{ "interval": { "intervalStart": "2026-02-08T00:00:00.000Z", "intervalEnd": "2026-02-09T00:00:00.000Z", "intervalType": "day" }, "repository": "elizaos/eliza", "overview": "From 2026-02-08 to 2026-02-09, elizaos/eliza had 11 new PRs (12 merged), 0 new issues, and 11 active contributors.", "topIssues": [ { "id": "I_kwDOMT5cIs7EHaJb", "title": "document eliza_auth_header env + ui disable env if not already", "author": "linear", "number": 5716, "repository": "elizaos/eliza", "body": "", "createdAt": "2025-08-04T17:36:02Z", "closedAt": "2026-02-08T18:17:09Z", "state": "CLOSED", "commentCount": 0 }, { "id": "I_kwDOMT5cIs7EDQic", "title": "elizaos agent command doesnt work for remote server if ELIZA_SERVER_AUTH_TOKEN is set", "author": "linear", "number": 5707, "repository": "elizaos/eliza", "body": "```\nMoreover, the command does not work if the server have \"ELIZA_SERVER_AUTH_TOKEN\" set\nWARN: Unauthorized access attempt: Missing or invalid X-API-KEY from 127.0.0.1\n```\n\n[https://discord.com/channels/1253563208833433701/1300025221834739744/1401894078378938408](https://discord.com/channels/1253563208833433701/1300025221834739744/1401894078378938408)", "createdAt": "2025-08-04T12:14:35Z", "closedAt": "2026-02-08T18:17:03Z", "state": "CLOSED", "commentCount": 0 } ], "topPRs": [ { "id": "PR_kwDOMT5cIs7CJoKo", "title": "next", "author": "lalalune", "number": 6474, "body": "This is the next version of eliza\r\n\r\nRust, python and typescript\r\n\r\n\r\n# Major Updates\r\n\r\n- Add complete Python and Rust core packages, extending Eliza to these languages\r\n- Add Python and Rust native versions of popular plugins\r\n- Remove default application, client and server infrastructure\r\n- Add examples for all major frameworks\r\n- Bootstrap is integrated into core, enabled with basicCapabilities by default and optionally extendedCapabiltiies\r\n- Core plugins are also rust, python and typescript\r\n- Comes with a WIP code agent\r\n\r\n# Minor updates\r\n\r\n- Agents can now respond without needing a roomId or worldId\r\n- Initial message memory is created inside the message handler service (was confusing and not that way)\r\n- Can running planningMode true or false, on false skips planning and calls single action (good for games and simple agents)\r\n- Actions can have arguments, and can be called with arguments. This way they can be called like tools without needing a separate step\r\n\r\nTODO\r\n- LLM mode -- can be SMALL, LARGE or DEFAULT -- SMALL and LARGE override the LLM small or large so all use the small or all use the large\r\n- checkShouldRespond defaults to true but can be turned off for ChatGPT mode", "repository": "elizaos/eliza", "createdAt": "2026-02-07T08:00:35Z", "mergedAt": null, "additions": 591239, "deletions": 282388 }, { "id": "PR_kwDOMT5cIs7CUyZi", "title": "feat: next generation multi-language Eliza with Rust, Python and TypeScript support", "author": "lalalune", "number": 6485, "body": "This is the next version of eliza\r\n\r\nRust, python and typescript\r\n\r\n\r\n# Major Updates\r\n\r\n- Add complete Python and Rust core packages, extending Eliza to these languages\r\n- Add Python and Rust native versions of popular plugins\r\n- Remove default application, client and server infrastructure\r\n- Add examples for all major frameworks\r\n- Bootstrap is integrated into core, enabled with basicCapabilities by default and optionally extendedCapabiltiies\r\n- Core plugins are also rust, python and typescript\r\n- Comes with a WIP code agent\r\n\r\n# Minor updates\r\n\r\n- Agents can now respond without needing a roomId or worldId\r\n- Initial message memory is created inside the message handler service (was confusing and not that way)\r\n- Can running planningMode true or false, on false skips planning and calls single action (good for games and simple agents)\r\n- Actions can have arguments, and can be called with arguments. This way they can be called like tools without needing a separate step\r\n\r\nTODO\r\n- LLM mode -- can be SMALL, LARGE or DEFAULT -- SMALL and LARGE override the LLM small or large so all use the small or all use the large\r\n- checkShouldRespond defaults to true but can be turned off for ChatGPT mode", "repository": "elizaos/eliza", "createdAt": "2026-02-08T18:44:21Z", "mergedAt": null, "additions": 588697, "deletions": 303204 }, { "id": "PR_kwDOMT5cIs7CDViG", "title": "fix: Add null/undefined checks to prevent Object.entries errors in plugin-bootstrap", "author": "anchapin", "number": 6470, "body": "## Summary\n\nFixes critical runtime errors in `plugin-bootstrap` providers when metadata or values are null/undefined.\n\n## Problem\n\nThe agent crashes with the error:\n```\nObject.entries requires that input parameter not be null or undefined\n```\n\nThis occurs in several providers:\n1. **relationshipsProvider**: When `entity.metadata` is null/undefined\n2. **actionStateProvider**: When `result.values` or `workingMemory` are not objects\n3. **recentMessagesProvider**: Similar issues with null values\n\n## Solution\n\nAdded proper null/undefined checks before calling `Object.entries()`:\n\n### 1. `src/providers/relationships.ts`\n- Added null/undefined check in `formatMetadata()`\n- Returns `'{}'` for null/undefined metadata instead of crashing\n\n### 2. `src/providers/actionState.ts` \n- Added type check for `result.values` before calling `Object.entries()`\n- Added type/null check for `workingMemory` before calling `Object.keys()`\n\n## Changes\n\n- **packages/plugin-bootstrap/src/providers/relationships.ts**: Guard `formatMetadata()` against null metadata\n- **packages/plugin-bootstrap/src/providers/actionState.ts**: Add type guards for `result.values` and `workingMemory`\n\n## Testing\n\n1. Started ElizaOS agent\n2. Sent messages via web interface (http://localhost:3000)\n3. Verified no more `Object.entries` errors\n4. Confirmed agent responds properly instead of showing IGNORE action\n\n## Impact\n\n- ✅ Prevents agent crashes when entities have null metadata\n- ✅ Improves stability for action result processing\n- ✅ Fixes \"IGNORE\" action issue when agent can't retrieve conversation context\n- ✅ No breaking changes - only adds safety checks\n\nCo-Authored-By: Claude Sonnet 4.5 \n\n\n\n

Greptile Overview

\n\n

Greptile Summary

\n\nThis PR fixes critical `Object.entries` runtime errors in plugin-bootstrap providers that caused agent crashes when metadata or values were null/undefined. However, **the PR contains significantly more changes than described in the title and description**.\n\n## What's Actually in This PR\n\n### 1. Plugin-Bootstrap Fixes (Matches PR Description)\n- `actionState.ts`: Added type guards before `Object.entries()` on `result.values` and `workingMemory`\n- `relationships.ts`: Added null check in `formatMetadata()` to prevent crashes\n\n### 2. Major New Feature (Not Mentioned in PR Description)\n- **Request Context System**: New per-entity settings infrastructure for multi-tenant deployments\n - Added `packages/core/src/request-context.ts` and `request-context.node.ts` (856+ lines)\n - Modified `runtime.ts` `getSetting()` to check request context first\n - Enables different users sharing the same runtime to have different API keys, OAuth tokens, etc.\n\n### 3. Message Service Changes (Not Mentioned in PR Description)\n- Refactored message creation logic in `message.ts`\n- Added `MESSAGE_SENT` event emission after sending to central server\n\n### 4. Version Bumps\n- All packages bumped to `1.7.3-alpha.3`\n\n## Concerns\n\nThe PR title says \"fix: Add null/undefined checks\" but this PR includes:\n- A major architectural feature (request context system)\n- Message service refactoring\n- 30 files changed, 1107 insertions, 52 deletions\n\n**This should have been split into separate PRs** for better review, testing, and rollback capability. The plugin-bootstrap fixes are straightforward and safe, but bundling them with a major new feature makes it difficult to:\n- Review each change independently\n- Test each feature in isolation\n- Roll back if issues arise with one component\n\n## Technical Review\n\nThe actual code changes are well-implemented:\n- Null checks are correctly placed and handle edge cases\n- Request context system follows AsyncLocalStorage patterns appropriately\n- Message service changes maintain event emission order\n\nThe plugin-bootstrap fixes will definitely prevent the `Object.entries` crashes described in the PR.\n\n

Confidence Score: 3/5

\n\n- This PR contains well-implemented code but has significant scope creep beyond its stated purpose\n- Score of 3 reflects that while the code quality is good and the plugin-bootstrap fixes are safe, the PR includes undocumented major features (request context system, message service changes) that should have been separate PRs. This makes comprehensive testing difficult and increases risk. The PR description is misleading about the actual scope of changes.\n- Pay close attention to `packages/core/src/runtime.ts` and `packages/core/src/request-context.ts` as these introduce a new architectural pattern for per-entity settings that affects how settings are resolved throughout the system\n\n

Important Files Changed

\n\n\n\n\n| Filename | Overview |\n|----------|----------|\n| packages/plugin-bootstrap/src/providers/actionState.ts | Added type guards for `result.values` and `workingMemory` before calling `Object.keys()` to prevent runtime errors when these values are null/undefined |\n| packages/plugin-bootstrap/src/providers/relationships.ts | Added null/undefined check in `formatMetadata()` to return `'{}'` when metadata is null/undefined instead of crashing on `Object.entries()` |\n| packages/core/src/runtime.ts | Added request context lookup in `getSetting()` for per-entity settings support - enables multi-tenant deployments with per-user API keys |\n| packages/server/src/services/message.ts | Refactored message creation to emit MESSAGE_SENT event after successfully sending to central server, improving event lifecycle tracking |\n| packages/core/src/request-context.ts | New file implementing request context system for per-entity settings in multi-tenant deployments |\n\n\n\n\n\n

Sequence Diagram

\n\n```mermaid\nsequenceDiagram\n participant User\n participant MessageService\n participant Runtime\n participant Provider\n participant Database\n\n Note over User,Database: Object.entries Error Flow (Before Fix)\n User->>MessageService: Send message\n MessageService->>Runtime: Process message\n Runtime->>Provider: Get context (actionStateProvider)\n Provider->>Provider: Access result.values (null)\n Provider->>Provider: Object.entries(null) ❌\n Provider-->>Runtime: CRASH\n\n Note over User,Database: Fixed Flow (After This PR)\n User->>MessageService: Send message\n MessageService->>Runtime: Process message\n Runtime->>Provider: Get context (actionStateProvider)\n Provider->>Provider: Check if result.values is object\n alt result.values is null/undefined\n Provider->>Provider: Skip Object.entries\n else result.values is valid object\n Provider->>Provider: Object.entries(result.values) ✓\n end\n Provider-->>Runtime: Return formatted context\n Runtime->>Runtime: Generate response\n Runtime->>Database: Create memory\n MessageService->>MessageService: Emit MESSAGE_SENT event\n MessageService-->>User: Response delivered\n\n Note over User,Database: Request Context Feature (New)\n User->>Runtime: getSetting(key)\n Runtime->>Runtime: Check request context\n alt Entity-specific setting exists\n Runtime-->>User: Return entity setting\n else No entity setting\n Runtime->>Runtime: Fall back to agent setting\n Runtime-->>User: Return agent setting\n end\n```\n\n\n\n(2/5) Greptile learns from your feedback when you react with thumbs up/down!\n\n", "repository": "elizaos/eliza", "createdAt": "2026-02-06T17:51:12Z", "mergedAt": null, "additions": 9596, "deletions": 54 }, { "id": "PR_kwDOMT5cIs620Si3", "title": "feat(auth): implement JWT authentication and user management", "author": "standujar", "number": 6200, "body": "## Relates to\r\n\r\n- Data isolation / multi-entity support\r\n- External JWT provider integration (Privy, Auth0, Clerk, Supabase, Google, Embbeded)\r\n\r\n## Risks\r\n\r\n**Low**\r\n\r\n- Requires `ENABLE_DATA_ISOLATION=true` to activate JWT auth mode\r\n\r\n## Background\r\n\r\n### What does this PR do?\r\n\r\nImplements a complete JWT authentication system for ElizaOS with support for multiple verification strategies:\r\n\r\n1. **JWT Verifier Factory** - Priority-based verifier selection:\r\n - Ed25519 (highest priority) - For self-signed JWTs with Ed25519 keys\r\n - JWKS (medium priority) - For external providers (Auth0, Clerk, Privy, Supabase, Google)\r\n - Secret (lowest priority) - For simple HS256 symmetric key verification\r\n\r\n2. **Entity ID derivation from JWT `sub` claim**:\r\n - `entityId = stringToUuid(payload.sub)`\r\n - Compatible with ANY JWT provider since `sub` is a standard claim\r\n - No custom claims needed in external JWTs\r\n\r\n3. **Dual authentication modes**:\r\n - `ENABLE_DATA_ISOLATION=true` → JWT authentication required\r\n - `ENABLE_DATA_ISOLATION=false` → X-Entity-Id header (legacy mode)\r\n\r\n4. **Internal service bypass** - Process-local UUID secret for service-to-service calls\r\n\r\n5. **Credentials-based auth endpoints** (`/api/auth/*`) - only in custom - JWT-SECRET mode:\r\n - `POST /register` - User registration with bcrypt password hashing\r\n - `POST /login` - User login with JWT generation\r\n - `POST /refresh` - Token refresh\r\n - `GET /me` - Current user info\r\n\r\n6. **Client UI default implementation using self mode (Secret)\r\n\r\n### What kind of change is this?\r\n\r\n**Features** (non-breaking change which adds functionality)\r\n\r\n## Architecture\r\n\r\n```\r\n┌─────────────────────────────────────────────────────────────────┐\r\n│ JWT Verification Flow │\r\n├─────────────────────────────────────────────────────────────────┤\r\n│ Request with Bearer token │\r\n│ ↓ │\r\n│ JWTVerifierFactory.create() │\r\n│ ↓ │\r\n│ Priority: Ed25519 > JWKS > Secret > Disabled │\r\n│ ↓ │\r\n│ verifier.verify(token) │\r\n│ ↓ │\r\n│ Extract payload.sub │\r\n│ ↓ │\r\n│ entityId = stringToUuid(sub) ← Derived, NOT stored in JWT │\r\n│ ↓ │\r\n│ req.entityId = entityId │\r\n└─────────────────────────────────────────────────────────────────┘\r\n```\r\n\r\n## Environment Variables\r\n\r\n| Variable | Description | Example |\r\n|----------|-------------|---------|\r\n| `ENABLE_DATA_ISOLATION` | Enable JWT auth mode | `true` |\r\n| `JWT_SECRET` (optional) | HS256 symmetric secret | `your-secret-key` |\r\n| `JWT_PUBLIC_KEY_ED25519` (optional) | Ed25519 public key (base64) | `MCowBQYDK2Vw...` |\r\n| `JWT_JWKS_URI` (optional) | JWKS endpoint URL | `https://auth0.com/.well-known/jwks.json` |\r\n| `JWT_ISSUER_WHITELIST` (optional) | Allowed issuers (comma-separated) | `https://auth0.com/,https://clerk.dev` |\r\n\r\n## Documentation changes needed?\r\n\r\nYes - Documentation should be added for:\r\n- Environment variable configuration\r\n- External provider setup (Auth0, Clerk, Privy examples)\r\n\r\n## Testing\r\n\r\n### Where should a reviewer start?\r\n\r\n1. `packages/server/src/services/jwt-verifiers/factory.ts` - Core factory logic\r\n2. `packages/server/src/middleware/jwtMiddleware.ts` - HTTP middleware\r\n3. `packages/server/src/socketio/index.ts` - SocketIO authentication\r\n\r\n### Detailed testing steps\r\n\r\n**Unit Tests:**\r\n```bash\r\ncd packages/server\r\nbun run test:unit\r\n```\r\n\r\n**Integration Tests:**\r\n```bash\r\ncd packages/server\r\nbun run test:integration\r\n```\r\n\r\n**Results:** 489 unit tests pass, 6 integration test files pass\r\n\r\n### Manual Testing\r\n\r\n1. **Test with JWT_SECRET (HS256):**\r\n```bash\r\nENABLE_DATA_ISOLATION=true JWT_SECRET=test-secret bun run dev\r\n```\r\n\r\n2. **Register a user:**\r\n```bash\r\ncurl -X POST http://localhost:3000/api/auth/register \\\r\n -H \"Content-Type: application/json\" \\\r\n -d '{\"email\":\"test@example.com\",\"username\":\"testuser\",\"password\":\"password123\"}'\r\n```\r\n\r\n3. **Use returned token:**\r\n```bash\r\ncurl http://localhost:3000/api/agents \\\r\n -H \"Authorization: Bearer \"\r\n```\r\n\r\n## External Provider Compatibility\r\n\r\nTested JWT formats:\r\n- **Auth0**: `sub: \"auth0|1234567890\"`\r\n- **Clerk**: `sub: \"user_2abcdefgh123456\"`\r\n- **Google**: `sub: \"1234567890\"` with `email`, `email_verified`\r\n- **Supabase**: `sub: \"uuid\"` with `role: \"authenticated\"`\r\n- **Privy**: `sub: \"did:privy:...\"`\r\n\r\nAll providers work because we only require the standard `sub` claim.\r\n\r\n## Next Idea Steps: Access Control Layer (ACL)\r\n\r\nThe next phase will add access control on agents and rooms: \r\n\r\nAgents:\r\n- Each user can create their own agents (ownerId = entityId)\r\n- Visibility: public or private\r\n- Private = only the owner can chat with it\r\n- Public = everyone can chat, but only the owner can modify/delete\r\n\r\nRooms:\r\n- Each room has an owner\r\nOnly the owner can:\r\n- Delete the room (DELETE /rooms/:id)\r\n- Clear message history (DELETE /rooms/:id/messages)\r\n- Change visibility\r\n\r\nThis will enable true multi-tenant mode where each user manages their resources in isolation.", "repository": "elizaos/eliza", "createdAt": "2025-12-03T11:55:47Z", "mergedAt": "2026-02-08T18:18:09Z", "additions": 6079, "deletions": 347 }, { "id": "PR_kwDOMT5cIs7CUyZL", "title": "feat(auth): implement JWT authentication and user management", "author": "lalalune", "number": 6484, "body": "Reopened from #6200 (was merged then rolled back)\n\nMade with [Cursor](https://cursor.com)\n\n\n\n

Greptile Overview

\n\n

Greptile Summary

\n\nThis PR implements comprehensive JWT authentication and user management for ElizaOS, adding support for multiple authentication providers (Ed25519/Privy, JWKS, and custom secret-based auth).\n\n## Key Changes\n\n- **Universal JWT Verifier**: Pluggable architecture supporting Ed25519, JWKS (Auth0/Clerk/Supabase), and shared secret verification with configurable priority\n- **Dual Authentication Modes**: Legacy mode (X-Entity-Id header) vs secure mode (JWT with data isolation) controlled by `ENABLE_DATA_ISOLATION` flag\n- **User Management**: Complete registration/login/refresh endpoints with bcrypt password hashing, rate limiting (10 attempts/15min), and database schema\n- **WebSocket Security**: JWT authentication in handshake middleware with channel access control and permission verification\n- **Client Integration**: React authentication context with token persistence, auto-reconnection, and auth dialog with form validation\n- **Database Layer**: Added user management methods to IDatabaseAdapter and BaseDrizzleAdapter with case-insensitive email queries\n- **Comprehensive Testing**: 476-line integration test suite covering all JWT providers, issuer whitelists, and entity ID consistency\n\n## Issues Found\n\n1. **Inconsistent JWT Verification**: `/auth/refresh` and `/auth/me` endpoints bypass the universal JWT verifier and hardcode secret-based verification, breaking compatibility with Ed25519/JWKS providers and skipping issuer whitelist validation\n2. **Limited Token Generation**: `generateAuthToken` only supports `JWT_SECRET` mode and cannot generate tokens for external providers, making refresh tokens incompatible with multi-provider setups\n3. **Type Safety**: Database user methods use `any` instead of `User` type in core/database.ts (fixed in plugin-sql but not in abstract class)\n4. **Breaking Change**: `getLogs` changed `entityId` from optional to required without migration guide\n\n## Security Posture\n\nThe implementation includes strong security foundations: rate limiting on auth endpoints, bcrypt with cost factor 10, internal service authentication with runtime-generated secrets, proper disconnection guards in WebSocket handling, and issuer whitelist validation. However, the inconsistent JWT verification in refresh endpoints creates a security gap where tokens from external providers cannot be properly validated.\n\n

Confidence Score: 3/5

\n\n- Safe to merge with issues that need addressing in follow-up\n- Score reflects solid architecture and comprehensive testing but with critical logic issues in auth/credentials.ts that break multi-provider JWT support. The core authentication infrastructure is well-designed with proper rate limiting and security measures, but the hardcoded JWT verification in refresh endpoints bypasses the universal verifier, making those endpoints incompatible with Ed25519/JWKS providers. These issues don't introduce security vulnerabilities but will cause runtime failures when using non-secret authentication providers.\n- packages/server/src/api/auth/credentials.ts (refresh and me endpoints need to use universal JWT verifier), packages/core/src/database.ts (type signatures should use User instead of any)\n\n

Important Files Changed

\n\n\n\n\n| Filename | Overview |\n|----------|----------|\n| packages/server/src/api/auth/credentials.ts | Implements custom credential-based authentication with registration, login, refresh, and user info endpoints. Uses bcrypt for password hashing and JWT_SECRET for token signing. Contains hardcoded JWT verification logic in refresh/me endpoints that doesn't use the universal JWT verifier. |\n| packages/server/src/middleware/entity-auth.ts | Implements dual-mode authentication middleware (legacy header-based vs JWT-based). Includes internal service authentication using runtime-generated secret. Properly handles data isolation mode with JWT verification and entityId extraction. |\n| packages/server/src/services/jwt-verifier.ts | Universal JWT verifier factory that creates appropriate verifier (Ed25519, JWKS, or Secret) based on environment configuration. Clean architecture with singleton pattern and backwards compatibility. |\n| packages/server/src/socketio/index.ts | Implements WebSocket authentication with JWT verification in handshake middleware. Includes channel access control, permission verification, and proper disconnection guards. Handles both legacy and data isolation modes. |\n| packages/client/src/context/AuthContext.tsx | Client-side authentication context managing JWT tokens, login/logout, and socket reconnection. Handles token persistence in localStorage with origin-specific keys. Auto-opens auth dialog when server requires authentication. |\n| packages/plugin-sql/src/base.ts | Added user management methods to database adapter (getUserByEmail, getUserByUsername, getUserById, createUser, updateUserLastLogin). Email queries use toLowerCase() for case-insensitive matching. |\n| packages/server/src/middleware/rate-limit.ts | Comprehensive rate limiting for auth endpoints (10 attempts per 15 min), API endpoints (1000 per 15 min), uploads (50 per 15 min), and channel validation (200 per 10 min). Includes skipSuccessfulRequests for auth to prevent legitimate logins from counting. |\n| packages/core/src/types/database.ts | Added user management methods to IDatabaseAdapter interface (getUserByEmail, getUserByUsername, getUserById, createUser, updateUserLastLogin). Changed getLogs entityId parameter from optional to required. |\n\n\n\n\n\n

Sequence Diagram

\n\n```mermaid\nsequenceDiagram\n participant Client\n participant AuthDialog\n participant API as Express API\n participant AuthMiddleware as Entity Auth Middleware\n participant JWTVerifier as Universal JWT Verifier\n participant DB as Database\n participant Socket as Socket.IO Server\n participant AgentRuntime as Agent Runtime\n\n Note over Client,AgentRuntime: User Registration Flow\n Client->>AuthDialog: Open auth dialog\n AuthDialog->>API: POST /api/auth/register
{email, username, password}\n API->>API: Validate input (email format, password length ≥8)\n API->>DB: Check if email/username exists\n DB-->>API: User not found\n API->>API: Hash password with bcrypt (cost=10)\n API->>DB: Create user with UUID\n DB-->>API: User created\n API->>API: Generate JWT (HS256, 7d expiry)\n API-->>AuthDialog: {token, entityId, username}\n AuthDialog->>Client: Store token in localStorage\n Client->>Client: Update API client config with JWT\n\n Note over Client,AgentRuntime: HTTP Request with JWT\n Client->>API: GET /api/agents (with Bearer token)\n API->>AuthMiddleware: Authenticate request\n AuthMiddleware->>AuthMiddleware: Check ENABLE_DATA_ISOLATION flag\n alt Data Isolation Enabled\n AuthMiddleware->>JWTVerifier: verify(token)\n JWTVerifier->>JWTVerifier: Select verifier
(Ed25519/JWKS/Secret)\n JWTVerifier->>JWTVerifier: Validate issuer whitelist\n JWTVerifier-->>AuthMiddleware: {entityId, sub, payload}\n AuthMiddleware->>AuthMiddleware: Set req.entityId\n else Legacy Mode\n AuthMiddleware->>AuthMiddleware: Extract X-Entity-Id header\n end\n AuthMiddleware->>API: Continue to route handler\n API-->>Client: Response data\n\n Note over Client,AgentRuntime: WebSocket Connection Flow\n Client->>Socket: Connect with auth token in handshake\n Socket->>Socket: Authentication middleware\n alt Data Isolation Enabled\n Socket->>JWTVerifier: verify(token)\n JWTVerifier-->>Socket: {entityId, sub, payload}\n else Legacy Mode\n Socket->>Socket: Use client-provided entityId\n end\n Socket->>Socket: Store entityId in socket.data\n Socket->>Socket: Track entity→sockets mapping\n Socket-->>Client: Emit 'authenticated' event\n\n Note over Client,AgentRuntime: Channel Join with Permission Check\n Client->>Socket: ROOM_JOINING {channelId, agentId}\n Socket->>DB: isChannelParticipant(channelId, entityId)\n DB-->>Socket: Permission result\n alt Permission Granted\n Socket->>Socket: Join socket room\n Socket->>AgentRuntime: Emit ENTITY_JOINED event\n Socket-->>Client: 'channel_joined' event\n else Permission Denied\n Socket-->>Client: Error: Access denied\n end\n\n Note over Client,AgentRuntime: Message Submission\n Client->>Socket: SEND_MESSAGE {channelId, message, senderId}\n Socket->>DB: verifyChannelAccess(channelId, entityId)\n Socket->>DB: Create message\n DB-->>Socket: Message created\n Socket->>Client: Broadcast message to channel\n Socket->>AgentRuntime: Emit to message bus for agent processing\n AgentRuntime->>AgentRuntime: Process message with agent\n AgentRuntime->>Socket: Stream response chunks\n Socket-->>Client: MESSAGE_STREAM_EVENT chunks\n```\n\n\n\n", "repository": "elizaos/eliza", "createdAt": "2026-02-08T18:44:19Z", "mergedAt": null, "additions": 6079, "deletions": 347 } ], "codeChanges": { "additions": 12326, "deletions": 1520, "files": 111, "commitCount": 16 }, "completedItems": [ { "title": "feat(auth): implement JWT authentication and user management", "prNumber": 6200, "type": "feature", "body": "## Relates to\r\n\r\n- Data isolation / multi-entity support\r\n- External JWT provider integration (Privy, Auth0, Clerk, Supabase, Google, Embbeded)\r\n\r\n## Risks\r\n\r\n**Low**\r\n\r\n- Requires `ENABLE_DATA_ISOLATION=true` to activate JWT auth mode\r\n\r\n#", "files": [ ".github/workflows/client-cypress-tests.yml", "packages/client/cypress/e2e/auth/01-auth-flow.cy.ts", "packages/client/cypress/e2e/auth/02-protected-features.cy.ts", "packages/client/src/App.tsx", "packages/client/src/components/ProtectedRoute.tsx", "packages/client/src/components/ai-elements/response.tsx", "packages/client/src/components/app-sidebar.tsx", "packages/client/src/components/auth-dialog.tsx", "packages/client/src/components/connection-error-banner.tsx", "packages/client/src/components/connection-status.tsx", "packages/client/src/components/group-card.tsx", "packages/client/src/components/group-panel.tsx", "packages/client/src/context/AuthContext.tsx", "packages/client/src/context/ConnectionContext.tsx", "packages/client/src/context/ServerConfigContext.tsx", "packages/client/src/hooks/use-query-hooks.ts", "packages/client/src/hooks/use-socket-chat.ts", "packages/client/src/index.css", "packages/client/src/lib/api-client-config.ts", "packages/client/src/lib/auth-utils.ts", "packages/client/src/lib/socketio-manager.ts", "packages/client/src/routes/chat.tsx", "packages/client/src/routes/group.tsx", "packages/client/src/routes/home.tsx", "packages/config/src/eslint/eslint.config.base.js", "packages/core/src/database.ts", "packages/core/src/runtime.ts", "packages/core/src/types/database.ts", "packages/core/src/types/index.ts", "packages/core/src/types/user.ts", "packages/plugin-sql/src/base.ts", "packages/plugin-sql/src/schema/index.ts", "packages/plugin-sql/src/schema/user.ts", "packages/server/src/__tests__/integration/jwt-workflow.test.ts", "packages/server/src/__tests__/test-utils/jwt-helper.ts", "packages/server/src/__tests__/unit/api/auth/credentials.test.ts", "packages/server/src/__tests__/unit/middleware/auth-middleware-chain.test.ts", "packages/server/src/__tests__/unit/middleware/auth-middleware.test.ts", "packages/server/src/__tests__/unit/middleware/jwtMiddleware.test.ts", "packages/server/src/__tests__/unit/services/jwt-verifiers/ed25519-verifier.test.ts", "packages/server/src/__tests__/unit/services/jwt-verifiers/factory.test.ts", "packages/server/src/__tests__/unit/services/jwt-verifiers/jwks-verifier.test.ts", "packages/server/src/__tests__/unit/services/jwt-verifiers/secret-verifier.test.ts", "packages/server/src/__tests__/unit/socketio/authentication.test.ts", "packages/server/src/api/agents/logs.ts", "packages/server/src/api/agents/runs.ts", "packages/server/src/api/auth/credentials.ts", "packages/server/src/api/auth/index.ts", "packages/server/src/api/index.ts", "packages/server/src/api/memory/agents.ts", "packages/server/src/index.ts" ] }, { "title": "fix(cli): always use 'latest' for @elizaos deps in created projects", "prNumber": 6362, "type": "bugfix", "body": "## Summary\n\n- Fixes issue where `elizaos create` fails when CLI is linked from monorepo because packages with version like `1.7.2-alpha.0` couldn't be found on npm\n- Both build-time and runtime scripts now use `'latest'` for `@elizaos/*` de", "files": [ "packages/cli/src/scripts/copy-templates.ts", "packages/cli/src/utils/copy-template.ts", "packages/cli/tests/integration/local-development.test.ts", "packages/cli/tests/utils/copy-template.test.ts", ".github/workflows/cli-tests.yml", "packages/cli/bunfig.toml", "packages/cli/tests/commands/update.test.ts", "packages/cli/tests/test-timeouts.ts" ] }, { "title": "fix(cli): validate directory path in ensureDir to prevent ENOENT error", "prNumber": 6379, "type": "bugfix", "body": "This PR adds validation to the `ensureDir` function to prevent unclear ENOENT errors when an empty directory path is provided.\n\n## Problem\n\nWhen `ensureDir` was called with an empty string or whitespace-only path, it would attempt to execut", "files": [ "packages/cli/src/utils/get-config.ts" ] }, { "title": "docs: add environment variables documentation", "prNumber": 6377, "type": "docs", "body": "This PR adds comprehensive documentation for server environment variables, addressing #5716.\n\n## Summary\n\nAdded `docs/environment-variables.md` with detailed documentation for:\n- `ELIZA_SERVER_AUTH_TOKEN` - API authentication for securing e", "files": [ "docs/environment-variables.md" ] }, { "title": "fix(cli): load .env files in agent commands for authentication", "prNumber": 6376, "type": "bugfix", "body": "This PR fixes #5707 - an issue where `elizaos agent` commands would fail when connecting to a remote server that uses `ELIZA_SERVER_AUTH_TOKEN`.\n\n## Problem\n\nWhen running `elizaos agent list` (or other agent commands) against a remote serve", "files": [ "packages/cli/src/commands/agent/utils/validation.ts" ] }, { "title": "fix(plugin-bootstrap): add null check for runtime.providers", "prNumber": 6473, "type": "bugfix", "body": "## Summary\n\n- **Fix**: Add null check for `runtime.providers` in `providersProvider`\n- **Impact**: Prevents `TypeError: Cannot read properties of null (reading 'filter')`\n\n## Problem\n\nWhen `runtime.providers` is `null` or `undefined`, the c", "files": [ "packages/plugin-bootstrap/src/providers/providers.ts" ] }, { "title": "fix: add null checks to Object.entries calls in settings utilities", "prNumber": 6471, "type": "bugfix", "body": "## Summary\n\nThis PR adds defensive null/undefined checks before Object.entries() calls in the @elizaos/core package's settings utilities to prevent runtime errors.\n\n## Changes\n\n### packages/core/src/settings.ts\n\nAdded null/undefined guards ", "files": [ "packages/core/src/settings.ts" ] }, { "title": "chore(examples-art): v2 update dependencies, training pipeline, and tests for 2048 game", "prNumber": 6461, "type": "tests", "body": "# Relates to\r\n\r\nRelated to ART (Agentic Reinforcement Training) example improvements for v2.0.0\r\n\r\n# Risks\r\n\r\nLow. Changes are isolated to the `examples/art` directory and root `.gitignore`. Only adds new dependencies, enhances existing fun", "files": [ ".gitignore", "examples/art/.gitignore", "examples/art/README.md", "examples/art/elizaos_art/games/game_2048/__init__.py", "examples/art/elizaos_art/games/game_2048/cli.py", "examples/art/elizaos_art/trainer.py", "examples/art/pyproject.toml", "examples/art/tests/test_games.py", "examples/art/tests/test_integration.py" ] }, { "title": "chore(deps): bump the cargo group across 3 directories with 3 updates", "prNumber": 6479, "type": "other", "body": "Bumps the cargo group with 1 update in the /packages/computeruse directory: [bytes](https://github.com/tokio-rs/bytes).\nBumps the cargo group with 1 update in the /packages/rust directory: [bytes](https://github.com/tokio-rs/bytes).\nBumps t", "files": [ "packages/computeruse/Cargo.lock", "packages/computeruse/crates/computeruse-cli/Cargo.toml", "packages/rust/Cargo.lock", "packages/sweagent/rust/Cargo.lock" ] }, { "title": "chore(deps): bump the npm_and_yarn group across 3 directories with 3 updates", "prNumber": 6478, "type": "other", "body": "Bumps the npm_and_yarn group with 1 update in the /packages/computeruse/crates/computeruse-mcp-agent directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk).\nBumps the npm_and_yarn group with 1 update ", "files": [ "packages/computeruse/crates/computeruse-mcp-agent/package-lock.json", "packages/computeruse/crates/computeruse-mcp-agent/package.json", "packages/computeruse/crates/computeruse-mcp-agent/tests/integration/package-lock.json", "packages/computeruse/crates/computeruse-mcp-agent/tests/integration/package.json", "packages/computeruse/examples/mcp-client-elicitation/package-lock.json", "packages/computeruse/examples/mcp-client-elicitation/package.json" ] }, { "title": "feat(plugin-bootstrap): comprehensive optimization and robustness imp…", "prNumber": 6476, "type": "feature", "body": "…rovements\r\n\r\nThis commit merges critical performance optimizations, caching improvements, and robustness enhancements while preserving type safety improvements from upstream.\r\n\r\n## New Features\r\n- Added plugin initialization banner with co", "files": [ "bun.lock", "packages/plugin-bootstrap/src/banner.ts", "packages/plugin-bootstrap/src/evaluators/reflection.ts", "packages/plugin-bootstrap/src/index.ts", "packages/plugin-bootstrap/src/providers/actionState.ts", "packages/plugin-bootstrap/src/providers/actions.ts", "packages/plugin-bootstrap/src/providers/anxiety.ts", "packages/plugin-bootstrap/src/providers/attachments.ts", "packages/plugin-bootstrap/src/providers/character.ts", "packages/plugin-bootstrap/src/providers/choice.ts", "packages/plugin-bootstrap/src/providers/entities.ts", "packages/plugin-bootstrap/src/providers/evaluators.ts", "packages/plugin-bootstrap/src/providers/index.ts", "packages/plugin-bootstrap/src/providers/plugin-info.ts", "packages/plugin-bootstrap/src/providers/recentMessages.ts", "packages/plugin-bootstrap/src/providers/relationships.ts", "packages/plugin-bootstrap/src/providers/roles.ts", "packages/plugin-bootstrap/src/providers/settings.ts", "packages/plugin-bootstrap/src/providers/shared-cache.ts", "packages/plugin-bootstrap/src/providers/world.ts" ] }, { "title": "feat: ActionFilterService — vector search + BM25 reranking for action/provider filtering", "prNumber": 6475, "type": "feature", "body": "## Summary\n\n- Adds `ActionFilterService` that dynamically filters which actions are shown to the LLM based on relevance, reducing prompt bloat from 200+ actions to ~15 relevant ones\n- Two-tier ranking: vector search (cosine similarity on em", "files": [ "packages/typescript/src/__tests__/action-filter.test.ts", "packages/typescript/src/bootstrap/index.ts", "packages/typescript/src/bootstrap/providers/actions.ts", "packages/typescript/src/runtime.ts", "packages/typescript/src/services/action-filter.ts", "packages/typescript/src/services/bm25.ts", "packages/typescript/src/services/cosine-similarity.ts", "packages/typescript/src/types/plugin.ts" ] } ], "topContributors": [ { "username": "lalalune", "avatarUrl": "https://avatars.githubusercontent.com/u/18633264?u=e2e906c3712c2506ebfa98df01c2cfdc50050b30&v=4", "totalScore": 288.52580791948094, "prScore": 288.08780791948095, "issueScore": 0, "reviewScore": 0, "commentScore": 0.43799999999999994, "summary": "lalalune: Focused on expanding core platform capabilities and addressing immediate needs, notably merging significant feature PRs like elizaos-plugins/plugin-evm#25, which introduced multi-provider RPC support, and elizaos-plugins/plugin-solana#26, enhancing cloud proxy routing, while also initiating several new features and fixes across the `elizaos/eliza` repository. Their work primarily involved feature development and bug fixes, touching a substantial amount of code across 189 files." }, { "username": "odilitime", "avatarUrl": "https://avatars.githubusercontent.com/u/16395496?u=c9bac48e632aae594a0d85aaf9e9c9c69b674d8b&v=4", "totalScore": 103.0875477931522, "prScore": 103.0875477931522, "issueScore": 0, "reviewScore": 0, "commentScore": 0, "summary": "odilitime: Focused on significant feature development and bug fixes, notably merging a comprehensive optimization and robust feature in elizaos/eliza#6476 (+2119/-823 lines) and addressing a bootstrap cache memory leak in elizaos/eliza#6477, demonstrating a balanced contribution to both new functionality and system stability." }, { "username": "greptile-apps", "avatarUrl": "https://avatars.githubusercontent.com/in/867647?v=4", "totalScore": 58.84, "prScore": 0, "issueScore": 0, "reviewScore": 58.5, "commentScore": 0.33999999999999997, "summary": "greptile-apps: No activity today." }, { "username": "tdnupe3", "avatarUrl": "https://avatars.githubusercontent.com/u/25161668?u=94680b6bcbcfce954c7a9dd09d667a3919953041&v=4", "totalScore": 0.2, "prScore": 0, "issueScore": 0, "reviewScore": 0, "commentScore": 0.2, "summary": null } ], "newPRs": 11, "mergedPRs": 12, "newIssues": 0, "closedIssues": 2, "activeContributors": 11 }