# Issue Triage — 2025-12-14 (elizaOS)

## 1) TEXT_LARGE error on minimal prompts when no AI provider plugin is registered (Discord: 💬-coders)
- **Issue Title & ID:** `TEXT_LARGE` error even on “hi” when no AI plugin is registered (Discord report; no GH ID)
- **Current Status:** Open; user workaround suggested (install/register OpenAI or other inference plugin; run `elizaos update`)
- **Impact Assessment**
  - **User Impact:** **High** (hits new users immediately during first-run)
  - **Functional Impact:** **Yes** (blocks basic chat/inference)
  - **Brand Impact:** **High** (looks like a hard failure on hello-world)
- **Technical Classification**
  - **Issue Category:** Bug / UX
  - **Component Affected:** Core Runtime + Plugin System + CLI (initial project setup / provider selection)
  - **Complexity:** Moderate effort (better error handling + setup validation)
- **Resource Requirements**
  - **Required Expertise:** Core runtime initialization, plugin registration flow, CLI “create” scaffolding, error messaging
  - **Dependencies:** Align with CLI/provider defaults (e.g., Eliza Cloud default provider work) and plugin docs
  - **Estimated Effort:** **3/5**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps**
  1. Reproduce with a fresh project missing inference plugin; capture exact stack trace and where `TEXT_LARGE` is thrown.
  2. Change failure mode: detect “no inference provider registered” at startup and emit a targeted error (“No AI provider configured. Install/register plugin-openai or configure Eliza Cloud.”).
  3. Add CLI guardrails: during `elizaos create`, ensure an inference provider is selected and written to config/env.
  4. Add a short “First-run checklist” doc section + link in error output.
- **Potential Assignees:** **wtfsayo (sayonara)** (plugin/provider guidance), **lalalune** (CLI flow), **standujar (Stan)** (runtime init / error handling)

---

## 2) OpenAI plugin installation failures likely caused by outdated packages (Discord: 💬-coders)
- **Issue Title & ID:** OpenAI plugin install fails until `elizaos update` (Discord report; no GH ID)
- **Current Status:** Open; workaround communicated (“run `elizaos update`”)
- **Impact Assessment**
  - **User Impact:** **High** (common path for inference)
  - **Functional Impact:** **Yes** (blocks adding the default inference provider)
  - **Brand Impact:** **High** (installation failure = trust loss)
- **Technical Classification**
  - **Issue Category:** Bug / Documentation
  - **Component Affected:** CLI (update/install), Plugin System (version compatibility), package/dependency management
  - **Complexity:** Moderate effort
- **Resource Requirements**
  - **Required Expertise:** CLI package management, semver/peer deps, monorepo release/versioning
  - **Dependencies:** Recent dependency harmonization work (e.g., drizzle/monorepo bumps) and release pipeline
  - **Estimated Effort:** **3/5**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps**
  1. Collect failing install logs (OS, node/bun version, CLI version, exact command).
  2. Add CLI preflight: detect “CLI/core/plugin version mismatch” and prompt auto-update with a single confirm.
  3. Add compatibility matrix in docs: supported CLI/core/plugin versions; ideally make CLI enforce it.
  4. Add an integration test in CLI CI that installs plugin-openai on a freshly created project.
- **Potential Assignees:** **lalalune** (CLI + cloud onboarding), **standujar (Stan)** (release/build), **ChristopherTrimboli** (CI/testing)

---

## 3) Monorepo breakage after cleanup PR; requires stabilization + rebasing downstream PRs (PR #6218, follow-on work)
- **Issue Title & ID:** TypeScript/build/test breakages after “deslop” cleanup; stabilization needed — **PR #6218**
- **Current Status:** Fix exists but needs end-to-end confirmation and merge coordination; downstream PRs need rebase
- **Impact Assessment**
  - **User Impact:** **Medium** (end users indirectly; contributors directly)
  - **Functional Impact:** **Partial** (blocks development velocity and safe releases)
  - **Brand Impact:** **High** (visible instability in main branch / contributor friction)
- **Technical Classification**
  - **Issue Category:** Bug / Developer Experience
  - **Component Affected:** Core Framework + CLI + Plugins (cross-cutting types/build)
  - **Complexity:** Moderate effort (coordination + CI hardening)
- **Resource Requirements**
  - **Required Expertise:** TypeScript, monorepo dependency graph, CI workflows
  - **Dependencies:** Merge order with other large PRs (Cloud integration PR #6216; Auth PR #6200)
  - **Estimated Effort:** **3/5**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps**
  1. Run full CI matrix (unit/integration/e2e where available) on #6218; verify no regressions in plugin-sql and server.
  2. Land #6218 with a short freeze window; immediately rebase/resolve conflicts for open PRs.
  3. Add a “merge safety” checklist for large refactors (incremental merges, feature flags, pre-merge CI gates).
- **Potential Assignees:** **standujar (Stan)** (stabilization lead), **lalalune** (author context), **ChristopherTrimboli** (CI/QA)

---

## 4) React dependency security vulnerabilities (Discord mention; no linked GH issue yet)
- **Issue Title & ID:** Update React due to newly disclosed vulnerabilities (Discord report; no GH ID)
- **Current Status:** Known risk; not tracked as a concrete GH issue in provided data
- **Impact Assessment**
  - **User Impact:** **Medium** (depends on exploitability; higher for hosted apps)
  - **Functional Impact:** **No** (but security risk)
  - **Brand Impact:** **High** (security posture)
- **Technical Classification**
  - **Issue Category:** Security
  - **Component Affected:** Client/App (React), potentially Server-rendered surfaces if any
  - **Complexity:** Moderate effort (upgrade + regression testing)
- **Resource Requirements**
  - **Required Expertise:** Frontend dependency upgrades, bundler/tooling (Vite/Next/Tauri if applicable), regression testing
  - **Dependencies:** Ensure compatibility with Next.js patching already mentioned (Next.js 16.0.10 patch to elizaos.ai)
  - **Estimated Effort:** **3/5**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps**
  1. Create a GH Security/Dependabot-tracked issue with exact CVEs/advisories and affected packages.
  2. Upgrade React + related packages; run client build + Cypress tests (if present).
  3. Cut a patch release; publish upgrade guidance.
- **Potential Assignees:** **jin** (raised concern), **Odilitime** (frontend perf/patching), **ChristopherTrimboli** (test validation)

---

## 5) Token migration failures on Bithumb affecting Korean users (Discord: migration support)
- **Issue Title & ID:** ELIZA token migration issues for Bithumb users (Discord report; no GH ID)
- **Current Status:** Acknowledged; waiting on Bithumb; users frustrated
- **Impact Assessment**
  - **User Impact:** **High** (exchange user cohort impacted)
  - **Functional Impact:** **No** (not core framework), but blocks user asset access
  - **Brand Impact:** **Critical** (trust + reputation + community sentiment)
- **Technical Classification**
  - **Issue Category:** UX / Operations (external dependency)
  - **Component Affected:** Ecosystem/Operations (migration infra), Support workflow
  - **Complexity:** Complex solution (external partner + comms + potential tooling)
- **Resource Requirements**
  - **Required Expertise:** Partner ops, on-chain/migration knowledge, support tooling, communications
  - **Dependencies:** Bithumb action/approval; migration contract constraints
  - **Estimated Effort:** **4/5**
- **Recommended Priority:** **P1** (treat as urgent due to brand impact)
- **Specific Actionable Next Steps**
  1. Create a single source-of-truth status page/update thread (daily/bi-daily) with timelines and what users must do.
  2. Provide a “proof of eligibility” checklist for snapshot holders; reduce scam risk with pinned guidance.
  3. If feasible, prepare an alternative remediation path (manual claims tool / support-ticket-based verification).
- **Potential Assignees:** **jasyn_bjorn** (already engaged), **Odilitime** (coordination), **jin** (comms + security/scam prevention)

---

## 6) pglite performance regression in swarm environment (10ms → 900ms response times)
- **Issue Title & ID:** pglite performance degrades severely under load (Discord report; no GH ID)
- **Current Status:** Observed; suggested workaround: use PostgreSQL instead of pglite
- **Impact Assessment**
  - **User Impact:** **Medium** (subset using pglite; but likely common in local/dev)
  - **Functional Impact:** **Partial** (system usable but painfully slow)
  - **Brand Impact:** **Medium** (perceived “slow framework”)
- **Technical Classification**
  - **Issue Category:** Performance
  - **Component Affected:** Plugin System (plugin-sql), Storage layer (pglite), Runtime/migrations
  - **Complexity:** Complex solution (profiling + architectural tuning)
- **Resource Requirements**
  - **Required Expertise:** DB/storage profiling, plugin-sql internals, concurrency/load behavior
  - **Dependencies:** Recent plugin-sql directory/migration changes; dependency bumps may influence
  - **Estimated Effort:** **4/5**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps**
  1. Reproduce with a benchmark script (single agent vs swarm; record QPS/latency).
  2. Profile I/O and locking behavior; verify journaling, WAL settings, or file system contention.
  3. Add documentation: when to prefer Postgres; provide “pglite known limits” guidance.
  4. Consider connection pooling / batching writes / reducing sync points in message persistence.
- **Potential Assignees:** **Odilitime** (reported), **standujar (Stan)** (server/runtime), **wtfsayo** (plugin triage support)

---

## 7) Twitter agent/plugin consuming excessive API requests (50 per call)
- **Issue Title & ID:** Twitter integration over-fetching / excessive API calls (Discord report; no GH ID)
- **Current Status:** Reported by FenrirFawks; no fix tracked in provided GH issues
- **Impact Assessment**
  - **User Impact:** **Medium** (users of Twitter agent)
  - **Functional Impact:** **Partial** (may hit rate limits; increased cost)
  - **Brand Impact:** **Medium** (looks inefficient/unreliable)
- **Technical Classification**
  - **Issue Category:** Performance / Bug
  - **Component Affected:** Model Integration / Plugin (Twitter)
  - **Complexity:** Moderate effort
- **Resource Requirements**
  - **Required Expertise:** Twitter/X API, plugin architecture, rate limiting/backoff strategies
  - **Dependencies:** Any recent TypeScript/build fixes impacting plugin-twitter SQL usage
  - **Estimated Effort:** **3/5**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps**
  1. Instrument and log request counts per action; identify loops/pagination misuse.
  2. Implement caching, pagination limits, and idempotency guards.
  3. Add rate-limit aware backoff and a hard cap per run/cycle.
- **Potential Assignees:** **FenrirFawks** (reporter, validation), **wtfsayo** (plugins), **standujar (Stan)** (observability patterns)

---

## 8) Large, high-risk Cloud onboarding/integration PR needs focused review (PR #6216)
- **Issue Title & ID:** Eliza Cloud Integration (CLI auto-login, provision keys, MCP + A2A starter) — **PR #6216**
- **Current Status:** Open PR; very large diff (+9989/-101); explicitly requests thorough review
- **Impact Assessment**
  - **User Impact:** **High** (affects default onboarding and deploy/publish flows)
  - **Functional Impact:** **Partial** (can introduce regressions in create/deploy/publish)
  - **Brand Impact:** **High** (first impressions and “it just works” story)
- **Technical Classification**
  - **Issue Category:** Feature / Risk Management
  - **Component Affected:** CLI + Cloud Plugin + Project Starters
  - **Complexity:** Architectural change (workflow integration across components)
- **Resource Requirements**
  - **Required Expertise:** CLI flows, auth/login UX, cloud API client, starter templates
  - **Dependencies:** Should not land during build instability (coordinate with #6218)
  - **Estimated Effort:** **5/5**
- **Recommended Priority:** **P1** (review and de-risk this sprint; do not rush merge without gates)
- **Specific Actionable Next Steps**
  1. Split into smaller PRs if possible: (a) login flow, (b) create scaffolding, (c) deploy/publish, (d) MCP/A2A starter.
  2. Add end-to-end CLI tests covering create→login→deploy happy path and failure modes.
  3. Security review: ensure tokens and keys are encrypted and never logged; validate against the recent “character secrets encryption” fix.
- **Potential Assignees:** **lalalune** (author), **standujar (Stan)** (server/auth + safety review), **ChristopherTrimboli** (CI/e2e tests)

---

## 9) JWT authentication + multi-tenant data isolation implementation needs review + docs before activation (PR #6200)
- **Issue Title & ID:** Implement JWT authentication and user management — **PR #6200**
- **Current Status:** Open PR; gated by `ENABLE_DATA_ISOLATION=true`; tests reported passing
- **Impact Assessment**
  - **User Impact:** **Medium → High** (critical for hosted/multi-tenant deployments)
  - **Functional Impact:** **Partial** (new mode; can break auth expectations if misconfigured)
  - **Brand Impact:** **High** (security and enterprise readiness)
- **Technical Classification**
  - **Issue Category:** Security / Feature
  - **Component Affected:** Server API + Socket.IO auth + data isolation
  - **Complexity:** Architectural change
- **Resource Requirements**
  - **Required Expertise:** Auth/JWT, server middleware, socket auth, threat modeling
  - **Dependencies:** Documentation updates; alignment with RLS/data isolation direction
  - **Estimated Effort:** **4/5**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps**
  1. Security review: issuer/audience validation, JWKS caching, algorithm confusion protections, log redaction.
  2. Add docs: configuration recipes for Auth0/Clerk/Privy/Supabase/Google; migration from `X-Entity-Id`.
  3. Add negative tests: invalid `sub`, missing `sub`, rotated keys, JWKS outage behavior.
- **Potential Assignees:** **standujar (Stan)** (author), **jin** (infosec focus), **github-advanced-security** (enable/code scanning review)
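
One way to express the token checks from steps 1 and 3 above (algorithm pinning, issuer/audience validation, `sub` handling, rotated keys) as a verifier with negative cases. This is an added example, not code from PR #6200: `verifyJwt`, `mint`, the `keys` map, and the issuer, audience and `kid` values are hypothetical. It assumes RS256 only, treats a non-string or empty `sub` as invalid, and leaves JWKS fetching and caching out.

```javascript
// Added example, not code from PR #6200; issuer, audience, kid and claims are constructed.
const nodeCrypto = require('node:crypto');
const b64u = (v) => Buffer.from(v).toString('base64url');
const fail = (reason) => ({ ok: false, reason });
// `keys` maps kid -> { alg, publicKey }. The algorithm is pinned per key on the
// server; the header is compared against it. Claims are read after the signature.
function verifyJwt(token, { keys, issuer, audience, now }) {
  const [h, p, s, ...extra] = String(token).split('.');
  if (!h || !p || !s || extra.length) return fail('malformed');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString()) || {};
    claims = JSON.parse(Buffer.from(p, 'base64url').toString()) || {};
  } catch { return fail('malformed'); }
  const key = keys.get(header.kid);
  if (!key) return fail('unknown_kid'); // rotated-out or never-published key
  if (header.alg !== key.alg) return fail('alg_mismatch'); // "none", HS256 swap
  const signed = Buffer.from(`${h}.${p}`);
  const sig = Buffer.from(s, 'base64url');
  if (!nodeCrypto.verify('sha256', signed, key.publicKey, sig)) return fail('bad_signature');
  if (claims.iss !== issuer) return fail('bad_issuer');
  if (![].concat(claims.aud).includes(audience)) return fail('bad_audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) return fail('expired');
  if (typeof claims.sub !== 'string' || !claims.sub.trim()) return fail('bad_sub');
  return { ok: true, sub: claims.sub };
}

// Mints RS256 tokens with a throwaway key so the checks run offline.
function mint(privateKey, claims, header = { alg: 'RS256', kid: 'k1' }) {
  const body = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${body}.${b64u(nodeCrypto.sign('sha256', Buffer.from(body), privateKey))}`;
}

function runNegativeCases() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const opts = { keys: new Map([['k1', { alg: 'RS256', publicKey }]]),
    issuer: 'https://idp.example/', audience: 'eliza-server', now: 1000 };
  const base = { iss: opts.issuer, aud: opts.audience, exp: 2000, sub: 'user-123' };
  const check = (c, hdr) => verifyJwt(mint(privateKey, c, hdr), opts);
  return {
    valid: check(base).ok,
    missingSub: check({ ...base, sub: undefined }).reason,
    invalidSub: check({ ...base, sub: 42 }).reason,
    rotatedKey: check(base, { alg: 'RS256', kid: 'k0' }).reason,
    algSwap: check(base, { alg: 'HS256', kid: 'k1' }).reason,
    wrongAudience: check({ ...base, aud: 'other-api' }).reason,
  };
}
console.log(runNegativeCases());
```

Each rejection carries a distinct reason so negative tests can assert on the specific check that fired, while the HTTP and Socket.IO layers can still return one generic 401 to the client.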

---

# Conclusion

## Top 5–10 issues to address immediately (ranked)
1. **P0:** TEXT_LARGE error when no inference plugin is registered (Discord; runtime/UX hard failure)
2. **P0:** OpenAI plugin installation failures due to outdated packages (Discord; onboarding blocker)
3. **P0:** Monorepo TypeScript/build instability; merge/validate **PR #6218** and rebase backlog
4. **P0:** React dependency security vulnerabilities (create tracked issue; patch release)
5. **P1:** Bithumb token migration failure communications + remediation path (brand-critical ops)
6. **P1:** pglite severe performance regression under swarm load (profiling + guidance)
7. **P1:** High-risk Cloud onboarding changes **PR #6216** (de-risk, split, add e2e gates)
8. **P1:** JWT auth/data isolation **PR #6200** (security review + docs + negative tests)
9. **P2:** Twitter agent/plugin excessive API requests (rate limiting/caching)

## Patterns / themes suggesting deeper architectural problems
- **Onboarding fragility:** Multiple reports show first-run failures (missing provider plugin, plugin install mismatch). This indicates insufficient preflight checks and unclear failure messaging.
- **Large, sweeping changes landing without enough guardrails:** Very large PRs (cleanup, cloud integration) increase regression risk; build stability issues confirm this.
- **Cross-cutting dependency churn:** Reports of outdated packages and ecosystem-wide dependency bumps suggest version compatibility needs stronger enforcement.
- **Performance variability in “local-first” storage (pglite):** Big latency swings imply missing benchmarks and load testing for common deployment patterns.

## Recommendations for process improvements
1. **Add “First-run success” CI pipeline:** Spin up a fresh project and verify: select provider → install plugin → run chat → send message.
2. **Introduce compatibility enforcement in CLI:** Refuse to proceed (or auto-update) when CLI/core/plugin versions are incompatible.
3. **Require PR sizing rules + split strategy:** Enforce thresholds where PRs must be split or come with dedicated e2e coverage.
4. **Security hygiene upgrades:** Track frontend CVEs as P0 with a standard patch workflow; ensure secrets never appear in logs/screenshots (add automated secret scanning reminders).
5. **Performance baselines:** Add repeatable benchmarks for storage backends (pglite vs Postgres) and publish recommended defaults by scale.