Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard +40 merge_pr award. New to the repo? See the Contributing guide, and Local Development & SSO to run the app locally (cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.

Description

Context

The bug-report intake at /contribute#report-bug requires opening a browser, logging in, filling a form. For power users (especially when reporting from mobile during a security poke session) a Signal bot command is dramatically lower friction. The bot already has 100+ commands and existing scoreboard integration via BOT_API_KEY.

Acceptance criteria

  • [ ] New bot command !reportbug (or !bug) — DM-only (refuses in groups for confidentiality)
  • [ ] Conversational flow:
  1. User: !reportbug
  2. Bot: "Severity? (low/medium/high/critical/rce/unknown)"
  3. User: medium
  4. Bot: "Affected service? (signal-bot/scoreboard/wiki/...)"
  5. User: scoreboard
  6. Bot: "Title (one line):"
  7. User: IDOR on /profile/<userId>
  8. Bot: "Describe the bug. End with a line containing only END."
  9. User: (multi-line description, ends with END)
  10. Bot: "Optional: PoC / repro steps. End with END or skip."
  11. User: ...
  12. Bot: "Submitted as request #234. An admin will review within a few days. https://score.irregulars.io/profile to track."
  • [ ] Bot calls POST https://score.irregulars.io/contribute/report-bug with BOT_API_KEY header (the scoreboard endpoint must be extended to accept bot-API-key auth in addition to session auth — see related work)
  • [ ] User identity resolved via Signal UUID → users.signal_uuid → user_id
  • [ ] If user not linked: bot prompts them to link via /link first (existing flow)
  • [ ] Conversation state stored in Redis with 10-min TTL (state machine: severity → affected → title → description → poc → confirm)

Technical hints

  • Pattern reference: existing apps/signal-bot/src/src/commands/score-command.ts for the scoreboard API call
  • State machine pattern: look at apps/signal-bot/src/src/commands/breakout-command.ts (multi-step interactive)
  • Scoreboard endpoint /contribute/report-bug currently only accepts session auth — needs a parallel auth path: Authorization: Bearer ${BOT_API_KEY} + X-Signal-UUID: <uuid> resolves to user via the lookup
  • DM-only enforcement: check message.groupId is null

Why this matters

  • The current web form requires an SSO session — useless on a tablet during travel, slow on mobile
  • Power users will report 5-10x more findings if the friction is one DM
  • Signal is the community's primary surface; the bot already has trust

--- *M-tier bounty (100 pts + 40 merge_pr = 140). Touches signal-bot + scoreboard, plus a small auth extension. Could be split into two MRs (auth extension first, then bot command) if a contributor prefers.*

Relevant files

No relevant files linked yet.

Hints

No hints yet.

Activity

No points have been awarded for this bounty yet.

Comments

No comments yet. Be the first to weigh in.

↑ Top