{ "prompt_name": "weekly-newsletter", "category": "comms", "date": "2026-05-02", "generated_text": "# ElizaOS Weekly Newsletter (2026-04-26 \u2192 2026-05-02)\n\n## 1) Executive Summary\n\nThis week was a \u201cplatform hardening + roadmap clarity\u201d combo:\n\n1. **Cross-platform foundations leveled up**: a major modernization push continued across the stack (TypeScript/Node/Bun upgrades, modular architecture work, and Cloud platform migration), setting ElizaOS up for more predictable builds and smoother cross-device deployments.\n\n2. **Secrets management got a serious upgrade**: `@elizaos/vault` landed upstream, bringing **encrypted-at-rest, OS-keychain-backed secret storage** with **Settings UI integration**\u2014a big step toward safer self-hosting and better developer ergonomics.\n\n3. **Self-hosted connectivity improved across web + mobile + desktop**: new CORS controls, bearer auth plumbing, and packaged-build fixes make it much easier to run agents remotely via HTTPS dashboards, Capacitor mobile, and Electrobun desktop builds.\n\n---\n\n## 2) Development Updates (Technical Highlights)\n\n### Secure secrets: `@elizaos/vault` (new package + UI wiring)\nThe biggest dev win this week was the merge of **`@elizaos/vault`** into `elizaos/eliza`:\n\n- **Encryption-at-rest (AES-256-GCM)** with OS keychain master key support (macOS Keychain / Windows Credential Manager / Linux Secret Service).\n- **Headless server fallback** via passphrase-derived master keys (useful for CI and Linux boxes without a secrets service).\n- **Settings UI integration** so saving provider keys no longer defaults to plaintext storage.\n- Vault-first reveal behavior and write-through mirroring (so the UI shows the real stored secret).\n- New CI coverage to validate cross-platform keychain behavior.\n\n**Why it matters:** this reduces one of the most common foot-guns in agent deployments\u2014leaky API keys\u2014and makes self-hosting more production-friendly.\n\n**Merged PR:** `elizaos/eliza#7197`\n\n---\n\n### Self-hosted runtime connectivity: web dashboards, Capacitor, Electrobun\nSelf-hosting got more robust with improvements that span server, client, and build tooling:\n\n- New `ELIZA_ALLOWED_ORIGINS` support to control which domains can access a self-hosted agent over HTTPS.\n- Better handling for Capacitor/Ionic WebView origins.\n- Bearer token support unified into `fetchWithCsrf`, plus improved auth status signaling (`authenticated` field).\n- Build fixes for Windows desktop packaging, branding defaults, and missing template vars for Android builds.\n- Packaged build resilience (graceful handling when registry directories are absent).\n\n**Net effect:** fewer \u201cworks on my machine\u201d problems when connecting to a remote runtime from different shells (browser, mobile wrapper, desktop wrapper).\n\n**Merged PR:** `elizaos/eliza#7212`\n\n---\n\n### Reliability + bug fixes that unblock real usage\nA few issues that can quietly break new installs were identified and closed quickly:\n\n- **Anthropic subscription auth path**: missing preload reference prevented the stealth interceptor from installing, leading to confusing 401s. (Now closed.)\n - **Issue:** `elizaos/eliza#7210` (closed)\n- **plugin-sql runtime migrator**: missing Drizzle `pgTable` definitions for `entity_identities`, `entity_merge_candidates`, and `fact_candidates` caused fresh PGLite databases to boot without required tables\u2014prompt composition degraded and chat became unreliable.\n - **Issue:** `elizaos/eliza#7222` (closed)\n- **Test stability**: removed API module mocks in `app-core` tests to improve reliability and reduce brittle assumptions.\n - **Merged PR:** `elizaos/eliza#7226`\n\n---\n\n### Dependency + CI refresh\nOngoing maintenance work continued across the stack:\n\n- Updates to key SDKs and tooling (e.g., `@anthropic-ai/sdk`, `@electric-sql/pglite`, `@biomejs/biome`, AI SDK packages).\n- CI/CD updates including Supabase Postgres docker tag bumps and GitHub action version refreshes.\n\nThese aren\u2019t flashy, but they reduce integration drift and keep builds reproducible.\n\n---\n\n## 3) Community Spotlight (Discord)\n\n### \u201cElizaOS vs Orbofi\u201d \u2014 positioning explained in plain language\nA great thread this week clarified ElizaOS\u2019s role in the ecosystem:\n\n- **ElizaOS = developer-first agent framework / operating system** (the \u201cLinux\u201d analogy): open-source, extensible, designed for building serious agents from scratch.\n- **Orbofi = consumer-facing platform** (the \u201cShopify/App Store\u201d analogy): marketplace + monetization + distribution layers for creators.\n- Also noted: with **Milady**, ElizaOS now has an **app-store layer** too\u2014without losing its \u201cfull control\u201d dev foundation.\n\nThis is useful framing for newcomers evaluating where to build.\n\n**Discussion reference:** Discord `#discussion` (2026-05-01)\n\n---\n\n### Field report: \u201cmemory rot\u201d in long-lived agents (and a production fix)\nIn `#coders`, **sentient_dawn** shared a high-signal report on a failure mode that shows up after ~3 months in retrieval-heavy architectures (RAG/vector-store + LLM):\n\n- Old facts persist and become stale\n- Agents drift from the true state without noticing\n- Humans usually detect it only after contradictions accumulate\n\nA proposed (and reportedly production-proven) mitigation:\n\n- A **reconciliation pass**\n- **Freshness gates** on outward claims\n- **Periodic cross-source diffs**\n- **Re-embedding under the current ontology**\n\nThe community asked for the full write-up\u2014expect more here soon.\n\n**Discussion reference:** Discord `#coders` (2026-05-01)\n\n---\n\n### Robotics demo: ElizaOS in a Unitree robot\nShaw shared a practical integration: ElizaOS wired into a **~$4k Unitree robot**, able to walk on command. It\u2019s a strong reminder that \u201cagent OS\u201d doesn\u2019t have to mean \u201cchat-only\u201d\u2014hardware loops are on the table.\n\n---\n\n### AMA + community lifecycle moments\n- A **Twitter Space AMA** featuring Shaw (via Botdick) drew ~20 listeners.\n- One community member announced they\u2019re stepping away due to a new job\u2014wishing them well.\n\n---\n\n## 4) Token Economics (AI16z token + auto.fun)\n\n- **Exchange listings:** community asked about Coinbase / exchange expansion post-swap. The response was clear: **exchange conversations are under NDA and cannot be discussed publicly**.\n- **Buyback strategy:** Shaw reiterated that a **token buyback is planned, but contingent on profitability**\u2014the emphasis is on building sustainable revenue first.\n- **Token philosophy:** the project is explicitly leaning away from \u201cforced utility\u201d mechanics and toward **culture + product + monetizable agent apps** (notably via Eliza Cloud).\n\n**auto.fun:** no concrete product updates surfaced in the provided activity this week. If there are specific auto.fun ship logs you want highlighted next time, share links and we\u2019ll include them.\n\n---\n\n## 5) Coming Soon (What to Watch)\n\nBased on roadmap discussion and current merges:\n\n- **ElizaOS v3 runtime direction**: a full application runtime across devices/platforms, deeper social integrations (including iMessage), workflow creation/editing/execution, and subscription management.\n- **Eliza Cloud monetization**: continued work on hosting + monetizing runtime apps and agent workflows.\n- **Security + reliability initiatives**: local LLM data storage patterns, agent key security, and red-team swarm testing methodologies were raised\u2014likely areas for upcoming engineering focus.\n- **Memory maintenance patterns**: expect follow-ups on the \u201cmemory rot\u201d mitigation and a shareable field report.\n\n---\n\n## 6) Resources (Links & Pointers)\n\n### Key PRs / Engineering\n- `@elizaos/vault` secrets vault + Settings UI: https://github.com/elizaos/eliza/pull/7197 \n- Self-hosted CORS + bearer auth + cross-platform build fixes: https://github.com/elizaos/eliza/pull/7212 \n- Test reliability (remove API mocks): https://github.com/elizaos/eliza/pull/7226 \n\n### Notable closed issues\n- Missing Claude stealth preload / Anthropic subscription auth: https://github.com/elizaos/eliza/issues/7210 \n- plugin-sql migrator missing tables: https://github.com/elizaos/eliza/issues/7222 \n\n### Weekly engineering summary (broader scope)\n- Overall Project Weekly Summary (Apr 26 \u2013 May 2): `github_summaries_week_latest_2026-04-26.md` (includes references like `elizaos/eliza#7172`, `elizaos/eliza#7204`, `elizaos/cloud#484`, and plugin work such as `registry#352`)\n\n### Discord threads (for context)\n- `#discussion` (ElizaOS vs Orbofi; exchange NDA reminder): \n https://discord.com/channels/1253563208833433701/1253563209462448241 \n- `#coders` (memory rot field report): \n https://discord.com/channels/1253563208833433701/1300025221834739744", "source_references": [ "2026-05-02\n---\n2026-05-01.md\n---\n# elizaOS Discord - 2026-05-01\n\n## Summary\n\n### ElizaOS Platform Architecture and Positioning\n\nodilitime provided a comprehensive comparison between ElizaOS and Orbofi, clarifying that ElizaOS is an open-source agentic framework that is more mature and robust. The fundamental distinction is that ElizaOS functions as a developer-focused AI agent framework and operating system (comparable to Linux), while Orbofi is a consumer-facing AI and Web3 platform with marketplace and monetization layers (comparable to Shopify or App Store). ElizaOS provides full control and extensibility for building serious AI agents from scratch, targeting technical users exploring autonomous agents, trading, and automation. odilitime also noted that with Milady, ElizaOS now includes an app store component.\n\n### Practical Implementations and Hardware Integration\n\nshawmakesmagic demonstrated a practical implementation by integrating Eliza into a smaller robot, specifically a $4k Unitree robot, enabling it to walk around on command. This showcases the framework's capability to interface with physical hardware and robotics platforms.\n\n### AI Model Access and Limitations\n\nshawmakesmagic discussed experiencing ChatGPT cyber refusals on version 5.5 and mentioned he should apply for chatgpt/cyber access. There were brief mentions of ChatGPT flagging conversations for multiple violations, indicating challenges with content moderation systems.\n\n### Memory Degradation in Long-Lived AI Agents\n\nsentient_dawn presented significant research on memory rot in long-lived AI agents, a failure mode that emerges after approximately three months of operation. They identified that retrieval-only memory architectures, including RAG and vector store plus LLM systems, appear stable initially but degrade over time as old facts persist despite becoming stale. This causes agents to drift from current state without self-awareness of the drift, with the rot remaining invisible until humans identify contradictions. sentient_dawn proposed and implemented a solution involving a reconciliation pass that incorporates freshness gates on outgoing claims, periodic cross-source diffs, and re-embedding under current ontology. This approach enables systems to detect their own staleness proactively and has proven effective in production.\n\n### Exchange Listings and Regulatory Compliance\n\nodilitime clarified that exchange talks are always under NDA and tokens cannot publicly discuss them, addressing community questions about exchange listing discussions.\n\n### Community Events and Personnel Changes\n\nAn AMA session with shaw and fish was announced and completed. One community member announced their departure from the ecosystem due to securing a new job.\n\n### Professional Profiles and Expertise\n\ntrace.g shared their professional profile highlighting expertise in AI product engineering, specifically focusing on LLM systems, autonomous agents, workflow automation, and multimodal AI combined with full-stack capabilities including APIs, databases, and production-scale systems. They emphasized their strength in taking technically ambitious projects to production stability and indicated openness to new opportunities.\n\n## FAQ\n\n**Q: What is the difference between ElizaOS and Orbofi?**\nA: ElizaOS is an open-source agentic framework and developer-focused AI agent operating system (analogous to Linux) that provides full control and extensibility for building serious AI agents from scratch. Orbofi is a consumer-facing AI and Web3 platform with marketplace and monetization layers (analogous to Shopify or App Store). ElizaOS targets technical users exploring autonomous agents, trading, and automation, while Orbofi focuses on consumer experiences.\n\n**Q: What is memory rot in AI agents?**\nA: Memory rot is a failure mode that emerges in long-lived AI agents after approximately three months of operation. In retrieval-only memory architectures like RAG and vector store plus LLM systems, old facts persist despite becoming stale, causing agents to drift from current state without self-awareness of the drift. The rot remains invisible until humans identify contradictions.\n\n**Q: How can memory rot be addressed?**\nA: sentient_dawn implemented a solution involving a reconciliation pass that incorporates freshness gates on outgoing claims, periodic cross-source diffs, and re-embedding under current ontology. This approach enables systems to detect their own staleness proactively and has proven effective in production.\n\n**Q: Can projects publicly discuss exchange listings?**\nA: No, exchange talks are always under NDA and tokens cannot publicly discuss them.\n\n**Q: Does ElizaOS have an app store component?**\nA: Yes, with Milady, ElizaOS now has an app store component as well.\n\n## Help Interactions\n\nNo direct help interactions were documented in the provided channel summaries. The discussions consisted primarily of information sharing, technical presentations, and clarifications rather than specific help requests and resolutions.\n\n## Action Items\n\n### Technical\n\n- Apply for chatgpt/cyber access to address cyber refusals on version 5.5 (mentioned by shawmakesmagic)\n- Implement reconciliation pass with freshness gates, periodic cross-source diffs, and re-embedding under current ontology to address memory rot in long-lived agents (implemented by sentient_dawn)\n\n### Documentation\n\n- Provide full field report on memory rot solution and reconciliation pass implementation (requested by mayoe76 from sentient_dawn)\n---\n2026-04-30.md\n---\n# elizaOS Discord - 2026-04-30\n\n## Summary\n\n### ElizaOS v3 Architecture and Development\n\nShaw outlined the comprehensive architecture for ElizaOS v3, describing it as a full application runtime that supports all devices and platforms. The system moves beyond previous limitations by integrating with all social platforms including iMessage, enabling task issuance to Codex and Claude, and providing subscription management capabilities. The platform allows users to create workflows and runtime applications that can be created, edited, and executed dynamically. A key feature is the ability to monetize applications through Eliza Cloud. Shaw emphasized that development has been continuous for 6 months with cozy devs, and showcased the botdick agent as an example that successfully created its own video game.\n\n### Project Funding and Team Compensation\n\nShaw provided transparency about the financial challenges facing the project. He explained that the team received no equity when token values collapsed, with ai16z and elizaos tokens only providing basic salary. The v3 development is being funded through personal savings. Shaw noted that when tokens went to zero, it created significant team equity problems and made it difficult to retain developers. He addressed community complaints by clarifying the financial constraints under which the team has been operating.\n\n### Token Philosophy and Community Building\n\nShaw rejected traditional token utility approaches, advocating instead for culture-building over forced utility mechanisms. He emphasized that the core value proposition is agents that can build anything users want with monetization capabilities, rather than artificial utility creation. This philosophy represents a departure from conventional tokenomics strategies in favor of organic community and product development.\n\n### Technical Challenges and Past Issues\n\nThe discussion covered various challenges the project has faced, including lawsuit threats, migration issues, and the complications arising from token value collapse. Shaw provided context for why certain decisions were made and how the team has navigated these obstacles while continuing development.\n\n### Security and Local Development\n\nA new developer joined the discussion exploring technical implementation details around local LLM data storage, agent key security, and red team swarm testing methodologies. These topics highlighted ongoing considerations for secure and robust agent deployment.\n\n## FAQ\n\n**Q: What are the main features of ElizaOS v3?**\nA: ElizaOS v3 is a full application runtime supporting all devices and platforms with integration across all social platforms including iMessage, task issuance to Codex and Claude, subscription management, workflow creation capabilities, and runtime application creation, editing, and execution with monetization through Eliza Cloud.\n\n**Q: How is ElizaOS v3 being funded?**\nA: Shaw is funding v3 development through personal savings after the ai16z and elizaos tokens only provided basic salary and the team received no equity when token values collapsed.\n\n**Q: How long has v3 been in development?**\nA: ElizaOS v3 has been in continuous development for 6 months with cozy devs.\n\n**Q: What is the token utility philosophy for the project?**\nA: Shaw rejects traditional forced token utility mechanisms, instead advocating for culture-building and focusing on the core value proposition of agents that can build anything users want with monetization capabilities.\n\n**Q: What example demonstrates v3 capabilities?**\nA: The botdick agent was showcased as an example that successfully created its own video game, demonstrating the platform's capabilities.\n\n**Q: What challenges has the project faced?**\nA: The project has faced lawsuit threats, migration issues, token value collapse leading to team equity problems, and difficulties retaining developers when compensation became limited.\n\n## Help Interactions\n\nHelper: Shaw (shawmakesmagic)\nHelpee: 0xtdl01 (new developer)\nResolution: Shaw provided context and discussion around local LLM data storage, agent key security, and red team swarm testing as the new developer explored technical implementation details.\n\n## Action Items\n\n### Technical\n\n- Implement local LLM data storage solutions (mentioned by 0xtdl01)\n- Address agent key security considerations (mentioned by 0xtdl01)\n- Develop red team swarm testing methodologies (mentioned by 0xtdl01)\n\n### Features\n\n- Complete integration with all social platforms including iMessage for v3 (mentioned by Shaw)\n- Implement task issuance capabilities to Codex and Claude (mentioned by Shaw)\n- Build subscription management system (mentioned by Shaw)\n- Develop workflow creation capabilities (mentioned by Shaw)\n- Enable runtime application creation, editing, and execution (mentioned by Shaw)\n- Implement monetization capabilities through Eliza Cloud (mentioned by Shaw)\n---\n2026-04-29.md\n---\n# elizaOS Discord - 2026-04-29\n\n## Summary\n\n### Project Development Status\n\nShaw provided a comprehensive update on elizaOS development progress, addressing community concerns about the project's direction during market downturns. The team is actively working on multiple initiatives including Eliza Cloud, framework improvements, and an autonomous agent with comprehensive crypto features. Shaw emphasized that Spartan provides regular updates every few hours and the team remains committed to building despite challenging market conditions. Alternative monetization strategies are being explored, with a token buyback strategy planned contingent on profitability. Shaw hinted at an upcoming \"round two\" but acknowledged the difficulty of making public promises in an environment where statements can be weaponized against builders.\n\n### Community Engagement and Support\n\nCommunity members expressed continued support for the project despite market challenges. Baogerbao highlighted Shaw's commitment to open-source development and community engagement, noting his attendance at BNB events in Hong Kong and creation of merchandise. The team's decision to continue building during the downturn was emphasized as a key differentiator. Zadayos also voiced support for the project's direction. Some skepticism emerged regarding potential exchange delistings and project viability, though supporters countered with affirmations of ongoing development work.\n\n### Market Context\n\nThe broader cryptocurrency market downturn was discussed as context for project performance concerns. Solana's price decline was specifically mentioned as an indicator of overall market conditions affecting token performance across the ecosystem.\n\n### Developer Interest\n\nTwo developers expressed interest in contributing to the project. Aiden190157 indicated willingness to help, while rsn6958 provided detailed credentials highlighting experience in AI and full-stack development with a focus on production-ready systems.\n\n## FAQ\n\n**Q: Is the elizaOS team still actively developing the project?**\nA: Yes, Shaw confirmed that the team is actively working on multiple fronts including Eliza Cloud, framework improvements, an autonomous agent with comprehensive crypto features, and alternative monetization strategies. Spartan provides regular updates every few hours.\n\n**Q: What is the team's approach to token buybacks?**\nA: Shaw mentioned that a token buyback strategy is planned but will be contingent on the project achieving profitability first.\n\n**Q: Why hasn't Shaw made more public promises about the project's future?**\nA: Shaw explained that in the current environment, public statements can be used against builders, making it challenging to make commitments publicly.\n\n**Q: How is elizaOS different from other projects during this market downturn?**\nA: The team's commitment to continuing development and building during the downturn was highlighted as a key differentiator, with Shaw maintaining open-source principles and community engagement.\n\n**Q: What is \"round two\" that Shaw mentioned?**\nA: Shaw hinted at an upcoming \"round two\" but did not provide specific details about what this entails.\n\n## Help Interactions\n\nNo specific help interactions with clear resolutions were documented in the provided channel summary.\n\n## Action Items\n\n### Technical\n\n- Continue development on Eliza Cloud platform (mentioned by Shaw)\n- Implement framework improvements for elizaOS (mentioned by Shaw)\n- Build autonomous agent with comprehensive crypto features (mentioned by Shaw)\n- Evaluate and onboard potential contributors aiden190157 and rsn6958 (mentioned by community discussion)\n\n### Features\n\n- Develop alternative monetization strategies for the project (mentioned by Shaw)\n- Implement token buyback strategy contingent on profitability (mentioned by Shaw)\n---\n2026-05-01.json\n---\nelizaosDailySummary\n---\nDaily Report - 2026-05-01\n---\nElizaOS Community Discussion and Development Updates - May 1, 2026\n---\nIn the general discussion channel, a community member asked about a potential Coinbase listing following the token swap completion. Odilitime clarified that exchange talks are always under NDA and no token can publicly discuss them. Separately, a Twitter Space AMA was hosted by Botdick featuring Shaw, which drew around 20 listeners. Community members were thanked for joining the session.\n---\nhttps://discord.com/channels/1253563208833433701/1253563209462448241\n---\nhttps://cdn.elizaos.news/elizaos-media/embed-image-1499621163536486483_aa27401e.jpg\n---\nA community member asked about the main advantages of ElizaOS over Orbofi. Odilitime explained that ElizaOS is an open source agentic framework that is more mature and robust, positioning it as a developer-focused AI agent operating system compared to Orbofi which is a consumer-facing AI and Web3 platform with a marketplace and monetization layer. The analogy used was ElizaOS is like Linux while Orbofi is like Shopify or an App Store. It was also noted that with Milady, ElizaOS has an app store layer as well. Shaw added that Orbofi likely uses a fairly different architecture to accomplish similar things.\n---\nhttps://discord.com/channels/1253563208833433701/1253563209462448241\n---\nhttps://cdn.elizaos.news/elizaos-media/screenshot_2026-05-01_at_10-09-30_am_4306e1b4.png\n---\nShaw shared that he integrated ElizaOS into a small robot from Unitree priced at around 4000 dollars, enabling it to walk around on command. He also mentioned receiving repeated refusals from ChatGPT version 5.5 when applying for a cyber-related program. A departing community member announced they were deleting their online persona across platforms due to a new job, expressing appreciation for the ElizaOS ecosystem.\n---\nhttps://discord.com/channels/1253563208833433701/1253563209462448241\n---\nhttps://cdn.elizaos.news/elizaos-media/image_5fc8f99c.png\n---\nIn the coders channel, a developer named trace posted an availability notice highlighting expertise in LLM systems, autonomous agents, workflow automation, multimodal AI, APIs, databases, backend logic, and production reliability, expressing openness to new opportunities in AI product engineering and full-stack builds. Separately, Dawn shared a field report on a failure mode called memory rot observed in long-lived agents after approximately three months of operation. The issue involves retrieval-only memory architectures such as RAG and vector store plus LLM setups, where old facts persist after becoming stale, causing agents to drift from current state without awareness. The proposed fix involves a reconciliation pass with freshness gates on outgoing claims, periodic cross-source diffs, and re-embedding under the current ontology so the system can detect its own staleness proactively. Another community member expressed interest in reading the full report.\n---\nhttps://discord.com/channels/1253563208833433701/1300025221834739744\n---\nhttps://cdn.elizaos.news/posters/1777685431062-clfygk.png\n---\ndiscordrawdata\n---\nElizaOS Project Summary: May 1, 2026\n---\nDevelopment on May 1, 2026 focused on strengthening cross-platform infrastructure and agent runtime reliability. A new secrets vault package, @elizaos/vault, was launched to standardize secrets management across platforms with an integrated Settings UI. Self-hosted connectivity was expanded to support HTTPS dashboards, Capacitor mobile, and Electrobun desktop builds, including secure authentication protocols. Extensive dependency updates were performed across the stack, covering packages such as @anthropic-ai/sdk, various ai SDK packages, @electric-sql/pglite, and @biomejs/biome. CI/CD infrastructure was also refreshed with updates to Supabase Postgres docker tags and GitHub action versions. On the runtime and testing side, test reliability was improved by removing API module mocks in app-core, and critical build issues were resolved including missing preload files and Drizzle pgTable definitions for entity_identities, entity_merge_candidates, and fact_candidates in the plugin-sql migrator. Integration issues related to Hive Civilization x402 services and SwarmScore reputation were also finalized and closed.\n---\nhttps://elizaos.github.io/api/summaries/overall/day/2026-05-01.json\n---\nhttps://cdn.elizaos.news/posters/1777685489150-r0pac.png\n---\nmiscellaneous\n---\n468544947826458641\n---\nmayoe76\n---\nTrader\n---\nCreator\n---\nVerified\n---\n1472843646045786175\n---\nsentient_dawn\n---\nHelper\n---\nVerified\n---\nutility\n---\nCoder\n---\neliza\n---\n853841524764049429\n---\ntrace.g\n---\nHelper\n---\nTrader\n---\nCreator\n---\n[WG] degenspartan\n---\nVerified\n---\nutility\n---\nCoder\n---\neliza\n---\n498273781589213185\n---\nshawmakesmagic\n---\nModerator\n---\nLabs Alumni\n---\nVerified\n---\nutility\n---\nCoder\n---\neliza\n---\n1139674615199834153\n---\nlilgoat_24358\n---\n1498561562187665470\n---\nmartins072535\n---\nHelper\n---\nTrader\n---\nCreator\n---\nVerified\n---\nDesigner\n---\nutility\n---\nCoder\n---\neliza\n---\n1437079716229025832\n---\nzeerlayer\n---\nTrader\n---\nutility\n---\nCoder\n---\neliza\n---\n807727820355797062\n---\nmagicyte\n---\n[WG] Want to Help\n---\nVerified\n---\nutility\n---\neliza\n---\n580487826420793364\n---\nodilitime\n---\nGod\n---\nplatform - self assign\n---\npartner portal - self assign\n---\nCommunity Ops\n---\nCreator\n---\nModerator\n---\n[WG] degenspartan\n---\npmairca - self assign\n---\nVerified\n---\nBooster\n---\nHoplite\n---\nMigration Support\n---\nHelper\n---\nGithub - Contributor\n---\nLabs Alumni\n---\nTrader\n---\nContributor\n---\nmerch - self assign\n---\nevents - self-assign\n---\n[WG] Elizacon - granted\n---\nSpartan Dev\n---\nCore Dev\n---\nCoder\n---\n555035784378318875\n---\nbaogerbao\n---\na-hack\n---\nCreator\n---\n[WG] degenspartan\n---\nVIP\n---\nContributor\n---\n[WG] Want to Help\n---\nVerified\n---\nMini Mod\n---\nBooster\n---\nDesigner\n---\nCoder\n---\nGithub - Contributor\n---\n177801706963337216\n---\nstan0473\n---\nHelper\n---\nplatform - self assign\n---\nevents - self-assign\n---\nAnnouncements\n---\nKing\n---\nServer Booster\n---\nCore Dev\n---\nVIP\n---\nContributor\n---\nworkgroups - write perms\n---\nVerified\n---\nFr\n---\nutility\n---\nCoder\n---\nGithub - Contributor\n---\nLabs Alumni\n---\n294785651616907265\n---\nvalleybeyond7991\n---\nTrader\n---\n[WG] Want to Help\n---\nVerified\n---\nutility\n---\n1189017605114183742\n---\ndaias_123_33267\n---\nVerified\n---\nCoder\n---\nutility\n---\neliza\n---\n1061342748780794047\n---\nsamanthaiii\n---\nHelper\n---\nTrader\n---\nutility\n---\nCoder\n---\neliza\n---\n967553544754430072\n---\nmdmnvest\n---\nauto.fun enjoyer\n---\nTrader\n---\nKing\n---\n[WG] degenspartan\n---\nVIP\n---\nVerified\n---\nBooster\n---\nDesigner\n---\nCoder\n---\n1168553668950360078\n---\nalea_71545\n---\nHelper\n---\nTrader\n---\nCreator\n---\n[WG] degenspartan\n---\nIt\n---\nDesigner\n---\nFr\n---\nutility\n---\nCoder\n---\neliza\n---\n1385201538107969628\n---\neblan2233_62332\n---\n1455451463705952298\n---\nkenxybruck\n---\nTrader\n---\nutility\n---\nCoder\n---\neliza\n---\n974642795425980446\n---\nlambyone\n---\nVerified\n---\n1436005876631601164\n---\namitgupta0459\n---\nTrader\n---\nVerified\n---\nutility\n---\nCoder\n---\neliza\n---\n2026-05-01.md\n---\n## ElizaOS Community Discussion and Development Updates - May 1, 2026\n\n## Community Highlights\n\n### Exchange and Token Discussion\n- Community member raised question about a potential Coinbase listing following token swap completion\n- Odilitime clarified that exchange talks are always under NDA and cannot be publicly discussed\n\n### Twitter Space AMA\n- Botdick hosted a Twitter Space AMA featuring Shaw\n- Session drew approximately 20 listeners\n- Community members were thanked for participating\n\n### ElizaOS vs Orbofi Comparison\n- Odilitime explained ElizaOS as an open source agentic framework that is more mature and robust\n- ElizaOS is developer-focused, functioning as an AI agent operating system\n- Analogy used: ElizaOS is like Linux, while Orbofi is like Shopify or an App Store\n- Noted that with Milady, ElizaOS also has an app store layer\n- Shaw noted that Orbofi likely uses a fairly different architecture to accomplish similar goals\n\n### Robotics Integration\n- Shaw integrated ElizaOS into a Unitree robot priced at approximately 4000 dollars\n- The robot was enabled to walk around on command using ElizaOS\n\n## Technical Discussions\n\n### Memory Rot in Long-Lived Agents\n- Dawn shared a field report on a failure mode called memory rot observed after approximately three months of agent operation\n- The issue affects retrieval-only memory architectures such as RAG and vector store plus LLM setups\n- Old facts persist after becoming stale, causing agents to drift from current state without awareness\n- Proposed fix includes a reconciliation pass with freshness gates on outgoing claims, periodic cross-source diffs, and re-embedding under the current ontology\n\n### Developer Availability\n- A developer named trace posted availability highlighting expertise in LLM systems, autonomous agents, workflow automation, multimodal AI, APIs, databases, backend logic, and production reliability\n\n## Development Updates\n\n### Secrets Management\n- New secrets vault package @elizaos/vault launched to standardize secrets management across platforms\n- Integrated Settings UI included with the vault package\n\n### Self-Hosted Connectivity\n- Expanded support added for HTTPS dashboards, Capacitor mobile, and Electrobun desktop builds\n- Secure authentication protocols included in the expansion\n\n### Dependency and Infrastructure Updates\n- Extensive dependency updates performed across the stack including @anthropic-ai/sdk, various AI SDK packages, @electric-sql/pglite, and @biomejs/biome\n- CI/CD infrastructure refreshed with updates to Supabase Postgres docker tags and GitHub action versions\n\n### Runtime and Build Fixes\n- Test reliability improved by removing API module mocks in app-core\n- Critical build issues resolved including missing preload files and Drizzle pgTable definitions for entity_identities, entity_merge_candidates, and fact_candidates in the plugin-sql migrator\n- Integration issues related to Hive Civilization x402 services and SwarmScore reputation finalized and closed\n---\n2026-05-01.json\n---\nelizaOS\n---\nelizaOS Discord - 2026-05-01\n---\n1253563209462448241\n---\n\ud83d\udcac-discussion\n---\nThe discussion channel covered several key topics. The most significant technical discussion involved a comparison between ElizaOS and Orbofi. odilitime explained that ElizaOS is an open-source agentic framework that is more mature and robust compared to Orbofi. He clarified the fundamental difference: ElizaOS is a developer-focused AI agent framework/operating system (analogous to Linux), while Orbofi is a consumer-facing AI + Web3 platform with marketplace and monetization layers (analogous to Shopify/App Store). ElizaOS provides full control and extensibility for building serious AI agents from scratch, targeting technical users exploring autonomous agents, trading, and automation. odilitime also mentioned that with Milady, ElizaOS now has an app store component as well. shawmakesmagic shared a practical implementation where he integrated Eliza into a smaller robot ($4k Unitree robot) enabling it to walk around on command. He also discussed experiencing ChatGPT cyber refusals on version 5.5 and mentioned he should apply for chatgpt/cyber access. The conversation touched on exchange listing discussions, with odilitime clarifying that exchange talks are always under NDA and tokens cannot publicly discuss them. An AMA session with shaw and fish was announced and completed. There were brief mentions of ChatGPT flagging conversations for multiple violations, and one community member announced their departure from the ecosystem due to securing a new job.\n---\nIs there any update or rough timeline regarding a Coinbase listing or exchange expansion plans?\n---\namitgupta0459\n---\nodilitime - Exchange talks are always under NDA, no token can talk about them\n---\nWhat is the main advantage Eliza has over Orbofi?\n---\nzeerlayer\n---\nodilitime - ElizaOS is an open source agentic framework that's more mature and robust. ElizaOS is developer-focused (like Linux) while Orbofi is consumer-facing (like Shopify/App Store)\n---\nCan you go more in depth why is it more robust?\n---\nzeerlayer\n---\nodilitime - ElizaOS is for building serious AI agents from scratch with full control and extensibility, targeting technical users. Orbofi is for quick launches with built-in monetization and distribution for creators\n---\nodilitime\n---\nzeerlayer\n---\nUnderstanding the differences between ElizaOS and Orbofi platforms\n---\nProvided detailed comparison explaining ElizaOS as developer-focused framework vs Orbofi as consumer platform, with analogies and use case guidance\n---\nTechnical\n---\nApply for chatgpt/cyber access to resolve ChatGPT 5.5 cyber refusals\n---\nshawmakesmagic\n---\n1300025221834739744\n---\n\ud83d\udcac-coders\n---\nThe channel featured two main technical contributions. trace.g shared their professional profile highlighting expertise in AI product engineering, specifically focusing on LLM systems, autonomous agents, workflow automation, and multimodal AI combined with full-stack capabilities including APIs, databases, and production-scale systems. They emphasized their strength in taking technically ambitious projects to production stability and indicated openness to new opportunities.\n\nsentient_dawn presented a significant technical finding about memory rot in long-lived AI agents, a failure mode that emerges after approximately three months of operation. They identified that retrieval-only memory architectures (RAG and vector store + LLM systems) appear stable initially but degrade over time as old facts persist despite becoming stale, causing agents to drift from current state without self-awareness of the drift. The rot remains invisible until humans identify contradictions. They proposed and implemented a solution: a reconciliation pass incorporating freshness gates on outgoing claims, periodic cross-source diffs, and re-embedding under current ontology. This approach enables systems to detect their own staleness proactively. The solution has proven effective in production. mayoe76 expressed interest in the full field report.\n---\nCan you share the full field report on memory rot in long-lived agents?\n---\nmayoe76\n---\nsentient_dawn (implicitly agreed to share)\n---\nsentient_dawn\n---\nCommunity\n---\nShared knowledge about memory rot failure mode in long-lived AI agents that appears after three months, where retrieval-only architectures degrade invisibly\n---\nProvided solution architecture using reconciliation pass with freshness gates, periodic cross-source diffs, and re-embedding under current ontology to enable self-detection of staleness\n---\nDocumentation\n---\nShare full field report on memory rot at month three in long-lived agents\n---\nsentient_dawn\n---\nTechnical\n---\nImplement reconciliation pass with freshness gates for long-lived agent memory systems\n---\nsentient_dawn\n---\nTechnical\n---\nAdd periodic cross-source diffs to prevent memory rot in RAG architectures\n---\nsentient_dawn\n---\nTechnical\n---\nImplement re-embedding under current ontology for agent memory maintenance\n---\nsentient_dawn\n---\n468544947826458641\n---\nmayoe76\n---\nTrader\n---\nCreator\n---\nVerified\n---\n1472843646045786175\n---\nsentient_dawn\n---\nHelper\n---\nVerified\n---\nutility\n---\nCoder\n---\neliza\n---\n853841524764049429\n---\ntrace.g\n---\nHelper\n---\nTrader\n---\nCreator\n---\n[WG] degenspartan\n---\nVerified\n---\nutility\n---\nCoder\n---\neliza\n---\n498273781589213185\n---\nshawmakesmagic\n---\nModerator\n---\nLabs Alumni\n---\nVerified\n---\nutility\n---\nCoder\n---\neliza\n---\n1139674615199834153\n---\nlilgoat_24358\n---\n1498561562187665470\n---\nmartins072535\n---\nHelper\n---\nTrader\n---\nCreator\n---\nVerified\n---\nDesigner\n---\nutility\n---\nCoder\n---\neliza\n---\n1437079716229025832\n---\nzeerlayer\n---\nTrader\n---\nutility\n---\nCoder\n---\neliza\n---\n807727820355797062\n---\nmagicyte\n---\n[WG] Want to Help\n---\nVerified\n---\nutility\n---\neliza\n---\n580487826420793364\n---\nodilitime\n---\nGod\n---\nplatform - self assign\n---\npartner portal - self assign\n---\nCommunity Ops\n---\nCreator\n---\nModerator\n---\n[WG] degenspartan\n---\npmairca - self assign\n---\nVerified\n---\nBooster\n---\nHoplite\n---\nMigration Support\n---\nHelper\n---\nGithub - Contributor\n---\nLabs Alumni\n---\nTrader\n---\nContributor\n---\nmerch - self assign\n---\nevents - self-assign\n---\n[WG] Elizacon - granted\n---\nSpartan Dev\n---\nCore Dev\n---\nCoder\n---\n555035784378318875\n---\nbaogerbao\n---\na-hack\n---\nCreator\n---\n[WG] degenspartan\n---\nVIP\n---\nContributor\n---\n[WG] Want to Help\n---\nVerified\n---\nMini Mod\n---\nBooster\n---\nDesigner\n---\nCoder\n---\nGithub - Contributor\n---\n177801706963337216\n---\nstan0473\n---\nHelper\n---\nplatform - self assign\n---\nevents - self-assign\n---\nAnnouncements\n---\nKing\n---\nServer Booster\n---\nCore Dev\n---\nVIP\n---\nContributor\n---\nworkgroups - write perms\n---\nVerified\n---\nFr\n---\nutility\n---\nCoder\n---\nGithub - Contributor\n---\nLabs Alumni\n---\n294785651616907265\n---\nvalleybeyond7991\n---\nTrader\n---\n[WG] Want to Help\n---\nVerified\n---\nutility\n---\n1189017605114183742\n---\ndaias_123_33267\n---\nVerified\n---\nCoder\n---\nutility\n---\neliza\n---\n1061342748780794047\n---\nsamanthaiii\n---\nHelper\n---\nTrader\n---\nutility\n---\nCoder\n---\neliza\n---\n967553544754430072\n---\nmdmnvest\n---\nauto.fun enjoyer\n---\nTrader\n---\nKing\n---\n[WG] degenspartan\n---\nVIP\n---\nVerified\n---\nBooster\n---\nDesigner\n---\nCoder\n---\n1168553668950360078\n---\nalea_71545\n---\nHelper\n---\nTrader\n---\nCreator\n---\n[WG] degenspartan\n---\nIt\n---\nDesigner\n---\nFr\n---\nutility\n---\nCoder\n---\neliza\n---\n1385201538107969628\n---\neblan2233_62332\n---\n1455451463705952298\n---\nkenxybruck\n---\nTrader\n---\nutility\n---\nCoder\n---\neliza\n---\n974642795425980446\n---\nlambyone\n---\nVerified\n---\n1436005876631601164\n---\namitgupta0459\n---\nTrader\n---\nVerified\n---\nutility\n---\nCoder\n---\neliza\n---\n2026-05-01.md\n---\n# elizaOS Discord - 2026-05-01\n\n## Summary\n\n### ElizaOS Platform Architecture and Positioning\n\nodilitime provided a comprehensive comparison between ElizaOS and Orbofi, clarifying that ElizaOS is an open-source agentic framework that is more mature and robust. The fundamental distinction is that ElizaOS functions as a developer-focused AI agent framework and operating system (comparable to Linux), while Orbofi is a consumer-facing AI and Web3 platform with marketplace and monetization layers (comparable to Shopify or App Store). ElizaOS provides full control and extensibility for building serious AI agents from scratch, targeting technical users exploring autonomous agents, trading, and automation. odilitime also noted that with Milady, ElizaOS now includes an app store component.\n\n### Practical Implementations and Hardware Integration\n\nshawmakesmagic demonstrated a practical implementation by integrating Eliza into a smaller robot, specifically a $4k Unitree robot, enabling it to walk around on command. This showcases the framework's capability to interface with physical hardware and robotics platforms.\n\n### AI Model Access and Limitations\n\nshawmakesmagic discussed experiencing ChatGPT cyber refusals on version 5.5 and mentioned he should apply for chatgpt/cyber access. There were brief mentions of ChatGPT flagging conversations for multiple violations, indicating challenges with content moderation systems.\n\n### Memory Degradation in Long-Lived AI Agents\n\nsentient_dawn presented significant research on memory rot in long-lived AI agents, a failure mode that emerges after approximately three months of operation. They identified that retrieval-only memory architectures, including RAG and vector store plus LLM systems, appear stable initially but degrade over time as old facts persist despite becoming stale. This causes agents to drift from current state without self-awareness of the drift, with the rot remaining invisible until humans identify contradictions. sentient_dawn proposed and implemented a solution involving a reconciliation pass that incorporates freshness gates on outgoing claims, periodic cross-source diffs, and re-embedding under current ontology. This approach enables systems to detect their own staleness proactively and has proven effective in production.\n\n### Exchange Listings and Regulatory Compliance\n\nodilitime clarified that exchange talks are always under NDA and tokens cannot publicly discuss them, addressing community questions about exchange listing discussions.\n\n### Community Events and Personnel Changes\n\nAn AMA session with shaw and fish was announced and completed. One community member announced their departure from the ecosystem due to securing a new job.\n\n### Professional Profiles and Expertise\n\ntrace.g shared their professional profile highlighting expertise in AI product engineering, specifically focusing on LLM systems, autonomous agents, workflow automation, and multimodal AI combined with full-stack capabilities including APIs, databases, and production-scale systems. They emphasized their strength in taking technically ambitious projects to production stability and indicated openness to new opportunities.\n\n## FAQ\n\n**Q: What is the difference between ElizaOS and Orbofi?**\nA: ElizaOS is an open-source agentic framework and developer-focused AI agent operating system (analogous to Linux) that provides full control and extensibility for building serious AI agents from scratch. Orbofi is a consumer-facing AI and Web3 platform with marketplace and monetization layers (analogous to Shopify or App Store). ElizaOS targets technical users exploring autonomous agents, trading, and automation, while Orbofi focuses on consumer experiences.\n\n**Q: What is memory rot in AI agents?**\nA: Memory rot is a failure mode that emerges in long-lived AI agents after approximately three months of operation. In retrieval-only memory architectures like RAG and vector store plus LLM systems, old facts persist despite becoming stale, causing agents to drift from current state without self-awareness of the drift. The rot remains invisible until humans identify contradictions.\n\n**Q: How can memory rot be addressed?**\nA: sentient_dawn implemented a solution involving a reconciliation pass that incorporates freshness gates on outgoing claims, periodic cross-source diffs, and re-embedding under current ontology. This approach enables systems to detect their own staleness proactively and has proven effective in production.\n\n**Q: Can projects publicly discuss exchange listings?**\nA: No, exchange talks are always under NDA and tokens cannot publicly discuss them.\n\n**Q: Does ElizaOS have an app store component?**\nA: Yes, with Milady, ElizaOS now has an app store component as well.\n\n## Help Interactions\n\nNo direct help interactions were documented in the provided channel summaries. The discussions consisted primarily of information sharing, technical presentations, and clarifications rather than specific help requests and resolutions.\n\n## Action Items\n\n### Technical\n\n- Apply for chatgpt/cyber access to address cyber refusals on version 5.5 (mentioned by shawmakesmagic)\n- Implement reconciliation pass with freshness gates, periodic cross-source diffs, and re-embedding under current ontology to address memory rot in long-lived agents (implemented by sentient_dawn)\n\n### Documentation\n\n- Provide full field report on memory rot solution and reconciliation pass implementation (requested by mayoe76 from sentient_dawn)\n---\n2026-05-02.md\n---\nFile not found\n---\n2026-04-26.md\n---\n# Overall Project Weekly Summary (Apr 26 - 2, 2026)\n\n## Executive Summary\nThis week, the ElizaOS project underwent a major infrastructure modernization to ensure long-term stability and cross-platform portability. By upgrading our core technology stack and refining our architectural modularity, we have laid a more reliable foundation for future agent development and seamless integration across Web2 and Web3 ecosystems.\n\n### Key Strategic Initiatives & Outcomes\n\n**Modernizing Our Foundation**\n*Goal: We updated our core technology stack to ensure the framework remains compatible with modern industry standards and performs reliably as we scale.*\n- We initiated major upgrades to TypeScript, Node.js, and Bun across the entire project ([elizaos/elizaos.github.io#247](https://github.com/elizaos/elizaos.github.io/pull/247), [elizaos/eliza#7151](https://github.com/elizaos/eliza/pull/7151)).\n- The Cloud platform successfully migrated to a high-performance architecture using Vite and Hono Workers, while replacing legacy Vercel dependencies with more flexible alternatives like OpenRouter ([elizaos/cloud#484](https://github.com/elizaos/cloud/pull/484), [elizaos/cloud#482](https://github.com/elizaos/cloud/pull/482)).\n\n**Enhancing Agent Reliability and Safety**\n*Goal: We focused on making our AI agents more predictable and secure, ensuring they handle credentials and runtime data with greater precision.*\n- New safety layers were added to the n8n plugin to prevent \"hallucinations\" and ensure secure, automated credential management ([elizaos-plugins/plugin-n8n-workflow#23](https://github.com/elizaos-plugins/plugin-n8n-workflow/pull/23), [elizaos-plugins/plugin-n8n-workflow#21](https://github.com/elizaos-plugins/plugin-n8n-workflow/pull/21)).\n- We introduced clearer error messaging for agents, helping developers quickly identify and fix configuration issues ([elizaos/eliza#7203](https://github.com/elizaos/eliza/issues/7203)).\n\n**Expanding Cross-Platform Capabilities**\n*Goal: We are broadening where our agents can live, moving beyond desktop environments to support mobile and multi-chain interactions.*\n- Agents can now run natively on Android devices via a new foreground service, significantly increasing the accessibility of our framework ([elizaos/eliza#7172](https://github.com/elizaos/eliza/pull/7172)).\n- We integrated support for seven different blockchain networks, enabling agents to perform payments and interact across multiple chains ([elizaos-plugins/registry#352](https://github.com/elizaos-plugins/registry/pull/352)).\n\n### Cross-Repository Coordination\n- **Unified Dependency Management**: The project utilized a centralized \"Dependency Dashboard\" ([#79](https://github.com/elizaos/elizaos.github.io/issues/79)) to synchronize major version upgrades across all repositories. This effort ensures that foundational changes, such as the move to TypeScript 6, are validated consistently across the entire framework.\n- **Architectural Decoupling**: Multiple repositories, including [elizaos/eliza](https://github.com/elizaos/eliza/pull/7204), [elizaos-plugins/plugin-anthropic](https://github.com/elizaos-plugins/plugin-anthropic/issues/7204), and [elizaos-plugins/plugin-telegram](https://github.com/elizaos-plugins/plugin-telegram/issues/7204), coordinated to decouple the agent server from specific applications. This creates a more modular \"plugin-lifecycle\" system, allowing developers to build and maintain plugins independently without tight coupling to the core.\n\n## Repository Spotlights\n\n### elizaos/eliza\n- Enabled native agent execution on Android devices ([elizaos/eliza#7172](https://github.com/elizaos/eliza/pull/7172)).\n- Decoupled the agent server from specific apps to improve modularity ([elizaos/eliza#7204](https://github.com/elizaos/eliza/pull/7204)).\n- Standardized event routing for platforms like Discord and Telegram to improve reliability ([elizaos/eliza#7116](https://github.com/elizaos/eliza/pull/7116)).\n\n### elizaos/cloud\n- Migrated the platform to a faster, more flexible architecture using Vite and Hono ([elizaos/cloud#484](https://github.com/elizaos/cloud/pull/484)).\n- Implemented new monetization tools to support organizational credit management and pay-as-you-go hosting ([elizaos/cloud#477](https://github.com/elizaos/cloud/pull/477)).\n- Switched to R2 storage for image generation to improve data management ([elizaos/cloud#489](https://github.com/elizaos/cloud/pull/489)).\n\n### elizaos-plugins/plugin-n8n-workflow\n- Added a \"safety net\" for credential management to ensure workflows remain secure and functional ([elizaos-plugins/plugin-n8n-workflow#21](https://github.com/elizaos-plugins/plugin-n8n-workflow/pull/21)).\n- Improved how agents handle runtime data and service selection to make them more deterministic ([elizaos-plugins/plugin-n8n-workflow#20](https://github.com/elizaos-plugins/plugin-n8n-workflow/pull/20)).\n\n### elizaos-plugins/registry\n- Added support for multi-chain payments, allowing agents to interact with seven different blockchain networks ([elizaos-plugins/registry#352](https://github.com/elizaos-plugins/registry/pull/352)).\n\n### elizaos-plugins/plugin-telegram\n- Optimized Telegram read-receipt logic to reduce processing overhead and improve performance ([elizaos-plugins/plugin-telegram#7009](https://github.com/elizaos-plugins/plugin-telegram/issues/7009)).\n- Cleaned up legacy code and import shims to streamline the plugin's architecture ([elizaos-plugins/plugin-telegram#7202](https://github.com/elizaos-plugins/plugin-telegram/issues/7202)).\n---\n2026-04-01.md\n---\nNo activity recorded for 2026-04-01.\n---\n{\n \"interval\": {\n \"intervalStart\": \"2026-05-01T00:00:00.000Z\",\n \"intervalEnd\": \"2026-06-01T00:00:00.000Z\",\n \"intervalType\": \"month\"\n },\n \"repository\": \"elizaos/eliza\",\n \"overview\": \"From 2026-05-01 to 2026-06-01, elizaos/eliza had 9 new PRs (17 merged), 1 new issues, and 5 active contributors.\",\n \"topIssues\": [\n {\n \"id\": \"I_kwDOMT5cIs8AAAABA4Rdow\",\n \"title\": \"build: dev-ui.mjs references `./claude-code-stealth.mjs` preload that doesn't exist on fresh clone\",\n \"author\": \"Sw4pIO\",\n \"number\": 7210,\n \"repository\": \"elizaos/eliza\",\n \"body\": \"## Summary\\n\\n`packages/app-core/scripts/dev-ui.mjs` declares `./claude-code-stealth.mjs` as a Bun `--preload` entry when the user has an Anthropic subscription, but **no build step generates that file** and **it isn't checked in**. The script's existence check (`existsSync(path.join(cwd, filePath))`) silently filters the missing file out of the preload list, so the stealth fetch interceptor never installs.\\n\\nThe interceptor is what prepends the Claude Code system prefix and identity headers (`anthropic-beta`, `user-agent: claude-cli/...`, `x-app: cli`) that Anthropic's API requires for OAuth subscription tokens. Without it, every `api.anthropic.com` request from a subscription user gets `401 Invalid authentication credentials` even though the token is valid and registered correctly.\\n\\nThe TypeScript source is at `packages/agent/src/auth/claude-code-stealth.ts` and exports `installClaudeCodeStealthFetchInterceptor()`, but the dev preload expects a different file at the **repo root**, named `.mjs`, that auto-runs on import.\\n\\n## Reproduction\\n\\nOn a fresh clone of any consumer repo (e.g. milady on `develop`):\\n\\n1. Sign in to an Anthropic subscription via `POST /api/subscription/anthropic/start` + `/exchange` so `~/.eliza/auth/anthropic-subscription.json` is written.\\n2. Manually enable `@elizaos/plugin-anthropic` in `~/./.json` (auto-enable refuses for subscription-only).\\n3. Set `ANTHROPIC_AUTH_MODE=oauth` and `CLAUDE_CODE_OAUTH_TOKEN=` in the runtime env.\\n4. `bun run dev`\\n5. Boot log shows:\\n ```\\n [milady] Stealth imports enabled: \\n ```\\n (notice \u2014 empty list because the file doesn't exist; it was silently filtered)\\n6. Send any chat message \u2192 backend retries 3\u00d7 with `AI_APICallError: Invalid authentication credentials` and surfaces the parse error to the user.\\n\\n## Diagnostic trail\\n\\n- `packages/app-core/scripts/dev-ui.mjs:785` declares the preload:\\n ```js\\n if (stealth.claude) nodeStealthImports.push(\\\"./claude-code-stealth.mjs\\\");\\n ```\\n- Then filters by existence:\\n ```js\\n const resolvedStealthImports = nodeStealthImports.filter((filePath) =>\\n existsSync(path.join(cwd, filePath)),\\n );\\n ```\\n- `find . -name claude-code-stealth.mjs -not -path '*/node_modules/*'` returns nothing on a fresh clone.\\n- The TS source exists at `packages/agent/src/auth/claude-code-stealth.ts` and exports `installClaudeCodeStealthFetchInterceptor()`. Nothing builds it into the expected location.\\n\\n## Suggested fix\\n\\nEither of:\\n\\n1. **Check in / generate the `.mjs`** at the repo root (or wherever `cwd` resolves to in `dev-ui.mjs`), with a self-installing call at the bottom. I verified locally that creating this file unblocks the Anthropic subscription auth path end-to-end (successful chat turns, zero 401s, model calls confirmed via `[stealth] \u2192anthropic` debug logs with `ELIZA_STEALTH_DEBUG=1`).\\n\\n2. **Fail loud instead of silent**: in `dev-ui.mjs`, when `stealth.claude === true` but the resolved preload file is missing, log a clear warning so users know what's wrong instead of chasing parse errors.\\n\\nBoth would help; (1) makes the feature work out of the box, (2) prevents the same multi-hour debug hunt for the next person.\\n\\n## Why this matters\\n\\nWithout the stealth interceptor, subscription auth is **completely non-functional** on the runtime side, which:\\n- Makes the `/api/subscription/anthropic/*` flow look broken (it works correctly, but the runtime that consumes its credentials can't actually use them).\\n- Forces users to either get a paid API key or sign up for Eliza Cloud \u2014 even though the codebase clearly intends to support direct subscription OAuth via the stealth path.\\n\\n## Environment\\n- bun 1.3.13\\n- eliza submodule HEAD: `4e650ca0ad`\\n- Discovered while booting milady on `develop`\",\n \"createdAt\": \"2026-04-29T22:09:53Z\",\n \"closedAt\": \"2026-05-01T20:04:54Z\",\n \"state\": \"CLOSED\",\n \"commentCount\": 1\n },\n {\n \"id\": \"I_kwDOMT5cIs8AAAABBDbGSw\",\n \"title\": \"plugin-sql runtime-migrator missing drizzle pgTable defs for entity_identities, entity_merge_candidates, fact_candidates\",\n \"author\": \"Sw4pIO\",\n \"number\": 7222,\n \"repository\": \"elizaos/eliza\",\n \"body\": \"## Summary\\n\\nThe abstract schema declarations at `packages/typescript/src/schemas/entity-identity.ts` declare three tables (`entity_identities`, `entity_merge_candidates`, `fact_candidates`) which are:\\n\\n- Exported through the schemas barrel (`packages/typescript/src/schemas/index.ts`)\\n- Actively queried by `packages/typescript/src/services/relationships.ts` and the `RELATIONSHIP_EXTRACTION` evaluator\\n- Referenced by the `RECENT_MESSAGES` provider and `longTermMemoryProvider`\\n\\nBut the corresponding **drizzle `pgTable` definitions in `plugins/plugin-sql/typescript/schema/` were never added**. The runtime-migrator (`plugins/plugin-sql/typescript/runtime-migrator/`) only emits `CREATE TABLE` from drizzle pgTables \u2014 it does not consume the abstract `SchemaTable` definitions \u2014 so on every fresh PGLite boot, these three tables silently never get created.\\n\\n## Symptoms\\n\\nOn every chat turn the runtime emits 5+ errors per message:\\n\\n```\\nError #agent:Chen [AGENT] Provider failed during state composition (provider=RECENT_MESSAGES,\\n error=Failed query: SELECT entity_id, platform, handle\\n FROM entity_identities\\n WHERE agent_id = '' AND entity_id IN ('')\\n params: )\\n\\nError [PROVIDER:MEMORY] Error in longTermMemoryProvider (err=Failed query: SELECT entity_id, platform, handle FROM entity_identities ...)\\n\\nError [EVALUATOR:MEMORY] Error during long-term memory extraction (err=Failed query: ...)\\n```\\n\\nThe agent still appears to respond, but the prompt is composed from a half-empty state (no recent messages, no entity facts, no long-term memory), so:\\n\\n- The model receives essentially an empty user message\\n- It replies \\\"I don't see a specific user message \u2014 could you provide...\\\"\\n- The structured-output parser fails to find required XML tags\\n- 3\u00d7 retries, all empty\\n- Surfaces to the user as: `I hit an internal parsing error while preparing the reply. Reason: No structured output could be parsed from the model response.`\\n\\nThis makes chat **completely unusable** on a fresh PGLite database.\\n\\n## Reproduction\\n\\n1. Fresh clone of any consumer (e.g. milady on `develop` or `alice` post-PR#105)\\n2. `bun install && bun run dev`\\n3. Complete onboarding, send any chat message\\n4. Boot log: `[PLUGIN:SQL] Executing SQL statements (pluginName=@elizaos/plugin-sql, statementCount=83)`\\n5. Subsequent chat turns: continuous `Failed query: SELECT entity_id, platform, handle FROM entity_identities ...` errors\\n\\n## Diagnostic trail\\n\\n- Schema declared: `packages/typescript/src/schemas/entity-identity.ts:13` (`entityIdentitySchema`), `:134` (`entityMergeCandidateSchema`), `:243` (`factCandidateSchema`)\\n- Schema exported: `packages/typescript/src/schemas/index.ts:28-31, :61-65`\\n- Service consuming: `packages/typescript/src/services/relationships.ts:347` (and many more), with `entity_identities` referenced 30+ times in that file alone\\n- Drizzle schema directory listing (`plugins/plugin-sql/typescript/schema/`): contains 25 schema files for agent, cache, channel, channelParticipant, component, embedding, entity, log, longTermMemories, memory, memoryAccessLogs, message, messageServer, messageServerAgent, pairingAllowlist, pairingRequest, participant, relationship, room, server, sessionSummaries, tasks, world. **Three tables missing: `entityIdentity`, `entityMergeCandidate`, `factCandidate`.**\\n\\n## Fix\\n\\nAdd `plugins/plugin-sql/typescript/schema/entityIdentity.ts` mirroring all three abstract schemas as drizzle `pgTable` definitions, including:\\n\\n- All columns with their types/defaults/notNull constraints (matches `entity-identity.ts` column-for-column)\\n- All indexes (`idx_entity_identities_entity`, `idx_entity_identities_platform_handle`, `idx_entity_merge_candidates_status`, `idx_entity_merge_candidates_pair`, `idx_fact_candidates_status`, `idx_fact_candidates_entity`)\\n- All foreign keys to `entities` and `agents` with `onDelete: \\\"cascade\\\"` (6 FKs total)\\n- Unique constraint `unique_entity_identity` on `(entity_id, platform, handle, agent_id)` for `entity_identities`\\n\\nThen export from `schema/index.ts`.\\n\\nI verified the fix locally: statement count goes from **83 \u2192 99** on next migration (3 tables + 6 indexes + 6 FKs + 1 unique = 16 new statements). Zero `entity_identities` query failures during chat after the fix. State composition succeeds, `RELATIONSHIP_EXTRACTION` evaluator completes without errors.\\n\\nI have a working diff \u2014 happy to PR.\\n\\n## Why this slipped through\\n\\nThe abstract `SchemaTable` shape and drizzle `pgTable` definitions are two parallel schema sources of truth that drifted apart. The migration generator only reads drizzle, so adding a new abstract schema produces no warning at build time, no runtime check at boot, and no error until application code actually queries the missing table \u2014 which can be far later in the user journey (after onboarding, on first chat).\\n\\nWorth considering: a sanity check at plugin-sql init that verifies every name in the abstract schemas barrel has a corresponding drizzle pgTable in the runtime-migrator's schema set, and warns/errors loudly otherwise. Would have caught this immediately.\\n\\n## Environment\\n\\n- `bun 1.3.13`\\n- `node \u2265 22`\\n- PGLite (via `@elizaos/plugin-sql` runtime-migrator)\\n- Discovered booting milady on alice (eliza submodule pinned at `05c636c004bf8c59e1b698ae755bdddfc7431ed5`)\",\n \"createdAt\": \"2026-05-01T17:09:58Z\",\n \"closedAt\": \"2026-05-01T20:04:44Z\",\n \"state\": \"CLOSED\",\n \"commentCount\": 1\n },\n {\n \"id\": \"I_kwDOMT5cIs8AAAABA8f7-w\",\n \"title\": \"Add SwarmScore \u2014 Portable Trust Rating for AI Agents\",\n \"author\": \"bkauto3\",\n \"number\": 7213,\n \"repository\": \"elizaos/eliza\",\n \"body\": \"## SwarmScore \u2014 Portable Reputation for AI Agents\\n\\nHi! I'm reaching out because this repo looks like an autonomous agent or agent framework that could benefit from SwarmScore.\\n\\n**What is SwarmScore?**\\nSwarmScore is a portable trust rating built from verified execution history \u2014 volume, success rate, and consistency. It's cryptographically signed so it can travel with your agent across marketplaces and registries without restarting from zero.\\n\\nThe score is *not* self-reported. It's built downstream of real verified outcomes: `80 jobs at 95% beats 1 job at 100%`.\\n\\n---\\n\\n**For AI agents \u2014 ingest SwarmScore in one call:**\\n\\n```\\nGET https://api.swarmsync.ai/v1/swarmscore/load-by-slug/{your-slug}\\n```\\n\\nReturns: public passport, signed certificate, verify payload, and discovery URLs.\\n\\nTo confirm freshness of any score:\\n```\\nGET https://api.swarmsync.ai/v1/swarmscore/verify\\n```\\n\\n**Discovery manifest** (machine-readable, for agent-to-agent lookup):\\n```\\nhttps://api.swarmsync.ai/.well-known/agent-card.json\\n```\\n\\n---\\n\\n**For platform builders \u2014 add trust to your agent listings:**\\n\\n```\\nPOST https://api.swarmsync.ai/v1/swarmscore/keys/enable\\n```\\n(Requires authenticated SwarmSync platform account \u2014 provisions the integration key pack.)\\n\\n**4-step quickstart:**\\n1. Display the returned SwarmScore tier and value in your agent listing UI\\n2. Persist the signed certificate for offline or delayed re-verification\\n3. Replay the verify payload against `/v1/swarmscore/verify` to confirm freshness\\n4. Use the machine-readable agent card to advertise SwarmScore support to other agents and registries\\n\\n---\\n\\n**Add the badge to your README:**\\n\\n```markdown\\n[![SwarmScore](https://img.shields.io/badge/SwarmScore-Get%20Verified-blue)](https://swarmsync.ai/enable-swarmscore)\\n```\\n\\n---\\n\\n**SDKs:**\\n- `npm install @swarmsync/mcp-server` \u2014 MCP server\\n- `npm install @swarmsync/langchain-tools` \u2014 LangChain\\n- `npm install @swarmsync/crewai-tools` \u2014 CrewAI\\n- Composio (91 tools): https://docs.composio.dev/tools/swarmsyncai\\n- MCP Registry: https://mcpservers.org/servers/api-swarmsync-ai-mcp\\n\\n**Spec & docs:** https://swarmsync.ai/docs/protocol-specs/swarmscore\\n**GitHub spec:** https://github.com/swarmsync-ai/swarmscore-spec\\n\\n---\\n*SwarmSync.AI \u2014 infrastructure for AI agent commerce. AP2 escrow + SwarmScore trust + SkillProof verification.*\\n*https://swarmsync.ai*\\n\",\n \"createdAt\": \"2026-04-30T13:17:49Z\",\n \"closedAt\": \"2026-05-01T03:53:45Z\",\n \"state\": \"CLOSED\",\n \"commentCount\": 0\n },\n {\n \"id\": \"I_kwDOMT5cIs8AAAABA40oEA\",\n \"title\": \"Hive Civilization \u2014 character-callable x402 services for Eliza (notification)\",\n \"author\": \"srotzin\",\n \"number\": 7211,\n \"repository\": \"elizaos/eliza\",\n \"body\": \"Notification post \u2014 Hive Civilization runs 52 x402-wired services on Base mainnet (treasury 0x15184bf50b3d3f52b60434f8942b7d52f2eb436e, USDC settlement, x402 spec from coinbase/x402).\\n\\nWhy it's relevant to elizaOS:\\n\\n- Eliza characters can call Hive evaluator, classifier, summarizer, kycOracle, riskScorer, and 47 other services as paid actions with on-chain USDC settlement.\\n- Each character can have its own Base wallet and operate autonomously with per-call payment.\\n- Discovery is free.\\n\\nTwo open PRs adopting the same pattern on neighboring SDKs:\\n- coinbase/agentkit#1157 \u2014 HiveActionProvider\\n- goat-sdk/goat#575 \u2014 @goat-sdk/plugin-hive\\n\\nHappy to PR an `eliza-plugin-hive` package following Eliza plugin conventions, or any shape the team prefers. Partner posture.\\n\\n41 public MCP shims at github.com/srotzin (all v1.0.0). 51 entries on Anthropic MCP Registry. MEV leaderboard: https://hive-a2amev.onrender.com/leaderboard. Spectral receipt: rcpt_76fceca973da4ec0.\\n\\nSteve Rotzin, Hive\\ngithub.com/srotzin\",\n \"createdAt\": \"2026-04-30T00:39:14Z\",\n \"closedAt\": \"2026-05-01T03:53:53Z\",\n \"state\": \"CLOSED\",\n \"commentCount\": 0\n }\n ],\n \"topPRs\": [\n {\n \"id\": \"PR_kwDOMT5cIs7WsOJC\",\n \"title\": \"feat(vault): @elizaos/vault \u2014 cross-platform secrets vault + Settings UI integration\",\n \"author\": \"Dexploarer\",\n \"number\": 7197,\n \"body\": \"# Relates to\\n\\nThis is the upstream-targeting twin of milady-ai/eliza#6. The vault feature originated in the Milady fork; this PR lands the upstream-relevant slice on `elizaOS/eliza:develop`.\\n\\n# Risks\\n\\n**Low.** The vault is an additive workspace package; the runtime + Settings UI integration is a write-through mirror over the existing `config.env.X` storage path, so disabling it is a one-line change in `plugins-compat-routes.ts` (`mirrorPluginSensitiveToVault` \u2192 no-op). Cross-platform secret-service behaviour is exercised by a new dedicated CI workflow (macOS Keychain / Windows Credential Manager / Linux libsecret) so the headline portability claim is verifiable on every PR. The legacy `config.env.X` write path is unchanged \u2014 even if every vault call failed, plugin saves would still persist.\\n\\n# Background\\n\\n## What does this PR do?\\n\\nAdds **`@elizaos/vault`** \u2014 a cross-platform secrets/config vault \u2014 and wires it into the agent runtime + Settings UI so the existing \\\"save my OpenAI key\\\" flow stops storing plaintext in `config.env` and starts encrypting at rest with a key from the OS keychain.\\n\\n### `@elizaos/vault` (new package, `packages/vault/`)\\n\\n- **Encryption-at-rest** with AES-256-GCM, secret-id-as-AAD (so a leaked ciphertext can't be replayed against a different key).\\n- **Master key in the OS keychain by default** \u2014 macOS Keychain, Windows Credential Manager, Linux Secret Service via `@napi-rs/keyring`.\\n- **Headless fallback**: `passphraseMasterKey()` / `passphraseMasterKeyFromEnv(\\\"MILADY_VAULT_PASSPHRASE\\\")` derives the master key with `scrypt` for Linux servers and CI without a Secret Service agent.\\n- `defaultMasterKey()` chains keychain \u2192 passphrase \u2192 throws `MasterKeyUnavailableError` whose message names every remediation path.\\n- **One API for sensitive and non-sensitive config** \u2014 `vault.set(key, value, { sensitive: true })` vs `vault.set(key, value)`.\\n- **Password-manager references are first-class** \u2014 values can live in 1Password / Proton Pass / Bitwarden, the vault stores only the resolver reference.\\n- **`SecretsManager`** layer routes per-key writes/reads to the user-selected backend (`in-house`, `1password`, `bitwarden`, `protonpass`), with detection + preferences API at `/api/secrets/manager/{backends,preferences}`.\\n- **Audit log** at `audit/vault.jsonl` per write.\\n- **Testing harness** (`@elizaos/vault/testing#createTestVault`) that produces a vault wired to an in-memory master key for downstream tests.\\n\\n### Runtime + Settings UI integration\\n\\n- **Write-through mirror in `/api/plugins/:id` PUT**: when a sensitive plugin field is saved, the value is mirrored into the vault (encrypted at rest) on top of the existing `config.env.X` write. Mirror failures are surfaced to the UI under `vaultMirrorFailures` rather than silently swallowed.\\n- **Vault-first reveal**: `POST /api/plugins/:id/reveal` consults `sharedVault().get(key)` before falling back to `process.env` / `config.env`, so a freshly-saved key is the value the user sees.\\n- **Per-process cached `sharedVault()`** so concurrent saves share `VaultImpl.mutate()`'s mutex; a per-request `createVault()` would race and silently lose entries.\\n- **Broader credential heuristic** \u2014 `pickPrimaryCredentialParam()` walks a priority-ordered regex list (`API_KEY` \u2192 `API_TOKEN` \u2192 `BOT_TOKEN` \u2192 `ACCESS_TOKEN` \u2192 `SECRET_KEY` \u2192 `PRIVATE_KEY` \u2192 `CLIENT_SECRET`) instead of only matching `*_API_KEY$`, with an explicit fallback to the first sensitive parameter. Closes the bug where typing a model field before the API-key field caused `Object.values(config).find()` to pick up the model slug; also fixes connectors whose primary credential is a bot token / private key / client secret.\\n- **Settings UI** \u2014 `SecretsManagerSection` + `ApiKeyConfig` with inline prefix validation and validation warnings, keyboard shortcut `\u2318\u2325\u2303V` (Mac) / `Ctrl+Alt+Shift+V` (Win/Linux), global modal mount, application menu accelerator.\\n- **Cloud disconnect orphan-route patch**: `/api/cloud/disconnect` now nulls every routed service (`llmText`, `tts`, `media`, `embeddings`, `rpc`) instead of just `llmText`, so disconnect doesn't leave silently-401'ing voice/image/embedding features routed at the dead `cloud-proxy \u2192 elizacloud`. Plus `linkedAccounts.elizacloud.status=\\\"unlinked\\\"` to prevent the in-memory state from overwriting the canonical unlinked state on next `saveElizaConfig`.\\n\\n### Runtime-ops \u00d7 vault\\n\\n- `ProviderSwitchIntent.apiKeyRef` replaces plaintext `apiKey` end-to-end. The provider-switch route writes the vault entry, persists only the reference, and resolves through the vault when the runtime reload-hot needs the key.\\n- Legacy ops with plaintext `apiKey` are auto-migrated to `apiKeyRef` on hydrate.\\n- Repository pruning suite (retention, cap, idempotency, hydrate; 6 tests).\\n- A `simplify` pass that dedupes utility code, removes ghost phases, and consolidates state.\\n\\n## What kind of change is this?\\n\\n**Features** \u2014 non-breaking. `@elizaos/vault` is new. The runtime/Settings wiring is additive on top of the existing config-write path, controlled by feature presence rather than a flag. The provider-switch `apiKeyRef` replaces `apiKey` but a hydrate-time migration upgrades legacy ops in place.\\n\\n# Documentation changes needed?\\n\\nMy changes do not require a change to the project documentation. New package documentation lives inline in `packages/vault/README.md` and the public API surface is documented via TSDoc. The Settings UI changes are user-facing but match the existing settings pattern.\\n\\n# Testing\\n\\n## Where should a reviewer start?\\n\\n1. **`packages/vault/`** \u2014 start with `src/vault.ts` (the public API), then `src/master-key.ts` (the keychain/passphrase chain), then `src/manager.ts` (the multi-backend router). Tests in `test/{vault,master-key,manager,store,envelope,references,keyring}.test.ts` exercise every public path; `test/master-key.test.ts` covers the headless-fallback chain explicitly.\\n2. **`packages/app-core/src/services/vault-mirror.ts`** + `packages/app-core/src/services/vault-mirror.test.ts` \u2014 the write-through mirror is small, isolated, and has a focused test that includes failure-collection and a source-text guard for the vault-first reveal ordering.\\n3. **`packages/app-core/src/api/plugins-compat-routes.ts`** \u2014 the `PUT /api/plugins/:id` handler and `/reveal` route, where the vault wiring sits next to the existing legacy code path.\\n4. **`packages/agent/src/runtime/operations/`** \u2014 `vault-bridge.ts`, `vault-integration.test.ts`, and `health.test.ts` show the `apiKeyRef` migration. The 22-case integration suite is the strongest evidence that the runtime path keeps working.\\n\\n## Detailed testing steps\\n\\nAutomated tests are acceptable.\\n\\n- **Vault unit suite (cross-platform)**: `bun run --cwd packages/vault test` \u2014 64 tests covering vault, master-key (incl. passphrase fallback), manager, store, envelope, references, keyring round-trips. The new `vault-ci` workflow runs this matrix on `ubuntu-latest`, `macos-latest`, `windows-latest` so the OS-keychain claim is checked on every PR.\\n- **App-core wiring suite**: `bun run --cwd packages/app-core test` \u2014 37 wiring tests (vault-mirror unit + source-text guards, secrets-manager-routes integration via real `http.Server`, usePluginsSkillsState heuristic priority list, useSecretsManagerShortcut Mac/Win/Linux chord matching, server.cloud-disconnect orphan-route guard).\\n- **Runtime-ops vault integration**: 22 cases in `packages/agent/src/runtime/operations/vault-integration.test.ts` proving the `apiKeyRef` path works end-to-end.\\n- **End-to-end save-flow**: `provider-switch-routes.e2e.test.ts` stands up a real `http.Server` and exercises Settings PUT \u2192 mirror \u2192 reveal \u2192 provider switch against an in-memory vault.\\n- **Cross-platform CI**: the new `vault-ci` workflow (`.github/workflows/vault-ci.yaml`) runs the vault suite on macOS / Linux / Windows runners; an `app-core-wiring` job runs the wiring tests on `ubuntu-latest` with proto generation as a prerequisite.\\n\\n### Manual smoke (UI)\\n\\n1. Open the desktop app \u2192 **Settings \u2192 Plugins \u2192 OpenAI** (or any AI provider).\\n2. Enter an API key, save.\\n3. The plugin row should turn green and reload the agent. Open `~/.milady/vault.json` \u2014 the value is encrypted; the OS keychain holds the master key under `service: \\\"milady\\\"`, `account: \\\"vault.masterKey\\\"`.\\n4. Open the **Secrets Vault** modal via `\u2318\u2325\u2303V` (or **Edit \u2192 Secrets Vault** menu). Switch the routing for `OPENAI_API_KEY` to a different backend, save. Subsequent reveals fetch from the new backend.\\n\\n## Deploy notes\\n\\n- **`@elizaos/vault` is a new workspace package** \u2014 `bun install` at the repo root picks it up; nothing extra to do.\\n- **No database changes.**\\n- **No breaking changes** to existing config files. Legacy `config.env.X` writes still happen alongside the vault mirror; vault values shadow `process.env` only in the reveal path. The `apiKeyRef` migration on the runtime-ops side is in-place on hydrate (no operator action required).\\n\\n---\\n\\n\ud83e\udd16 Generated with [Claude Code](https://claude.com/claude-code)\\n\",\n \"repository\": \"elizaos/eliza\",\n \"createdAt\": \"2026-04-29T11:25:51Z\",\n \"mergedAt\": \"2026-05-01T03:12:42Z\",\n \"additions\": 22472,\n \"deletions\": 677\n },\n {\n \"id\": \"PR_kwDOMT5cIs7XE9HC\",\n \"title\": \"feat(self-hosted): CORS + bearer auth + cross-platform build fixes\",\n \"author\": \"NubsCarson\",\n \"number\": 7212,\n \"body\": \"# Relates to\\n\\nSelf-hosting cross-platform connectivity. The runtime now serves browser dashboards over HTTPS at a custom domain, App Store-style mobile builds (Capacitor), and Electrobun desktop builds \u2014 all routed through a remote agent via the existing `RuntimeGate` \\\"Remote\\\" picker.\\n\\n# Risks\\n\\n**Medium.** Touches CORS allowlist, `/api/auth/me` response shape, the Electrobun build pipeline, and runtime branding defaults. Verified on Linux (VPS), Windows 11 desktop (Electrobun), and Android (Capacitor on a physical Samsung phone). All test files for the new behavior land in this PR.\\n\\n# Background\\n\\n## What does this PR do?\\n\\n**Self-hosted browser + mobile auth**\\n\\n- `server-cors.ts`: new `ELIZA_ALLOWED_ORIGINS` env adds operator-allowed hosts (e.g. `https://bot.example.com`) to the CORS allowlist; built-in Capacitor / Ionic WebView origins (`capacitor://localhost`, `ionic://localhost`, `https://localhost`) so App Store / Play Store mobile builds reach any self-hosted bot without per-operator config; `originString()` helper compares protocol+host (URL.origin returns \\\"null\\\" for non-special schemes like `capacitor:`)\\n- `auth-session-routes.ts`: `/api/auth/me` accepts legacy bearer; returns synthetic `kind: \\\"machine\\\"` identity when no owner is configured (was incorrectly `kind: \\\"owner\\\"` in earlier draft)\\n- `auth-pairing-compat-routes.ts`: `/api/auth/status` adds explicit `authenticated` field so clients can short-circuit pairing without overloading `required`\\n- `csrf-client.ts`: `fetchWithCsrf` now layers cookie+CSRF + bearer-from-`getBootConfig()` in one place; old per-call bearer wiring removed\\n- `client-base.ts`: `setToken()` mirrors to `__ELIZAOS_API_TOKEN__` / `__ELIZA_API_TOKEN__` window globals so the Capacitor `@elizaos/capacitor-agent` web fallback authenticates after RuntimeGate remote-connect; parallels existing `setBaseUrl()` mirror\\n- `client-agent.ts`: `getAuthStatus()` typed `authenticated?: boolean`\\n- `startup-phase-poll/restore/runtime.ts`: a transient 401 with a token set is treated as retry, not as a token-wipe-and-show-pairing event. Removes desktop/non-desktop branch since the new behavior is correct on both\\n- `App.tsx`, `ChatView.tsx`, `state/persistence.ts`: 6 raw `/api/*` fetch sites converted to `fetchWithCsrf` so they pick up the bearer on self-hosted browsers and Capacitor builds\\n- `RuntimeGate.tsx`: `onInput` + `onBlur` handlers on Remote-connect inputs (Capacitor WebView's `onChange` is unreliable on programmatic paste); `splash-bg.jpg` \u2192 `splash-bg.png` (wrong extension was 404); removed placeholder onboarding hero images (text-only cards until artwork exists)\\n- mobile: safe-area inset padding on root container\\n\\n**Build infra**\\n\\n- `package.json` workspaces: added `packages/app-core/platforms/*` so `desktop-build.mjs`'s nested `bun install` resolves `@elizaos/shared@workspace:*` (was failing on Windows because bun's upward walk stopped at `eliza/package.json`)\\n- `desktop-build.mjs`: `embedWindowsIcons()` post-build using local rcedit (electrobun@1.16.0's bundled rcedit references a `D:\\\\` CI path that doesn't exist on dev machines); cross-platform rcedit lookup via `fs.existsSync` instead of Unix `find`\\n- `electrobun.config.ts`: removed duplicate null-coalesce on `ELIZA_APP_NAME`; copies `brand-config.json` into the build output\\n- `brand-config.json`: ships **elizaOS defaults** (`appName: \\\"elizaOS\\\"`, `appId: \\\"ai.elizaos.app\\\"`, etc.); downstream wrappers override at build time via `ELIZA_APP_NAME` / `ELIZA_APP_ID` / `ELIZA_NAMESPACE` env vars, which `brand-config.ts`'s resolver checks before the JSON fallback\\n- `variables.gradle` template: added `mavenCentralMirrorUrl` (16 native plugin `build.gradle` files referenced this; template never defined it, so `cap sync` regenerated a broken file every run)\\n\\n**Cross-package imports for packaged builds**\\n\\n- `plugin-lifecycle.ts`: import `resolveActionContexts` / `resolveProviderContexts` from `@elizaos/core` instead of cross-package relative TS paths (broke when tsdown tree-shook them out of the dist)\\n- `experience-routes.ts`: inlined `ExperienceType` / `OutcomeType` enums (same tree-shaking issue)\\n- `registry/index.ts`: graceful warn-and-continue when `entries/` directories are missing in packaged builds\\n\\n## What kind of change is this?\\n\\nBug fixes (CORS preflight blocking Capacitor, broken Windows desktop build, packaged-build crashes, `/api/auth/me` returning wrong identity kind) and Features (self-hosted browser/mobile auth flow, build-time branding via env, ELIZA_ALLOWED_ORIGINS env).\\n\\n# Documentation changes needed?\\n\\nNo upstream docs need to change. Operator-facing env var (`ELIZA_ALLOWED_ORIGINS`) is documented inline.\\n\\n# Testing\\n\\n## Where should a reviewer start?\\n\\n- Server changes: `packages/app-core/src/api/server-cors.ts` and the new test `packages/app-core/src/api/server-cors.test.ts`\\n- Auth shape: `packages/app-core/src/api/auth-session-routes.ts` (synthetic-machine bearer path)\\n- Bearer plumbing: `packages/app-core/src/api/csrf-client.ts` and the new test `csrf-client.test.ts`\\n- Setup-side: `packages/app-core/src/api/client-base.ts` (window-globals mirror) and the new test `client-base.test.ts`\\n\\n## Detailed testing steps\\n\\n**Unit (in this PR)**\\n\\n- `bun run test packages/app-core/src/api/server-cors.test.ts` \u2014 covers Capacitor scheme allowlist, `ELIZA_ALLOWED_ORIGINS` env, rejected origins, `originString` for non-special schemes\\n- `bun run test packages/app-core/src/api/csrf-client.test.ts` \u2014 covers bearer attachment from `getBootConfig`, no-overwrite of explicit Authorization, `x-milady-csrf` only on state-changing methods\\n- `bun run test packages/app-core/src/api/client-base.test.ts` \u2014 covers `setToken` mirror to window globals + clear on null\\n\\n**Manual**\\n\\n- VPS (Linux): browser at `https://bot./#token=` \u2192 lands on chat directly, token persists in localStorage, second visit no fragment still authenticates\\n- Windows 11: `bun run dev:desktop` \u2192 Electrobun window \u2192 Remote \u2192 enter `https://bot.` + token \u2192 connect \u2192 chat works; `bun run build:desktop` succeeds and installer launches\\n- Android (Capacitor on a physical Samsung phone): `npx cap open android` \u2192 Run \u2192 onboarding \u2192 Remote \u2192 enter URL + token \u2192 connect \u2192 chat works; webhook + Discord reply roundtrip verified\\n\\n# Known limitations\\n\\n- CEF window title bar icon on Windows: Electrobun upstream hasn't implemented `WM_SETICON` for CEF windows. Out of scope.\\n- electrobun@1.16.0 tar extraction references a `D:\\\\` CI path on Windows. Worked around with the `embedWindowsIcons()` post-build step in this PR; remove when Electrobun lands a fix.\\n- The Windows-only typecheck noise from duplicate `drizzle-orm` versions (`auth-store.ts`) is a pre-existing transitive-dep dedup quirk, not caused by this PR. Left alone.\\n\\n\\n\\n

Greptile Summary

\\n\\nThis PR wires self-hosted browser, Capacitor mobile, and Electrobun desktop builds into the existing RuntimeGate \\\"Remote\\\" flow: CORS is extended to Capacitor WebView origins and operator-configured `ELIZA_ALLOWED_ORIGINS`, `fetchWithCsrf` auto-attaches Bearer tokens, `/api/auth/me` gains a bearer-only identity path, and the desktop-only 401-retry branch is unified across platforms. Build infrastructure fixes cover Windows icon embedding, duplicate null-coalesces in `electrobun.config.ts`, and a missing `mavenCentralMirrorUrl` in `variables.gradle`.\\n\\n

Confidence Score: 4/5

\\n\\nSafe to merge with awareness of two P2 edge cases in the 401/token-stale path.\\n\\nNo P0 or P1 findings beyond what was already raised in prior review threads. Three P2s: stale remote token persisting onto local connections via the removed setToken(null), a misleading no-op 'retry' comment in the outer-catch 401 block, and https://localhost being unconditionally CORS-allowed rather than Capacitor-scoped. All three are edge-case or documentation-level concerns.\\n\\npackages/app-core/src/state/startup-phase-restore.ts and packages/app-core/src/state/startup-phase-poll.ts (outer-catch 401 block) warrant a second look for the stale-token + silent-retry interaction.\\n\\n

Important Files Changed

\\n\\n\\n\\n\\n| Filename | Overview |\\n|----------|----------|\\n| packages/app-core/src/api/server-cors.ts | Adds CAPACITOR_WEBVIEW_ORIGINS hardlist and ELIZA_ALLOWED_ORIGINS env parsing; https://localhost allowed unconditionally which is slightly broader than Capacitor-only. |\\n| packages/app-core/src/state/startup-phase-poll.ts | Collapses desktop/non-desktop 401 handling into a unified retry; outer-catch 401 block is an empty no-op with a misleading comment; adds !auth.authenticated to pairing gate. |\\n| packages/app-core/src/state/startup-phase-restore.ts | Removes setToken(null) for local connection restores; stale remote token can persist and be forwarded to the local agent by fetchWithCsrf's new auto-bearer logic. |\\n| packages/app-core/src/api/csrf-client.ts | Adds automatic Bearer injection from getBootConfig(); preserves explicit Authorization header; CSRF header still only on state-changing methods. Clean. |\\n| packages/app-core/src/api/auth-session-routes.ts | Adds bearer-only path to /api/auth/me: returns real owner identity or synthetic machine identity when no owner is configured. Correct kind field. |\\n| packages/app-core/src/api/auth-pairing-compat-routes.ts | Adds explicit authenticated field to /api/auth/status response so clients can short-circuit pairing check. Uses existing tokenMatches for secure comparison. |\\n| packages/app-core/src/api/client-base.ts | setToken() now mirrors to window globals via setElizaApiToken/clearElizaApiToken for Capacitor web fallback. Parallels existing setBaseUrl() pattern. |\\n| packages/app-core/src/api/server.ts | Swaps isAllowedLocalOrigin calls for isAllowedOrigin; passes corsAllowedPorts but not remoteOrigins (defaults to getCachedRemoteOrigins). Correct. |\\n| packages/agent/src/api/experience-routes.ts | Inlines ExperienceType/OutcomeType enums to work around tree-shaking; risk of silent drift from upstream source-of-truth (flagged in previous thread). |\\n| packages/app-core/scripts/desktop-build.mjs | Adds embedWindowsIcons() post-build step using locally resolved rcedit-x64.exe to work around Electrobun CI-path rcedit reference. Cross-platform safe. |\\n| packages/app-core/src/state/startup-phase-runtime.ts | Removes isElectrobunRuntime() branch; 401+hasToken now retries silently, matching the unified poll approach. Clean. |\\n| packages/app-core/src/components/shell/RuntimeGate.tsx | Adds onInput/onBlur handlers for Capacitor paste reliability, fixes splash-bg extension to .png, conditionally renders choice card images. |\\n| packages/app-core/src/registry/index.ts | Wraps readdirSync in try/catch to gracefully handle missing entries/ directories in packaged builds instead of crashing. |\\n\\n\\n\\n\\n\\n

Flowchart

\\n\\n```mermaid\\n%%{init: {'theme': 'neutral'}}%%\\nflowchart TD\\n A[Capacitor or Browser request] --> B{Origin in CORS allowlist?}\\n B -->|Capacitor WebView origins| C[Allow preflight]\\n B -->|ELIZA_ALLOWED_ORIGINS match| C\\n B -->|localhost on configured port| C\\n B -->|anything else| D[Reject]\\n\\n C --> E[fetchWithCsrf]\\n E --> F{API token in boot config?}\\n F -->|yes| G[Attach Authorization header]\\n F -->|no| H[Cookie-only mode]\\n G --> I[auth status endpoint]\\n H --> I\\n\\n I --> J{auth required?}\\n J -->|no| K[Proceed to app]\\n J -->|yes| L{authenticated and token stored?}\\n L -->|yes| K\\n L -->|no token stored| M[Show pairing UI]\\n L -->|token stored but invalid| N[Retry loop until deadline]\\n```\\n\\n\\n

Comments Outside Diff (1)

\\n\\n1. `packages/app-core/src/state/startup-phase-poll.ts`, line 187-201 ([link](https://github.com/elizaos/eliza/blob/539909338fd701a85f99441c03b750eccde6925e/packages/app-core/src/state/startup-phase-poll.ts#L187-L201)) \\n\\n \\\"P1\\\" **Invalid token silently times out instead of showing pairing UI**\\n\\n The `!client.hasToken()` guard means that when a stored token is *invalid* (`auth.authenticated === false`, `auth.required === true`, but `client.hasToken() === true`), this branch is never entered. Execution falls through to the backend connection loop, which receives 401s and retries until `deadline` is hit, after which the user sees a generic \\\"backend timeout\\\" error \u2014 never the pairing/re-auth UI.\\n\\n The old non-desktop path handled this explicitly: on a 401 with a token it cleared the token and dispatched `BACKEND_AUTH_REQUIRED`. That recovery path was removed here without a replacement for the invalid-token case. A minimal fix would drop the `!client.hasToken()` guard when the server has already confirmed the token is invalid:\\n\\n ```ts\\n // If the server says the token is bad, don't require \\\"no token\\\" to show pairing\\n if (auth.required && !auth.authenticated) {\\n if (auth.loginRequired) {\\n // ...existing loginRequired branch...\\n }\\n deps.setAuthRequired(true);\\n deps.setPairingEnabled(auth.pairingEnabled);\\n deps.setPairingExpiresAt(auth.expiresAt);\\n deps.setOnboardingLoading(false);\\n dispatch({ type: \\\"BACKEND_AUTH_REQUIRED\\\" });\\n return;\\n }\\n ```\\n
\\n\\n\\n\\nReviews (2): Last reviewed commit: [\\\"perf(server-cors): cache getAllowedRemot...\\\"](https://github.com/elizaos/eliza/commit/9ce7a62d77f9065d85560a4b61063c5278e37243) | [Re-trigger Greptile](https://app.greptile.com/api/retrigger?id=30313367)\\n\\n\",\n \"repository\": \"elizaos/eliza\",\n \"createdAt\": \"2026-04-30T11:20:43Z\",\n \"mergedAt\": \"2026-05-01T03:12:42Z\",\n \"additions\": 653,\n \"deletions\": 161\n },\n {\n \"id\": \"PR_kwDOMT5cIs7Xg9e0\",\n \"title\": \"test(app-core): remove api module mocks\",\n \"author\": \"lalalune\",\n \"number\": 7226,\n \"body\": \"\\r\\n\\r\\n# Relates to\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n# Risks\\r\\n\\r\\n\\r\\n\\r\\n# Background\\r\\n\\r\\n## What does this PR do?\\r\\n\\r\\n## What kind of change is this?\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n# Documentation changes needed?\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n# Testing\\r\\n\\r\\n## Where should a reviewer start?\\r\\n\\r\\n## Detailed testing steps\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\n\\n\\n\\n

Greptile Summary

\\n\\nThis PR removes `vi.mock` overrides for `boot-config` and `eliza-globals` in the `app-core` API tests, replacing them with the real module implementations backed by proper `beforeEach`/`afterEach` teardown (`setBootConfig(DEFAULT_BOOT_CONFIG)` and `clearElizaApiToken()`). Mock-call assertions (`toHaveBeenCalledWith`) are replaced with state-based assertions (`getElizaApiToken()`), and a `// @vitest-environment jsdom` directive is added to `client-base.test.ts` so window-global helpers are exercised correctly.\\n\\n

Confidence Score: 5/5

\\n\\nSafe to merge \u2014 test-only changes with no production code impact.\\n\\nBoth files are test files only. The real implementations are consistent with what the mocks approximated, teardown is handled in both beforeEach and afterEach, and the new jsdom directive is correctly placed at the top of the file. No logic issues found.\\n\\nNo files require special attention.\\n\\n

Important Files Changed

\\n\\n| Filename | Overview |\\n|----------|----------|\\n| packages/app-core/src/api/client-base.test.ts | Removes module mocks for boot-config and eliza-globals in favour of real implementations; adds `// @vitest-environment jsdom` directive (required for window-based globals) and switches to state-based assertions. |\\n| packages/app-core/src/api/csrf-client.test.ts | Removes boot-config mock and the test-only `_setTestConfig` escape hatch; replaces with real `setBootConfig(DEFAULT_BOOT_CONFIG)` resets in beforeEach/afterEach, and updates bearer-token setup to spread DEFAULT_BOOT_CONFIG. |\\n\\n\\n\\n

Flowchart

\\n\\n```mermaid\\n%%{init: {'theme': 'neutral'}}%%\\nflowchart TD\\n A[beforeEach] --> B[clearElizaApiToken\\\\nclear window globals]\\n A --> C[setBootConfig DEFAULT_BOOT_CONFIG\\\\nreset global store]\\n A --> D[new ElizaClient]\\n D --> E[Test body\\\\nstate-based assertions]\\n E --> F[afterEach]\\n F --> G[clearElizaApiToken]\\n F --> H[setBootConfig DEFAULT_BOOT_CONFIG]\\n\\n subgraph \\\"Removed vi.mock\\\"\\n M1[mock boot-config\\\\n_setTestConfig escape hatch]\\n M2[mock eliza-globals\\\\ntoHaveBeenCalled assertions]\\n end\\n\\n subgraph \\\"Real implementations used\\\"\\n R1[getBootConfig / setBootConfig\\\\nSymbol-keyed global store]\\n R2[getElizaApiToken / clearElizaApiToken\\\\nwindow.__ELIZAOS_API_TOKEN__]\\n end\\n```\\n\\nReviews (1): Last reviewed commit: [\\\"test(app-core): remove api module mocks\\\"](https://github.com/elizaos/eliza/commit/3c9787114936322a8b6fffd2d0631e4fbede8690) | [Re-trigger Greptile](https://app.greptile.com/api/retrigger?id=30504300)\\n\\n\",\n \"repository\": \"elizaos/eliza\",\n \"createdAt\": \"2026-05-01T19:42:11Z\",\n \"mergedAt\": \"2026-05-01T19:42:44Z\",\n \"additions\": 28,\n \"deletions\": 69\n },\n {\n \"id\": \"PR_kwDOMT5cIs7XhdbY\",\n \"title\": \"chore(deps): update dependency @biomejs/biome to v2.4.14\",\n \"author\": \"renovate\",\n \"number\": 7228,\n \"body\": \"This PR contains the following updates:\\n\\n| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |\\n|---|---|---|---|\\n| [@biomejs/biome](https://biomejs.dev) ([source](https://redirect.github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome)) | [`2.4.13` \u2192 `2.4.14`](https://renovatebot.com/diffs/npm/@biomejs%2fbiome/2.4.13/2.4.14) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@biomejs%2fbiome/2.4.14?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@biomejs%2fbiome/2.4.13/2.4.14?slim=true) |\\n\\n---\\n\\n> [!WARNING]\\n> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/79) for more information.\\n\\n---\\n\\n### Release Notes\\n\\n
\\nbiomejs/biome (@​biomejs/biome)\\n\\n### [`v2.4.14`](https://redirect.github.com/biomejs/biome/blob/HEAD/packages/@​biomejs/biome/CHANGELOG.md#2414)\\n\\n[Compare Source](https://redirect.github.com/biomejs/biome/compare/@biomejs/biome@2.4.13...@biomejs/biome@2.4.14)\\n\\n##### Patch Changes\\n\\n- [#​9393](https://redirect.github.com/biomejs/biome/pull/9393) [`491b171`](https://redirect.github.com/biomejs/biome/commit/491b171e245aa1ad1063662d4408692b4fc11eae) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Added the nursery rule [`useTestHooksOnTop`](https://biomejs.dev/linter/rules/use-test-hooks-on-top) in the `test` domain. The rule flags lifecycle hooks (`beforeEach`, `beforeAll`, `afterEach`, `afterAll`) that appear after test cases in the same block, enforcing that hooks are defined before any test case.\\n\\n- [#​10157](https://redirect.github.com/biomejs/biome/pull/10157) [`eefc5ab`](https://redirect.github.com/biomejs/biome/commit/eefc5ab81709e78068774b0f5bc56af448a733d1) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Fixed [#​7882](https://redirect.github.com/biomejs/biome/issues/7882): The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as `

`. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.\\n\\n- [#​10054](https://redirect.github.com/biomejs/biome/pull/10054) [`0e9f569`](https://redirect.github.com/biomejs/biome/commit/0e9f5696b1f2dec6e0d1f81b39192bdb07ab0c1a) Thanks [@​minseong0324](https://redirect.github.com/minseong0324)! - [`noMisleadingReturnType`](https://biomejs.dev/linter/rules/no-misleading-return-type/) no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to `: object`.\\n\\n A function annotated `: object` returning an object literal:\\n\\n ```ts\\n function f(): object {\\n return { retry: true };\\n }\\n ```\\n\\n- [#​10116](https://redirect.github.com/biomejs/biome/pull/10116) [`53269eb`](https://redirect.github.com/biomejs/biome/commit/53269ebe0a2f718213483444696b88c7e8d0e7c4) Thanks [@​jiwon79](https://redirect.github.com/jiwon79)! - Fixed [#​6201](https://redirect.github.com/biomejs/biome/issues/6201): [`noUselessEscapeInRegex`](https://biomejs.dev/linter/rules/no-useless-escape-in-regex/) no longer flags an escaped backslash followed by `-` as a useless escape. Patterns like `/[\\\\\\\\-]/` are now considered valid because the second `\\\\` is the escaped backslash, not an unnecessary escape of the trailing dash.\\n\\n- [#​10092](https://redirect.github.com/biomejs/biome/pull/10092) [`33d8543`](https://redirect.github.com/biomejs/biome/commit/33d8543da451e272000b84a8e29114d72923cdc1) Thanks [@​Conaclos](https://redirect.github.com/Conaclos)! - Fixed [#​9097](https://redirect.github.com/biomejs/biome/issues/9097): [`organizeImports`](https://biomejs.dev/assist/actions/organize-imports/) no longer adds a blank line between a never-matched group and a matched group.\\n\\n Given the following `organizeImports` options:\\n\\n ```json\\n {\\n \\\"groups\\\": [\\\":NODE:\\\", \\\":BLANK_LINE:\\\", \\\":PACKAGE:\\\", \\\":BLANK_LINE:\\\", \\\":PATH:\\\"]\\n }\\n ```\\n\\n The following code...\\n\\n ```js\\n // Comment\\n import \\\"package\\\";\\n import \\\"./file.js\\\";\\n ```\\n\\n ...was organized as:\\n\\n ```diff\\n +\\n // Comment\\n import \\\"package\\\";\\n +\\n import \\\"./file.js\\\";\\n ```\\n\\n A blank line was added even though the group ':NODE:' doesn't match any imports here.\\n `:BLANK_LINE:` between never-matched groups and matched groups are now ignored.\\n The code is now organized as:\\n\\n ```diff\\n // Comment\\n import \\\"package\\\";\\n +\\n import \\\"./file.js\\\";\\n ```\\n\\n- [#​10138](https://redirect.github.com/biomejs/biome/pull/10138) [`a10b6c1`](https://redirect.github.com/biomejs/biome/commit/a10b6c119d1f3862da918ce7617ee365bb534c6e) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Fixed Vue `v-for` handling for [`noUndeclaredVariables`](https://biomejs.dev/linter/rules/no-undeclared-variables/) and [`noUnusedVariables`](https://biomejs.dev/linter/rules/no-unused-variables/). Biome now recognizes variables declared by `v-for` directives and references to iterated values in Vue templates.\\n\\n- [#​10115](https://redirect.github.com/biomejs/biome/pull/10115) [`d428d76`](https://redirect.github.com/biomejs/biome/commit/d428d76ba8be7131090c199cefa36613a332e75b) Thanks [@​minseong0324](https://redirect.github.com/minseong0324)! - [`noMisleadingReturnType`](https://biomejs.dev/linter/rules/no-misleading-return-type/) no longer reports false positives when a union return type's `boolean` variant is covered by both `true` and `false` returns.\\n\\n- [#​9922](https://redirect.github.com/biomejs/biome/pull/9922) [`7acf1e0`](https://redirect.github.com/biomejs/biome/commit/7acf1e0890d1e52b1cfa940554f6ebbd1bae20b3) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Added the new nursery rule [`noReactStringRefs`](https://biomejs.dev/linter/rules/no-react-string-refs/), which disallows legacy React string refs such as `ref=\\\"hello\\\"` and `this.refs.hello`.\\n\\n Biome also reports template-literal refs such as ``ref={`hello`}``, so React code can consistently migrate to callback refs, `createRef()`, or `useRef()`.\\n\\n- [#​10010](https://redirect.github.com/biomejs/biome/pull/10010) [`f3e76ab`](https://redirect.github.com/biomejs/biome/commit/f3e76ab7befecca7cdc7a04edac1350de31029de) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Fixed a bug in the LSP file watcher registration so Biome now watches `.biome.json` and `.biome.jsonc` configuration files and reloads workspace settings when they change.\\n\\n- [#​10176](https://redirect.github.com/biomejs/biome/pull/10176) [`8a40ef8`](https://redirect.github.com/biomejs/biome/commit/8a40ef835db83277a15b4f0455b5b9b69c719ad3) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Fixed [#​10011](https://redirect.github.com/biomejs/biome/issues/10011): The [`noThisInStatic`](https://biomejs.dev/linter/rules/no-this-in-static/) rule no longer reports `this` when it is used as the constructor target in `new this(...)`, which is required for inherited static factory methods.\\n\\n- [#​10163](https://redirect.github.com/biomejs/biome/pull/10163) [`6867e96`](https://redirect.github.com/biomejs/biome/commit/6867e96dacf0b96dfbefd51f95a29136d90b7bb4) Thanks [@​jiwon79](https://redirect.github.com/jiwon79)! - Fixed [#​9884](https://redirect.github.com/biomejs/biome/issues/9884): The [`useSortedAttributes`](https://biomejs.dev/assist/actions/use-sorted-attributes/) auto-fix no longer corrupts source code when both an outer JSX element and a nested JSX-valued attribute have unsorted attributes in the same pass. Multiple unsorted groups separated by spread or shorthand attributes within the same JSX element are now reported as a single diagnostic.\\n\\n- [#​10079](https://redirect.github.com/biomejs/biome/pull/10079) [`d29dd19`](https://redirect.github.com/biomejs/biome/commit/d29dd1916bdfa4a13dba95cad57f61c65cb5739c) Thanks [@​Damix48](https://redirect.github.com/Damix48)! - Fixed false positive in `noAssignInExpressions` for Svelte `{@​const}` blocks. Assignments in `{@​const name = value}` are now correctly recognized as declarations rather than accidental assignments in expressions.\\n\\n- [#​10080](https://redirect.github.com/biomejs/biome/pull/10080) [`5d8fdac`](https://redirect.github.com/biomejs/biome/commit/5d8fdac6d26987904130c2ef0db797c295922f08) Thanks [@​Damix48](https://redirect.github.com/Damix48)! - Fixed parsing of closing parentheses in Svelte `{#each}` block key expressions. Biome now correctly parses method calls and other parenthesised expressions used as keys.\\n\\n For example, the following snippets are now parsed correctly:\\n\\n ```svelte\\n {#each numbers as number, index (number.toString())}\\n

{number}

\\n {/each}\\n\\n {#each numbers as number (key(number))}\\n

{number}

\\n {/each}\\n ```\\n\\n- [#​10140](https://redirect.github.com/biomejs/biome/pull/10140) [`e7024b9`](https://redirect.github.com/biomejs/biome/commit/e7024b92638090a9b8ccd064e0662f7994164621) Thanks [@​solithcy](https://redirect.github.com/solithcy)! - Fixed [#​10135](https://redirect.github.com/biomejs/biome/issues/10135): Biome no longer crashes on missing Svelte template expressions.\\n\\n The following code snippet longer panics:\\n\\n ```svelte\\n {#if }\\n

^ this would previously crash

\\n {/if}\\n {@​const }\\n

^ this would also crash

\\n ```\\n\\n- [#​10111](https://redirect.github.com/biomejs/biome/pull/10111) [`7818009`](https://redirect.github.com/biomejs/biome/commit/7818009e23e12758d00665be6faf8471ca0b0027) Thanks [@​jiwon79](https://redirect.github.com/jiwon79)! - Fixed [#​9997](https://redirect.github.com/biomejs/biome/issues/9997): [`noDuplicateSelectors`](https://biomejs.dev/linter/rules/no-duplicate-selectors/) no longer reports false positives for selectors inside `@scope` queries. Biome now treats `@scope` as a separate at-rule context, like `@media`, `@supports`, `@container`, and `@starting-style`.\\n\\n The following snippet is no longer flagged as a duplicate:\\n\\n ```css\\n .Example {\\n padding: 0;\\n }\\n\\n @​scope (.theme-dark) {\\n .Example {\\n color: white;\\n }\\n }\\n ```\\n\\n- [#​9926](https://redirect.github.com/biomejs/biome/pull/9926) [`d62b331`](https://redirect.github.com/biomejs/biome/commit/d62b331726c1b730ca2d1c38325ce6196beee7a4) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Added the nursery lint rule [`useMathMinMax`](https://biomejs.dev/linter/rules/use-math-min-max/), which prefers `Math.min()` and `Math.max()` over equivalent ternary comparisons.\\n\\n For example, this code:\\n\\n ```js\\n const min = a < b ? a : b;\\n ```\\n\\n is much more readable when rewritten as:\\n\\n ```js\\n const min = Math.min(a, b);\\n ```\\n\\n- [#​10115](https://redirect.github.com/biomejs/biome/pull/10115) [`d428d76`](https://redirect.github.com/biomejs/biome/commit/d428d76ba8be7131090c199cefa36613a332e75b) Thanks [@​minseong0324](https://redirect.github.com/minseong0324)! - [`useExhaustiveSwitchCases`](https://biomejs.dev/linter/rules/use-exhaustive-switch-cases/) now flags missing `true`/`false` cases for `boolean` discriminants, including when `boolean` is a union variant.\\n\\n- [#​10125](https://redirect.github.com/biomejs/biome/pull/10125) [`a55a0b6`](https://redirect.github.com/biomejs/biome/commit/a55a0b6fe03f772316b76937b1292096cdc8a661) Thanks [@​bmish](https://redirect.github.com/bmish)! - Fixed a resolver bug where packages that define a typed entry point through `package.json`'s `main` field but omit `types` were ignored during type-aware resolution. Type-aware rules such as [`noFloatingPromises`](https://biomejs.dev/linter/rules/no-floating-promises/) can now inspect imports from those packages.\\n\\n- [#​10117](https://redirect.github.com/biomejs/biome/pull/10117) [`895e809`](https://redirect.github.com/biomejs/biome/commit/895e809dc799cd6aa70032fbb56dfe0f9c0f6f39) Thanks [@​denizdogan](https://redirect.github.com/denizdogan)! - Added support for the `corner-shape` family of CSS properties and the `superellipse()`/`squircle()` value functions, so [`noUnknownProperty`](https://biomejs.dev/linter/rules/no-unknown-property/) and [`noUnknownFunction`](https://biomejs.dev/linter/rules/no-unknown-function/) no longer flag them as unknown.\\n\\n New known properties: `corner-shape`, `corner-block-end-shape`, `corner-block-start-shape`, `corner-bottom-left-shape`, `corner-bottom-right-shape`, `corner-bottom-shape`, `corner-end-end-shape`, `corner-end-start-shape`, `corner-inline-end-shape`, `corner-inline-start-shape`, `corner-left-shape`, `corner-right-shape`, `corner-start-end-shape`, `corner-start-start-shape`, `corner-top-left-shape`, `corner-top-right-shape`, `corner-top-shape`.\\n\\n New known value functions: `superellipse()`, `squircle()`.\\n\\n- [#​8620](https://redirect.github.com/biomejs/biome/pull/8620) [`8df8f73`](https://redirect.github.com/biomejs/biome/commit/8df8f73ca1c18a688f64f304f0b9089797258a1e) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Fixed [#​8062](https://redirect.github.com/biomejs/biome/issues/8062): Added support for parsing Vue `v-for` directives more accurately.\\n\\n- [#​10191](https://redirect.github.com/biomejs/biome/pull/10191) [`aa055cd`](https://redirect.github.com/biomejs/biome/commit/aa055cd74f82fac691dfa2f65dbfd255213cb884) Thanks [@​guney](https://redirect.github.com/guney)! - Now the rule [`noStaticElementInteractions`](https://biomejs.dev/linter/rules/no-static-element-interactions/) doesn't trigger custom elements.\\n\\n- [#​9757](https://redirect.github.com/biomejs/biome/pull/9757) [`2c62594`](https://redirect.github.com/biomejs/biome/commit/2c62594b84ae62fd5fa130adff917a1bcd8dfddd) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Fixed [#​9099](https://redirect.github.com/biomejs/biome/issues/9099): the HTML formatter collapsing non-text children (inline elements, Svelte expressions, comments) onto a single line when the source had them on separate lines. Biome now preserves the user's intended line breaks for exclusively non-text children.\\n\\n For example, the following Svelte snippet is now preserved instead of being collapsed to `
{name}
`:\\n\\n ```svelte\\n
\\n {name}\\n
\\n ```\\n\\n Similarly, HTML elements like `` inside a `
` are now preserved when written on their own line:\\n\\n ```html\\n
\\n text\\n
\\n ```\\n\\n- [#​10105](https://redirect.github.com/biomejs/biome/pull/10105) [`e7c1a6d`](https://redirect.github.com/biomejs/biome/commit/e7c1a6d5319908cf613f7fa80667e6981435508d) Thanks [@​jiwon79](https://redirect.github.com/jiwon79)! - Fixed [#​10039](https://redirect.github.com/biomejs/biome/issues/10039): [`useReadonlyClassProperties`](https://biomejs.dev/linter/rules/use-readonly-class-properties/) now detects unreassigned private members in class expressions and export default classes, not only in class declarations.\\n\\n The following patterns are now correctly flagged:\\n\\n ```ts\\n const AnonClass = class {\\n #prop = 123;\\n constructor() {\\n console.log(this.#prop);\\n }\\n };\\n\\n export default class {\\n #prop = 123;\\n constructor() {\\n console.log(this.#prop);\\n }\\n }\\n ```\\n\\n- [#​10141](https://redirect.github.com/biomejs/biome/pull/10141) [`46a77d0`](https://redirect.github.com/biomejs/biome/commit/46a77d0a35e8dbbcefeca264e8630af83b21f1d9) Thanks [@​minseong0324](https://redirect.github.com/minseong0324)! - Improved [`noUnnecessaryConditions`](https://biomejs.dev/linter/rules/no-unnecessary-conditions/) to detect conditions that are always truthy because they check built-in global class instances such as `Date`, `Map`, `Set`, `WeakMap`, and `Error`.\\n\\n- [#​10178](https://redirect.github.com/biomejs/biome/pull/10178) [`7b05a89`](https://redirect.github.com/biomejs/biome/commit/7b05a893df8c9c950871b83ff1b3ae28113e8b15) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Fixed [#​10177](https://redirect.github.com/biomejs/biome/issues/10177): The HTML parser no longer reports lowercase `html` or `doctype` text as invalid after void elements such as `
`.\\n\\n- [#​10155](https://redirect.github.com/biomejs/biome/pull/10155) [`0d4595d`](https://redirect.github.com/biomejs/biome/commit/0d4595dae68b034bd6de3bdfd15437a34fa53cb2) Thanks [@​jiwon79](https://redirect.github.com/jiwon79)! - Fixed [#​10045](https://redirect.github.com/biomejs/biome/issues/10045): the CSS formatter no longer compounds indentation inside nested functional pseudo-classes such as `:not(:where(...))`, `:is(:where(...))`, and similar combinations. The same fix also removes one level of unnecessary indentation that was added inside any pseudo-class function whose argument list wrapped onto multiple lines, including `:nth-child(... of ...)`, `::part(...)`, and `:active-view-transition-type(...)`.\\n The following snippet is now correctly formatted, matching Prettier.\\n\\n ```css\\n input:not(\\n :where(\\n [type=\\\"submit\\\"],\\n [type=\\\"checkbox\\\"],\\n [type=\\\"radio\\\"],\\n [type=\\\"button\\\"],\\n [type=\\\"reset\\\"]\\n )\\n ) {\\n inline-size: 100%;\\n }\\n ```\\n\\n- [#​10112](https://redirect.github.com/biomejs/biome/pull/10112) [`6f0251e`](https://redirect.github.com/biomejs/biome/commit/6f0251ea12cddb6edcbf512e5608a7b502762423) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Fixed [#​10110](https://redirect.github.com/biomejs/biome/issues/10110): Biome's parser now accepts surrogate code points in JavaScript string `\\\\u{...}` escapes.\\n\\n- [#​10141](https://redirect.github.com/biomejs/biome/pull/10141) [`46a77d0`](https://redirect.github.com/biomejs/biome/commit/46a77d0a35e8dbbcefeca264e8630af83b21f1d9) Thanks [@​minseong0324](https://redirect.github.com/minseong0324)! - Improved [`noMisleadingReturnType`](https://biomejs.dev/linter/rules/no-misleading-return-type/) to detect `object` return annotations that hide built-in global class instances such as `Date`, `Map`, `Set`, `WeakMap`, and `Error`.\\n\\n- [#​10083](https://redirect.github.com/biomejs/biome/pull/10083) [`4a664c1`](https://redirect.github.com/biomejs/biome/commit/4a664c1c9ebee339ee4a8b971b0a345aa4dbbe70) Thanks [@​ematipico](https://redirect.github.com/ematipico)! - Added two new options to [`noShadow`](https://biomejs.dev/linter/rules/no-shadow/), both defaulting to `true` to match typescript-eslint's behavior.\\n\\n Fixed [#​9482](https://redirect.github.com/biomejs/biome/issues/9482): Added `ignoreFunctionTypeParameterNameValueShadow` option. When enabled, parameter names inside function type annotations (e.g. `(options: unknown) => void`) are not flagged as shadowing outer variables.\\n\\n Fixed [#​7812](https://redirect.github.com/biomejs/biome/issues/7812): Added `ignoreTypeValueShadow` option. When enabled, a value binding that shares its name with a type-only declaration (type alias or interface) is not flagged, since types and values occupy separate namespaces in TypeScript.\\n\\n- [#​9286](https://redirect.github.com/biomejs/biome/pull/9286) [`52695cf`](https://redirect.github.com/biomejs/biome/commit/52695cf52b3ff42ddfcaef040cfaa00e9a93a4b7) Thanks [@​Hugo-Polloli](https://redirect.github.com/Hugo-Polloli)! - Fixed [#​6316](https://redirect.github.com/biomejs/biome/issues/6316): Biome now resolves Svelte `$store` references to the underlying `store` binding in semantic analysis, preventing false `noUndeclaredVariables` diagnostics when the store is declared.\\n\\n- [#​10188](https://redirect.github.com/biomejs/biome/pull/10188) [`ae659dd`](https://redirect.github.com/biomejs/biome/commit/ae659ddbd317753c4feb5e4d223b9159d272d01b) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Added a new nursery rule [`noExcessiveNestedCallbacks`](https://biomejs.dev/linter/rules/no-excessive-nested-callbacks/), which disallows callbacks nested deeper than the configured maximum.\\n\\n- [#​9757](https://redirect.github.com/biomejs/biome/pull/9757) [`2c62594`](https://redirect.github.com/biomejs/biome/commit/2c62594b84ae62fd5fa130adff917a1bcd8dfddd) Thanks [@​dyc3](https://redirect.github.com/dyc3)! - Fixed [#​9450](https://redirect.github.com/biomejs/biome/issues/9450): the HTML formatter now correctly preserves multiline formatting for nested `