# Issue Triage — 2026-04-28

## 1) Security/Brand Blocker: “feat(virus): add autonomous rust agent (concept art)” — PR elizaos/eliza#6613
- **Current Status:** Open PR (unmerged); automated review flags malware-like behavior (persistence + idle stealth + arbitrary shell execution).
- **Impact Assessment:**
  - **User Impact:** Medium (direct users only if merged/distributed), but **risk surface is broad**
  - **Functional Impact:** No (new package), **but introduces high-risk capability**
  - **Brand Impact:** **High/Critical** (perception of shipping malware tooling)
- **Technical Classification:**
  - **Category:** Security
  - **Component:** Core repo distribution / Examples / Native agent binaries
  - **Complexity:** Simple fix (policy + PR disposition) / Architectural change if kept (sandboxing, permissions)
- **Resource Requirements:**
  - **Required Expertise:** Security engineering, release governance, legal/ethics review
  - **Dependencies:** None; decision should precede further work
  - **Estimated Effort (1–5):** 1–2 (to close/contain); 5 if attempting to make “safe”
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. Maintainers decide **“won’t merge”** and close PR with clear rationale (persistence/stealth/shell via LLM is unacceptable in mainline).
  2. Add/strengthen repo policy: “No persistence/stealth/execution surfaces in official packages without explicit sandbox + permissioning.”
  3. If value is desired, move to an external “unsafe research” repo and remove from monorepo history if needed.
- **Potential Assignees:** **odilitime**, **lalalune** (maintainers/release governance), plus a security reviewer (e.g., **ai16z-demirix** if available).

---

## 2) Ecosystem-Wide Dependency Modernization (Node 24 / TypeScript 6 / Rimraf 6) — Renovate wave (e.g., elizaos/eliza PRs #6909, #6900, #6899 and related)
- **Current Status:** In progress; CI results pending to validate major version bumps across core repos (per dev logs).
- **Impact Assessment:**
  - **User Impact:** High (affects contributors and anyone building from source; downstream plugin builds)
  - **Functional Impact:** **Partial** (can block installs/builds/CI/release pipelines)
  - **Brand Impact:** Medium/High (churn and instability visible to OSS community)
- **Technical Classification:**
  - **Category:** Performance/Build System (and Compatibility)
  - **Component:** Toolchain/CI, monorepo packages, plugin ecosystem
  - **Complexity:** Complex solution (multi-repo compatibility + CI matrix)
- **Resource Requirements:**
  - **Required Expertise:** CI/build tooling, TypeScript ecosystem, Node runtime compatibility
  - **Dependencies:** Requires stable CI + clear version policy; may depend on CI migration diagnostics
  - **Estimated Effort (1–5):** 4
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Create a single tracking issue (“Node24/TS6 cutover”) with an owner and checklist (CI green, local dev, release, templates, plugin contracts).
  2. Gate merges behind a compatibility matrix: Node 20/22/24 (at least during transition) and TS 5.9 + 6.
  3. Identify and pin any known-breakers (native deps like sharp/onnxruntime/tokenizers; bun interoperability).
  4. Communicate a cutover date and support window to plugin maintainers.
- **Potential Assignees:** **lalalune** (dependency modernization lead per logs), **odilitime** (core), **2-A-M** (CI/test hardening).

---

## 3) Chat Reliability: Responses dropped during race conditions (explicit `REPLY` discarded) — PR elizaos/eliza#7143 (+ related #7141)
- **Current Status:** Fix implemented in PR(s); must ensure merged + released everywhere it matters (agent/app-core deployments).
- **Impact Assessment:**
  - **User Impact:** High (intermittent “agent didn’t reply” is widely experienced and hard to diagnose)
  - **Functional Impact:** **Yes** (core messaging loop correctness)
  - **Brand Impact:** High (appears flaky/unreliable)
- **Technical Classification:**
  - **Category:** Bug
  - **Component:** Core Framework (message service / action routing)
  - **Complexity:** Moderate effort (needs regression tests + rollout verification)
- **Resource Requirements:**
  - **Required Expertise:** Runtime/message pipeline, concurrency/race handling, test engineering
  - **Dependencies:** Release pipeline health; downstream apps consuming the package
  - **Estimated Effort (1–5):** 3
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Merge PR(s) with targeted regression tests (multi-message same-room, streaming on/off).
  2. Confirm versions: ensure agent/app-core pin the fixed `@elizaos/*` alpha version(s).
  3. Add runtime telemetry/log counters: “race-discard fired”, “explicit reply preserved”, “dropped reply reason”.
- **Potential Assignees:** **NubsCarson** (message pipeline fixes), **odilitime**, **2-A-M** (tests/rollout discipline).
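To make the invariant and counters in the next steps above concrete, here is an added TypeScript sketch (not eliza's message service; `ResponseArbiter`, `AgentResponse` and the request-id scheme are assumptions) of a race guard that never discards an explicit `REPLY` and records why stale output was dropped:

```typescript
// Added example, not project code: a per-room arbiter that decides whether a finished
// agent response may still be delivered after a newer message superseded its request.
type AgentResponse = { roomId: string; requestId: number; actions: string[]; text: string };
type Verdict = { deliver: boolean; reason: "fresh" | "explicit-reply-preserved" | "superseded" };

class ResponseArbiter {
  private latestRequest = new Map<string, number>(); // roomId -> newest request id seen
  // Counters mirroring the telemetry named in the triage: "race-discard fired",
  // "explicit reply preserved" and a breakdown of "dropped reply reason".
  readonly counters = { raceDiscardFired: 0, explicitReplyPreserved: 0 };
  readonly dropReasons = new Map<string, number>();

  // Call when a user message starts processing; higher ids supersede in-flight work.
  beginRequest(roomId: string, requestId: number): void {
    const current = this.latestRequest.get(roomId) ?? -1;
    if (requestId > current) this.latestRequest.set(roomId, requestId);
  }

  // Decide whether a completed response is still deliverable.
  arbitrate(res: AgentResponse): Verdict {
    const newest = this.latestRequest.get(res.roomId) ?? res.requestId;
    if (res.requestId >= newest) return { deliver: true, reason: "fresh" };
    // Stale response. Only implicit/silent output may be discarded: an explicit REPLY is
    // user-visible intent, so the race guard must preserve it and count that decision.
    if (res.actions.includes("REPLY")) {
      this.counters.explicitReplyPreserved++;
      return { deliver: true, reason: "explicit-reply-preserved" };
    }
    this.counters.raceDiscardFired++;
    this.dropReasons.set("superseded", (this.dropReasons.get("superseded") ?? 0) + 1);
    return { deliver: false, reason: "superseded" };
  }
}
```

A regression test for the incident class is then just two overlapping requests in one room with the older one carrying `REPLY`.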

---

## 4) Credential Handling & Security: GitHub PAT persistence for coding sub-agents — PR elizaos/eliza#7139
- **Current Status:** Feature PR adds UI card + PAT storage and injects token into sub-agents via env var.
- **Impact Assessment:**
  - **User Impact:** Medium/High (coding-agent users; improves usability but mishandling is costly)
  - **Functional Impact:** Partial (enables a major workflow; failure = blocked GitHub actions for sub-agents)
  - **Brand Impact:** High if token leakage occurs
- **Technical Classification:**
  - **Category:** Security + UX
  - **Component:** App-Core/Agent services (credentials store, settings UI)
  - **Complexity:** Moderate effort (secure storage, redaction, threat modeling)
- **Resource Requirements:**
  - **Required Expertise:** Secrets management, desktop app security, API design
  - **Dependencies:** Storage mechanism (OS keychain vs file/db), logging/redaction standards
  - **Estimated Effort (1–5):** 3–4
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Ensure PAT is stored in **OS keychain** (macOS Keychain / Windows Credential Manager / libsecret) or encrypted at rest with clear key management.
  2. Add strict log redaction and “never echo token” tests.
  3. Require least-privilege scopes guidance in UI (fine-grained PAT, repo-scoped).
  4. Add “disconnect” + token rotation instructions.
- **Potential Assignees:** **Dexploarer** (app-core surfaces), **odilitime**, plus a security reviewer (again **ai16z-demirix** if available).
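For step 2 above, an added TypeScript example (not the PR's code) of the redaction layer and the "never echo token" check; the token shapes are assumptions based on GitHub's public prefixes (classic `ghp_` plus 36 alphanumerics, fine-grained `github_pat_` plus 82 characters) and the env var names are assumed:

```typescript
// Added example, not project code: scrub GitHub PATs from anything headed for a log,
// including the "GITHUB_TOKEN=..." form that appears when a sub-agent's env is echoed.
// Assumed token shapes; adjust the widths if GitHub changes its formats.
const GITHUB_TOKEN_PATTERNS: RegExp[] = [
  /\bgh[pousr]_[A-Za-z0-9]{36}\b/g,   // classic PAT / OAuth / user-to-server tokens
  /\bgithub_pat_[A-Za-z0-9_]{82}\b/g, // fine-grained PAT
];

// Env var names (assumed) whose values must never be logged, whatever they look like.
const SECRET_ENV_NAMES = /^(GITHUB_TOKEN|GH_TOKEN|GITHUB_PAT)$/i;

function redactSecrets(text: string): string {
  // Env-assignment form first, then bare tokens anywhere in free text.
  let out = text.replace(/\b(GITHUB_TOKEN|GH_TOKEN|GITHUB_PAT)=([^\s'"]+)/gi, "$1=[REDACTED]");
  for (const re of GITHUB_TOKEN_PATTERNS) out = out.replace(re, "[REDACTED_GITHUB_TOKEN]");
  return out;
}

// Produce a loggable copy of the environment injected into a coding sub-agent.
function redactEnv(env: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(env)) {
    out[name] = SECRET_ENV_NAMES.test(name) ? "[REDACTED]" : redactSecrets(value);
  }
  return out;
}

// "Never echo token" assertion: true if any known token shape survives in the text.
// A fresh RegExp per call avoids the lastIndex state of the /g patterns.
function containsToken(text: string): boolean {
  return GITHUB_TOKEN_PATTERNS.some((re) => new RegExp(re.source).test(text));
}
```

Wire `containsToken` into the logger as a test-time assertion on every emitted line so a regression fails CI instead of leaking to disk.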

---

## 5) CI Migration Diagnostics (tooling drift / pipeline stability) — WIP (no single issue referenced in logs)
- **Current Status:** Ongoing investigation per dev summary (“CI migration diagnostics in progress”).
- **Impact Assessment:**
  - **User Impact:** High (contributors blocked; releases delayed)
  - **Functional Impact:** **Partial/Yes** (release automation and validation)
  - **Brand Impact:** Medium/High (visible instability, long PR queues)
- **Technical Classification:**
  - **Category:** Performance/Build System
  - **Component:** CI, release automation, multi-language matrix (TS/Python/Rust)
  - **Complexity:** Complex solution
- **Resource Requirements:**
  - **Required Expertise:** GitHub Actions, caching, monorepo CI architecture
  - **Dependencies:** Dependency modernization wave; release workflow changes
  - **Estimated Effort (1–5):** 4
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Open a tracking issue: “CI migration diagnostics” with failure modes, owners, and an SLA for CI health.
  2. Add a “Known CI Failures” section in CONTRIBUTING + a script to reproduce key CI stages locally.
  3. Stabilize by freezing major toolchain bumps until CI is green (or isolate via feature branches).
- **Potential Assignees:** **lalalune**, **odilitime**, **2-A-M**.

---

## 6) Broken External Link: Milady Play Store link in GitHub repo is non-functional — (Needs issue; reported on Discord 2026-04-26)
- **Current Status:** Reported by community; no fix recorded in provided logs.
- **Impact Assessment:**
  - **User Impact:** Medium (new users blocked from installation path)
  - **Functional Impact:** Partial (distribution/onboarding)
  - **Brand Impact:** Medium (basic quality signal)
- **Technical Classification:**
  - **Category:** Documentation/UX
  - **Component:** Repo docs/README, distribution metadata
  - **Complexity:** Simple fix
- **Resource Requirements:**
  - **Required Expertise:** Docs/repo maintenance
  - **Dependencies:** Correct destination URL; confirm app listing status
  - **Estimated Effort (1–5):** 1
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Create a GitHub issue: “Fix Milady Play Store link in README/docs”.
  2. Update link(s) and add a lightweight link-check job (weekly) to catch regressions.
- **Potential Assignees:** **binkyfishai** (UI/docs polish), **odilitime** (maintainer).

---

## 7) AppsView Image Rendering Improvements — WIP (mentioned in dev logs)
- **Current Status:** In progress; details unspecified (“AppsView image rendering improvements”).
- **Impact Assessment:**
  - **User Impact:** Medium (app catalog discoverability/clarity)
  - **Functional Impact:** Partial (UI usability)
  - **Brand Impact:** Medium (visual quality)
- **Technical Classification:**
  - **Category:** UX/Bug
  - **Component:** App-Core GUI (AppsView)
  - **Complexity:** Moderate effort
- **Resource Requirements:**
  - **Required Expertise:** React/UI, asset pipeline, possibly Electron/Electrobun constraints
  - **Dependencies:** None explicit; may be tied to native window surfaces work
  - **Estimated Effort (1–5):** 2–3
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Define acceptance criteria (broken images? wrong aspect ratio? caching?).
  2. Add a UI test snapshot or minimal runtime test validating image URL resolution/fallback.
- **Potential Assignees:** **Dexploarer**, **binkyfishai**.

---

## 8) Planning Architecture Clarity: HTN (Hierarchical Task Networks) implementation uncertainty + roadmap — (Needs issue; discussed 2026-04-25)
- **Current Status:** Conceptual discussion; uncertainty about v2 HTN details; suggestion to upgrade HTN-lite → full HTN at beta.
- **Impact Assessment:**
  - **User Impact:** Low/Medium (advanced users/builders)
  - **Functional Impact:** No (not an immediate break), but affects future planning system direction
  - **Brand Impact:** Medium (confusion around capabilities)
- **Technical Classification:**
  - **Category:** Documentation / Feature Request
  - **Component:** Core Framework (planning/agent goal decomposition)
  - **Complexity:** Architectural change (if moving to full HTN via LLM planning)
- **Resource Requirements:**
  - **Required Expertise:** Agent planning architectures, prompt/planner design, evaluation/benchmarks
  - **Dependencies:** v2/v3 stabilization; planner reliability; test harness
  - **Estimated Effort (1–5):** 4–5
- **Recommended Priority:** **P3** (plan deliberately; don’t destabilize near releases)
- **Specific Actionable Next Steps:**
  1. Write an ADR: current HTN-lite behavior, intended “full HTN” meaning, and migration stages.
  2. Add documentation page describing planning stack + extension points.
  3. Define benchmarks (task decomposition quality, tool-use success, cost/latency).
- **Potential Assignees:** **odilitime** (core architecture), **2-A-M** (runtime/planner wiring), community contributor **thirti.eth** (context).

---

## 9) Community Security: Scam link attempts in Discord (moderation response was successful) — (Process item; no GitHub issue referenced)
- **Current Status:** Scammer identified and banned by moderator (odilitime); reactive defense worked.
- **Impact Assessment:**
  - **User Impact:** Medium (Discord users; risk of credential theft)
  - **Functional Impact:** No
  - **Brand Impact:** High (trust/safety in community channels)
- **Technical Classification:**
  - **Category:** Security / Community Ops
  - **Component:** Discord moderation + user safety guidance
  - **Complexity:** Moderate effort (automation + policy)
- **Resource Requirements:**
  - **Required Expertise:** Community ops, Discord automod configuration, security awareness
  - **Dependencies:** None
  - **Estimated Effort (1–5):** 2
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Add an automated anti-phishing rule set (link filtering, new-account restrictions, keyword triggers).
  2. Pin a “Never share keys/tokens; official links only; how to verify staff” message.
  3. Add an incident template + escalation path for moderators.
- **Potential Assignees:** **odilitime** (moderator), community ops volunteers (e.g., **blockmaster0xd2** as helper).

---

# Concluding Summary

## Top 5–10 highest priority items to address immediately
1. **P0:** PR **#6613** — block/close malware-like “virus” agent package; add explicit policy.
2. **P1:** Dependency modernization cutover (Node 24 / TS 6) — coordinate, gate with CI, track in one place.
3. **P1:** Message race-condition reply drops — merge/release **#7143/#7141** and verify rollout.
4. **P1:** GitHub PAT persistence for coding sub-agents — secure storage + redaction + least-privilege UX before broad adoption.
5. **P1:** CI migration diagnostics — restore CI/release stability; freeze risky merges if needed.
6. **P2:** Fix broken Milady Play Store link; add link-check automation.
7. **P2:** AppsView image rendering — define bug/acceptance + add regression coverage.
8. **P2:** Discord anti-scam hardening — automate what moderators are doing manually.
9. **P3:** HTN planning documentation/ADR — clarify architecture and future direction.

## Patterns / themes indicating deeper architectural issues
- **Toolchain volatility + CI fragility:** Major version bumps across Node/TS and multi-language tooling are happening while CI migration is still in flux, increasing breakage probability.
- **Runtime correctness under concurrency:** Multiple fixes target message routing and race handling, suggesting the core messaging pipeline needs stronger invariants and better observability.
- **Credentials & monetization expanding fast:** Adding billing/PAYG and PAT persistence raises the stakes for security hygiene (storage, redaction, audits) across desktop + cloud surfaces.

## Process improvement recommendations
- **Create single “tracking issues” for cross-cutting migrations** (CI migration, Node/TS cutover) with explicit owners, stop/go criteria, and a merge policy.
- **Security governance for risky contributions:** add a lightweight security review gate for PRs touching execution, persistence, credentials, or networking; document “unacceptable behaviors” in CONTRIBUTING.
- **Observability-first for core runtime bugs:** standardize structured logs/metrics for message lifecycle decisions (discard reasons, action routing decisions) and require a regression test for each messaging incident class.
- **Automate community safety controls:** implement Discord automod baselines and publish official link registries to reduce scam effectiveness.