chore(repo): fix license detection and add github workflows

LICENSE now starts with the EUPL-1.2 standard header so github-linguist
detects the licence correctly in the repo header. The dual-copyright
block (upstream ChatTwo authors plus Hellion Online Media) moves into a
new COPYRIGHT file referenced from the README. NOTICE.md and
UPSTREAM_SYNC.md stay as-is.

New files under .github:

- workflows/build.yml: validates every push to main and every PR
  against the current Dalamud staging branch on a Windows runner
- workflows/release.yml: builds Release on every v* tag, locates the
  DalamudPackager latest.zip and attaches it to the matching GitHub
  Release via softprops/action-gh-release
- dependabot.yml: weekly NuGet sweeps and monthly GitHub Actions
  sweeps with conventional-commit prefixes, grouped patch and minor
  PRs to cut review noise
- ISSUE_TEMPLATE/bug_report.yml + feature_request.yml + config.yml:
  structured intake that pushes security reports through the private
  advisory flow and routes upstream-only issues to ChatTwo
- SECURITY.md: documents the vulnerability reporting channels, scope,
  and target disclosure window

The release workflow replaces the previous manual upload step. Tag a
release and the ZIP shows up on the release page automatically.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,73 @@
+name: Bug report
+description: Something in HellionChat is broken or behaves wrong
+labels:
+  - bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting. Please fill in the fields below so I can
+        reproduce the issue. If this is a security issue, stop here and
+        use the [private vulnerability advisory](https://github.com/JonKazama-Hellion/HellionChat/security/advisories/new)
+        instead.
+
+  - type: input
+    id: version
+    attributes:
+      label: HellionChat version
+      description: From Settings → Information → Version
+      placeholder: "0.5.1"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: platform
+    attributes:
+      label: Platform
+      options:
+        - Windows (XIVLauncher)
+        - Linux (XIVLauncher Core)
+        - macOS (XIVLauncher Core / wine)
+        - Other
+    validations:
+      required: true
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened
+      description: Plain description, no log dumps yet
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: What you expected
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: How to reproduce
+      description: Step-by-step from "open settings" or "log in" through to the broken behaviour
+    validations:
+      required: true
+
+  - type: textarea
+    id: log
+    attributes:
+      label: Relevant /xllog excerpt
+      description: Filter for "HellionChat" or "ChatTwo" if the log is huge
+      render: text
+
+  - type: checkboxes
+    id: confirm
+    attributes:
+      label: Pre-flight
+      options:
+        - label: I am running the latest version of HellionChat
+          required: true
+        - label: I have searched existing issues for duplicates
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,14 @@
+blank_issues_enabled: false
+
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/JonKazama-Hellion/HellionChat/security/advisories/new
+    about: Do not open a public issue for security problems. Use the private advisory instead.
+
+  - name: Upstream Chat 2 issue
+    url: https://github.com/Infiziert90/ChatTwo/issues
+    about: If the issue exists in upstream Chat 2 too, please report it there so the original maintainers see it as well.
+
+  - name: Discord
+    url: https://discord.com/users/j.j_kazama
+    about: Quick questions, casual feedback. Bug reports still go through the issue tracker for tracking.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,55 @@
+name: Feature request
+description: Suggest a feature or enhancement for HellionChat
+labels:
+  - enhancement
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for the suggestion. HellionChat focuses on privacy by
+        default and a small, well-scoped feature set. Suggestions that
+        align with that scope are easier to accept than ones that pull
+        the plugin toward "do everything".
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem are you trying to solve
+      description: The user-side problem, not the proposed solution yet
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: What you would like HellionChat to do
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives you have considered
+      description: Other plugins, manual workarounds, settings combinations
+
+  - type: dropdown
+    id: scope
+    attributes:
+      label: Scope estimate from your side
+      options:
+        - "Small (one tab, one toggle, one filter)"
+        - "Medium (a settings section, persistent state, one new file)"
+        - "Large (architectural, touches the message pipeline or the database)"
+        - "I don't know"
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: confirm
+    attributes:
+      label: Pre-flight
+      options:
+        - label: I have searched existing issues for similar requests
+          required: true
+        - label: I understand HellionChat is a privacy-focused fork and not a feature parity tool with upstream Chat 2
+          required: true

.github/dependabot.yml

@@ -0,0 +1,42 @@
+version: 2
+
+updates:
+  # NuGet package updates for the plugin project. Weekly cadence keeps the
+  # noise down while still catching transitive security advisories within
+  # a few days of disclosure.
+  - package-ecosystem: nuget
+    directory: /ChatTwo
+    schedule:
+      interval: weekly
+      day: monday
+      time: "07:00"
+      timezone: Europe/Berlin
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - nuget
+    commit-message:
+      prefix: "chore(deps)"
+    groups:
+      patches:
+        update-types:
+          - patch
+      minor:
+        update-types:
+          - minor
+
+  # GitHub Actions versions in .github/workflows. Lower cadence because
+  # Action releases ship less frequently and are usually safe to defer
+  # for a month.
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+      time: "07:00"
+      timezone: Europe/Berlin
+    open-pull-requests-limit: 3
+    labels:
+      - dependencies
+      - github-actions
+    commit-message:
+      prefix: "chore(actions)"

.github/workflows/build.yml

@@ -0,0 +1,49 @@
+name: Build
+
+# Verifies that every push to main and every PR still builds against the
+# current Dalamud staging branch. Does not produce release artefacts; the
+# release workflow handles that on tag.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build (Release)
+    runs-on: windows-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET 10
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+
+      - name: Download Dalamud staging
+        shell: pwsh
+        run: |
+          $hooks = Join-Path $env:APPDATA "XIVLauncher\addon\Hooks\dev"
+          New-Item -ItemType Directory -Force -Path $hooks | Out-Null
+          Invoke-WebRequest -Uri https://goatcorp.github.io/dalamud-distrib/stg/latest.zip -OutFile dalamud.zip
+          Expand-Archive -Force -Path dalamud.zip -DestinationPath $hooks
+
+      - name: Restore
+        run: dotnet restore ChatTwo/ChatTwo.csproj
+
+      - name: Build (Release)
+        run: dotnet build ChatTwo/ChatTwo.csproj --configuration Release --no-restore
+
+      - name: Upload build output
+        uses: actions/upload-artifact@v4
+        with:
+          name: HellionChat-build-${{ github.run_number }}
+          path: ChatTwo/bin/Release/**/HellionChat/**
+          if-no-files-found: warn
+          retention-days: 14

.github/workflows/release.yml

@@ -0,0 +1,61 @@
+name: Release
+
+# Triggered when a vX.Y.Z tag is pushed. Builds the plugin against the
+# current Dalamud staging branch, locates the latest.zip produced by
+# DalamudPackager and attaches it to the matching GitHub Release.
+# Does not consume any user-controlled event payload, only the tag name
+# (validated by the on.tags filter) and the steps output of the locate
+# step (path string from Get-ChildItem on a controlled directory).
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Build and attach release ZIP
+    runs-on: windows-latest
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET 10
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+
+      - name: Download Dalamud staging
+        shell: pwsh
+        run: |
+          $hooks = Join-Path $env:APPDATA "XIVLauncher\addon\Hooks\dev"
+          New-Item -ItemType Directory -Force -Path $hooks | Out-Null
+          Invoke-WebRequest -Uri https://goatcorp.github.io/dalamud-distrib/stg/latest.zip -OutFile dalamud.zip
+          Expand-Archive -Force -Path dalamud.zip -DestinationPath $hooks
+
+      - name: Build (Release)
+        run: dotnet build ChatTwo/ChatTwo.csproj --configuration Release
+
+      - name: Locate latest.zip
+        id: locate
+        shell: pwsh
+        run: |
+          $zip = Get-ChildItem -Path ChatTwo\bin\Release -Recurse -Filter latest.zip | Select-Object -First 1
+          if (-not $zip)
+          {
+              throw "latest.zip not found under ChatTwo\bin\Release"
+          }
+          Write-Host "Found: $($zip.FullName)"
+          "path=$($zip.FullName)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+
+      - name: Attach to GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: ${{ steps.locate.outputs.path }}
+          fail_on_unmatched_files: true
+          generate_release_notes: false

COPYRIGHT

@@ -0,0 +1,27 @@
+HellionChat — a privacy-focused fork of ChatTwo for FINAL FANTASY XIV
+
+Copyright (c) 2024-2025 Infiziert90 (Infi) and Anna Clemens (ascclemens)
+    Original ChatTwo authors and copyright holders of the upstream
+    plugin this fork is built on. Their work covers the message store,
+    the channel filtering, the sidebar tab system, the FFXIV chat
+    hooks, the localisation infrastructure and most of the
+    architecture HellionChat still relies on.
+
+Copyright (c) 2025-2026 Florian Wathling / Hellion Online Media
+    HellionChat-specific modifications, including the privacy filter,
+    per-channel retention sweep, export pipeline, Auto-Tell-Tabs,
+    Hellion theme and font integration, German localisation and the
+    EUPL-1.2 fork maintenance.
+
+Licensed under the European Union Public Licence (EUPL), Version 1.2
+only. The full Licence text lives in the LICENSE file at the root of
+this repository. The official Licence website is at:
+
+    https://eupl.eu/1.2/en/
+
+This Work is provided "AS IS" without warranties of any kind. See
+Article 7 (Disclaimer of Warranty) and Article 8 (Disclaimer of
+Liability) of the Licence for the legally binding wording.
+
+Acknowledgements directed at the upstream ChatTwo authors live in
+NOTICE.md. The manual upstream-sync workflow lives in UPSTREAM_SYNC.md.

LICENSE

@@ -1,31 +1,5 @@
-HellionChat — a privacy-focused fork of ChatTwo
-
-Copyright (c) 2024-2025 Infiziert90 (Infi) and Anna Clemens
-    (original ChatTwo authors and copyright holders of the upstream work
-    this fork is built on)
-Copyright (c) 2025-2026 Florian Wathling / Hellion Online Media
-    (HellionChat-specific modifications, Privacy/Export/Auto-Tell-Tabs
-    features, Hellion theme, German localisation, EUPL-1.2 fork
-    maintenance)
-
-Licensed under the European Union Public Licence (EUPL), Version 1.2 only.
-
-You may obtain a copy of the Licence at:
-https://eupl.eu/1.2/en/
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the Licence is distributed on an "AS IS" basis, WITHOUT
-WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-Licence for the specific language governing permissions and limitations
-under the Licence.
-
-The full Licence text follows below.
-
-================================================================================
-
-EUROPEAN UNION PUBLIC LICENCE v. 1.2
-
-EUPL (c) the European Union 2007, 2016
+                      EUROPEAN UNION PUBLIC LICENCE v. 1.2
+                      EUPL (c) the European Union 2007, 2016
 
 This European Union Public Licence (the 'EUPL') applies to the Work (as
 defined below) which is provided under the terms of this Licence. Any use
@@ -37,7 +11,7 @@ The Work is provided under the terms of this Licence when the Licensor (as
 defined below) has placed the following notice immediately following the
 copyright notice for the Work:
 
-    Licensed under the EUPL
+        Licensed under the EUPL
 
 or has expressed by any other means his willingness to license under the
 EUPL.

README.md

@@ -269,7 +269,7 @@ Phase 3 (offen, kein festes Datum):
 
 ## Lizenz
 
-EUPL-1.2 (gleiche Lizenz wie Upstream Chat 2). Volltext liegt in [LICENSE](LICENSE), persönliche Danksagung an die Upstream-Autoren in [NOTICE.md](NOTICE.md).
+EUPL-1.2 (gleiche Lizenz wie Upstream Chat 2). Volltext in [LICENSE](LICENSE), Copyright-Notes mit Dual-Holder-Block in [COPYRIGHT](COPYRIGHT), persönliche Danksagung an die Upstream-Autoren in [NOTICE.md](NOTICE.md).
 
 © 2023–2026 die Chat-2-Autoren (Infi, Anna und die Upstream-Contributors) für die Engine, IPC und Storage-Schicht.
 © 2026 Hellion Online Media für die Hellion-Chat-Erweiterungen.

SECURITY.md

@@ -0,0 +1,49 @@
+# Security policy
+
+## Reporting a vulnerability
+
+If you find a security issue in HellionChat, please do not open a public
+GitHub issue. Use one of the private channels below instead so we can
+investigate and ship a fix before the details go out.
+
+**Preferred:**
+[Privately report a vulnerability](https://github.com/JonKazama-Hellion/HellionChat/security/advisories/new)
+through GitHub's Security Advisories. This routes the report directly to
+me and keeps the conversation off the public timeline.
+
+**Alternative:**
+- Email: `maintainer@hellion-media.de`
+- Discord: `@j.j_kazama`
+
+I respond on weekdays during European business hours. For urgent
+disclosures (active exploitation, user-data exposure) email is the
+fastest path.
+
+## What I treat as in scope
+
+- Code paths in HellionChat that touch user-controlled input (chat
+  messages, plugin config, file paths the user can influence)
+- The privacy filter in MessageStore.cs and the export pipeline
+- The Configuration migration logic
+- The EmoteCache HTTP client and path handling
+- The Auto-Tell-Tabs spawn logic and history preload
+
+## What is not in scope
+
+- Issues in upstream Chat 2 that we have not modified — please report
+  those at <https://github.com/Infiziert90/ChatTwo/issues>
+- Issues in Dalamud itself — those go to <https://github.com/goatcorp/Dalamud>
+- Issues in the FFXIV game client
+- Anything that needs the user to install a malicious plugin first
+
+## Acknowledgement
+
+I list everyone who reports a real issue in the changelog of the release
+that fixes it, unless they prefer to stay anonymous. No bug bounty,
+nothing financial; this is a hobby plugin.
+
+## Disclosure window
+
+I aim to ship a fix within 14 days for high-severity issues and within
+30 days for everything else. If a fix needs more time I will say so in
+the private thread.