426e9eeabd
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Waiting to run
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Waiting to run
Build Agent Image / build-and-push (push) Waiting to run
Chat shell gestures / Chat shell gesture + parity e2e (push) Waiting to run
Cloud Gateway Discord / Test (push) Waiting to run
Cloud Gateway Webhook / Test (push) Waiting to run
Cloud Tests / lint-and-types (push) Waiting to run
Cloud Tests / unit-tests (push) Waiting to run
Cloud Tests / integration-tests (push) Waiting to run
Cloud Tests / e2e-tests (push) Blocked by required conditions
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
Deploy Apps Worker (Product 2) / Determine environment (push) Waiting to run
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Blocked by required conditions
Deploy Eliza Provisioning Worker / Determine environment (push) Waiting to run
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Blocked by required conditions
Dev Smoke / Classify changed paths (push) Waiting to run
Dev Smoke / bun run dev onboarding chat (push) Blocked by required conditions
Dev Smoke / Vite HMR dependency-level smoke (push) Blocked by required conditions
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Waiting to run
Publish @elizaos/example-code / check_npm (push) Waiting to run
Publish @elizaos/example-code / publish_npm (push) Blocked by required conditions
Publish @elizaos/plugin-elizacloud / verify_version (push) Waiting to run
Publish @elizaos/plugin-elizacloud / publish_npm (push) Blocked by required conditions
Sandbox Live Smoke / Sandbox live smoke (push) Waiting to run
Snap Build & Test / Build Snap (amd64) (push) Waiting to run
Snap Build & Test / Build Snap (arm64) (push) Waiting to run
supply-chain / sbom (push) Waiting to run
supply-chain / vulnerability-scan (push) Waiting to run
Build, Push & Deploy to Phala Cloud / build-and-push (push) Waiting to run
Test Packaging / Validate Packaging Configs (push) Waiting to run
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Waiting to run
Test Packaging / Pack & Test JS Tarballs (push) Waiting to run
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Waiting to run
UI Fixture E2E / ui-fixture-e2e (push) Waiting to run
UI Fixture E2E / fixture-e2e (push) Waiting to run
UI Story Gate / story-gate (push) Waiting to run
vault-ci / test (macos-latest) (push) Waiting to run
vault-ci / test (ubuntu-latest) (push) Waiting to run
vault-ci / test (windows-latest) (push) Waiting to run
vault-ci / app-core wiring tests (push) Waiting to run
verify-patches / verify patches/CHECKSUMS.sha256 (push) Waiting to run
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Waiting to run
Voice Benchmark Smoke / voice bench smoke summary (push) Blocked by required conditions
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Waiting to run
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Waiting to run
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Waiting to run
Test Packaging / Build & Test PyPI Package (push) Waiting to run
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
ci / test (push) Has been cancelled
ci / lint-and-format (push) Has been cancelled
ci / build (push) Has been cancelled
ci / dev-startup (push) Has been cancelled
gitleaks / gitleaks (push) Has been cancelled
Markdown Links / Relative Markdown Links (push) Has been cancelled
Quality (Extended) / Homepage Build (PR smoke) (push) Has been cancelled
Quality (Extended) / Comment-only diff guard (push) Has been cancelled
Quality (Extended) / Format + Type Safety Ratchet (push) Has been cancelled
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Has been cancelled
Quality (Extended) / Develop Gate (lint) (push) Has been cancelled
5.3 KiB
5.3 KiB
Mirror. Authoritative copy lives in the outer monorepo at
../docs/security/INCIDENT-RUNBOOK.md. Relative links below (../../POLICIES/...) resolve in the outer monorepo, not inside this submodule.
Incident Response Runbook
Operational playbook for the policy in ../../POLICIES/08-incident-response.md (POLICIES/08-incident-response.md).
On-call contacts (placeholders — fill in)
- Primary on-call pager:
<PagerDuty / Opsgenie URL> - Incident channel:
#incident-activeon<chat platform> - Status page:
https://status.<eliza-domain> - Security Lead:
security-lead@elizaos.ai(placeholder) - Legal:
legal@elizaos.ai(placeholder) - Communications:
comms@elizaos.ai(placeholder)
Phases (apply to every incident)
1. Detection
- Source: alert from Prometheus rules (
deploy/observability/prometheus/alerts/security.yml), customer report, internal report, automated scanner. - First responder acknowledges within the SLA in
../../POLICIES/08-incident-response.md(POLICIES/08-incident-response.md).
2. Triage
- Open
#incident-active; designate Incident Commander (IC). - Assign severity (SEV-0…3).
- Open a timeline document (linked in the channel topic).
- Page additional responders as needed (DB, networking, KMS, legal).
3. Contain
- Goal: stop spread before fixing.
- Common containment moves:
- Disable compromised account at the IdP.
- Rotate suspected credential (KMS, GitHub token, deploy key).
- Cordon affected service (route 100% traffic away).
- Quarantine affected host / pod (snapshot for forensics first).
4. Eradicate
- Remove malicious artifact (deploy clean image, revoke malicious plugin, patch vuln).
- Validate via the same detection signal that originally fired.
5. Recover
- Restore service; confirm normal metrics for at least one steady-state cycle.
- Update status page; customer comms per breach-notification rules.
6. Lessons learned
- Within 5 business days, blameless post-incident review.
- File remediation tickets; update risk register.
- Update this runbook with new playbook entries.
Playbooks by scenario
Playbook A — Suspected KMS / Steward master-key compromise (SEV-0)
- Page: Security Lead + Engineering Lead + Legal.
- Contain:
- Suspend issuance of new wrapped DEKs.
- Begin emergency rotation: generate new KEK; re-wrap all DEKs under new KEK.
- Invalidate any plaintext copies (audit Steward access log).
- Eradicate:
- Identify how the key was exposed (audit Steward + host logs).
- Patch the exposure path.
- Recover:
- Confirm all DEKs re-wrapped; archive old KEK for one dual-accept window then destroy.
- Notify:
- Customers per DPA (likely required even if no data was actually decrypted).
- Regulators per applicable law (GDPR 72h).
Playbook B — Plugin compromise (SEV-0/1)
- Page: Security Lead + agent-runtime engineer.
- Contain:
- Add the plugin (or publisher key) to the revocation list and publish.
- Runtime emergency-revoke check fires on next poll; manual broadcast notification to active customers.
- Eradicate:
- Pull plugin from registry.
- Coordinate with plugin author if account compromise; rotate publisher key.
- Recover:
- Customer comms with what to expect; assist affected customers with rotation of any connector tokens the plugin touched.
Playbook C — Connector token theft (SEV-1)
- Page: Security Lead.
- Contain:
- Revoke affected grants in Cloud (DEK-destroy + provider-side revoke).
- If breadth uncertain, broadcast connector-class revoke for the affected provider.
- Eradicate:
- Identify leak path (DB exposure, log leak, in-transit MITM).
- Recover:
- Affected users re-grant; audit-event review for any unauthorized use during window.
Playbook D — Cloud API auth bypass (SEV-0)
- Page: Security Lead + cloud-api owner.
- Contain:
- Roll JWT signing key (
auth.jwt); all existing sessions invalidated. - Deploy patch closing the bypass.
- Roll JWT signing key (
- Eradicate / Recover:
- Verify via integration test fixture for the bypass.
- Customer notification per breach-notification rules.
Playbook E — Supply chain (compromised npm dep) (SEV-1)
- Page: Security Lead + the package owner.
- Contain:
- Pin lockfile to last known-good; rebuild + redeploy.
- Eradicate:
- Audit for runtime indicators of compromise (network destinations, suspicious processes).
- Recover:
- File CVE / coordinate with upstream.
Playbook F — Backup / DR failure (SEV-2 routine; SEV-1 if blocking)
- Re-run backup job; investigate root cause.
- If repeated failure, escalate; manual snapshot of affected datastore.
- Document in monthly capacity / availability review.
Playbook G — Anomalous data-export volume alert (SEV-2/1 by magnitude)
- Contain: rate-limit / disable export endpoint for the affected account.
- Triage: validate vs known automation; review audit events for the user; check for credential compromise indicators.
- Escalate if credential compromise confirmed.
After every incident
- Update
../../POLICIES/08-incident-response.md(POLICIES/08-incident-response.md) if procedure changed. - File risk-register entry if the incident reveals a new risk.
- Update
THREAT-MODEL.mdif a new threat class emerged.