# ElizaOS Developer Update (2026-05-05) — Week of 2026-04-28 to 2026-05-04 ## 1) Core Framework ### Monorepo restructuring: Cloud + Plugins consolidated A major repository consolidation landed, bringing Cloud + plugin sources into the main `elizaos/eliza` monorepo and removing legacy Rust/Python surfaces that were previously maintained in-tree. This is a foundational change for build/test topology and contributor workflows: - PR: **“chore: add cloud and plugins, remove rust and python”** — https://github.com/elizaos/eliza/pull/7235 **Impact** - CI and workspace dependency graphs now assume Cloud packages exist under `cloud/` and plugins under `plugins/`. - Downstream forks/submodules that referenced removed Rust/Python paths will need to update their build scripts and any pinned paths. ### Runtime config hardening: avoid leaking vault sentinels into `process.env` Config application was fixed so vault sentinel values don’t get written into `process.env` during repeated config hydrations (which happen post-boot in many services). - PR: **“fix(agent): skip vault sentinels in applyConfigEnvToProcessEnv”** — https://github.com/elizaos/eliza/pull/7368 ### LifeOps autonomy modules integrated The LifeOps app gained a large set of autonomy-oriented modules (planning, inbox management, health monitoring, activity reporting) and an “analysis mode” path intended to support deeper structured reasoning/processing in LifeOps flows. - PR: **“Add ilfeops code + analysis mode”** — https://github.com/elizaos/eliza/pull/7356 ## 2) New Features ### Cross-platform secrets vault: `@elizaos/vault` + Settings UI integration A new first-class secrets vault package was added and wired into the runtime + Settings UI so sensitive connector/provider credentials can be encrypted at rest and managed via OS keychains (with headless-safe fallbacks). - PR: **“feat(vault): @elizaos/vault — cross-platform secrets vault + Settings UI integration”** — https://github.com/elizaos/eliza/pull/7197 **What you get** - AES-256-GCM encryption at rest - OS keychain storage for master key (macOS Keychain / Windows Credential Manager / Linux Secret Service), plus passphrase derivation fallback - Vault-first “reveal” behavior in plugin routes so newly saved keys are retrieved from the vault before falling back to legacy env/config - Provider routing now persists *references* to secrets (`apiKeyRef`) rather than plaintext in runtime operations **Minimal example: store and retrieve a secret** ```ts import { sharedVault } from "@elizaos/vault"; const vault = sharedVault(); // Store a sensitive value (encrypted at rest) await vault.set("OPENAI_API_KEY", process.env.OPENAI_API_KEY!, { sensitive: true }); // Later: resolve it for provider initialization const apiKey = await vault.get("OPENAI_API_KEY"); if (!apiKey) throw new Error("Missing OPENAI_API_KEY in vault"); ``` **Developer note** If you maintain custom plugin settings UIs or custom config writers, prefer persisting secret *references* and letting the runtime resolve through the vault, rather than writing plaintext into `config.env.*`. --- ### Cloud monetization path: app-scoped chat + managed domains (Cloudflare) Cloud now supports the production flow for **monetized container app domains**, including: - app-scoped chat endpoint: `POST /api/v1/apps/:appId/chat` - managed domain lifecycle (check/buy/status/sync/verify) - Cloudflare registrar/DNS integration - container control-plane reconciliation improvements - PR: **“feat(cloud): support monetized container app domains”** — https://github.com/elizaos/eliza/pull/7376 - Related docs in-tree (added/updated by the PR): - `cloud/packages/docs/building-a-monetized-app.md` - `cloud/packages/docs/agent-skill-build-monetized-app.md` **Example: call an app-scoped chat endpoint** ```bash curl -X POST "https://www.elizacloud.ai/api/v1/apps/$APP_ID/chat" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $ELIZA_CLOUD_TOKEN" \ -d '{ "messages": [{"role":"user","content":"Explain pricing for my app domain purchase flow."}], "stream": false }' ``` **Important follow-up risk** Automated review flagged edge cases where auth errors could be surfaced as `500` and domain sync might fail to mark domains as verified, affecting CORS origin lists. If you’re building on these endpoints this week, validate: - 401/403 behavior for API-key callers - `verified` propagation after Cloudflare zone provisioning completes (Reference: PR review notes embedded on https://github.com/elizaos/eliza/pull/7376) --- ### Slack connector migrated into monorepo `@elizaos/plugin-slack` is now maintained inside the monorepo alongside other social connectors, with actions/providers/tests brought in. - PR: **“feat(slack): migrate plugin-slack into the monorepo”** — https://github.com/elizaos/eliza/pull/7375 **What’s included** - 11 Slack actions (send/edit/delete, pins, reactions, read/list channels, emoji list, user info) - 3 providers (channel state, member list, workspace info) - 120 unit tests migrated with the plugin **Example: enabling Slack plugin in an app config** ```json { "plugins": { "entries": { "@elizaos/plugin-slack": { "enabled": true } } } } ``` --- ### Automations (n8n): clarification roundtrip + UI quick-picks The n8n workflow generation path gained a full “clarification” loop: the backend route now returns structured clarification requests, and the UI renders inline quick-picks to resolve missing info without abandoning the flow. - Backend route: **“feat(n8n): clarification roundtrip route”** — https://github.com/elizaos/eliza/pull/7316 - UI quick-picks: **“feat(automations): clarification quick-pick UI”** — https://github.com/elizaos/eliza/pull/7341 - Plugin improvements: - **“feat(n8n-workflow): structured ClarificationRequest + name->id prompt rules”** — https://github.com/elizaos/eliza/pull/7373 - **“fix(n8n-workflow): tolerate prose-trailed JSON in parseWorkflowResponse”** — https://github.com/elizaos/eliza/pull/7369 **ClarificationRequest shape (conceptual)** ```ts type ClarificationRequest = { id: string; prompt: string; options?: Array<{ label: string; value: string }>; // paramPath may be omitted for free-form clarifications (see fixes below) paramPath?: string; }; ``` ## 3) Bug Fixes (critical/high impact) ### Headless Linux crash: keychain/libsecret segfault prevented agent boot A process-level segfault on Linux hosts without a Secret Service agent (D-Bus/libsecret) was resolved by skipping OS keychain usage in headless environments and ensuring a safe fallback chain. - PR: **“fix(vault, confidant): skip OS keychain on headless Linux to prevent native segfault on agent boot”** — https://github.com/elizaos/eliza/pull/7230 **Why it mattered** This was not a catchable JS exception—agents could hard-crash during startup on common server environments. If you deploy headlessly, you should rebase onto a revision including this fix. --- ### Cloud dashboard billing fetch render-loop The Cloud dashboard was repeatedly refetching billing data due to a `useEffect` dependency loop, causing unnecessary network load and UI instability. - PR: **“fix(cloud): stop billing-fetch render-loop in CloudDashboard”** — https://github.com/elizaos/eliza/pull/7374 --- ### Cloudflare Pages Functions consolidation (stability + routing correctness) Pages proxy functions were consolidated into `_middleware.ts` to avoid cold-start routing issues tied to route pattern translation and upstream dependency changes. - PR: **“fix(cloud/frontend): consolidate Pages Functions into _middleware.ts”** — https://github.com/elizaos/eliza/pull/7357 --- ### CLI login flow deadlocks + session synchronization fixes Multiple fixes stabilized `/auth/cli-login` completion and steward session synchronization, preventing “stuck generating API key” scenarios and correcting cookie/session propagation: - **CLI login completion effect deadlock** — https://github.com/elizaos/eliza/pull/7367 - **CLI login active-flag race on cleanup** — https://github.com/elizaos/eliza/pull/7377 - **Repair steward login session flow** — https://github.com/elizaos/eliza/pull/7361 - **StewardProvider cookie sync fix** — https://github.com/elizaos/eliza/pull/7360 - **apiFetch for steward-session** — https://github.com/elizaos/eliza/pull/7359 - **SPA direct routing for /steward/** — https://github.com/elizaos/eliza/pull/7358 --- ### Automations clarification resolution bugfixes Two fixes improved correctness of clarification resolution and trigger deletion flows: - **Free-form clarifications supported (paramPath optional)** — https://github.com/elizaos/eliza/pull/7370 - **Pass triggerName correctly for deletion confirmation** — https://github.com/elizaos/eliza/pull/7340 --- ### Plugin build stability: TypeScript version split caused Bun resolver hang A plugin-level TypeScript downgrade introduced a workspace version split that could hang Bun’s resolver. Reverted to restore consistency. - PR: **“fix(plugin-video): revert typescript downgrade that hangs bun resolver”** — https://github.com/elizaos/eliza/pull/7346 ## 4) API Changes (developer-facing) ### New Cloud API endpoints (monetized apps) Added/expanded Cloud endpoints (within the monorepo `cloud/` app) for monetized app chat and domain lifecycle: - `POST /api/v1/apps/:id/chat` - `POST /api/v1/apps/:id/domains/check` - `POST /api/v1/apps/:id/domains/buy` - `POST /api/v1/apps/:id/domains/sync` - `POST /api/v1/apps/:id/domains/verify` - plus DNS record management endpoints under `/api/v1/apps/:id/domains/:domain/dns/...` PR: https://github.com/elizaos/eliza/pull/7376 ### Secrets management routes (vault + multi-backend routing) Vault introduces secrets manager routing APIs (used by Settings UI integrations) and shifts provider switching to prefer secret references: - `GET/POST /api/secrets/manager/{backends,preferences}` (as implemented by the vault feature set) - Plugin save/reveal paths now consult the vault first (see PR #7197) PR: https://github.com/elizaos/eliza/pull/7197 ### n8n clarification roundtrip API Host route returns structured clarifications for workflow generation and supports subsequent resolution calls: - PR: https://github.com/elizaos/eliza/pull/7316 ## 5) Social Media Integrations (Twitter/Telegram/Discord/Farcaster/Slack) ### Slack: now first-class inside the monorepo - Migration PR: https://github.com/elizaos/eliza/pull/7375 **Developer note:** the incoming-message path should be treated as critical infrastructure; ensure your deployments capture and report Slack API errors (rate limits, user lookup failures) to avoid silent drops. ### Discord: target enumeration service for automations A new catalog service surfaces real Discord guilds/channels to support automation setup and clarification flows. - PR: https://github.com/elizaos/eliza/pull/7315 ### Telegram: known integration issue (runtime bypass) Discord discussions and internal tracking identified a Telegram wrapper behavior where the wrapper can bypass the agent runtime, preventing skill/action dispatch. This is not yet reflected as a merged fix in the provided PR set; if you are building Telegram experiences this week, verify: - updates go through the agent runtime event pipeline - actions/skills dispatch occurs for Telegram-originated messages (See the “Identified Issues” section in the daily project summary for 2026-05-04.) ## 6) Model Provider Updates (OpenAI/Anthropic/DeepSeek/etc.) ### Dependency updates - Anthropic SDK updated: - PR: **“fix(deps): update dependency @anthropic-ai/sdk to ^0.92.0”** — https://github.com/elizaos/eliza/pull/7218 - Ongoing AI SDK package bumps (OpenAI adapter + provider utilities): - Example PRs: https://github.com/elizaos/eliza/pull/7227, https://github.com/elizaos/eliza/pull/7224, https://github.com/elizaos/eliza/pull/7229 ### Credential handling improvements via vault integration The vault + Settings wiring improves provider key handling broadly: - Better “primary credential” heuristics for connectors/providers (API key vs bot token vs private key, etc.) - Reduced likelihood of accidentally persisting non-secret fields as credentials PR: https://github.com/elizaos/eliza/pull/7197 ## 7) Breaking Changes / V1 → V2 Migration Warnings ### Repository layout and workspace expectations changed (high risk for forks/submodules) - PR: https://github.com/elizaos/eliza/pull/7235 **If you embed ElizaOS as a submodule or vendored dependency** - Re-check any path assumptions (`cloud/`, `plugins/`, removed Rust/Python directories). - Re-run lockfile generation and validate your CI jobs that previously targeted standalone repos. ### Secrets and provider configuration: move away from plaintext keys With `@elizaos/vault`, the recommended path is now: - store secrets in the vault - persist references (`apiKeyRef`) instead of raw `apiKey` - avoid copying vault sentinel values into `process.env` PRs: https://github.com/elizaos/eliza/pull/7197, https://github.com/elizaos/eliza/pull/7368 **Migration guidance** If you have custom runtime ops or provider-switch code that expects `apiKey` fields, update it to resolve secrets via the vault/ref layer rather than reading directly from config/env. --- ### Community / Dev-Discord note (operational) Discord spam filtering was tightened due to bot activity; developers sharing URLs may need to wrap links in backticks to avoid auto-deletion (workaround shared in Discord on 2026-05-03). This doesn’t affect runtime behavior but may impact support/debug workflows in community channels.