## Issue Triage — 2026-04-19

### 1) Private disclosure: multiple security vulnerabilities in ElizaOS app (reported by **kullai**) — ID: DISCORD-SEC-2026-04-18-KULLAI
- **Current Status:** Reported privately to maintainer (**odilitime**); receipt acknowledged. No public tracking issue yet.
- **Impact Assessment:**
  - **User Impact:** **High** (unknown scope until triaged; could affect any deployment depending on vuln class)
  - **Functional Impact:** **Partial** (depends on vuln; could escalate to service compromise)
  - **Brand Impact:** **High** (security perception risk if mishandled or leaked)
- **Technical Classification:**
  - **Issue Category:** **Security**
  - **Component Affected:** **Core Framework / App runtime (unknown until details reviewed)**
  - **Complexity:** **Moderate → Complex** (depends on number/severity; may require coordinated patch + release)
- **Resource Requirements:**
  - **Required Expertise:** AppSec triage, threat modeling, secure coding, release management
  - **Dependencies:** Need full repro details + affected versions + attack preconditions; may require coordinated release cut
  - **Estimated Effort (1–5):** **4**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. Create a **private** tracking item (GitHub Security Advisory draft or private repo issue) and label severity per finding.
  2. Confirm **affected versions**, exploitability (remote/local), authentication requirements, and potential data exposure.
  3. Implement fixes behind tests; prepare **hotfix release** plan (including any plugin/app bundles affected).
  4. Prepare coordinated disclosure notes (CVE if warranted) after patch is available.
- **Potential Assignees:** **odilitime** (lead), **wakesync** (core), **puncar** (testing), **tcm390** (core)

---

### 2) PR introduces malware-like autonomous “virus” agent package — ID: elizaos/eliza PR **#6613** “feat(virus): add autonomous rust agent (concept art)”
- **Current Status:** Open PR; not merged.
- **Impact Assessment:**
  - **User Impact:** **Critical** (if merged, downstream users may unknowingly build/distribute it; high abuse potential)
  - **Functional Impact:** **No** (not needed for core functionality)
  - **Brand Impact:** **Critical** (project reputational risk; could trigger platform/AV flags and loss of trust)
- **Technical Classification:**
  - **Issue Category:** **Security**
  - **Component Affected:** **Repository / Distribution surface / Examples**
  - **Complexity:** **Simple fix** (close/reject/remove), but policy decision is important
- **Resource Requirements:**
  - **Required Expertise:** Security review, governance/maintainer decision-making
  - **Dependencies:** None
  - **Estimated Effort (1–5):** **1**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. **Do not merge.** Close PR with clear rationale (persistence + idle stealth + arbitrary shell execution).
  2. Add/clarify repository policy: disallow code that implements **persistence/stealth/autonomous shell** behaviors under official org.
  3. Add CI/review guardrails for “dangerous capability” additions (require security approval for shell/persistence features).
- **Potential Assignees:** **odilitime** (final call), **shawmakesmagic** (governance/mod), **stan0473** (core dev)
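A CI gate of the kind step 3 asks for, as an added example (not code from this triage log or from the elizaos/eliza repository): it inspects only the added lines of a unified diff for shell-execution, persistence and background/stealth markers and blocks the merge unless a `security-approved` label is present. The pattern list, label name and sample diff are assumptions.

```python
import re

# Capability classes that, per the triage note, need security sign-off before
# merge. The regexes are illustrative assumptions, not the project's policy.
DANGEROUS_PATTERNS = {
    "shell-exec": re.compile(r"std::process::Command|Command::new\(|child_process"
                             r"|subprocess\.(?:run|Popen|call)|os\.system|execSync\("),
    "persistence": re.compile(r"\.bashrc|\.profile|crontab|systemd/(?:user|system)"
                              r"|LaunchAgents|CurrentVersion\\+Run"),
    "stealth": re.compile(r"\b(?:daemonize|setsid|detach)\b", re.IGNORECASE),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return (path, new_line, category, text) for every flagged added line."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-side file header
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif (m := HUNK_RE.match(raw)):       # hunk header: new-side start line
            new_line = int(m.group(1))
        elif raw.startswith("+"):             # added line: the only text inspected
            text = raw[1:]
            for category, pattern in DANGEROUS_PATTERNS.items():
                if pattern.search(text):
                    findings.append((path, new_line, category, text.strip()))
            new_line += 1
        elif raw.startswith(" "):             # unchanged context advances new side
            new_line += 1
        # '-' lines (and '--- a/...' headers) are old-side only: no advance.
    return findings


def should_block(findings, labels, approval_label="security-approved"):
    """Fail the gate when dangerous additions lack the approval label."""
    return bool(findings) and approval_label not in set(labels)


# Constructed sample resembling the kind of PR described above (not the real diff).
SAMPLE_DIFF = """\
+++ b/examples/agent/src/main.rs
@@ -0,0 +1,5 @@
+use std::process::Command;
+fn persist(home: &str, cmd: &str) {
+    let rc = format!("{}/.bashrc", home);
+    let _ = Command::new("sh").arg("-c").arg(cmd).output();
+}
"""
```

In a workflow, feed `git diff origin/main...HEAD` to `scan_diff` and the PR's label names to `should_block`; a non-empty result with no approval label fails the job and lists file:line per category for the reviewer.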

---

### 3) Active phishing/scam campaigns impersonating team (fake Solana airdrops; repeated scammer reports) — ID: DISCORD-SCAM-2026-04-18-AIRDROPS
- **Current Status:** Ongoing reports; community members are warning each other; needs structured mitigation.
- **Impact Assessment:**
  - **User Impact:** **High** (community members at risk of wallet drain / credential theft)
  - **Functional Impact:** **No** (doesn’t break runtime, but disrupts community support channels)
  - **Brand Impact:** **High** (impersonation erodes trust quickly)
- **Technical Classification:**
  - **Issue Category:** **Security / UX (community safety)**
  - **Component Affected:** **Discord / Official comms**
  - **Complexity:** **Moderate effort** (process + moderation automation)
- **Resource Requirements:**
  - **Required Expertise:** Community ops/moderation, Discord security, link filtering/AutoMod setup
  - **Dependencies:** Clear “official channels” documentation; mod availability/timezone coverage
  - **Estimated Effort (1–5):** **3**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Ban/report confirmed scam accounts (e.g., repeated reports about **frog.cs**); enable stricter new-account permissions.
  2. Turn on Discord **AutoMod**: block common airdrop keywords, suspicious domains, and “impersonation display names”.
  3. Pin a permanent “**No Airdrops / Official Links Only**” message + locked announcement channel for verified updates.
  4. Add a lightweight incident playbook: how users report scams, what mods do, and response SLAs.
- **Potential Assignees:** **odilitime** (mod), **shawmakesmagic** (mod), **satsbased** (mini mod), **spankyxn** (helper)

---

### 4) Missing formal vulnerability disclosure policy (no SECURITY.md; reporting confusion) — ID: DOC-SECURITY-2026-04
- **Current Status:** Not documented; a contributor was initially advised to open a public issue/PR before that advice was corrected.
- **Impact Assessment:**
  - **User Impact:** **Medium** (increases chance of accidental public disclosure)
  - **Functional Impact:** **No**
  - **Brand Impact:** **High** (security maturity signal; affects researcher willingness to report)
- **Technical Classification:**
  - **Issue Category:** **Documentation / Security**
  - **Component Affected:** **Repo meta (GitHub) / Community workflows**
  - **Complexity:** **Simple fix**
- **Resource Requirements:**
  - **Required Expertise:** Maintainer policy writing, GitHub Security Advisories usage
  - **Dependencies:** Decide on contact method (security email vs GHSA only), expectations for response time
  - **Estimated Effort (1–5):** **2**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Add **SECURITY.md** with: private reporting steps, supported versions, response targets, and disclosure process.
  2. Add “Security issue?” checkbox to issue templates that routes reporters to SECURITY.md.
  3. Define whether a **bug bounty** exists (even “no bounty” is fine—just document it).
- **Potential Assignees:** **odilitime**, **stan0473**, **lalalune** (process/docs heavy contributor)

---

### 5) Runtime fix PR has a flagged type mismatch (risk of runtime/type errors) — ID: elizaos/eliza PR **#6543** “fix(runtime): handle IGNORE action fallback…”
- **Current Status:** Open PR; review tooling flagged a critical type mismatch in `embedding.ts`.
- **Impact Assessment:**
  - **User Impact:** **High** (runtime robustness; embedding path can break)
  - **Functional Impact:** **Partial** (affects agent runtime behavior and embedding stability)
  - **Brand Impact:** **Medium** (quality and reliability)
- **Technical Classification:**
  - **Issue Category:** **Bug**
  - **Component Affected:** **Core Framework (@elizaos/core runtime + embeddings)**
  - **Complexity:** **Moderate effort** (fix + validate + tests)
- **Resource Requirements:**
  - **Required Expertise:** TypeScript core runtime knowledge, embedding pipeline familiarity
  - **Dependencies:** Needs targeted fix + CI green; may interact with current dependency bumps
  - **Estimated Effort (1–5):** **3**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Fix the mismatch (pass the correct variable type into `retrieveCachedEmbedding`, per review note).
  2. Ensure consistent logging (`elizaLogger` vs `console.error`) if maintainers consider it blocking.
  3. Run `bun run test:core` and add one regression test for the IGNORE fallback path.
- **Potential Assignees:** **paulf280-ui** (author), **odilitime** (core review), **wakesync** (runtime)

---

### 6) Release automation overhaul is still unmerged (large, high-risk, blocks stable release posture) — ID: elizaos/eliza PR **#6530** “V2.0.0 release”
- **Current Status:** Open PR; major CI/release refactor pending.
- **Impact Assessment:**
  - **User Impact:** **Medium → High** (release stability affects everyone consuming packages)
  - **Functional Impact:** **Partial** (blocks predictable publishing; can halt downstream upgrades)
  - **Brand Impact:** **High** (broken releases are highly visible)
- **Technical Classification:**
  - **Issue Category:** **Bug / Performance (CI) / Infrastructure**
  - **Component Affected:** **CI/CD, release workflows, packaging (TS/Python/Rust)**
  - **Complexity:** **Architectural change**
- **Resource Requirements:**
  - **Required Expertise:** GitHub Actions, multi-language packaging, NPM/PyPI/crates releases
  - **Dependencies:** Coordination with ongoing dependency bumps; may require staged rollout
  - **Estimated Effort (1–5):** **5**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Break PR into mergeable chunks (CI consolidation, release flows, SBOM scanning) to reduce blast radius.
  2. Create a “release contract” checklist: publish dry-run, artifact verification, rollback steps.
  3. Ensure serialized workflows + retry logic align with current registry/plugin release processes.
- **Potential Assignees:** **odilitime** (author/lead), **lalalune** (infra stability), **tcm390** (core)

---

### 7) Contribution guide PR has an unusually massive diff (risk of noisy/unreviewable change) — ID: elizaos/eliza PR **#6647** “docs: Add comprehensive CONTRIBUTING.md guide”
- **Current Status:** Open PR; very large additions/deletions for a docs change.
- **Impact Assessment:**
  - **User Impact:** **Medium** (onboarding quality matters; but not blocking runtime)
  - **Functional Impact:** **No**
  - **Brand Impact:** **Medium** (good docs help; messy PR hurts contributor experience)
- **Technical Classification:**
  - **Issue Category:** **Documentation**
  - **Component Affected:** **Repo meta / contributor workflow**
  - **Complexity:** **Moderate effort** (needs pruning + alignment with current workflow)
- **Resource Requirements:**
  - **Required Expertise:** Maintainer workflow knowledge, docs editing
  - **Dependencies:** Must match current toolchain (bun/node versions, monorepo layout, plugin policy)
  - **Estimated Effort (1–5):** **2**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Ask author to rebase and reduce scope to *only* `CONTRIBUTING.md` (+ minimal supporting docs).
  2. Verify instructions reflect post–Eliza Labs restructuring and “plugins in independent repos” guidance.
  3. Add a short “Security reporting” section linking to SECURITY.md (see Issue #4).
- **Potential Assignees:** **vincent067** (author), **lalalune** (process/docs), **odilitime** (final)

---

### 8) New commerce integration proposal (Merxex) lacks scoped requirements and security model — ID: GH-ISSUE-2026-04-18-MERXEX (number not present in provided data)
- **Current Status:** New issue opened (per dev log); evaluation stage.
- **Impact Assessment:**
  - **User Impact:** **Low → Medium** (feature value depends on adoption)
  - **Functional Impact:** **No**
  - **Brand Impact:** **Medium** (commerce implies trust/safety expectations)
- **Technical Classification:**
  - **Issue Category:** **Feature Request**
  - **Component Affected:** **Plugin System / Agent-to-agent commerce**
  - **Complexity:** **Complex solution** (security, payments, identity, dispute/escrow semantics)
- **Resource Requirements:**
  - **Required Expertise:** Web3/payments, plugin API design, security/threat modeling
  - **Dependencies:** Needs a baseline security model (scoped authority/delegation; safe key handling)
  - **Estimated Effort (1–5):** **4**
- **Recommended Priority:** **P3**
- **Specific Actionable Next Steps:**
  1. Require a design doc: threat model, custody model, permissions, replay protection, audit logs.
  2. Decide whether this belongs in official org or third-party plugin repo.
  3. Add an “unsafe-by-default” warning if any wallet spend actions are exposed.
- **Potential Assignees:** **odilitime** (architecture), **wakesync** (core), **0xSolace** (ecosystem integrations)

---

### 9) Plugin registry intake: `@quantoracle/plugin-quantoracle` proposed addition — ID: REGISTRY-PLUGIN-2026-04-18-QUANTORACLE
- **Current Status:** Proposed for registry inclusion (per dev log); not yet validated in this dataset.
- **Impact Assessment:**
  - **User Impact:** **Low → Medium** (only users who install it)
  - **Functional Impact:** **No**
  - **Brand Impact:** **Medium** (registry inclusion implies a minimum quality/security bar)
- **Technical Classification:**
  - **Issue Category:** **Feature Request / Documentation (registry policy)**
  - **Component Affected:** **Plugin System / Registry**
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** Plugin review, supply-chain safety (deps, signing/publishing), API compatibility checks
  - **Dependencies:** Registry acceptance criteria; CI checks for plugin manifests and basic smoke tests
  - **Estimated Effort (1–5):** **2**
- **Recommended Priority:** **P3**
- **Specific Actionable Next Steps:**
  1. Run registry validation: licensing, repo ownership, package provenance, minimal tests.
  2. Require security notes (API keys, network calls, data handling).
  3. Confirm compatibility with current `@elizaos/*` versions (avoid