StarChat | Chat Plugin v1.2.2

Security hardening release. No breaking changes — drop-in upgrade. Following the recent "hack your server via chat" videos going around, I audited StarChat against the MiniMessage privilege-escalation exploit (a player writes a clickable message, an admin clicks it, the command runs as the admin). StarChat was NOT vulnerable to that exploit — it uses the legacy component serializer, which cannot produce click events from chat text, and its tag parser rejects the syntax outright. Nothing to fix there. However the audit found a smaller, related issue and 1.2.2 closes it:

• Chat colour-code gate. Previously any player could put &-codes / hex / formatting inside their own message — enabling rank spoofing (&4&l[Owner]) and &k obfuscated spam. Now colour/format in the message body requires the permission starchat.chat.color (default: op).
• New toggle Features.message-colors.require-permission in settings.yml — set it to false to keep the old "everyone can colour" behaviour.
• The server chat format, prefixes and the /chatcolor selector are unaffected — only the text the player types.

Recommended for every server. Give your trusted ranks starchat.chat.color via LuckPerms and you are done.

Smaller download, identical functionality.

The 1.2.0 jar shipped with native SQLite drivers for 23 CPU/OS combinations (Android, FreeBSD, PowerPC, RISC-V, ARM v6/v7, etc.) baked in — about 14 MB of platform-specific binaries that almost no production server actually used.

In 1.2.1 the SQLite driver is declared as a Paper runtime library instead:

• Servers using H2 (default) or MySQL don't download a single SQLite byte.
• Servers that opt into database.type: SQLITE have Paper auto-fetch the driver on first boot — only the native lib for the host's CPU.
• Plain jar: 17 MB → 3.0 MB. ProGuard release jar: 16 MB → 2.2 MB (-86%).

No config or behaviour change. Drop-in upgrade.

- A bug that increased the size of the plugin has been fixed

Big release. Rewrites the chat filter to close a stack of bypasses, makes the
plugin Folia-safe end-to-end, adds SQLite support and server telemetry, and fixes
every persistence bug found in our internal audit. Recommended upgrade for every server.

Added​

• SQLite support alongside H2, MySQL and MariaDB. Single-file DB at
  plugins/StarChat/database/starchat.db.
• Filter is now fully configurable — each normalisation step (Unicode fold,
  colour-code strip, zero-width strip, IPv6 detection, dot-obfuscation collapse,
  minimum phone-number digit count) is an opt-out flag in chat-filter.yml so you
  can tune false positives for your community.
• Server telemetry on every heartbeat (player count, software, MC version, plugin
  version, uptime) — visible on your dashboard.
• 2-hour grace window for transient licence-server hiccups: a momentary outage
  no longer kicks a live server offline mid-tick.
• Dashboard: email notification preferences, history filter, live "Last heartbeat"
  column on the Servers panel.

Fixed​

• Folia: sound playback, mention titles, staff-chat actionbars and announcer
  broadcasts no longer crash when players are spread across multiple regions.
• Chat-filter bypasses: tp 1.2.3.4 no longer slips past as "coordinates", IPv6
  addresses are now detected, full-width / zero-width / colour-code obfuscation is
  normalised before matching, and the whitelist now requires an exact-host match
  (no more mc.yourserver.com.evil.tk substring tricks).
• Aggressive bad-word mode now strips separator characters before matching, so
  f.u.c.k, b a d, etc. don't pass the filter.
• /chatcolor and every per-player toggle (/ignoreall, /chatping, /chattoggle,
  /staffchat, /spymsg, /mutechat) now persist across restarts and reloads.
• Private messages, broadcasts, announcements and staff chat all run through the
  chat filter and respect the message-length cap. Previously they were a free bypass.
• /starchat showinv / showitem / showec cache keys are now random tokens — a
  player can no longer open another player's inventory snapshot by guessing the name.
• PlaceholderAPI is no longer evaluated on the body of player messages, so typing
  %vault_eco_balance% in chat does not leak the sender's balance.
• /starchat reload now refreshes every manager and feature task, not just the
  formatter and filter. Stale config no longer lingers after a reload.

Drop-in upgrade - No config migration required. New filter flags default to the
previous behaviour.

Need help upgrading? Join the Discord or open a ticket. Full changelog: starchat.minestar.me/changelog

• Fully Configurable ChatColor GUI: The /chatcolor menu is now 100% customizable via chat-color.yml. You can add unlimited custom colors, change materials, display names, and set specific permissions for each color. Automatic pagination is included!
• Advanced Chat Filter Persistence: Player infraction points and filter states are now thoroughly saved to the database. Punishments and warnings will perfectly persist even if players disconnect or the server restarts.
• Granular Filter Scoring & Spam Tracking: Added the ability to assign custom point values for different types of infractions (IPs, URLs, Bad-Words, Regex) directly in the config. Spam limit violations (cooldowns, similar messages, repeated characters) now correctly contribute to player warning points.
• Enhanced Filter Actions: Filter punishment actions now support a once-only toggle and can shoot direct notify-player warning messages to offenders when triggered.
• Critical Performance & Memory Fixes: Fixed severe memory leaks and task cancellation bugs related to Minigames, StaffChat actionbars, and Announcements, specifically greatly improving performance and stability on Folia servers.

- Fixed /clearchat command,

- Fixed several bugs, improved performance, and added some new features.

- Added the ability to use StarChat completely free of charge. Visit https://starchat.minestar.me/dashboard