docs: community standards, privacy notice and release-body automation

Closes the remaining gaps in GitHub's community-standards check, adds
explicit privacy and dependency documentation matching the plugin's
"DSGVO-by-design" claim, and removes the stale upstream Crowdin
artefact so the repo no longer suggests it ships its own translation
pipeline.

New community-health files:

- CODE_OF_CONDUCT.md: project-specific, short and direct, single
  reporting path to kontakt@hellion-media.de
- CONTRIBUTING.md: scope, accepted vs declined contributions, build
  and test instructions, EUPL-1.2 contribution terms, translation
  policy split between Hellion-specific (here) and upstream strings
  (Chat 2 repo)
- SUPPORT.md: routing for bugs, security, privacy and casual feedback
- .github/PULL_REQUEST_TEMPLATE.md: summary, change-type checklist,
  testing notes, compatibility notes for migrations and manifest
  fields, contribution checklist
- .github/FUNDING.yml: comments-only file, no platforms enabled,
  points donors at the upstream Chat 2 maintainers' Ko-fi pages

New privacy and compliance documentation:

- PRIVACY.md: what the plugin stores locally (config, SQLite,
  EmoteCacheV1), retention defaults, the two outbound network calls
  (BetterTTV API+CDN with ShowEmotes opt-out, Square Enix Lodestone
  font once-off), explicit no-telemetry statement, GDPR
  Art. 15/17/18/20/21 rights mapped to plugin features, third-party
  privacy-policy links
- THIRD_PARTY_NOTICES.md: direct NuGet dependencies with versions
  pinned to v0.5.4 (MessagePack, Microsoft.Data.Sqlite, morelinq,
  Pidgin, SixLabors.ImageSharp under Six Labors Split License 1.0),
  Dalamud SDK and .NET tooling, bundled Exo 2 font (OFL-1.1) and
  plugin icon, network-touch status per component, re-audit commands

Crowdin cleanup:

- crowdin.yml deleted (was upstream Chat 2's project_id 663694,
  pointed at /ChatTwo/Resources/Language.resx, never wired to
  HellionChat strings)
- README, CONTRIBUTING and CODE_OF_CONDUCT no longer suggest
  HellionChat operates a Crowdin project; remaining mentions are
  explicitly framed as upstream Chat 2's workflow

Contact and version consistency:

- Maintainer email switched from maintainer@hellion-media.de to
  kontakt@hellion-media.de in SECURITY.md and NOTICE.md
- README version references updated to 0.5.4 (header, project status
  block) and the update-tag pattern generalised from v0.1.x to v0.X.Y
- bug_report.yml version placeholder bumped to 0.5.4
- Project-documents table added to README footer linking all health
  and reference files in one place

Release-body automation:

- .github/workflows/release.yml now extracts the matching version
  block from ChatTwo/HellionChat.yaml's changelog and combines it
  with a static install / docs footer (custom-repo URL, project
  document links, licence) before passing the result to
  softprops/action-gh-release@v3 via body_path
- Workflow fails fast if no changelog block exists for the tagged
  version, automating the existing "yaml + repo.json + release body
  kept in sync" rule
- Tag value passed via env: TAG_NAME with strict ^v\d+\.\d+\.\d+$
  validation before any string concatenation, so the tag input cannot
  break out into shell evaluation

.github/FUNDING.yml

@@ -0,0 +1,13 @@
+# HellionChat is a hobby project and does not solicit funding.
+#
+# If you want to support the work that made HellionChat possible,
+# please consider supporting the upstream Chat 2 maintainers:
+#
+#   Infiziert90 (Infi):  https://ko-fi.com/infiii
+#   Anna Clemens:        https://ko-fi.com/lojewalo
+#
+# Both Ko-fi pages are also linked in the plugin's settings panel.
+
+# No platforms enabled — keep this file present so GitHub recognises
+# the project as having considered funding without showing a Sponsor
+# button on the repository page.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -16,7 +16,7 @@ body:
     attributes:
       label: HellionChat version
       description: From Settings → Information → Version
-      placeholder: "0.5.1"
+      placeholder: "0.5.4"
     validations:
       required: true
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,72 @@
+<!--
+Thanks for contributing to HellionChat. Please fill in the sections
+below so the review goes quickly. Delete sections that genuinely do
+not apply, but do not delete the whole template.
+
+If this is a security fix, stop here and use a private security
+advisory instead:
+https://github.com/JonKazama-Hellion/HellionChat/security/advisories/new
+-->
+
+## Summary
+
+<!-- One or two sentences. What does this PR change and why. -->
+
+## Type of change
+
+<!-- Tick all that apply. -->
+
+- [ ] Bug fix (non-breaking change that fixes an issue)
+- [ ] New feature (non-breaking change that adds behaviour)
+- [ ] Breaking change (config migration, removed feature, or behaviour
+      change that user-visible defaults rely on)
+- [ ] Documentation only
+- [ ] Translation update
+- [ ] Build, CI or tooling change
+- [ ] Upstream cherry-pick from Chat 2
+
+## Linked issue
+
+<!-- e.g. "Closes #42" or "Refs #42". For trivial typo fixes, "n/a". -->
+
+## How I tested this
+
+<!--
+- Built locally with `dotnet build -c Release`
+- Ran `dotnet test`
+- Loaded the plugin in-game on Windows / Linux / macOS via XIVLauncher
+- Specific scenarios I exercised in-game
+-->
+
+## User-visible changes
+
+<!--
+Anything the end user will notice. New settings, changed defaults,
+new commands, new translations, removed behaviour. If none, write
+"none".
+-->
+
+## Compatibility notes
+
+<!--
+- Does this require a configuration migration? If yes, which version
+  bump and is it covered by the existing migration tests?
+- Does this change the schema in MessageStore?
+- Does this change the repo.json or HellionChat.yaml manifest fields?
+- Does this affect the upstream cherry-pick path? See UPSTREAM_SYNC.md.
+-->
+
+## Checklist
+
+- [ ] I have read [CONTRIBUTING.md](../CONTRIBUTING.md) and
+      [CODE_OF_CONDUCT.md](../CODE_OF_CONDUCT.md).
+- [ ] My change matches the existing code style (`.editorconfig`).
+- [ ] I added or updated tests where the existing test infrastructure
+      made that practical, or I have explained why tests are not
+      applicable.
+- [ ] I updated the README, in-plugin strings or documentation if my
+      change is user-visible.
+- [ ] I did not include any AI-generated code without disclosing it
+      in the PR description (see [AI_DISCLOSURE.md](../AI_DISCLOSURE.md)).
+- [ ] I confirm my contribution is released under the
+      [EUPL-1.2](../LICENSE).

.github/workflows/release.yml

@@ -3,9 +3,14 @@ name: Release
 # Triggered when a vX.Y.Z tag is pushed. Builds the plugin against the
 # current Dalamud staging branch, locates the latest.zip produced by
 # DalamudPackager and attaches it to the matching GitHub Release.
-# Does not consume any user-controlled event payload, only the tag name
-# (validated by the on.tags filter) and the steps output of the locate
-# step (path string from Get-ChildItem on a controlled directory).
+#
+# User-controlled inputs touched by this workflow:
+#   - the tag name (filtered by on.tags = v*, validated again at runtime
+#     against ^v\d+\.\d+\.\d+$ before being used in any string)
+# All other values are either repo-controlled (paths under
+# ChatTwo/bin/Release derived from Get-ChildItem) or pinned URLs to
+# goatcorp / GitHub. Nothing from a webhook event payload (issue/PR
+# titles, commit messages, etc.) flows into a run-step.
 
 on:
   push:
@@ -53,9 +58,101 @@ jobs:
           Write-Host "Found: $($zip.FullName)"
           "path=$($zip.FullName)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
 
+      # Build a release body from the matching changelog block in
+      # HellionChat.yaml plus a static install / docs footer. Fails the
+      # workflow if no block exists for the tagged version, which is the
+      # automated counterpart to the "yaml + repo.json + release body
+      # kept in sync" rule.
+      #
+      # GITHUB_REF_NAME is read via env: (not ${{ }} interpolation) so the
+      # tag value is treated as a PowerShell variable, not as inline shell
+      # text. The strict regex below rejects anything that is not a clean
+      # semver tag before it is used to build a string.
+      - name: Generate release body
+        shell: pwsh
+        env:
+          TAG_NAME: ${{ github.ref_name }}
+        run: |
+          $tag = $env:TAG_NAME
+          if ($tag -notmatch '^v\d+\.\d+\.\d+$') {
+              throw "Refusing to generate release body for non-semver tag: $tag"
+          }
+          $version = $tag.Substring(1)
+
+          $yamlPath = "ChatTwo/HellionChat.yaml"
+          $raw = Get-Content -Path $yamlPath -Raw
+
+          $marker = "changelog: |-"
+          $idx = $raw.IndexOf($marker)
+          if ($idx -lt 0) { throw "changelog block not found in $yamlPath" }
+
+          # changelog: is the last top-level key in the manifest, so
+          # everything after the marker is the literal block. Strip the
+          # 2-space yaml indent from each line.
+          $afterMarker = $raw.Substring($idx + $marker.Length)
+          $changelogBody = (($afterMarker -split "`r?`n") | ForEach-Object {
+              if ($_ -match '^  ') { $_.Substring(2) } else { $_ }
+          }) -join "`n"
+
+          $header = "**Hellion Chat $version"
+          $start = $changelogBody.IndexOf($header)
+          if ($start -lt 0) {
+              throw "No changelog entry for version $version found in $yamlPath. Update the changelog block before tagging a release."
+          }
+
+          $rest = $changelogBody.Substring($start)
+          $nextHdr = $rest.IndexOf("`n`n**Hellion Chat ", 1)
+          $trailer = $rest.IndexOf("`n`n---")
+
+          if ($nextHdr -ge 0 -and ($trailer -lt 0 -or $nextHdr -lt $trailer)) {
+              $currentBlock = $rest.Substring(0, $nextHdr).TrimEnd()
+          } elseif ($trailer -ge 0) {
+              $currentBlock = $rest.Substring(0, $trailer).TrimEnd()
+          } else {
+              $currentBlock = $rest.TrimEnd()
+          }
+
+          $footer = @'
+
+---
+
+## How to install
+
+This release is distributed via the HellionChat custom repository, not the
+Dalamud main plugin repo. To install:
+
+1. In XIVLauncher: **Settings → Experimental → Custom Plugin Repositories**
+2. Add the URL:
+   `https://raw.githubusercontent.com/JonKazama-Hellion/HellionChat/main/repo.json`
+3. Enable, save, then `/xlplugins` → search **Hellion Chat** → install
+
+## Project documents
+
+- [README](https://github.com/JonKazama-Hellion/HellionChat/blob/main/README.md) — features, architecture, build
+- [Privacy notice](https://github.com/JonKazama-Hellion/HellionChat/blob/main/PRIVACY.md) — what the plugin stores and sends
+- [Third-party notices](https://github.com/JonKazama-Hellion/HellionChat/blob/main/THIRD_PARTY_NOTICES.md) — dependencies and licences
+- [Security policy](https://github.com/JonKazama-Hellion/HellionChat/blob/main/SECURITY.md) — vulnerability reporting
+- [Support](https://github.com/JonKazama-Hellion/HellionChat/blob/main/SUPPORT.md) — bug reports, questions, contact paths
+
+## Licence
+
+[EUPL-1.2](https://github.com/JonKazama-Hellion/HellionChat/blob/main/LICENSE).
+Based on [Chat 2](https://github.com/Infiziert90/ChatTwo) by Infi and Anna,
+also EUPL-1.2.
+'@
+
+          $body = $currentBlock + "`n" + $footer
+          $body | Out-File -FilePath release-body.md -Encoding utf8 -NoNewline
+
+          Write-Host "Generated release body for $tag :"
+          Write-Host "----------------------------------------"
+          Write-Host $body
+          Write-Host "----------------------------------------"
+
       - name: Attach to GitHub release
         uses: softprops/action-gh-release@v3
         with:
           files: ${{ steps.locate.outputs.path }}
+          body_path: release-body.md
           fail_on_unmatched_files: true
           generate_release_notes: false