# Issue Triage — 2025-12-23 (elizaOS)

## 1) Security & Trust

### (A) Investigate exposure to n8n CVE-10 RCE
- **Issue Title & ID:** *CVE-10 RCE in n8n — assess elizaOS exposure and mitigate* (DISC-SEC-2025-12-22-N8N)
- **Current Status:** Reported in `core-devs` by Jin; no GitHub issue/PR found in provided data.
- **Impact Assessment:**
  - **User Impact:** Medium → High (depends on whether elizaOS infra/docs recommend n8n or ship it in templates)
  - **Functional Impact:** Partial (only impacts users/operators relying on n8n integrations)
  - **Brand Impact:** High (CVE-10 + RCE is reputationally sensitive)
- **Technical Classification:**
  - **Issue Category:** Security
  - **Component Affected:** Integrations / DevOps / Documentation (potentially Cloud/automation stack)
  - **Complexity:** Moderate effort (can become complex if deeply integrated)
- **Resource Requirements:**
  - **Required Expertise:** Security triage, dependency/SBOM auditing, DevOps, incident response comms
  - **Dependencies:** Need confirmation whether n8n is used in Eliza Cloud MVP, starter templates, or recommended workflows
  - **Estimated Effort:** 3/5
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. Create a tracked GitHub security issue (or GHSA advisory if appropriate) documenting: whether n8n is used, where, and versions.
  2. Audit repos/templates/docs for `n8n` references and any deployment manifests including it.
  3. If used: pin/upgrade to patched n8n version, rotate secrets, and publish a brief security notice + mitigation steps.
  4. Add a “third-party automation security” section to Cloud/operator docs (patch cadence, version pinning).
- **Potential Assignees:** **standujar** (server/security rigor), **madjin** (architecture/RFC + comms discipline), **ChristopherTrimboli** (ecosystem/deps), **Jin (madjin)** as reporter/SME.

---

### (B) Snapshot migration support & impersonation risk (Tangem wallet not supported)
- **Issue Title & ID:** *Snapshot Eligibility Issue + Tangem Wallet Connection Not Supported (Discord Support Compromised)* — **#6211**
- **Current Status:** **OPEN** (1 comment); user explicitly avoiding Discord due to impersonators.
- **Impact Assessment:**
  - **User Impact:** Medium (subset of token migrators; likely non-trivial)
  - **Functional Impact:** Partial (blocks migration flow for affected wallets)
  - **Brand Impact:** High (support compromise + migration problems erode trust)
- **Technical Classification:**
  - **Issue Category:** UX / Documentation / Security (support-channel safety)
  - **Component Affected:** Migration portal process + Support operations
  - **Complexity:** Moderate effort (may require policy + tooling changes, not just code)
- **Resource Requirements:**
  - **Required Expertise:** Product/support, wallet connectivity knowledge (WalletConnect/Tangem constraints), security comms
  - **Dependencies:** Clarify snapshot rules, eligibility verification method, and what “manual whitelist” means operationally
  - **Estimated Effort:** 3/5
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Post an official GitHub response: confirm eligibility rules for Tangem-held tokens at snapshot; outline the *only* safe remediation paths.
  2. Publish an “Official Support & Anti-Scam” page linked from README/website (never DM seed, never “send tokens to migrate”, official domains).
  3. If feasible: add an alternate proof/verification flow for non-connectable wallets (read-only signature proof, manual verification queue, or portal update).
  4. Add banner in migration UX warning about impersonators and listing official links.
- **Potential Assignees:** **jasyn_bjorn** (community + transparency), **standujar** (server/process), **madjin** (docs/official comms), plus a product owner for the migration portal.

---

## 2) Core Product Bugs / Regressions

### (C) CLI package bloat (~17GB) due to duplicated DB files in starter templates
- **Issue Title & ID:** *CLI / project-starter templates copy database files repeatedly causing ~17GB installs* (DISC-CLI-2025-12-21-DISKSIZE)
- **Current Status:** Reported by Odilitime in Discord; no GitHub issue linked in provided data.
- **Impact Assessment:**
  - **User Impact:** High (anyone using CLI/starter templates, CI runners, new developers)
  - **Functional Impact:** Partial (install/build friction; can fail on disk quotas)
  - **Brand Impact:** High (perceived poor engineering quality)
- **Technical Classification:**
  - **Issue Category:** Performance / UX
  - **Component Affected:** CLI, project-starter templates, packaging/release artifacts
  - **Complexity:** Moderate effort
- **Resource Requirements:**
  - **Required Expertise:** Node/Bun packaging, monorepo workspace tooling, template generation, CI artifact optimization
  - **Dependencies:** Identify which starter(s) and which DB files (pglite?) are being copied; confirm publish pipeline behavior
  - **Estimated Effort:** 3/5
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Open a GitHub issue with exact reproduction: `elizaos create ...` → inspect generated tree + published package contents.
  2. Identify duplicated assets source: template scaffolding vs npm/bun packaging config (`files`, `.npmignore`, build outputs).
  3. Fix: ensure DB artifacts are generated at runtime (or downloaded on-demand) and excluded from templates/packages.
  4. Add CI guardrails: fail build if package size exceeds threshold; add a “template output size” test.
- **Potential Assignees:** **ChristopherTrimboli** (CLI experience), **lalalune** (Cloud/CLI integration context), **odilitime** (discoverer; template familiarity), **wtfsayo** (monorepo fixes).
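The CI guardrail in step 4 (size threshold plus a "template output size" test) is the same check that Process Improvement 2 asks for. The script below is an added example, not code from the elizaOS CLI or its templates: it walks a generated tree, totals its size against a budget, and groups large files by SHA-256 so copied DB artifacts show up as duplicates. The thresholds, the `packages/*/data/db.bin` layout of the constructed sample tree, and all function names are assumptions.

```typescript
// Added example (not elizaOS CLI code): audit a generated template tree for
// total size and for duplicated large files, the two checks a CI guardrail
// needs. Thresholds and the sample tree layout below are assumptions.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
import { createHash } from "node:crypto";

export interface DuplicateGroup {
  sha256: string;
  bytes: number;
  paths: string[];
}

export interface SizeReport {
  totalBytes: number;
  overBudget: boolean;
  duplicates: DuplicateGroup[];
}

// Recursively list regular files under dir. Symlinks are skipped on purpose so
// a link cannot make the audit count the same bytes twice or escape the tree.
function listFiles(dir: string, out: string[] = []): string[] {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) listFiles(full, out);
    else if (entry.isFile()) out.push(full);
  }
  return out;
}

export function auditTemplateOutput(root: string, maxTotalBytes: number, dupMinBytes: number): SizeReport {
  let totalBytes = 0;
  const byHash = new Map<string, DuplicateGroup>();
  for (const file of listFiles(root)) {
    const bytes = fs.statSync(file).size;
    totalBytes += bytes;
    if (bytes < dupMinBytes) continue; // only hash files big enough to matter
    const sha256 = createHash("sha256").update(fs.readFileSync(file)).digest("hex");
    const group = byHash.get(sha256) ?? { sha256, bytes, paths: [] };
    group.paths.push(path.relative(root, file));
    byHash.set(sha256, group);
  }
  const duplicates = [...byHash.values()].filter((g) => g.paths.length > 1);
  return { totalBytes, overBudget: totalBytes > maxTotalBytes, duplicates };
}

// CI rule: fail the build when the budget is exceeded or any large file is duplicated.
export function exitCodeFor(report: SizeReport): number {
  return report.overBudget || report.duplicates.length > 0 ? 1 : 0;
}

// Constructed sample tree (not a real template): two packages each carrying a
// copy of the same 64 KiB blob standing in for an embedded database file.
export function buildSampleTree(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "template-audit-"));
  const blob = Buffer.alloc(64 * 1024, 0xab);
  for (const pkg of ["agent-a", "agent-b"]) {
    const dataDir = path.join(root, "packages", pkg, "data");
    fs.mkdirSync(dataDir, { recursive: true });
    fs.writeFileSync(path.join(dataDir, "db.bin"), blob);
  }
  fs.writeFileSync(path.join(root, "package.json"), '{"name":"sample"}\n');
  return root;
}

// Runs the audit over the sample tree with a 100 KiB budget and a 16 KiB
// duplicate-detection floor, then removes the temporary tree.
export function runSampleAudit(): { report: SizeReport; exitCode: number } {
  const root = buildSampleTree();
  try {
    const report = auditTemplateOutput(root, 100 * 1024, 16 * 1024);
    return { report, exitCode: exitCodeFor(report) };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}
```

In a real pipeline the root would be the directory produced by `elizaos create ...` (or an unpacked `npm pack` tarball), the budget would be set a little above the current healthy size, and the hash floor keeps the check cheap by skipping small source files.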

---

### (D) Starknet plugin: “Failed to parse String to BigInt” during unruggable token deployment
- **Issue Title & ID:** *Starknet plugin deployment fails: “Failed to parse String to BigInt” (DEPLOY_STARKNET_UNRUGGABLE_MEME_TOKEN)* (DISC-PLUG-2025-12-22-STARKNET-BIGINT)
- **Current Status:** Under investigation informally; FenrirFawks added logging; Odilitime requested modified `unruggable.ts` via DM.
- **Impact Assessment:**
  - **User Impact:** Medium (Starknet plugin users; Web3 creators)
  - **Functional Impact:** Yes (blocks token deployment for the affected flow)
  - **Brand Impact:** Medium (plugin reliability; especially around Web3 actions)
- **Technical Classification:**
  - **Issue Category:** Bug
  - **Component Affected:** Plugin System → `plugin-starknet` action implementation / parameter parsing
  - **Complexity:** Simple fix → Moderate effort (likely input normalization + serialization boundary)
- **Resource Requirements:**
  - **Required Expertise:** TypeScript, Starknet SDK types, BigInt serialization pitfalls, action schema validation
  - **Dependencies:** Need minimal reproducible payload; confirm whether JSON.stringify/transport converts BigInt incorrectly
  - **Estimated Effort:** 2/5
- **Recommended Priority:** **P2** (upgrade to P1 if plugin is officially promoted in Cloud MVP)
- **Specific Actionable Next Steps:**
  1. Move DM debugging into a GitHub issue with sanitized logs + sample inputs (avoid secrets).
  2. Add schema validation at action boundary: explicitly coerce string → BigInt with clear error messages (and reject decimals/hex mismatches).
  3. Add unit tests covering: numeric strings, hex strings, empty strings, large values, and JSON transport.
  4. Ensure any API/client transport never attempts to JSON-serialize BigInt directly (use string form).
- **Potential Assignees:** **odilitime** (already investigating), **standujar** (type safety/testing discipline), a Starknet plugin maintainer (if identified).
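Steps 2 through 4 above (explicit coercion at the action boundary, tests for the edge cases, and never handing a BigInt to `JSON.stringify`) are also what Process Improvement 3 asks for in general. The following is an added example, not code from `plugin-starknet` or elizaOS: it shows one way to build that boundary. The `DeployParams` shape, its field names (`name`, `symbol`, `initialSupply`) and every function name are assumptions.

```typescript
// Added example (not plugin-starknet code): a validation-and-transport boundary
// for an action payload that carries a bigint amount. Field names and the
// DeployParams type are assumptions.

export class ActionValidationError extends Error {
  readonly field: string;
  constructor(field: string, message: string) {
    super(`${field}: ${message}`);
    this.name = "ActionValidationError";
    this.field = field;
  }
}

export interface DeployParams {
  name: string;
  symbol: string;
  initialSupply: bigint; // base units, non-negative
}

// Coerce a raw value to bigint with a specific error for each rejected shape.
// Accepts: bigint, safe-integer number, decimal digit string, 0x-prefixed hex.
// Rejects: empty string, decimals, hex prefix with non-hex digits, unsafe
// numbers, negatives and every other type.
export function coerceToBigInt(field: string, value: unknown): bigint {
  if (typeof value === "bigint") return value;
  if (typeof value === "number") {
    if (!Number.isSafeInteger(value) || value < 0) {
      throw new ActionValidationError(field, "number is not a safe non-negative integer; send it as a string");
    }
    return BigInt(value);
  }
  if (typeof value !== "string") {
    throw new ActionValidationError(field, `expected string or integer, got ${typeof value}`);
  }
  const s = value.trim();
  if (s === "") throw new ActionValidationError(field, "empty string");
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return BigInt(s);
  if (/^[0-9]+$/.test(s)) return BigInt(s);
  if (/^0[xX]/.test(s)) throw new ActionValidationError(field, "hex prefix with non-hex digits");
  if (/^[0-9]+\.[0-9]*$/.test(s)) {
    throw new ActionValidationError(field, "decimal values are not allowed; supply an integer in base units");
  }
  throw new ActionValidationError(field, `cannot parse "${s}" as a non-negative integer`);
}

// Schema check at the action boundary: every field is validated, and the
// amount is coerced once here so the action body only ever sees a bigint.
export function validateDeployParams(raw: Record<string, unknown>): DeployParams {
  const requireString = (field: string): string => {
    const v = raw[field];
    if (typeof v !== "string" || v.trim() === "") {
      throw new ActionValidationError(field, "expected a non-empty string");
    }
    return v.trim();
  };
  return {
    name: requireString("name"),
    symbol: requireString("symbol"),
    initialSupply: coerceToBigInt("initialSupply", raw.initialSupply),
  };
}

// Transport: JSON has no bigint, so encode it as a decimal string and make the
// receiving side run the same validation to get the bigint back.
export function encodeForTransport(params: DeployParams): string {
  return JSON.stringify(params, (_key, v) => (typeof v === "bigint" ? v.toString() : v));
}

export function decodeFromTransport(json: string): DeployParams {
  const parsed: unknown = JSON.parse(json);
  if (parsed === null || typeof parsed !== "object") {
    throw new ActionValidationError("payload", "expected a JSON object");
  }
  return validateDeployParams(parsed as Record<string, unknown>);
}

// The failure mode being guarded against: a plain stringify of a payload that
// holds a bigint throws a TypeError instead of producing JSON.
export function naiveStringifyThrows(): boolean {
  try {
    JSON.stringify({ initialSupply: 1n });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Test helper: true when the value is rejected with a validation error.
export function isRejected(value: unknown): boolean {
  try {
    coerceToBigInt("probe", value);
    return false;
  } catch (e) {
    return e instanceof ActionValidationError;
  }
}
```

The unit tests step 3 asks for map directly onto `coerceToBigInt` and the encode/decode pair: numeric strings, hex strings, empty strings, values above `Number.MAX_SAFE_INTEGER`, and a full JSON round trip.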

---

## 3) UI / UX Polish (New GitHub Issues)

> These are valid UX improvements but should not preempt security, reliability, or release-blocking work.

### (E) Create Agent button inconsistency (My Agents vs Dashboard)
- **Issue Title & ID:** *Create Agent Button should be same in My Agents and Dashboard* — **#6274**
- **Current Status:** **OPEN**
- **Impact Assessment:** User Impact **Medium**; Functional Impact **No**; Brand Impact **Medium**
- **Technical Classification:** UX; **Component:** GUI (web client); **Complexity:** Simple fix
- **Resource Requirements:** Frontend UI/UX; **Dependencies:** design consistency decisions; **Effort:** 1/5
- **Recommended Priority:** **P3**
- **Next Steps:** Define canonical button style/component; update both screens; add visual regression snapshot if available.
- **Potential Assignees:** **borisudovicic** (reporter/product QA), **wtfsayo** (client fixes), any active frontend maintainer.

---

### (F) Move avatar button to position #4 in agent builder
- **Issue Title & ID:** *Move avatar button to #4 in agent builder* — **#6273**
- **Current Status:** **OPEN**
- **Impact Assessment:** User Impact **Low–Medium**; Functional Impact **No**; Brand Impact **Low**
- **Technical Classification:** UX; **Component:** GUI; **Complexity:** Simple fix
- **Resource Requirements:** Frontend; **Dependencies:** confirm intended layout order; **Effort:** 1/5
- **Recommended Priority:** **P4**
- **Next Steps:** Validate flow with product; adjust layout; verify responsive breakpoints.
- **Potential Assignees:** **borisudovicic**, frontend maintainer.

---

### (G) Add Topics/Adjectives to a form (agent configuration)
- **Issue Title & ID:** *Add Topics/Adjectives to a form* — **#6272**
- **Current Status:** **OPEN**
- **Impact Assessment:** User Impact **Medium**; Functional Impact **Partial** (improves configuration expressiveness); Brand Impact **Medium**
- **Technical Classification:** Feature Request / UX; **Component:** GUI + possibly schema; **Complexity:** Moderate effort
- **Resource Requirements:** Frontend + character schema alignment; **Dependencies:** confirm backend/character model fields; **Effort:** 2/5
- **Recommended Priority:** **P3**
- **Next Steps:** Confirm where these fields live (character schema vs prompt templates); implement UI; ensure persisted in API payload; add migration if needed.
- **Potential Assignees:** **wtfsayo** (client), **standujar** (API/schema review), **borisudovicic** (spec).

---

### (H) Inline “send message” button
- **Issue Title & ID:** *Inline send message button* — **#6271**
- **Current Status:** **OPEN**
- **Impact Assessment:** User Impact **Medium**; Functional Impact **No**; Brand Impact **Medium**
- **Technical Classification:** UX; **Component:** Chat UI; **Complexity:** Simple fix
- **Resource Requirements:** Frontend; **Dependencies:** accessibility/keyboard behavior; **Effort:** 1/5
- **Recommended Priority:** **P3**
- **Next Steps:** Implement button with proper disabled/loading states; maintain Enter-to-send; add a11y labels.
- **Potential Assignees:** **wtfsayo**, frontend maintainer.

---

### (I) Tooltip for system prompt
- **Issue Title & ID:** *Add tooltip for system prompt* — **#6270**
- **Current Status:** **OPEN**
- **Impact Assessment:** User Impact **Low–Medium**; Functional Impact **No**; Brand Impact **Low–Medium**
- **Technical Classification:** Documentation / UX; **Component:** GUI; **Complexity:** Simple fix
- **Resource Requirements:** Frontend + copywriting; **Dependencies:** agreed wording; **Effort:** 1/5
- **Recommended Priority:** **P4**
- **Next Steps:** Provide concise tooltip copy with link to docs; implement consistent tooltip component.
- **Potential Assignees:** **borisudovicic**, **madjin** (docs/copy), frontend maintainer.

---

## 4) Release / Platform Readiness (Cloud + API)

### (J) Publish OpenAPI schema for “create-a-new-agent” endpoint
- **Issue Title & ID:** *Publish `openapi.json` schema for create-a-new-agent endpoint* (DISC-API-2025-12-21-OPENAPI)
- **Current Status:** Mentioned as documentation need; no GitHub issue linked in provided data.
- **Impact Assessment:** User Impact **High** (integrators, SDK authors, partners); Functional Impact **Partial**; Brand Impact **High**
- **Technical Classification:** Documentation / Developer Experience; **Component:** API; **Complexity:** Moderate effort
- **Resource Requirements:** API ownership, docs tooling, CI publishing pipeline; **Dependencies:** endpoint stability; **Effort:** 2/5
- **Recommended Priority:** **P2** (P1 if Cloud MVP launch depends on external integrations)
- **Next Steps:** Confirm canonical OpenAPI source; generate+publish artifact; add versioning; link from docs + repo README.
- **Potential Assignees:** **standujar** (server/API), **madjin** (docs pipeline), **ChristopherTrimboli** (DX).

---

# Summary: Top Highest-Priority Items to Address Now (5–10)

1. **P0:** (DISC-SEC-2025-12-22-N8N) Investigate and mitigate potential exposure to **n8n CVE-10 RCE**.
2. **P1:** **#6211** Tangem wallet migration blockage + official support safety messaging (reduce scam/impersonation risk).
3. **P1:** (DISC-CLI-2025-12-21-DISKSIZE) **CLI/template 17GB bloat** causing install/CI failures and major DX harm.
4. **P2:** (DISC-PLUG-2025-12-22-STARKNET-BIGINT) **Starknet plugin BigInt parsing** blocks token deployment flow.
5. **P2:** (DISC-API-2025-12-21-OPENAPI) Publish **OpenAPI schema** for agent creation to unblock integrators (especially near Cloud launch).
6. **P3 batch:** **#6274, #6271, #6272** UX improvements (consistency + chat affordances + configuration expressiveness).
7. **P4 batch:** **#6273, #6270** low-risk UI polish.

---

# Patterns / Themes Suggesting Deeper Issues

- **Release readiness gaps surfacing via Discord instead of GitHub:** multiple operationally important problems (security CVE mention, CLI bloat, Starknet failure) lack formal issues, reducing accountability and slowing resolution.
- **Boundary/type-safety issues around action payloads:** the Starknet BigInt failure suggests missing validation/normalization at plugin action boundaries and risky JSON serialization assumptions.
- **DX and packaging regressions:** the 17GB CLI/template issue indicates insufficient artifact-size checks and template hygiene, which tends to recur without automated constraints.
- **Trust & comms as a product requirement:** migration + impersonation concerns show that support security and “official channel verification” are now part of core reliability/brand.

---

# Process Improvements (Prevent Recurrence)

1. **“Discord-to-GitHub” intake rule for critical reports:** any security/release/DX regression reported in Discord must become a GitHub issue within 24 hours (with a short template: repro, logs, impact).
2. **Add CI guardrails for distribution quality:**
   - Package size thresholds for CLI and starter templates
   - Template output linting (no embedded DB artifacts; no duplicated large files)
3. **Standardize plugin action schemas and validation:**
   - Require explicit input schemas (zod/jsonschema) and coercion rules
   - Add tests for serialization boundaries (BigInt, Dates, Buffers)
4. **Security dependency tracking:**
   - Maintain a lightweight SBOM/dependency inventory for Cloud/starter stacks
   - Subscribe to advisories; define patch SLA for CVSS≥9
5. **Official comms hardening:**
   - Publish a single canonical “Official Links & Support Policy” page and reference it in-app (migration, cloud, docs)
   - Add automated Discord anti-impersonation guidance + pinned warnings, mirrored on GitHub/docs