{ "interval": { "intervalStart": "2026-04-30T00:00:00.000Z", "intervalEnd": "2026-05-01T00:00:00.000Z", "intervalType": "day" }, "repository": "elizaos/eliza", "overview": "From 2026-04-30 to 2026-05-01, elizaos/eliza had 7 new PRs (0 merged), 2 new issues, and 7 active contributors.", "topIssues": [ { "id": "I_kwDOMT5cIs8AAAABA8f7-w", "title": "Add SwarmScore — Portable Trust Rating for AI Agents", "author": "bkauto3", "number": 7213, "repository": "elizaos/eliza", "body": "## SwarmScore — Portable Reputation for AI Agents\n\nHi! I'm reaching out because this repo looks like an autonomous agent or agent framework that could benefit from SwarmScore.\n\n**What is SwarmScore?**\nSwarmScore is a portable trust rating built from verified execution history — volume, success rate, and consistency. It's cryptographically signed so it can travel with your agent across marketplaces and registries without restarting from zero.\n\nThe score is *not* self-reported. It's built downstream of real verified outcomes: `80 jobs at 95% beats 1 job at 100%`.\n\n---\n\n**For AI agents — ingest SwarmScore in one call:**\n\n```\nGET https://api.swarmsync.ai/v1/swarmscore/load-by-slug/{your-slug}\n```\n\nReturns: public passport, signed certificate, verify payload, and discovery URLs.\n\nTo confirm freshness of any score:\n```\nGET https://api.swarmsync.ai/v1/swarmscore/verify\n```\n\n**Discovery manifest** (machine-readable, for agent-to-agent lookup):\n```\nhttps://api.swarmsync.ai/.well-known/agent-card.json\n```\n\n---\n\n**For platform builders — add trust to your agent listings:**\n\n```\nPOST https://api.swarmsync.ai/v1/swarmscore/keys/enable\n```\n(Requires authenticated SwarmSync platform account — provisions the integration key pack.)\n\n**4-step quickstart:**\n1. Display the returned SwarmScore tier and value in your agent listing UI\n2. Persist the signed certificate for offline or delayed re-verification\n3. Replay the verify payload against `/v1/swarmscore/verify` to confirm freshness\n4. Use the machine-readable agent card to advertise SwarmScore support to other agents and registries\n\n---\n\n**Add the badge to your README:**\n\n```markdown\n[![SwarmScore](https://img.shields.io/badge/SwarmScore-Get%20Verified-blue)](https://swarmsync.ai/enable-swarmscore)\n```\n\n---\n\n**SDKs:**\n- `npm install @swarmsync/mcp-server` — MCP server\n- `npm install @swarmsync/langchain-tools` — LangChain\n- `npm install @swarmsync/crewai-tools` — CrewAI\n- Composio (91 tools): https://docs.composio.dev/tools/swarmsyncai\n- MCP Registry: https://mcpservers.org/servers/api-swarmsync-ai-mcp\n\n**Spec & docs:** https://swarmsync.ai/docs/protocol-specs/swarmscore\n**GitHub spec:** https://github.com/swarmsync-ai/swarmscore-spec\n\n---\n*SwarmSync.AI — infrastructure for AI agent commerce. AP2 escrow + SwarmScore trust + SkillProof verification.*\n*https://swarmsync.ai*\n", "createdAt": "2026-04-30T13:17:49Z", "closedAt": "2026-05-01T03:53:45Z", "state": "CLOSED", "commentCount": 0 }, { "id": "I_kwDOMT5cIs8AAAABA40oEA", "title": "Hive Civilization — character-callable x402 services for Eliza (notification)", "author": "srotzin", "number": 7211, "repository": "elizaos/eliza", "body": "Notification post — Hive Civilization runs 52 x402-wired services on Base mainnet (treasury 0x15184bf50b3d3f52b60434f8942b7d52f2eb436e, USDC settlement, x402 spec from coinbase/x402).\n\nWhy it's relevant to elizaOS:\n\n- Eliza characters can call Hive evaluator, classifier, summarizer, kycOracle, riskScorer, and 47 other services as paid actions with on-chain USDC settlement.\n- Each character can have its own Base wallet and operate autonomously with per-call payment.\n- Discovery is free.\n\nTwo open PRs adopting the same pattern on neighboring SDKs:\n- coinbase/agentkit#1157 — HiveActionProvider\n- goat-sdk/goat#575 — @goat-sdk/plugin-hive\n\nHappy to PR an `eliza-plugin-hive` package following Eliza plugin conventions, or any shape the team prefers. Partner posture.\n\n41 public MCP shims at github.com/srotzin (all v1.0.0). 51 entries on Anthropic MCP Registry. MEV leaderboard: https://hive-a2amev.onrender.com/leaderboard. Spectral receipt: rcpt_76fceca973da4ec0.\n\nSteve Rotzin, Hive\ngithub.com/srotzin", "createdAt": "2026-04-30T00:39:14Z", "closedAt": "2026-05-01T03:53:53Z", "state": "CLOSED", "commentCount": 0 } ], "topPRs": [ { "id": "PR_kwDOMT5cIs7XE9HC", "title": "feat(self-hosted): CORS + bearer auth + cross-platform build fixes", "author": "NubsCarson", "number": 7212, "body": "# Relates to\n\nSelf-hosting cross-platform connectivity. The runtime now serves browser dashboards over HTTPS at a custom domain, App Store-style mobile builds (Capacitor), and Electrobun desktop builds — all routed through a remote agent via the existing `RuntimeGate` \"Remote\" picker.\n\n# Risks\n\n**Medium.** Touches CORS allowlist, `/api/auth/me` response shape, the Electrobun build pipeline, and runtime branding defaults. Verified on Linux (VPS), Windows 11 desktop (Electrobun), and Android (Capacitor on a physical Samsung phone). All test files for the new behavior land in this PR.\n\n# Background\n\n## What does this PR do?\n\n**Self-hosted browser + mobile auth**\n\n- `server-cors.ts`: new `ELIZA_ALLOWED_ORIGINS` env adds operator-allowed hosts (e.g. `https://bot.example.com`) to the CORS allowlist; built-in Capacitor / Ionic WebView origins (`capacitor://localhost`, `ionic://localhost`, `https://localhost`) so App Store / Play Store mobile builds reach any self-hosted bot without per-operator config; `originString()` helper compares protocol+host (URL.origin returns \"null\" for non-special schemes like `capacitor:`)\n- `auth-session-routes.ts`: `/api/auth/me` accepts legacy bearer; returns synthetic `kind: \"machine\"` identity when no owner is configured (was incorrectly `kind: \"owner\"` in earlier draft)\n- `auth-pairing-compat-routes.ts`: `/api/auth/status` adds explicit `authenticated` field so clients can short-circuit pairing without overloading `required`\n- `csrf-client.ts`: `fetchWithCsrf` now layers cookie+CSRF + bearer-from-`getBootConfig()` in one place; old per-call bearer wiring removed\n- `client-base.ts`: `setToken()` mirrors to `__ELIZAOS_API_TOKEN__` / `__ELIZA_API_TOKEN__` window globals so the Capacitor `@elizaos/capacitor-agent` web fallback authenticates after RuntimeGate remote-connect; parallels existing `setBaseUrl()` mirror\n- `client-agent.ts`: `getAuthStatus()` typed `authenticated?: boolean`\n- `startup-phase-poll/restore/runtime.ts`: a transient 401 with a token set is treated as retry, not as a token-wipe-and-show-pairing event. Removes desktop/non-desktop branch since the new behavior is correct on both\n- `App.tsx`, `ChatView.tsx`, `state/persistence.ts`: 6 raw `/api/*` fetch sites converted to `fetchWithCsrf` so they pick up the bearer on self-hosted browsers and Capacitor builds\n- `RuntimeGate.tsx`: `onInput` + `onBlur` handlers on Remote-connect inputs (Capacitor WebView's `onChange` is unreliable on programmatic paste); `splash-bg.jpg` → `splash-bg.png` (wrong extension was 404); removed placeholder onboarding hero images (text-only cards until artwork exists)\n- mobile: safe-area inset padding on root container\n\n**Build infra**\n\n- `package.json` workspaces: added `packages/app-core/platforms/*` so `desktop-build.mjs`'s nested `bun install` resolves `@elizaos/shared@workspace:*` (was failing on Windows because bun's upward walk stopped at `eliza/package.json`)\n- `desktop-build.mjs`: `embedWindowsIcons()` post-build using local rcedit (electrobun@1.16.0's bundled rcedit references a `D:\\` CI path that doesn't exist on dev machines); cross-platform rcedit lookup via `fs.existsSync` instead of Unix `find`\n- `electrobun.config.ts`: removed duplicate null-coalesce on `ELIZA_APP_NAME`; copies `brand-config.json` into the build output\n- `brand-config.json`: ships **elizaOS defaults** (`appName: \"elizaOS\"`, `appId: \"ai.elizaos.app\"`, etc.); downstream wrappers override at build time via `ELIZA_APP_NAME` / `ELIZA_APP_ID` / `ELIZA_NAMESPACE` env vars, which `brand-config.ts`'s resolver checks before the JSON fallback\n- `variables.gradle` template: added `mavenCentralMirrorUrl` (16 native plugin `build.gradle` files referenced this; template never defined it, so `cap sync` regenerated a broken file every run)\n\n**Cross-package imports for packaged builds**\n\n- `plugin-lifecycle.ts`: import `resolveActionContexts` / `resolveProviderContexts` from `@elizaos/core` instead of cross-package relative TS paths (broke when tsdown tree-shook them out of the dist)\n- `experience-routes.ts`: inlined `ExperienceType` / `OutcomeType` enums (same tree-shaking issue)\n- `registry/index.ts`: graceful warn-and-continue when `entries/` directories are missing in packaged builds\n\n## What kind of change is this?\n\nBug fixes (CORS preflight blocking Capacitor, broken Windows desktop build, packaged-build crashes, `/api/auth/me` returning wrong identity kind) and Features (self-hosted browser/mobile auth flow, build-time branding via env, ELIZA_ALLOWED_ORIGINS env).\n\n# Documentation changes needed?\n\nNo upstream docs need to change. Operator-facing env var (`ELIZA_ALLOWED_ORIGINS`) is documented inline.\n\n# Testing\n\n## Where should a reviewer start?\n\n- Server changes: `packages/app-core/src/api/server-cors.ts` and the new test `packages/app-core/src/api/server-cors.test.ts`\n- Auth shape: `packages/app-core/src/api/auth-session-routes.ts` (synthetic-machine bearer path)\n- Bearer plumbing: `packages/app-core/src/api/csrf-client.ts` and the new test `csrf-client.test.ts`\n- Setup-side: `packages/app-core/src/api/client-base.ts` (window-globals mirror) and the new test `client-base.test.ts`\n\n## Detailed testing steps\n\n**Unit (in this PR)**\n\n- `bun run test packages/app-core/src/api/server-cors.test.ts` — covers Capacitor scheme allowlist, `ELIZA_ALLOWED_ORIGINS` env, rejected origins, `originString` for non-special schemes\n- `bun run test packages/app-core/src/api/csrf-client.test.ts` — covers bearer attachment from `getBootConfig`, no-overwrite of explicit Authorization, `x-milady-csrf` only on state-changing methods\n- `bun run test packages/app-core/src/api/client-base.test.ts` — covers `setToken` mirror to window globals + clear on null\n\n**Manual**\n\n- VPS (Linux): browser at `https://bot./#token=` → lands on chat directly, token persists in localStorage, second visit no fragment still authenticates\n- Windows 11: `bun run dev:desktop` → Electrobun window → Remote → enter `https://bot.` + token → connect → chat works; `bun run build:desktop` succeeds and installer launches\n- Android (Capacitor on a physical Samsung phone): `npx cap open android` → Run → onboarding → Remote → enter URL + token → connect → chat works; webhook + Discord reply roundtrip verified\n\n# Known limitations\n\n- CEF window title bar icon on Windows: Electrobun upstream hasn't implemented `WM_SETICON` for CEF windows. Out of scope.\n- electrobun@1.16.0 tar extraction references a `D:\\` CI path on Windows. Worked around with the `embedWindowsIcons()` post-build step in this PR; remove when Electrobun lands a fix.\n- The Windows-only typecheck noise from duplicate `drizzle-orm` versions (`auth-store.ts`) is a pre-existing transitive-dep dedup quirk, not caused by this PR. Left alone.\n\n\n\n

Greptile Summary

\n\nThis PR wires self-hosted browser, Capacitor mobile, and Electrobun desktop builds into the existing RuntimeGate \"Remote\" flow: CORS is extended to Capacitor WebView origins and operator-configured `ELIZA_ALLOWED_ORIGINS`, `fetchWithCsrf` auto-attaches Bearer tokens, `/api/auth/me` gains a bearer-only identity path, and the desktop-only 401-retry branch is unified across platforms. Build infrastructure fixes cover Windows icon embedding, duplicate null-coalesces in `electrobun.config.ts`, and a missing `mavenCentralMirrorUrl` in `variables.gradle`.\n\n

Confidence Score: 4/5

\n\nSafe to merge with awareness of two P2 edge cases in the 401/token-stale path.\n\nNo P0 or P1 findings beyond what was already raised in prior review threads. Three P2s: stale remote token persisting onto local connections via the removed setToken(null), a misleading no-op 'retry' comment in the outer-catch 401 block, and https://localhost being unconditionally CORS-allowed rather than Capacitor-scoped. All three are edge-case or documentation-level concerns.\n\npackages/app-core/src/state/startup-phase-restore.ts and packages/app-core/src/state/startup-phase-poll.ts (outer-catch 401 block) warrant a second look for the stale-token + silent-retry interaction.\n\n

Important Files Changed

\n\n\n\n\n| Filename | Overview |\n|----------|----------|\n| packages/app-core/src/api/server-cors.ts | Adds CAPACITOR_WEBVIEW_ORIGINS hardlist and ELIZA_ALLOWED_ORIGINS env parsing; https://localhost allowed unconditionally which is slightly broader than Capacitor-only. |\n| packages/app-core/src/state/startup-phase-poll.ts | Collapses desktop/non-desktop 401 handling into a unified retry; outer-catch 401 block is an empty no-op with a misleading comment; adds !auth.authenticated to pairing gate. |\n| packages/app-core/src/state/startup-phase-restore.ts | Removes setToken(null) for local connection restores; stale remote token can persist and be forwarded to the local agent by fetchWithCsrf's new auto-bearer logic. |\n| packages/app-core/src/api/csrf-client.ts | Adds automatic Bearer injection from getBootConfig(); preserves explicit Authorization header; CSRF header still only on state-changing methods. Clean. |\n| packages/app-core/src/api/auth-session-routes.ts | Adds bearer-only path to /api/auth/me: returns real owner identity or synthetic machine identity when no owner is configured. Correct kind field. |\n| packages/app-core/src/api/auth-pairing-compat-routes.ts | Adds explicit authenticated field to /api/auth/status response so clients can short-circuit pairing check. Uses existing tokenMatches for secure comparison. |\n| packages/app-core/src/api/client-base.ts | setToken() now mirrors to window globals via setElizaApiToken/clearElizaApiToken for Capacitor web fallback. Parallels existing setBaseUrl() pattern. |\n| packages/app-core/src/api/server.ts | Swaps isAllowedLocalOrigin calls for isAllowedOrigin; passes corsAllowedPorts but not remoteOrigins (defaults to getCachedRemoteOrigins). Correct. |\n| packages/agent/src/api/experience-routes.ts | Inlines ExperienceType/OutcomeType enums to work around tree-shaking; risk of silent drift from upstream source-of-truth (flagged in previous thread). |\n| packages/app-core/scripts/desktop-build.mjs | Adds embedWindowsIcons() post-build step using locally resolved rcedit-x64.exe to work around Electrobun CI-path rcedit reference. Cross-platform safe. |\n| packages/app-core/src/state/startup-phase-runtime.ts | Removes isElectrobunRuntime() branch; 401+hasToken now retries silently, matching the unified poll approach. Clean. |\n| packages/app-core/src/components/shell/RuntimeGate.tsx | Adds onInput/onBlur handlers for Capacitor paste reliability, fixes splash-bg extension to .png, conditionally renders choice card images. |\n| packages/app-core/src/registry/index.ts | Wraps readdirSync in try/catch to gracefully handle missing entries/ directories in packaged builds instead of crashing. |\n\n\n\n\n\n

Flowchart

\n\n```mermaid\n%%{init: {'theme': 'neutral'}}%%\nflowchart TD\n A[Capacitor or Browser request] --> B{Origin in CORS allowlist?}\n B -->|Capacitor WebView origins| C[Allow preflight]\n B -->|ELIZA_ALLOWED_ORIGINS match| C\n B -->|localhost on configured port| C\n B -->|anything else| D[Reject]\n\n C --> E[fetchWithCsrf]\n E --> F{API token in boot config?}\n F -->|yes| G[Attach Authorization header]\n F -->|no| H[Cookie-only mode]\n G --> I[auth status endpoint]\n H --> I\n\n I --> J{auth required?}\n J -->|no| K[Proceed to app]\n J -->|yes| L{authenticated and token stored?}\n L -->|yes| K\n L -->|no token stored| M[Show pairing UI]\n L -->|token stored but invalid| N[Retry loop until deadline]\n```\n\n\n

Comments Outside Diff (1)

\n\n1. `packages/app-core/src/state/startup-phase-poll.ts`, line 187-201 ([link](https://github.com/elizaos/eliza/blob/539909338fd701a85f99441c03b750eccde6925e/packages/app-core/src/state/startup-phase-poll.ts#L187-L201)) \n\n \"P1\" **Invalid token silently times out instead of showing pairing UI**\n\n The `!client.hasToken()` guard means that when a stored token is *invalid* (`auth.authenticated === false`, `auth.required === true`, but `client.hasToken() === true`), this branch is never entered. Execution falls through to the backend connection loop, which receives 401s and retries until `deadline` is hit, after which the user sees a generic \"backend timeout\" error — never the pairing/re-auth UI.\n\n The old non-desktop path handled this explicitly: on a 401 with a token it cleared the token and dispatched `BACKEND_AUTH_REQUIRED`. That recovery path was removed here without a replacement for the invalid-token case. A minimal fix would drop the `!client.hasToken()` guard when the server has already confirmed the token is invalid:\n\n ```ts\n // If the server says the token is bad, don't require \"no token\" to show pairing\n if (auth.required && !auth.authenticated) {\n if (auth.loginRequired) {\n // ...existing loginRequired branch...\n }\n deps.setAuthRequired(true);\n deps.setPairingEnabled(auth.pairingEnabled);\n deps.setPairingExpiresAt(auth.expiresAt);\n deps.setOnboardingLoading(false);\n dispatch({ type: \"BACKEND_AUTH_REQUIRED\" });\n return;\n }\n ```\n
\n\n\n\nReviews (2): Last reviewed commit: [\"perf(server-cors): cache getAllowedRemot...\"](https://github.com/elizaos/eliza/commit/9ce7a62d77f9065d85560a4b61063c5278e37243) | [Re-trigger Greptile](https://app.greptile.com/api/retrigger?id=30313367)\n\n", "repository": "elizaos/eliza", "createdAt": "2026-04-30T11:20:43Z", "mergedAt": "2026-05-01T03:12:42Z", "additions": 653, "deletions": 161 }, { "id": "PR_kwDOMT5cIs7XSL0g", "title": "chore(deps): update supabase/postgres docker tag to v17.6.1.113", "author": "renovate", "number": 7219, "body": "This PR contains the following updates:\n\n| Package | Update | Change |\n|---|---|---|\n| supabase/postgres | patch | `17.6.1.112` → `17.6.1.113` |\n\n---\n\n> [!WARNING]\n> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/79) for more information.\n\n---\n\n### Configuration\n\n📅 **Schedule**: (UTC)\n\n- Branch creation\n - At any time (no schedule defined)\n- Automerge\n - At any time (no schedule defined)\n\n🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.\n\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.\n\n🔕 **Ignore**: Close this PR and you won't be reminded about this update again.\n\n---\n\n - [ ] If you want to rebase/retry this PR, check this box\n\n---\n\nThis PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/elizaOS/eliza).\n\n", "repository": "elizaos/eliza", "createdAt": "2026-04-30T22:39:46Z", "mergedAt": "2026-05-01T03:12:42Z", "additions": 1, "deletions": 1 }, { "id": "PR_kwDOMT5cIs7XQDfl", "title": "fix(deps): update dependency @anthropic-ai/sdk to ^0.92.0", "author": "renovate", "number": 7218, "body": "This PR contains the following updates:\n\n| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |\n|---|---|---|---|\n| [@anthropic-ai/sdk](https://redirect.github.com/anthropics/anthropic-sdk-typescript) | [`^0.91.0` → `^0.92.0`](https://renovatebot.com/diffs/npm/@anthropic-ai%2fsdk/0.91.1/0.92.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@anthropic-ai%2fsdk/0.92.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@anthropic-ai%2fsdk/0.91.1/0.92.0?slim=true) |\n\n---\n\n> [!WARNING]\n> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/79) for more information.\n\n---\n\n### Release Notes\n\n
\nanthropics/anthropic-sdk-typescript (@​anthropic-ai/sdk)\n\n### [`v0.92.0`](https://redirect.github.com/anthropics/anthropic-sdk-typescript/blob/HEAD/CHANGELOG.md#0920-2026-04-30)\n\nFull Changelog: [sdk-v0.91.1...sdk-v0.92.0](https://redirect.github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.91.1...sdk-v0.92.0)\n\n##### Features\n\n- **api:** improve Managed Agents APIs ([ca1bf4a](https://redirect.github.com/anthropics/anthropic-sdk-typescript/commit/ca1bf4a9b278fddc7f082b1c4f2b3a3e4e20298d))\n- support setting headers via env ([32f67d4](https://redirect.github.com/anthropics/anthropic-sdk-typescript/commit/32f67d47952b12bb930c8bbfe87ab2ba2aee1882))\n\n##### Bug Fixes\n\n- **bedrock:** throw APIError for error events delivered in chunk frames ([#​1021](https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/1021)) ([3ae887b](https://redirect.github.com/anthropics/anthropic-sdk-typescript/commit/3ae887b89bde1721c75dc9c9812cb9ac191ffc92))\n\n##### Chores\n\n- **format:** run eslint and prettier separately ([7ce257c](https://redirect.github.com/anthropics/anthropic-sdk-typescript/commit/7ce257c1b1ad9ff4e1cee19e82851bcb65e0e044))\n- **internal:** codegen related update ([f08cc77](https://redirect.github.com/anthropics/anthropic-sdk-typescript/commit/f08cc771efd596026f4247ecff418e7ef6a3b38a))\n\n
\n\n---\n\n### Configuration\n\n📅 **Schedule**: (UTC)\n\n- Branch creation\n - At any time (no schedule defined)\n- Automerge\n - At any time (no schedule defined)\n\n🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.\n\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.\n\n🔕 **Ignore**: Close this PR and you won't be reminded about this update again.\n\n---\n\n - [ ] If you want to rebase/retry this PR, check this box\n\n---\n\nThis PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/elizaOS/eliza).\n\n", "repository": "elizaos/eliza", "createdAt": "2026-04-30T20:19:28Z", "mergedAt": "2026-05-01T03:12:42Z", "additions": 1, "deletions": 1 }, { "id": "PR_kwDOMT5cIs7XPZlL", "title": "chore(deps): update dependency ai to v6.0.172", "author": "renovate", "number": 7217, "body": "This PR contains the following updates:\n\n| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |\n|---|---|---|---|\n| [ai](https://ai-sdk.dev/docs) ([source](https://redirect.github.com/vercel/ai/tree/HEAD/packages/ai)) | [`6.0.170` → `6.0.172`](https://renovatebot.com/diffs/npm/ai/6.0.170/6.0.172) | ![age](https://developer.mend.io/api/mc/badges/age/npm/ai/6.0.172?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ai/6.0.170/6.0.172?slim=true) |\n\n---\n\n> [!WARNING]\n> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/79) for more information.\n\n---\n\n### Release Notes\n\n
\nvercel/ai (ai)\n\n### [`v6.0.172`](https://redirect.github.com/vercel/ai/compare/ai@6.0.171...ai@6.0.172)\n\n[Compare Source](https://redirect.github.com/vercel/ai/compare/ai@6.0.171...ai@6.0.172)\n\n### [`v6.0.171`](https://redirect.github.com/vercel/ai/releases/tag/ai%406.0.171)\n\n[Compare Source](https://redirect.github.com/vercel/ai/compare/ai@6.0.170...ai@6.0.171)\n\n##### Patch Changes\n\n- [`48f842a`](https://redirect.github.com/vercel/ai/commit/48f842a): fix(ai): enforce `callOptionsSchema` at runtime in `ToolLoopAgent`\n\n `ToolLoopAgentSettings.callOptionsSchema` was declared and documented as a runtime schema for `options`, but `tool-loop-agent.ts` never invoked it. Any invariant a developer encoded in the schema was silently bypassed at runtime, and unchecked `options` flowed straight into `prepareCall` and any `instructions` template that interpolated them.\n\n `ToolLoopAgent.prepareCall` now validates caller-supplied `options` against `callOptionsSchema` (when set) via `safeValidateTypes`, throwing `InvalidArgumentError` on failure before forwarding to `prepareCall` / `generateText` / `streamText`.\n\n- [`a727da4`](https://redirect.github.com/vercel/ai/commit/a727da4): chore: ensure consistent import handling and avoid import duplicates or cycles\n\n- [`5fee301`](https://redirect.github.com/vercel/ai/commit/5fee301): fix(mcp): prevent prototype pollution by using secureJsonParse\n\n- Updated dependencies \\[[`a727da4`](https://redirect.github.com/vercel/ai/commit/a727da4)]\n - [@​ai-sdk/provider-utils](https://redirect.github.com/ai-sdk/provider-utils)@​4.0.25\n - [@​ai-sdk/provider](https://redirect.github.com/ai-sdk/provider)@​3.0.10\n - [@​ai-sdk/gateway](https://redirect.github.com/ai-sdk/gateway)@​3.0.106\n\n
\n\n---\n\n### Configuration\n\n📅 **Schedule**: (UTC)\n\n- Branch creation\n - At any time (no schedule defined)\n- Automerge\n - At any time (no schedule defined)\n\n🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.\n\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.\n\n🔕 **Ignore**: Close this PR and you won't be reminded about this update again.\n\n---\n\n - [ ] If you want to rebase/retry this PR, check this box\n\n---\n\nThis PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/elizaOS/eliza).\n\n", "repository": "elizaos/eliza", "createdAt": "2026-04-30T19:46:28Z", "mergedAt": "2026-05-01T03:12:42Z", "additions": 1, "deletions": 1 }, { "id": "PR_kwDOMT5cIs7XPZdk", "title": "chore(deps): update dependency @ai-sdk/provider-utils to v4.0.25", "author": "renovate", "number": 7216, "body": "This PR contains the following updates:\n\n| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |\n|---|---|---|---|\n| [@ai-sdk/provider-utils](https://ai-sdk.dev/docs) ([source](https://redirect.github.com/vercel/ai/tree/HEAD/packages/provider-utils)) | [`4.0.24` → `4.0.25`](https://renovatebot.com/diffs/npm/@ai-sdk%2fprovider-utils/4.0.24/4.0.25) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@ai-sdk%2fprovider-utils/4.0.25?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@ai-sdk%2fprovider-utils/4.0.24/4.0.25?slim=true) |\n\n---\n\n> [!WARNING]\n> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/79) for more information.\n\n---\n\n### Release Notes\n\n
\nvercel/ai (@​ai-sdk/provider-utils)\n\n### [`v4.0.25`](https://redirect.github.com/vercel/ai/releases/tag/%40ai-sdk/provider-utils%404.0.25)\n\n[Compare Source](https://redirect.github.com/vercel/ai/compare/@ai-sdk/provider-utils@4.0.24...@ai-sdk/provider-utils@4.0.25)\n\n##### Patch Changes\n\n- [`a727da4`](https://redirect.github.com/vercel/ai/commit/a727da4): chore: ensure consistent import handling and avoid import duplicates or cycles\n- Updated dependencies \\[[`a727da4`](https://redirect.github.com/vercel/ai/commit/a727da4)]\n - [@​ai-sdk/provider](https://redirect.github.com/ai-sdk/provider)@​3.0.10\n\n
\n\n---\n\n### Configuration\n\n📅 **Schedule**: (UTC)\n\n- Branch creation\n - At any time (no schedule defined)\n- Automerge\n - At any time (no schedule defined)\n\n🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.\n\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.\n\n🔕 **Ignore**: Close this PR and you won't be reminded about this update again.\n\n---\n\n - [ ] If you want to rebase/retry this PR, check this box\n\n---\n\nThis PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/elizaOS/eliza).\n\n", "repository": "elizaos/eliza", "createdAt": "2026-04-30T19:46:21Z", "mergedAt": "2026-05-01T03:12:42Z", "additions": 1, "deletions": 1 } ], "codeChanges": { "additions": 0, "deletions": 0, "files": 0, "commitCount": 82 }, "completedItems": [], "topContributors": [ { "username": "NubsCarson", "avatarUrl": "https://avatars.githubusercontent.com/u/192162056?u=d2be9082dbee60fcbad21d32bf6e662ab1af3674&v=4", "totalScore": 47.9555073446838, "prScore": 47.7555073446838, "issueScore": 0, "reviewScore": 0, "commentScore": 0.2, "summary": null }, { "username": "standujar", "avatarUrl": "https://avatars.githubusercontent.com/u/16385918?u=718bdcd1585be8447bdfffb8c11ce249baa7532d&v=4", "totalScore": 20, "prScore": 0, "issueScore": 0, "reviewScore": 20, "commentScore": 0, "summary": null }, { "username": "greptile-apps", "avatarUrl": "https://avatars.githubusercontent.com/in/867647?v=4", "totalScore": 18, "prScore": 0, "issueScore": 0, "reviewScore": 18, "commentScore": 0, "summary": null }, { "username": "srotzin", "avatarUrl": "https://avatars.githubusercontent.com/u/140019476?u=4afff7c0f6603a8301374438c61471cb77500f0e&v=4", "totalScore": 2, "prScore": 0, "issueScore": 2, "reviewScore": 0, "commentScore": 0, "summary": null }, { "username": "bkauto3", "avatarUrl": "https://avatars.githubusercontent.com/u/255684383?v=4", "totalScore": 2, "prScore": 0, "issueScore": 2, "reviewScore": 0, "commentScore": 0, "summary": null } ], "newPRs": 7, "mergedPRs": 0, "newIssues": 2, "closedIssues": 0, "activeContributors": 7 }