# ElizaOS Developer Update - November 28, 2025 ## Core Framework We're excited to announce the completion of significant security and architecture improvements this week. PR #6167 (Entity-level RLS & Security Improvements) has been merged, implementing four major enhancements: 1. **Entity-Level Row Level Security (RLS)** - PostgreSQL RLS policies now provide automatic data isolation by entity (users, agents, bots) within the database. This prevents accidental data leaks and enforces security at the database level. 2. **Semantic Clarity Refactoring** - We've renamed `serverId` to `messageServerId` throughout the codebase to prevent ambiguity between ElizaOS server instances and message platforms (Discord, Telegram, etc.). 3. **Performance Optimization** - New methods `isRoomParticipant` and `isChannelParticipant` have been implemented with O(1) time complexity, replacing previous O(n) implementations that loaded all participants into memory. 4. **Timeline Action Spans Fix** - Run timelines now correctly display action details by including `action_event` logs in the timeline data. All changes maintain backward compatibility with existing deployments and plugins. ## New Features ### Dynamic Prompt Normalization PR #6192 by @wtfsayo implements improved normalization for structured responses from dynamicPromptExecFromState: ```typescript // Now handles both XML and JSON outputs const result = await runtime.dynamicPromptExecFromState({ model: "gpt-5-nano", prompt: "Generate a product recommendation", schema: { required: ["name", "price", "rating"], properties: { name: { type: "string" }, price: { type: "number" }, rating: { type: "number", minimum: 0, maximum: 5 } } } }); // Properly handles falsy values in required fields console.log(result.name); // "Budget Headphones" console.log(result.price); // 0 (falsy but valid) console.log(result.rating); // 4.5 ``` ### Plugin Name Resolution Improvements PR #6164 adds enhanced dependency resolution to handle both scoped package names and short names: ```typescript // All of these now work correctly await runtime.loadPlugin("@elizaos/plugin-sql"); await runtime.loadPlugin("plugin-sql"); await runtime.loadPlugin("sql"); // Deduplication prevents double-loading const deps = ["sql", "@elizaos/plugin-sql"]; // Only loads once ``` ## Bug Fixes ### Model Parameter Support Fixed the `topP` parameter for Anthropic models (PR #6166). The parameter is now properly passed through in runtime-generated parameters: ```typescript // Now works with both OpenAI and Anthropic const result = await runtime.generate({ model: "claude-3-opus-20240229", prompt: "Write a short story", topP: 0.8 // Previously ignored for Anthropic models }); ``` ### TypeScript Declaration Fix PR #6170 resolved a critical bug in the core TypeScript declarations that was causing build failures with `instanceof` checks on generic types. We've replaced these checks with a new `isPlainObject` type guard: ```typescript // Before: Failed TypeScript compilation if (params instanceof ModelParamsMap[model.type]) { // ... } // After: Type-safe and compiles properly if (isPlainObject(params)) { // ... } ``` ## API Changes ### Deprecation Notice: serverId → messageServerId As part of PR #6167, we've renamed `serverId` to `messageServerId` throughout the codebase to prevent ambiguity: ```typescript // Deprecated (still works for backward compatibility) const room = await adapter.getRoom({ serverId, roomId }); // New recommended approach const room = await adapter.getRoom({ messageServerId, roomId }); ``` This change affects all messaging-related APIs that reference external platforms like Discord, Telegram, etc. The old field name is still supported but marked as deprecated in TypeScript. ## Social Media Integrations ### Discord Plugin Improvements This week's testing uncovered and fixed several bugs in the Discord plugin: 1. Real-world testing revealed errors with message handling and participant tracking 2. Fixed an issue with the "gpt-5-nano" model requiring "max_completion_tokens" instead of "max_tokens" 3. Improved logging in pretty and JSON formats The Discord plugin now has better error handling and more consistent behavior in production environments. ## Model Provider Updates ### OpenRouter Embedding Support in CLI PR #6142 added native embedding support for OpenRouter in the ElizaOS CLI: ```bash # Now sets up both text generation and embeddings with one provider elizaos create --provider openrouter ``` This eliminates the need to configure a separate embedding provider when using OpenRouter for text generation. ### Anthropic Advanced Tool Use The team is tracking Anthropic's new advanced tool use capabilities, noting similarities to ElizaOS's "build an agent" functionality. We're exploring integrating these capabilities into our runtime for more powerful agent capabilities. ## Breaking Changes All changes this week maintain backward compatibility with V1, but developers migrating to V2 should note: 1. For Entity-Level RLS to work correctly, ensure your PostgreSQL connection includes the proper environment variables: ``` ENABLE_RLS_ISOLATION=true ENABLE_DATA_ISOLATION=true RLS_OWNER_ID= ``` 2. While `serverId` continues to work, start migrating to `messageServerId` in your code. The TypeScript compiler will warn about deprecated usage. 3. When using the Token migration process, remember that the 90-day migration window is in place, but only tokens held before the November 11th snapshot are eligible. For detailed migration guidance, reach out through the #support-ticket channel in Discord.