General code-quality and robustness pass across the plugin: thread-
safety on IPC state, resource-disposal cleanups, input validation,
defensive null-checks and a few small UX glitches. Compliance docs
(THIRD_PARTY_NOTICES, PRIVACY, COPYRIGHT) refreshed to v1.0.3.
Highlights
- ExtraChat IPC state synchronised across threads
- ChatLogWindow autocomplete no longer leaks the unmanaged
ImGuiListClipper allocation
- ChatLogWindow + Popout style stack stays balanced when config
toggles mid-frame
- Retention sweep and privacy cleanup wait for the actual filter
pass instead of the fire-and-forget Task that started it
- Configuration.LatestVersion bumped to 13 to match the active
migration path
- GameFunctions placeholder buffer guarded against oversized
replacement names
- TellTarget.IsSet, ResolveTempInputChannel, InputPreview, IconUtil,
Lender, Payloads, ExtraPayload all hardened against null / empty /
EOF / cycle inputs
- FontManager Lodestone download stays in scope for a follow-up
(timeout + lazy init pending)
- AutoTranslate replaced the msvcrt.dll memcmp P/Invoke with a
managed Span comparison
- Privacy cleanup worker thread marked IsBackground = true
- Database cleanup now removes both legacy files in one click
- Tell-target name redacted in the verbose debug log
Compliance
- THIRD_PARTY_NOTICES: last-reviewed bumped to v1.0.3, Pidgin 3.5.1,
SQLitePCLRaw.lib.e_sqlite3 3.50.3 listed as direct dependency with
CVE-2025-6965 / CVE-2025-7709 rationale
- PRIVACY: last-reviewed bumped to v1.0.3, BetterTTV trigger wording
clarified (list fetch at startup vs. on-demand image fetch)
- COPYRIGHT: upstream attribution range widened
Build: 0 warnings, 0 errors. No behavioural changes that would alter
existing user configuration or stored chat history.
LICENSE now starts with the EUPL-1.2 standard header so github-linguist
detects the licence correctly in the repo header. The dual-copyright
block (upstream ChatTwo authors plus Hellion Online Media) moves into a
new COPYRIGHT file referenced from the README. NOTICE.md and
UPSTREAM_SYNC.md stay as-is.
New files under .github:
- workflows/build.yml: validates every push to main and every PR
against the current Dalamud staging branch on a Windows runner
- workflows/release.yml: builds Release on every v* tag, locates the
DalamudPackager latest.zip and attaches it to the matching GitHub
Release via softprops/action-gh-release
- dependabot.yml: weekly NuGet sweeps and monthly GitHub Actions
sweeps with conventional-commit prefixes, grouped patch and minor
PRs to cut review noise
- ISSUE_TEMPLATE/bug_report.yml + feature_request.yml + config.yml:
structured intake that pushes security reports through the private
advisory flow and routes upstream-only issues to ChatTwo
- SECURITY.md: documents the vulnerability reporting channels, scope,
and target disclosure window
The release workflow replaces the previous manual upload step. Tag a
release and the ZIP shows up on the release page automatically.
JonKazama-Hellion