## Issue Triage — 2026-04-08 (elizaOS)

### 1) `elizaos create` fails on macOS with “Bun’s postinstall script was not run”
- **Issue Title & ID:** elizaos/eliza — “elizaos create fails with "Bun's postinstall script was not run" on macOS” (#6704)
- **Current Status:** OPEN (no PR linked); reproducible on macOS Apple Silicon + bun 1.3.11 + @elizaos/cli 1.7.2
- **Impact Assessment:**
  - **User Impact:** **High** (new users on macOS using bun install path)
  - **Functional Impact:** **Yes** (blocks project scaffolding / onboarding)
  - **Brand Impact:** **High** (first-run failure; CLI perceived broken)
- **Technical Classification:**
  - **Issue Category:** Bug / DX
  - **Component Affected:** CLI, plugin-bootstrap packaging, install/runtime dependencies
  - **Complexity:** **Moderate effort** (dependency changes + verification across package managers)
- **Resource Requirements:**
  - **Required Expertise:** Node/Bun packaging, workspace tooling, CLI release process
  - **Dependencies:** Needs coordinated changes in `@elizaos/cli` and `@elizaos/plugin-bootstrap`; regression tests for macOS + bun
  - **Estimated Effort (1-5):** **3**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. Remove `bun` **runtime** dependency from `@elizaos/cli` and `@elizaos/plugin-bootstrap` (replace with `@types/bun` devDependency if needed).
  2. Add CI smoke test: `bun install -g @elizaos/cli` then `elizaos create` on macOS runners (arm64 if available).
  3. Change CLI failure behavior: don’t delete the scaffolded directory on build failure (or add a `--no-cleanup` option whose default preserves the directory for debugging).
  4. Publish patch release once verified (include clear release notes + workaround removal).
- **Potential Assignees:** **odilitime** (core/dev tooling), **dirtybits** (reporter; can validate fix), a release maintainer for @elizaos/cli

---

### 2) Security dependency updates (multiple CVEs) pending merge
- **Issue Title & ID:** elizaos/eliza — Dependabot “bump npm_and_yarn group… (path-to-regexp, handlebars, picomatch)” (PR #6694)
- **Current Status:** OPEN PR (security fixes available upstream; not merged)
- **Impact Assessment:**
  - **User Impact:** **Medium–High** (depends on whether affected packages are shipped/used in exposed surfaces)
  - **Functional Impact:** **Partial** (security posture; possible DoS/route-regex issues)
  - **Brand Impact:** **High** (unpatched CVEs reflect poorly)
- **Technical Classification:**
  - **Issue Category:** Security
  - **Component Affected:** computeruse subpackages / JS deps
  - **Complexity:** **Simple fix** (merge after tests)
- **Resource Requirements:**
  - **Required Expertise:** Dependency management, CI verification
  - **Dependencies:** Passing CI; confirm no lockfile conflicts with other open PRs
  - **Estimated Effort (1-5):** **1**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. Run full CI + targeted tests for any routing/glob/template compilation flows.
  2. If CI green, fast-track merge; if conflicts, rebase with `@dependabot rebase`.
  3. Cut a patch release / publish updated packages if applicable.
- **Potential Assignees:** **odilitime** (maintainer), any core maintainer with merge rights

---

### 3) TOON connectors: missing action params + async action continuation loop causes spam/noisy outputs
- **Issue Title & ID:** elizaos/eliza — “Fix/toon action params” (PR #6709)
- **Current Status:** OPEN PR; tests reported passing; large diff (template migration XML→TOON + schema fixes)
- **Impact Assessment:**
  - **User Impact:** **High** (Discord/Milady and other TOON encapsulation connectors)
  - **Functional Impact:** **Partial–Yes** (actions with required params fail to execute; async tasks cause repeated filler responses)
  - **Brand Impact:** **Medium–High** (connectors look unreliable/spammy)
- **Technical Classification:**
  - **Issue Category:** Bug / UX
  - **Component Affected:** Core framework message service, connector encapsulation (TOON)
  - **Complexity:** **Moderate effort** (review risk due to broad refactor; core fix itself is small)
- **Resource Requirements:**
  - **Required Expertise:** Core runtime/message pipeline, connector formats (TOON/XML), prompt/schema design
  - **Dependencies:** Careful review to isolate the two bugfixes from the wider template migration
  - **Estimated Effort (1-5):** **3**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Split PR into: (a) minimal bugfix (schema `params` + terminal action set) and (b) template migration/refactors, to reduce merge risk.
  2. Add regression tests: required-param action invoked via TOON connector must pass params through; async task actions must not loop continuation.
  3. Validate with at least one real connector integration (Discord) in a staging harness.
- **Potential Assignees:** **NubsCarson** (author), **odilitime** (core review/merge)

---

### 4) `plugin-twitter` / X login failing (“page not found”) even with cookies (Discord report)
- **Issue Title & ID:** Discord coders — “eliza-agent unable to log in to X (page not found after retries, even using cookies)” (DISC-2026-04-07-XLOGIN)
- **Current Status:** Reported on Discord; triage requested (need versions of elizaOS + plugin-twitter)
- **Impact Assessment:**
  - **User Impact:** **Medium** (anyone running X automation; likely a common use case)
  - **Functional Impact:** **Yes** for X posting/reading workflows
  - **Brand Impact:** **Medium** (public-facing integrations breaking)
- **Technical Classification:**
  - **Issue Category:** Bug / Integration
  - **Component Affected:** Plugin System → `plugin-twitter` (auth/session handling), potentially connector/browser automation
  - **Complexity:** **Complex solution** (X frequently changes login flow; may require new auth strategy)
- **Resource Requirements:**
  - **Required Expertise:** Web auth flows, X/Twitter anti-bot constraints, cookie/session mgmt, headless browser tooling (if used)
  - **Dependencies:** Need exact versions + logs; confirm whether X endpoint changes or account restrictions are involved
  - **Estimated Effort (1-5):** **4**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Convert Discord report into a GitHub issue with: plugin-twitter version, eliza version, auth method, HTTP traces/screenshot, and whether it’s API-based or browser-based.
  2. Add a healthcheck diagnostic mode (prints detected login route, status codes, retry reasons, cookie domain/path validity).
  3. Investigate X flow change: “page not found” could be geo/UA gating, deprecated endpoint, or redirect chain failure—add redirect logging.
  4. Document a short-term mitigation (pin known-working version, or require API-based auth where possible).
- **Potential Assignees:** **odilitime** (triage), **dave_24736** (reporter; can supply logs), a maintainer familiar with `plugin-twitter`

---

### 5) Dev harness PR risks breaking fresh clones due to submodule workspaces + lockfile mismatch
- **Issue Title & ID:** elizaos/eliza — “feat: add agent/ like starter in develop” (PR #6702)
- **Current Status:** OPEN PR; reviewer notes: committed workspace paths for submodule plugins + bun.lock mismatch; will break installs on machines without submodules initialized
- **Impact Assessment:**
  - **User Impact:** **Medium** (contributors; CI; dev environments)
  - **Functional Impact:** **Partial** (repo boot/dev workflow breaks; not end-user runtime unless merged)
  - **Brand Impact:** **Medium** (contributor experience + CI reliability)
- **Technical Classification:**
  - **Issue Category:** Bug / DX / Build-Infra
  - **Component Affected:** Monorepo workspaces, scripts, lockfile integrity
  - **Complexity:** **Moderate effort** (workflow + policy + lockfile discipline)
- **Resource Requirements:**
  - **Required Expertise:** Bun workspaces, monorepo dependency hygiene, CI
  - **Dependencies:** Decide policy: submodules optional vs required; ensure restore script is enforced
  - **Estimated Effort (1-5):** **3**
- **Recommended Priority:** **P1** (block merge until fixed)
- **Specific Actionable Next Steps:**
  1. Run `plugin-submodules:restore` and recommit with root `package.json` free of missing workspace paths.
  2. Regenerate `bun.lock` so it matches `workspace:*` (or stop using `workspace:*` if submodules are optional).
  3. Add CI check: fail if `package.json` contains submodule workspace entries unless submodules are present.
  4. Fix harness loop bug: change `break` to `continue` when `runtime.messageService` is not ready.
  5. Decide multi-character DB behavior (per-character adapter vs shared primary adapter) and document it.
- **Potential Assignees:** **odilitime** (author), a CI/build maintainer for review
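
One way to implement the CI check from step 3, together with the `workspace:*` consistency check implied by step 2, as an added example that is not code from the elizaos/eliza repository. The directory layout, the `@elizaos/plugin-twitter` package name and the helper names are assumptions, and the manifests are passed in as a constructed object so the check runs without touching disk.

```javascript
// Added example, not code from elizaos/eliza. Layout, package names and
// helper names are hypothetical; the sample manifests are constructed.

// Expand one "workspaces" entry against the directories that contain a
// package.json. Handles literal paths and a single trailing "/*".
function expandWorkspace(pattern, dirs) {
  if (!pattern.endsWith("/*")) return dirs.includes(pattern) ? [pattern] : [];
  const parent = pattern.slice(0, -2);
  return dirs.filter((d) => {
    const i = d.lastIndexOf("/");
    return i > 0 && d.slice(0, i) === parent;
  });
}

// manifests: { "<dir>": <parsed package.json> } for every directory that
// has a package.json on disk after checkout.
function auditWorkspaces(rootPkg, manifests) {
  const dirs = Object.keys(manifests);
  const ws = rootPkg.workspaces || [];
  const patterns = Array.isArray(ws) ? ws : ws.packages || [];
  const missingPaths = [];
  const members = new Set();
  for (const pattern of patterns) {
    const hits = expandWorkspace(pattern, dirs);
    // A literal entry with no manifest behind it is what an uninitialized
    // submodule looks like on a fresh clone.
    if (hits.length === 0 && !pattern.endsWith("/*")) missingPaths.push(pattern);
    hits.forEach((h) => members.add(h));
  }
  const names = new Set([...members].map((d) => manifests[d].name));
  const unresolved = [];
  const scan = (where, pkg) => {
    for (const field of ["dependencies", "devDependencies"]) {
      for (const [dep, range] of Object.entries(pkg[field] || {})) {
        // workspace: ranges must resolve to a package present in the tree.
        if (String(range).startsWith("workspace:") && !names.has(dep)) {
          unresolved.push(`${where} -> ${dep}`);
        }
      }
    }
  };
  scan(".", rootPkg);
  for (const d of members) scan(d, manifests[d]);
  const ok = missingPaths.length === 0 && unresolved.length === 0;
  return { ok, missingPaths, unresolved };
}

// Constructed fresh-clone state: plugins/plugin-twitter is a submodule
// that was never initialized, so it has no package.json.
const rootPkg = { name: "monorepo", workspaces: ["packages/*", "plugins/plugin-twitter"] };
const manifests = {
  "packages/cli": {
    name: "@elizaos/cli",
    dependencies: { "@elizaos/plugin-bootstrap": "workspace:*", "@elizaos/plugin-twitter": "workspace:*" },
  },
  "packages/plugin-bootstrap": { name: "@elizaos/plugin-bootstrap" },
};
console.log(JSON.stringify(auditWorkspaces(rootPkg, manifests), null, 2));
```

In CI, build `manifests` by reading each directory's `package.json` right after checkout and fail the job when `ok` is false, before the install step runs.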

---

### 6) Windows: Git checkout blocked by PGlite memory artifacts (plugin-openrouter)
- **Issue Title & ID:** elizaos-plugins/plugin-openrouter — “Fix PGlite memory artifacts blocking Windows Git checkouts” (PR ID not provided in feed)
- **Current Status:** PR opened (unmerged)
- **Impact Assessment:**
  - **User Impact:** **Medium** (Windows contributors/users of that plugin)
  - **Functional Impact:** **Partial** (blocks checkout/build on Windows)
  - **Brand Impact:** **Medium** (cross-platform reliability)
- **Technical Classification:**
  - **Issue Category:** Bug / Build-Infra
  - **Component Affected:** Plugin System → plugin-openrouter repo hygiene (generated artifacts)
  - **Complexity:** **Simple fix**
- **Resource Requirements:**
  - **Required Expertise:** Git attributes/filters, ignore rules, Windows filesystem quirks
  - **Dependencies:** None beyond plugin repo maintainers
  - **Estimated Effort (1-5):** **2**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Ensure artifacts are gitignored and/or removed from history if needed.
  2. Add CI job on Windows that does clean clone + install.
- **Potential Assignees:** plugin-openrouter maintainers; **odilitime** for coordination

---

### 7) ai-news regeneration: add fallback models + credit usage monitoring
- **Issue Title & ID:** Discord action items — “Implement fallback models” + “Add better monitoring of credit usage” (DISC-2026-04-07-AINEWS)
- **Current Status:** In progress (per dankvr); no linked GitHub issue/PR provided
- **Impact Assessment:**
  - **User Impact:** **Medium** (consumers of ai-news feed)
  - **Functional Impact:** **Partial** (prevents data gaps/outages; avoids credit exhaustion)
  - **Brand Impact:** **Medium** (public data reliability)
- **Technical Classification:**
  - **Issue Category:** Performance/Reliability
  - **Component Affected:** Model integration + data pipeline/observability
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** LLM provider failover, quotas/usage tracking, monitoring/alerting
  - **Dependencies:** Access to provider usage APIs; define fallback selection policy
  - **Estimated Effort (1-5):** **3**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Create a GitHub issue with acceptance criteria: failover behavior, max-cost-per-day, alert thresholds.
  2. Implement model fallback chain (primary→secondary→tertiary) with circuit breakers.
  3. Emit per-run cost + cumulative daily spend metrics; alert on anomaly spikes.
- **Potential Assignees:** **dankvr** (owner), a core dev for monitoring integration

---

### 8) Delegation chains for autonomous agents (scoped authority, spend limits, cascade revocation)
- **Issue Title & ID:** elizaos/eliza — “Implement delegation chains for autonomous agents” (GitHub issue opened; **number not provided in feed**)
- **Current Status:** OPEN (proposal stage)
- **Impact Assessment:**
  - **User Impact:** **Medium** (developers building multi-agent economies)
  - **Functional Impact:** **Partial** (not blocking current core, but key for safe autonomy)
  - **Brand Impact:** **High** (trust/safety roadmap credibility)
- **Technical Classification:**
  - **Issue Category:** Feature Request / Security Architecture
  - **Component Affected:** Core Framework (identity/authZ), agent governance/spend controls
  - **Complexity:** **Architectural change**
- **Resource Requirements:**
  - **Required Expertise:** AuthZ models, capability delegation, revocation semantics, threat modeling
  - **Dependencies:** Alignment with AgentID (#6688 referenced in weekly summary) and spend governance (Dreamline x402)
  - **Estimated Effort (1-5):** **5**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Locate and link the exact GitHub issue ID; define MVP scope (single-hop delegation + spend cap).
  2. Produce a threat model + spec (revocation propagation, auditability, offline expiry).
  3. Implement reference module + minimal API hooks; add examples in one high-risk plugin (e.g., swaps/payments).
- **Potential Assignees:** **odilitime** (core), security-focused contributors; coordinate with AgentID owners

---

### 9) Capability token enforcement plugin proposal (SINT integration)
- **Issue Title & ID:** elizaos/eliza — “Plugin proposal: @sint/eliza-plugin — capability token enforcement…” (#6707)
- **Current Status:** OPEN (proposal; community offering)
- **Impact Assessment:**
  - **User Impact:** **Medium**
  - **Functional Impact:** **No** (not required for baseline), but major safety enhancement for tool calls
  - **Brand Impact:** **High** (security-first posture for agent tool execution)
- **Technical Classification:**
  - **Issue Category:** Security / Feature Request
  - **Component Affected:** Plugin System, Guardrails/tool-call pipeline
  - **Complexity:** **Complex solution** (policy, approval flows, evidence ledger integration)
- **Resource Requirements:**
  - **Required Expertise:** Capability-based security, cryptographic signing, policy engines, audit/evidence systems
  - **Dependencies:** Coordination with AgentID and any existing guardrails/spend governance
  - **Estimated Effort (1-5):** **4**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Request a minimal PoC PR that intercepts a small set of actions (e.g., `RUN_IN_TERMINAL`, `SOLANA_TRANSFER`) with signed approvals.
  2. Define a standard “tool authorization interface” in core so multiple security plugins can integrate cleanly.
  3. Security review: key management, replay protection, token expiry, and operator UX.
- **Potential Assignees:** **pshkv** (proposer), **odilitime** (core liaison), security reviewers
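
The checks named in items 8 and 9 (scoped authority, spend caps, expiry, replay protection, cascade revocation) expressed as a pre-execution authorization hook; this is an added example, not elizaOS, AgentID or SINT code. The `DelegationRegistry` class, its fields and the grant ids are hypothetical, and it assumes grants are held in a trusted in-process registry rather than carried as signed tokens.

```javascript
// Added example, not elizaOS or SINT code. All names are hypothetical.
const deny = (reason) => ({ allowed: false, reason });

class DelegationRegistry {
  constructor() {
    this.grants = new Map(); // grant id -> grant record
    this.seen = new Set(); // "grantId:nonce" pairs already executed
  }
  // Issue a root grant (parentId null) or delegate from an existing one.
  issue({ id, parentId = null, agent, actions, spendCap, expiresAt }) {
    if (this.grants.has(id)) throw new Error(`duplicate grant ${id}`);
    const parent = parentId === null ? null : this.grants.get(parentId);
    if (parentId !== null && !parent) throw new Error("unknown parent grant");
    if (parent) {
      // Attenuation only: a delegate may narrow, never widen.
      if (!actions.every((a) => parent.actions.includes(a))) throw new Error("scope exceeds parent");
      if (spendCap > parent.spendCap) throw new Error("spend cap exceeds parent");
      if (expiresAt > parent.expiresAt) throw new Error("expiry outlives parent");
    }
    this.grants.set(id, { id, parentId, agent, actions, spendCap, expiresAt, spent: 0, revoked: false });
  }
  revoke(id) {
    if (this.grants.has(id)) this.grants.get(id).revoked = true;
  }
  // Pre-execution check. Every link from the presented grant up to the
  // root must pass, so revoking one grant cascades to all descendants.
  authorize({ grantId, agent, action, amount = 0, nonce, now }) {
    const chain = [];
    for (let g = this.grants.get(grantId); g; g = this.grants.get(g.parentId)) chain.push(g);
    if (chain.length === 0) return deny("unknown grant");
    if (chain[0].agent !== agent) return deny("grant not issued to this agent");
    if (this.seen.has(`${grantId}:${nonce}`)) return deny("replayed request");
    for (const g of chain) {
      if (g.revoked) return deny(`revoked: ${g.id}`);
      if (now >= g.expiresAt) return deny(`expired: ${g.id}`);
      if (!g.actions.includes(action)) return deny(`out of scope: ${g.id}`);
      if (g.spent + amount > g.spendCap) return deny(`spend cap exceeded: ${g.id}`);
    }
    // Commit only after every check passed; charging each ancestor makes
    // sibling delegates share the parent's cap.
    this.seen.add(`${grantId}:${nonce}`);
    for (const g of chain) g.spent += amount;
    return { allowed: true, reason: "ok" };
  }
}

// Constructed scenario: operator grant to "treasury", delegated to "swapper".
function demo() {
  const reg = new DelegationRegistry();
  reg.issue({ id: "root", agent: "treasury", actions: ["SOLANA_TRANSFER", "RUN_IN_TERMINAL"], spendCap: 100, expiresAt: 2000 });
  reg.issue({ id: "child", parentId: "root", agent: "swapper", actions: ["SOLANA_TRANSFER"], spendCap: 40, expiresAt: 1500 });
  const run = (o) => reg.authorize({ grantId: "child", agent: "swapper", action: "SOLANA_TRANSFER", now: 1000, ...o }).reason;
  const reasons = [
    run({ amount: 30, nonce: "n1" }), // first use of the nonce
    run({ amount: 30, nonce: "n1" }), // same nonce again
    run({ amount: 30, nonce: "n2" }), // 30 + 30 against a cap of 40
    run({ action: "RUN_IN_TERMINAL", nonce: "n3" }), // not delegated to child
  ];
  reg.revoke("root");
  reasons.push(run({ amount: 1, nonce: "n4" })); // child intact, parent revoked
  return reasons;
}
console.log(demo());
```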

---

### 10) Marketplace plugin proposals (MAXIA, SafeAgent) + token-economy promo (AIGEN)
- **Issue Title & ID:**  
  - elizaos/eliza — “Plugin: MAXIA AI Marketplace…” (#6700)  
  - elizaos/eliza — “Plugin: SafeAgent — Token safety checks…” (#6706)  
  - elizaos/eliza — “AIGEN Protocol — Earn $AIGEN tokens…” (#6708)
- **Current Status:** OPEN (early discussion; no PRs)
- **Impact Assessment:**
  - **User Impact:** **Low–Medium** (optional ecosystem plugins)
  - **Functional Impact:** **No**
  - **Brand Impact:** **Medium** (quality bar for plugin ecosystem + risk of low-signal token promo noise)
- **Technical Classification:**
  - **Issue Category:** Feature Request / Ecosystem
  - **Component Affected:** Plugin registry, integration standards, security review process
  - **Complexity:** **Moderate effort** (for acceptance criteria, API contracts, review)
- **Resource Requirements:**
  - **Required Expertise:** Plugin API design, security review (esp. trading), documentation
  - **Dependencies:** Clear plugin acceptance policy + mandatory safety guidelines for financial actions
  - **Estimated Effort (1-5):** **2–4** (varies by plugin)
- **Recommended Priority:**  
  - **MAXIA (#6700): P3** (valuable, but large scope)  
  - **SafeAgent (#6706): P3** (useful safety layer; evaluate trust & attack surface)  
  - **AIGEN (#6708): P4** (treat as non-core; ensure repo hygiene and avoid endorsement risk)
- **Specific Actionable Next Steps:**
  1. Require a standard security checklist for finance/trading plugins (key handling, slippage limits, allowlists, simulation, audit logs).
  2. Ask each proposer for: threat model, rate limits, safe defaults, and a minimal action subset PoC.
  3. Decide whether issues belong in elizaos/eliza or in registry repo; route accordingly.
- **Potential Assignees:** **majorelalexis-stack** (MAXIA), **CryptoGenesisSecurity** (SafeAgent), registry maintainers + **odilitime** for policy

---

## Highest-Priority Summary (Top 5–10 to act on now)
1. **P0:** #6704 — macOS `elizaos create` bun postinstall failure (blocks onboarding).
2. **P0:** PR #6694 — security dependency updates (CVE fixes) pending merge.
3. **P1:** PR #6709 — TOON action params missing + async continuation spam (connector reliability).
4. **P1:** DISC-2026-04-07-XLOGIN — `plugin-twitter` X login broken (convert to GitHub issue + diagnose).
5. **P1:** PR #6702 — dev harness/submodule workspace + lockfile mismatch (block merge until fixed).
6. **P2:** plugin-openrouter Windows checkout fix (cross-platform dev usability).
7. **P2:** Delegation chains proposal (spec + MVP planning; aligns with trust infrastructure).
8. **P2:** #6707 capability token enforcement (define core hook + PoC).
9. **P2:** ai-news fallback + credit monitoring (reliability/ops).
10. **P3/P4:** Marketplace + token-economy plugin proposals (#6700, #6706, #6708) (policy + gating).

---

## Patterns / Themes Indicating Deeper Issues
- **Tooling/packaging fragility (Bun + workspaces + lockfiles):** Multiple signals that dependency declaration and workspace state can easily drift, breaking first-run or fresh clones.
- **Connector format divergence (XML vs TOON) affecting action correctness:** Schema/prompt mismatches can silently drop required action params, causing failures that look like “LLM unreliability.”
- **Growing need for standardized safety/authZ for tool calls:** Multiple proposals (delegation chains, capability tokens, spend governance) point to a missing unified authorization interface in core.
- **Third-party platform volatility (X/Twitter):** Integrations will continue to break unless observability + quick adaptation paths exist.

---

## Process Improvement Recommendations
1. **Add “first-run” CI smoke tests** for the CLI on macOS + Linux (and ideally Windows): `install -> elizaos create -> build -> run minimal message`.
2. **Enforce lockfile/workspace consistency checks in CI** (fail PRs where `package.json` workspaces reference missing paths; detect `workspace:*` vs registry resolution mismatches).
3. **Require PR decomposition for high-churn changes** (e.g., TOON migration split from bugfix) to reduce review/merge risk.
4. **Create a formal “Connector Contract Test Suite”** ensuring each encapsulation format (TOON/XML/JSON) preserves: action selection, param passing, and async/terminal action semantics.
5. **Define a core “Tool Authorization Hook” interface** (pre-execution policy checks, spend caps, approvals, audit events) so security plugins can integrate consistently without ad-hoc patterns.