# ElizaOS Weekly Newsletter
**December 5 - December 11, 2025**

## Executive Summary
This week has been pivotal for the ElizaOS ecosystem with significant developments across security, infrastructure, and developer tooling. Key milestones include:

- **Critical security vulnerability identified and fixed** in the server's API authentication: servers were not requiring the auth token, so an unauthenticated attacker could read secrets through API endpoints
- **Jeju testnet deployment** introducing cross-chain liquidity pools (XLP) that enable using ElizaOS tokens as gas across multiple chains without bridging
- **Major code quality improvements** through a comprehensive cleanup PR that fixed type issues, removed unnecessary error handling, and improved overall code structure

## Development Updates

### Security Enhancements
A security audit that Jin ran using Claude skills uncovered a vulnerability in elizaOS: servers were not requiring `ELIZA_SERVER_AUTH_TOKEN`, so API endpoints could be called without any credential, and because `process.env` was being copied into the plaintext `settings` object rather than the encrypted `settings.secrets`, an unauthenticated caller could read those secrets through the API. Stan traced the regression to version 1.6.4; it is fixed in 1.6.5-alpha.8 (commit a1941c6). The team has agreed to make authentication mandatory by default, with an explicit opt-out intended for development environments only. Operators running 1.6.4 should upgrade and confirm that `ELIZA_SERVER_AUTH_TOKEN` is set on every reachable instance; a server that has been exposed without the token should be treated as a possible secret disclosure and its stored secrets rotated.

```bash
# Security best practice for all production deployments (.env)
# Required: every API request must present this token
ELIZA_SERVER_AUTH_TOKEN=your-secure-token
# Salt used when encrypting values kept in settings.secrets
SECRET_SALT=your-secure-salt
# Generate both values with a CSPRNG, e.g.: openssl rand -hex 32
```
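To make the fail-closed default concrete, here is an added example (not elizaOS code, and not the change in commit a1941c6) of the gate a server would put in front of its API routes. It assumes the token arrives in an `X-API-KEY` header or an `Authorization: Bearer` header (lower-cased keys, as Node exposes them), and uses a hypothetical `ELIZA_SERVER_AUTH_DISABLED` opt-out that is only honoured when `NODE_ENV` is not `production`. The second function shows the other half of the fix described above: sorting environment variables into plaintext `settings` versus `secrets` by a name-pattern heuristic (also an assumption), so that an API handler that serialises `settings` cannot leak them. Encryption of the secrets store is out of scope here.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

type Env = Record<string, string | undefined>;
type RequestHeaders = Record<string, string | undefined>; // lower-cased keys

export interface AuthDecision {
  allowed: boolean;
  status: 200 | 401 | 503;
  reason: string;
}

// Constant-time string comparison. Hashing both sides first yields equal-length
// buffers, so timingSafeEqual never throws and the token length is not leaked.
function safeEqual(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a, "utf8").digest();
  const hb = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(ha, hb);
}

// Credential extraction. The header names are assumptions for this example.
function presentedToken(headers: RequestHeaders): string | undefined {
  const apiKey = headers["x-api-key"];
  if (apiKey) return apiKey;
  const auth = headers["authorization"];
  if (auth && /^Bearer\s+/i.test(auth)) return auth.replace(/^Bearer\s+/i, "").trim();
  return undefined;
}

// Fail-closed gate. A missing ELIZA_SERVER_AUTH_TOKEN does not mean "no auth";
// it means "refuse to serve" unless the operator opted out explicitly, and the
// opt-out (hypothetical flag ELIZA_SERVER_AUTH_DISABLED) is ignored in production.
export function authorizeRequest(headers: RequestHeaders, env: Env): AuthDecision {
  const expected = env.ELIZA_SERVER_AUTH_TOKEN;
  const optOut = env.ELIZA_SERVER_AUTH_DISABLED === "true";
  const isProduction = env.NODE_ENV === "production";

  if (!expected) {
    if (optOut && !isProduction) {
      return { allowed: true, status: 200, reason: "auth disabled by explicit opt-out (non-production)" };
    }
    return { allowed: false, status: 503, reason: "ELIZA_SERVER_AUTH_TOKEN is not configured" };
  }
  const presented = presentedToken(headers);
  if (!presented) return { allowed: false, status: 401, reason: "no credential presented" };
  if (!safeEqual(presented, expected)) return { allowed: false, status: 401, reason: "invalid credential" };
  return { allowed: true, status: 200, reason: "ok" };
}

// Keep secrets out of the plaintext settings an API handler may serialise.
// The name pattern is an illustrative heuristic, not elizaOS's own rule.
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD|SALT|PRIVATE)/i;

export function partitionEnv(env: Env): { settings: Record<string, string>; secrets: Record<string, string> } {
  const settings: Record<string, string> = {};
  const secrets: Record<string, string> = {};
  for (const [k, v] of Object.entries(env)) {
    if (v === undefined) continue;
    (SECRET_NAME.test(k) ? secrets : settings)[k] = v;
  }
  return { settings, secrets };
}
```

The important branch is the first one: when no token is configured, the production answer is 503, not a silently open server. Wire `authorizeRequest` as the first middleware so that no route, including any that returns `settings`, is reachable before it runs.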

### Database Improvements
Several users reported foreign key constraint errors with the `plugin-sql` and `plugin-twitter` components, particularly when creating memories. Stan has developed a comprehensive fix (PR #6215) that:
- Optimizes the migration from the pre-1.6.5 camelCase schema to the 1.6.5+ snake_case schema
- Improves RLS (Row-Level Security) handling for multi-tenant deployments
- Cleans up the migration code and fixes schema indexes and foreign key definitions

A migration guide will be published soon to help users resolve any existing database issues.

### Code Quality Initiative
A major code cleanup effort (PR #6213) by Shaw has been merged, addressing numerous quality issues across the codebase:
- Replaced `any` and `unknown` types with proper TypeScript types
- Removed excessive try/catch blocks that were obscuring real errors
- Eliminated dead code and outdated comments
- Enhanced test coverage; in total the PR carries 9,246 additions and 7,105 deletions

### Performance Optimization
Work has begun on parallel action execution (PR #6209) that will allow multiple actions within a single response batch to execute simultaneously while sharing the same initial state. This will significantly improve performance for multi-action responses while maintaining proper state management between batches.

## Community Spotlight
The community has been actively collaborating on both security and developer experience improvements:

Jin shared a methodology for using Claude to perform code security reviews, which proved instrumental in identifying the authentication vulnerability. This approach is now recommended for all security-sensitive code contributions.

Several community members have been testing alternative LLM integrations, with Odilitime providing guidance on integrating Perplexity's Sonar-Pro through either `plugin-openai` or `plugin-openrouter` by adjusting environment variables:

```bash
# For using Perplexity Sonar-Pro via plugin-openai (.env):
# point the OpenAI-compatible client at Perplexity's endpoint
OPENAI_API_BASE_URL=https://api.perplexity.ai
OPENAI_API_KEY=your-perplexity-api-key
```

The community also discussed various cryptocurrency API options beyond Dexscreener, with Jin recommending CoinGecko, DeFiLlama, and Codex as alternatives depending on budget constraints and required data points.

## Token Economics
The token migration from AI16Z to ElizaOS continues to be a focus for many community members. Users who purchased AI16Z tokens before the 11th are being directed to the dedicated migration support channel for assistance.

Shaw announced a significant development with the Jeju testnet deployment featuring cross-chain liquidity pools (XLP). This allows elizaOS tokens to be used as gas across multiple chains, including Base, BSC, Optimism, Arbitrum, and Ethereum, without requiring bridging operations, a major advancement for token utility and accessibility.

## Coming Soon
Several exciting developments are on the horizon:

1. **JWT Authentication System**: A comprehensive JWT authentication system (PR #6200) is nearing completion, supporting multiple verification strategies including Ed25519, JWKS, and HS256. This will provide robust security while being compatible with external providers like Auth0, Clerk, Privy, and Supabase.

2. **ElizaOS Cloud Integration**: Work is progressing on tight integration between the elizaOS CLI and cloud services (PR #6216), making it easier for users to get started with elizaOS cloud as a database and storage provider. The new flow will automatically log users in, provision API keys, and ensure proper project setup.

3. **Plugin Migration Guide**: A comprehensive guide for resolving the foreign key constraint issues in plugin-sql will be published, helping users migrate smoothly between versions.

4. **Babylon Security Audit**: Following the successful audit of the core platform, a security review of Babylon is planned to ensure all components meet the same high-security standards.
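Item 1 above lists three verification strategies. The following added example (not code from PR #6200 or from elizaOS) shows the property a practitioner should check in any such verifier: the algorithm is pinned by configuration and never chosen by the token's own header. It implements HS256 and Ed25519 (whose JOSE identifier is `EdDSA`) with Node's built-in `crypto`; keys, claims and the fixed clock are constructed inline. `demo()` exercises the two failure modes that make multi-strategy verifiers dangerous when the header is trusted: an `alg: none` token, and an HS256 token HMAC-keyed with the Ed25519 public key bytes. JWKS fetching is not shown; a JWKS strategy would resolve the key by `kid` and then call the same pinned verifier.

```typescript
import { createHmac, generateKeyPairSync, sign, timingSafeEqual, verify, KeyObject } from "node:crypto";

// The strategy the verifier is *configured* with. The token header must match it;
// it never gets to pick the algorithm.
export type VerifyStrategy =
  | { alg: "HS256"; secret: Buffer }
  | { alg: "EdDSA"; publicKey: KeyObject }; // Ed25519 is "EdDSA" in JOSE (RFC 8037)

export type SignStrategy =
  | { alg: "HS256"; secret: Buffer }
  | { alg: "EdDSA"; privateKey: KeyObject };

const enc = (obj: unknown): string => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (s: string): Buffer => Buffer.from(s, "base64url");

export function signJwt(payload: Record<string, unknown>, s: SignStrategy): string {
  const signingInput = `${enc({ alg: s.alg, typ: "JWT" })}.${enc(payload)}`;
  const data = Buffer.from(signingInput);
  const sig = s.alg === "HS256"
    ? createHmac("sha256", s.secret).update(data).digest()
    : sign(null, data, s.privateKey); // algorithm null selects pure Ed25519
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Returns the verified claims or throws. nowSec is injectable for deterministic tests.
export function verifyJwt(token: string, s: VerifyStrategy, nowSec = Math.floor(Date.now() / 1000)): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, sigB64] = parts;
  const header = JSON.parse(dec(h).toString("utf8"));
  // Pinning: "none", or an HS256 token handed to an EdDSA verifier, dies here.
  if (header.alg !== s.alg) throw new Error(`alg mismatch: token says ${header.alg}, verifier pinned to ${s.alg}`);
  const data = Buffer.from(`${h}.${p}`);
  const sig = dec(sigB64);
  let ok: boolean;
  if (s.alg === "HS256") {
    const expected = createHmac("sha256", s.secret).update(data).digest();
    ok = sig.length === expected.length && timingSafeEqual(sig, expected);
  } else {
    ok = sig.length === 64 && verify(null, data, s.publicKey, sig);
  }
  if (!ok) throw new Error("bad signature");
  const payload = JSON.parse(dec(p).toString("utf8"));
  if (typeof payload.exp === "number" && payload.exp <= nowSec) throw new Error("token expired");
  return payload;
}

function rejects(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

// Constructed demo: fresh Ed25519 key pair, throwaway HMAC secret, fixed clock.
export function demo(): { hsOk: boolean; edOk: boolean; confusionRejected: boolean; noneRejected: boolean; expiredRejected: boolean } {
  const secret = Buffer.from("constructed-demo-secret-not-for-production");
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const now = 1_765_000_000;
  const claims = { sub: "agent-1", exp: now + 300 };

  const hs = signJwt(claims, { alg: "HS256", secret });
  const ed = signJwt(claims, { alg: "EdDSA", privateKey });
  const hsOk = verifyJwt(hs, { alg: "HS256", secret }, now).sub === "agent-1";
  const edOk = verifyJwt(ed, { alg: "EdDSA", publicKey }, now).sub === "agent-1";

  // Algorithm confusion: HMAC the token with the public key bytes and present it
  // to the EdDSA verifier. A verifier that trusted header.alg would accept it.
  const spki = publicKey.export({ type: "spki", format: "der" });
  const forged = signJwt(claims, { alg: "HS256", secret: spki });
  const confusionRejected = rejects(() => verifyJwt(forged, { alg: "EdDSA", publicKey }, now));

  // "alg":"none" with an empty signature.
  const none = `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
  const noneRejected = rejects(() => verifyJwt(none, { alg: "HS256", secret }, now));

  const expiredRejected = rejects(() => verifyJwt(hs, { alg: "HS256", secret }, now + 301));
  return { hsOk, edOk, confusionRejected, noneRejected, expiredRejected };
}
```

When several strategies are supported side by side, keep one `VerifyStrategy` per issuer and select it from trusted configuration (the route, the tenant, or the `kid` resolved against a JWKS you fetched), not from anything inside the token.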

## Resources
- Plugin SQL Repository: https://github.com/elizaOS/eliza/tree/develop/packages/plugin-sql
- Telegram Plugin Repository: https://github.com/elizaos-plugins/plugin-telegram
- Security Vulnerability Fix (commit a1941c6): https://github.com/elizaOS/eliza/commit/a1941c6
- Code Cleanup PR: https://github.com/elizaOS/eliza/pull/6213
- JWT Authentication PR: https://github.com/elizaOS/eliza/pull/6200
- Plugin SQL Optimization PR: https://github.com/elizaOS/eliza/pull/6215

Stay connected and keep building with ElizaOS!