Patch Notes

Room overflows + messenger invites

Overflow rooms now inherit their parent metadata and auto-create on demand; room invites open externally and clear once accepted.

• Overflow rooms are only created when needed, inherit category, entry phrase, advisory, topic, and legacy ID from the base room, and auto-close 8 hours after going empty.
• System room joins auto-route to the next overflow when full and inform users which room they landed in.
• Knock command disabled; full-room messaging now suggests /join only.
• Messenger room invites de-duplicate across events, open in a separate tab/window without navigating the messenger, and dismiss after acceptance.

Status presets and live presence

Restored always-visible status controls and made dropdown presets instantly publish status text to chat.

• Status dropdown and message box are visible by default in messenger, matching the original UX.
• Picking a preset (Busy/Away/DND/etc.) now fills and sends the status message immediately; custom messages still work.
• Status messages are allowed for online users so activity text updates live under names in the room list.
• Preset away panel keeps common canned messages and applies them in one click.

Firewall updates

Documented the latest firewall rule changes to keep chat and messenger ports exposed only as intended.

• Captured recent firewall adjustments in the patch log for ops visibility.
• Ensures chat WebSocket and messenger endpoints remain accessible while other ports stay restricted.

Access controls, rate limits, and upload hardening

Shorter-lived WS tokens, optional origin allowlist, per-user rate limits for chat/PMs/buddies/invites, status sanitization, safer uploads, DB least-privilege, and mysql2 patch.

• WS tokens now expire after 12 hours; optional origin allowlist via WS_ALLOWED_ORIGINS; per-IP connect rate limit with logging.
• Per-user rate limits: chat 30/min, PMs 20/min, buddy requests 10/min, room invites 10/min; auth failures and rate hits logged.
• Status messages stripped of HTML server-side before presence/userlist emit.
• Uploads: size/extension/MIME enforced; upload dir non-executable; WebP fallback saves original format; write-permission fix on chat_images.
• Database least privilege: app user limited to chatapp.* only.
• Dependencies: mysql2 bumped to 3.20.0; npm audit clean.

Status message sanitization

Hardened status message handling to strip HTML before storing/emitting presence.

• Server now strips tags and angle brackets from status messages before persisting/publishing presence.
• Prevents any embedded HTML from reaching user lists or overlays even if a client renders raw text.

User Data

Track every login event with device/network metadata

• Creates table structures for user_data.

Messenger-only signup + recovery flow

Dedicated messenger registration, recovery phrase capture, and remembered credentials for the desktop messenger.

• Added messenger-specific register page with the same validation rules as the main site and recovery phrase generation.
• New messenger recovery page shows the six-word phrase once and routes back to messenger login.
• Messenger login now remembers username/password when “Keep me logged in” is checked, streamlining re-entry.
• Room invites in messenger now de-duplicate and open rooms in an external browser window only.

Download safety warnings

Download page now emphasizes the uninstaller link and warns users to uninstall older builds before reinstalling.

• Added a blinking blue highlight to the ChatMessenger uninstaller download link so it stands out next to the installer.
• Inserted a yellow alert above the “Read Me Before Downloading” box advising users to uninstall previous installs before running a new one.
• Kept the alert hidden when the note is collapsed so the downloads section stays compact by default.

Homepage nav + download labels

Restored flashing Chat Login button, uninstaller highlight, uninstall warnings, and clearer download labels.

• Top nav now shows a flashing “Chat Login” button to match the previous design.
• Uninstaller download is highlighted with a cyan blink effect to stand out from the installer.
• Read-me box includes a visible uninstall-first warning plus in-text explanation.
• Download buttons renamed to Installer.exe, Uninstaller.exe, Install zip, Portable zip, Portable 7z.
• Footer includes About link for transparency.

Download readme + footer links

Added uninstall-first guidance to the downloads readme and exposed the About link in the homepage footer.

• Download “Read Me Before Downloading” now warns users to uninstall prior builds before running new installers.
• Footer includes an About link alongside Home, Downloads, Donate, and Support for better transparency.

Landing page + downloads

Homepage refreshed with messenger previews, sliders, and direct desktop download links.

• New hero sliders highlight messenger, login, profile, and rooms screens with autoplay controls.
• Download cards now link to the latest Chatterous Messenger builds (.zip and .7z).
• Updated marketing assets and styles (`images/*.webp`, `css/index.css`) to match the retro-modern look.

Standalone Messenger + PM sounds

Messenger now opens in its own window with buddy list controls, status picker, invites, and refreshed notification sounds.

• New messenger-only entry point (`chat-messenger.php`) that loads the external UI without falling back to rooms.
• Front-end (`js/chat-messenger.js`) now handles buddy refresh, PM windows, presence sync, context menu actions, and audio cues.
• Added bundled PM and presence sound effects so online/offline changes and requests surface audibly.

Long-lived sessions and device binding

Session and remember-me cookies now persist long-term and bind to a per-device identifier for trusted logins.

• Session and remember tokens use 10-year lifetimes with secure, HttpOnly, SameSite=Lax cookies.
• Each browser gets a device cookie that is hashed and stored in `user_devices` for trust checks on login.
• Remember tokens rotate after auto-login to limit replay risk while keeping users signed in.

Bug Reports

Track user-submitted bug reports with severity and reproduction steps.

• Creates table structures for bug_reports.

Active Users Socket ID

Add socket_id column to active_users to track websocket connections safely.

• Adds columns socket_id to active_users.
• Wraps the schema change in guard logic so the patch can be applied safely more than once.

User Privacy Chat Filters

Add profanity, spam, and caps chat filter toggles to user_privacy when absent.

• Adds columns filter_profanity to user_privacy.
• Adds columns filter_spam to user_privacy.
• Adds columns filter_caps to user_privacy.
• Wraps the schema change in guard logic so the patch can be applied safely more than once.

Users ID Constraints

Enforce primary key and unique username/email on users; abort when duplicates exist.

• Modifies existing column definitions on users.
• Removes obsolete indexes from users before rebuilding constraints.
• Adds or refreshes indexes and constraints on users.
• Wraps the schema change in guard logic so the patch can be applied safely more than once.
• Stops the migration when duplicate or invalid data would break the new constraint rules.

Active Users DND

Add do_not_disturb status to active_users and public presence enums.

• Modifies existing column definitions on active_users.

Active Users Presence Room

Add public room presence channel (separate from real room_name).

• Adds columns presence_room to active_users.
• Updates existing records in active_users.

Active Users Presence Site

Add public/site-facing presence status used to mask invisible users.

• Adds columns presence_site to active_users.
• Updates existing records in active_users.

Sub Profile Infojson Avatar

Sub-profile / profile display support patch 1) Ensure users.information_json exists (used by information.php + profile.php rendering) 2) Ensure profile/user avatars fall back to default-avatar.webp when empty

• Adds columns information_json to users.
• Modifies existing column definitions on profiles.
• Updates existing records in users and profiles.
• Wraps the schema change in guard logic so the patch can be applied safely more than once.

Users Branch Rename

Rename legacy users.service_rank column to branch when branch is missing.

• Modifies existing column definitions on users.
• Wraps the schema change in guard logic so the patch can be applied safely more than once.

Users Memory

Add remember-me flag so users can persist sessions across devices.

• Adds columns memory to users.

Users Service Rank

Add service_rank to capture a user's branch/grade metadata for future migration.

• Adds columns service_rank to users.

Privacy Default

Default PM privacy: allow messages from everyone unless user explicitly restricts.

• Modifies existing column definitions on user_privacy.
• Updates existing records in user_privacy.

Recovery Pending

Pending recovery phrase table to show once post-login

• Creates table structures for recovery_phrase_pending.

Recovery Phrase

Add recovery phrase hash to users for password changes

• Adds columns recovery_phrase_hash to users.

User IP Blocks

2026-02-22: record user IPs and allow precise IP blocking

• Creates table structures for user_ip_logs and blocked_ips.

Photos Albums

• Creates table structures for photo_albums.
• Adds columns album_id to user_photos.
• Adds or refreshes indexes and constraints on user_photos.

Wall Stories Colors

• Adds columns text_color and bg_color to wall_stories.

Pokes

• Creates table structures for user_pokes.

Virtual_pets

• Creates table structures for virtual_pets, user_pet_progress, virtual_pet_visits, and virtual_pet_relationships.

Remember Tokens

Persistent login tokens

• Creates table structures for remember_tokens.

Room Protected

• Adds columns is_protected to user_rooms.
• Updates existing records in user_rooms.

User Devices

• Creates table structures for user_devices.

Users Last IP

• Adds columns last_ip to users.

Courier Boosts

Courier job bonuses + temporary skill boosts

• Adds columns temp_skill_key, temp_skill_points, and temp_skill_until to pet_stats.
• Adds columns bonus_skill_key, bonus_points, bonus_seconds, and extra_xp to courier_jobs.
• Seeds or refreshes rows in courier_jobs.

Courier Collections Bulk

Auto-generated collections and items

• Seeds or refreshes rows in courier_collections and courier_collection_items.

Courier Collections

Collections (very rare sub-award)

• Creates table structures for courier_collections, courier_collection_items, and courier_collection_drops.
• Seeds or refreshes rows in courier_collections and courier_collection_items.

Courier Dedupe

Deduplicate courier_jobs and enforce unique names

• Adds or refreshes indexes and constraints on courier_jobs.

Courier Loot

Loot system for courier jobs

• Creates table structures for courier_loot_items and courier_loot_drops.
• Seeds or refreshes rows in courier_loot_items.

Courier Powersets

Powersets for pets

• Adds columns powerset, powerset_changed_at, and powerset_reset_token to pet_stats.

Courier Skills

Pet skills for Shadow Courier League

• Creates table structures for pet_skills.

Courier Stats

Add health/stamina resources for pets

• Adds columns health_current and stamina_current to pet_stats.

Courier

Shadow Courier League

• Creates table structures for courier_jobs, pet_stats, pet_job_cooldowns, pet_run_logs, crews, crew_members, and crew_stats.
• Seeds or refreshes rows in courier_jobs.

Pets

Pets system (Black Copper currency)

• Creates table structures for pet_credits, pet_ownerships, pet_owner_stats, and pet_transactions.

Birth Day

• Adds columns birth_day to users.

Birth Visibility

• Adds columns show_birth_month, show_birth_day, show_birth_year, and show_horoscope to users.

Blog Categories User

Per-user blog categories (admin can manage all)

• Adds columns user_id to blog_categories.
• Removes obsolete indexes from blog_categories before rebuilding constraints.
• Adds or refreshes indexes and constraints on blog_categories.

Blog Extensions

Blog categories and images

• Creates table structures for blog_categories, blog_post_categories, and blog_post_images.
• Seeds or refreshes rows in blog_categories.

Blog Moderation

Blog moderation and comment images

• Creates table structures for blog_comment_images.
• Adds columns locked to blog_posts.

Blog

Blog plugin tables

• Creates table structures for blog_posts and blog_comments.

Forked Videos

Forked video graph using YouTube embeds (public)

• Creates table structures for fork_videos, fork_choices, and fork_events.

Friends Favorites

• Creates table structures for friend_favorites.

Plugins

Plugin registry

• Creates table structures for plugins.
• Seeds or refreshes rows in plugins.

Profile Custom Sections

• Adds columns field_section to profile_custom_fields.

Show Birthdate

• Adds columns show_birthdate to users.

Wall Previews

Link previews for wall

• Creates table structures for wall_link_previews.

Wall Stories

Wall stories (short posts with optional images)

• Creates table structures for wall_stories and wall_story_images.

Wall

Site-wide wall: posts, comments, likes, shares, follows, and verification

• Creates table structures for user_verifications, wall_posts, wall_comments, wall_likes, wall_shares, and wall_follows.

Gift Catalog

Expand gift catalog

• Adds or refreshes indexes and constraints on gift_catalog.
• Seeds or refreshes rows in gift_catalog.

Gift Images Svg

Map gift names to /uploads/gifts/<slug>.svg

• Updates existing records in gift_catalog.

Gift Images

Map gift names to /uploads/gifts/<slug>.png

• Updates existing records in gift_catalog.

Gumball Phrases

Add gumball phrases (super powers)

• Adds or refreshes indexes and constraints on gumball_catalog.
• Seeds or refreshes rows in gumball_catalog.

Media Gifts

Media embeds + ratings + credits + gifts

• Creates table structures for media_items, media_ratings, user_credits, gift_catalog, and user_gifts.
• Seeds or refreshes rows in gift_catalog.

Perks

Credits transfers

• Creates table structures for credit_transfers, drink_catalog, user_drinks, badge_catalog, user_badges, gumball_catalog, user_gumballs, and user_gumball_awards.
• Seeds or refreshes rows in drink_catalog, badge_catalog, and gumball_catalog.

Room Filters Lists

Add allow/block lists

• Adds columns allowlist and blocklist to room_settings.

Room Filters Media

Room filter media toggles

• Adds columns allow_images and allow_youtube to room_settings.

Room Filters

Room filter settings

• Creates table structures for room_settings.