nyxora 26.6.7 → 26.6.8-2

package/.dockerignore

@@ -10,3 +10,12 @@ build
 .nyxora
 vault.key
 api_vault.key
+keystore.json
+memory.json
+memory.db*
+credentials.json
+google-*.json
+*.token
+config.yaml
+custom_tokens.json
+dynamic_tokens.json

package/CHANGELOG.md

@@ -5,7 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepashangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [26.6.7] - Unreleased
+## [26.6.8-1] - Unreleased
+### Enterprise Features & Web3 Enhancements
+- **Zero-Downtime Directory Migration**: Restructured the root `~/.nyxora` local data directory into a strict `config/`, `data/`, `auth/`, and `run/` subdirectory architecture. Implemented a Lazy Auto-Migration Engine (`getPath()`) that seamlessly relocates legacy files to their new secure zones instantly upon access, ensuring zero-downtime and zero-data-loss upgrades for existing users.
+### Security & UX Updates
+- **Proactive Anti-Crash Engine**: Implemented `Max Retry` & `Exponential Backoff` auto-respawn logic inside the Monorepo Launcher. The daemon now features robust global `unhandledRejection` and `uncaughtException` guards across the Core, Policy, and Signer subsystems, ensuring sporadic Web3 network timeouts can no longer crash the main reasoning engine.
+- **Death Loop Telegram Alerts**: Integrated a critical emergency monitoring system into the Launcher. If a core microservice crashes catastrophically (5 times within 1 minute), the daemon will autonomously initiate an emergency lock-down to protect the system state and immediately broadcast a high-priority alert directly to the administrator's Telegram.
+- **Unix Socket Anti-EADDRINUSE Guard**: Implemented aggressive pre-flight cleanup routines for the `nyxora-signer.sock` IPC channel. The system now guarantees secure file unlinking before rebinding, eliminating recurring `EADDRINUSE` daemon failures upon rapid restart commands.
+
+### Bug Fixes & Optimizations
+- **NPM Package Optimization**: Added `assets/` to `.npmignore` to exclude large architectural diagrams and images from the NPM registry tarball, reducing the total package download size by over 11 MB.
+- **Docker Multi-Stage Build**: Radically refactored `Dockerfile` to a Multi-Stage architecture. The production image now exclusively installs runtime dependencies (`--omit=dev`) and leaves behind heavy build tools (`python3`, `make`, `g++`), dramatically shrinking the final container image size.
+- **Docker Security Patch**: Hardened `.dockerignore` to explicitly block local keystores (`keystore.json`), persistent memory (`memory.db`), and local credentials from accidentally leaking into Docker image layers during local builds.
+
+## [26.6.7] - 2026-06-07
 ### Enterprise Features & Web3 Enhancements
 - **Enterprise Portfolio Scanner**: Integrated a fully decentralized, real-time Dashboard UI (Nord Theme) to scan all native and ERC-20 token balances across 8 EVM chains natively, without relying on centralized third-party APIs.
 - **Real-Time USD Valuation**: Integrated DexScreener API into the Portfolio Scanner backend to actively compute and display USD portfolio values in real-time. Features an adaptive 2-minute memory cache system to ensure complete immunity against API rate-limits and eliminate LLM token consumption.
@@ -121,8 +134,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Fast CLI Shortcuts**: Added the `nyxora set-key <provider> <key>` global command shortcut allowing developers to quickly inject or override any API Key (OpenAI, Gemini, OpenRouter, Tavily, Brave) directly into the secure vault without traversing the wizard.
 
 ### AI Engine Optimizations
-- **Hybrid API Vault (Security)**: API Keys are no longer stored in plain text inside `config.yaml`. Nyxora now encrypts and stores them via `@napi-rs/keyring` utilizing OS-native credential management. For Headless/VPS Linux environments lacking DBUS/Secret Service, it automatically falls back to an isolated `api_vault.key` with strict `0600` permissions.
-- **Root-Level Config Auto-Migration**: Restructured `config.yaml` to move all API keys out of the nested `llm.credentials` into a logical, root-level `credentials` object. Implemented a silent auto-migration routine in `parser.ts` that safely upgrades legacy config files on boot without breaking existing setups.
+
 - **Web Search Smart Memory Cache**: Embedded a local Memory Cache (`Map`) into the `searchWeb` skill with a 5-minute (300,000ms) TTL. Exact duplicate queries now execute in 0ms and consume 0 API quota, dramatically improving conversation flow.
 - **Deep Research Mode**: The `search_web` tool definition now accepts a dynamic `depth` parameter (1 to 3). If users instruct the AI to conduct comprehensive research, Nyxora will automatically trigger `advanced` API payloads and extract up to 15 top web snippets simultaneously.
 - **Strict Skill Prioritization**: Added CRITICAL RULE 7 to the core NLP System Prompt. The AI is now hard-coded to prioritize native Web3 Skills (e.g. `get_price`, `analyze_market`, `check_security`) for all crypto-related queries, using `search_web` exclusively as a fallback mechanism.

package/README.md

@@ -10,7 +10,7 @@
 
 Nyxora is a **secure, non-custodial runtime infrastructure for autonomous onchain agents** built with a robust Monorepo architecture (Node.js & React). Designed for autonomous workflows with a premium Utility-Centric dark-themed UI and strict client-side key isolation. 
 
-**Nyxora now natively supports the Model Context Protocol (MCP)**. You can transform your external AI agents (like Claude Desktop and Cursor) into secure Web3 actors that execute swaps and fetch balances using Nyxora's secure signer vault. [View the MCP Integration Guide](https://nyxoraAI.github.io/Nyxora/guide/mcp-integration)
+**Nyxora now natively supports the Model Context Protocol (MCP)**. You can transform your external AI agents (like Claude Desktop and Cursor) into secure Web3 actors that execute swaps and fetch balances using Nyxora's secure signer vault. [View the MCP Integration Guide](https://nyxoraai.github.io/Nyxora/guide/mcp-integration)
 
 It operates under an institutional-grade **Cryptographically Bound Human-in-the-Loop** execution model, ensuring that Remote AIs (LLMs) never have unilateral access to your funds.
 
@@ -66,7 +66,7 @@ The following diagram illustrates Nyxora's **3-Tier Monorepo Architecture**, sho
 
 ## 🛡️ Advanced Security & Threat Model
 
-To dive deeper into the technical details of our Zero-Knowledge security architecture, please visit the [Nyxora Security Blueprint](https://nyxoraAI.github.io/Nyxora/).
+To dive deeper into the technical details of our Zero-Knowledge security architecture, please visit the [Nyxora Security Blueprint](https://nyxoraai.github.io/Nyxora/).
 
 ---
 
@@ -93,16 +93,23 @@ Alternatively, you can install it manually on any operating system using NPM:
 npm install -g nyxora@latest
 ```
 
-# 2. Run the Interactive Setup Wizard (API Keys, Wallet, Telegram)
+### 2. Run the Interactive Setup Wizard (API Keys, Wallet, Telegram)
+```bash
 nyxora setup
+```
 
-# 3. Start the Nyxora background daemon
+### 3. Start the Nyxora background daemon
+```bash
 nyxora start
+```
 
-# 4. Open the Web Dashboard
+### 4. Open the Web Dashboard
+```bash
 nyxora dashboard
+```
 
-# Utility: Atomically clear the AI's short-term and long-term memory
+### Utility: Atomically clear the AI's short-term and long-term memory
+```bash
 nyxora clear --force
 ```
 > **⚠️ IMPORTANT:** Whenever you re-run `nyxora setup` or manually edit the config files, you **must restart the daemon** by running `nyxora restart` for the changes to take effect.
@@ -135,7 +142,7 @@ npm start
 
 For complete technical deep-dives into our Cryptographic Architecture, please visit our official VitePress Documentation Site!
 
-> **🔗 [Read the Full Nyxora Documentation Here](https://nyxoraAI.github.io/Nyxora/)**
+> **🔗 [Read the Full Nyxora Documentation Here](https://nyxoraai.github.io/Nyxora/)**
 
 *(Includes guides on Secure Wallet Imports, Architecture Blueprints, Troubleshooting, and Custom Skill Development).*
 

package/SECURITY.md

@@ -38,7 +38,9 @@ Nyxora completely eliminates the need for manual "Master Passwords" or custom AE
 When the background daemon boots via `nyxora start`, the Signer Vault process reads the Private Key directly from the OS Keyring without requiring human intervention. This ensures the daemon can safely persist across reboots while maintaining institutional-grade encryption at rest.
 
 ### Secure Fallback Storage
-In headless server environments (e.g., VPS, Docker) where a GUI Keyring is unavailable, Nyxora gracefully falls back to a strictly permissioned `.env` / `vault.key` file mechanism. This file is programmatically enforced with `chmod 0600` permissions (Read/Write for owner only), preventing access by other system users.
+In headless server environments (e.g., VPS, Docker) where a GUI Keyring is unavailable, Nyxora gracefully falls back to a strictly permissioned `vault.key` file mechanism. This file is programmatically enforced with `chmod 0600` permissions (Read/Write for owner only), preventing access by other system users.
+
+> **Note:** This OS-level keyring protection is strictly reserved for your Web3 Wallet Private Keys. Standard integration credentials (like LLM API Keys or Telegram tokens) are managed separately via the `config.yaml` file for transparent developer access.
 
 ---
 

package/bin/nyxora.mjs

@@ -11,9 +11,9 @@ const __dirname = path.dirname(__filename);
 const projectRoot = path.join(__dirname, '..');
 
 const appDir = path.join(os.homedir(), '.nyxora');
-const pidFile = path.join(appDir, 'daemon.pid');
-const logFile = path.join(appDir, 'gateway.log');
-const tokenFile = path.join(appDir, 'auth.token');
+const pidFile = path.join(appDir, 'run', 'daemon.pid');
+const logFile = path.join(appDir, 'run', 'gateway.log');
+const tokenFile = path.join(appDir, 'auth', 'auth.token');
 
 if (!fs.existsSync(appDir)) {
   fs.mkdirSync(appDir, { recursive: true });

package/dist/launcher.js

@@ -0,0 +1,137 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const safeLogger_1 = require("./packages/core/src/utils/safeLogger");
+(0, safeLogger_1.initSafeLogger)();
+const child_process_1 = require("child_process");
+const crypto_1 = __importDefault(require("crypto"));
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const INTERNAL_AUTH_TOKEN = crypto_1.default.randomBytes(64).toString('hex');
+console.log(`[Launcher] Generated Internal Auth Token: ${INTERNAL_AUTH_TOKEN.substring(0, 8)}...`);
+const nyxoraDir = path_1.default.join(process.env.HOME || process.env.USERPROFILE || '', '.nyxora');
+const authDir = path_1.default.join(nyxoraDir, 'auth');
+if (!fs_1.default.existsSync(authDir))
+    fs_1.default.mkdirSync(authDir, { recursive: true, mode: 0o700 });
+const tokenPath = path_1.default.join(authDir, 'runtime.token');
+fs_1.default.writeFileSync(tokenPath, INTERNAL_AUTH_TOKEN, { mode: 0o600 });
+console.log(`[Launcher] Secured runtime token at ${tokenPath} (0600)`);
+const env = {
+    ...process.env,
+    INTERNAL_AUTH_TOKEN,
+    SIGNER_SOCKET_PATH: '/tmp/nyxora-signer.sock',
+    TS_NODE_CACHE: 'false'
+};
+const spawnService = (name, command, args, env, inheritStdio = false) => {
+    let child;
+    let crashCount = 0;
+    let crashWindowStart = Date.now();
+    let isShuttingDown = false;
+    const startProcess = () => {
+        child = (0, child_process_1.spawn)(command, args, { env, stdio: inheritStdio ? 'inherit' : 'pipe' });
+        if (!inheritStdio) {
+            child.stdout?.on('data', (data) => process.stdout.write(`[${name}] ${data}`));
+            child.stderr?.on('data', (data) => process.stderr.write(`[${name}] ERROR: ${data}`));
+        }
+        child.on('close', async (code) => {
+            console.log(`[${name}] Exited with code ${code}`);
+            if (isShuttingDown)
+                return;
+            const now = Date.now();
+            if (now - crashWindowStart > 60000) {
+                crashCount = 0;
+                crashWindowStart = now;
+            }
+            crashCount++;
+            if (crashCount > 5) {
+                console.error(`[Launcher] FATAL: ${name} crashed 5 times in 1 minute. Initiating emergency shutdown.`);
+                isShuttingDown = true;
+                try {
+                    const yaml = require('yaml');
+                    const configPath = path_1.default.join(process.env.HOME || process.env.USERPROFILE || '', '.nyxora', 'config', 'config.yaml');
+                    // Fallback check just in case it hasn't migrated yet
+                    const actualConfigPath = fs_1.default.existsSync(configPath) ? configPath : path_1.default.join(process.env.HOME || process.env.USERPROFILE || '', '.nyxora', 'config.yaml');
+                    if (fs_1.default.existsSync(actualConfigPath)) {
+                        const configStr = fs_1.default.readFileSync(actualConfigPath, 'utf8');
+                        const config = yaml.parse(configStr);
+                        const tgToken = config?.telegram?.bot_token;
+                        const tgChatId = config?.telegram?.admin_chat_id;
+                        if (tgToken && tgChatId) {
+                            const alertText = config?.alerts?.emergency_text || "🚨 FATAL ERROR: A critical process has crashed repeatedly. Nyxora is executing an emergency auto-shutdown to protect your system. Please check the server logs.";
+                            await fetch(`https://api.telegram.org/bot${tgToken}/sendMessage`, {
+                                method: 'POST',
+                                headers: { 'Content-Type': 'application/json' },
+                                body: JSON.stringify({ chat_id: tgChatId, text: alertText })
+                            }).catch(() => { });
+                        }
+                    }
+                }
+                catch (e) { }
+                process.exit(1);
+                return;
+            }
+            console.log(`[Launcher] Restarting ${name} in 3 seconds... (Attempt ${crashCount}/5)`);
+            setTimeout(startProcess, 3000);
+        });
+    };
+    startProcess();
+    return {
+        kill: () => {
+            isShuttingDown = true;
+            if (child && !child.killed && child.pid) {
+                try {
+                    process.kill(child.pid, 'SIGTERM');
+                }
+                catch (e) { }
+            }
+        }
+    };
+};
+console.log('[Launcher] Starting Monorepo Services...');
+const socketPath = env.SIGNER_SOCKET_PATH;
+if (fs_1.default.existsSync(socketPath)) {
+    console.log(`[Launcher] Removing stale unix socket at ${socketPath}`);
+    fs_1.default.unlinkSync(socketPath);
+}
+const children = [];
+const isCompiled = __filename.endsWith('.js');
+const ext = isCompiled ? '.js' : '.ts';
+const cmd = isCompiled ? 'node' : 'npx';
+const baseArgs = isCompiled ? [] : ['ts-node', '-T'];
+const signerPath = path_1.default.join(__dirname, `packages/signer/src/server${ext}`);
+const signer = spawnService('Signer', cmd, [...baseArgs, signerPath], env);
+children.push(signer);
+setTimeout(() => {
+    const policyPath = path_1.default.join(__dirname, `packages/policy/src/server${ext}`);
+    const policy = spawnService('Policy', cmd, [...baseArgs, policyPath], env);
+    children.push(policy);
+    setTimeout(() => {
+        const corePath = path_1.default.join(__dirname, `packages/core/src/gateway/cli${ext}`);
+        const args = process.argv.slice(2);
+        const core = spawnService('Core', cmd, [...baseArgs, corePath, ...args], env, true);
+        children.push(core);
+    }, 1000);
+}, 1000);
+// Ensure all child processes are killed when launcher exits
+let isCleaningUp = false;
+const cleanup = () => {
+    if (isCleaningUp)
+        return;
+    isCleaningUp = true;
+    console.log('\n[Launcher] Shutting down all services...');
+    children.forEach(c => c.kill());
+    // Give them a moment to cleanup
+    setTimeout(() => {
+        try {
+            require('child_process').execSync('pkill -f ts-node');
+        }
+        catch (e) { }
+        process.exit(0);
+    }, 1000);
+};
+process.on('SIGINT', cleanup);
+process.on('SIGTERM', cleanup);
+process.on('SIGTERM', cleanup);
+process.on('exit', cleanup);

package/dist/packages/core/src/agent/reasoning.js

@@ -40,7 +40,6 @@ const pluginManager_1 = require("../system/pluginManager");
 const paths_1 = require("../config/paths");
 const picocolors_1 = __importDefault(require("picocolors"));
 exports.logger = new logger_1.Logger();
-let currentKeyIndex = 0;
 const PROVIDER_CONFIGS = {
     ollama: { baseURL: process.env.OLLAMA_BASE_URL ? `${process.env.OLLAMA_BASE_URL}/v1` : 'http://localhost:11434/v1', requiresApiKey: false },
     gemini: { baseURL: 'https://generativelanguage.googleapis.com/v1beta/openai/', requiresApiKey: true },
@@ -59,27 +58,12 @@ async function getOpenAI() {
     let apiKey = 'local';
     if (providerConf.requiresApiKey) {
         apiKey = '';
-        let configuredKeys = config.llm.api_keys;
-        if (typeof configuredKeys === 'string') {
-            configuredKeys = [configuredKeys];
-        }
-        if (Array.isArray(configuredKeys) && configuredKeys.length > 0) {
-            const keys = configuredKeys.filter(k => typeof k === 'string' && k.trim() !== '');
-            if (keys.length > 0) {
-                currentKeyIndex = currentKeyIndex % keys.length;
-                apiKey = keys[currentKeyIndex];
-                console.log(`[LLM] Using rotated API Key (${currentKeyIndex + 1}/${keys.length}): ${apiKey.substring(0, 4)}...`);
-                currentKeyIndex++;
-            }
-        }
+        const keyName = `${providerName}_key`;
+        apiKey = vaultKeys[keyName] || config.credentials?.[keyName] || '';
         if (!apiKey) {
-            const fallbackKeyName = `${providerName}_key`;
-            apiKey = vaultKeys[fallbackKeyName] || config.credentials?.[fallbackKeyName] || '';
-            if (!apiKey) {
-                throw new Error(`No API Key found for ${providerName}. Please run 'nyxora setup' to configure it.`);
-            }
-            console.log(`[LLM] Using API Key from secure vault`);
+            throw new Error(`[Security] No API Key found for ${providerName} in OS Keyring. Please run 'nyxora set-key ${providerName} <key>' or 'nyxora setup'.`);
         }
+        console.log(`[LLM] Using API Key securely unlocked from OS Keyring vault.`);
     }
     return new openai_1.OpenAI({
         baseURL: providerConf.baseURL,

package/dist/packages/core/src/config/parser.js

@@ -11,38 +11,15 @@ const fs_1 = __importDefault(require("fs"));
 const yaml_1 = __importDefault(require("yaml"));
 const paths_1 = require("./paths");
 async function loadApiKeys() {
-    const vaultPath = (0, paths_1.getPath)('api_vault.key');
-    try {
-        const { Entry } = require('@napi-rs/keyring');
-        const entry = new Entry('nyxora', 'api_keys');
-        const data = await entry.getPassword();
-        if (data)
-            return JSON.parse(data);
-    }
-    catch (e) {
-        if (fs_1.default.existsSync(vaultPath)) {
-            try {
-                const file = fs_1.default.readFileSync(vaultPath, 'utf8');
-                return JSON.parse(file);
-            }
-            catch (err) { }
-        }
-    }
-    return {};
+    const config = loadConfig();
+    return config.credentials || {};
 }
 async function saveApiKeys(newKeys) {
-    const vaultPath = (0, paths_1.getPath)('api_vault.key');
-    const currentKeys = await loadApiKeys();
-    const mergedKeys = { ...currentKeys, ...newKeys };
-    const dataString = JSON.stringify(mergedKeys);
-    try {
-        const { Entry } = require('@napi-rs/keyring');
-        const entry = new Entry('nyxora', 'api_keys');
-        await entry.setPassword(dataString);
-    }
-    catch (e) {
-        fs_1.default.writeFileSync(vaultPath, dataString, { mode: 0o600 });
-    }
+    const config = loadConfig();
+    if (!config.credentials)
+        config.credentials = {};
+    config.credentials = { ...config.credentials, ...newKeys };
+    saveConfig(config);
 }
 function loadConfig() {
     const configPath = (0, paths_1.getPath)('config.yaml');
@@ -74,21 +51,6 @@ function loadConfig() {
                 console.error('[Config] Failed to auto-migrate config file', e);
             }
         }
-        // Auto-migrate from config.yaml to Keyring/Vault
-        if (parsed.credentials && Object.keys(parsed.credentials).length > 0) {
-            const credsToMigrate = { ...parsed.credentials };
-            saveApiKeys(credsToMigrate).then(() => {
-                console.log('[Config] Auto-migrated API keys to secure vault.');
-                delete parsed.credentials;
-                try {
-                    const yamlStr = yaml_1.default.stringify(parsed);
-                    fs_1.default.writeFileSync(configPath, yamlStr, 'utf8');
-                }
-                catch (e) { }
-            }).catch(e => {
-                console.error('[Config] Failed to migrate API keys to secure vault', e);
-            });
-        }
         return {
             agent: parsed.agent || { name: 'Nyxora-Default', description: 'Your Personal Web3 Assistant.', default_chain: 'base', default_router: 'auto', default_slippage: 0.5 },
             llm: parsed.llm || {

package/dist/packages/core/src/config/paths.js

@@ -30,6 +30,44 @@ function getAppDir() {
     }
     return process.cwd();
 }
+function ensureDir(dir) {
+    if (!fs_1.default.existsSync(dir)) {
+        fs_1.default.mkdirSync(dir, { recursive: true });
+    }
+}
 function getPath(filename) {
-    return path_1.default.join(getAppDir(), filename);
+    const baseDir = getAppDir();
+    // Determine subdirectory based on filename
+    let subDir = '';
+    const lowerFile = filename.toLowerCase();
+    if (lowerFile.endsWith('.db') || lowerFile.endsWith('.db-wal') || lowerFile.endsWith('.db-shm') || lowerFile.endsWith('.json') && lowerFile.includes('memory') || lowerFile.endsWith('.md') || lowerFile.includes('orders')) {
+        subDir = 'data';
+    }
+    else if (lowerFile.endsWith('.yaml') || lowerFile.includes('config') || lowerFile.includes('skills') || lowerFile.includes('whitelist') || lowerFile.includes('tokens')) {
+        subDir = 'config';
+    }
+    else if (lowerFile.endsWith('.token') || lowerFile.includes('vault') || lowerFile.includes('credentials')) {
+        subDir = 'auth';
+    }
+    else if (lowerFile.endsWith('.log') || lowerFile.includes('pid')) {
+        subDir = 'run';
+    }
+    const targetDir = path_1.default.join(baseDir, subDir);
+    ensureDir(targetDir);
+    const fullPath = path_1.default.join(targetDir, filename);
+    // AUTO-MIGRATION: If file exists in root but not in subdir, move it
+    const oldRootPath = path_1.default.join(baseDir, filename);
+    if (subDir !== '') {
+        if (fs_1.default.existsSync(oldRootPath) && !fs_1.default.existsSync(fullPath)) {
+            try {
+                fs_1.default.renameSync(oldRootPath, fullPath);
+                console.log(`[Migration] Moved ${filename} to ${subDir}/ directory.`);
+            }
+            catch (err) {
+                console.warn(`[Migration] Failed to move ${filename} to ${subDir}/`, err);
+                return oldRootPath; // fallback to root if migration fails
+            }
+        }
+    }
+    return fullPath;
 }

package/dist/packages/core/src/gateway/cli.js

@@ -106,7 +106,7 @@ async function main() {
         };
         const mappedKey = keyMap[provider.toLowerCase()] || `${provider.toLowerCase()}_key`;
         await (0, parser_1.saveApiKeys)({ [mappedKey]: key });
-        console.log(picocolors_1.default.green(`✅ API Key for ${provider} saved securely to vault.`));
+        console.log(picocolors_1.default.green(`✅ API Key for ${provider} saved successfully.`));
         process.exit(0);
     }
     // Check for wallet command
@@ -146,9 +146,9 @@ async function main() {
     // 2. Setup boilerplate files if in global mode and they don't exist
     let isFirstBoot = false;
     if (isGlobalMode) {
-        const globalConfigPath = path_1.default.join(appDir, 'config.yaml');
-        const globalUserMdPath = path_1.default.join(appDir, 'user.md');
-        const globalIdentityMdPath = path_1.default.join(appDir, 'IDENTITY.md');
+        const globalConfigPath = (0, paths_1.getPath)('config.yaml');
+        const globalUserMdPath = (0, paths_1.getPath)('user.md');
+        const globalIdentityMdPath = (0, paths_1.getPath)('IDENTITY.md');
         // Copy default config.yaml
         if (!fs_1.default.existsSync(globalConfigPath)) {
             isFirstBoot = true;
@@ -157,7 +157,7 @@ async function main() {
                 fs_1.default.copyFileSync(exampleConfigPath, globalConfigPath);
             }
             else {
-                fs_1.default.writeFileSync(globalConfigPath, 'agent:\n  name: Nyxora-Agent\n  default_chain: base\nllm:\n  provider: openai\n  model: gpt-4o-mini\n  temperature: 0.2\n  api_keys: []\nmemory:\n  type: file\n  path: memory.json\n');
+                fs_1.default.writeFileSync(globalConfigPath, 'agent:\n  name: Nyxora-Agent\n  default_chain: base\nllm:\n  provider: openai\n  model: gpt-4\n  temperature: 0.7\nmemory:\n  type: file\n  path: memory.json\n');
             }
         }
         if (!fs_1.default.existsSync(globalUserMdPath)) {

package/dist/packages/core/src/gateway/doctor.js

@@ -5,7 +5,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runDoctor = runDoctor;
 const fs_1 = __importDefault(require("fs"));
-const path_1 = __importDefault(require("path"));
 const net_1 = __importDefault(require("net"));
 const picocolors_1 = __importDefault(require("picocolors"));
 const paths_1 = require("../config/paths");
@@ -29,8 +28,7 @@ async function runDoctor() {
     const majorVer = parseInt(nodeVer.split('.')[0], 10);
     printStatus(`Node.js Version (${nodeVer})`, majorVer >= 22, `Please upgrade to Node.js v22 or higher.`);
     // 2. Check App Directory & Config
-    const appDir = (0, paths_1.getAppDir)();
-    const configPath = path_1.default.join(appDir, 'config.yaml');
+    const configPath = (0, paths_1.getPath)('config.yaml');
     let configOk = false;
     let configErr = '';
     if (fs_1.default.existsSync(configPath)) {
@@ -47,7 +45,7 @@ async function runDoctor() {
     }
     printStatus(`Configuration File`, configOk, configErr);
     // 3. Check SQLite DB access
-    const dbPath = path_1.default.join(appDir, 'memory.db');
+    const dbPath = (0, paths_1.getPath)('memory.db');
     let dbOk = false;
     let dbErr = '';
     try {
@@ -96,7 +94,7 @@ async function runDoctor() {
     const port3000Free = await checkPort(3000);
     const port3001Free = await checkPort(3001);
     let isDaemonRunning = false;
-    const pidPath = path_1.default.join(appDir, 'daemon.pid');
+    const pidPath = (0, paths_1.getPath)('daemon.pid');
     if (fs_1.default.existsSync(pidPath)) {
         try {
             const pidStr = fs_1.default.readFileSync(pidPath, 'utf8').trim();

package/dist/packages/core/src/gateway/googleAuthModule.js

@@ -10,10 +10,9 @@ exports.isAuthenticated = isAuthenticated;
 exports.getAccessToken = getAccessToken;
 exports.logoutGoogle = logoutGoogle;
 const fs_1 = __importDefault(require("fs"));
-const path_1 = __importDefault(require("path"));
 const paths_1 = require("../config/paths");
-const CREDENTIALS_PATH = path_1.default.join((0, paths_1.getAppDir)(), 'google-credentials.json');
-const FALLBACK_TOKEN_PATH = path_1.default.join((0, paths_1.getAppDir)(), 'google-tokens.json');
+const CREDENTIALS_PATH = (0, paths_1.getPath)('google-credentials.json');
+const FALLBACK_TOKEN_PATH = (0, paths_1.getPath)('google-tokens.json');
 const SCOPES = [
     'https://www.googleapis.com/auth/gmail.readonly',
     'https://www.googleapis.com/auth/calendar.readonly',
@@ -154,37 +153,19 @@ async function logoutGoogle() {
 }
 // ---- Secure Storage for Refresh Token ----
 async function saveRefreshToken(token) {
-    try {
-        const { Entry } = require('@napi-rs/keyring');
-        const entry = new Entry('nyxora', 'google_refresh_token');
-        await entry.setPassword(token);
-        console.log('[Google Auth] Refresh token saved securely to OS Keyring.');
-    }
-    catch (error) {
-        console.warn('[Google Auth] Keyring failed, falling back to local tokens.json');
-        fs_1.default.writeFileSync(FALLBACK_TOKEN_PATH, JSON.stringify({ refresh_token: token }), { mode: 0o600 });
-    }
+    fs_1.default.writeFileSync(FALLBACK_TOKEN_PATH, JSON.stringify({ refresh_token: token }), { mode: 0o600 });
+    console.log('[Google Auth] Refresh token saved to local tokens.json');
 }
 async function getRefreshToken() {
-    try {
-        const { Entry } = require('@napi-rs/keyring');
-        const entry = new Entry('nyxora', 'google_refresh_token');
-        const password = await entry.getPassword();
-        if (password)
-            return password;
-    }
-    catch (error) {
-        // Fallback to file
-        if (fs_1.default.existsSync(FALLBACK_TOKEN_PATH)) {
-            try {
-                const content = fs_1.default.readFileSync(FALLBACK_TOKEN_PATH, 'utf8');
-                const parsed = JSON.parse(content);
-                if (parsed.refresh_token)
-                    return parsed.refresh_token;
-            }
-            catch (e) {
-                return null;
-            }
+    if (fs_1.default.existsSync(FALLBACK_TOKEN_PATH)) {
+        try {
+            const content = fs_1.default.readFileSync(FALLBACK_TOKEN_PATH, 'utf8');
+            const parsed = JSON.parse(content);
+            if (parsed.refresh_token)
+                return parsed.refresh_token;
+        }
+        catch (e) {
+            return null;
         }
     }
     return null;

package/dist/packages/core/src/gateway/legalGenerator.js

@@ -0,0 +1,88 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generatePrivacyPolicyHtml = generatePrivacyPolicyHtml;
+exports.generateTosHtml = generateTosHtml;
+function generatePrivacyPolicyHtml() {
+    return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Nyxora Local Agent - Privacy Policy</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; line-height: 1.6; color: #eceff4; background-color: #2e3440; max-width: 800px; margin: 0 auto; padding: 40px 20px; }
+    h1, h2 { color: #88c0d0; }
+    a { color: #81a1c1; text-decoration: none; }
+    a:hover { text-decoration: underline; }
+    .container { background-color: #3b4252; padding: 32px; border-radius: 8px; box-shadow: 0 4px 6px rgba(0,0,0,0.1); }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Privacy Policy for Nyxora Local Agent</h1>
+    <p><em>Last Updated: June 2026</em></p>
+    
+    <h2>1. Introduction</h2>
+    <p>Nyxora ("we", "our", or "us") is a self-hosted, local-first automation software. This Privacy Policy explains how your information is handled when you use the Nyxora software and its Google Workspace integrations.</p>
+
+    <h2>2. Local-First Data Processing</h2>
+    <p>Nyxora is designed with absolute privacy in mind. Unlike traditional cloud services, <strong>Nyxora does not operate a centralized backend server that collects your data.</strong> All data fetched from your connected Google accounts (including Gmail, Google Drive, and Google Sheets) is processed and stored strictly on your local machine.</p>
+
+    <h2>3. Google Workspace APIs Usage</h2>
+    <p>Nyxora's use and transfer of information received from Google APIs to any other app will adhere to <a href="https://developers.google.com/terms/api-services-user-data-policy" target="_blank">Google API Services User Data Policy</a>, including the Limited Use requirements.</p>
+    <ul>
+      <li><strong>What we access:</strong> We access your emails (<code>gmail.readonly</code>) and spreadsheets (<code>spreadsheets</code>, <code>drive.file</code>) solely to perform automations you explicitly request (e.g., summarizing emails or logging data to sheets).</li>
+      <li><strong>What we store:</strong> OAuth tokens are stored locally on your device in secure encrypted vaults. We do not store your data on any external servers.</li>
+      <li><strong>Third-Party Sharing:</strong> We <strong>do not</strong> share, sell, or transmit your Google user data to any third-party services, advertisers, or external LLM training databases.</li>
+    </ul>
+
+    <h2>4. Data Retention and Deletion</h2>
+    <p>Because your data is stored locally on your own hardware, you maintain 100% control over it. You can delete all your data, including Google OAuth tokens, at any time by running the <code>nyxora clear --force</code> command or by deleting the <code>~/.nyxora</code> directory on your device.</p>
+
+    <h2>5. Contact Us</h2>
+    <p>If you have any questions regarding this Privacy Policy, please refer to the <a href="https://github.com/nyxoraAI/Nyxora">Nyxora GitHub Repository</a>.</p>
+  </div>
+</body>
+</html>
+  `;
+}
+function generateTosHtml() {
+    return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Nyxora Local Agent - Terms of Service</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; line-height: 1.6; color: #eceff4; background-color: #2e3440; max-width: 800px; margin: 0 auto; padding: 40px 20px; }
+    h1, h2 { color: #88c0d0; }
+    a { color: #81a1c1; text-decoration: none; }
+    .container { background-color: #3b4252; padding: 32px; border-radius: 8px; box-shadow: 0 4px 6px rgba(0,0,0,0.1); }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Terms of Service for Nyxora Local Agent</h1>
+    <p><em>Last Updated: June 2026</em></p>
+
+    <h2>1. Acceptance of Terms</h2>
+    <p>By downloading, installing, and using the Nyxora software, you agree to be bound by these Terms of Service. If you do not agree to these terms, do not use the software.</p>
+
+    <h2>2. Nature of the Software (Self-Hosted)</h2>
+    <p>Nyxora is provided as a self-hosted, local-first software application. You are solely responsible for the hardware, environment, and security of the device where Nyxora is installed.</p>
+
+    <h2>3. Google Workspace Integrations</h2>
+    <p>Nyxora allows you to connect your personal Google Workspace accounts to automate tasks. By utilizing these features, you authorize your local instance of Nyxora to access your data. You acknowledge that Nyxora does not control Google's services and is not liable for any changes, outages, or data loss occurring on Google's end.</p>
+
+    <h2>4. Limitation of Liability</h2>
+    <p>Nyxora is provided "AS IS" without any warranties of any kind. Under no circumstances shall the creators of Nyxora be liable for any direct, indirect, incidental, or consequential damages (including but not limited to financial losses, data loss, or unauthorized access) arising from your use of the software.</p>
+
+    <h2>5. User Responsibilities</h2>
+    <p>You are strictly responsible for maintaining the security of your local machine, your private keys, and your API credentials. You agree not to use Nyxora for any illegal activities or to violate the terms of service of any integrated third-party platforms.</p>
+  </div>
+</body>
+</html>
+  `;
+}