages/core/src/agent/reasoning.js

@@ -24,6 +24,7 @@ const marketAnalysis_1 = require("../web3/skills/marketAnalysis");
 const checkPortfolio_1 = require("../web3/skills/checkPortfolio");
 const checkAddress_1 = require("../web3/skills/checkAddress");
 const getMyAddress_1 = require("../web3/skills/getMyAddress");
+const manageCustomTokens_1 = require("../web3/skills/manageCustomTokens");
 const limitOrderManager_1 = require("./limitOrderManager");
 const updateProfile_1 = require("./updateProfile");
 const updateSecurityPolicy_1 = require("../system/skills/updateSecurityPolicy");
@@ -39,7 +40,6 @@ const pluginManager_1 = require("../system/pluginManager");
 const paths_1 = require("../config/paths");
 const picocolors_1 = __importDefault(require("picocolors"));
 exports.logger = new logger_1.Logger();
-let currentKeyIndex = 0;
 const PROVIDER_CONFIGS = {
     ollama: { baseURL: process.env.OLLAMA_BASE_URL ? `${process.env.OLLAMA_BASE_URL}/v1` : 'http://localhost:11434/v1', requiresApiKey: false },
     gemini: { baseURL: 'https://generativelanguage.googleapis.com/v1beta/openai/', requiresApiKey: true },
@@ -58,27 +58,12 @@ async function getOpenAI() {
     let apiKey = 'local';
     if (providerConf.requiresApiKey) {
         apiKey = '';
-        let configuredKeys = config.llm.api_keys;
-        if (typeof configuredKeys === 'string') {
-            configuredKeys = [configuredKeys];
-        }
-        if (Array.isArray(configuredKeys) && configuredKeys.length > 0) {
-            const keys = configuredKeys.filter(k => typeof k === 'string' && k.trim() !== '');
-            if (keys.length > 0) {
-                currentKeyIndex = currentKeyIndex % keys.length;
-                apiKey = keys[currentKeyIndex];
-                console.log(`[LLM] Using rotated API Key (${currentKeyIndex + 1}/${keys.length}): ${apiKey.substring(0, 4)}...`);
-                currentKeyIndex++;
-            }
-        }
+        const keyName = `${providerName}_key`;
+        apiKey = vaultKeys[keyName] || config.credentials?.[keyName] || '';
         if (!apiKey) {
-            const fallbackKeyName = `${providerName}_key`;
-            apiKey = vaultKeys[fallbackKeyName] || config.credentials?.[fallbackKeyName] || '';
-            if (!apiKey) {
-                throw new Error(`No API Key found for ${providerName}. Please run 'nyxora setup' to configure it.`);
-            }
-            console.log(`[LLM] Using API Key from secure vault`);
+            throw new Error(`[Security] No API Key found for ${providerName} in OS Keyring. Please run 'nyxora set-key ${providerName} <key>' or 'nyxora setup'.`);
         }
+        console.log(`[LLM] Using API Key securely unlocked from OS Keyring vault.`);
     }
     return new openai_1.OpenAI({
         baseURL: providerConf.baseURL,
@@ -207,7 +192,7 @@ async function processUserInput(input, role = 'user', onProgress, sessionId) {
         const lowerInput = input.toLowerCase();
         const hasWeb3Keyword = /swap|transfer|price|token|crypto|bridge|wallet|balance|portfolio|buy|sell|send|receive|address|market|limit|mint|nft/i.test(lowerInput);
         const hasGoogleKeyword = /email|gmail|calendar|sheet|doc|form|event/i.test(lowerInput);
-        const WEB3_TOOLS = [getBalance_1.getBalanceToolDefinition, transfer_1.transferToolDefinition, getPrice_1.getPriceToolDefinition, swapToken_1.swapTokenToolDefinition, bridgeToken_1.bridgeTokenToolDefinition, mintNft_1.mintNftToolDefinition, customTx_1.customTxToolDefinition, createWallet_1.createWalletToolDefinition, checkSecurity_1.checkSecurityToolDefinition, marketAnalysis_1.marketAnalysisToolDefinition, checkPortfolio_1.checkPortfolioToolDefinition, checkAddress_1.checkAddressToolDefinition, getMyAddress_1.getMyAddressToolDefinition, limitOrderManager_1.createLimitOrderToolDefinition, limitOrderManager_1.listLimitOrdersToolDefinition, limitOrderManager_1.cancelLimitOrderToolDefinition];
+        const WEB3_TOOLS = [getBalance_1.getBalanceToolDefinition, transfer_1.transferToolDefinition, getPrice_1.getPriceToolDefinition, swapToken_1.swapTokenToolDefinition, bridgeToken_1.bridgeTokenToolDefinition, mintNft_1.mintNftToolDefinition, customTx_1.customTxToolDefinition, createWallet_1.createWalletToolDefinition, checkSecurity_1.checkSecurityToolDefinition, marketAnalysis_1.marketAnalysisToolDefinition, checkPortfolio_1.checkPortfolioToolDefinition, checkAddress_1.checkAddressToolDefinition, getMyAddress_1.getMyAddressToolDefinition, manageCustomTokens_1.manageCustomTokensDefinition, limitOrderManager_1.createLimitOrderToolDefinition, limitOrderManager_1.listLimitOrdersToolDefinition, limitOrderManager_1.cancelLimitOrderToolDefinition];
         const SYSTEM_TOOLS = [updateProfile_1.updateProfileToolDefinition, updateSecurityPolicy_1.updateSecurityPolicyToolDefinition, analyzeDocument_1.analyzeDocumentToolDefinition, readFile_1.readLocalFileToolDefinition, writeFile_1.writeLocalFileToolDefinition, executeShell_1.runTerminalCommandToolDefinition, browseWeb_1.browseWebsiteToolDefinition, searchWeb_1.searchWebToolDefinition, installSkill_1.installExternalSkillToolDefinition];
         const GOOGLE_TOOLS = [googleWorkspace_1.readGmailInboxToolDefinition, googleWorkspace_1.listCalendarEventsToolDefinition, googleWorkspace_1.appendRowToSheetsToolDefinition, googleWorkspace_1.readGoogleDocsToolDefinition, googleWorkspace_1.readGoogleFormResponsesToolDefinition];
         let activeTools = [];
@@ -251,9 +236,9 @@ async function processUserInput(input, role = 'user', onProgress, sessionId) {
                 let result = "";
                 let args = {};
                 const toolName = toolCall.function.name;
-                console.log(picocolors_1.default.yellow(`[⚡ Eksekusi Tool] AI memanggil ${toolName}...`));
+                console.log(picocolors_1.default.yellow(`[⚡ Tool Execution] AI is calling ${toolName}...`));
                 if (onProgress)
-                    onProgress(`_⚡ Menjalankan alat: ${toolName}..._`);
+                    onProgress(`_⚡ Running tool: ${toolName}..._`);
                 // Phase 1: LLM Output Validation (Anti-Halusinasi)
                 try {
                     args = JSON.parse(toolCall.function.arguments);
@@ -342,6 +327,10 @@ async function processUserInput(input, role = 'user', onProgress, sessionId) {
                             result = await (0, getMyAddress_1.getMyAddress)();
                             break;
                         }
+                        case 'manage_custom_tokens': {
+                            result = await (0, manageCustomTokens_1.executeManageCustomTokens)(args);
+                            break;
+                        }
                         case 'create_limit_order': {
                             if (config.permissions?.web3?.allow_swap === false) {
                                 result = `[Security Blocked] Runtime Permission Denied: Limit orders require swap permissions. Update config.yaml to allow.`;
@@ -434,15 +423,15 @@ async function processUserInput(input, role = 'user', onProgress, sessionId) {
                         }
                     }
                     if (result.includes('[Security Blocked]') || result.startsWith('Error:')) {
-                        console.log(picocolors_1.default.red(`[❌ Gagal] Tool ${toolName} mengembalikan error atau diblokir.`));
+                        console.log(picocolors_1.default.red(`[❌ Failed] Tool ${toolName} returned an error or was blocked.`));
                     }
                     else {
-                        console.log(picocolors_1.default.green(`[✅ Sukses] Tool ${toolName} berhasil dieksekusi.`));
+                        console.log(picocolors_1.default.green(`[✅ Success] Tool ${toolName} executed successfully.`));
                     }
                 }
                 catch (toolError) {
                     result = `Error executing ${toolName}: ${toolError.message}`;
-                    console.log(picocolors_1.default.red(`[❌ Error Crash] Eksekusi ${toolName} gagal total: ${toolError.message}`));
+                    console.error(picocolors_1.default.red(`[❌ Error Crash] Execution of ${toolName} failed completely: ${toolError.message}`));
                 }
                 exports.logger.addEntry({
                     role: 'tool',

package/dist/packages/core/src/config/parser.js

@@ -11,38 +11,15 @@ const fs_1 = __importDefault(require("fs"));
 const yaml_1 = __importDefault(require("yaml"));
 const paths_1 = require("./paths");
 async function loadApiKeys() {
-    const vaultPath = (0, paths_1.getPath)('api_vault.key');
-    try {
-        const { Entry } = require('@napi-rs/keyring');
-        const entry = new Entry('nyxora', 'api_keys');
-        const data = await entry.getPassword();
-        if (data)
-            return JSON.parse(data);
-    }
-    catch (e) {
-        if (fs_1.default.existsSync(vaultPath)) {
-            try {
-                const file = fs_1.default.readFileSync(vaultPath, 'utf8');
-                return JSON.parse(file);
-            }
-            catch (err) { }
-        }
-    }
-    return {};
+    const config = loadConfig();
+    return config.credentials || {};
 }
 async function saveApiKeys(newKeys) {
-    const vaultPath = (0, paths_1.getPath)('api_vault.key');
-    const currentKeys = await loadApiKeys();
-    const mergedKeys = { ...currentKeys, ...newKeys };
-    const dataString = JSON.stringify(mergedKeys);
-    try {
-        const { Entry } = require('@napi-rs/keyring');
-        const entry = new Entry('nyxora', 'api_keys');
-        await entry.setPassword(dataString);
-    }
-    catch (e) {
-        fs_1.default.writeFileSync(vaultPath, dataString, { mode: 0o600 });
-    }
+    const config = loadConfig();
+    if (!config.credentials)
+        config.credentials = {};
+    config.credentials = { ...config.credentials, ...newKeys };
+    saveConfig(config);
 }
 function loadConfig() {
     const configPath = (0, paths_1.getPath)('config.yaml');
@@ -74,21 +51,6 @@ function loadConfig() {
                 console.error('[Config] Failed to auto-migrate config file', e);
             }
         }
-        // Auto-migrate from config.yaml to Keyring/Vault
-        if (parsed.credentials && Object.keys(parsed.credentials).length > 0) {
-            const credsToMigrate = { ...parsed.credentials };
-            saveApiKeys(credsToMigrate).then(() => {
-                console.log('[Config] Auto-migrated API keys to secure vault.');
-                delete parsed.credentials;
-                try {
-                    const yamlStr = yaml_1.default.stringify(parsed);
-                    fs_1.default.writeFileSync(configPath, yamlStr, 'utf8');
-                }
-                catch (e) { }
-            }).catch(e => {
-                console.error('[Config] Failed to migrate API keys to secure vault', e);
-            });
-        }
         return {
             agent: parsed.agent || { name: 'Nyxora-Default', description: 'Your Personal Web3 Assistant.', default_chain: 'base', default_router: 'auto', default_slippage: 0.5 },
             llm: parsed.llm || {

package/dist/packages/core/src/config/paths.js

@@ -30,6 +30,44 @@ function getAppDir() {
     }
     return process.cwd();
 }
+function ensureDir(dir) {
+    if (!fs_1.default.existsSync(dir)) {
+        fs_1.default.mkdirSync(dir, { recursive: true });
+    }
+}
 function getPath(filename) {
-    return path_1.default.join(getAppDir(), filename);
+    const baseDir = getAppDir();
+    // Determine subdirectory based on filename
+    let subDir = '';
+    const lowerFile = filename.toLowerCase();
+    if (lowerFile.endsWith('.db') || lowerFile.endsWith('.db-wal') || lowerFile.endsWith('.db-shm') || lowerFile.endsWith('.json') && lowerFile.includes('memory') || lowerFile.endsWith('.md') || lowerFile.includes('orders')) {
+        subDir = 'data';
+    }
+    else if (lowerFile.endsWith('.yaml') || lowerFile.includes('config') || lowerFile.includes('skills') || lowerFile.includes('whitelist') || lowerFile.includes('tokens')) {
+        subDir = 'config';
+    }
+    else if (lowerFile.endsWith('.token') || lowerFile.includes('vault') || lowerFile.includes('credentials')) {
+        subDir = 'auth';
+    }
+    else if (lowerFile.endsWith('.log') || lowerFile.includes('pid')) {
+        subDir = 'run';
+    }
+    const targetDir = path_1.default.join(baseDir, subDir);
+    ensureDir(targetDir);
+    const fullPath = path_1.default.join(targetDir, filename);
+    // AUTO-MIGRATION: If file exists in root but not in subdir, move it
+    const oldRootPath = path_1.default.join(baseDir, filename);
+    if (subDir !== '') {
+        if (fs_1.default.existsSync(oldRootPath) && !fs_1.default.existsSync(fullPath)) {
+            try {
+                fs_1.default.renameSync(oldRootPath, fullPath);
+                console.log(`[Migration] Moved ${filename} to ${subDir}/ directory.`);
+            }
+            catch (err) {
+                console.warn(`[Migration] Failed to move ${filename} to ${subDir}/`, err);
+                return oldRootPath; // fallback to root if migration fails
+            }
+        }
+    }
+    return fullPath;
 }