# ElizaOS Developer Update (2026-04-26 → 2026-05-02)

This week focused on **cross-platform portability** (self-hosted HTTPS dashboards + Capacitor + Electrobun), **secrets hardening** (new OS-keychain-backed vault), and **runtime reliability** (schema/migration correctness, fewer flaky tests, packaged-build fixes).

---

## 1) Core Framework

### Cross-platform runtime connectivity (self-hosted + desktop + mobile)
PR **#7212** delivered the foundational plumbing to treat a *remote* self-hosted runtime as a first-class target across web dashboards, Capacitor mobile builds, and Electrobun desktop builds:

- **CORS allowlisting** with operator-configurable origins via `ELIZA_ALLOWED_ORIGINS` and built-in Capacitor/Ionic WebView origins.
- **Bearer token authentication** consolidated in the client (`fetchWithCsrf`) so apps behave consistently across platforms.
- **Auth state machine tweaks** to avoid prematurely wiping tokens on transient 401s during boot/restore.

Links:
- PR: https://github.com/elizaos/eliza/pull/7212

### Plugin lifecycle / packaged-build robustness
`plugin-lifecycle` and other imports were hardened to avoid cross-package relative imports that can break after bundling/tree-shaking (notably in packaged builds).

(Implemented as part of **#7212**.)

---

## 2) New Features

### `@elizaos/vault`: cross-platform secrets vault + Settings UI integration
A major new capability landed: **encrypted secrets at rest**, backed by OS keychains by default, with UI support and runtime integration.

Key properties:
- AES-256-GCM encryption; master key stored in:
  - macOS Keychain
  - Windows Credential Manager
  - Linux Secret Service (`@napi-rs/keyring`)
- Headless/server fallback via passphrase-derived master key (`scrypt`)
- Vault-first “reveal” semantics in Settings (newly-saved secrets are read from vault before legacy sources)
- Multi-backend “Secrets Manager” routing for password managers (1Password / Bitwarden / Proton Pass) via stored references
- Provider switching now persists **references** (`apiKeyRef`) rather than plaintext

Links:
- PR: https://github.com/elizaos/eliza/pull/7197  
- Package docs (in-repo): `packages/vault/README.md` (added in #7197)

#### Example: storing and retrieving a sensitive secret
```ts
import { sharedVault } from "@elizaos/vault";

const vault = sharedVault();

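// Refuse to store an unset value: a missing env var would otherwise be written as `undefined`
const openaiKey = process.env.OPENAI_API_KEY;
if (!openaiKey) throw new Error("OPENAI_API_KEY is not set");

// Store encrypted at rest
await vault.set("OPENAI_API_KEY", openaiKey, { sensitive: true });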

// Retrieve later (decrypts via master key)
const apiKey = await vault.get("OPENAI_API_KEY");
```

#### Example: headless/server fallback master key
If you’re running on a Linux server without Secret Service:
```bash
export MILADY_VAULT_PASSPHRASE="replace-with-a-strong-passphrase"
```

Your deployment can then rely on passphrase-derived keys (no OS keychain required).
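
The properties listed above (a `scrypt`-derived master key, AES-256-GCM per secret), shown end to end as an added example; this is not `@elizaos/vault`'s code or on-disk format. The scrypt parameters, the record layout and the use of the entry name as associated data are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";

// Assumed scrypt cost parameters and record layout (not the vault's real format).
const SCRYPT_PARAMS = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

interface SealedSecret {
  nonce: string; // base64, 12 random bytes, fresh for every write
  tag: string; // base64, 16-byte GCM authentication tag
  ciphertext: string; // base64
}

// Derive the 32-byte AES-256 master key once per process from the passphrase.
// The salt is not secret but must be stored with the vault and stay stable.
function deriveMasterKey(passphrase: string, salt: Buffer): Buffer {
  return scryptSync(passphrase.normalize("NFKC"), salt, 32, SCRYPT_PARAMS);
}

// Encrypt one secret. The entry name is authenticated as AAD, so a record
// copied under a different name fails to decrypt.
function seal(key: Buffer, name: string, value: string): SealedSecret {
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(name, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
  return {
    nonce: nonce.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

// Decrypt one secret. final() throws when the key, entry name, nonce,
// ciphertext or tag does not match, so tampering never yields plaintext.
function unseal(key: Buffer, name: string, rec: SealedSecret): string {
  const nonce = Buffer.from(rec.nonce, "base64");
  const decipher = createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(name, "utf8"));
  decipher.setAuthTag(Buffer.from(rec.tag, "base64"));
  const body = Buffer.from(rec.ciphertext, "base64");
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}
```

With a passphrase-derived key, the strength of every stored secret is bounded by the passphrase and the scrypt cost, so both belong in the deployment's threat model.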

### Self-hosted dashboard + mobile origin support
Operators can now explicitly allow custom dashboard origins:

```bash
export ELIZA_ALLOWED_ORIGINS="https://bot.example.com,https://ops.example.com"
```

This is in addition to built-in support for:
- `capacitor://localhost`
- `ionic://localhost`
- `https://localhost` (for local/dev flows)

(Implemented in **#7212**.)
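
An added example (not the project's code) of how an exact-match allowlist built from `ELIZA_ALLOWED_ORIGINS` plus the built-in origins can be evaluated. The function names are hypothetical, and the parsing rules (refusing wildcards, paths and `null`) are assumptions.

```typescript
// Built-in WebView and local-dev origins listed above.
const BUILT_IN_ORIGINS = ["capacitor://localhost", "ionic://localhost", "https://localhost"];

// Canonicalise an origin string, or return null when it is not a bare
// scheme://host[:port] (wildcards, paths, credentials and "null" are refused).
function normalizeOrigin(raw: string): string | null {
  const value = raw.trim();
  if (value === "" || value === "null" || value.includes("*")) return null;
  let url: URL;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.host === "" || url.username || url.password || url.search || url.hash) return null;
  if (url.pathname !== "" && url.pathname !== "/") return null;
  // url.origin is "null" for custom schemes such as capacitor://, so rebuild it.
  return `${url.protocol}//${url.host}`.toLowerCase();
}

// Parse the comma-separated ELIZA_ALLOWED_ORIGINS value into an exact-match set.
function buildAllowlist(envValue: string | undefined): Set<string> {
  const allow = new Set<string>();
  for (const raw of [...BUILT_IN_ORIGINS, ...(envValue ?? "").split(",")]) {
    const origin = normalizeOrigin(raw);
    if (origin !== null) allow.add(origin);
  }
  return allow;
}

// Return the value to echo in Access-Control-Allow-Origin, or null to send no
// CORS headers. Matching is whole-string, never prefix, suffix or regex.
function allowedOrigin(header: string | undefined, allow: Set<string>): string | null {
  if (header === undefined) return null;
  const origin = normalizeOrigin(header);
  return origin !== null && allow.has(origin) ? origin : null;
}
```

When the allowed origin is echoed back per request, the response should also carry `Vary: Origin` so shared caches do not serve one origin's CORS headers to another.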

---

## 3) Bug Fixes (critical)

### Fix: missing Anthropic “Claude Code stealth” preload path broke OAuth subscription tokens
A high-impact issue was closed this week: `dev-ui.mjs` referenced a missing preload file (`./claude-code-stealth.mjs`) on fresh clones, which meant the **fetch interceptor never installed**. For Anthropic subscription/OAuth users, this manifested as persistent **401 Invalid authentication credentials** despite valid tokens.

- Issue: https://github.com/elizaos/eliza/issues/7210 (closed)
- Technical root cause: preload file referenced at runtime didn’t exist; existence check silently filtered it out, so required headers/prefix were never applied.

### Fix: plugin-sql runtime-migrator missing `pgTable` definitions caused fresh DB boots to be unusable
Another critical fix closed: three tables were declared in abstract schemas but never added to the plugin-sql drizzle schema set:

- `entity_identities`
- `entity_merge_candidates`
- `fact_candidates`

Because the runtime-migrator generates SQL from drizzle `pgTable` definitions (not the abstract schemas), these tables were **never created** on fresh PGLite boots. This caused cascading failures in state composition (RECENT_MESSAGES, longTermMemory provider, relationship extraction), producing empty/invalid prompts and downstream structured-output parse failures.

- Issue: https://github.com/elizaos/eliza/issues/7222 (closed)

### Reduced test flakiness by removing API module mocks
`app-core` tests were updated to use real module implementations rather than brittle `vi.mock` overrides, improving reliability and reducing “false green” test behavior.

- PR: https://github.com/elizaos/eliza/pull/7226

---

## 4) API Changes (developer-facing)

### Auth/session endpoints (shape + semantics)
From **#7212**:

- `GET /api/auth/me`
  - Accepts legacy bearer authentication.
  - Returns a synthetic identity with `kind: "machine"` when no owner is configured (previously could misreport as `"owner"` in some paths).
- `GET /api/auth/status`
  - Adds explicit `authenticated` boolean so clients can short-circuit pairing logic without overloading `required`.

These changes mainly affect custom clients and embedded/webview frontends.

Links:
- PR: https://github.com/elizaos/eliza/pull/7212

### Settings / secrets behavior changes (vault-first reveal)
From **#7197**:

- `POST /api/plugins/:id/reveal` now checks the vault first, then falls back to legacy `process.env` / `config.env`.
- `PUT /api/plugins/:id` mirrors sensitive fields into the vault and reports `vaultMirrorFailures` back to the UI rather than silently swallowing errors.

Link:
- PR: https://github.com/elizaos/eliza/pull/7197

### Provider switching: plaintext → reference (`apiKeyRef`)
Provider switching operations now store a **reference** to a vault entry rather than raw secrets; legacy plaintext operations are migrated on hydrate.

Link:
- PR: https://github.com/elizaos/eliza/pull/7197

---

## 5) Social Media Integrations

### Discord/Telegram event routing standardization (foundation for reliability)
Earlier this week’s cross-repo coordination emphasized standardizing event routing to reduce platform-specific divergence and improve runtime predictability. If you maintain platform plugins, align with the core event-kind routing and lifecycle expectations.

Reference (week summary):
- PR: https://github.com/elizaos/eliza/pull/7116

### Forward-looking: “all social platforms” runtime vision (v3)
Discord discussions reiterated the v3 direction: full application runtime across devices, deeper social integrations (including iMessage), and workflow-driven runtime apps (create/edit/execute dynamically), with monetization via Eliza Cloud.

(Architecture direction discussed on Discord; not yet a single upstream PR.)

---

## 6) Model Provider Updates

### Anthropic SDK updates + subscription auth considerations
Dependency updates included `@anthropic-ai/sdk` bumps (notably to `^0.92.0`) alongside broader AI SDK upgrades.

- Renovate PR: `@anthropic-ai/sdk` (tracked in the daily rollup; see “completedItems” in the aggregated report)
- Issue context: OAuth subscription flows are sensitive to correct header/prefix behavior (see closed issue **#7210** above).

### AI SDK / provider packages updated
Multiple Renovate PRs updated:
- `ai`
- `@ai-sdk/openai`
- `@ai-sdk/provider`
- `@ai-sdk/provider-utils`

These are non-functional changes by themselves, but plugin maintainers should watch for upstream provider interface shifts when bumping versions.

Example link (one of several):
- PR: https://github.com/elizaos/eliza/pull/7214

---

## 7) Breaking Changes / V1 → V2 Migration Warnings

No single “flag day” breaking PR landed this week, but several ongoing shifts can bite downstream forks and plugin authors during V1→V2/V3-era migration:

### Secrets storage expectations have changed (recommended migration path)
If your plugin or app assumes secrets live in plaintext in `config.env`:
- Prefer vault-backed reads where available (or use Settings reveal endpoints).
- Avoid persisting raw tokens in plugin config; store vault references instead.

Reference:
- https://github.com/elizaos/eliza/pull/7197

### Packaged builds: avoid cross-package relative imports
Packaged builds (tsdown/tree-shaking) can drop or relocate deep exports. If your plugin imports internal files via relative paths into other workspace packages, migrate to public exports (e.g., `@elizaos/core`).

Reference:
- https://github.com/elizaos/eliza/pull/7212

### SQL schema sources of truth must remain consistent
The plugin-sql migrator generates DDL from drizzle schemas, not abstract schema declarations. If you add/modify abstract schemas without adding drizzle `pgTable` definitions, fresh boots can fail in subtle ways.

Reference:
- https://github.com/elizaos/eliza/issues/7222

---

## Notable Discord Engineering Threads (context for upcoming work)

- **Long-lived agent “memory rot” (≈3 months)**: retrieval-only memory (RAG/vector) can silently drift as stale facts persist. Proposed production fix: reconciliation pass with freshness gates on outgoing claims, periodic cross-source diffs, and re-embedding under current ontology. A full field report was requested.
  - Discussion summary: https://discord.com/channels/1253563208833433701/1300025221834739744
- **Robotics integration**: ElizaOS successfully integrated with a Unitree robot (commanded walking), highlighting hardware/control-plane extensibility.
- **Security**: interest in local LLM data storage, agent key security, and red-team swarm testing methodologies (areas likely to intersect with the new vault package and runtime hardening).