Semgrep rule IDs follow the pattern <pack>.<rule>. The pack name is
csharp.lang.security.sqli.csharp-sqli and the rule inside it is also
called csharp-sqli, so the full ID needs the trailing .csharp-sqli
again. Without it the exclude flag silently filters a different
subset of rules and the actual rule still runs.
Semgrep flags eight CommandText-with-string-interpolation call sites
in MessageStore.cs as SQL-injection patterns. All are safe in this
context: table names and clause fragments come from internal code
constants, the actual values are bound via SqlParameter, and the
plugin SQL surface is local-only with no external input vector.
CodeQL would not flag these because it does dataflow analysis and
sees the constants. Semgrep only matches patterns. Excluding the rule
for this repo only via the new semgrep-exclude-rules input keeps the
rule active for the other Hellion repos where it might catch real
issues (e.g. the web apps).
Calls JonKazama-Hellion/security-workflows for Semgrep SAST + Trivy
filesystem vulnerability scan. Runs on push to main/master, on every
PR, and weekly Monday 06:00 UTC.
Cleanup pass after the v1.4.3 cutover. Five files still carried
gitea.com hosts or dead github.com security-advisory links because
they were not touched in the prior URL sweep.
- forge-announce.yml: Discord embed avatar and tag link
- release-footer.md: custom-repo URL plus six doc/license links
- bug_report.yml, config.yml, PULL_REQUEST_TEMPLATE.md: replace
github.com/.../security/advisories/new with mailto:kontakt@
hellion-media.de. Gitea has no privately-reportable advisory
feature; e-mail is the closest functional equivalent.
Pure string replacement, no logic change.
Migrations: all current users are on schema v16, the v9 to v16 migration
chain ran in v1.2.1 and earlier. Replace the seven in-LoadAsync migration
blocks with a hard schema-gate in the Phase-1 ctor; older configs trigger
a clear "install v1.4.2 first" error. Code-hygiene change, fast-path
saving is negligible. Remove the now-unused TryReadPreV13ThemeOpacity
helper that only served the v13 to v14 block.
AutoTranslate.PreloadCache: was sync ~300 ms in LoadAsync. Move to
Task.Run so plugin-load returns ~300 ms earlier. Trade-off: first
auto-translate use of a session may have a sub-second hitch if the
cache hasn't finished warming. Acceptable, it is first-use cost
instead of every-load cost.
The previous fire-and-forget Task.Run pattern could leave Plugin.FontManager
null when the first UiBuilder.Draw tick fires (ChatLogWindow dereferences
FontManager.FontAwesome / RegularFont / ItalicFont in its draw paths).
Allocate FontManager and call BuildFonts() synchronously, mirroring
ChatTwo Plugin.cs:152. BuildFonts itself is non-blocking — it just
registers IFontHandles with Dalamud's atlas; the actual atlas rebuild
runs on Dalamud's pipeline a few frames later, so the perceived-load
win still holds (LoadAsync no longer waits for atlas build).
BuildFontsAsync in FontManager.cs stays for the Settings-driven manual
rebuild path.
Phase-1 was still doing 7 schema migrations and 25+ service allocations
synchronously, blocking the ctor return. Move all of that to LoadAsync,
keeping only bootstrap-essentials in the ctor: conflict detection,
config load, language init, ImGui init, WindowSystem skeleton.
Decouple the font task from the LoadAsync await — font-build runs
fire-and-forget, so first frames render with Dalamud's default font
until the Hellion-Exo2/NotoSans atlas rebuild completes (visible
"font-pop"). Mirrors ChatTwo's pattern; the perceived-load win comes
from "Finished loading" landing earlier, not from a faster atlas build.
Smoke test in Task 6 surfaced a NullReferenceException at Plugin.cs:885 —
the retention sweep was scheduled in Phase 1 but dereferences
MessageManager.Store, which is only allocated in Phase 2 (LoadAsync).
Move the call after MessageManager init. Drop the comment that wrongly
claimed independence from Phase-2 services.
I-1: rewrite property-shape comment to reflect that all properties (not
just Phase-2 ones) moved to { get; private set; } = null!;.
I-3: drop plan-jargon (Q1=A / Q3=B / Task 5) from source comments;
replace with durable rationale and a version-anchored TODO for the
FontManager.BuildFontsAsync follow-up.
I-4: remove German-word leak ("pflicht") from English comment in
DisposeAsync.
M-5: wrap each cleanup line inside Framework.RunOnFrameworkThread with
CaptureFailure so a single Dispose throw no longer strands subsequent
cleanup. Drops the inline try/swallow on SetChatInteractable. Mirrors
Lightless DisposeFrameworkBoundServicesAsync pattern.
actions/upload-artifact@v7 fails on Gitea Actions — the GitHub
artifact API has compatibility gaps the Gitea runtime layer does not
fully cover, and v7 specifically tripped exitcode 1 on the Strato
runner. The build itself runs fine; the artefact was never consumed
by anything (release.yml does its own latest.zip lookup), so the
cleanest fix is to make build.yml a pure compile-health check
without artefact upload.
Chat 2 has entered a major rework that Infi confirmed makes selective
patches no longer portable. The cherry-pick pipeline as a routine
workflow stops with the v1.4.x cycle. Documentation reflects the new
state across all touchpoints.
UPSTREAM_SYNC.md rewritten: replaces the "How I Cherry-Pick" /
"Reviewing What Is New Upstream" / "Conflict Handling" sections with
"Why Cherry-Picking Stopped", "What Closing the Pipeline Means in
Practice", "What Does Not Change", "What Could Re-Open Later".
Existing cherry-pick trails in the git history stay intact, EUPL-1.2
anchor lines and NOTICE.md remain canonical.
README.md, CONTRIBUTING.md, ROADMAP.md, THIRD_PARTY_NOTICES.md and
the PR template updated to match: cherry-pick references reframed as
historical or pointed at UPSTREAM_SYNC.md for the current state.
NOTICE.md keeps the BetterTTV cherry-pick example as a concrete past
case but adds a paragraph that the pipeline is closed and clarifies
the attribution standard is preserved unchanged.
PULL_REQUEST_TEMPLATE.md drops the "Upstream cherry-pick from Chat 2"
checkbox and the cherry-pick-path compatibility prompt. The upstream
git remote was already removed locally on 2026-05-08 (separate change,
not in this commit).
No source-file edits, no manifest version bump, no changelog entry —
this is documentation-only and ships with the next release.
- codeql.yml removed: GitHub-only (uses github/codeql-action/*).
- build.yml + release.yml: runs-on switched to ubuntu-latest (Gitea Cloud
has no Windows runner). Dalamud staging is now downloaded via curl/unzip
into $HOME/.xlcore/dalamud/Hooks/dev/, the path the Dalamud SDK 15 uses
on Linux. Locate-step uses find instead of Get-ChildItem.
- release.yml: softprops/action-gh-release replaced with the Gitea-native
https://gitea.com/actions/release-action. Auto-injected GITHUB_TOKEN on
Gitea Actions has Gitea-API scope and is sufficient.
- forge-announce.yml: environment: Webhook removed (Gitea has no
environments — DISCORD_FORGE_WEBHOOK is a repo-level Actions secret).
avatar_url and embed url switched from raw.githubusercontent.com /
github.com to gitea.com.
- release-footer.md: install URL plus the five doc links (README, PRIVACY,
THIRD_PARTY_NOTICES, SECURITY, SUPPORT) and LICENSE link switched to
gitea.com/.../src/branch/main/. ChatTwo upstream link stays on GitHub.
The comment on BrandingLinks claimed a follow-up housekeeping sweep was
"out of scope for this Cycle" — that Cycle framing no longer matches how
Plan v4 schedules the work. Trim the trailing clause; the rest of the
comment still documents the housekeeping intent.
Re-encodes the four existing screenshots and the docs/images forge banner
to 8-bit indexed-color PNGs. Total asset payload drops from ~3.87 MB to
~311 KB (92% smaller) without visible quality loss in the README/forge
post rendering.
Adds the four brand-logo variants designed by Florian Eck and credited
in COPYRIGHT (Visual assets section): the Hellion Online Media wordmark,
the square Hellion crest, the horizontal Hellion Forge color logo and
the Discord-sized hammer mark. All variants live in docs/images/ so the
forge post and README can reference them without polluting the in-game
plugin payload under HellionChat/images/.
Visual assets are NOT covered by the EUPL-1.2 source code licence; their
licensing terms are documented in COPYRIGHT.
Renames HellionChat/SelfTest/ to HellionChat/SelfTests/ (plural) to
match the folder convention used throughout the Build Suite Plan v4
Phase 6 file list. The singular name was introduced as a known
discrepancy in cb327b8 and is now resolved.
- git mv preserves full history via rename detection
- Namespace updated: HellionChat.SelfTest → HellionChat.SelfTests
- Plugin.cs qualifier updated: SelfTest. → SelfTests.
- Build: 0 errors, 0 warnings
Registers a single SelfTestStep that exercises Plugin.ThemeRegistry.Switch
through the live theme list. Verified in-game via /xldev SelfTest tab on
2026-05-08; Plugin loads cleanly with the RegisterTestSteps call and the
step runs the theme cycle as expected.
Folder is HellionChat/SelfTest/ (singular). Future steps may rename to
SelfTests/ to match the local Plan v4 convention.
ChatBox.SendMessage reads bytes from ValidateMessage so Encoding.UTF8.GetBytes
runs once per send. ValidateMessage takes an injectable sanitiser so xUnit can
exercise the length-equality gate without ClientStructs game memory.
CompactInputSubmitter and CompactInputHistoryNavigator lift the deterministic
parts of ChatInputBar's pop-out submit and history-up/down callback into POCO
helpers under HellionChat/_Helpers/. The ImGui buffer splice
(DeleteChars/InsertChars) stays at the call site because it needs the live
callback data.
Behavior is identical to the previous inline implementation; tests in the
local Build Suite repo pin the contracts.
Establishes the local pre-push gate. preflight.sh runs four blocks: version
consistency, manifest shape (Icon plus all ImageUrls), changelog sync, plus a
release build as compile-health smoke. setup-hooks.sh wires core.hooksPath to
.githooks. .gitignore opens scripts/ for tracking (setup-dev-env.sh stays
private). Test execution itself lives in a separate local repository and is
not part of this codebase.
Hellion Chat 1.4.0 — Critical Lifecycle Fixes
Seven P0 lifecycle and race bugs eliminated before any performance refactor.
Plus version bump, manifest sync, changelog, forge-post.
Match the new HellionChat comment-length convention: 1-3 lines for
standard pitfall notes, 5+ only for non-trivial workarounds. The
previous Dispose comment was 14 lines of textbook prose, which veered
into AI-slop territory and would rot on the next refactor.
JonKazama-Hellion
renovate-bot