Description
Problem
swamp issue bug and swamp issue feature currently only target the swamp platform itself (systeminit/swamp). There is no mechanism to report issues — bugs, security vulnerabilities, or general feedback — against a specific extension published to the swamp.club registry.
As an extension publisher (@dougschaefer — 7 published extensions), I have no way to know if someone encounters a problem with one of my extensions unless they happen to find my GitHub repo, and that's only if my manifest includes a repository URL. Not all extensions do.
As a consumer evaluating third-party extensions, I recently ran security audits against several community extensions and found significant vulnerabilities (command injection, credential exposure, MITM-susceptible SSH defaults). I had no way to report these findings to the extension authors through the platform. The only option was filing an issue on systeminit/swamp, which isn't the right place for extension-specific reports.
Proposed Feature
Extend swamp issue to support extension-scoped reports:
# Report a bug against an extension
swamp issue bug --extension @adam/cfgmgmt
# Report a security vulnerability (could support private disclosure)
swamp issue bug --extension @adam/cfgmgmt --security
# Request a feature on an extension
swamp issue feature --extension @bixu/homekit
For extension authors (notification side)
Extension publishers should be notified when someone files an issue against their extension. This could be:
- Email notification to the registered swamp.club account
- A swamp extension issues command to list open reports against your published extensions
- Webhook/integration support for routing to external trackers
As a publisher, if someone has a problem with @dougschaefer/opnsense-firewall, I want to know about it without them having to track down my GitHub repo or Discord handle.
For reporters (submission side)
- swamp issue bug --extension @name/ext should work the same way the current swamp issue bug works, but route to the extension author instead of systeminit/swamp
- Security reports should support private disclosure (visible only to the extension author and swamp.club admins, not public)
- Reports should include the extension version the reporter has installed, for reproducibility
For the ecosystem (visibility side)
- A public issue/discussion surface per extension on swamp.club would let consumers evaluate extension health before installing (are issues being responded to? are security reports addressed?)
- This becomes increasingly important as the registry grows — 568 extensions already, and consumers need signals beyond the code itself to assess trustworthiness
Context
This came up during a security audit of community extensions. I audited @adam/cfgmgmt, @magistr/libvirt, @bixu/homekit, and @4chems/chemonym using a security audit skill that checks for credential leaks, injection vulnerabilities, and supply chain risks. Several had findings that warranted author notification, but the only available path was filing on systeminit/swamp (#901) since there was no repo URL in the manifest and no way to contact the author through the registry.
The registry already has authentication, collectives, trust management, and yank support. Adding issue routing would complete the publisher-consumer feedback loop.