Refactor Email Summarizer plugin configuration for improved clarity and security

- Removed outdated migration instructions from `plugin-configuration.md` to streamline documentation.
- Enhanced `README.md` to clearly outline the three-file separation for plugin configuration, emphasizing the roles of `.env`, `config.yml`, and `plugins.yml`.
- Updated `setup.py` to reflect changes in orchestration settings, ensuring only relevant configurations are included in `config/plugins.yml`.
- Improved security messaging to highlight the importance of not committing secrets to version control.

Author: AnkushMalaker

backends/advanced/Docs/plugin-configuration.md

@@ -239,44 +239,6 @@ class MyPlugin(BasePlugin):
 
 ✅ **Unified interface**: All plugins loaded with same pattern via `load_plugin_config()`
 
-## Migration from Old System
-
-If you have existing plugins using the old configuration system:
-
-**Old way** (everything in `config/plugins.yml`):
-```yaml
-plugins:
-  email_summarizer:
-    enabled: true
-    events: [...]
-    subject_prefix: "Summary"          # ❌ Config mixed with orchestration
-    smtp_host: smtp.gmail.com          # ❌ Non-secret in wrong place
-    smtp_password: app-password        # ❌ SECRET IN VERSION CONTROL!
-```
-
-**New way** (properly separated):
-
-1. **Orchestration** in `config/plugins.yml`:
-   ```yaml
-   plugins:
-     email_summarizer:
-       enabled: true
-       events: [conversation.complete]
-   ```
-
-2. **Settings** in `plugins/email_summarizer/config.yml`:
-   ```yaml
-   subject_prefix: "Summary"
-   smtp_host: ${SMTP_HOST}
-   smtp_password: ${SMTP_PASSWORD}
-   ```
-
-3. **Secrets** in `.env`:
-   ```bash
-   SMTP_HOST=smtp.gmail.com
-   SMTP_PASSWORD=app-password
-   ```
-
 ## Troubleshooting
 
 ### Plugin not loading

backends/advanced/src/advanced_omi_backend/plugins/email_summarizer/README.md

@@ -20,6 +20,26 @@ Automatically sends email summaries when conversations complete.
 5. Formats beautiful HTML and plain text emails
 6. Sends email via configured SMTP server
 
+## Configuration Architecture
+
+Chronicle uses a clean three-file separation for plugin configuration:
+
+1. **`backends/advanced/.env`** - Secrets only (SMTP credentials, API keys)
+   - Gitignored for security
+   - Never commit to version control
+
+2. **`plugins/email_summarizer/config.yml`** - Plugin-specific settings
+   - Email content options (subject prefix, max sentences, etc.)
+   - References environment variables using `${VAR_NAME}` syntax
+   - Defaults work for most users - typically no editing needed
+
+3. **`config/plugins.yml`** - Orchestration only
+   - `enabled` flag
+   - Event subscriptions
+   - Trigger conditions
+
+This separation keeps secrets secure and configuration organized. See [`plugin-configuration.md`](../../../Docs/plugin-configuration.md) for details.
+
 ## Configuration
 
 ### Step 1: Get SMTP Credentials
@@ -55,7 +75,7 @@ FROM_NAME=Chronicle AI
 
 ### Step 3: Enable Plugin
 
-Add to `config/plugins.yml`:
+Add to `config/plugins.yml` (orchestration only):
 
 ```yaml
 plugins:
@@ -65,23 +85,14 @@ plugins:
       - conversation.complete
     condition:
       type: always
-
-    # SMTP Configuration
-    smtp_host: ${SMTP_HOST:-smtp.gmail.com}
-    smtp_port: ${SMTP_PORT:-587}
-    smtp_username: ${SMTP_USERNAME}
-    smtp_password: ${SMTP_PASSWORD}
-    smtp_use_tls: ${SMTP_USE_TLS:-true}
-    from_email: ${FROM_EMAIL:-noreply@chronicle.ai}
-    from_name: ${FROM_NAME:-Chronicle AI}
-
-    # Email Content Options
-    subject_prefix: "Conversation Summary"
-    summary_max_sentences: 3
-    include_conversation_id: true
-    include_duration: true
 ```
 
+**That's it!** Plugin-specific settings are already configured in:
+- **`plugins/email_summarizer/config.yml`** - Email content options (subject prefix, max sentences, etc.)
+- **SMTP credentials** are automatically read from `.env` via environment variable references
+
+You typically don't need to edit `config.yml` - the defaults work for most users. If you want to customize email content settings, see the Configuration Options section below.
+
 ### Step 4: Restart Backend
 
 ```bash
@@ -91,6 +102,8 @@ docker compose restart
 
 ## Configuration Options
 
+All configuration options below are in **`plugins/email_summarizer/config.yml`** and have sensible defaults. You typically don't need to modify these unless you want to customize email content.
+
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `smtp_host` | string | `smtp.gmail.com` | SMTP server hostname |
@@ -180,17 +193,12 @@ This will:
 
 ## 🔒 Security Best Practices
 
-### NEVER Commit Secrets to YAML Files
+### NEVER Commit Secrets to Version Control
 
-**WRONG** ❌:
-```yaml
-# config/plugins.yml
-smtp_password: xnetcqctkkfgzllh  # Hardcoded secret - SECURITY RISK!
-```
+Always use environment variable references in configuration files:
 
-**CORRECT** ✅:
 ```yaml
-# config/plugins.yml
+# plugins/email_summarizer/config.yml
 smtp_password: ${SMTP_PASSWORD}  # Reference to environment variable
 ```
 
@@ -199,12 +207,13 @@ smtp_password: ${SMTP_PASSWORD}  # Reference to environment variable
 SMTP_PASSWORD=xnetcqctkkfgzllh  # Actual secret stored safely
 ```
 
-### Configuration Architecture
+### How Configuration Works
 
-The setup wizard automatically:
-- ✅ Saves SMTP credentials to `backends/advanced/.env`
-- ✅ Updates `config/plugins.yml` with `${ENV_VAR}` references
-- ✅ Prevents accidental secret commits
+The plugin system automatically:
+- ✅ Loads settings from `plugins/email_summarizer/config.yml`
+- ✅ Expands `${ENV_VAR}` references from `backends/advanced/.env`
+- ✅ Merges orchestration settings (enabled, events) from `config/plugins.yml`
+- ✅ Prevents accidental secret commits (only .env has secrets, and it's gitignored)
 
 **Always use the setup wizard** instead of manual configuration:
 ```bash

backends/advanced/src/advanced_omi_backend/plugins/email_summarizer/setup.py

@@ -31,10 +31,11 @@
 console = Console()
 
 
-def update_plugins_yml_with_env_refs():
+def update_plugins_yml_orchestration():
     """
-    Update config/plugins.yml with environment variable references.
-    This ensures secrets are NOT hardcoded in plugins.yml.
+    Update config/plugins.yml with orchestration settings only.
+    Plugin-specific settings are in plugins/email_summarizer/config.yml.
+    This follows Chronicle's three-file configuration architecture.
     """
     plugins_yml_path = project_root / "config" / "plugins.yml"
 
@@ -55,24 +56,12 @@ def update_plugins_yml_with_env_refs():
     if 'plugins' not in config:
         config['plugins'] = {}
 
-    # Build plugin config with env var references (NOT actual values!)
+    # Only orchestration settings in config/plugins.yml
+    # Plugin-specific settings are in plugins/email_summarizer/config.yml
     plugin_config = {
         'enabled': False,  # Let user enable manually or prompt
         'events': ['conversation.complete'],
-        'condition': {'type': 'always'},
-        # Use env var references - these get expanded at runtime
-        'smtp_host': '${SMTP_HOST:-smtp.gmail.com}',
-        'smtp_port': '${SMTP_PORT:-587}',
-        'smtp_username': '${SMTP_USERNAME}',
-        'smtp_password': '${SMTP_PASSWORD}',
-        'smtp_use_tls': '${SMTP_USE_TLS:-true}',
-        'from_email': '${FROM_EMAIL}',
-        'from_name': '${FROM_NAME:-Chronicle AI}',
-        # Non-secret settings (literal values OK)
-        'subject_prefix': 'Conversation Summary',
-        'summary_max_sentences': 3,
-        'include_conversation_id': True,
-        'include_duration': True
+        'condition': {'type': 'always'}
     }
 
     # Update or create plugin entry
@@ -90,7 +79,7 @@ def update_plugins_yml_with_env_refs():
     with open(plugins_yml_path, 'w') as f:
         yaml.dump(config, f, default_flow_style=False, sort_keys=False)
 
-    console.print("[green]✅ Updated config/plugins.yml with environment variable references[/green]")
+    console.print("[green]✅ Updated config/plugins.yml (orchestration only)[/green]")
 
     return plugins_yml_path
 
@@ -164,9 +153,9 @@ def main():
 
     console.print("[green]✅ SMTP credentials saved to backends/advanced/.env[/green]")
 
-    # Auto-update plugins.yml with env var references
+    # Auto-update plugins.yml with orchestration settings only
     console.print("\n📝 [bold]Updating plugin configuration...[/bold]")
-    plugins_yml_path = update_plugins_yml_with_env_refs()
+    plugins_yml_path = update_plugins_yml_orchestration()
 
     # Prompt to enable plugin
     enable_now = Confirm.ask("\nEnable email_summarizer plugin now?", default=True)
@@ -181,7 +170,8 @@ def main():
     console.print("\n[bold cyan]✅ Email Summarizer configured successfully![/bold cyan]")
     console.print("\n[bold]Configuration saved to:[/bold]")
     console.print("  • [green]backends/advanced/.env[/green] - SMTP credentials (secrets)")
-    console.print("  • [green]config/plugins.yml[/green] - Plugin orchestration (env var references)")
+    console.print("  • [green]config/plugins.yml[/green] - Plugin orchestration (enabled, events)")
+    console.print("  • [green]plugins/email_summarizer/config.yml[/green] - Plugin settings (already configured)")
     console.print()
 
     if not enable_now:
@@ -192,8 +182,9 @@ def main():
     console.print("[bold]Restart backend to apply:[/bold]")
     console.print("  [dim]cd backends/advanced && docker compose restart[/dim]")
     console.print()
-    console.print("[yellow]⚠️  SECURITY: Never paste actual passwords in config/plugins.yml![/yellow]")
-    console.print("[yellow]    Secrets go in .env, YAML files use ${ENV_VAR} references.[/yellow]")
+    console.print("[yellow]⚠️  SECURITY: Never commit secrets to git![/yellow]")
+    console.print("[yellow]    • Secrets go in backends/advanced/.env (gitignored)[/yellow]")
+    console.print("[yellow]    • Config files use ${ENV_VAR} references only[/yellow]")
 
 
 if __name__ == '__main__':