# ElizaOS Developer Update
## Week of December 4th - December 11th, 2025

### Core Framework

A critical security vulnerability was discovered in the ElizaOS framework where an attacker could extract secrets via API endpoints without proper authentication. The issue stemmed from `process.env` being dumped into unencrypted settings instead of the secure `settings.secrets` storage. The vulnerability was introduced in version 1.6.4 and has been fixed in 1.6.5-alpha.8 via commit a1941c6.

The team has added proper encryption for character secrets and implemented safeguards to prevent this class of vulnerability in the future. A related PR (#6217) ensures correct ordering of encryption operations for character secrets.
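
To make the bug class concrete, here is an added example (not ElizaOS's own code): a settings loader in the unsafe shape the advisory describes beside a hardened one that encrypts credential-like keys into `settings.secrets` and an API view that never carries their values. The `CharacterSettings` shape, the `SECRET_KEY_PATTERN` heuristic and the salt-derived key are assumptions for this example.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";
// Hypothetical shapes for this example; not ElizaOS's real types.
interface CharacterSettings {
  public: Record<string, string>;
  secrets: Record<string, string>; // values stored encrypted as "iv:tag:ciphertext" (hex)
}

// Assumption: keys that end like this carry credentials and belong in settings.secrets.
const SECRET_KEY_PATTERN = /(KEY|TOKEN|SECRET|PASSWORD)$/i;
// AES-256 key derived from a server-only salt (assumption: the salt itself never leaves the server).
function deriveKey(salt: string): Buffer {
  return createHash("sha256").update(salt).digest();
}

function encryptSecret(plaintext: string, salt: string): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", deriveKey(salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString("hex")).join(":");
}

function decryptSecret(blob: string, salt: string): string {
  const [iv, tag, ct] = blob.split(":").map((h) => Buffer.from(h, "hex"));
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// The unsafe pattern from the advisory: the whole environment lands in plain settings,
// so any endpoint that returns settings also returns every credential.
function loadSettingsUnsafe(env: Record<string, string>): Record<string, string> {
  return { ...env };
}

// Hardened: credential-like keys are encrypted into settings.secrets, everything else stays public.
function loadSettingsSafe(env: Record<string, string>, salt: string): CharacterSettings {
  const settings: CharacterSettings = { public: {}, secrets: {} };
  for (const [key, value] of Object.entries(env)) {
    if (SECRET_KEY_PATTERN.test(key)) settings.secrets[key] = encryptSecret(value, salt);
    else settings.public[key] = value;
  }
  return settings;
}

// What an API endpoint is allowed to return: public settings and only the names of secrets.
function toApiView(settings: CharacterSettings): Record<string, unknown> {
  return { ...settings.public, secretKeys: Object.keys(settings.secrets) };
}
```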

Additionally, a significant code quality improvement was merged in PR #6213, which:
- Fixed `any` and `unknown` type assertions with proper type definitions
- Removed excessive try/catch blocks that were causing code readability issues
- Cleaned up poor comments and removed dead files and code

#### Streaming Functionality

Stan is working on streaming functionality for the ElizaOS runtime, with tests currently in progress. This will allow for more responsive agent interactions and smoother UX.

### New Features

#### Parallel Action Execution

A draft PR (#6209) implements parallel action execution within the `processActions()` method to significantly improve performance for multi-action responses:

```typescript
// Before: Actions executed sequentially
for (const action of actions) {
  await processAction(action, state);
  // State changes from each action affect next action
}

// After: Actions within a batch execute in parallel
await Promise.allSettled(actions.map(action => 
  processAction(action, initialState)
));
// State changes merge after all parallel actions complete
```

All actions in a batch receive the same initial state snapshot, with state accumulating sequentially between response batches. This preserves the overall execution flow while dramatically speeding up processing time.
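
The batching rule above, as an added example that is not the PR's own code: every action in a batch receives the same snapshot, results merge in batch order, and state only accumulates between batches. The `State`, `Action`, `snapshot` and `merge` shapes are assumptions made for this illustration.

```typescript
// Hypothetical state and action shapes; not ElizaOS's real runtime interfaces.
interface State { counters: Record<string, number>; log: string[] }
interface Action { name: string; run: (state: State) => Promise<Partial<State>> }

// Each action gets its own copy so a mutating action cannot leak into a batch peer.
function snapshot(state: State): State {
  return { counters: { ...state.counters }, log: [...state.log] };
}

// Fold one action's result into the accumulated state. Merge order is batch order,
// so when two peers write the same counter, the later action in the batch wins.
function merge(into: State, delta: Partial<State>): State {
  return {
    counters: { ...into.counters, ...(delta.counters ?? {}) },
    log: [...into.log, ...(delta.log ?? [])],
  };
}

// Actions inside a batch run concurrently against the same snapshot; state accumulates
// only between batches. allSettled keeps one rejected action from discarding its peers' results.
async function runBatches(batches: Action[][], initial: State): Promise<{ state: State; failed: string[] }> {
  let state = snapshot(initial);
  const failed: string[] = [];
  for (const batch of batches) {
    const frozen = snapshot(state);
    const results = await Promise.allSettled(batch.map((action) => action.run(snapshot(frozen))));
    results.forEach((result, i) => {
      if (result.status === "fulfilled") state = merge(state, result.value);
      else failed.push(batch[i].name);
    });
  }
  return { state, failed };
}

// Constructed sample actions: two increments that would read 0 and then 1 when run sequentially
// but both read 0 when they share a batch, plus one action that rejects.
const increment: Action = {
  name: "increment",
  run: async (state) => ({ counters: { x: (state.counters.x ?? 0) + 1 }, log: ["inc"] }),
};
const broken: Action = { name: "broken", run: async () => { throw new Error("simulated failure"); } };
```

Running `[[increment, increment, broken], [increment]]` ends with `x === 2`, not the `3` a sequential loop would produce, because the two increments in the first batch saw the same snapshot.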

#### Cross-Chain Liquidity Pools

Shaw mentioned the deployment of the Jeju testnet with cross-chain liquidity pools (xlp), which allow elizaOS tokens to be used as gas across multiple chains (Base, BSC, OP, Arb, ETH) without bridging. This represents a significant advance in cross-chain interoperability for ElizaOS.

#### ElizaOS Cloud Integration

PR #6216 tightly integrates the ElizaOS cloud plugin, which can now use ElizaOS Cloud as a database and storage provider. The PR enhances the CLI to automatically log users in, provision API keys, and ensure project setup:

```bash
# New workflow with cloud integration
elizaos create my-project
# Select "ElizaOS Cloud" (now the first/recommended option)
# Browser-based login flow initiates automatically
# API key setup and project configuration happens seamlessly
```

This creates a smoother onboarding experience for new developers and promotes the use of ElizaOS Cloud services.

### Bug Fixes

#### Plugin-SQL Database Issues

Several users reported foreign key constraint errors with `plugin-sql` and `plugin-twitter` components, particularly when creating memories. Stan is working on a fix and migration guide in PR #6215, which:

- Adds smooth migration from pre-1.6.5 (camelCase) to 1.6.5+ (snake_case) schema
- Optimizes RLS (Row-Level Security) handling
- Cleans up RuntimeMigrator by removing dead code and improving table filtering
- Fixes schema indexes and foreign key definitions

If you're experiencing these issues, take a database backup before attempting fixes. As a temporary workaround, you can revert to v1.6.4 with SQL fixes applied.

#### Twitter Plugin Reply Processing

Users reported issues with the Twitter plugin not processing replies properly, showing "No text content in response, skipping tweet reply" for every reply. This issue is currently being investigated.

#### Markdown Rendering Improvements

PRs #6159 and #6197 fixed excessive vertical spacing in AI-generated markdown responses in the ElizaOS client UI, particularly around headings and blockquotes, creating a more compact and visually consistent display.

### API Changes

#### JWT Authentication System

PR #6200 implements a complete JWT authentication system for ElizaOS with support for multiple verification strategies:

```
┌─────────────────────────────────────────────────────────────────┐
│                    JWT Verification Flow                         │
├─────────────────────────────────────────────────────────────────┤
│  Request with Bearer token                                       │
│       ↓                                                          │
│  JWTVerifierFactory.create()                                     │
│       ↓                                                          │
│  Priority: Ed25519 > JWKS > Secret > Disabled                   │
│       ↓                                                          │
│  verifier.verify(token)                                          │
│       ↓                                                          │
│  Extract payload.sub                                             │
│       ↓                                                          │
│  entityId = stringToUuid(sub)  ← Derived, NOT stored in JWT     │
│       ↓                                                          │
│  req.entityId = entityId                                         │
└─────────────────────────────────────────────────────────────────┘
```

This system supports integration with external providers like Auth0, Clerk, Privy, Supabase, and Google, making it easier to build multi-tenant applications with ElizaOS.
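
The lower half of that flow, as an added example rather than code from PR #6200: only the Secret (HS256) strategy is implemented here, with Ed25519 and JWKS omitted, and `subToUuid` is a stand-in for `stringToUuid` showing the security-relevant property that `entityId` is derived from `sub` and never read from the token. The `AuthConfig` shape and the meaning given to "disabled" are assumptions.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical config shape; the factory mirrors the priority order but only implements
// the Secret strategy here (Ed25519 and JWKS omitted).
interface AuthConfig { secret?: string; allowDisabled?: boolean }
interface Verified { sub: string; entityId: string }

const fromB64u = (s: string) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
const toB64u = (b: Buffer) => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Stand-in for stringToUuid: a deterministic, v5-shaped UUID derived from sub.
// The token never carries entityId; a claim with that name is simply ignored.
function subToUuid(sub: string): string {
  const h = createHash("sha1").update(sub).digest();
  h[6] = (h[6] & 0x0f) | 0x50;
  h[8] = (h[8] & 0x3f) | 0x80;
  const x = h.subarray(0, 16).toString("hex");
  return `${x.slice(0, 8)}-${x.slice(8, 12)}-${x.slice(12, 16)}-${x.slice(16, 20)}-${x.slice(20, 32)}`;
}

// Mint an HS256 token (used here only to produce constructed input).
function mintHs256(payload: Record<string, unknown>, secret: string): string {
  const h = toB64u(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const p = toB64u(Buffer.from(JSON.stringify(payload)));
  return `${h}.${p}.${toB64u(createHmac("sha256", secret).update(`${h}.${p}`).digest())}`;
}

function verifyHs256(token: string, secret: string, now = Date.now()): Verified | null {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return null;
  const header = JSON.parse(fromB64u(h).toString("utf8"));
  if (header.alg !== "HS256") return null; // pin the algorithm: no "none", no key confusion
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = fromB64u(s);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const payload = JSON.parse(fromB64u(p).toString("utf8"));
  if (typeof payload.sub !== "string" || payload.sub === "") return null;
  if (typeof payload.exp === "number" && payload.exp * 1000 <= now) return null;
  return { sub: payload.sub, entityId: subToUuid(payload.sub) };
}

// Assumption: "disabled" means no identity is ever attached to the request.
function createVerifier(cfg: AuthConfig): { strategy: string; verify: (token: string) => Verified | null } {
  if (cfg.secret) { const secret = cfg.secret; return { strategy: "secret", verify: (t) => verifyHs256(t, secret) }; }
  if (cfg.allowDisabled) return { strategy: "disabled", verify: () => null };
  throw new Error("no JWT verification strategy configured");
}
```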

#### Unified Serverless API

PR #6201 introduces a unified serverless API for ElizaOS, improving the developer experience for serverless deployments and providing consistent behavior across environments.

### Social Media Integrations

The Twitter plugin is experiencing issues with API rate limits after the deprecation of username/password authentication. The current implementation faces severe restrictions: the first check of 50 mentions immediately consumes 50% of the free-tier limit.

For Telegram integration, users can find the plugin at github.com/elizaos-plugins/plugin-telegram, though it cannot currently be connected through the Eliza cloud website interface.

The team is working to recover the ElizaOS X (Twitter) account, which will be important for community communications and attracting developers.

### Model Provider Updates

Users can now integrate Perplexity's Sonar-Pro LLM through either:

1. `plugin-openai` - By changing environment variables to point to Perplexity's server
2. `plugin-openrouter` - As an alternative routing method

For cryptocurrency and market data APIs, developers have several options:
- CoinGecko
- DeFiLlama
- Codex
- Dexscreener

Many of these have public endpoints available for basic usage.

### Breaking Changes

A significant database schema change occurred in the migration from pre-1.6.5 (camelCase) to 1.6.5+ (snake_case), affecting users of the `plugin-sql` package. If you're encountering foreign key constraint errors, particularly with memory-related operations, you'll need to:

1. Back up your database
2. Either update to the latest version when PR #6215 is merged
3. Or revert to v1.6.4 with SQL fixes applied

The upcoming migration guide will provide detailed steps for a smooth transition.

For security reasons, `ELIZA_SERVER_AUTH_TOKEN` will become mandatory by default in an upcoming release, with explicit opt-out for development environments only. This change is part of the security improvements resulting from the recent vulnerability assessment.

---

For more information on these updates, see the relevant PRs and issues on GitHub, or join the discussion in our Discord server.