minecraft-server/docs/PLUGIN_ALTERNATIVES.md

Plugin alternatives — FOSS-alignment audit

Goal: for every plugin, evaluate against the vision (FOSS, privacy-first, no telemetry, no Microsoft-account dependency, active maintenance, GH-source-of-truth, attribution-respecting). Identify swaps where a more aligned alternative exists.

Scoring axes:

• L — License (GPL/MIT/Apache > LGPL > custom-FOSS > closed)
• S — Source visibility (GH > Hangar > Modrinth-only > Spigot-only > closed)
• T — Telemetry (none > opt-in > opt-out > forced)
• M — Maintenance (active commits in last 90 days > stale > archived > dead)
• D — Dependency footprint (no native, no proprietary deps > requires ProtocolLib/Vault > requires premium)

1. LuckPerms (perms)

Field	Value
Current	LuckPerms by Luck (lucko)
License	MIT
Source	https://github.com/LuckPerms/LuckPerms
Vision fit	Excellent — author is FOSS-native, MIT, GH-primary, no telemetry

Alternatives:

• PermissionsEx — abandoned, security holes
• GroupManager (Essentials) — bundled, weaker
• GoPerms — newer, less battle-tested

Verdict: Keep. Industry standard, perfect alignment.

---

2. PlaceholderAPI (placeholder framework)

Field	Value
Current	PlaceholderAPI by HelpChat / extended-clip
License	GPL-3.0
Source	https://github.com/PlaceholderAPI/PlaceholderAPI
Vision fit	Excellent — GPL, GH, ubiquitous

Alternatives:

• MVdWPlaceholderAPI — defunct, premium
• MiniPlaceholders — Adventure-native, modern, MIT, https://github.com/MiniPlaceholders/MiniPlaceholders

Verdict: Keep PlaceholderAPI for now, evaluate MiniPlaceholders as a future swap if our other plugins start using Adventure components — it's lighter and avoids legacy color codes.

---

3. EssentialsX (utility kitchen sink)

Field	Value
Current	EssentialsX
License	GPL-3.0
Source	https://github.com/EssentialsX/Essentials
Vision fit	Strong — GPL, GH, but huge surface area, slow to adopt new APIs

Alternatives:

• CMI — paid, closed → reject
• Nova Essentials — newer, modular, MIT-ish, https://github.com/NovaEssentials
• EssentialsK — fork w/ Kotlin/modern paper API, https://github.com/Essentials-K/EssentialsK
• Modular replacements (one plugin per feature):
  • Homes/teleport: HuskHomes (https://github.com/WiIIiam278/HuskHomes) — MIT, modern, cross-server
  • Warps: HuskHomes covers it
  • Kits: dedicated KitMaster, or stay with EssentialsX
  • Economy: TNE, ElementalEcon (FOSS)
  • Chat: VentureChat (https://github.com/VentureCommunications/VentureChat) — GPL

Verdict: Keep EssentialsX short-term. Long-term: split by domain — HuskHomes for teleport (better UX), keep EssentialsX for the rest until evaluated. Document as Phase 4 in ROADMAP.

---

4. WorldEdit (world editing)

Field	Value
Current	WorldEdit by EngineHub
License	GPL-3.0
Source	https://github.com/EngineHub/WorldEdit
Vision fit	Excellent — GPL, GH, gold standard

Alternatives:

• FastAsyncWorldEdit (FAWE) — fork w/ async perf, LGPL, https://github.com/IntellectualSites/FastAsyncWorldEdit — drop-in replacement, faster
• VoxelSniper — different use case (terrain sculpting)

Verdict: Swap to FAWE. Same API, much faster, FOSS, actively maintained. Bonus: handles big edits without freezing the server.

---

5. Simple Voice Chat (voice)

Field	Value
Current	Simple Voice Chat by henkelmax
License	LGPL-3.0
Source	https://github.com/henkelmax/simple-voice-chat
Vision fit	Excellent — LGPL, GH, no telemetry, self-hosted

Alternatives:

• Plasmo Voice — separate ecosystem, mod-side requirement, less plugin-friendly
• Mumble integration — heavy, breaks one-click goal

Verdict: Keep. Best-in-class for our use case.

---

6. MiniMOTD (server-list MOTD)

Field	Value
Current	MiniMOTD by jpenilla
License	MIT
Source	https://github.com/jpenilla/MiniMOTD
Vision fit	Excellent — MIT, GH

Alternatives:

• ServerListPlus — older, more features, GPL
• Native paper-api MOTD — code yourself, no plugin

Verdict: Keep. Lightweight, modern, no reason to swap.

---

7. SkinsRestorer (offline-mode skins)

Field	Value
Current	SkinsRestorer
License	GPL-3.0
Source	https://github.com/SkinsRestorer/SkinsRestorer
Vision fit	Strong — GPL, GH, but proxies skin lookup through Mojang API by default

Concern: "Microsoft-free" goal vs. Mojang skin API. Workaround: SkinsRestorer supports custom skin URLs / MineSkin alternative.

Alternatives:

• MineSkin (https://api.mineskin.org) — community skin server, can be self-hosted
• NameMC mirror APIs — third-party
• Self-hosted skin server — most aligned, requires setup

Verdict: Keep SkinsRestorer. Phase 2 follow-up: configure to point at self-hosted skin server (or MineSkin) to fully cut Mojang dependency. Document in docs/SKIN_HOSTING.md (TBD).

---

8. CoreProtect / CoreProtect-CE (logging / rollback)

Field	Value
Current	CoreProtect-CE 23.1 (community fork)
License	Source-available, "all rights reserved" — readable but not OSI-FOSS
Source	https://github.com/PlayPro/CoreProtect (orig), https://github.com/Intelli/CoreProtect (CE fork)
Vision fit	Mixed — license isn't OSI-FOSS, but operationally is the most reliable rollback plugin in the ecosystem

Operator priority (explicit): solid logs from day one, easy per-player rollback matters more than license purity for this specific plugin.

Comparison vs Prism (the FOSS alternative):

Feature	CoreProtect-CE	Prism
Per-player rollback (/co rollback u:Foo t:7d r:50)	rock solid, 13+ years tuned	supported, less battle-tested
Inspector tool (/co i → click block)	gold standard UX	works, less polished
Sign/container/entity restoration	clean, robust	edge-case bugs reported
At-scale performance (100+ players)	proven	less proven
Rollback safety on huge edits	proven	newer codebase
API surface for other plugins	wide ecosystem support	smaller ecosystem
License	source-available, "all rights reserved"	MIT
Source readable	yes (GH public)	yes (GH public)
Active dev	yes (CE fork: Intelli)	yes (Prism v3+)

Why this is the principled exception:

• License is source-available (readable + auditable + forkable in practice), not OSI-FOSS (no explicit redistribution grant).
• Operational reliability for player protection outweighs license purity for this one plugin.
• Server's trust model depends on rollback being airtight; Prism's gotchas (sign/container restoration edge cases) would mean failed grief reports.
• CoreProtect's inspector tool UX is so dominant that swapping costs admin productivity.

Verdict: Keep CoreProtect-CE. Document this as the one acknowledged license exception in MISSION.md. Revisit when Prism reaches feature parity on signs/containers/entity rollback at scale.

Alternatives evaluated:

• Prism v3+ — MIT, modern, active. Strong on paper, gaps in field-tested rollback edge cases. Reconsider in 12-18 months.
• LogBlock — abandoned, drop.
• CoreProtect 22.x — earlier Apache-2.0 version; outdated, missing features.

---

9. GrimAC (anti-cheat)

Field	Value
Current	GrimAC by MWHunter
License	GPL-3.0
Source	https://github.com/GrimAnticheat/Grim
Vision fit	Excellent — GPL, GH, no telemetry, transparent detection logic

Alternatives:

• Vulcan — paid, closed → reject
• Matrix — paid → reject
• NoCheatPlus — abandoned upstream, reincarnated as CMI-NCP, free but old
• Spartan AC — paid, closed → reject

Verdict: Keep. GrimAC is the only FOSS anti-cheat that matters in 2026.

---

10. spark (profiler)

Field	Value
Current	spark by Luck (lucko)
License	GPL-3.0
Source	https://github.com/lucko/spark
Vision fit	Excellent — GPL, GH, no telemetry beyond opt-in heap-share

Alternatives:

• Timings — Paper built-in, deprecated upstream
• Pufferfish profiler — server-fork-specific

Verdict: Keep. Only credible profiler.

---

11. DiscordSRV (Discord bridge)

Field	Value
Current	DiscordSRV by Scarsz
License	GPL-3.0
Source	https://github.com/DiscordSRV/DiscordSRV
Vision fit	Mixed — DiscordSRV itself is GPL/FOSS, but Discord is the opposite of our values (proprietary, closed, telemetry-heavy, Microsoft-adjacent via MS GitHub stack). Bridges player chat to a closed platform.

Alternatives:

• MatrixSRV / matrix-bridge — bridge to Matrix instead of/alongside Discord
• Telegraph — Telegram bridge
• RevoltSRV — bridge to Revolt (FOSS Discord-alike), https://github.com/Frosty-The-Dev/RevoltSRV
• Custom Matrix bridge — write your own to existing Tuwunel homeserver (memory: txt.s8n.ru is yours)

Verdict: Keep DiscordSRV for player reach, but add a Matrix bridge as the primary FOSS-aligned channel. Discord is where players are; Matrix is where principles are. Operate both. You already run a Tuwunel homeserver (txt.s8n.ru) — natural home for the FOSS-aligned bridge. Action: deploy mc-matrix-bridge alongside.

---

12. LandClaimPlugin (claims) — recently swapped from Lands

Field	Value
Current	LandClaimPlugin (Modrinth)
License	TBD (verify on Modrinth + GH)
Source	https://modrinth.com/plugin/landclaimplugin
Vision fit	Strong if FOSS confirmed, Verify before celebrating

Alternatives:

• GriefPrevention (https://github.com/GriefPrevention/GriefPrevention) — MIT, GH, oldest + most battle-tested FOSS claim plugin
• GriefDefender — fork, GPL, modern
• RedProtect — GPL, mature, https://github.com/FabioZumbi12/RedProtect
• PlotSquared — for plot-style worlds, different use case

Operator decision (confirmed): Keep LandClaimPlugin. Rationale:

• Chunk-based claims = vanilla-feel. Players see chunk borders via F3+G (built-in vanilla) — no client mod, no resource pack, no extra UI required to know where claims are.
• GriefPrevention's free-form rectangle claims feel less native and require a separate visualization tool/plugin for boundary display.
• Keeping vanilla-aligned mechanics is mission-aligned: minimum surface area, maximum native feel.

Outstanding TODO: verify LandClaimPlugin's license. If proprietary, fork or replace with another chunk-based FOSS claim plugin (chunk-claim plugins exist on Modrinth, e.g. chunkclaim, simplechunkclaim).

Alternatives kept on file as fallback:

• GriefPrevention — free-form, FOSS, but loses the chunk-feel.
• ChunkClaim — chunk-based, FOSS-likely; fallback if LCP license fails.

---

13. TAB (tablist / scoreboard / nametags)

Field	Value
Current	TAB by NEZNAMY
License	verify — listed on GH but check
Source	https://github.com/NEZNAMY/TAB
Vision fit	Strong — GH-primary, no telemetry, free

Alternatives:

• FeatherBoard — paid, closed → reject
• AnimatedTabs / TabPrefix — feature subset only
• MyScoreboard — scoreboard only

Verdict: Keep. Best feature/license tradeoff.

---

14. ProtocolLib (protocol library)

Field	Value
Current	ProtocolLib by dmulloy2 + contributors
License	GPL-2.0
Source	https://github.com/dmulloy2/ProtocolLib
Vision fit	Strong — GPL, GH, but heavy; many plugins demand it

Alternatives:

• PacketEvents (https://github.com/retrooper/packetevents) — GPL-3.0, more modern, faster, used by GrimAC
• Native Paper packet API — limited but growing

Verdict: Evaluate dropping ProtocolLib in favor of PacketEvents. GrimAC already uses PacketEvents. If we can find PacketEvents-based forks of plugins currently demanding ProtocolLib, we shrink the dep tree. Phase 4 task.

---

15. Vault (economy/perms abstraction)

Field	Value
Current	Vault by MilkBowl
License	LGPL-3.0
Source	https://github.com/MilkBowl/Vault
Vision fit	Strong — LGPL, GH, but old (2016 era API)

Alternatives:

• VaultUnlocked (https://github.com/CraftYourMind/VaultUnlocked) — modern fork, more features
• Treasury — GPL-3.0, modern econ-only API, https://github.com/lokka30/Treasury

Verdict: Swap to VaultUnlocked. Fork with same API surface but modernized. Treasury alone won't cover non-econ plugins demanding Vault.

---

16. LoginSecurity (offline-mode auth)

Field	Value
Current	LoginSecurity 3.3.1 (lenis0012 archived; Sytm fork)
License	GPL-3.0
Source	original archived; forks unclear
Vision fit	Weak — upstream dead, fork unclear, security-critical

Critical feature requirement (from operator): plugin must teleport unauthenticated players to spawn during login. Reason: prevents base-coord leaks via screenshot/glance/screen-share by anyone who joins w/ a stolen username before typing /login. This is non-negotiable for cracked-server gameplay safety.

Alternatives evaluated against this requirement:

Plugin	Teleports unauth → spawn?	License	Active	Notes
AuthMe Reloaded	Yes — teleportUnAuthedToSpawn: true config option	GPL-3.0	active	https://github.com/AuthMe/AuthMeReloaded
FastLogin	No (premium-passthrough flow)	LGPL-3.0	active	Different use case
xAuth	Yes (old impl)	abandoned	dead	reject
nLogin	Yes	closed	n/a	reject
LibreLogin	Yes (proxy-side)	GPL-3.0	active	https://github.com/kyngs/LibreLogin — Velocity/BungeeCord focused; may be overkill for single-server but FOSS-aligned

AuthMe-specific config to match LoginSecurity behavior:

# config.yml
restrictions:
  teleportUnAuthedToSpawn: true       # the critical feature
  ProtectInventoryBeforeLogIn: true   # extra safety
  allowMovement: false                # block all movement until /login
  noTeleport: true                    # block /tp until authed
  timeout: 60                          # kick after 60s of no /login

Verdict: Swap to AuthMe Reloaded. Same critical feature, active maintenance, FOSS, security-audited. LoginSecurity is end-of-life and forks are murky. High priority because this is auth + base-coord protection.

---

17. ComfyWhitelist (whitelist)

Field	Value
Current	ComfyWhitelist by etil2jz
License	TBD — verify
Source	TBD — likely Hangar/GH
Vision fit	Conditional Keep if license verifies as FOSS

Critical feature requirement (from operator): plugin must apply whitelist changes without server restart or /reload, and must work on cracked/offline-mode servers without Mojang API lookups.

Why native /whitelist is insufficient on this server:

Vanilla /whitelist add <name> on an offline-mode server:

1. Tries to look up the player's UUID via Mojang API.
2. If Mojang lookup fails (network blip, Mojang down, player has no premium account): server may store wrong UUID, no UUID, or refuse to add.
3. Cracked players have offline-derived UUIDs (OfflinePlayer:<name> hash), which don't match Mojang's online UUID. Whitelist comparison fails on join.
4. Some Paper/Purpur configs require restart to fully apply whitelist changes when UUID lookup is involved.

ComfyWhitelist (and similar name-based whitelist plugins) sidestep all of the above:

• Whitelist by name string, not UUID.
• No Mojang API calls — fully local, fully offline-safe.
• Changes apply instantly, no restart, no /reload.
• Aligns w/ "Microsoft-free" mission (no Mojang dependency for whitelist auth).

Alternatives that also satisfy these constraints:

Plugin	Name-based?	No Mojang call?	Hot-reload?	License	Source
ComfyWhitelist	yes	yes	yes	TBD	TBD
Native /whitelist	no (UUID)	no	partial	n/a	n/a
AdvancedWhitelist	varies	varies	yes	GPL	Hangar
Whitelist (by mxstr)	yes	yes	yes	MIT	https://github.com/mxstr/Whitelist
Custom 50-line plugin	yes	yes	yes	MIT	self-host

Verdict: Keep ComfyWhitelist — features (name-based + hot-reload + offline-safe) are mission-critical. TODO: verify ComfyWhitelist license is FOSS. If proprietary or unclear → swap to a confirmed-FOSS name-based whitelist plugin (like the mxstr one) preserving all three features.

Note for documentation: add to docs/plugins/comfywhitelist.md an explicit "why we use this over native" rationale so future maintainers don't drop it.

---

18. MarriageMaster (social)

Field	Value
Current	MarriageMaster by DerFlash
License	TBD (likely Spigot resource license)
Source	https://www.spigotmc.org/resources/marriagemaster.19273/ — Spigot only
Vision fit	Weak — Spigot-only acquisition, no GH presence found, license unclear

Alternatives:

• SimpleMarriage (FOSS, less feature) — find GPL alternative
• Ditch entirely — niche feature, low priority

Verdict: Audit: is this feature widely used by your players? If yes, find a GPL alternative or fork DerFlash's plugin under FOSS license (if license permits). If no, drop.

---

19. PhantomSMP (phantom rebalance)

Field	Value
Current	PhantomSMP by Lielay9
License	TBD (Spigot resource)
Source	Spigot only
Vision fit	Weak

Alternatives:

• PhantomLight — alternative Spigot resource, license TBD
• Native Paper config — paper-world-defaults.yml has phantom-spawn knobs
• DataPack — vanilla solution, no plugin needed

Verdict: Replace with native Paper config + datapack. Removes plugin dep entirely. Your players won't notice the difference if tuned well.

---

20. HelpCommand (custom /help)

Field	Value
Current	HelpCommand by Slimerblue22
License	TBD
Source	Spigot only
Vision fit	Weak — easy to drop

Alternatives:

• Native Bukkit /help — built-in
• HelpCMD — alternative
• commands.yml — Bukkit's built-in alias system covers most use cases

Verdict: Drop. Use native /help + customize via commands.yml (already in repo).

---

21. ProAntiTab (tab-completion filter)

Field	Value
Current	ProAntiTab by RayzsYT
License	GPL-2.0-or-later (verified via Modrinth 2026-04-27)
Source	https://github.com/RayzsYT/ProAntiTab
Modrinth	https://modrinth.com/plugin/proantitab
Vision fit	Excellent — GPL, GH-primary, free, supports Paper/Purpur/Velocity/Folia

Earlier note corrected: Initially flagged as "likely premium BoomEaro" — that was wrong. Real author is RayzsYT, plugin is FOSS, free, well-maintained.

Features that justify keeping:

• Hide commands from tab-complete based on permission
• Block plugin-detection hacks (spoofing, namespace probing)
• Custom F3 server brand (cosmetic, no info leak)
• Whitelist/blacklist command modes
• Sub-argument blocking (granular command visibility)
• PlaceholderAPI integration, MiniMessage formatting
• Group-based permission system

Verdict: Keep ProAntiTab. No swap needed. Aligned with mission, GPL FOSS, GH source-of-truth, free.

---

Already removed (vision-aligned)

Plugin	Reason	Replacement
Lands	Paid, closed-ish	LandClaimPlugin (verify FOSS)
LitePlaytimeRewards	Dead upstream	TBD or drop
CosmicGuard	Premium continuous	GrimAC covers anti-cheat

---

Summary table

#	Plugin	Status	Action
1	LuckPerms	Keep	—
2	PlaceholderAPI	Keep	Evaluate MiniPlaceholders Phase 4
3	EssentialsX	Keep	Long-term: split into modular FOSS (HuskHomes etc)
4	WorldEdit	Swap → FAWE	High pri (perf + still GPL)
5	Simple Voice Chat	Keep	—
6	MiniMOTD	Keep	—
7	SkinsRestorer	Keep	Phase 2: self-hosted skin server
8	CoreProtect-CE	Keep (acknowledged license exception)	Reliability > purity per operator decision
9	GrimAC	Keep	—
10	spark	Keep	—
11	DiscordSRV	Keep + add Matrix bridge	High pri (FOSS comm channel)
12	LandClaimPlugin	Verify license, possibly swap → GriefPrevention	High pri
13	TAB	Keep (verify license)	Med pri verify
14	ProtocolLib	Keep, evaluate PacketEvents-only future	Phase 4
15	Vault	Swap → VaultUnlocked	Med pri
16	LoginSecurity	Swap → AuthMe Reloaded	High pri (auth)
17	ComfyWhitelist	Drop → native /whitelist	Low pri
18	MarriageMaster	Audit usage, drop or replace	Low pri
19	PhantomSMP	Drop → native config + datapack	Low pri
20	HelpCommand	Drop → native /help	Low pri
21	ProAntiTab	Keep (GPL-2.0-or-later, FOSS, free, GH)	—

High-priority swap order (proposed)

1. LoginSecurity → AuthMe Reloaded — security-critical, dead upstream
2. Verify ProAntiTab + LandClaimPlugin licenses — drop/swap if non-FOSS
3. WorldEdit → FAWE — perf win, drop-in
4. Vault → VaultUnlocked — modernization
5. Add Matrix bridge for chat — uses existing Tuwunel homeserver
6. CoreProtect-CE → Prism — license cleanup (do after world stable, harder migration)
7. Drop ComfyWhitelist, HelpCommand, PhantomSMP — consolidate to native
8. Phase 4 deep refactor: EssentialsX split, ProtocolLib evaluation, MiniPlaceholders eval

Each swap = a PR + a docs/migrations/<from>-to-<to>.md doc.