# ElizaOS Developer Update (2026-02-10 → 2026-02-16) This update summarizes core runtime and plugin work landed in `elizaos/eliza` plus ecosystem discussions from Discord that affect near-term architecture, security posture, and integrations. --- ## 1) Core Framework ### Per-request / per-entity settings via `RequestContext` A major step toward multi-tenant deployments landed with `RequestContext` support in core, enabling entity-scoped settings resolution without threading parameters through every call stack. - **PR:** `feat(core): add request context for per-user entity settings` ([elizaos/eliza#6457](https://github.com/elizaos/eliza/pull/6457)) - **Impact:** `runtime.getSetting(key)` now checks the active request context first, then falls back to agent/global settings. This is critical when multiple users share a runtime but must not share API keys, OAuth tokens, or per-entity configuration. **Example: scoping provider keys to the initiating user/entity** ```ts import { RequestContext } from "@elizaos/core"; await RequestContext.withEntitySettings( { entityId: "user_123", settings: { OPENAI_API_KEY: process.env.USER_123_OPENAI_KEY, GMAIL_REFRESH_TOKEN: process.env.USER_123_GMAIL_REFRESH_TOKEN, }, }, async () => { // Any code below can call runtime.getSetting(...) // and will receive the entity-specific values. const key = runtime.getSetting("OPENAI_API_KEY"); const resp = await runtime.handleMessage({ text: "hello" }); return resp; } ); ``` ### JWT authentication + user management (server) JWT auth shipped behind a feature flag to support data isolation and external JWT providers. - **PR:** `feat(auth): implement JWT authentication and user management` ([elizaos/eliza#6200](https://github.com/elizaos/eliza/pull/6200)) - **Activation:** requires `ENABLE_DATA_ISOLATION=true` - **Docs:** environment variable reference was expanded ([elizaos/eliza#6377](https://github.com/elizaos/eliza/pull/6377)) This work is foundational for: - isolating memory/history per user and per agent - multi-entity deployments (e.g., one server hosting many independent agents) - connecting Auth0/Clerk/Supabase/Privy-style identity to ElizaOS sessions ### ActionFilterService (prompt bloat reduction at runtime) Filtering of actions/providers sent to the LLM is now handled by a relevance-driven service (vector search + BM25 reranking), reducing the action set from “everything installed” to “what matters for this message”. - **PR:** `feat: ActionFilterService — vector search + BM25 reranking` ([elizaos/eliza#6475](https://github.com/elizaos/eliza/pull/6475)) **Why it matters** - lower token usage and latency (especially with large plugin registries) - improved tool selection accuracy (less distraction / fewer near-miss tools) --- ## 2) New Features ### Plugin bootstrap optimization + robustness The bootstrap plugin received broad improvements (caching, robustness, and initialization UX). - **PR:** `feat(plugin-bootstrap): comprehensive optimization and robustness improvements` ([elizaos/eliza#6476](https://github.com/elizaos/eliza/pull/6476)) If you maintain providers/evaluators, re-run your integration tests against the latest bootstrap package, especially if you rely on provider ordering or implicit caches. ### n8n-workflow plugin: direct REST API for workflow management The `plugin-n8n-workflow` repository introduced REST routes enabling workflow CRUD and operational introspection directly from a frontend—without routing via the natural-language pipeline. - **Repo:** https://github.com/elizaos-plugins/plugin-n8n-workflow - **PR (reported):** new REST API routes for workflow management (see daily summary for 2026-02-16) **What’s included** - workflow CRUD - node catalog browsing - workflow validation - execution monitoring - expanded unit tests + updated test helpers This enables UI-driven automation builders where ElizaOS supplies orchestration + identity + permissions, while n8n supplies execution. ### Discord security + identity initiatives (ecosystem direction) Discord discussions this week introduced two adjacent security building blocks that are likely to influence future first-party patterns: - **MoltBridge (Ed25519 identity + trust scoring for A2A):** announced by Dawn as an off-chain cryptographic identity layer with graph-based broker discovery, motivated by marketplace abuse (341 malicious skills bypassing vetting). - SDKs: `moltbridge` on npm and PyPI (as announced on Discord) - Discord context: https://discord.com/channels/1253563208833433701/1300025221834739744 - **Security Oracle API (beta):** unified risk intelligence (RugCheck, GoPlus, sentiment), including Sybil-farm and insider concentration detection; strict JSON output for agent integration. - Beta limits: 100 req/day, 1 req/10s (as announced) - Discord context: https://discord.com/channels/1253563208833433701/1300025221834739744 **Developer takeaway:** expect upcoming design conversations around replacing API-key trust with signed agent identity + reputation signals, especially for trading and agent marketplaces. --- ## 3) Bug Fixes ### Prevented runtime crashes from `Object.entries(...)` on null/undefined Multiple crash-class bugs were fixed by adding defensive checks in settings utilities and bootstrap providers. - **PR:** `fix: add null checks to Object.entries calls in settings utilities` ([elizaos/eliza#6471](https://github.com/elizaos/eliza/pull/6471)) - **PR:** `fix(plugin-bootstrap): add null check for runtime.providers` ([elizaos/eliza#6473](https://github.com/elizaos/eliza/pull/6473)) **Technical context** These failures commonly manifested as: - provider formatting code calling `Object.entries(value)` when upstream returned `null` - agents falling into “IGNORE”/no-op paths because context providers crashed mid-chain If you maintain plugins/providers, prefer returning `{}` rather than `null` for metadata-like fields, and guard coercions at boundaries. ### MESSAGE_SENT event emission corrected (server) A long-standing lifecycle bug where `EventType.MESSAGE_SENT` wasn’t emitted after central bus delivery is fixed. - **PR:** `fix(server): emit MESSAGE_SENT event after sending to central server` ([elizaos/eliza#6378](https://github.com/elizaos/eliza/pull/6378)) **Why it matters** If you drive downstream workflows (analytics, audit logs, webhooks) from `MESSAGE_SENT`, you should see more consistent event streams after this update. ### Cloud chat: image content stripping fixed (issue closed) An issue where image content was stripped in `/api/v1/chat/completions` (`convertToUIMessages`) was closed this week. - **Issue:** `Image content stripped from LLM requests in cloud chat` ([elizaos/eliza#6494](https://github.com/elizaos/eliza/issues/6494)) — **closed 2026-02-16** ### Still open: duplicate LLM calls when a message contains a URL (webapp) A high-cost UX bug remains open: URLs may be processed twice (text + attachment preview), causing duplicated SSE output and doubled token spend. - **Issue:** `[Bug] URL in message triggers duplicate LLM calls` ([elizaos/eliza#6486](https://github.com/elizaos/eliza/issues/6486)) --- ## 4) API Changes ### Settings resolution precedence change (RequestContext) As part of RequestContext, settings resolution now behaves like: 1) entity/request context settings 2) agent settings 3) global/default settings This is an **API behavior change** for anyone depending on “agent config always wins”. If you are injecting per-user overrides, ensure they’re placed in RequestContext and that you clear context properly between requests. ### Server auth surfaces (JWT mode) JWT mode introduces new expectations for: - protected routes (client + server) - socket authentication flows - user tables / schema changes (via `plugin-sql` updates included in [#6200](https://github.com/elizaos/eliza/pull/6200)) ### n8n-workflow REST surface If you embed n8n-workflow into a UI, you can now bypass NL prompts and manage workflows programmatically. Treat these routes as privileged; pair them with JWT/data isolation if running multi-tenant. --- ## 5) Social Media Integrations ### Twitter plugin: auth retry loop fixed + media upload support The Twitter plugin received major stabilization work and expanded capability for posting media. - **PR:** `fix: authentication retry loop + media upload` ([elizaos-plugins/plugin-twitter#48](https://github.com/elizaos-plugins/plugin-twitter/pull/48)) **Developer notes** - If you previously implemented client-side throttles/workarounds for repeated auth attempts, re-test and simplify. - Media upload paths are now first-class; ensure your agent policies and safety filters cover media posting. **Telegram/Discord/Farcaster** No merged core changes surfaced in the aggregated data this week, but there are ongoing infrastructure threads (deployment, auth, multi-tenant isolation) that should be considered prerequisites for robust chat-platform bots. --- ## 6) Model Provider Updates ### Claude Sonnet / Opus mentions and model behavior tuning Community and internal planning referenced: - model tuning for Eliza personality (issue closed this week: character prompt engineering [elizaos/eliza#6447](https://github.com/elizaos/eliza/issues/6447)) - “Opus 4.5” availability noted in the 2026-02-16 dev recap (validate exact provider wiring in your environment before relying on it in production) ### OpenAI-compatible endpoints (requested) A feature request is open to allow custom OpenAI base URLs (for OpenAI-compatible providers such as SiliconFlow). - **Issue:** `Support custom OpenAI endpoint URL for OpenAI provider` ([elizaos/eliza#6490](https://github.com/elizaos/eliza/issues/6490)) If you maintain providers, prefer exposing a `baseURL`/`endpoint` override consistently across model adapters to avoid one-off forks. --- ## 7) Breaking Changes (V1 → V2 migration warnings) Several large V2 branches/PRs remain in-flight and will be **high-impact** when merged: - **PR:** `V2.0.0` ([elizaos/eliza#6351](https://github.com/elizaos/eliza/pull/6351)) - **PR:** `next` ([elizaos/eliza#6474](https://github.com/elizaos/eliza/pull/6474)) - **PR:** `feat: next generation multi-language Eliza with Rust, Python and TypeScript support` ([elizaos/eliza#6485](https://github.com/elizaos/eliza/pull/6485)) **Expected breakpoints (as described in PR bodies)** - removal of “app/server/CLI and non-essentials” in favor of lean runtimes - new multi-language package layout (Rust/Python/TypeScript cores + plugin ports) - runtime behavior changes (e.g., planning mode toggles, action arguments as tool-like calls) - example and starter restructuring **Migration guidance (practical)** - Pin your production builds to a known-good tag/commit until V2 stabilizes. - Avoid relying on internal package paths; import only from public entrypoints. - If you run multi-tenant, adopt RequestContext + JWT/data isolation patterns now to minimize later refactors. --- ## References / Docs - Core docs bundle: ([elizaos/eliza#6356](https://github.com/elizaos/eliza/pull/6356)) - `docs/ARCHITECTURE.md`, `docs/CORE_CONCEPTS.md`, `docs/PLUGIN_DEVELOPMENT.md`, etc. - Environment variables docs: ([elizaos/eliza#6377](https://github.com/elizaos/eliza/pull/6377)) - Discord threads (identity/security): - MoltBridge + Security Oracle discussion: https://discord.com/channels/1253563208833433701/1300025221834739744