# ElizaOS Developer Update
**Week of December 2-9, 2025**

## 1. Core Framework

### Security Incident & Resolution
A critical security incident occurred on the elizaOS.ai website this week where an XMR cryptocurrency miner was injected into the code through a Remote Code Execution (RCE) vulnerability in outdated Next.js dependencies (v15.3.1). The security breach was promptly addressed by:
- Updating dependencies to Next.js 16.0.7 ([PR #3](https://github.com/elizaos/eliza/pull/3))
- Implementing proper nginx settings for WebSocket support
- Rotating Personal Access Tokens (PAT)
- Deploying a fresh copy of the site

### Parallel Action Execution
A significant improvement to the core runtime was introduced with parallel action execution ([PR #6209](https://github.com/elizaos/eliza/pull/6209)), allowing multiple actions within a single response batch to execute simultaneously:

```typescript
// Before: Actions executed sequentially
// After: Actions in a batch execute in parallel
await Promise.allSettled(
  actions.map(async (action) => {
    // All actions receive same initial state snapshot
    return await executeAction(action, initialState);
  })
);
```

Key implementation details:
- All actions in a batch receive the same initial state snapshot
- State accumulates sequentially between response batches
- Results from parallel actions are merged after batch completion
- Fault tolerance preserved: if one action fails, others still complete
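
The batch semantics listed above, as an added example that is not ElizaOS runtime code: `runBatch`, `Action`, `State` and the conflict log are hypothetical names. It freezes one snapshot for the whole batch so no action can alter what the others read, then merges fulfilled results in declaration order while recording failures and keys written by more than one action.

```typescript
// Added example with hypothetical names; not the ElizaOS runtime.
type State = Readonly<Record<string, unknown>>;
type Updates = Record<string, unknown>;
type Action = { name: string; run: (snapshot: State) => Promise<Updates> };
type BatchResult = { state: State; failed: string[]; conflicts: string[] };

// Freeze recursively so no action can change what the other actions read.
function deepFreeze<T>(value: T): T {
  if (value !== null && typeof value === 'object' && !Object.isFrozen(value)) {
    Object.freeze(value);
    Object.values(value).forEach(deepFreeze);
  }
  return value;
}

async function runBatch(actions: Action[], state: State): Promise<BatchResult> {
  // One immutable snapshot for the whole batch; the caller's object is untouched.
  const snapshot = deepFreeze(structuredClone(state));
  // The async wrapper turns a synchronous throw into a rejection as well.
  const settled = await Promise.allSettled(actions.map(async (a) => a.run(snapshot)));

  const merged: Updates = { ...snapshot };
  const lastWriter = new Map<string, string>();
  const failed: string[] = [];
  const conflicts: string[] = [];
  settled.forEach((result, i) => {
    const { name } = actions[i];
    if (result.status === 'rejected') {
      failed.push(name); // one failure does not stop the rest of the batch
      return;
    }
    for (const [key, value] of Object.entries(result.value)) {
      // Merge in declaration order so the outcome is deterministic, and log
      // every key that two actions of the same batch both wrote.
      const previous = lastWriter.get(key);
      if (previous !== undefined) conflicts.push(`${key}: ${previous} -> ${name}`);
      lastWriter.set(key, name);
      merged[key] = value;
    }
  });
  return { state: merged, failed, conflicts };
}
```

A non-empty `conflicts` list is the signal that two actions in one batch raced on the same key and the later declaration won.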

### Server Optimization
The server architecture was refactored for better performance and organization ([PR #6199](https://github.com/elizaos/eliza/pull/6199)):

- **Socket.IO Configuration**
  - Configured `pingInterval` (25s) and `pingTimeout` (20s)
  - Set `connectTimeout` (10s)
  - Enforced transport order: `['websocket', 'polling']`

- **HTTP Server Timeouts**
  - Added proper timeout settings to prevent hanging connections
  - Added checks to handle disconnected clients gracefully

- **Code Reorganization**
  - Restructured root-level files into proper directories following clean architecture principles
  - Added proper typing with `ServerMiddleware` and `ServerConfig`

## 2. New Features

### Streaming Support for Text Generation
Enhanced streaming capabilities were added for `TEXT_SMALL` and `TEXT_LARGE` model types ([PR #6212](https://github.com/elizaos/eliza/pull/6212)):

```typescript
// New streaming API usage
const result = await runtime.useModel({
  type: 'TEXT_LARGE',
  provider: 'openai',
  params: {
    messages: [/* ... */],
    stream: true // Enable streaming
  }
});

// Consuming streaming response
if ('textStream' in result) {
  for await (const chunk of result.textStream) {
    console.log(chunk); // Process each chunk as it arrives
  }
}
```

This implementation:
- Adds the `TextStreamResult` interface with `textStream` async iterable
- Introduces `stream?: boolean` parameter to `GenerateTextParams`
- Provides a `supportsStreaming()` type guard for model types
- Updates `runtime.useModel()` to handle streaming responses

### JWT Authentication System
A comprehensive JWT authentication and user management system was introduced ([PR #6200](https://github.com/elizaos/eliza/pull/6200)):

```typescript
// JWT Verification Flow
// 1. Request with Bearer token
// 2. JWTVerifierFactory.create() 
// 3. Priority: Ed25519 > JWKS > Secret > Disabled
// 4. Extract payload.sub
// 5. entityId = stringToUuid(sub)  ← Derived, NOT stored in JWT
// 6. req.entityId = entityId
```

Features include:
- Multiple verification strategies (Ed25519, JWKS, Secret)
- Entity ID derivation from JWT `sub` claim
- Dual authentication modes
- Internal service bypass
- Credentials-based auth endpoints (`/api/auth/*`)

### ElizaOS Cloud as Default AI Provider
The CLI now includes ElizaOS Cloud as the first/recommended option in the `elizaos create` AI model selection ([PR #6208](https://github.com/elizaos/eliza/pull/6208)):
- Integrated browser-based login flow for seamless API key setup
- Fixed environment variable handling in login flow

## 3. Bug Fixes

### Database and Directory Handling
The SQL plugin was updated to automatically create required directories ([PR #6202](https://github.com/elizaos/eliza/pull/6202)):

```typescript
import { existsSync, mkdirSync } from 'node:fs';

// Auto-create .eliza directory (path held in eliza_dir) if it doesn't exist
if (!existsSync(eliza_dir)) {
  mkdirSync(eliza_dir, { recursive: true });
}
```

This addresses the issue where plugin-sql would crash if the `.eliza` directory didn't exist ([Issue #6204](https://github.com/elizaos/eliza/issues/6204)).

### UI Rendering Improvements
Multiple fixes were implemented to improve markdown content spacing in the client UI ([PR #6159](https://github.com/elizaos/eliza/pull/6159), [PR #6197](https://github.com/elizaos/eliza/pull/6197)):
- Fixed excessive vertical spacing in AI-generated responses
- Added missing heading and separator spacing
- Reduced blockquote vertical spacing for more compact display

### Dependency Conflicts
A comprehensive update of dependencies across the monorepo resolved conflicting versions ([PR #6210](https://github.com/elizaos/eliza/pull/6210)):

```
Before:
- drizzle-orm@0.45.0 (root)
- drizzle-orm@0.44.7 (@elizaos/plugin-sql)
- drizzle-orm@0.38.4 (@elizaos/plugin-memory)
- drizzle-kit@0.31.x (incompatible with drizzle-orm@0.44+)

After:
- All packages consistently use latest compatible versions
```

Major updates included Bun 1.3.4, TypeScript 5.9.3, React 19.1.0, and numerous other dependencies.

## 4. API Changes

### Unified Serverless API
Work began on a unified API for serverless Node.js applications ([PR #6201](https://github.com/elizaos/eliza/pull/6201)), providing a consistent interface for deploying ElizaOS agents across different environments.

### Message Service API Migration
Examples were migrated from the deprecated `MESSAGE_RECEIVED` event system to the new `messageService.handleMessage()` API ([PR #6202](https://github.com/elizaos/eliza/pull/6202)):

```typescript
// Old approach - deprecated event system
agent.on('MESSAGE_RECEIVED', async (message) => {
  // Handle message
});

// New approach - message service API
agent.messageService.handleMessage(async (message) => {
  // Handle message
});
```

### Environment Variables for JWT Authentication
New environment variables were introduced for JWT authentication ([PR #6200](https://github.com/elizaos/eliza/pull/6200)):

| Variable | Description | Example |
|----------|-------------|---------|
| `ENABLE_DATA_ISOLATION` | Enable JWT auth mode | `true` |
| `JWT_SECRET` (optional) | HS256 symmetric secret | `your-secret-key` |
| `JWT_PUBLIC_KEY_ED25519` (optional) | Ed25519 public key (base64) | `MCowBQYDK2Vw...` |
| `JWT_JWKS_URI` (optional) | JWKS endpoint URL | `https://auth0.com/.well-known/jwks.json` |
| `JWT_ISSUER_WHITELIST` (optional) | Allowed issuers (comma-separated) | `https://auth0.com/,https://clerk.dev` |
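
The verification flow from the JWT Authentication System section and the variables in the table above, as an added example that is not taken from PR #6200 or the ElizaOS code base. Assumptions: `pickStrategy`, `verifyJwt` and `deriveEntityId` are hypothetical names, `deriveEntityId` stands in for `stringToUuid`, the Ed25519 key is base64 DER SPKI, tokens must carry `exp`, and the JWKS and disabled strategies are not implemented here and fail closed.

```typescript
import * as crypto from 'node:crypto';

type Env = Record<string, string | undefined>;
type Strategy = 'ed25519' | 'jwks' | 'secret' | 'disabled';

// Priority from the verification flow: Ed25519 > JWKS > Secret > Disabled.
function pickStrategy(env: Env): Strategy {
  if (env.JWT_PUBLIC_KEY_ED25519) return 'ed25519';
  if (env.JWT_JWKS_URI) return 'jwks';
  if (env.JWT_SECRET) return 'secret';
  return 'disabled';
}

// Hypothetical stand-in for stringToUuid: deterministic, UUID-shaped SHA-256 digest.
function deriveEntityId(sub: string): string {
  const h = crypto.createHash('sha256').update(sub).digest('hex');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20, 32)].join('-');
}

const decode = (part: string) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Returns the derived entity id, or throws; `now` is in seconds since the epoch.
function verifyJwt(token: string, env: Env, now = Date.now() / 1000): string {
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some((x) => !x)) throw new Error('malformed token');
  const [h, p, s] = parts;
  const data = Buffer.from(`${h}.${p}`);
  const sig = Buffer.from(s, 'base64url');
  const alg = decode(h).alg;
  const strategy = pickStrategy(env);
  let ok = false;
  // The configured strategy pins the algorithm; the header alone never selects it.
  if (strategy === 'ed25519' && alg === 'EdDSA') {
    // Assumption: the variable holds a base64 DER SubjectPublicKeyInfo.
    const der = Buffer.from(env.JWT_PUBLIC_KEY_ED25519!, 'base64');
    ok = crypto.verify(null, data, crypto.createPublicKey({ key: der, format: 'der', type: 'spki' }), sig);
  } else if (strategy === 'secret' && alg === 'HS256') {
    const mac = crypto.createHmac('sha256', env.JWT_SECRET!).update(data).digest();
    ok = mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
  } // 'jwks' needs a network fetch and 'disabled' has no verifier: both fail closed here.
  if (!ok) throw new Error('signature rejected');
  const claims = decode(p);
  const issuers = (env.JWT_ISSUER_WHITELIST ?? '').split(',').filter(Boolean);
  if (issuers.length > 0 && !issuers.includes(claims.iss)) throw new Error('issuer not allowed');
  // Assumption: tokens must carry a numeric exp.
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (typeof claims.sub !== 'string' || claims.sub === '') throw new Error('missing sub');
  return deriveEntityId(claims.sub); // derived from sub, never read from the token
}
```

When `JWT_SECRET` and `JWT_PUBLIC_KEY_ED25519` are both set, only EdDSA tokens are accepted, so an HS256 token cannot downgrade the check.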

## 5. Social Media Integrations

### Twitter/X Agent Limitations
Significant challenges were identified with Twitter agent functionality following the deprecation of username/password authentication:
- The current implementation faces severe API read limits, with the first 50 mentions check consuming 50% of the free tier limit immediately
- Twitter's legal team actively prevents alternative authentication methods

The team is working to:
- Restore the ElizaOS X (Twitter) account functionality
- Optimize Twitter agent to reduce API read consumption
- Implement a per-request pricing model to make agents more cost-effective

### Discord and Telegram Integration
Community discussion confirmed that connecting agents to Telegram or Discord directly through the Eliza cloud website is not currently possible. Self-hosting capabilities were discussed as an alternative approach for users with home server setups running models locally with Ollama and N8N.

## 6. Model Provider Updates

### Self-Hosting Recommendations
For developers looking to self-host ElizaOS with local models, Jin recommended the Strix Halo mini PC, reporting success running elizaOS with gpt-oss 120b on their GMKTEC EVO-X2 system.

### DeepSeek API Support
A community question about using the DeepSeek API with ElizaOS ([Issue #6156](https://github.com/elizaos/eliza/issues/6156)) was closed, though specific implementation details were not provided.

## 7. Breaking Changes

### Token Migration Issues
Users continue to experience challenges with the ai16z to ElizaOS token migration process:
- Some users reported their ai16z tokens not showing as eligible for migration in the portal
- "Max Amount Reached" errors are occurring during migration attempts
- Confusion persists about token listing status on exchanges like Kraken

The migration team is actively addressing these concerns through dedicated support channels (#migration-support). For historical context, ai16z has seen significant price volatility during migration, with the team clarifying that ElizaOS is now the official token associated with the platform.

The Eliza Labs team is working on a roadmap to be hosted in the main elizaOS repository, with additional features like Babylon (a prediction market with agent and human integration) planned for future releases.