npm - let-them-talk - Versions diffs - 3.4.1 → 3.4.3 - Mend

let-them-talk 3.4.1 → 3.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,43 @@
 # Changelog
+## [3.4.3] - 2026-03-15
+### Removed — Plugin System
+- Removed the entire plugin system (`vm.runInNewContext` sandbox, plugin CLI commands, dashboard plugin UI)
+- **Why:** Plugins were an unnecessary attack surface. Node.js `vm` is not a security sandbox — plugins could escape and execute arbitrary OS commands. CLI terminals (Claude Code, Gemini, Codex) have their own extension systems, making our plugins redundant.
+- `npx let-them-talk plugin` now shows a deprecation notice
+- MCP tools reduced from 27 + plugins to 27 (all core tools remain)
+- ~200 lines of code removed from server.js, cli.js, dashboard.js, dashboard.html
+## [3.4.2] - 2026-03-15
+### Security — CSRF Protection
+- Required `X-LTT-Request` custom header on all POST/PUT/DELETE requests
+- `lttFetch` wrapper in dashboard automatically includes the header
+- Malicious cross-origin pages cannot set custom headers without CORS preflight approval
+- Removed wildcard `Access-Control-Allow-Origin: *` in LAN mode — now uses explicit trusted origins only
+- Empty Origin/Referer no longer auto-trusted — requires custom header as minimum protection
+### Security — LAN Auth Token
+- Auto-generated 32-char hex token when LAN mode is enabled
+- Token required for all non-localhost requests (via `?token=` query param or `X-LTT-Token` header)
+- Token included in QR code URL — phone scans and it just works
+- Token displayed in phone access modal with explanation
+- New token generated each time LAN mode is toggled on
+- Token persists across server restarts via `.lan-token` file
+- Localhost access never requires a token
+### Security — Content Security Policy
+- CSP header added to dashboard HTML response
+- `script-src 'unsafe-inline'` for inline handlers, blocks `eval()` and external scripts
+- `connect-src 'self'` restricts API calls to same origin
+- `font-src`, `style-src`, `img-src` scoped to required sources only
+### Fixed
+- CSRF brace imbalance that trapped GET handlers inside POST-only block
+- LAN token not forwarded from phone URL to API calls and SSE
+- Redundant nested origin check collapsed to single condition
 ## [3.4.1] - 2026-03-15
 ### Added

package/LICENSE CHANGED Viewed

@@ -6,7 +6,7 @@ License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
 Parameters
 Licensor:             Dekelelz
-Licensed Work:        Let Them Talk v3.4.1
+Licensed Work:        Let Them Talk v3.4.3
                       The Licensed Work is (c) 2024-2026 Dekelelz.
 Additional Use Grant: You may make use of the Licensed Work, provided that
                       you may not use the Licensed Work for a Commercial

package/cli.js CHANGED Viewed

@@ -8,7 +8,7 @@ const command = process.argv[2];
 function printUsage() {
   console.log(`
-  Let Them Talk — Agent Bridge v3.4.1
+  Let Them Talk — Agent Bridge v3.4.3
   MCP message broker for inter-agent communication
   Supports: Claude Code, Gemini CLI, Codex CLI
@@ -23,11 +23,6 @@ function printUsage() {
     npx let-them-talk dashboard         Launch the web dashboard (http://localhost:3000)
     npx let-them-talk dashboard --lan   Launch dashboard accessible on LAN (phone/tablet)
     npx let-them-talk reset             Clear all conversation data
-    npx let-them-talk plugin list       List installed plugins
-    npx let-them-talk plugin add <file> Install a plugin from a .js file
-    npx let-them-talk plugin remove <n> Remove a plugin by name
-    npx let-them-talk plugin enable <n> Enable a plugin
-    npx let-them-talk plugin disable <n> Disable a plugin
     npx let-them-talk msg <agent> <text> Send a message to an agent
     npx let-them-talk status             Show active agents and message count
     npx let-them-talk help               Show this help message
@@ -293,124 +288,6 @@ function showTemplate(templateName) {
   }
 }
-function pluginCmd() {
-  const subCmd = process.argv[3];
-  const dataDir = process.env.AGENT_BRIDGE_DATA_DIR || path.join(process.cwd(), '.agent-bridge');
-  const pluginsDir = path.join(dataDir, 'plugins');
-  const pluginsFile = path.join(dataDir, 'plugins.json');
-  function getRegistry() {
-    if (!fs.existsSync(pluginsFile)) return [];
-    try { return JSON.parse(fs.readFileSync(pluginsFile, 'utf8')); } catch { return []; }
-  }
-  function saveRegistry(reg) {
-    if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
-    fs.writeFileSync(pluginsFile, JSON.stringify(reg, null, 2));
-  }
-  switch (subCmd) {
-    case 'list': {
-      const plugins = getRegistry();
-      if (!plugins.length) {
-        console.log('  No plugins installed.');
-        console.log('  Install with: npx let-them-talk plugin add <file.js>');
-        return;
-      }
-      console.log('');
-      console.log('  Installed Plugins');
-      console.log('  =================');
-      for (const p of plugins) {
-        const status = p.enabled !== false ? 'enabled' : 'disabled';
-        console.log('  ' + p.name.padEnd(20) + ' ' + status.padEnd(10) + ' ' + (p.description || ''));
-      }
-      console.log('');
-      break;
-    }
-    case 'add': {
-      const filePath = process.argv[4];
-      if (!filePath) { console.error('  Usage: npx let-them-talk plugin add <file.js>'); process.exit(1); }
-      const absPath = path.resolve(filePath);
-      if (!fs.existsSync(absPath)) { console.error('  File not found: ' + absPath); process.exit(1); }
-      // Validate plugin structure without executing it (no require — prevents RCE on install)
-      try {
-        const src = fs.readFileSync(absPath, 'utf8');
-        if (!src.includes('module.exports') || !src.includes('name') || !src.includes('handler')) {
-          console.error('  Plugin must export name, description, and handler (module.exports = { name, handler })');
-          process.exit(1);
-        }
-        // Extract plugin name from source using regex (no eval)
-        const nameMatch = src.match(/name\s*:\s*['"]([^'"]+)['"]/);
-        const descMatch = src.match(/description\s*:\s*['"]([^'"]+)['"]/);
-        const pluginName = nameMatch ? nameMatch[1] : path.basename(absPath, '.js');
-        const pluginDesc = descMatch ? descMatch[1] : '';
-        if (!fs.existsSync(pluginsDir)) fs.mkdirSync(pluginsDir, { recursive: true });
-        const destFile = path.join(pluginsDir, path.basename(absPath));
-        fs.copyFileSync(absPath, destFile);
-        const reg = getRegistry();
-        if (!reg.find(p => p.name === pluginName)) {
-          reg.push({ name: pluginName, description: pluginDesc, file: path.basename(absPath), enabled: true, added_at: new Date().toISOString() });
-          saveRegistry(reg);
-        }
-        console.log('  Plugin "' + pluginName + '" installed successfully.');
-        console.log('  Restart CLI to load the new tool (runs sandboxed).');
-      } catch (e) {
-        console.error('  Failed to install plugin: ' + e.message);
-        process.exit(1);
-      }
-      break;
-    }
-    case 'remove': {
-      const name = process.argv[4];
-      if (!name) { console.error('  Usage: npx let-them-talk plugin remove <name>'); process.exit(1); }
-      const reg = getRegistry();
-      const plugin = reg.find(p => p.name === name);
-      if (!plugin) { console.error('  Plugin not found: ' + name); process.exit(1); }
-      const newReg = reg.filter(p => p.name !== name);
-      saveRegistry(newReg);
-      if (plugin.file) {
-        const pluginFile = path.resolve(pluginsDir, plugin.file);
-        // Prevent path traversal — only delete files inside pluginsDir
-        if (pluginFile.startsWith(path.resolve(pluginsDir) + path.sep) && fs.existsSync(pluginFile)) {
-          fs.unlinkSync(pluginFile);
-        }
-      }
-      console.log('  Plugin "' + name + '" removed.');
-      break;
-    }
-    case 'enable': {
-      const name = process.argv[4];
-      if (!name) { console.error('  Usage: npx let-them-talk plugin enable <name>'); process.exit(1); }
-      const reg = getRegistry();
-      const plugin = reg.find(p => p.name === name);
-      if (!plugin) { console.error('  Plugin not found: ' + name); process.exit(1); }
-      plugin.enabled = true;
-      saveRegistry(reg);
-      console.log('  Plugin "' + name + '" enabled.');
-      break;
-    }
-    case 'disable': {
-      const name = process.argv[4];
-      if (!name) { console.error('  Usage: npx let-them-talk plugin disable <name>'); process.exit(1); }
-      const reg = getRegistry();
-      const plugin = reg.find(p => p.name === name);
-      if (!plugin) { console.error('  Plugin not found: ' + name); process.exit(1); }
-      plugin.enabled = false;
-      saveRegistry(reg);
-      console.log('  Plugin "' + name + '" disabled.');
-      break;
-    }
-    default:
-      console.error('  Unknown plugin command: ' + (subCmd || ''));
-      console.error('  Available: list, add, remove, enable, disable');
-      process.exit(1);
-  }
-}
 function dashboard() {
   if (process.argv.includes('--lan')) {
     process.env.AGENT_BRIDGE_LAN = 'true';
@@ -532,7 +409,7 @@ switch (command) {
     break;
   case 'plugin':
   case 'plugins':
-    pluginCmd();
+    console.log('  Plugins have been removed in v3.4.3. CLI terminals have their own extension systems.');
     break;
   case 'help':
   case '--help':

package/dashboard.html CHANGED Viewed

@@ -2572,65 +2572,7 @@
   }
   /* ===== v3.0: PLUGINS SECTION ===== */
-  .plugin-card {
-    background: var(--surface-2);
-    border: 1px solid var(--border);
-    border-radius: 6px;
-    padding: 8px 10px;
-    margin-bottom: 4px;
-    display: flex;
-    align-items: center;
-    justify-content: space-between;
-  }
-  .plugin-info {
-    flex: 1;
-    min-width: 0;
-  }
-  .plugin-name {
-    font-size: 12px;
-    font-weight: 600;
-  }
-  .plugin-desc {
-    font-size: 10px;
-    color: var(--text-muted);
-  }
-  .plugin-toggle {
-    background: var(--surface-3);
-    border: 1px solid var(--border);
-    border-radius: 10px;
-    width: 36px;
-    height: 20px;
-    cursor: pointer;
-    position: relative;
-    transition: all 0.2s;
-    flex-shrink: 0;
-  }
-  .plugin-toggle.on {
-    background: var(--green-dim);
-    border-color: var(--green);
-  }
-  .plugin-toggle::after {
-    content: '';
-    position: absolute;
-    width: 14px;
-    height: 14px;
-    border-radius: 50%;
-    background: var(--text-dim);
-    top: 2px;
-    left: 2px;
-    transition: all 0.2s;
-  }
-  .plugin-toggle.on::after {
-    left: 18px;
-    background: var(--green);
-  }
+  /* Plugins removed in v3.4.3 */
   /* ===== v3.0: AVATAR PICKER ===== */
   .avatar-option {
@@ -2758,12 +2700,6 @@
         <div id="activity-heatmap"></div>
       </div>
-      <!-- Plugins Section -->
-      <div class="sidebar-section">
-        <div class="sidebar-title"><span>Plugins</span></div>
-        <div id="plugins-list"></div>
-      </div>
       <!-- Bookmarks Section -->
       <div class="sidebar-section">
         <div class="sidebar-title">
@@ -2842,7 +2778,7 @@
   </div>
 </div>
 <div class="app-footer">
-  <span>Let Them Talk v3.4.1</span>
+  <span>Let Them Talk v3.4.3</span>
 </div>
 <div class="profile-popup" id="profile-popup" onclick="event.stopPropagation()">
   <div class="profile-popup-header">
@@ -2897,6 +2833,26 @@ var POLL_INTERVAL = 2000;
 var SLEEP_THRESHOLD = 60; // seconds
 var lastMessageCount = 0;
 var autoScroll = true;
+// CSRF protection — all mutating requests must include this header
+// Read LAN token from URL on page load (phone access via QR code)
+var _lttToken = (function() {
+  try { var p = new URLSearchParams(window.location.search); var t = p.get('token'); if (t) sessionStorage.setItem('ltt-token', t); return sessionStorage.getItem('ltt-token') || ''; } catch(e) { return ''; }
+})();
+function lttFetch(url, opts) {
+  opts = opts || {};
+  // Append LAN token to URL if present (needed for phone/LAN access)
+  if (_lttToken) {
+    var sep = url.indexOf('?') >= 0 ? '&' : '?';
+    url = url + sep + 'token=' + encodeURIComponent(_lttToken);
+  }
+  if (opts.method && opts.method !== 'GET') {
+    if (!opts.headers) opts.headers = {};
+    opts.headers['X-LTT-Request'] = '1';
+  }
+  return fetch(url, opts);
+}
 var activeThread = null;
 var activeProject = ''; // empty = default/local
 var cachedHistory = [];
@@ -3227,7 +3183,7 @@ function renderAgents(agents) {
 function sendNudge(agentName) {
   var body = JSON.stringify({ to: agentName, content: 'Hey ' + agentName + ', the user is waiting for you. Please check for new messages and continue your work.' });
-  fetch('/api/inject' + projectParam(), {
+  lttFetch('/api/inject' + projectParam(), {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: body
@@ -3285,7 +3241,7 @@ function doInject() {
   if (!target || !content) return;
   var body = JSON.stringify({ to: target, content: content });
-  fetch('/api/inject' + projectParam(), {
+  lttFetch('/api/inject' + projectParam(), {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: body
@@ -3612,7 +3568,7 @@ var cachedReadReceipts = {};
 function fetchReadReceipts() {
   var pq = activeProject ? '?project=' + encodeURIComponent(activeProject) : '';
-  fetch('/api/read-receipts' + pq).then(function(r) { return r.json(); }).then(function(data) {
+  lttFetch('/api/read-receipts' + pq).then(function(r) { return r.json(); }).then(function(data) {
     cachedReadReceipts = data || {};
   }).catch(function() {});
 }
@@ -3752,7 +3708,7 @@ function deleteMessage(msgId) {
   var preview = msg.content.substring(0, 60) + (msg.content.length > 60 ? '...' : '');
   if (!confirm('Delete this message from ' + msg.from + '?\n\n"' + preview + '"')) return;
   var pq = activeProject ? '?project=' + encodeURIComponent(activeProject) : '';
-  fetch('/api/message' + pq, {
+  lttFetch('/api/message' + pq, {
     method: 'DELETE',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ id: msgId })
@@ -3802,7 +3758,7 @@ function saveEditMessage() {
   var content = document.getElementById('edit-msg-content').value.trim();
   if (!content) return;
   var pq = activeProject ? '?project=' + encodeURIComponent(activeProject) : '';
-  fetch('/api/message' + pq, {
+  lttFetch('/api/message' + pq, {
     method: 'PUT',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ id: msgId, content: content })
@@ -3994,7 +3950,7 @@ function renderAgentStats() {
 function fetchActivity() {
   var pq = projectParam();
-  fetch('/api/timeline' + pq).then(function(r) { return r.json(); }).then(function(data) {
+  lttFetch('/api/timeline' + pq).then(function(r) { return r.json(); }).then(function(data) {
     renderActivityHeatmap(data);
   }).catch(function() {});
 }
@@ -4174,7 +4130,7 @@ var cachedTasks = [];
 function fetchTasks() {
   var pq = projectParam();
-  fetch('/api/tasks' + pq).then(function(r) { return r.json(); }).then(function(tasks) {
+  lttFetch('/api/tasks' + pq).then(function(r) { return r.json(); }).then(function(tasks) {
     cachedTasks = Array.isArray(tasks) ? tasks : [];
     renderTasks();
   }).catch(function() {
@@ -4265,7 +4221,7 @@ function buildTaskCard(t) {
 }
 function updateTaskStatus(taskId, newStatus) {
-  fetch('/api/tasks' + projectParam(), {
+  lttFetch('/api/tasks' + projectParam(), {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ task_id: taskId, status: newStatus })
@@ -4322,7 +4278,7 @@ var AGENT_COLORS = ['#58a6ff', '#f78166', '#7ee787', '#d2a8ff', '#ffa657', '#ff7
 function fetchStats() {
   var pq = activeProject ? '?project=' + encodeURIComponent(activeProject) : '';
-  fetch('/api/stats' + pq).then(function(r) { return r.json(); }).then(function(data) {
+  lttFetch('/api/stats' + pq).then(function(r) { return r.json(); }).then(function(data) {
     renderStats(data);
   }).catch(function(e) { console.error('Stats fetch failed:', e); });
 }
@@ -4571,7 +4527,7 @@ function saveProfile() {
   };
   if (avatar) body.avatar = avatar;
-  fetch('/api/profiles' + projectParam(), {
+  lttFetch('/api/profiles' + projectParam(), {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify(body)
@@ -4587,7 +4543,7 @@ function saveProfile() {
 function fetchWorkspaces() {
   var pq = projectParam();
-  fetch('/api/workspaces' + pq).then(function(r) { return r.json(); }).then(function(data) {
+  lttFetch('/api/workspaces' + pq).then(function(r) { return r.json(); }).then(function(data) {
     renderWorkspaces(data);
   }).catch(function() {});
 }
@@ -4634,7 +4590,7 @@ function renderWorkspaces(data) {
 function fetchWorkflows() {
   var pq = projectParam();
-  fetch('/api/workflows' + pq).then(function(r) { return r.json(); }).then(function(data) {
+  lttFetch('/api/workflows' + pq).then(function(r) { return r.json(); }).then(function(data) {
     renderWorkflows(Array.isArray(data) ? data : []);
   }).catch(function() {});
 }
@@ -4685,7 +4641,7 @@ function renderWorkflows(workflows) {
 }
 function dashAdvanceWorkflow(wfId) {
-  fetch('/api/workflows' + projectParam(), {
+  lttFetch('/api/workflows' + projectParam(), {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ action: 'advance', workflow_id: wfId })
@@ -4698,7 +4654,7 @@ var activeBranch = '';
 function fetchBranches() {
   var pq = projectParam();
-  fetch('/api/branches' + pq).then(function(r) { return r.json(); }).then(function(data) {
+  lttFetch('/api/branches' + pq).then(function(r) { return r.json(); }).then(function(data) {
     renderBranchTabs(data);
   }).catch(function() {});
 }
@@ -4730,44 +4686,6 @@ function switchBranch(name) {
   poll();
 }
-// ==================== v3.0: PLUGINS ====================
-function fetchPlugins() {
-  var pq = projectParam();
-  fetch('/api/plugins' + pq).then(function(r) { return r.json(); }).then(function(data) {
-    renderPlugins(Array.isArray(data) ? data : []);
-  }).catch(function() {});
-}
-function renderPlugins(plugins) {
-  var el = document.getElementById('plugins-list');
-  if (!plugins.length) {
-    el.innerHTML = '<div style="color:var(--text-muted);font-size:12px;padding:4px;">No plugins installed</div>';
-    return;
-  }
-  var html = '';
-  for (var i = 0; i < plugins.length; i++) {
-    var p = plugins[i];
-    var onClass = p.enabled !== false ? ' on' : '';
-    html += '<div class="plugin-card">' +
-      '<div class="plugin-info">' +
-        '<div class="plugin-name">' + escapeHtml(p.name) + '</div>' +
-        '<div class="plugin-desc">' + escapeHtml(p.description || '') + '</div>' +
-      '</div>' +
-      '<div class="plugin-toggle' + onClass + '" onclick="togglePlugin(\'' + escapeHtml(p.name) + '\')"></div>' +
-    '</div>';
-  }
-  el.innerHTML = html;
-}
-function togglePlugin(name) {
-  fetch('/api/plugins' + projectParam(), {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ action: 'toggle', name: name })
-  }).then(function() { fetchPlugins(); }).catch(function() {});
-}
 // ==================== POLLING ====================
 function poll() {
@@ -4776,9 +4694,9 @@ function poll() {
   var bp = activeBranch && activeBranch !== 'main' ? '&branch=' + encodeURIComponent(activeBranch) : '';
   var pollStart = Date.now();
   Promise.all([
-    fetch('/api/history?limit=500' + pp + bp).then(function(r) { return r.json(); }),
-    fetch('/api/agents' + pq).then(function(r) { return r.json(); }),
-    fetch('/api/status' + pq).then(function(r) { return r.json(); }),
+    lttFetch('/api/history?limit=500' + pp + bp).then(function(r) { return r.json(); }),
+    lttFetch('/api/agents' + pq).then(function(r) { return r.json(); }),
+    lttFetch('/api/status' + pq).then(function(r) { return r.json(); }),
   ]).then(function(results) {
     console.log('[LTT] poll ok — history:' + results[0].length + ' agents:' + Object.keys(results[1]).length + ' project:' + (activeProject || 'default'));
     updateConnectionInfo(Date.now() - pollStart);
@@ -4819,7 +4737,6 @@ function poll() {
     renderBookmarksSidebar();
     fetchActivity();
     fetchBranches();
-    fetchPlugins();
     updateTypingIndicator(cachedAgents);
     if (activeView === 'tasks') fetchTasks();
     if (activeView === 'workspaces') fetchWorkspaces();
@@ -4834,7 +4751,7 @@ function poll() {
 function doReset() {
   if (!confirm('Clear all messages, agents, and history?')) return;
-  fetch('/api/reset' + projectParam(), { method: 'POST' }).then(function() {
+  lttFetch('/api/reset' + projectParam(), { method: 'POST' }).then(function() {
     lastMessageCount = 0;
     activeThread = null;
     cachedHistory = [];
@@ -4846,7 +4763,7 @@ function doReset() {
 // ==================== PROJECT MANAGEMENT ====================
 function loadProjects() {
-  return fetch('/api/projects').then(function(r) { return r.json(); }).then(function(projects) {
+  return lttFetch('/api/projects').then(function(r) { return r.json(); }).then(function(projects) {
     console.log('[LTT] loadProjects:', projects.length, 'projects, activeProject:', activeProject);
     var sel = document.getElementById('project-select');
     // Keep the first option (Default)
@@ -4944,7 +4861,7 @@ function addProject() {
   var projectPath = input.value.trim();
   if (!projectPath) return;
-  fetch('/api/projects', {
+  lttFetch('/api/projects', {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ path: projectPath })
@@ -4970,7 +4887,7 @@ function discoverProjects() {
   resultsEl.style.display = 'block';
   resultsEl.innerHTML = '<div style="font-size:11px;color:var(--text-muted);padding:4px;">Scanning...</div>';
-  fetch('/api/discover', { method: 'POST' }).then(function(r) { return r.json(); }).then(function(found) {
+  lttFetch('/api/discover', { method: 'POST' }).then(function(r) { return r.json(); }).then(function(found) {
     if (!found.length) {
       resultsEl.innerHTML = '<div style="font-size:11px;color:var(--text-muted);padding:4px;">No new projects found (all discovered projects already added)</div>';
       setTimeout(function() { resultsEl.style.display = 'none'; }, 3000);
@@ -4996,7 +4913,7 @@ function discoverProjects() {
 }
 function addDiscovered(projectPath, name) {
-  fetch('/api/projects', {
+  lttFetch('/api/projects', {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ path: projectPath, name: name })
@@ -5012,7 +4929,7 @@ function removeProject() {
   if (!activeProject) return;
   if (!confirm('Remove this project from the dashboard?')) return;
-  fetch('/api/projects', {
+  lttFetch('/api/projects', {
     method: 'DELETE',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ path: activeProject })
@@ -5275,7 +5192,7 @@ updateNotifBtn();
 var lanState = { lan_mode: false, lan_ip: null, port: 3000 };
 function fetchLanState() {
-  return fetch('/api/server-info').then(function(r) { return r.json(); }).then(function(info) {
+  return lttFetch('/api/server-info').then(function(r) { return r.json(); }).then(function(info) {
     lanState = info;
     updateLanUI();
     return info;
@@ -5325,7 +5242,7 @@ function toggleLanMode() {
   var content = document.getElementById('phone-modal-content');
   content.innerHTML = '<div class="phone-off-state"><p>Switching...</p></div>';
-  fetch('/api/toggle-lan', { method: 'POST' })
+  lttFetch('/api/toggle-lan', { method: 'POST' })
     .then(function(r) { return r.json(); })
     .then(function(info) {
       lanState = info;
@@ -5353,10 +5270,20 @@ function renderPhoneModalContent() {
   }
   var url = 'http://' + lanState.lan_ip + ':' + lanState.port;
-  // Include active project so the phone shows the same view
-  if (activeProject) url += '?project=' + encodeURIComponent(activeProject);
+  // Include auth token and active project so the phone shows the same view
+  var params = [];
+  if (lanState.lan_token) params.push('token=' + encodeURIComponent(lanState.lan_token));
+  if (activeProject) params.push('project=' + encodeURIComponent(activeProject));
+  if (params.length) url += '?' + params.join('&');
   var qrUrl = 'https://api.qrserver.com/v1/create-qr-code/?size=180x180&color=58a6ff&bgcolor=0d1117&data=' + encodeURIComponent(url);
+  var tokenHtml = lanState.lan_token ?
+    '<div style="margin-top:12px;background:var(--surface-2);border:1px solid var(--border);border-radius:8px;padding:10px">' +
+      '<div style="font-size:10px;color:var(--text-muted);text-transform:uppercase;letter-spacing:0.5px;margin-bottom:4px">Auth Token</div>' +
+      '<div style="font-family:monospace;font-size:13px;color:var(--accent);word-break:break-all">' + escapeHtml(lanState.lan_token) + '</div>' +
+      '<div style="font-size:10px;color:var(--text-muted);margin-top:4px">Included in the QR code URL. Only people with this token can access your dashboard.</div>' +
+    '</div>' : '';
   el.innerHTML =
     '<div class="phone-url-box">' +
       '<div class="phone-url-text">' + escapeHtml(url) + '</div>' +
@@ -5365,12 +5292,16 @@ function renderPhoneModalContent() {
     '<div class="phone-qr">' +
       '<img src="' + qrUrl + '" alt="QR Code" onerror="this.parentElement.style.display=\'none\'">' +
     '</div>' +
-    '<div class="phone-qr-hint">Scan with your phone camera on the same WiFi</div>';
+    '<div class="phone-qr-hint">Scan with your phone camera on the same WiFi</div>' +
+    tokenHtml;
 }
 function copyPhoneUrl() {
   var url = 'http://' + lanState.lan_ip + ':' + lanState.port;
-  if (activeProject) url += '?project=' + encodeURIComponent(activeProject);
+  var params = [];
+  if (lanState.lan_token) params.push('token=' + encodeURIComponent(lanState.lan_token));
+  if (activeProject) params.push('project=' + encodeURIComponent(activeProject));
+  if (params.length) url += '?' + params.join('&');
   navigator.clipboard.writeText(url).then(function() {
     var btn = document.querySelector('.phone-url-copy');
     btn.textContent = 'Copied!';
@@ -5389,7 +5320,7 @@ var selectedCli = 'claude';
 function renderLaunchPanel() {
   var el = document.getElementById('launch-area');
   // Fetch templates
-  fetch('/api/templates').then(function(r) { return r.json(); }).then(function(templates) {
+  lttFetch('/api/templates').then(function(r) { return r.json(); }).then(function(templates) {
     launchTemplates = templates;
     var templateOpts = '<option value="">-- No template --</option>';
     for (var i = 0; i < templates.length; i++) {
@@ -5436,8 +5367,8 @@ function renderLaunchPanel() {
 }
 // ==================== v3.4: CONVERSATION TEMPLATES ====================
-function renderConversationTemplates(p){fetch('/api/conversation-templates').then(function(r){return r.json()}).then(function(t){if(!t.length)return;var s=document.createElement('div');s.className='launch-panel';s.style.marginTop='20px';var h='<h3 style="margin-bottom:4px">Conversation Templates</h3><p style="font-size:12px;color:var(--text-dim);margin-bottom:16px">Pre-built multi-agent workflows. Click to see agent prompts.</p><div style="display:grid;grid-template-columns:repeat(auto-fill,minmax(220px,1fr));gap:12px">';for(var i=0;i<t.length;i++){var c=t[i];var n=c.agents.map(function(a){return a.name}).join(', ');h+='<div style="background:var(--surface-2);border:1px solid var(--border);border-radius:8px;padding:14px;cursor:pointer;transition:all 0.15s" onclick="showConvTemplate(\''+escapeHtml(c.id)+'\')" onmouseover="this.style.borderColor=\'var(--accent)\'" onmouseout="this.style.borderColor=\'var(--border)\'"><div style="font-weight:600;font-size:13px;margin-bottom:4px">'+escapeHtml(c.name)+'</div><div style="font-size:11px;color:var(--text-dim);margin-bottom:8px">'+escapeHtml(c.description)+'</div><div style="font-size:10px;color:var(--text-muted)">Agents: '+escapeHtml(n)+'</div>'+(c.workflow?'<div style="font-size:10px;color:var(--purple);margin-top:4px">Workflow: '+escapeHtml(c.workflow.steps.join(' \u2192 '))+'</div>':'')+'</div>'}h+='</div><div id="conv-template-detail" style="margin-top:16px"></div>';s.innerHTML=h;p.appendChild(s)}).catch(function(){})}
-function showConvTemplate(tid){var pq=activeProject?'?project='+encodeURIComponent(activeProject):'';fetch('/api/conversation-templates/launch'+pq,{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({template_id:tid})}).then(function(r){return r.json()}).then(function(d){if(d.error){alert(d.error);return}var el=document.getElementById('conv-template-detail');var h='<div style="background:var(--surface);border:1px solid var(--border);border-radius:8px;padding:16px"><div style="font-weight:700;font-size:15px;margin-bottom:4px">'+escapeHtml(d.template.name)+'</div><div style="font-size:12px;color:var(--text-dim);margin-bottom:12px">'+escapeHtml(d.template.description)+'</div>';if(d.template.workflow){h+='<div style="display:flex;gap:6px;align-items:center;margin-bottom:14px;flex-wrap:wrap">';var st=d.template.workflow.steps;for(var s=0;s<st.length;s++){if(s>0)h+='<span style="color:var(--text-muted);font-size:12px">\u2192</span>';h+='<span style="background:var(--purple-dim);color:var(--purple);padding:3px 10px;border-radius:12px;font-size:11px;font-weight:600">'+escapeHtml(st[s])+'</span>'}h+='</div>'}h+='<div style="font-weight:600;font-size:12px;color:var(--text-muted);text-transform:uppercase;letter-spacing:0.5px;margin-bottom:8px">Agent Prompts (copy each into a separate terminal)</div>';for(var i=0;i<d.instructions.length;i++){var inst=d.instructions[i];h+='<div style="margin-bottom:10px"><div style="display:flex;align-items:center;gap:8px;margin-bottom:4px"><span style="font-weight:600;font-size:13px">'+escapeHtml(inst.agent_name)+'</span><span class="role-badge">'+escapeHtml(inst.role)+'</span></div><div class="copy-block" onclick="copyText(this)" data-text="'+inst.prompt.replace(/&/g,'&amp;').replace(/"/g,'&quot;').replace(/</g,'&lt;').replace(/>/g,'&gt;')+'"><span class="copy-hint">click to copy</span><span style="font-size:11px;color:var(--text-dim)">'+escapeHtml(inst.prompt.substring(0,200))+(inst.prompt.length>200?'...':'')+'</span></div></div>'}h+='</div>';el.innerHTML=h;el.scrollIntoView({behavior:'smooth',block:'nearest'})})}
+function renderConversationTemplates(p){lttFetch('/api/conversation-templates').then(function(r){return r.json()}).then(function(t){if(!t.length)return;var s=document.createElement('div');s.className='launch-panel';s.style.marginTop='20px';var h='<h3 style="margin-bottom:4px">Conversation Templates</h3><p style="font-size:12px;color:var(--text-dim);margin-bottom:16px">Pre-built multi-agent workflows. Click to see agent prompts.</p><div style="display:grid;grid-template-columns:repeat(auto-fill,minmax(220px,1fr));gap:12px">';for(var i=0;i<t.length;i++){var c=t[i];var n=c.agents.map(function(a){return a.name}).join(', ');h+='<div style="background:var(--surface-2);border:1px solid var(--border);border-radius:8px;padding:14px;cursor:pointer;transition:all 0.15s" onclick="showConvTemplate(\''+escapeHtml(c.id)+'\')" onmouseover="this.style.borderColor=\'var(--accent)\'" onmouseout="this.style.borderColor=\'var(--border)\'"><div style="font-weight:600;font-size:13px;margin-bottom:4px">'+escapeHtml(c.name)+'</div><div style="font-size:11px;color:var(--text-dim);margin-bottom:8px">'+escapeHtml(c.description)+'</div><div style="font-size:10px;color:var(--text-muted)">Agents: '+escapeHtml(n)+'</div>'+(c.workflow?'<div style="font-size:10px;color:var(--purple);margin-top:4px">Workflow: '+escapeHtml(c.workflow.steps.join(' \u2192 '))+'</div>':'')+'</div>'}h+='</div><div id="conv-template-detail" style="margin-top:16px"></div>';s.innerHTML=h;p.appendChild(s)}).catch(function(){})}
+function showConvTemplate(tid){var pq=activeProject?'?project='+encodeURIComponent(activeProject):'';lttFetch('/api/conversation-templates/launch'+pq,{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({template_id:tid})}).then(function(r){return r.json()}).then(function(d){if(d.error){alert(d.error);return}var el=document.getElementById('conv-template-detail');var h='<div style="background:var(--surface);border:1px solid var(--border);border-radius:8px;padding:16px"><div style="font-weight:700;font-size:15px;margin-bottom:4px">'+escapeHtml(d.template.name)+'</div><div style="font-size:12px;color:var(--text-dim);margin-bottom:12px">'+escapeHtml(d.template.description)+'</div>';if(d.template.workflow){h+='<div style="display:flex;gap:6px;align-items:center;margin-bottom:14px;flex-wrap:wrap">';var st=d.template.workflow.steps;for(var s=0;s<st.length;s++){if(s>0)h+='<span style="color:var(--text-muted);font-size:12px">\u2192</span>';h+='<span style="background:var(--purple-dim);color:var(--purple);padding:3px 10px;border-radius:12px;font-size:11px;font-weight:600">'+escapeHtml(st[s])+'</span>'}h+='</div>'}h+='<div style="font-weight:600;font-size:12px;color:var(--text-muted);text-transform:uppercase;letter-spacing:0.5px;margin-bottom:8px">Agent Prompts (copy each into a separate terminal)</div>';for(var i=0;i<d.instructions.length;i++){var inst=d.instructions[i];h+='<div style="margin-bottom:10px"><div style="display:flex;align-items:center;gap:8px;margin-bottom:4px"><span style="font-weight:600;font-size:13px">'+escapeHtml(inst.agent_name)+'</span><span class="role-badge">'+escapeHtml(inst.role)+'</span></div><div class="copy-block" onclick="copyText(this)" data-text="'+inst.prompt.replace(/&/g,'&amp;').replace(/"/g,'&quot;').replace(/</g,'&lt;').replace(/>/g,'&gt;')+'"><span class="copy-hint">click to copy</span><span style="font-size:11px;color:var(--text-dim)">'+escapeHtml(inst.prompt.substring(0,200))+(inst.prompt.length>200?'...':'')+'</span></div></div>'}h+='</div>';el.innerHTML=h;el.scrollIntoView({behavior:'smooth',block:'nearest'})})}
 function selectCli(cli) {
   selectedCli = cli;
@@ -5471,7 +5402,7 @@ function doLaunch() {
   var prompt = document.getElementById('launch-prompt').value.trim();
   var resultEl = document.getElementById('launch-result');
-  fetch('/api/launch', {
+  lttFetch('/api/launch', {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ cli: selectedCli, project_dir: projectDir || undefined, agent_name: agentName, prompt: prompt || undefined })
@@ -5539,7 +5470,8 @@ function setConnStatus(status) {
 function initSSE() {
   try {
-    var eventSource = new EventSource('/api/events');
+    var sseUrl = '/api/events' + (_lttToken ? '?token=' + encodeURIComponent(_lttToken) : '');
+    var eventSource = new EventSource(sseUrl);
     eventSource.onmessage = function(e) {
       if (e.data === 'update' || e.data === 'connected') {
         poll();

package/dashboard.js CHANGED Viewed

@@ -18,6 +18,26 @@ const PORT = parseInt(process.env.AGENT_BRIDGE_PORT || '3000', 10);
 const LAN_STATE_FILE = path.join(__dirname, '.lan-mode');
 let LAN_MODE = process.env.AGENT_BRIDGE_LAN === 'true' || (fs.existsSync(LAN_STATE_FILE) && fs.readFileSync(LAN_STATE_FILE, 'utf8').trim() === 'true');
+const LAN_TOKEN_FILE = path.join(__dirname, '.lan-token');
+let LAN_TOKEN = null;
+function generateLanToken() {
+  const crypto = require('crypto');
+  LAN_TOKEN = crypto.randomBytes(16).toString('hex');
+  try { fs.writeFileSync(LAN_TOKEN_FILE, LAN_TOKEN); } catch {}
+  return LAN_TOKEN;
+}
+function loadLanToken() {
+  if (fs.existsSync(LAN_TOKEN_FILE)) {
+    try { LAN_TOKEN = fs.readFileSync(LAN_TOKEN_FILE, 'utf8').trim(); } catch {}
+  }
+  if (!LAN_TOKEN) generateLanToken();
+}
+// Load or generate token on startup
+loadLanToken();
 function persistLanMode() {
   try { fs.writeFileSync(LAN_STATE_FILE, LAN_MODE ? 'true' : 'false'); } catch {}
 }
@@ -308,7 +328,7 @@ function apiStats(query) {
 function apiReset(query) {
   const projectPath = query.get('project') || null;
   const dataDir = resolveDataDir(projectPath);
-  const fixedFiles = ['messages.jsonl', 'history.jsonl', 'agents.json', 'acks.json', 'tasks.json', 'profiles.json', 'workflows.json', 'branches.json', 'plugins.json', 'read_receipts.json', 'permissions.json'];
+  const fixedFiles = ['messages.jsonl', 'history.jsonl', 'agents.json', 'acks.json', 'tasks.json', 'profiles.json', 'workflows.json', 'branches.json', 'read_receipts.json', 'permissions.json'];
   for (const f of fixedFiles) {
     const p = path.join(dataDir, f);
     if (fs.existsSync(p)) fs.unlinkSync(p);
@@ -1009,13 +1029,15 @@ const server = http.createServer(async (req, res) => {
   const allowedOrigin = `http://localhost:${PORT}`;
   const reqOrigin = req.headers.origin;
-  if (LAN_MODE && reqOrigin) {
-    res.setHeader('Access-Control-Allow-Origin', '*');
-  } else if (reqOrigin === allowedOrigin || reqOrigin === `http://127.0.0.1:${PORT}`) {
+  const lanIP = getLanIP();
+  const lanOrigin = lanIP ? `http://${lanIP}:${PORT}` : null;
+  const trustedOrigins = [allowedOrigin, `http://127.0.0.1:${PORT}`];
+  if (LAN_MODE && lanOrigin) trustedOrigins.push(lanOrigin);
+  if (reqOrigin && trustedOrigins.includes(reqOrigin)) {
     res.setHeader('Access-Control-Allow-Origin', reqOrigin);
   }
   res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
-  res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, X-LTT-Request, X-LTT-Token');
   if (req.method === 'OPTIONS') {
     res.writeHead(204);
@@ -1023,7 +1045,23 @@ const server = http.createServer(async (req, res) => {
     return;
   }
-  // CSRF + DNS rebinding protection: validate Host and Origin on mutating requests
+  // LAN auth token — required for non-localhost requests when LAN mode is active
+  if (LAN_MODE) {
+    const host = (req.headers.host || '').replace(/:\d+$/, '');
+    const isLocalhost = host === 'localhost' || host === '127.0.0.1';
+    if (!isLocalhost) {
+      const tokenFromQuery = url.searchParams.get('token');
+      const tokenFromHeader = req.headers['x-ltt-token'];
+      const providedToken = tokenFromHeader || tokenFromQuery;
+      if (!providedToken || providedToken !== LAN_TOKEN) {
+        res.writeHead(401, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Unauthorized: invalid or missing LAN token' }));
+        return;
+      }
+    }
+  }
+  // CSRF + DNS rebinding protection: validate Host, Origin, and custom header on mutating requests
   if (req.method === 'POST' || req.method === 'PUT' || req.method === 'DELETE') {
     // Check Host header to block DNS rebinding attacks
     const host = (req.headers.host || '').replace(/:\d+$/, '');
@@ -1034,13 +1072,26 @@ const server = http.createServer(async (req, res) => {
       res.end(JSON.stringify({ error: 'Forbidden: invalid host' }));
       return;
     }
+    // Require custom header — browsers block cross-origin custom headers without preflight,
+    // which our CORS policy won't approve for foreign origins. This closes the no-Origin gap.
+    if (!req.headers['x-ltt-request']) {
+      res.writeHead(403, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Forbidden: missing X-LTT-Request header' }));
+      return;
+    }
     // Check Origin header to block cross-site requests
+    // Empty origin is NOT trusted — requires at least the custom header (checked above)
     const origin = req.headers.origin || '';
     const referer = req.headers.referer || '';
     const source = origin || referer;
-    const isLocal = !source || source.includes('localhost:' + PORT) || source.includes('127.0.0.1:' + PORT);
-    const isLan = LAN_MODE && getLanIP() && source.includes(getLanIP() + ':' + PORT);
-    if (!isLocal && !isLan) {
+    if (!source) {
+      // No origin/referer — non-browser client (curl, scripts, etc.)
+      // Custom header check above is the only protection layer here — allow through
+      // since local CLI tools (like our own `msg` command) need to work
+    }
+    const isLocal = source && (source.includes('localhost:' + PORT) || source.includes('127.0.0.1:' + PORT));
+    const isLan = LAN_MODE && getLanIP() && source && source.includes(getLanIP() + ':' + PORT);
+    if (source && !isLocal && !isLan) {
       res.writeHead(403, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify({ error: 'Forbidden: invalid origin' }));
       return;
@@ -1074,6 +1125,7 @@ const server = http.createServer(async (req, res) => {
       const html = fs.readFileSync(HTML_FILE, 'utf8');
       res.writeHead(200, {
         'Content-Type': 'text/html; charset=utf-8',
+        'Content-Security-Policy': "default-src 'self'; script-src 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'",
         'Cache-Control': 'no-cache, no-store, must-revalidate',
         'Pragma': 'no-cache',
         'Expires': '0'
@@ -1248,27 +1300,6 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(branches));
     }
-    else if (url.pathname === '/api/plugins' && req.method === 'GET') {
-      const projectPath = url.searchParams.get('project') || null;
-      const pluginsFile = filePath('plugins.json', projectPath);
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(fs.existsSync(pluginsFile) ? JSON.parse(fs.readFileSync(pluginsFile, 'utf8')) : []));
-    }
-    else if (url.pathname === '/api/plugins' && req.method === 'POST') {
-      const body = await parseBody(req);
-      const projectPath = url.searchParams.get('project') || null;
-      const pluginsFile = filePath('plugins.json', projectPath);
-      let plugins = [];
-      if (fs.existsSync(pluginsFile)) try { plugins = JSON.parse(fs.readFileSync(pluginsFile, 'utf8')); } catch {}
-      if (body.action === 'toggle' && body.name) {
-        const p = plugins.find(x => x.name === body.name);
-        if (!p) { res.writeHead(404, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Plugin not found' })); return; }
-        p.enabled = !p.enabled;
-        fs.writeFileSync(pluginsFile, JSON.stringify(plugins, null, 2));
-      }
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ success: true }));
-    }
     else if (url.pathname === '/api/projects' && req.method === 'DELETE') {
       const body = await parseBody(req);
       const result = apiRemoveProject(body);
@@ -1321,7 +1352,7 @@ const server = http.createServer(async (req, res) => {
     // Server info (LAN mode detection for frontend)
     else if (url.pathname === '/api/server-info' && req.method === 'GET') {
       res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ lan_mode: LAN_MODE, lan_ip: getLanIP(), port: PORT }));
+      res.end(JSON.stringify({ lan_mode: LAN_MODE, lan_ip: getLanIP(), port: PORT, lan_token: LAN_MODE ? LAN_TOKEN : null }));
     }
     // Toggle LAN mode (re-bind server live)
     else if (url.pathname === '/api/toggle-lan' && req.method === 'POST') {
@@ -1329,9 +1360,11 @@ const server = http.createServer(async (req, res) => {
       const lanIP = getLanIP();
       LAN_MODE = newMode;
       persistLanMode();
+      // Regenerate token when enabling LAN mode
+      if (newMode) generateLanToken();
       // Send response first
       res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ lan_mode: newMode, lan_ip: lanIP, port: PORT }));
+      res.end(JSON.stringify({ lan_mode: newMode, lan_ip: lanIP, port: PORT, lan_token: newMode ? LAN_TOKEN : null }));
       // Re-bind by stopping the listener and immediately re-listening
       // Use setImmediate to let the response flush first
       setImmediate(() => {
@@ -1447,7 +1480,7 @@ server.listen(PORT, LAN_MODE ? '0.0.0.0' : '127.0.0.1', () => {
   const dataDir = resolveDataDir();
   const lanIP = getLanIP();
   console.log('');
-  console.log('  Let Them Talk - Agent Bridge Dashboard v3.4.1');
+  console.log('  Let Them Talk - Agent Bridge Dashboard v3.4.3');
   console.log('  ============================================');
   console.log('  Dashboard:  http://localhost:' + PORT);
   if (LAN_MODE && lanIP) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "let-them-talk",
-  "version": "3.4.1",
+  "version": "3.4.3",
   "description": "MCP message broker + web dashboard for inter-agent communication. Let AI CLI agents talk to each other.",
   "main": "server.js",
   "bin": {

package/server.js CHANGED Viewed

@@ -18,8 +18,7 @@ const PROFILES_FILE = path.join(DATA_DIR, 'profiles.json');
 const WORKFLOWS_FILE = path.join(DATA_DIR, 'workflows.json');
 const WORKSPACES_DIR = path.join(DATA_DIR, 'workspaces');
 const BRANCHES_FILE = path.join(DATA_DIR, 'branches.json');
-const PLUGINS_FILE = path.join(DATA_DIR, 'plugins.json');
-const PLUGINS_DIR = path.join(DATA_DIR, 'plugins');
+// Plugins removed in v3.4.3 — unnecessary attack surface, CLIs have their own extension systems
 // In-memory state for this process
 let registeredName = null;
@@ -418,17 +417,6 @@ function getHistoryFile(branch) {
   return path.join(DATA_DIR, `branch-${sanitizeName(branch)}-history.jsonl`);
 }
-// --- Plugin helpers ---
-function getPluginRegistry() {
-  if (!fs.existsSync(PLUGINS_FILE)) return [];
-  try { return JSON.parse(fs.readFileSync(PLUGINS_FILE, 'utf8')); } catch { return []; }
-}
-function savePluginRegistry(plugins) {
-  fs.writeFileSync(PLUGINS_FILE, JSON.stringify(plugins, null, 2));
-}
 // --- Tool implementations ---
 function toolRegister(name, provider = null) {
@@ -1181,8 +1169,8 @@ function toolReset() {
       }
     }
   }
-  // Remove profiles, workflows, branches, plugins, permissions, read receipts
-  for (const f of [PROFILES_FILE, WORKFLOWS_FILE, BRANCHES_FILE, PLUGINS_FILE, PERMISSIONS_FILE, READ_RECEIPTS_FILE]) {
+  // Remove profiles, workflows, branches, permissions, read receipts
+  for (const f of [PROFILES_FILE, WORKFLOWS_FILE, BRANCHES_FILE, PERMISSIONS_FILE, READ_RECEIPTS_FILE]) {
     if (fs.existsSync(f)) fs.unlinkSync(f);
   }
   // Remove workspaces dir
@@ -1497,11 +1485,6 @@ const server = new Server(
 );
 server.setRequestHandler(ListToolsRequestSchema, async () => {
-  const pluginTools = loadedPlugins.map(p => ({
-    name: 'plugin_' + p.name,
-    description: '[Plugin] ' + p.description,
-    inputSchema: p.inputSchema,
-  }));
   return {
     tools: [
       {
@@ -1875,7 +1858,6 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
           properties: {},
         },
       },
-      ...pluginTools,
     ],
   };
 });
@@ -1969,12 +1951,6 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         result = toolListBranches();
         break;
       default:
-        // Check if it's a plugin tool
-        if (name.startsWith('plugin_')) {
-          const pluginName = name.substring(7);
-          result = await executePlugin(pluginName, args);
-          break;
-        }
         return {
           content: [{ type: 'text', text: `Unknown tool: ${name}` }],
           isError: true,
@@ -2014,90 +1990,11 @@ process.on('exit', () => {
 process.on('SIGTERM', () => process.exit(0));
 process.on('SIGINT', () => process.exit(0));
-// --- Phase 5: Plugin system ---
-let loadedPlugins = []; // { name, description, inputSchema, handler }
-function loadPlugins() {
-  loadedPlugins = [];
-  if (!fs.existsSync(PLUGINS_DIR)) return;
-  const registry = getPluginRegistry();
-  const enabledNames = new Set(registry.filter(p => p.enabled !== false).map(p => p.name));
-  try {
-    const vm = require('vm');
-    const files = fs.readdirSync(PLUGINS_DIR).filter(f => f.endsWith('.js'));
-    for (const file of files) {
-      try {
-        const pluginPath = path.join(PLUGINS_DIR, file);
-        const code = fs.readFileSync(pluginPath, 'utf8');
-        // Run plugin in a sandboxed VM context — no require, no process, no child_process
-        const sandbox = { module: { exports: {} }, exports: {}, console: { log: () => {}, error: () => {}, warn: () => {} } };
-        vm.runInNewContext(code, sandbox, { filename: file, timeout: 5000 });
-        const plugin = sandbox.module.exports;
-        if (!plugin.name || !plugin.description || !plugin.handler) {
-          console.error(`Plugin ${file}: missing name, description, or handler`);
-          continue;
-        }
-        if (!enabledNames.has(plugin.name) && enabledNames.size > 0) continue;
-        loadedPlugins.push({
-          name: plugin.name,
-          description: plugin.description,
-          inputSchema: plugin.inputSchema || { type: 'object', properties: {} },
-          handler: plugin.handler,
-        });
-        console.error(`Plugin loaded: ${plugin.name} (sandboxed)`);
-      } catch (e) {
-        console.error(`Plugin ${file} failed to load: ${e.message}`);
-      }
-    }
-  } catch {}
-}
-function executePlugin(pluginName, args) {
-  const plugin = loadedPlugins.find(p => p.name === pluginName);
-  if (!plugin) return { error: `Plugin "${pluginName}" not found` };
-  const context = {
-    registeredName,
-    sendMessage: (to, content) => toolSendMessage(content, to),
-    getAgents: () => toolListAgents().agents,
-    getHistory: (limit) => toolGetHistory(limit),
-    readFile: (filePath) => {
-      const resolved = path.resolve(filePath);
-      const allowedRoot = path.resolve(process.cwd());
-      let realPath;
-      try { realPath = fs.realpathSync(resolved); } catch { throw new Error('File not found'); }
-      if (!realPath.startsWith(allowedRoot + path.sep) && realPath !== allowedRoot) {
-        throw new Error('File path must be within the project directory');
-      }
-      return fs.readFileSync(realPath, 'utf8');
-    },
-  };
-  return new Promise((resolve) => {
-    const timeout = setTimeout(() => resolve({ error: 'Plugin execution timed out (30s)' }), 30000);
-    try {
-      const result = plugin.handler(args, context);
-      if (result && typeof result.then === 'function') {
-        result.then(r => { clearTimeout(timeout); resolve(r); }).catch(e => { clearTimeout(timeout); resolve({ error: e.message }); });
-      } else {
-        clearTimeout(timeout);
-        resolve(result);
-      }
-    } catch (e) {
-      clearTimeout(timeout);
-      resolve({ error: e.message });
-    }
-  });
-}
 async function main() {
   ensureDataDir();
-  loadPlugins();
   const transport = new StdioServerTransport();
   await server.connect(transport);
-  console.error('Agent Bridge MCP server v3.4.1 running (' + (27 + loadedPlugins.length) + ' tools)');
+  console.error('Agent Bridge MCP server v3.4.3 running (27 tools)');
 }
 main().catch(console.error);