npm - let-them-talk - Versions diffs - 3.4.2 → 3.4.3 - Mend

let-them-talk 3.4.2 → 3.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,14 @@
 # Changelog
+## [3.4.3] - 2026-03-15
+### Removed — Plugin System
+- Removed the entire plugin system (`vm.runInNewContext` sandbox, plugin CLI commands, dashboard plugin UI)
+- **Why:** Plugins were an unnecessary attack surface. Node.js `vm` is not a security sandbox — plugins could escape and execute arbitrary OS commands. CLI terminals (Claude Code, Gemini, Codex) have their own extension systems, making our plugins redundant.
+- `npx let-them-talk plugin` now shows a deprecation notice
+- MCP tools reduced from 27 + plugins to 27 (all core tools remain)
+- ~200 lines of code removed from server.js, cli.js, dashboard.js, dashboard.html
 ## [3.4.2] - 2026-03-15
 ### Security — CSRF Protection

package/LICENSE CHANGED Viewed

@@ -6,7 +6,7 @@ License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
 Parameters
 Licensor:             Dekelelz
-Licensed Work:        Let Them Talk v3.4.2
+Licensed Work:        Let Them Talk v3.4.3
                       The Licensed Work is (c) 2024-2026 Dekelelz.
 Additional Use Grant: You may make use of the Licensed Work, provided that
                       you may not use the Licensed Work for a Commercial

package/cli.js CHANGED Viewed

@@ -8,7 +8,7 @@ const command = process.argv[2];
 function printUsage() {
   console.log(`
-  Let Them Talk — Agent Bridge v3.4.2
+  Let Them Talk — Agent Bridge v3.4.3
   MCP message broker for inter-agent communication
   Supports: Claude Code, Gemini CLI, Codex CLI
@@ -23,11 +23,6 @@ function printUsage() {
     npx let-them-talk dashboard         Launch the web dashboard (http://localhost:3000)
     npx let-them-talk dashboard --lan   Launch dashboard accessible on LAN (phone/tablet)
     npx let-them-talk reset             Clear all conversation data
-    npx let-them-talk plugin list       List installed plugins
-    npx let-them-talk plugin add <file> Install a plugin from a .js file
-    npx let-them-talk plugin remove <n> Remove a plugin by name
-    npx let-them-talk plugin enable <n> Enable a plugin
-    npx let-them-talk plugin disable <n> Disable a plugin
     npx let-them-talk msg <agent> <text> Send a message to an agent
     npx let-them-talk status             Show active agents and message count
     npx let-them-talk help               Show this help message
@@ -293,124 +288,6 @@ function showTemplate(templateName) {
   }
 }
-function pluginCmd() {
-  const subCmd = process.argv[3];
-  const dataDir = process.env.AGENT_BRIDGE_DATA_DIR || path.join(process.cwd(), '.agent-bridge');
-  const pluginsDir = path.join(dataDir, 'plugins');
-  const pluginsFile = path.join(dataDir, 'plugins.json');
-  function getRegistry() {
-    if (!fs.existsSync(pluginsFile)) return [];
-    try { return JSON.parse(fs.readFileSync(pluginsFile, 'utf8')); } catch { return []; }
-  }
-  function saveRegistry(reg) {
-    if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
-    fs.writeFileSync(pluginsFile, JSON.stringify(reg, null, 2));
-  }
-  switch (subCmd) {
-    case 'list': {
-      const plugins = getRegistry();
-      if (!plugins.length) {
-        console.log('  No plugins installed.');
-        console.log('  Install with: npx let-them-talk plugin add <file.js>');
-        return;
-      }
-      console.log('');
-      console.log('  Installed Plugins');
-      console.log('  =================');
-      for (const p of plugins) {
-        const status = p.enabled !== false ? 'enabled' : 'disabled';
-        console.log('  ' + p.name.padEnd(20) + ' ' + status.padEnd(10) + ' ' + (p.description || ''));
-      }
-      console.log('');
-      break;
-    }
-    case 'add': {
-      const filePath = process.argv[4];
-      if (!filePath) { console.error('  Usage: npx let-them-talk plugin add <file.js>'); process.exit(1); }
-      const absPath = path.resolve(filePath);
-      if (!fs.existsSync(absPath)) { console.error('  File not found: ' + absPath); process.exit(1); }
-      // Validate plugin structure without executing it (no require — prevents RCE on install)
-      try {
-        const src = fs.readFileSync(absPath, 'utf8');
-        if (!src.includes('module.exports') || !src.includes('name') || !src.includes('handler')) {
-          console.error('  Plugin must export name, description, and handler (module.exports = { name, handler })');
-          process.exit(1);
-        }
-        // Extract plugin name from source using regex (no eval)
-        const nameMatch = src.match(/name\s*:\s*['"]([^'"]+)['"]/);
-        const descMatch = src.match(/description\s*:\s*['"]([^'"]+)['"]/);
-        const pluginName = nameMatch ? nameMatch[1] : path.basename(absPath, '.js');
-        const pluginDesc = descMatch ? descMatch[1] : '';
-        if (!fs.existsSync(pluginsDir)) fs.mkdirSync(pluginsDir, { recursive: true });
-        const destFile = path.join(pluginsDir, path.basename(absPath));
-        fs.copyFileSync(absPath, destFile);
-        const reg = getRegistry();
-        if (!reg.find(p => p.name === pluginName)) {
-          reg.push({ name: pluginName, description: pluginDesc, file: path.basename(absPath), enabled: true, added_at: new Date().toISOString() });
-          saveRegistry(reg);
-        }
-        console.log('  Plugin "' + pluginName + '" installed successfully.');
-        console.log('  Restart CLI to load the new tool (runs sandboxed).');
-      } catch (e) {
-        console.error('  Failed to install plugin: ' + e.message);
-        process.exit(1);
-      }
-      break;
-    }
-    case 'remove': {
-      const name = process.argv[4];
-      if (!name) { console.error('  Usage: npx let-them-talk plugin remove <name>'); process.exit(1); }
-      const reg = getRegistry();
-      const plugin = reg.find(p => p.name === name);
-      if (!plugin) { console.error('  Plugin not found: ' + name); process.exit(1); }
-      const newReg = reg.filter(p => p.name !== name);
-      saveRegistry(newReg);
-      if (plugin.file) {
-        const pluginFile = path.resolve(pluginsDir, plugin.file);
-        // Prevent path traversal — only delete files inside pluginsDir
-        if (pluginFile.startsWith(path.resolve(pluginsDir) + path.sep) && fs.existsSync(pluginFile)) {
-          fs.unlinkSync(pluginFile);
-        }
-      }
-      console.log('  Plugin "' + name + '" removed.');
-      break;
-    }
-    case 'enable': {
-      const name = process.argv[4];
-      if (!name) { console.error('  Usage: npx let-them-talk plugin enable <name>'); process.exit(1); }
-      const reg = getRegistry();
-      const plugin = reg.find(p => p.name === name);
-      if (!plugin) { console.error('  Plugin not found: ' + name); process.exit(1); }
-      plugin.enabled = true;
-      saveRegistry(reg);
-      console.log('  Plugin "' + name + '" enabled.');
-      break;
-    }
-    case 'disable': {
-      const name = process.argv[4];
-      if (!name) { console.error('  Usage: npx let-them-talk plugin disable <name>'); process.exit(1); }
-      const reg = getRegistry();
-      const plugin = reg.find(p => p.name === name);
-      if (!plugin) { console.error('  Plugin not found: ' + name); process.exit(1); }
-      plugin.enabled = false;
-      saveRegistry(reg);
-      console.log('  Plugin "' + name + '" disabled.');
-      break;
-    }
-    default:
-      console.error('  Unknown plugin command: ' + (subCmd || ''));
-      console.error('  Available: list, add, remove, enable, disable');
-      process.exit(1);
-  }
-}
 function dashboard() {
   if (process.argv.includes('--lan')) {
     process.env.AGENT_BRIDGE_LAN = 'true';
@@ -532,7 +409,7 @@ switch (command) {
     break;
   case 'plugin':
   case 'plugins':
-    pluginCmd();
+    console.log('  Plugins have been removed in v3.4.3. CLI terminals have their own extension systems.');
     break;
   case 'help':
   case '--help':

package/dashboard.html CHANGED Viewed

@@ -2572,65 +2572,7 @@
   }
   /* ===== v3.0: PLUGINS SECTION ===== */
-  .plugin-card {
-    background: var(--surface-2);
-    border: 1px solid var(--border);
-    border-radius: 6px;
-    padding: 8px 10px;
-    margin-bottom: 4px;
-    display: flex;
-    align-items: center;
-    justify-content: space-between;
-  }
-  .plugin-info {
-    flex: 1;
-    min-width: 0;
-  }
-  .plugin-name {
-    font-size: 12px;
-    font-weight: 600;
-  }
-  .plugin-desc {
-    font-size: 10px;
-    color: var(--text-muted);
-  }
-  .plugin-toggle {
-    background: var(--surface-3);
-    border: 1px solid var(--border);
-    border-radius: 10px;
-    width: 36px;
-    height: 20px;
-    cursor: pointer;
-    position: relative;
-    transition: all 0.2s;
-    flex-shrink: 0;
-  }
-  .plugin-toggle.on {
-    background: var(--green-dim);
-    border-color: var(--green);
-  }
-  .plugin-toggle::after {
-    content: '';
-    position: absolute;
-    width: 14px;
-    height: 14px;
-    border-radius: 50%;
-    background: var(--text-dim);
-    top: 2px;
-    left: 2px;
-    transition: all 0.2s;
-  }
-  .plugin-toggle.on::after {
-    left: 18px;
-    background: var(--green);
-  }
+  /* Plugins removed in v3.4.3 */
   /* ===== v3.0: AVATAR PICKER ===== */
   .avatar-option {
@@ -2758,12 +2700,6 @@
         <div id="activity-heatmap"></div>
       </div>
-      <!-- Plugins Section -->
-      <div class="sidebar-section">
-        <div class="sidebar-title"><span>Plugins</span></div>
-        <div id="plugins-list"></div>
-      </div>
       <!-- Bookmarks Section -->
       <div class="sidebar-section">
         <div class="sidebar-title">
@@ -2842,7 +2778,7 @@
   </div>
 </div>
 <div class="app-footer">
-  <span>Let Them Talk v3.4.2</span>
+  <span>Let Them Talk v3.4.3</span>
 </div>
 <div class="profile-popup" id="profile-popup" onclick="event.stopPropagation()">
   <div class="profile-popup-header">
@@ -4750,44 +4686,6 @@ function switchBranch(name) {
   poll();
 }
-// ==================== v3.0: PLUGINS ====================
-function fetchPlugins() {
-  var pq = projectParam();
-  lttFetch('/api/plugins' + pq).then(function(r) { return r.json(); }).then(function(data) {
-    renderPlugins(Array.isArray(data) ? data : []);
-  }).catch(function() {});
-}
-function renderPlugins(plugins) {
-  var el = document.getElementById('plugins-list');
-  if (!plugins.length) {
-    el.innerHTML = '<div style="color:var(--text-muted);font-size:12px;padding:4px;">No plugins installed</div>';
-    return;
-  }
-  var html = '';
-  for (var i = 0; i < plugins.length; i++) {
-    var p = plugins[i];
-    var onClass = p.enabled !== false ? ' on' : '';
-    html += '<div class="plugin-card">' +
-      '<div class="plugin-info">' +
-        '<div class="plugin-name">' + escapeHtml(p.name) + '</div>' +
-        '<div class="plugin-desc">' + escapeHtml(p.description || '') + '</div>' +
-      '</div>' +
-      '<div class="plugin-toggle' + onClass + '" onclick="togglePlugin(\'' + escapeHtml(p.name) + '\')"></div>' +
-    '</div>';
-  }
-  el.innerHTML = html;
-}
-function togglePlugin(name) {
-  lttFetch('/api/plugins' + projectParam(), {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ action: 'toggle', name: name })
-  }).then(function() { fetchPlugins(); }).catch(function() {});
-}
 // ==================== POLLING ====================
 function poll() {
@@ -4839,7 +4737,6 @@ function poll() {
     renderBookmarksSidebar();
     fetchActivity();
     fetchBranches();
-    fetchPlugins();
     updateTypingIndicator(cachedAgents);
     if (activeView === 'tasks') fetchTasks();
     if (activeView === 'workspaces') fetchWorkspaces();

package/dashboard.js CHANGED Viewed

@@ -328,7 +328,7 @@ function apiStats(query) {
 function apiReset(query) {
   const projectPath = query.get('project') || null;
   const dataDir = resolveDataDir(projectPath);
-  const fixedFiles = ['messages.jsonl', 'history.jsonl', 'agents.json', 'acks.json', 'tasks.json', 'profiles.json', 'workflows.json', 'branches.json', 'plugins.json', 'read_receipts.json', 'permissions.json'];
+  const fixedFiles = ['messages.jsonl', 'history.jsonl', 'agents.json', 'acks.json', 'tasks.json', 'profiles.json', 'workflows.json', 'branches.json', 'read_receipts.json', 'permissions.json'];
   for (const f of fixedFiles) {
     const p = path.join(dataDir, f);
     if (fs.existsSync(p)) fs.unlinkSync(p);
@@ -1300,27 +1300,6 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(branches));
     }
-    else if (url.pathname === '/api/plugins' && req.method === 'GET') {
-      const projectPath = url.searchParams.get('project') || null;
-      const pluginsFile = filePath('plugins.json', projectPath);
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(fs.existsSync(pluginsFile) ? JSON.parse(fs.readFileSync(pluginsFile, 'utf8')) : []));
-    }
-    else if (url.pathname === '/api/plugins' && req.method === 'POST') {
-      const body = await parseBody(req);
-      const projectPath = url.searchParams.get('project') || null;
-      const pluginsFile = filePath('plugins.json', projectPath);
-      let plugins = [];
-      if (fs.existsSync(pluginsFile)) try { plugins = JSON.parse(fs.readFileSync(pluginsFile, 'utf8')); } catch {}
-      if (body.action === 'toggle' && body.name) {
-        const p = plugins.find(x => x.name === body.name);
-        if (!p) { res.writeHead(404, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Plugin not found' })); return; }
-        p.enabled = !p.enabled;
-        fs.writeFileSync(pluginsFile, JSON.stringify(plugins, null, 2));
-      }
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ success: true }));
-    }
     else if (url.pathname === '/api/projects' && req.method === 'DELETE') {
       const body = await parseBody(req);
       const result = apiRemoveProject(body);
@@ -1501,7 +1480,7 @@ server.listen(PORT, LAN_MODE ? '0.0.0.0' : '127.0.0.1', () => {
   const dataDir = resolveDataDir();
   const lanIP = getLanIP();
   console.log('');
-  console.log('  Let Them Talk - Agent Bridge Dashboard v3.4.2');
+  console.log('  Let Them Talk - Agent Bridge Dashboard v3.4.3');
   console.log('  ============================================');
   console.log('  Dashboard:  http://localhost:' + PORT);
   if (LAN_MODE && lanIP) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "let-them-talk",
-  "version": "3.4.2",
+  "version": "3.4.3",
   "description": "MCP message broker + web dashboard for inter-agent communication. Let AI CLI agents talk to each other.",
   "main": "server.js",
   "bin": {

package/server.js CHANGED Viewed

@@ -18,8 +18,7 @@ const PROFILES_FILE = path.join(DATA_DIR, 'profiles.json');
 const WORKFLOWS_FILE = path.join(DATA_DIR, 'workflows.json');
 const WORKSPACES_DIR = path.join(DATA_DIR, 'workspaces');
 const BRANCHES_FILE = path.join(DATA_DIR, 'branches.json');
-const PLUGINS_FILE = path.join(DATA_DIR, 'plugins.json');
-const PLUGINS_DIR = path.join(DATA_DIR, 'plugins');
+// Plugins removed in v3.4.3 — unnecessary attack surface, CLIs have their own extension systems
 // In-memory state for this process
 let registeredName = null;
@@ -418,17 +417,6 @@ function getHistoryFile(branch) {
   return path.join(DATA_DIR, `branch-${sanitizeName(branch)}-history.jsonl`);
 }
-// --- Plugin helpers ---
-function getPluginRegistry() {
-  if (!fs.existsSync(PLUGINS_FILE)) return [];
-  try { return JSON.parse(fs.readFileSync(PLUGINS_FILE, 'utf8')); } catch { return []; }
-}
-function savePluginRegistry(plugins) {
-  fs.writeFileSync(PLUGINS_FILE, JSON.stringify(plugins, null, 2));
-}
 // --- Tool implementations ---
 function toolRegister(name, provider = null) {
@@ -1181,8 +1169,8 @@ function toolReset() {
       }
     }
   }
-  // Remove profiles, workflows, branches, plugins, permissions, read receipts
-  for (const f of [PROFILES_FILE, WORKFLOWS_FILE, BRANCHES_FILE, PLUGINS_FILE, PERMISSIONS_FILE, READ_RECEIPTS_FILE]) {
+  // Remove profiles, workflows, branches, permissions, read receipts
+  for (const f of [PROFILES_FILE, WORKFLOWS_FILE, BRANCHES_FILE, PERMISSIONS_FILE, READ_RECEIPTS_FILE]) {
     if (fs.existsSync(f)) fs.unlinkSync(f);
   }
   // Remove workspaces dir
@@ -1497,11 +1485,6 @@ const server = new Server(
 );
 server.setRequestHandler(ListToolsRequestSchema, async () => {
-  const pluginTools = loadedPlugins.map(p => ({
-    name: 'plugin_' + p.name,
-    description: '[Plugin] ' + p.description,
-    inputSchema: p.inputSchema,
-  }));
   return {
     tools: [
       {
@@ -1875,7 +1858,6 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
           properties: {},
         },
       },
-      ...pluginTools,
     ],
   };
 });
@@ -1969,12 +1951,6 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         result = toolListBranches();
         break;
       default:
-        // Check if it's a plugin tool
-        if (name.startsWith('plugin_')) {
-          const pluginName = name.substring(7);
-          result = await executePlugin(pluginName, args);
-          break;
-        }
         return {
           content: [{ type: 'text', text: `Unknown tool: ${name}` }],
           isError: true,
@@ -2014,90 +1990,11 @@ process.on('exit', () => {
 process.on('SIGTERM', () => process.exit(0));
 process.on('SIGINT', () => process.exit(0));
-// --- Phase 5: Plugin system ---
-let loadedPlugins = []; // { name, description, inputSchema, handler }
-function loadPlugins() {
-  loadedPlugins = [];
-  if (!fs.existsSync(PLUGINS_DIR)) return;
-  const registry = getPluginRegistry();
-  const enabledNames = new Set(registry.filter(p => p.enabled !== false).map(p => p.name));
-  try {
-    const vm = require('vm');
-    const files = fs.readdirSync(PLUGINS_DIR).filter(f => f.endsWith('.js'));
-    for (const file of files) {
-      try {
-        const pluginPath = path.join(PLUGINS_DIR, file);
-        const code = fs.readFileSync(pluginPath, 'utf8');
-        // Run plugin in a sandboxed VM context — no require, no process, no child_process
-        const sandbox = { module: { exports: {} }, exports: {}, console: { log: () => {}, error: () => {}, warn: () => {} } };
-        vm.runInNewContext(code, sandbox, { filename: file, timeout: 5000 });
-        const plugin = sandbox.module.exports;
-        if (!plugin.name || !plugin.description || !plugin.handler) {
-          console.error(`Plugin ${file}: missing name, description, or handler`);
-          continue;
-        }
-        if (!enabledNames.has(plugin.name) && enabledNames.size > 0) continue;
-        loadedPlugins.push({
-          name: plugin.name,
-          description: plugin.description,
-          inputSchema: plugin.inputSchema || { type: 'object', properties: {} },
-          handler: plugin.handler,
-        });
-        console.error(`Plugin loaded: ${plugin.name} (sandboxed)`);
-      } catch (e) {
-        console.error(`Plugin ${file} failed to load: ${e.message}`);
-      }
-    }
-  } catch {}
-}
-function executePlugin(pluginName, args) {
-  const plugin = loadedPlugins.find(p => p.name === pluginName);
-  if (!plugin) return { error: `Plugin "${pluginName}" not found` };
-  const context = {
-    registeredName,
-    sendMessage: (to, content) => toolSendMessage(content, to),
-    getAgents: () => toolListAgents().agents,
-    getHistory: (limit) => toolGetHistory(limit),
-    readFile: (filePath) => {
-      const resolved = path.resolve(filePath);
-      const allowedRoot = path.resolve(process.cwd());
-      let realPath;
-      try { realPath = fs.realpathSync(resolved); } catch { throw new Error('File not found'); }
-      if (!realPath.startsWith(allowedRoot + path.sep) && realPath !== allowedRoot) {
-        throw new Error('File path must be within the project directory');
-      }
-      return fs.readFileSync(realPath, 'utf8');
-    },
-  };
-  return new Promise((resolve) => {
-    const timeout = setTimeout(() => resolve({ error: 'Plugin execution timed out (30s)' }), 30000);
-    try {
-      const result = plugin.handler(args, context);
-      if (result && typeof result.then === 'function') {
-        result.then(r => { clearTimeout(timeout); resolve(r); }).catch(e => { clearTimeout(timeout); resolve({ error: e.message }); });
-      } else {
-        clearTimeout(timeout);
-        resolve(result);
-      }
-    } catch (e) {
-      clearTimeout(timeout);
-      resolve({ error: e.message });
-    }
-  });
-}
 async function main() {
   ensureDataDir();
-  loadPlugins();
   const transport = new StdioServerTransport();
   await server.connect(transport);
-  console.error('Agent Bridge MCP server v3.4.2 running (' + (27 + loadedPlugins.length) + ' tools)');
+  console.error('Agent Bridge MCP server v3.4.3 running (27 tools)');
 }
 main().catch(console.error);