# ElizaOS Developer Update (2026-04-27 → 2026-05-03) This update summarizes merged work and critical fixes landing through **2026-05-03** (as of **2026-05-04**), plus relevant developer Discord context. --- ## 1) Core Framework ### Cross-platform secrets + runtime credential plumbing (`@elizaos/vault`) A major architectural addition landed: **`@elizaos/vault`**, a cross-platform secrets vault wired into both the **agent runtime** and the **Settings UI**. This reduces reliance on plaintext `config.env.*` storage and introduces an OS-keychain-backed encryption-at-rest path. Key implementation details: - **AES-256-GCM envelope encryption** with secret-id-as-AAD. - **Master key** sourced from OS keychains by default (macOS Keychain / Windows Credential Manager / Linux Secret Service via `@napi-rs/keyring`), with **headless passphrase fallback** for servers/CI. - **Runtime operations migration** away from plaintext provider keys: `ProviderSwitchIntent.apiKeyRef` replaces `apiKey` end-to-end (legacy ops are auto-migrated at hydrate time). - Settings API now performs a **vault mirror write-through** for sensitive plugin fields and reveals keys **vault-first**. PR: **feat(vault)** `@elizaos/vault` + Settings integration - https://github.com/elizaos/eliza/pull/7197 Related headless stability fix (prevents process-level crashes on Linux without secret service): - https://github.com/elizaos/eliza/pull/7230 --- ### Self-hosted runtime connectivity hardening (CORS + bearer auth) Self-hosted deployments gained better support for remote dashboards and cross-platform builds: - Adds **CORS** controls to runtime-served endpoints - Introduces/standardizes **Bearer auth** for remote agent routing - Addresses build issues across Capacitor + Electrobun packaging paths PR: - https://github.com/elizaos/eliza/pull/7212 --- ### Repo maintainability: consolidation and legacy removal A large-scale cleanup consolidated cloud + plugins into the main repo while removing legacy Rust/Python scaffolding. PR: - https://github.com/elizaos/eliza/pull/7235 Impact: repository layout and CI workflow surfaces changed significantly; downstream tooling that assumes old submodule boundaries may need updates. --- ### Cloud API architecture: Clean Architecture migration (WIP) A longer refactor is underway to address Cloudflare Workers request-scope I/O constraints (not merged; do not build against this branch as stable). PR (Draft/WIP): - https://github.com/elizaos/eliza/pull/7336 ADR referenced in PR: `cloud/docs/architecture/clean-architecture-migration.md` --- ## 2) New Features ### n8n “clarification roundtrip” (NL → workflow) with catalog snapshots ElizaOS now supports a full backend loop for workflows that require user clarification before deployment. What changed: - `POST /api/n8n/workflows/generate` can now return a **short-circuit envelope**: - `status: "needs_clarification"` - `draft` - `clarifications: ClarificationRequest[]` - `catalog: TargetGroup[]` (platform-scoped snapshot for UI quick-picks) - New endpoint: `POST /api/n8n/workflows/resolve-clarification` - Applies `{ paramPath, value }[]` resolutions into the draft (dot-path + bracketed key syntax) - Runs `validateAndRepair` - Deploys when clarifications are resolved PRs: - Connector catalog service (Discord enumeration surfaced for quick-picks): https://github.com/elizaos/eliza/pull/7315 - Clarification routes + response union/types: https://github.com/elizaos/eliza/pull/7316 Backend response shape example: ```ts // /api/n8n/workflows/generate (simplified) type N8nWorkflowGenerateResponse = | { status: "needs_clarification"; draft: unknown; clarifications: ClarificationRequest[]; catalog: TargetGroup[] } | { status: "ok"; workflow: unknown }; ``` Client-side handling sketch: ```ts const res = await fetch("/api/n8n/workflows/generate", { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ prompt }), }).then(r => r.json()); if (res.status === "needs_clarification") { // render quick-picks using res.catalog, bind to res.clarifications const resolve = await fetch("/api/n8n/workflows/resolve-clarification", { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ draft: res.draft, resolutions: [{ paramPath: 'nodes["Discord Send"].parameters.channelId', value: "123" }], }), }).then(r => r.json()); // resolve may return needs_clarification again or deploy final workflow } ``` Notes from review automation in #7316: there are warnings about paramPath formats and legacy clarification pruning edge cases; if you build custom UIs on top of this, validate with real n8n drafts. --- ### Automations UX restoration: NL-first “hero centerpiece” The Automations overview returned to an NL-first entry point (improves workflow creation funnel). PR: - https://github.com/elizaos/eliza/pull/7317 --- ## 3) Bug Fixes (critical) ### Headless Linux segfault on boot (keyring/libsecret / D-Bus) Root cause: `@napi-rs/keyring` could hard-crash the process when a Secret Service is unavailable (headless servers, minimal containers). The fix adds **D-Bus detection + fallback path** so vault/confidant does not attempt OS-keychain calls when it would crash. PR: - https://github.com/elizaos/eliza/pull/7230 Operational guidance: - For headless deployments, prefer passphrase master keys (or env-provisioned passphrase) rather than relying on Secret Service. --- ### Telegram message loss + launch failures (polling race + Bun error handling) Two classes of Telegram failures were addressed: - **Message loss** due to **concurrent pollers** (multiple Telegraf consumers racing `getUpdates`) and related polling lifecycle issues. - **Launch errors** stemming from Bun/runtime writeability constraints in error objects (previously causing silent failures). Issue context (race + silent drop): - https://github.com/elizaos/eliza/issues/7245 (Work landed as part of the stabilization set described in the daily engineering summary; if you run bespoke wrappers around `@elizaos/plugin-telegram`, ensure only one poller owns the bot token.) --- ### SIWE auth reliability on Cloudflare Workers (cache hotfix + domain correctness) Two related fixes: - SIWE endpoints were incorrectly gated on cache availability during a `CACHE_ENABLED=false` hotfix; SIWE was unblocked by bypassing that dependency. - SIWE domain resolution on Workers incorrectly returned `localhost:3000`; now reads from request env. PRs: - https://github.com/elizaos/eliza/pull/7324 - https://github.com/elizaos/eliza/pull/7327 --- ### Client architecture: duplicate `MiladyClient` broke prototype augmentation A critical runtime/UI failure mode occurred when augmenters attached methods to a class that was never instantiated (duplicate class definitions). The fix merged into a canonical client type (standardized as `ElizaClient` in the stabilization notes) so prototype augmentation lands on the live instance. Issue context: - https://github.com/elizaos/eliza/issues/7244 --- ### Auth detection: Codex CLI token shape drift Codex CLI began writing `~/.codex/auth.json` with a modern `tokens.access_token` shape; detection previously only checked legacy `OPENAI_API_KEY/auth_mode`. This caused false “install required” states and prevented auto-enabling the OpenAI provider path. Issue context: - https://github.com/elizaos/eliza/issues/7243 --- ### SQL runtime migrations: missing drizzle `pgTable` definitions `plugin-sql` runtime-migrator only emits DDL from drizzle schema definitions; three abstract schema tables were referenced but not created on fresh PGLite boots, breaking memory/relationship providers and causing chat to degrade into parse errors. Issue context: - https://github.com/elizaos/eliza/issues/7222 --- ## 4) API Changes (developer-facing) ### New n8n endpoints + widened response union - `POST /api/n8n/workflows/resolve-clarification` (new) - `POST /api/n8n/workflows/generate` now may return `{ status: "needs_clarification", ... }` instead of always deploying immediately. PR: - https://github.com/elizaos/eliza/pull/7316 ### Secrets APIs and runtime ops now prefer references over raw keys With vault integration: - Provider switching persists **references** (e.g., `apiKeyRef`) rather than plaintext keys. - Plugin settings save paths now mirror sensitive values into the vault and may surface `vaultMirrorFailures`. PR: - https://github.com/elizaos/eliza/pull/7197 --- ## 5) Social Media Integrations (Twitter / Telegram / Discord / Farcaster) ### Telegram - Stability work focused on preventing polling races and Bun-related launch failure modes (see Bug Fixes). Issue reference for message-loss race: - https://github.com/elizaos/eliza/issues/7245 ### Discord - New **Discord connector target enumeration** is now available via `ConnectorTargetCatalog`, enabling downstream features (notably n8n clarification quick-picks) to present real guild/channel lists. PR: - https://github.com/elizaos/eliza/pull/7315 ### Discord server ops note (developer workflow) In Discord, strict anti-spam URL filters blocked legitimate links; a temporary workaround is to wrap URLs in backticks: - Example: `` `https://domain.com` `` This is a server moderation setting rather than a code change, but it impacts developer collaboration. Discussion context: - https://discord.com/channels/1253563208833433701/1300025221834739744 --- ## 6) Model Provider Updates (OpenAI / Anthropic / DeepSeek / etc.) ### Anthropic SDK bump Anthropic SDK updated in core TypeScript package. PR: - https://github.com/elizaos/eliza/pull/7218 ### AI SDK / OpenAI provider utility bumps Multiple Renovate updates landed for the `ai` SDK and `@ai-sdk/*` packages (not individually breaking, but watch for subtle streaming/tool-call behavior changes). Examples: - https://github.com/elizaos/eliza/pull/7217 - https://github.com/elizaos/eliza/pull/7229 - https://github.com/elizaos/eliza/pull/7214 - https://github.com/elizaos/eliza/pull/7227 ### Provider roadmap signal from Discord (forward-looking) Shaw mentioned ongoing training of a model intended to be made available to users “essentially for free” at quality comparable to “Sonnet 4.5”, and plans for harness-tuned DeepSeek after cloud onboarding. Treat this as roadmap, not shipped API. Discussion context: - https://discord.com/channels/1253563208833433701/1301363808421543988 --- ## 7) Breaking Changes / Migration Warnings (V1 → V2) ### Vault + `apiKeyRef` migration implications If you have tooling that: - reads plugin credentials directly from `config.env.*`, or - expects provider switch operations to store raw `apiKey`, you should update to handle **vault-stored secrets** and/or **reference-based credentials**. The runtime includes migration for legacy ops, but custom integrations may not. PR: - https://github.com/elizaos/eliza/pull/7197 ### n8n generate API is no longer “deploy-only” Automation clients that assumed `POST /api/n8n/workflows/generate` always returns a deployed workflow must now handle the `needs_clarification` branch. PR: - https://github.com/elizaos/eliza/pull/7316 ### Repo consolidation fallout The large consolidation PR may break scripts relying on old paths, submodules, or removed Rust/Python workflows. PR: - https://github.com/elizaos/eliza/pull/7235 --- ### Additional context from Discord: V3 / Cloud / Milady push Discord discussion emphasized near-term focus on: - **ElizaOS V3 launch** - **Eliza Cloud** - **Milady app** (revenue driver) While not merged code this week, this affects what to expect in upcoming breaking changes and release coordination. Discussion context: - https://discord.com/channels/1253563208833433701/1253563209462448241