## Issue Triage — 2026-04-30 (elizaOS)

### 1) **Security/Brand: “feat(virus): add autonomous rust agent (concept art)” — PR `elizaos/eliza#6613`**
- **Current Status:** Open PR (not merged). External review flags malware-like behaviors (persistence + idle stealth + arbitrary shell execution).
- **Impact Assessment:**
  - **User Impact:** High (if merged/distributed, users could run it; also elevates downstream risk for forks)
  - **Functional Impact:** Partial (not blocking core runtime today, but threatens safe distribution)
  - **Brand Impact:** High (association with RAT-like tooling is severe)
- **Technical Classification:**
  - **Issue Category:** Security
  - **Component Affected:** Core repo / Examples packaging & distribution surface
  - **Complexity:** Moderate effort (policy + CI guardrails + repo cleanup/decision)
- **Resource Requirements:**
  - **Required Expertise:** Security engineering, OSS governance, release engineering
  - **Dependencies:** None, but decision needed before further releases/distribution
  - **Estimated Effort:** 3/5
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. **Immediately block merge** (label `security`, `do-not-merge`) and require security approval for any future “autonomous shell” artifacts.
  2. Decide disposition: **close PR** vs move to a clearly separated, non-distributed research repo (if the project wants to keep it as “art”).
  3. Add a **repository policy**: no persistence mechanisms (Run keys/launch agents) + no unattended arbitrary command execution in official packages/examples.
  4. Add CI checks to flag high-risk patterns (Windows Run registry writes, `cmd /C`, `sh -c`, self-installers) and require manual approval.
- **Potential Assignees:** `shawmakesmagic`, `odilitime`, `ai16z-demirix` (security reporter), `NubsCarson` (runtime safety)
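Step 4's CI check as an added example, not code from the elizaOS repo: a JavaScript scanner for the patterns listed there, run over a constructed sample of changed files. The rule set, the `self-locate` heuristic and the gate outcome names are assumptions made here.

```javascript
// Added example (not elizaOS code): a pre-merge scanner for the high-risk
// patterns named in step 4 above: Windows Run-key persistence, macOS launch
// agents, `cmd /C`, `sh -c`, plus a self-installer heuristic. A CI job would
// run it over a PR's changed files and block the merge until someone with
// security approval signs off. Rule ids and sample inputs are constructed.
const HIGH_RISK_RULES = [
  { id: 'win-run-key', why: 'persistence via Windows Run registry key',
    re: /CurrentVersion\\+Run(?:Once)?\b/i },
  { id: 'launch-agent', why: 'persistence via macOS LaunchAgents',
    re: /Library\/LaunchAgents\//i },
  { id: 'cmd-c', why: 'shell execution through cmd /C',
    re: /\bcmd(?:\.exe)?\b[^\n]*\/[cC]\b/ },
  { id: 'sh-c', why: 'shell execution through sh -c',
    re: /\b(?:ba|z|da)?sh\b[^\n]*-c\b/ },
  // Heuristic (assumption): locating its own executable is a common first
  // step of self-installation; flag it for a human look.
  { id: 'self-locate', why: 'binary locating its own executable',
    re: /\bcurrent_exe\s*\(/ },
];

// Scan one file's text; returns one finding per (line, rule) hit.
function scanForHighRiskPatterns(path, content) {
  const findings = [];
  content.split('\n').forEach((text, i) => {
    for (const rule of HIGH_RISK_RULES) {
      if (rule.re.test(text)) {
        findings.push({ path, line: i + 1, rule: rule.id, why: rule.why });
      }
    }
  });
  return findings;
}

// CI gate: no findings passes; any finding needs explicit security approval.
function decideGate(findings, hasSecurityApproval) {
  if (findings.length === 0) return 'pass';
  return hasSecurityApproval ? 'pass-with-approval' : 'block';
}

// Constructed sample PR contents (not taken from the actual PR).
const SAMPLE_FILES = {
  'examples/agent/src/main.rs': [
    'use std::process::Command;',
    'const RUN_KEY: &str = "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run";',
    'Command::new("cmd").args(["/C", &task]).output()?;',
    'Command::new("sh").arg("-c").arg(&task).output()?;',
  ].join('\n'),
  'packages/core/src/index.ts': 'export const version = "1.0.0";',
};
```

Expect false positives on prose or URLs that happen to contain `/c` or `-c`; the gate only requires a manual look, so tune the rules rather than loosen the approval requirement.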

---

### 2) **Build/DevEx: “Fresh clone fails due to missing preload file” — ID: `NEW (create tracking issue in elizaos/eliza)`**
- **Current Status:** Reported in development logs as an active build configuration issue affecting fresh clones.
- **Impact Assessment:**
  - **User Impact:** High (new contributors + clean CI runners impacted)
  - **Functional Impact:** Partial (blocks desktop app/runtime start paths that require preload)
  - **Brand Impact:** Medium/High (first-run failure is highly visible)
- **Technical Classification:**
  - **Issue Category:** Bug
  - **Component Affected:** App Core / Desktop packaging (Electrobun preload)
  - **Complexity:** Simple fix (file inclusion + contract test)
- **Resource Requirements:**
  - **Required Expertise:** Desktop build tooling (Electrobun), repo packaging/CI
  - **Dependencies:** May depend on repo structure changes from recent refactors
  - **Estimated Effort:** 2/5
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. Create an issue with exact repro: `git clone` → install → run desktop dev/build, identify missing path.
  2. Ensure preload artifact is **tracked and shipped** (not generated-only), and referenced paths are stable.
  3. Add a **“fresh clone desktop preload smoke”** CI job on Windows/macOS that fails if preload is missing.
  4. Document the expected preload location in CONTRIBUTING / build docs.
- **Potential Assignees:** `Dexploarer` (app-core/electrobun surfaces), `odilitime` (release/build), `lalalune` (infra/CI)

---

### 3) **Build/Packaging: “Telegram plugin subpath export emission failure” — ID: `NEW (create tracking issue in elizaos-plugins/plugin-telegram)`**
- **Current Status:** Called out in dev logs as requiring attention; likely breaking TS build/packaging for plugin consumers.
- **Impact Assessment:**
  - **User Impact:** Medium/High (Telegram is a common connector; build failure blocks adoption)
  - **Functional Impact:** Partial (Telegram connector unusable in affected installs)
  - **Brand Impact:** Medium (plugin ecosystem reliability perception)
- **Technical Classification:**
  - **Issue Category:** Bug
  - **Component Affected:** Plugin System / `plugin-telegram` packaging (exports, tsup/tsconfig)
  - **Complexity:** Moderate effort (exports map + build pipeline alignment)
- **Resource Requirements:**
  - **Required Expertise:** TypeScript packaging (`exports`, subpath exports), bundlers (tsup), Node/Bun resolution
  - **Dependencies:** TS version upgrades (TS6) may interact
  - **Estimated Effort:** 3/5
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Capture failing scenario: consumer import path + toolchain (Node/Bun) + error output.
  2. Audit `package.json` **`exports`** and emitted declaration paths; ensure `types`/`default` fields are consistent.
  3. Add a minimal **consumer fixture test** that imports the problematic subpath and runs under Node + Bun.
  4. Cut a patch release of the plugin once fixed.
- **Potential Assignees:** `dutchiono` (multi-plugin bugfix work), `lalalune` (core/tooling), `odilitime`
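Step 2's `exports` audit as an added example, not the plugin's own code: a JavaScript check of a constructed `package.json` against a constructed list of emitted files. The `exists` callback stands in for a filesystem lookup so the check runs offline.

```javascript
// Added example (not plugin-telegram's code): audits a package.json `exports`
// map as step 2 above describes. For each subpath it checks that every
// condition target exists, that `types` accompanies the runtime target, and
// that `types` is listed first (TypeScript matches conditions in order).
// `exists` is injected; in CI pass a wrapper around fs.existsSync resolved
// against the package directory.
function auditExports(pkg, exists) {
  const problems = [];
  if (!pkg.exports || typeof pkg.exports !== 'object') {
    return ['package.json has no "exports" map'];
  }
  for (const [subpath, entry] of Object.entries(pkg.exports)) {
    if (!subpath.startsWith('.')) {
      problems.push(`${subpath}: subpath keys must start with "."`);
      continue;
    }
    // A bare string target is shorthand for { default: target }.
    const conds = typeof entry === 'string' ? { default: entry } : entry;
    if (!('types' in conds)) {
      problems.push(`${subpath}: missing "types" condition`);
    } else if (Object.keys(conds)[0] !== 'types') {
      problems.push(`${subpath}: "types" should be the first condition`);
    }
    if (!('default' in conds) && !('import' in conds)) {
      problems.push(`${subpath}: no "default" or "import" runtime target`);
    }
    for (const [cond, target] of Object.entries(conds)) {
      if (typeof target !== 'string') {
        problems.push(`${subpath}: nested conditions under "${cond}" are not audited here`);
      } else if (!exists(target)) {
        problems.push(`${subpath}: ${cond} -> ${target} is not emitted`);
      }
    }
  }
  return problems;
}

// Constructed package.json and emitted-file list (not the real plugin's).
const SAMPLE_PKG = {
  name: 'sample-plugin',
  exports: {
    '.': { types: './dist/index.d.ts', import: './dist/index.js' },
    './utils': { import: './dist/utils.js', types: './dist/utils.d.ts' },
    './client': { types: './dist/client.d.ts', default: './dist/client.js' },
  },
};
const SAMPLE_DIST = new Set(['./dist/index.d.ts', './dist/index.js',
  './dist/utils.js', './dist/utils.d.ts']);
// Runs the audit on the sample; an empty array means the map is consistent.
function auditSample() { return auditExports(SAMPLE_PKG, (p) => SAMPLE_DIST.has(p)); }
```

Wire the same function into the consumer fixture test from step 3 so a subpath that compiles but is never emitted fails CI before a release is cut.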

---

### 4) **Build/Model Integration: “TypeScript build fixes for Anthropic plugin (TS6/tooling drift)” — ID: `elizaos-plugins/plugin-anthropic (tracking needed)`**
- **Current Status:** In-progress per dev logs; risk of broken builds for a major provider integration.
- **Impact Assessment:**
  - **User Impact:** High (Anthropic is a primary model provider in many deployments)
  - **Functional Impact:** Yes (model integration can be blocked)
  - **Brand Impact:** High (provider reliability)
- **Technical Classification:**
  - **Issue Category:** Bug
  - **Component Affected:** Model Integration / `plugin-anthropic`
  - **Complexity:** Moderate effort
- **Resource Requirements:**
  - **Required Expertise:** TS build tooling, provider SDK integration, ESM/CJS boundary handling
  - **Dependencies:** Repo-wide TS6 + Node/Bun upgrades; shared types changes
  - **Estimated Effort:** 3/5
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Open/confirm a single canonical issue capturing current failure modes (tsc errors, tsup output, Bun resolution).
  2. Align plugin build with repo standards: ESM output, correct `types` entry, no implicit Node-only imports.
  3. Add CI matrix for the plugin: Node LTS + Bun, `typecheck` + `build` + minimal runtime smoke.
  4. Validate that the new **credential distinction** work (`elizaos/eliza#7094`) doesn’t regress Anthropic auth flows.
- **Potential Assignees:** `standujar` (Anthropic plugin auth work), `NubsCarson` (model stability), `odilitime`

---

### 5) **Cloud Reliability: “CI + Worker E2E tests failing after Cloud migration (Next.js → Vite SPA + Hono Workers)” — ID: `NEW (create tracking issue in elizaos/cloud)`**
- **Current Status:** Listed as in-progress / needing fixes in dev logs (CI and worker end-to-end tests).
- **Impact Assessment:**
  - **User Impact:** High (cloud users + releases depend on CI confidence)
  - **Functional Impact:** Yes (blocks safe deploy/release cadence)
  - **Brand Impact:** High (cloud stability and trust)
- **Technical Classification:**
  - **Issue Category:** Bug / Reliability
  - **Component Affected:** Cloud Platform, Workers runtime, CI pipeline
  - **Complexity:** Complex solution (integration tests + infra drift)
- **Resource Requirements:**
  - **Required Expertise:** Cloudflare Workers/Hono, CI engineering, frontend build systems, observability
  - **Dependencies:** Storage move to R2; service contracts for image generation + API gateways
  - **Estimated Effort:** 4/5
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Enumerate failing suites (worker E2E, CI jobs) and categorize: env config vs runtime regressions vs test flakiness.
  2. Add hermetic test harness for Workers (mock bindings, deterministic R2 fixtures).
  3. Introduce canary deploy + smoke checks (auth, billing, image storage, agent boot).
  4. Ensure plugin-lifecycle decoupling changes didn’t break cloud agent startup paths.
- **Potential Assignees:** `lalalune` (infra/stability), `hanzlamateen` (cloud changes), `odilitime`

---

### 6) **Security/Operations: “Vault & secrets management incomplete / in-flight refactor” — ID: `NEW (create tracking issue in elizaos/eliza + elizaos/cloud as needed)`**
- **Current Status:** Explicitly “remain in progress” in dev logs.
- **Impact Assessment:**
  - **User Impact:** Medium/High (operators deploying agents + cloud services)
  - **Functional Impact:** Partial (workarounds may exist, but safe ops can be blocked)
  - **Brand Impact:** High (secrets leaks or unclear handling is reputationally damaging)
- **Technical Classification:**
  - **Issue Category:** Security / Reliability
  - **Component Affected:** Core Framework + Cloud ops
  - **Complexity:** Architectural change (secrets lifecycle + rotation + storage backends)
- **Resource Requirements:**
  - **Required Expertise:** Security engineering, platform ops, configuration management
  - **Dependencies:** Runtime operations refactor; cloud credential flows; connector credential caches
  - **Estimated Effort:** 5/5
- **Recommended Priority:** **P1** (elevate to P0 if any secret exposure is confirmed)
- **Specific Actionable Next Steps:**
  1. Define threat model + minimum bar: at-rest encryption, redaction in logs, rotation strategy, separation between local/app/CLI creds.
  2. Decide on canonical secret sources (env, local keychain, cloud vault) and precedence rules.
  3. Add automated tests to prevent regressions like “disconnect doesn’t disconnect” (similar to fix shipped in `elizaos/eliza#7162` for n8n credential cache).
  4. Add audit logging that is safe-by-default (no secrets in traces).
- **Potential Assignees:** `shawmakesmagic`, `lalalune`, `odilitime`

---

### 7) **Architecture/Reliability: “Runtime operations refactor (single-flight ops, reload/health) not fully landed” — PR reference: `elizaos/eliza#7166`**
- **Current Status:** Feature work bundled; dev logs indicate ongoing “runtime operations refactor.”
- **Impact Assessment:**
  - **User Impact:** Medium (impacts long-running agents, hot reload, health/recovery)
  - **Functional Impact:** Partial (stability and operability improvements, not total blocker)
  - **Brand Impact:** Medium (runtime resilience expectations)
- **Technical Classification:**
  - **Issue Category:** Performance / Reliability
  - **Component Affected:** Agent runtime operations
  - **Complexity:** Complex solution
- **Resource Requirements:**
  - **Required Expertise:** Runtime architecture, concurrency control, observability
  - **Dependencies:** Plugin-lifecycle system; CI coverage for reload/restart paths
  - **Estimated Effort:** 4/5
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Break into trackable sub-issues: health checks, hot/cold reload strategy, restart semantics.
  2. Add contract tests: “reload does not double-register plugins,” “health check surfaces misconfig,” “restart preserves routing.”
  3. Publish operator guidance for safe upgrades/reloads.
- **Potential Assignees:** `odilitime`, `lalalune`, `2-A-M`

---

### 8) **Security/Community Ops: “Discord scam activity in dev channels (coders) — need stronger mitigations” — ID: `COMM-SEC-001 (create ops ticket)`**
- **Current Status:** Scammer banned; additional scam message flagged the next day. Indicates recurring attempts.
- **Impact Assessment:**
  - **User Impact:** Medium/High (contributors and users exposed to fraud)
  - **Functional Impact:** No (doesn’t break code) but affects community safety
  - **Brand Impact:** High (trust in official channels)
- **Technical Classification:**
  - **Issue Category:** Security / UX (community safety)
  - **Component Affected:** Discord community operations
  - **Complexity:** Moderate effort (process + bot config)
- **Resource Requirements:**
  - **Required Expertise:** Discord moderation, automation/bots, incident response
  - **Dependencies:** None
  - **Estimated Effort:** 2/5
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Add hardened channel permissions for “coders” (link posting limits for new accounts, timeout thresholds).
  2. Deploy/adjust anti-scam tooling: keyword/link heuristics, auto-quarantine, mod alerts.
  3. Publish a pinned “official links + security guidance” post; standardize reporting workflow.
- **Potential Assignees:** `odilitime` (moderator), `pmairca` (community ops), `shawmakesmagic`

---

## Immediate Focus Summary (Top 5–10)
1. **P0:** `elizaos/eliza#6613` — block/close malware-like PR; add guardrails and security policy.
2. **P0:** **Fresh clone preload missing** — create issue, fix packaging, add CI smoke test.
3. **P1:** **Telegram plugin subpath export emission failure** — fix exports/build; add consumer import test.
4. **P1:** **Anthropic plugin TS build failures** — restore build stability under TS6/ESM/Bun matrix.
5. **P1:** **Cloud CI + Worker E2E failures after Vite/Hono migration** — stabilize tests + canary smoke checks.
6. **P1:** **Vault/secrets management** — define and implement minimum safe secrets lifecycle and tests.
7. **P1:** **Discord scam mitigation** — prevent repeat incidents with automation + tighter permissions.
8. **P2:** Runtime operations refactor tracking — break down, test, and land safely.

---

## Patterns / Themes Indicating Deeper Issues
- **Toolchain churn (TS6/Node/Bun) + packaging complexity** is surfacing as repeated build breakage across plugins (Anthropic, Telegram) and desktop surfaces (preload).
- **Architectural decoupling (plugin-lifecycle registration)** increases modularity but raises integration-regression risk unless backed by strong contract tests and consumer fixtures.
- **Operational maturity gap**: secrets management and cloud E2E stability are lagging behind rapid platform evolution.
- **Security surface expansion**: autonomous agents + payments (x402) + connectors amplify the need for explicit security policies and automated safeguards.

---

## Process Improvements (Prevention)
1. **Add “Fresh Clone Contract” CI:** one job that runs `clone → install → build → minimal run` on Windows/macOS/Linux for core + desktop.
2. **Plugin Consumer Fixture Tests:** per major plugin, maintain a tiny external-style consumer project to validate `exports`, types, and runtime import resolution under Node + Bun.
3. **Security Review Gate for High-Risk Capabilities:** automatic labels + required approvals for PRs touching shell execution, persistence, credential stores, or payment routes.
4. **Release Readiness Dashboard:** consolidate “blocking” items (cloud E2E, plugin builds, packaging smoke tests) into a single checklist that must be green before tagging.
5. **Community Safety Runbook:** pinned official links, reporting workflow, and default Discord anti-scam automation to reduce moderator load and user risk.