# ElizaOS Developer Update (2026-05-08 → 2026-05-14)

This update summarizes core/runtime work in `elizaos/eliza`, key plugin migrations, Cloud API surface changes, and integration discussions captured in Discord.

---

## 1) Core Framework

### Cross-platform secrets vault + runtime wiring
Work this week continues the shift away from plaintext `config.env.*` storage toward an OS-backed secrets vault:

- **`@elizaos/vault` introduced + wired into Settings + runtime** ([PR #7197](https://github.com/elizaos/eliza/pull/7197))
  - Adds encrypted-at-rest secrets storage (AES-256-GCM), with master key sourced from:
    - macOS Keychain / Windows Credential Manager / Linux Secret Service (via `@napi-rs/keyring`)
    - **Headless fallback** via passphrase-derived master key (scrypt) for servers/CI
  - Settings “save key” flows now **mirror sensitive fields into the vault** and **reveal reads vault-first** (then falls back to env/legacy config).

- **Headless Linux crash fix for keychain path** ([PR #7230](https://github.com/elizaos/eliza/pull/7230))
  - Prevents native segfaults when `libsecret` is unavailable (typical on headless servers without a running Secret Service / D-Bus session).
  - If you deploy agents on headless Linux, update to include this fix; otherwise the process may hard-crash at boot.

**Developer impact:** prefer storing provider secrets via vault references (`apiKeyRef`) rather than persisting raw keys.

```ts
import { sharedVault } from "@elizaos/vault";

// Store a sensitive value (encrypted at rest)
await sharedVault().set("OPENAI_API_KEY", process.env.OPENAI_API_KEY!, { sensitive: true });

// Read it later (same key)
const key = await sharedVault().get("OPENAI_API_KEY");
```

Related: runtime config loader now skips vault sentinel values to avoid polluting `process.env` with placeholder refs ([PR #7368](https://github.com/elizaos/eliza/pull/7368)).

---

## 2) New Features

### App automation clarification loop (n8n) end-to-end
The n8n workflow generation path gained a full “needs clarification” roundtrip:

- Host route now supports clarification resolution ([PR #7316](https://github.com/elizaos/eliza/pull/7316))
- UI adds inline quick-pick clarification panel ([PR #7341](https://github.com/elizaos/eliza/pull/7341))
- n8n-workflow plugin formalizes `ClarificationRequest` and improves prompt routing (name → id rules) ([PR #7373](https://github.com/elizaos/eliza/pull/7373))

This enables agents to return structured missing-info requests instead of failing generation, and lets the UI feed back user selections to continue the workflow build.

### Discord connector target discovery service
- New `ConnectorTargetCatalog` service exposes real Discord guild/channel targets for configuration and automation context ([PR #7315](https://github.com/elizaos/eliza/pull/7315)).

### Cloud: monetized container app domains + app-scoped chat
Cloud gained a production path for agent-built monetized apps:

- App-scoped chat endpoint: `POST /api/v1/apps/:appId/chat` ([PR #7376](https://github.com/elizaos/eliza/pull/7376))
- Managed domain lifecycle (Cloudflare buy/check/status/sync/verify), ownership checks, and container deployment status reconciliation.

**Note:** PR #7376 landed with review notes that are important for operators and SDK consumers—see “Bug Fixes” and “API Changes” below for the gotchas and recommended handling.

### New connector in monorepo: Slack
- `@elizaos/plugin-slack` migrated into the monorepo under `plugins/plugin-slack/` ([PR #7375](https://github.com/elizaos/eliza/pull/7375))
  - Includes 11 actions (send/edit/delete/react/pins/channel ops) and 3 providers (channel state/member list/workspace info)
  - Updated for core API drift: `State.recentMessagesData` typing and `MentionContext` required fields.

---

## 3) Bug Fixes (critical fixes with context)

### Vault/keychain boot crash on headless Linux (process segfault)
- Fixed by **skipping OS keychain usage on headless Linux** and relying on passphrase/env fallback paths ([PR #7230](https://github.com/elizaos/eliza/pull/7230)).
- Why it mattered: failures were not JS exceptions; they were native crashes, causing non-deterministic boot failures in server deployments.

### n8n workflow generation robustness
Several issues that caused “looks like JSON but parse fails” failures were addressed:

- Tolerate prose appended after JSON objects in workflow responses ([PR #7369](https://github.com/elizaos/eliza/pull/7369))
- Render runtime facts as fenced JSON blocks for more reliable extraction ([PR #7372](https://github.com/elizaos/eliza/pull/7372))
- Support free-form clarifications without `paramPath` mapping ([PR #7370](https://github.com/elizaos/eliza/pull/7370))

### Cloud auth regression fixes (SIWE + steward session)
Multiple fixes landed to restore production auth behavior after cloud→monorepo migration:

- Re-apply hotfixes lost during squash import ([PR #7288](https://github.com/elizaos/eliza/pull/7288))
- Bypass disabled cache singleton that caused SIWE endpoints to 503 in prod ([PR #7324](https://github.com/elizaos/eliza/pull/7324))
- Fix SIWE domain/host calculation by passing `c.env` through Worker paths ([PR #7327](https://github.com/elizaos/eliza/pull/7327))
- Several Cloud frontend fixes to CLI login completion deadlocks and proxy routing issues ([PRs #7357](https://github.com/elizaos/eliza/pull/7357), [#7358](https://github.com/elizaos/eliza/pull/7358), [#7367](https://github.com/elizaos/eliza/pull/7367), [#7377](https://github.com/elizaos/eliza/pull/7377))

### Registry ID collision fix
- Resolved registry loader failure caused by app/plugin sharing the same id `polymarket` ([PR #7314](https://github.com/elizaos/eliza/pull/7314)).

---

## 4) API Changes (developer-visible)

### Secrets + plugins routes (vault integration)
- Sensitive plugin parameters saved via Settings are now **mirrored to vault** and may be persisted as **references** rather than raw values. See:
  - Vault introduction + Settings integration ([PR #7197](https://github.com/elizaos/eliza/pull/7197))
- Provider-switch / operations paths now prefer `apiKeyRef` over `apiKey` and auto-migrate legacy operations during hydrate (part of [PR #7197](https://github.com/elizaos/eliza/pull/7197)).

**Practical guidance:** if you build custom settings panels or external provisioning tools, expect sensitive fields to be stored/revealed through vault-backed routes rather than plain config reads.

### Cloud: new app-scoped chat endpoint
- `POST /api/v1/apps/:appId/chat` introduced ([PR #7376](https://github.com/elizaos/eliza/pull/7376))

**Operator / SDK caution:** review flagged cases where auth errors could be misclassified (e.g., returned as 500 instead of 401/403) due to error handling inside `Promise.all` in the route implementation. If you are integrating against this endpoint, treat `500` with structured error payloads as potentially-auth-related until follow-up hardening lands (see PR discussion in [#7376](https://github.com/elizaos/eliza/pull/7376)).

### n8n clarification resolve flow
- New clarification roundtrip host routes used by UI ([PR #7316](https://github.com/elizaos/eliza/pull/7316)), plus UI quick-pick integration ([PR #7341](https://github.com/elizaos/eliza/pull/7341)).

---

## 5) Social Media / Messaging Integrations

### Slack (newly monorepo-managed)
- `plugins/plugin-slack/` now lives in-tree ([PR #7375](https://github.com/elizaos/eliza/pull/7375)).
- If you were depending on the standalone repo (`elizaos-plugins/plugin-slack`), plan to pin to monorepo releases going forward.

### Discord (automation targeting)
- Discord target enumeration surfaced via `ConnectorTargetCatalog` ([PR #7315](https://github.com/elizaos/eliza/pull/7315)), enabling more reliable “pick a channel” UX for automations/agents.

### Telegram / Discord stability (recent)
While not all landed strictly inside this 7-day window, developers discussed ongoing connector reliability and config propagation issues; recent fixes to be aware of:
- Telegram runtime token application fix (plugin repo) ([plugin-telegram PR #29](https://github.com/elizaos-plugins/plugin-telegram/pull/29))
- Discord plugin config consistency around auto-reply in voice paths ([plugin-discord PR #50](https://github.com/elizaos-plugins/plugin-discord/pull/50), issue [#49](https://github.com/elizaos-plugins/plugin-discord/issues/49))

---

## 6) Model Provider Updates

### Anthropic SDK bump
- `@anthropic-ai/sdk` updated to `^0.92.0` ([PR #7218](https://github.com/elizaos/eliza/pull/7218))

### AI SDK dependency train
A number of Renovate bumps landed (AI SDK + provider utils + OpenAI wrapper). If you maintain custom providers/actions, keep an eye on transitive behavior changes:
- `ai` bumps (e.g., [PR #7229](https://github.com/elizaos/eliza/pull/7229))
- `@ai-sdk/openai` bumps (e.g., [PR #7227](https://github.com/elizaos/eliza/pull/7227))

### Community: Eliza-1 (Qwen3.5) model series announced
Discord announcement (community-facing, relevant for self-hosters choosing default models):
- Eliza-1 series spans **0.6B (mobile/offline)** → **27B-1M (1M context)**; 0.8B is training on H200s (Discord, 2026-05-13)
  - Discussion thread: https://discord.com/channels/1253563208833433701/1253563209462448241

---

## 7) Breaking Changes / Migration Warnings (V1 → V2 and ecosystem shifts)

### Plugin distribution + registry submission instability (v2)
Discord reported a **404 / missing access** issue for the v2 plugin registry infrastructure:
- `elizaos-plugins/registry` repo and `plugins.elizacloud.ai` returning 404 (Discord, 2026-05-12)
- Policy discussions included potentially reverting to direct PRs to `elizaos/eliza` for plugin listing, especially for **BUSL-1.1 licensed** plugins that cannot be merged into the monorepo.

**Impact:** if your v2 plugin publish pipeline depends on the registry endpoint, treat it as unstable until a definitive policy and access restoration is announced.

### Ongoing monorepo consolidation
- Large consolidation PR brought cloud and many plugins into `elizaos/eliza`, while removing legacy rust/python layout assumptions ([PR #7235](https://github.com/elizaos/eliza/pull/7235)).
- Practical effect: expect “source of truth” for many plugins to move into the monorepo; standalone plugin repos may become mirrors/archives.

### V3 roadmap questions (AgentID/identity system)
Developers asked for clarity on whether v3 work is currently infrastructure stabilization vs. nearing public exposure of the autonomous workflow stack, and how much of the **identity/AgentID** system is integrated (Discord, 2026-05-13). No definitive answer was recorded in-channel:
- Thread: https://discord.com/channels/1253563208833433701/1253563209462448241

---

## Appendix: Ecosystem Integration Notes (Discord)

### GODL protocol (Solana) integration proposal via `skill.md`
A proposed integration pattern aligns with ElizaOS’s existing skill ingestion:

- GODL exposes SDKs + websockets + automation hooks and a public `skill.md` designed for agent/tool integration.
- Confirmed in Discord: ElizaOS can use `skill.md` **as-is** (odilitime, 2026-05-13).
  - Coders channel thread: https://discord.com/channels/1253563208833433701/1300025221834739744

If you’re building an external protocol integration, `skill.md` remains the fastest path to “agent can use the protocol” without deep runtime modifications.

---