# Issue Triage — 2026-04-15 (elizaOS) ## 1) `elizaos create` fails on macOS: “Bun's postinstall script was not run” — **#6704** - **Current Status:** OPEN (no comments) - **Impact Assessment:** - **User Impact:** **High** (blocks new project creation for macOS + Bun users; impacts onboarding funnel) - **Functional Impact:** **Yes** (CLI scaffolding/build step fails; project directory removed) - **Brand Impact:** **High** (first-run failure strongly signals poor DX) - **Technical Classification:** - **Category:** Bug / UX - **Component:** CLI / Bootstrap templates / Dependency management - **Complexity:** **Simple fix** - **Resource Requirements:** - **Required Expertise:** Bun + Node packaging, workspace dependency hygiene - **Dependencies:** None - **Estimated Effort:** **2/5** - **Recommended Priority:** **P0** - **Specific Actionable Next Steps:** 1. Remove `bun` from **runtime** dependencies of `@elizaos/cli` and `@elizaos/plugin-bootstrap`; keep `@types/bun` as dev-only. 2. Add a CLI preflight check: detect broken `node_modules/bun` stubs and print actionable guidance instead of failing mid-build. 3. Add a macOS (darwin-aarch64) CI smoke test that runs `elizaos create` end-to-end with Bun. 4. Update docs: “Bun installation expectations” + known pnpm/ignore-scripts pitfalls. - **Potential Assignees:** - **odilitime** (core/dev workflow changes) - **NubsCarson** (message/bootstrapping familiarity; can help validate template build flow) - Reporter **dirtybits** (validate fix on affected env) --- ## 2) Memory correctness regression in merged core hardening PR: IGNORE memories silently dropped when `ALLOW_MEMORY_SOURCE_IDS` is set — **PR #6562** - **Current Status:** **MERGED** (2026-04-08); regression flagged by automated review (Greptile) - **Impact Assessment:** - **User Impact:** **Medium → High** (affects any deployment using `ALLOW_MEMORY_SOURCE_IDS`; silent behavioral change) - **Functional Impact:** **Partial** (memory pipeline correctness; “IGNORE” outcomes no longer recorded as designed) - **Brand Impact:** **High** (silent data/behavior drift; hard to diagnose) - **Technical Classification:** - **Category:** Bug - **Component:** Core Framework (TypeScript) → `DefaultMessageService` memory persistence logic - **Complexity:** **Moderate effort** (needs fix + regression test + backport if releases exist) - **Resource Requirements:** - **Required Expertise:** Core message pipeline + memory persistence semantics - **Dependencies:** Should be fixed before further memory-control features ship - **Estimated Effort:** **3/5** - **Recommended Priority:** **P0** - **Specific Actionable Next Steps:** 1. Patch `IGNORE` persistence path to **not** require a hardcoded `"agent_response"` in allowlist (align with normal response persistence behavior). 2. Add unit tests covering: - `DISABLE_MEMORY_CREATION=true` (no memory writes) - `ALLOW_MEMORY_SOURCE_IDS` configured (normal + IGNORE persistence behavior) - Regression case where IGNORE was previously dropped 3. Add a changelog note: “Memory allowlist semantics clarified; IGNORE persistence restored.” 4. Consider a short-term mitigation flag (if needed): `PERSIST_IGNORE_MEMORIES=false` defaulting to current intended behavior. - **Potential Assignees:** - **odilitime** (author of #6562; fastest path to correct intent) - **greptile-apps** (review verification) - **NubsCarson** (message-service tests; recently worked in same area) --- ## 3) Semantic memory corruption: embedding failure persists a **zero-vector**, making stored memories effectively unretrievable — **PR #6562** - **Current Status:** **MERGED** (2026-04-08); flagged by automated review (Greptile) - **Impact Assessment:** - **User Impact:** **High** (any embedding outage/API error leads to silent “stored but never found” memories) - **Functional Impact:** **Partial** (retrieval degraded; subtle long-term agent performance issues) - **Brand Impact:** **High** (trust in “memory” feature erodes if entries vanish from retrieval) - **Technical Classification:** - **Category:** Bug / Data integrity - **Component:** Core Framework → runtime memory + embeddings pipeline - **Complexity:** **Moderate effort** - **Resource Requirements:** - **Required Expertise:** Embedding pipeline, vector DB/search assumptions, memory schema - **Dependencies:** Align with any memory controls (`DISABLE_MEMORY_CREATION`) and future AgentID work - **Estimated Effort:** **3/5** - **Recommended Priority:** **P0** - **Specific Actionable Next Steps:** 1. Change behavior on embedding failure: - **Do not persist** the memory until embeddings succeed, **or** - Persist with `embeddingStatus=FAILED` and exclude from similarity search until repaired. 2. Add a retry/re-embed job (on startup or periodic) for `FAILED` embeddings. 3. Add metrics/logging: count embedding failures; surface in health checks. 4. Add tests: simulated embedding failure should not write a zero-vector that poisons retrieval. - **Potential Assignees:** - **odilitime** (core runtime changes) - **0xSolace** (strong PR contribution history; could help implement robust fallback) - **greptile-apps** (review/verification) --- ## 4) Dev workflow / fresh clone risk: submodule workspace + lockfile inconsistencies may break installs/CI — **PR #6702** - **Current Status:** **MERGED** (2026-04-09); review flagged potential “fresh clone” breakage (workspace paths + `bun.lock` mismatch) - **Impact Assessment:** - **User Impact:** **High** (contributors and CI; potentially anyone running `bun install` from a clean checkout) - **Functional Impact:** **Yes** (install/build can fail before runtime starts) - **Brand Impact:** **Medium → High** (contributor friction; perceived repo instability) - **Technical Classification:** - **Category:** Bug / Build & Tooling - **Component:** Monorepo workspaces, submodule tooling scripts, lockfile integrity - **Complexity:** **Moderate effort** (requires reproducible verification + follow-up PR) - **Resource Requirements:** - **Required Expertise:** Bun workspaces/lockfiles, git submodules, CI pipelines - **Dependencies:** None, but blocks other work if CI/install is flaky - **Estimated Effort:** **3/5** - **Recommended Priority:** **P1** (upgrade to P0 if CI or user reports confirm breakage) - **Specific Actionable Next Steps:** 1. Run a “clean clone” verification in CI: - `git clone` (no submodules) → `bun install` → `bun run build` (should pass) - `git clone --recurse-submodules` → `bun install` → `bun run dev` (should pass) 2. If submodules are optional, ensure committed root `package.json` does **not** reference missing workspace dirs by default. 3. Regenerate `bun.lock` to match `workspace:*` resolution (or remove `workspace:*` if not guaranteed). 4. Document the supported dev modes: “core-only” vs “with optional submodules”. - **Potential Assignees:** - **odilitime** (author; owns dev workflow scripts) - **dutchiono** / **0xSolace** (strong TS contributions; can help validate CI matrix) --- ## 5) Group addressee routing PR has a logic bug that can silently disable name resolution when `agentId ≠ entityId` — **PR #6712** - **Current Status:** OPEN (not merged); Greptile flagged P1 logic bug (`aliasEntity` causing token ambiguity) - **Impact Assessment:** - **User Impact:** **Medium** (group chat connectors; multi-agent rooms) - **Functional Impact:** **Partial** (feature does not work as intended; agents may respond incorrectly or miss mentions) - **Brand Impact:** **Medium** (multi-party reliability is a visible quality signal) - **Technical Classification:** - **Category:** Bug / UX - **Component:** Core Framework → group routing / `shouldRespond` path - **Complexity:** **Moderate effort** - **Resource Requirements:** - **Required Expertise:** Entity/agent identity model, message routing, deterministic resolution - **Dependencies:** Should be fixed before merge; also interacts with AgentID direction - **Estimated Effort:** **3/5** - **Recommended Priority:** **P1** - **Specific Actionable Next Steps:** 1. Fix `aliasEntity` / registry mapping so alternate IDs do not create multi-entity token collisions. 2. Add a unit test covering: - room with an agent whose `agentId` differs from `entityId` - addressed-to-self and addressed-to-other detection 3. Add connector-level guidance: include `replyToEntityId` metadata where possible to reduce ambiguity. - **Potential Assignees:** - **odilitime** (PR author) - **greptile-apps** (re-review after fix) - **NubsCarson** (message service + routing test support) --- ## 6) `plugin-mnemopay` PR lacks persistence + has state corruption/null-safety risks — **PR #6701** - **Current Status:** OPEN; automated review recommends “not safe to merge” - **Impact Assessment:** - **User Impact:** **Low → Medium** (only affects adopters if merged; currently blocks a promising plugin) - **Functional Impact:** **Partial** (plugin’s stated purpose—long-term reputation/memory—fails without persistence) - **Brand Impact:** **Medium** (merging would harm trust in plugin quality) - **Technical Classification:** - **Category:** Bug / Feature quality - **Component:** Plugin System (financial/economic memory plugin) - **Complexity:** **Complex solution** (persistence design, eviction policy, tests) - **Resource Requirements:** - **Required Expertise:** Plugin architecture, storage adapters (SQL/kv), defensive config parsing - **Dependencies:** Decide on a standard persistence approach for plugins (SQL plugin? core memory store?) - **Estimated Effort:** **4/5** - **Recommended Priority:** **P2** (do not merge until corrected) - **Specific Actionable Next Steps:** 1. Add persistence (SQL adapter integration or pluggable storage interface). 2. Guard config parsing (`MNEMOPAY_REPUTATION_DELTA`) against NaN; provide defaults and warnings. 3. Fix all unsafe service casts in handlers/evaluator; return graceful `success:false` results. 4. Add eviction/limits for auto-tracked memories; tighten evaluator triggers. 5. Add tests for persistence, config validation, and action keyword disambiguation. - **Potential Assignees:** - **t49qnsx7qt-kpanks** (author/maintainer) - **odilitime** (plugin architecture guidance) - **dutchiono** (tests + TS plugin patterns) --- ## 7) Marketplace / security plugin proposals (triage for roadmap alignment) ### 7a) MAXIA marketplace plugin proposal — **#6700** - **Current Status:** OPEN - **Impact Assessment:** User Impact **Medium**, Functional Impact **No** (new capability), Brand Impact **Medium** - **Technical Classification:** Feature Request; Plugin System / External service integration; **Complex solution** - **Effort:** **4/5** - **Priority:** **P3** - **Next Steps:** Request a minimal scoped MVP (1–3 actions), clarify auth model + rate limits, define registry acceptance criteria for financial plugins. - **Potential Assignees:** **majorelalexis-stack** (author), **odilitime** (review), **loaditoutadmin** (security posture alignment) ### 7b) SafeAgent token safety checks plugin proposal — **#6706** - **Current Status:** OPEN - **Impact Assessment:** User Impact **Medium**, Functional Impact **No**, Brand Impact **High** (safety narrative) - **Technical Classification:** Feature Request / Security-adjacent; Plugin System / Wallet-trading workflows; **Moderate effort** - **Effort:** **3/5** - **Priority:** **P3** (raise to P2 if wallet plugin adoption grows and safety incidents occur) - **Next Steps:** Validate methodology, define “block trade” enforcement interface, add reproducible benchmarks and chain coverage docs. - **Potential Assignees:** **CryptoGenesisSecurity** (author), **0xSolace** (EVM/tooling), **odilitime** (policy integration) ### 7c) Capability token enforcement plugin proposal (SINT) — **#6707** - **Current Status:** OPEN - **Impact Assessment:** User Impact **Medium**, Functional Impact **Partial** (security posture for tool calls), Brand Impact **High** - **Technical Classification:** Security/Feature; Core guardrails integration + Plugin System; **Architectural change** - **Effort:** **5/5** - **Priority:** **P2** (strategically aligned with AgentID; not a same-day hotfix) - **Next Steps:** Align with AgentID schema direction (#6688), define minimum viable “capability approval” API in core, threat model + audit expectations. - **Potential Assignees:** **pshkv** (author), **odilitime** (core), **loaditoutadmin** (security review) --- # Concluding Summary ## 1) Top 5–10 highest-priority items to address now 1. **P0:** #6704 — `elizaos create` fails on macOS due to Bun postinstall dependency misuse. 2. **P0:** PR #6562 — IGNORE memory persistence regression when `ALLOW_MEMORY_SOURCE_IDS` is set. 3. **P0:** PR #6562 — zero-vector embedding fallback silently corrupts semantic memory retrieval. 4. **P1:** PR #6702 — verify/repair fresh-clone install integrity (workspace/submodule/lockfile consistency). 5. **P1:** PR #6712 — fix `aliasEntity` ambiguity bug before merging group addressee routing. 6. **P2:** PR #6701 — block merge until persistence + null-safety + tests are added. 7. **P2:** #6707 — begin design alignment for capability-based authorization (AgentID-adjacent). 8. **P3:** #6706 — evaluate safety plugin integration path for trading/wallet workflows. 9. **P3:** #6700 — marketplace plugin: request scoped MVP + security expectations. ## 2) Patterns / themes suggesting deeper architectural issues - **Silent failure modes in “memory” and “routing” core paths:** regressions (IGNORE persistence, zero-vector embeddings, addressee ambiguity) share a theme of *quietly degrading correctness* without clear operator visibility. - **DevEx fragility from dependency/workspace complexity:** Bun + workspaces + optional submodules increase the chance of “works on my machine” merges unless clean-clone CI is enforced. - **Security/economic features outpacing standardized interfaces:** multiple proposals (wallet ops, token safety, capability tokens, marketplaces) highlight missing common primitives: authorization, audit trails, and policy enforcement hooks. ## 3) Recommendations for process improvements - **Add “clean clone” CI gates** for Bun-based installs and basic commands (`bun install`, `bun run build`, `elizaos create`, minimal runtime boot). - **Introduce “data integrity” tests for memory pipelines:** ensure embedding failures, allowlists, and DISABLE flags behave predictably (no silent corruption, no silent drops). - **Adopt a pre-merge checklist for core behavior changes:** - explicit behavior-change notes (latency defaults, persistence semantics) - mandatory regression tests for any modification to `message.ts`/`runtime.ts` decision or persistence logic - **Define plugin acceptance criteria for financial/security plugins:** persistence expectations, auditability, config validation, and fail-safe behavior (e.g., “block trade” semantics must be explicit and testable).