## Issue Triage — 2026-04-29

### 1) **bun install blocked by missing transitive dependency (merge required) — elizaos/eliza#7146**
- **Current Status:** Open PR; explicitly identified as the primary blocker for the modernization stack.
- **Impact Assessment:**
  - **User Impact:** **Critical** (contributors + downstream repos can’t reliably install/build)
  - **Functional Impact:** **Yes** (blocks builds, CI, and dependency upgrades)
  - **Brand Impact:** **High** (appears “broken to build”)
- **Technical Classification:**
  - **Category:** Bug / Build Reliability
  - **Component:** Tooling / Dependency Graph (Bun, workspace)
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** Bun package resolution, TS monorepo/workspaces, lockfiles, CI
  - **Dependencies:** Unblocks Node.js 24 / TS 6 / Bun 1.3.13 / React 19 update work across repos
  - **Estimated Effort:** **4/5**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  - [ ] Reproduce failure from clean environment (`rm -rf node_modules bun.lock && bun install`) and capture the missing transitive package + resolution path.
  - [ ] Ensure fix is deterministic across OS (Linux/macOS/Windows runners) and CI images.
  - [ ] Add a CI smoke step that validates `bun install` in a clean workspace (to prevent recurrence).
  - [ ] Merge #7146 ASAP; immediately re-run stalled dependency PR stack.
- **Potential Assignees:** **odilitime** (infra/release), **lalalune** (core stability), **shawmakesmagic** (integration ownership)

---

### 2) **CI/CD is failing to run bun install + tsc in downstream repos (regressions undetected) — elizaos/cloud (workflow failures), elizaos-plugins/registry (workflow failures)**
- **Current Status:** Ongoing; called out in dev logs as actively failing and masking regressions.
- **Impact Assessment:**
  - **User Impact:** **High** (cloud + plugin ecosystem changes can break silently)
  - **Functional Impact:** **Partial** (runtime may still work, but releases/QA compromised)
  - **Brand Impact:** **High** (shipping instability, broken mainline confidence)
- **Technical Classification:**
  - **Category:** Bug / Reliability
  - **Component:** CI Pipelines (cloud, registry), TypeScript build checks
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** GitHub Actions, Bun, TypeScript project refs, caching strategies
  - **Dependencies:** Likely blocked/compounded by elizaos/eliza#7146; may also require pinning tool versions
  - **Estimated Effort:** **3/5**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  - [ ] After #7146 merge: re-enable/verify `bun install` and `tsc --noEmit` steps in **cloud** and **registry** workflows.
  - [ ] Add explicit “fail fast” checks (install + typecheck) and ensure they are required for merge.
  - [ ] Audit CI cache keys (Bun version + lockfile hash) to prevent stale cache hiding failures.
  - [ ] Create a short “CI Health” dashboard issue documenting current red workflows and owners.
- **Potential Assignees:** **odilitime**, **dutchiono** (cloud), **2-A-M** (test/coverage discipline)

---

### 3) **Security/brand risk: autonomous shell-executing “virus” package proposed in repo — elizaos/eliza PR #6613**
- **Current Status:** Open PR; contains behaviors strongly matching malware characteristics (persistence, idle stealth, unrestricted shell exec).
- **Impact Assessment:**
  - **User Impact:** **High** (if merged/distributed, users could run a dangerous binary)
  - **Functional Impact:** **Partial** (not required for core, but introduces major risk surface)
  - **Brand Impact:** **Critical** (association with “virus/RAT” behavior under elizaOS brand)
- **Technical Classification:**
  - **Category:** **Security**
  - **Component:** Examples / Packaging / Distribution Safety
  - **Complexity:** **Architectural change** (requires policy + repo hygiene decisions more than code tweaks)
- **Resource Requirements:**
  - **Required Expertise:** Security review, supply-chain policy, maintainership governance
  - **Dependencies:** None; should be handled independently and urgently
  - **Estimated Effort:** **2/5** (to decide/close) to **5/5** (if attempting to “sanitize” safely)
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  - [ ] Immediate maintainer decision: **close PR** or move to a non-official sandbox repo/fork.
  - [ ] Add/clarify contribution policy: disallow persistence + unrestricted shell exec examples in core monorepo.
  - [ ] Add a SECURITY.md note on prohibited PoCs and review requirements for OS-level automation.
  - [ ] If any code is kept: rename package + remove persistence/idle stealth + gate shell commands behind explicit allowlisted tools with user confirmation (but default recommendation: do not merge).
- **Potential Assignees:** **odilitime** (maintainer), **lalalune** (core), security-focused contributors (e.g., **ai16z-demirix** for review support)
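
One way to build the gate named in the last step above: a fixed tool allowlist plus explicit user confirmation, in place of unrestricted shell exec. This is an added example, not code from PR #6613 or any elizaOS repository; the tool names, `planCommand`, `runTool`, `safeRelPath` and the `confirm` callback are assumptions.

```javascript
// Added example; every name here is hypothetical, not elizaOS code.
// A Map (not a plain object) so names like "constructor" cannot resolve to a prototype member.
const ALLOWED_TOOLS = new Map([
  ["git-status", { bin: "git", buildArgs: () => ["status", "--porcelain"] }],
  ["list-dir", { bin: "ls", buildArgs: (input) => ["-la", "--", safeRelPath(input.path)] }],
]);

// Accept only short relative paths that stay inside the working directory.
function safeRelPath(p) {
  if (typeof p !== "string" || p.length === 0 || p.length > 256) {
    throw new Error("path must be a non-empty string of at most 256 chars");
  }
  if (p.startsWith("/") || p.startsWith("-") || p.includes("\0")) {
    throw new Error("path rejected");
  }
  if (p.split("/").includes("..")) throw new Error("path escapes workspace");
  return p;
}

// Pure policy step: map a tool request to a fixed binary and argv, or refuse.
function planCommand(name, input) {
  const tool = ALLOWED_TOOLS.get(name);
  if (!tool) return { ok: false, reason: "tool not allowlisted" };
  try {
    return { ok: true, bin: tool.bin, argv: tool.buildArgs(input ?? {}) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Execution step: show the exact argv to the user, then run without a shell.
async function runTool(name, input, confirm) {
  const plan = planCommand(name, input);
  if (!plan.ok) return plan;
  // Deny by default: anything other than an explicit `true` cancels the run.
  if ((await confirm(plan.bin, plan.argv)) !== true) {
    return { ok: false, reason: "user declined" };
  }
  const { execFile } = await import("node:child_process");
  const { promisify } = await import("node:util");
  // execFile takes an argv array, so shell metacharacters are never interpreted.
  const { stdout } = await promisify(execFile)(plan.bin, plan.argv, { timeout: 5000 });
  return { ok: true, output: stdout };
}
```

The agent never supplies a command string: it can only name a tool, and the argv shown to the user in `confirm` is exactly what is executed.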

---

### 4) **Dependency modernization stack stalled (Node.js 24 / TypeScript 6 / Bun 1.3.13 / React 19.2.5) — blocked by build/install issues**
- **Current Status:** In progress but “critically blocked” per dev logs; broad upgrade effort paused.
- **Impact Assessment:**
  - **User Impact:** **High** (developers blocked; ecosystem fragmentation across versions)
  - **Functional Impact:** **Partial** (core may run, but upgrades + plugin compatibility stall)
  - **Brand Impact:** **Medium/High** (appears hard to maintain/upgrade)
- **Technical Classification:**
  - **Category:** Performance / Maintenance (Build + Compatibility)
  - **Component:** Toolchain + Frontend stack
  - **Complexity:** **Complex solution** (cross-repo coordination)
- **Resource Requirements:**
  - **Required Expertise:** TS config, Bun/runtime nuances, React migration, CI matrix testing
  - **Dependencies:** Unblocked by #7146 and CI pipeline repair
  - **Estimated Effort:** **5/5**
- **Recommended Priority:** **P1** (start immediately after P0 blockers clear)
- **Specific Actionable Next Steps:**
  - [ ] Define an “upgrade tranche plan” (tooling first → core packages → apps → plugins).
  - [ ] Add a compatibility matrix CI job (Node 22 LTS vs Node 24; Bun pinned) until migration completes.
  - [ ] Freeze non-essential feature merges during the critical toolchain bump window to reduce churn.
- **Potential Assignees:** **odilitime**, **Dexploarer** (app-core/react surfaces), **2-A-M** (tests/automation coverage)

---

### 5) **Broken Milady Play Store link referenced from GitHub (user-facing) — ID: TBD (create GH issue)**
- **Current Status:** Reported in Discord (2026-04-26); no linked GitHub issue in provided data.
- **Impact Assessment:**
  - **User Impact:** **Medium** (blocks installs / onboarding for Android users)
  - **Functional Impact:** **Partial** (distribution path broken)
  - **Brand Impact:** **High** (public-facing link rot)
- **Technical Classification:**
  - **Category:** Documentation / UX
  - **Component:** Repo README/docs, release/distribution metadata
  - **Complexity:** **Simple fix**
- **Resource Requirements:**
  - **Required Expertise:** Docs maintenance, release management
  - **Dependencies:** None
  - **Estimated Effort:** **1/5**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  - [ ] File a GitHub issue referencing the exact repo/path and the expected Play Store URL.
  - [ ] Fix link(s) in README/docs + any in-app “Get Milady” surfaces.
  - [ ] Add a docs CI link-check (at least for top-level READMEs / release pages).
- **Potential Assignees:** **shawmakesmagic** (Milady integration owner), **Dexploarer** (app-core UI/docs), **odilitime** (repo hygiene)

---

### 6) **x402 + $ELIZA as default payment method: documentation + UX clarity gaps — ID: TBD (create GH issue)**
- **Current Status:** Implemented per Discord (2026-04-28); users asked for clarification (“Does this mean billing x402 with $ELIZA?”).
- **Impact Assessment:**
  - **User Impact:** **Medium** (billing confusion can block adoption)
  - **Functional Impact:** **Partial** (feature works but unclear)
  - **Brand Impact:** **Medium/High** (payments ambiguity erodes trust)
- **Technical Classification:**
  - **Category:** Documentation / UX
  - **Component:** Payments (x402), Cloud/Agent billing surfaces
  - **Complexity:** **Moderate effort** (docs + small UI copy + examples)
- **Resource Requirements:**
  - **Required Expertise:** x402 flow knowledge, billing UX, docs
  - **Dependencies:** Coordinate with any ongoing x402 paid route work (recently landed features mentioned in logs)
  - **Estimated Effort:** **2/5**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  - [ ] Publish a single canonical explainer: “How x402 billing works with $ELIZA” (buyer/seller, wallet flow, fees).
  - [ ] Add an end-to-end example (curl `.well-known/x402` discovery → paid call) in docs.
  - [ ] Ensure UI copy avoids implying exclusivity if strategy is “accept any payment, buy back tokens” (Discord strategy discussion shows tension here).
- **Potential Assignees:** **odilitime** (platform comms), **shawmakesmagic** (product direction), **2-A-M** (tests + surfaced UX patterns)

---

### 7) **Release readiness risk: Eliza v3 + Milady integration nearing completion but lacks tracked checklist — ID: TBD (create GH issue / milestone)**
- **Current Status:** “Nearing completion” per Discord (2026-04-28); no visible release checklist in provided data.
- **Impact Assessment:**
  - **User Impact:** **High** (v3 release quality affects broad user base)
  - **Functional Impact:** **Yes** (major version readiness impacts core)
  - **Brand Impact:** **High** (major releases are perception anchors)
- **Technical Classification:**
  - **Category:** Reliability / Release Management
  - **Component:** Core framework + Milady app integration
  - **Complexity:** **Complex solution** (QA + coordination)
- **Resource Requirements:**
  - **Required Expertise:** Release engineering, QA, cross-platform packaging, integration testing
  - **Dependencies:** CI health restoration; dependency modernization constraints
  - **Estimated Effort:** **4/5**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  - [ ] Create a v3 release milestone with explicit exit criteria (CI green, install/build, smoke tests, docs).
  - [ ] Identify top integration risks (auth, payment, connector routing, app packaging).
  - [ ] Run a short “beta soak” with a pinned toolchain and reproducible install steps.
- **Potential Assignees:** **shawmakesmagic** (release driver), **odilitime** (release infra), **Dexploarer** (app-core), **lalalune** (core runtime)

---

### 8) **Cloud provider gateway migration stability (OpenRouter w/ OpenAI+Anthropic failovers) — ID: TBD (audit task)**
- **Current Status:** Completed migration mentioned in dev logs; needs post-migration validation to prevent silent quality/cost regressions.
- **Impact Assessment:**
  - **User Impact:** **Medium/High** (cloud customers affected if routing/failover misbehaves)
  - **Functional Impact:** **Partial** (model calls still work but could be flaky/expensive)
  - **Brand Impact:** **High** (cloud reliability expectation)
- **Technical Classification:**
  - **Category:** Performance / Reliability
  - **Component:** Cloud / Model Integration
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** API gateway/routing, observability, billing metering
  - **Dependencies:** CI + typecheck restoration for cloud repo
  - **Estimated Effort:** **3/5**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  - [ ] Add synthetic checks for primary+failover model calls (timeouts, error mapping, retry behavior).
  - [ ] Validate billing classifications (prior issues existed around model pricing accuracy per weekly summary).
  - [ ] Document failover policy and expose minimal telemetry for operators.
- **Potential Assignees:** **dutchiono** (cloud), **odilitime** (infra), **lalalune** (runtime behavior)

---

## Immediate Focus Summary (Top 5–10)
1. **P0:** elizaos/eliza#7146 — bun install missing transitive dependency (merge to unblock everything).
2. **P0:** Restore **CI install + typecheck** for elizaos/cloud and elizaos-plugins/registry (stop shipping blind).
3. **P0:** elizaos/eliza PR #6613 — “virus” package security/brand risk (close or remove from official monorepo).
4. **P1:** v3 + Milady release readiness milestone/checklist (avoid a major-version quality miss).
5. **P1:** Fix broken **Milady Play Store** link (user-facing onboarding break).
6. **P1/P2:** Dependency modernization plan execution once unblocked (Node24/TS6/Bun/React19).
7. **P2:** x402 + $ELIZA billing documentation/UX clarity to reduce payment confusion.
8. **P2:** Post-migration validation for Cloud OpenRouter routing/failovers + billing correctness.

---

## Patterns / Themes Indicating Deeper Issues
- **Toolchain + monorepo fragility:** A single missing transitive dependency can halt the entire modernization program, indicating insufficient “clean install” enforcement and lockfile discipline.
- **CI as a weak gate:** Reports that CI is not reliably running bun install/tsc in key repos suggest merges can land without basic build guarantees.
- **Security governance gaps for “agent autonomy” artifacts:** The presence of a PR implementing persistence + idle stealth + shell execution highlights the need for clearer security boundaries and contribution policies.
- **Cross-repo coordination overhead:** Cloud, core, plugins, and apps are moving together; failures in one repo (or shared tooling) cascade quickly.

---

## Recommendations (Process Improvements)
1. **Make clean install + typecheck required checks** on every core repo (eliza, cloud, registry), run on a fresh runner with cache disabled at least once per day.
2. **Introduce an “Upgrade Tranche” playbook** for major toolchain bumps (pin versions, staged merges, temporary branch protection, explicit rollback plan).
3. **Security intake policy for high-risk capabilities** (OS persistence, shell execution, credential access): require maintainer pre-approval + security review label before PR review begins.
4. **Create issues from Discord reports by default** (with links + reproduction steps) so user-facing breaks (e.g., Play Store links) don’t disappear in chat history.
5. **Automate link checking** for top-level READMEs/docs and release/distribution URLs to prevent public link rot.