# ElizaOS Developer Update (2026-04-30 → 2026-05-06) This update covers merged work and notable discussions across core/runtime, Cloud, and plugins, plus key fixes affecting self-hosting and connector reliability. --- ## 1) Core Framework ### Monorepo consolidation: Cloud + plugins integrated, legacy stacks removed A large repo reshape landed to consolidate Cloud and plugin codepaths directly into `elizaos/eliza`, while removing legacy Rust/Python surfaces from the primary distribution. This significantly changes how developers navigate and vendor the ecosystem. - PR: **“chore: add cloud and plugins, remove rust and python”** ([elizaos/eliza#7235](https://github.com/elizaos/eliza/pull/7235)) **Impact (practical):** - Cloud code is now co-located with runtime/app-core and plugin sources. - Plugin development increasingly assumes the monorepo layout (`plugins/*`) as canonical. - If you maintained automation around standalone plugin repos, expect path/layout drift. ### Plugin lifecycle & self-hosted runtime hardening Self-hosted connectivity received substantial work: CORS, bearer auth, and cross-platform build fixes, plus additional runtime plugin lifecycle wiring. - PR: **“feat(self-hosted): CORS + bearer auth + cross-platform build fixes”** ([elizaos/eliza#7212](https://github.com/elizaos/eliza/pull/7212)) This is foundational for running remote dashboards and mobile/desktop shells against a self-hosted agent runtime with consistent authentication. --- ## 2) New Features ### `@elizaos/vault`: cross-platform secrets vault + Settings UI integration A new first-class secrets vault package landed, with runtime + Settings UI integration and a migration away from plaintext `config.env.*` storage for sensitive values. - PR: **“feat(vault): @elizaos/vault — cross-platform secrets vault + Settings UI integration”** ([elizaos/eliza#7197](https://github.com/elizaos/eliza/pull/7197)) **What it enables:** - AES-256-GCM encryption-at-rest for secrets - OS keychain-backed master key by default (Keychain / Credential Manager / Secret Service) - Headless passphrase-derived master key fallback for server environments - Vault-first reveal path (`/api/plugins/:id/reveal`) and write-through mirroring on plugin saves - Provider routing now supports storing **references** (`apiKeyRef`) rather than raw keys in runtime ops **Code example (vault usage in-package)** ```ts import { sharedVault } from "@elizaos/vault"; const vault = sharedVault(); // Store sensitive key (encrypted at rest) await vault.set("OPENAI_API_KEY", process.env.OPENAI_API_KEY!, { sensitive: true }); // Retrieve later (e.g., when building provider clients) const apiKey = await vault.get("OPENAI_API_KEY"); ``` **Developer notes:** - If you built plugins that rely on reading secrets directly from `process.env`, ensure you also support the Settings save/reveal flow. The runtime increasingly prefers vault-backed values where available. - For headless servers, ensure you provide a passphrase path if no OS keychain is present (see bug fix section for headless Linux constraints). ### Slack connector is now in the monorepo Slack was migrated into `plugins/plugin-slack`, bringing actions/providers/tests alongside other connectors. - PR: **“feat(slack): migrate plugin-slack into the monorepo”** ([elizaos/eliza#7375](https://github.com/elizaos/eliza/pull/7375)) **Highlights:** - 11 actions (send/edit/delete, channel ops, pins, reactions, emoji list, etc.) - 3 providers (workspace/channel/member context) - Socket Mode service - Unit tests included (120 tests) If you depended on `elizaos-plugins/plugin-slack`, plan to update import and contribution workflows to the monorepo source-of-truth. ### Cloud: monetized container app domains + app-scoped chat endpoint Cloud gained a production path for agent-built monetized apps, including app-scoped chat and managed domains (Cloudflare flows). - PR: **“feat(cloud): support monetized container app domains”** ([elizaos/eliza#7376](https://github.com/elizaos/eliza/pull/7376)) **New/expanded endpoints (Cloud):** - `POST /api/v1/apps/:appId/chat` (app-scoped inference with monetization metadata) - Domain lifecycle routes under `/api/v1/apps/:id/domains/*` (check/buy/status/sync/verify) - Container deployment monitoring reconciliation (deploying → running) **Example: app-scoped chat call** ```bash curl -X POST "https://api.elizacloud.ai/api/v1/apps/$APP_ID/chat" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $STEWARD_TOKEN" \ -d '{ "messages": [{ "role": "user", "content": "Explain the app pricing model." }], "stream": false }' ``` ### n8n clarification loop (end-to-end) + UX quick-picks The n8n workflow generation flow now supports a structured clarification roundtrip from plugin → host routes → UI rendering. - PR (host routes): **“feat(n8n): clarification roundtrip route”** ([elizaos/eliza#7316](https://github.com/elizaos/eliza/pull/7316)) - PR (UI): **“feat(automations): clarification quick-pick UI”** ([elizaos/eliza#7341](https://github.com/elizaos/eliza/pull/7341)) - PR (plugin): **“feat(n8n-workflow): structured ClarificationRequest + name->id prompt rules”** ([elizaos/eliza#7373](https://github.com/elizaos/eliza/pull/7373)) This reduces “hallucinated config” behavior by forcing missing credentials/targets to be explicitly requested and supplied. --- ## 3) Bug Fixes (critical) ### Headless Linux segfault on boot: keychain access guarded A process-level crash was fixed for headless Linux hosts where the Secret Service backend is unavailable (common in server/CI). - PR: **“fix(vault, confidant): skip OS keychain on headless Linux to prevent native segfault on agent boot”** ([elizaos/eliza#7230](https://github.com/elizaos/eliza/pull/7230)) **Why it mattered:** - `@napi-rs/keyring` + `libsecret` can segfault when D-Bus/Secret Service isn’t reachable. - This was not a catchable JS exception; it killed the runtime process. - The vault now uses a safer selection chain for master key sources on headless Linux. **Operational note:** for self-hosted servers, ensure your deployment provides either (a) a functional Secret Service, or (b) a passphrase-based master key path supported by the vault. ### Vault sentinel pollution in `process.env` A follow-up fix prevents vault “sentinel” values from being propagated into `process.env` during config loads. - PR: **“fix(agent): skip vault sentinels in applyConfigEnvToProcessEnv”** ([elizaos/eliza#7368](https://github.com/elizaos/eliza/pull/7368)) If you experienced provider initialization with non-key placeholder values after enabling vault-backed settings, this addresses that class of failure. ### Cloud auth stability: SIWE unblocked + correct host/domain resolution SIWE endpoints and domain handling were fixed to work correctly in Worker environments and when cache is disabled. - PR: **“fix(cloud/auth): unblock SIWE by bypassing the disabled cache singleton”** ([elizaos/eliza#7324](https://github.com/elizaos/eliza/pull/7324)) - PR: **“fix(cloud/auth): pass c.env to getAppHost/getAppUrl on Worker (SIWE domain)”** ([elizaos/eliza#7327](https://github.com/elizaos/eliza/pull/7327)) - PR: **“fix(cloud): re-apply auth fixes lost in cloud → eliza migration”** ([elizaos/eliza#7288](https://github.com/elizaos/eliza/pull/7288)) ### n8n workflow generation: tolerate trailing prose after JSON Workflow parsing was hardened when models append non-JSON text after an expected JSON payload. - PR: **“fix(n8n-workflow): tolerate prose-trailed JSON in parseWorkflowResponse”** ([elizaos/eliza#7369](https://github.com/elizaos/eliza/pull/7369)) ### Automations clarification resolution: support free-form clarifications Clarification resolution no longer assumes every clarification maps to a concrete `paramPath`. - PR: **“fix(automations): support free-form clarifications in resolve flow”** ([elizaos/eliza#7370](https://github.com/elizaos/eliza/pull/7370)) --- ## 4) API Changes (developer-facing) ### Provider switching now supports `apiKeyRef` (vault reference) instead of plaintext As part of vault integration, runtime operations and provider switching paths now prefer storing references to secrets rather than secrets themselves. - Implemented in: [elizaos/eliza#7197](https://github.com/elizaos/eliza/pull/7197) **What to watch for:** - If you built custom provider routes or persisted provider ops externally, confirm you handle `apiKeyRef` in addition to (or instead of) `apiKey`. - Plugin save/reveal semantics now consult vault first, then fall back to `process.env`/`config.env` for compatibility. ### Cloud API expansion for apps/domains Cloud introduced/expanded app-scoped and domain-scoped endpoints (see New Features section). - Implemented in: [elizaos/eliza#7376](https://github.com/elizaos/eliza/pull/7376) **Note:** This PR touched billing reconciliation and auth classification paths; review the PR discussion and tests if you are integrating directly with Cloud billing/app chat. --- ## 5) Social Media Integrations (Twitter/Telegram/Discord/Farcaster) ### Telegram reliability: duplicate pollers can drop messages (recently triaged) A critical integration pitfall was identified: two Telegraf pollers using the same bot token will race `getUpdates`, causing silent message loss. This was surfaced as an issue and closed after investigation. - Issue: **telegram dual-poller race → silent message loss** ([elizaos/eliza#7245](https://github.com/elizaos/eliza/issues/7245)) **Action for developers shipping Telegram bots:** - Ensure only one component owns long-polling for a given token (either the Telegram plugin *or* an app wrapper, not both). - Prefer the canonical plugin path unless you have a platform-specific lifecycle workaround. ### Discord targeting support for automations Discord connector targeting catalog was added for enumerating real guilds/channels and feeding the automations clarification loop. - PR: **“feat(app-core): connector-target-catalog service (Discord)”** ([elizaos/eliza#7315](https://github.com/elizaos/eliza/pull/7315)) ### Security note (Discord community ops) Discord discussion flagged recurring scam links around token migration/bridging. While not a code change, developers should avoid embedding unofficial bridging URLs in docs/UI and should prefer vetted providers. - Discussion context (Discord, 2026-05-05): bridging suggestions included Wormhole / deBridge; multiple scam warnings. --- ## 6) Model Provider Updates (OpenAI/Anthropic/DeepSeek/etc.) ### Anthropic SDK bumped - PR: **“fix(deps): update dependency @anthropic-ai/sdk to ^0.92.0”** ([elizaos/eliza#7218](https://github.com/elizaos/eliza/pull/7218)) ### Ongoing “eliza-1” model training (community/dev discussion) Shaw shared ongoing work training **eliza-1**, a general-purpose model based on **Qwen**, trained inside the Eliza harness with performance/efficiency techniques: - speculative decoding (“dflash”) - “caveman compression” applied to thinking processes - “turboquant” quantization pipeline - Mentioned a **v2.0.0-beta.0** release being pushed to GitHub during this cycle (Discord: [2026-05-05 discussion thread](https://discord.com/channels/1253563208833433701/1253563209462448241)) **Developer implication:** expect upcoming provider/runtime surface area for hosting or routing to an Eliza-native model; if you maintain custom model-provider plugins, keep an eye on new decoding/quantization assumptions and any required metadata/config. --- ## 7) Breaking Changes / V1 → V2 Migration Warnings ### Monorepo migration changes paths and “source of truth” - The integration of Cloud and plugins into `elizaos/eliza` ([#7235](https://github.com/elizaos/eliza/pull/7235)) can break: - scripts that clone standalone plugin repos - references to old repository URLs in package metadata - CI workflows expecting multi-language layouts **Recommendation:** pin to tagged releases for production and update any automation to target monorepo plugin paths (`plugins/`). ### Secrets handling: don’t assume plaintext env persistence With vault integration ([#7197](https://github.com/elizaos/eliza/pull/7197)): - sensitive settings may be stored encrypted and referenced indirectly - provider selection may persist `apiKeyRef` not `apiKey` - reveal flows consult vault first **Migration checklist for plugin authors:** - Treat credentials fields as sensitive and compatible with vault mirroring. - Avoid logging raw secrets; rely on masked logging utilities where available. - When reading config, prefer the platform’s resolved credential access path rather than directly parsing `config.env`. ### Node/Bun/platform skew Some packages are moving quickly (e.g., Node 24 bump in specific plugin packages, plus cross-platform build work). If your downstream environment pins older Node versions, verify compatibility before pulling latest `develop`. - Example PR affecting Node versioning: [elizaos/eliza#7239](https://github.com/elizaos/eliza/pull/7239) --- ### References - Core repo: https://github.com/elizaos/eliza - Vault feature PR: https://github.com/elizaos/eliza/pull/7197 - Self-hosted runtime fixes: https://github.com/elizaos/eliza/pull/7212 - Monorepo consolidation: https://github.com/elizaos/eliza/pull/7235 - Slack plugin migration: https://github.com/elizaos/eliza/pull/7375 - Cloud monetized apps/domains: https://github.com/elizaos/eliza/pull/7376