let-them-talk 3.4.2 → 3.4.4

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## [3.4.4] - 2026-03-15
+
+### Fixed
+- Add project now accepts any existing directory (removed requirement for package.json or .git)
+- Init safely backs up corrupted .mcp.json and settings.json before overwriting
+
+### Changed
+- Removed plugin references from website and docs
+- Website updated with security features (LAN auth token, CSRF, CSP)
+
+## [3.4.3] - 2026-03-15
+
+### Removed — Plugin System
+- Removed the entire plugin system (`vm.runInNewContext` sandbox, plugin CLI commands, dashboard plugin UI)
+- **Why:** Plugins were an unnecessary attack surface. Node.js `vm` is not a security sandbox — plugins could escape and execute arbitrary OS commands. CLI terminals (Claude Code, Gemini, Codex) have their own extension systems, making our plugins redundant.
+- `npx let-them-talk plugin` now shows a deprecation notice
+- MCP tools reduced from 27 + plugins to 27 (all core tools remain)
+- ~200 lines of code removed from server.js, cli.js, dashboard.js, dashboard.html
+
 ## [3.4.2] - 2026-03-15
 
 ### Security — CSRF Protection

package/LICENSE

@@ -6,7 +6,7 @@ License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
 Parameters
 
 Licensor:             Dekelelz
-Licensed Work:        Let Them Talk v3.4.2
+Licensed Work:        Let Them Talk v3.4.4
                       The Licensed Work is (c) 2024-2026 Dekelelz.
 Additional Use Grant: You may make use of the Licensed Work, provided that
                       you may not use the Licensed Work for a Commercial

package/README.md

@@ -72,7 +72,7 @@ Run `npx let-them-talk init --all` to configure all three at once.
        |                       |                       |
        +----------- .agent-bridge/ directory ----------+
                     messages · agents · tasks
-                    profiles · workflows · plugins
+                    profiles · workflows · permissions
                               |
                               v
                     Web Dashboard :3000
@@ -84,7 +84,7 @@ Each terminal spawns its own MCP server process. All processes share a `.agent-b
 
 ## Highlights
 
-- **27 MCP tools** — messaging, tasks, workflows, profiles, workspaces, branching, plugins
+- **27 MCP tools** — messaging, tasks, workflows, profiles, workspaces, branching
 - **Premium dashboard** — glassmorphism UI, Inter font, gradient accents, SSE real-time (~200ms)
 - **Stats & analytics** — per-agent message counts, response times, hourly activity charts, velocity
 - **Conversation templates** — 4 built-in multi-agent workflows (Code Review, Debug Squad, Feature Dev, Research & Write)
@@ -96,7 +96,7 @@ Each terminal spawns its own MCP server process. All processes share a `.agent-b
 - **Compact view** — dense message toggle for power users, persists to localStorage
 - **Multi-format export** — HTML, Markdown, and JSON export
 - **CLI tools** — send messages and check status directly from the command line
-- **Plugin system** — extend with custom tools, 30s sandboxed execution
+- **Secure by default** — CSRF protection, LAN auth tokens, Content Security Policy, agent permissions
 - **Zero config** — one `npx` command, auto-detects your CLI, works immediately
 
 ## Agent Templates
@@ -147,7 +147,7 @@ Launch with `npx let-them-talk dashboard` — opens at `http://localhost:3000`.
 - Browser notifications and sound alerts
 - LAN mode for phone access
 
-## MCP Tools (27 + plugins)
+## MCP Tools (27)
 
 <details>
 <summary><strong>Messaging (13 tools)</strong></summary>
@@ -207,38 +207,6 @@ Launch with `npx let-them-talk dashboard` — opens at `http://localhost:3000`.
 
 </details>
 
-## Plugins
-
-Extend Let Them Talk with custom tools. Drop a `.js` file in `.agent-bridge/plugins/`.
-
-```javascript
-module.exports = {
-  name: 'my-tool',
-  description: 'What this tool does',
-  inputSchema: {
-    type: 'object',
-    properties: {
-      query: { type: 'string', description: 'Input text' }
-    },
-    required: ['query']
-  },
-  handler(args, ctx) {
-    // ctx: sendMessage, getAgents, getHistory, readFile, registeredName, dataDir
-    return { result: 'done', query: args.query };
-  }
-};
-```
-
-```bash
-npx let-them-talk plugin add my-tool.js    # install
-npx let-them-talk plugin list              # list installed
-npx let-them-talk plugin remove my-tool    # remove
-npx let-them-talk plugin enable my-tool    # enable
-npx let-them-talk plugin disable my-tool   # disable
-```
-
-Plugins run sandboxed with a 30-second timeout. Manage via CLI or dashboard.
-
 ## CLI Reference
 
 ```bash
@@ -248,7 +216,8 @@ npx let-them-talk init --template <name>   # use a team template
 npx let-them-talk templates                # list templates
 npx let-them-talk dashboard                # launch web dashboard
 npx let-them-talk reset                    # clear conversation data
-npx let-them-talk plugin <subcommand>      # manage plugins
+npx let-them-talk msg <agent> <text>       # send a message from CLI
+npx let-them-talk status                  # show active agents
 npx let-them-talk help                     # show help
 ```
 
@@ -268,7 +237,7 @@ Let Them Talk is a **local message broker**. It passes text messages between CLI
 
 **Does not:** access the internet, store API keys, run cloud services, or grant new filesystem access.
 
-**Built-in protections:** CORS restriction, XSS prevention, path traversal protection, symlink validation, origin enforcement, SSE connection limits, input validation, message size limits (1MB), plugin sandboxing (30s timeout).
+**Built-in protections:** CSRF custom header, LAN auth tokens, Content Security Policy, CORS restriction, XSS prevention, path traversal protection, symlink validation, origin enforcement, SSE connection limits, input validation, message size limits (1MB), agent permissions.
 
 **LAN mode:** Optional phone access exposes the dashboard to your local WiFi only. Requires explicit activation.
 

package/cli.js

@@ -8,7 +8,7 @@ const command = process.argv[2];
 
 function printUsage() {
   console.log(`
-  Let Them Talk — Agent Bridge v3.4.2
+  Let Them Talk — Agent Bridge v3.4.4
   MCP message broker for inter-agent communication
   Supports: Claude Code, Gemini CLI, Codex CLI
 
@@ -23,11 +23,6 @@ function printUsage() {
     npx let-them-talk dashboard         Launch the web dashboard (http://localhost:3000)
     npx let-them-talk dashboard --lan   Launch dashboard accessible on LAN (phone/tablet)
     npx let-them-talk reset             Clear all conversation data
-    npx let-them-talk plugin list       List installed plugins
-    npx let-them-talk plugin add <file> Install a plugin from a .js file
-    npx let-them-talk plugin remove <n> Remove a plugin by name
-    npx let-them-talk plugin enable <n> Enable a plugin
-    npx let-them-talk plugin disable <n> Disable a plugin
     npx let-them-talk msg <agent> <text> Send a message to an agent
     npx let-them-talk status             Show active agents and message count
     npx let-them-talk help               Show this help message
@@ -70,7 +65,12 @@ function setupClaude(serverPath, cwd) {
     try {
       mcpConfig = JSON.parse(fs.readFileSync(mcpConfigPath, 'utf8'));
       if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {};
-    } catch {}
+    } catch {
+      // Backup corrupted file before overwriting
+      const backup = mcpConfigPath + '.backup';
+      fs.copyFileSync(mcpConfigPath, backup);
+      console.log('  [warn] Existing .mcp.json was invalid — backed up to .mcp.json.backup');
+    }
   }
 
   mcpConfig.mcpServers['agent-bridge'] = {
@@ -98,7 +98,11 @@ function setupGemini(serverPath, cwd) {
     try {
       settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
       if (!settings.mcpServers) settings.mcpServers = {};
-    } catch {}
+    } catch {
+      const backup = settingsPath + '.backup';
+      fs.copyFileSync(settingsPath, backup);
+      console.log('  [warn] Existing settings.json was invalid — backed up to settings.json.backup');
+    }
   }
 
   settings.mcpServers['agent-bridge'] = {
@@ -293,124 +297,6 @@ function showTemplate(templateName) {
   }
 }
 
-function pluginCmd() {
-  const subCmd = process.argv[3];
-  const dataDir = process.env.AGENT_BRIDGE_DATA_DIR || path.join(process.cwd(), '.agent-bridge');
-  const pluginsDir = path.join(dataDir, 'plugins');
-  const pluginsFile = path.join(dataDir, 'plugins.json');
-
-  function getRegistry() {
-    if (!fs.existsSync(pluginsFile)) return [];
-    try { return JSON.parse(fs.readFileSync(pluginsFile, 'utf8')); } catch { return []; }
-  }
-
-  function saveRegistry(reg) {
-    if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
-    fs.writeFileSync(pluginsFile, JSON.stringify(reg, null, 2));
-  }
-
-  switch (subCmd) {
-    case 'list': {
-      const plugins = getRegistry();
-      if (!plugins.length) {
-        console.log('  No plugins installed.');
-        console.log('  Install with: npx let-them-talk plugin add <file.js>');
-        return;
-      }
-      console.log('');
-      console.log('  Installed Plugins');
-      console.log('  =================');
-      for (const p of plugins) {
-        const status = p.enabled !== false ? 'enabled' : 'disabled';
-        console.log('  ' + p.name.padEnd(20) + ' ' + status.padEnd(10) + ' ' + (p.description || ''));
-      }
-      console.log('');
-      break;
-    }
-    case 'add': {
-      const filePath = process.argv[4];
-      if (!filePath) { console.error('  Usage: npx let-them-talk plugin add <file.js>'); process.exit(1); }
-      const absPath = path.resolve(filePath);
-      if (!fs.existsSync(absPath)) { console.error('  File not found: ' + absPath); process.exit(1); }
-
-      // Validate plugin structure without executing it (no require — prevents RCE on install)
-      try {
-        const src = fs.readFileSync(absPath, 'utf8');
-        if (!src.includes('module.exports') || !src.includes('name') || !src.includes('handler')) {
-          console.error('  Plugin must export name, description, and handler (module.exports = { name, handler })');
-          process.exit(1);
-        }
-
-        // Extract plugin name from source using regex (no eval)
-        const nameMatch = src.match(/name\s*:\s*['"]([^'"]+)['"]/);
-        const descMatch = src.match(/description\s*:\s*['"]([^'"]+)['"]/);
-        const pluginName = nameMatch ? nameMatch[1] : path.basename(absPath, '.js');
-        const pluginDesc = descMatch ? descMatch[1] : '';
-
-        if (!fs.existsSync(pluginsDir)) fs.mkdirSync(pluginsDir, { recursive: true });
-        const destFile = path.join(pluginsDir, path.basename(absPath));
-        fs.copyFileSync(absPath, destFile);
-
-        const reg = getRegistry();
-        if (!reg.find(p => p.name === pluginName)) {
-          reg.push({ name: pluginName, description: pluginDesc, file: path.basename(absPath), enabled: true, added_at: new Date().toISOString() });
-          saveRegistry(reg);
-        }
-        console.log('  Plugin "' + pluginName + '" installed successfully.');
-        console.log('  Restart CLI to load the new tool (runs sandboxed).');
-      } catch (e) {
-        console.error('  Failed to install plugin: ' + e.message);
-        process.exit(1);
-      }
-      break;
-    }
-    case 'remove': {
-      const name = process.argv[4];
-      if (!name) { console.error('  Usage: npx let-them-talk plugin remove <name>'); process.exit(1); }
-      const reg = getRegistry();
-      const plugin = reg.find(p => p.name === name);
-      if (!plugin) { console.error('  Plugin not found: ' + name); process.exit(1); }
-      const newReg = reg.filter(p => p.name !== name);
-      saveRegistry(newReg);
-      if (plugin.file) {
-        const pluginFile = path.resolve(pluginsDir, plugin.file);
-        // Prevent path traversal — only delete files inside pluginsDir
-        if (pluginFile.startsWith(path.resolve(pluginsDir) + path.sep) && fs.existsSync(pluginFile)) {
-          fs.unlinkSync(pluginFile);
-        }
-      }
-      console.log('  Plugin "' + name + '" removed.');
-      break;
-    }
-    case 'enable': {
-      const name = process.argv[4];
-      if (!name) { console.error('  Usage: npx let-them-talk plugin enable <name>'); process.exit(1); }
-      const reg = getRegistry();
-      const plugin = reg.find(p => p.name === name);
-      if (!plugin) { console.error('  Plugin not found: ' + name); process.exit(1); }
-      plugin.enabled = true;
-      saveRegistry(reg);
-      console.log('  Plugin "' + name + '" enabled.');
-      break;
-    }
-    case 'disable': {
-      const name = process.argv[4];
-      if (!name) { console.error('  Usage: npx let-them-talk plugin disable <name>'); process.exit(1); }
-      const reg = getRegistry();
-      const plugin = reg.find(p => p.name === name);
-      if (!plugin) { console.error('  Plugin not found: ' + name); process.exit(1); }
-      plugin.enabled = false;
-      saveRegistry(reg);
-      console.log('  Plugin "' + name + '" disabled.');
-      break;
-    }
-    default:
-      console.error('  Unknown plugin command: ' + (subCmd || ''));
-      console.error('  Available: list, add, remove, enable, disable');
-      process.exit(1);
-  }
-}
-
 function dashboard() {
   if (process.argv.includes('--lan')) {
     process.env.AGENT_BRIDGE_LAN = 'true';
@@ -532,7 +418,7 @@ switch (command) {
     break;
   case 'plugin':
   case 'plugins':
-    pluginCmd();
+    console.log('  Plugins have been removed in v3.4.3. CLI terminals have their own extension systems.');
     break;
   case 'help':
   case '--help':

package/dashboard.html

@@ -2572,65 +2572,7 @@
   }
 
   /* ===== v3.0: PLUGINS SECTION ===== */
-  .plugin-card {
-    background: var(--surface-2);
-    border: 1px solid var(--border);
-    border-radius: 6px;
-    padding: 8px 10px;
-    margin-bottom: 4px;
-    display: flex;
-    align-items: center;
-    justify-content: space-between;
-  }
-
-  .plugin-info {
-    flex: 1;
-    min-width: 0;
-  }
-
-  .plugin-name {
-    font-size: 12px;
-    font-weight: 600;
-  }
-
-  .plugin-desc {
-    font-size: 10px;
-    color: var(--text-muted);
-  }
-
-  .plugin-toggle {
-    background: var(--surface-3);
-    border: 1px solid var(--border);
-    border-radius: 10px;
-    width: 36px;
-    height: 20px;
-    cursor: pointer;
-    position: relative;
-    transition: all 0.2s;
-    flex-shrink: 0;
-  }
-
-  .plugin-toggle.on {
-    background: var(--green-dim);
-    border-color: var(--green);
-  }
-
-  .plugin-toggle::after {
-    content: '';
-    position: absolute;
-    width: 14px;
-    height: 14px;
-    border-radius: 50%;
-    background: var(--text-dim);
-    top: 2px;
-    left: 2px;
-    transition: all 0.2s;
-  }
-
-  .plugin-toggle.on::after {
-    left: 18px;
-    background: var(--green);
-  }
+  /* Plugins removed in v3.4.3 */
 
   /* ===== v3.0: AVATAR PICKER ===== */
   .avatar-option {
@@ -2758,12 +2700,6 @@
         <div id="activity-heatmap"></div>
       </div>
 
-      <!-- Plugins Section -->
-      <div class="sidebar-section">
-        <div class="sidebar-title"><span>Plugins</span></div>
-        <div id="plugins-list"></div>
-      </div>
-
       <!-- Bookmarks Section -->
       <div class="sidebar-section">
         <div class="sidebar-title">
@@ -2842,7 +2778,7 @@
   </div>
 </div>
 <div class="app-footer">
-  <span>Let Them Talk v3.4.2</span>
+  <span>Let Them Talk v3.4.4</span>
 </div>
 <div class="profile-popup" id="profile-popup" onclick="event.stopPropagation()">
   <div class="profile-popup-header">
@@ -4750,44 +4686,6 @@ function switchBranch(name) {
   poll();
 }
 
-// ==================== v3.0: PLUGINS ====================
-
-function fetchPlugins() {
-  var pq = projectParam();
-  lttFetch('/api/plugins' + pq).then(function(r) { return r.json(); }).then(function(data) {
-    renderPlugins(Array.isArray(data) ? data : []);
-  }).catch(function() {});
-}
-
-function renderPlugins(plugins) {
-  var el = document.getElementById('plugins-list');
-  if (!plugins.length) {
-    el.innerHTML = '<div style="color:var(--text-muted);font-size:12px;padding:4px;">No plugins installed</div>';
-    return;
-  }
-  var html = '';
-  for (var i = 0; i < plugins.length; i++) {
-    var p = plugins[i];
-    var onClass = p.enabled !== false ? ' on' : '';
-    html += '<div class="plugin-card">' +
-      '<div class="plugin-info">' +
-        '<div class="plugin-name">' + escapeHtml(p.name) + '</div>' +
-        '<div class="plugin-desc">' + escapeHtml(p.description || '') + '</div>' +
-      '</div>' +
-      '<div class="plugin-toggle' + onClass + '" onclick="togglePlugin(\'' + escapeHtml(p.name) + '\')"></div>' +
-    '</div>';
-  }
-  el.innerHTML = html;
-}
-
-function togglePlugin(name) {
-  lttFetch('/api/plugins' + projectParam(), {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ action: 'toggle', name: name })
-  }).then(function() { fetchPlugins(); }).catch(function() {});
-}
-
 // ==================== POLLING ====================
 
 function poll() {
@@ -4839,7 +4737,6 @@ function poll() {
     renderBookmarksSidebar();
     fetchActivity();
     fetchBranches();
-    fetchPlugins();
     updateTypingIndicator(cachedAgents);
     if (activeView === 'tasks') fetchTasks();
     if (activeView === 'workspaces') fetchWorkspaces();

package/dashboard.js

@@ -328,7 +328,7 @@ function apiStats(query) {
 function apiReset(query) {
   const projectPath = query.get('project') || null;
   const dataDir = resolveDataDir(projectPath);
-  const fixedFiles = ['messages.jsonl', 'history.jsonl', 'agents.json', 'acks.json', 'tasks.json', 'profiles.json', 'workflows.json', 'branches.json', 'plugins.json', 'read_receipts.json', 'permissions.json'];
+  const fixedFiles = ['messages.jsonl', 'history.jsonl', 'agents.json', 'acks.json', 'tasks.json', 'profiles.json', 'workflows.json', 'branches.json', 'read_receipts.json', 'permissions.json'];
   for (const f of fixedFiles) {
     const p = path.join(dataDir, f);
     if (fs.existsSync(p)) fs.unlinkSync(p);
@@ -412,15 +412,7 @@ function apiAddProject(body) {
   const absPath = path.resolve(body.path);
   if (!fs.existsSync(absPath)) return { error: `Path does not exist: ${absPath}` };
 
-  // Restrict to paths under cwd or paths that look like project directories
-  const cwd = path.resolve(process.cwd());
-  if (!absPath.startsWith(cwd + path.sep) && absPath !== cwd) {
-    const hasProject = fs.existsSync(path.join(absPath, 'package.json')) ||
-                       fs.existsSync(path.join(absPath, '.git'));
-    if (!hasProject) {
-      return { error: 'Path must be a project directory (with package.json or .git)' };
-    }
-  }
+  // Any existing directory can be added as a project — user explicitly chose it
 
   const projects = getProjects();
   const name = body.name || path.basename(absPath);
@@ -1300,27 +1292,6 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(branches));
     }
-    else if (url.pathname === '/api/plugins' && req.method === 'GET') {
-      const projectPath = url.searchParams.get('project') || null;
-      const pluginsFile = filePath('plugins.json', projectPath);
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(fs.existsSync(pluginsFile) ? JSON.parse(fs.readFileSync(pluginsFile, 'utf8')) : []));
-    }
-    else if (url.pathname === '/api/plugins' && req.method === 'POST') {
-      const body = await parseBody(req);
-      const projectPath = url.searchParams.get('project') || null;
-      const pluginsFile = filePath('plugins.json', projectPath);
-      let plugins = [];
-      if (fs.existsSync(pluginsFile)) try { plugins = JSON.parse(fs.readFileSync(pluginsFile, 'utf8')); } catch {}
-      if (body.action === 'toggle' && body.name) {
-        const p = plugins.find(x => x.name === body.name);
-        if (!p) { res.writeHead(404, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Plugin not found' })); return; }
-        p.enabled = !p.enabled;
-        fs.writeFileSync(pluginsFile, JSON.stringify(plugins, null, 2));
-      }
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ success: true }));
-    }
     else if (url.pathname === '/api/projects' && req.method === 'DELETE') {
       const body = await parseBody(req);
       const result = apiRemoveProject(body);
@@ -1501,7 +1472,7 @@ server.listen(PORT, LAN_MODE ? '0.0.0.0' : '127.0.0.1', () => {
   const dataDir = resolveDataDir();
   const lanIP = getLanIP();
   console.log('');
-  console.log('  Let Them Talk - Agent Bridge Dashboard v3.4.2');
+  console.log('  Let Them Talk - Agent Bridge Dashboard v3.4.4');
   console.log('  ============================================');
   console.log('  Dashboard:  http://localhost:' + PORT);
   if (LAN_MODE && lanIP) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "let-them-talk",
-  "version": "3.4.2",
+  "version": "3.4.4",
   "description": "MCP message broker + web dashboard for inter-agent communication. Let AI CLI agents talk to each other.",
   "main": "server.js",
   "bin": {

package/server.js

@@ -18,8 +18,7 @@ const PROFILES_FILE = path.join(DATA_DIR, 'profiles.json');
 const WORKFLOWS_FILE = path.join(DATA_DIR, 'workflows.json');
 const WORKSPACES_DIR = path.join(DATA_DIR, 'workspaces');
 const BRANCHES_FILE = path.join(DATA_DIR, 'branches.json');
-const PLUGINS_FILE = path.join(DATA_DIR, 'plugins.json');
-const PLUGINS_DIR = path.join(DATA_DIR, 'plugins');
+// Plugins removed in v3.4.3 — unnecessary attack surface, CLIs have their own extension systems
 
 // In-memory state for this process
 let registeredName = null;
@@ -418,17 +417,6 @@ function getHistoryFile(branch) {
   return path.join(DATA_DIR, `branch-${sanitizeName(branch)}-history.jsonl`);
 }
 
-// --- Plugin helpers ---
-
-function getPluginRegistry() {
-  if (!fs.existsSync(PLUGINS_FILE)) return [];
-  try { return JSON.parse(fs.readFileSync(PLUGINS_FILE, 'utf8')); } catch { return []; }
-}
-
-function savePluginRegistry(plugins) {
-  fs.writeFileSync(PLUGINS_FILE, JSON.stringify(plugins, null, 2));
-}
-
 // --- Tool implementations ---
 
 function toolRegister(name, provider = null) {
@@ -1181,8 +1169,8 @@ function toolReset() {
       }
     }
   }
-  // Remove profiles, workflows, branches, plugins, permissions, read receipts
-  for (const f of [PROFILES_FILE, WORKFLOWS_FILE, BRANCHES_FILE, PLUGINS_FILE, PERMISSIONS_FILE, READ_RECEIPTS_FILE]) {
+  // Remove profiles, workflows, branches, permissions, read receipts
+  for (const f of [PROFILES_FILE, WORKFLOWS_FILE, BRANCHES_FILE, PERMISSIONS_FILE, READ_RECEIPTS_FILE]) {
     if (fs.existsSync(f)) fs.unlinkSync(f);
   }
   // Remove workspaces dir
@@ -1492,16 +1480,11 @@ function toolListBranches() {
 // --- MCP Server setup ---
 
 const server = new Server(
-  { name: 'agent-bridge', version: '3.0.0' },
+  { name: 'agent-bridge', version: '3.4.4' },
   { capabilities: { tools: {} } }
 );
 
 server.setRequestHandler(ListToolsRequestSchema, async () => {
-  const pluginTools = loadedPlugins.map(p => ({
-    name: 'plugin_' + p.name,
-    description: '[Plugin] ' + p.description,
-    inputSchema: p.inputSchema,
-  }));
   return {
     tools: [
       {
@@ -1875,7 +1858,6 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
           properties: {},
         },
       },
-      ...pluginTools,
     ],
   };
 });
@@ -1969,12 +1951,6 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         result = toolListBranches();
         break;
       default:
-        // Check if it's a plugin tool
-        if (name.startsWith('plugin_')) {
-          const pluginName = name.substring(7);
-          result = await executePlugin(pluginName, args);
-          break;
-        }
         return {
           content: [{ type: 'text', text: `Unknown tool: ${name}` }],
           isError: true,
@@ -2014,90 +1990,11 @@ process.on('exit', () => {
 process.on('SIGTERM', () => process.exit(0));
 process.on('SIGINT', () => process.exit(0));
 
-// --- Phase 5: Plugin system ---
-
-let loadedPlugins = []; // { name, description, inputSchema, handler }
-
-function loadPlugins() {
-  loadedPlugins = [];
-  if (!fs.existsSync(PLUGINS_DIR)) return;
-  const registry = getPluginRegistry();
-  const enabledNames = new Set(registry.filter(p => p.enabled !== false).map(p => p.name));
-
-  try {
-    const vm = require('vm');
-    const files = fs.readdirSync(PLUGINS_DIR).filter(f => f.endsWith('.js'));
-    for (const file of files) {
-      try {
-        const pluginPath = path.join(PLUGINS_DIR, file);
-        const code = fs.readFileSync(pluginPath, 'utf8');
-        // Run plugin in a sandboxed VM context — no require, no process, no child_process
-        const sandbox = { module: { exports: {} }, exports: {}, console: { log: () => {}, error: () => {}, warn: () => {} } };
-        vm.runInNewContext(code, sandbox, { filename: file, timeout: 5000 });
-        const plugin = sandbox.module.exports;
-        if (!plugin.name || !plugin.description || !plugin.handler) {
-          console.error(`Plugin ${file}: missing name, description, or handler`);
-          continue;
-        }
-        if (!enabledNames.has(plugin.name) && enabledNames.size > 0) continue;
-        loadedPlugins.push({
-          name: plugin.name,
-          description: plugin.description,
-          inputSchema: plugin.inputSchema || { type: 'object', properties: {} },
-          handler: plugin.handler,
-        });
-        console.error(`Plugin loaded: ${plugin.name} (sandboxed)`);
-      } catch (e) {
-        console.error(`Plugin ${file} failed to load: ${e.message}`);
-      }
-    }
-  } catch {}
-}
-
-function executePlugin(pluginName, args) {
-  const plugin = loadedPlugins.find(p => p.name === pluginName);
-  if (!plugin) return { error: `Plugin "${pluginName}" not found` };
-
-  const context = {
-    registeredName,
-    sendMessage: (to, content) => toolSendMessage(content, to),
-    getAgents: () => toolListAgents().agents,
-    getHistory: (limit) => toolGetHistory(limit),
-    readFile: (filePath) => {
-      const resolved = path.resolve(filePath);
-      const allowedRoot = path.resolve(process.cwd());
-      let realPath;
-      try { realPath = fs.realpathSync(resolved); } catch { throw new Error('File not found'); }
-      if (!realPath.startsWith(allowedRoot + path.sep) && realPath !== allowedRoot) {
-        throw new Error('File path must be within the project directory');
-      }
-      return fs.readFileSync(realPath, 'utf8');
-    },
-  };
-
-  return new Promise((resolve) => {
-    const timeout = setTimeout(() => resolve({ error: 'Plugin execution timed out (30s)' }), 30000);
-    try {
-      const result = plugin.handler(args, context);
-      if (result && typeof result.then === 'function') {
-        result.then(r => { clearTimeout(timeout); resolve(r); }).catch(e => { clearTimeout(timeout); resolve({ error: e.message }); });
-      } else {
-        clearTimeout(timeout);
-        resolve(result);
-      }
-    } catch (e) {
-      clearTimeout(timeout);
-      resolve({ error: e.message });
-    }
-  });
-}
-
 async function main() {
   ensureDataDir();
-  loadPlugins();
   const transport = new StdioServerTransport();
   await server.connect(transport);
-  console.error('Agent Bridge MCP server v3.4.2 running (' + (27 + loadedPlugins.length) + ' tools)');
+  console.error('Agent Bridge MCP server v3.4.4 running (27 tools)');
 }
 
 main().catch(console.error);