Loothing

Fixed

• Trade window no longer throws a "secret string value" error when opening a trade. Opening a trade with another player while certain WoW UI elements were under combat protection caused the trade handler to abort with a Lua error — the queued items would not auto-add and the rejection-on-no-pending check could not run. Loothing now reads the trade partner's name through the protected-value safe path, falls back to the trade partner's unit when needed, and preserves cross-realm and connected-realm names so queued items resume auto-adding correctly.
• Whisper commands stopped throwing "tainted by Loothing" errors during raid combat. The whisper handler used to apply a tostring() "detaint" step that itself threw on protected whisper payloads. The handler now drops protected payloads cleanly without surfacing an error to the chat frame, so !need / !greed / !pass whispers keep working in raid combat.
• Personal loot tracking no longer errors during raid combat. Receive loot chat parsing is now skipped when the underlying message is protected, instead of throwing on the regex match. Saved personal-loot history continues to populate normally outside of tainted contexts.
• Loot ingestion no longer aborts on protected ENCOUNTER_LOOT_RECEIVED payloads. The loot dedup pass uses the same name-comparison helper as the rest of the addon, so a protected looter name now early-returns instead of throwing inside the buffer loop. Trade-queue updates for items the local player loots continue normally.
• Trace logging for loot events stays safe under combat taint. Internal loot trace lines that interpolate the looter name now use the protected-value placeholder instead of tostring(), so debug logging never aborts a session-add.
• Logout export survives /reload mid-encounter. The Tauri companion-app export written at PLAYER_LOGOUT now uses the protected-value-safe player name and class accessors, so a /reload during a raid pull no longer throws while writing the export.
• Version-check responses are now restricted to your group or guild. The version-response handler used to accept payloads from any peer that knew the addon prefix; it now only accepts responses from group members or via the guild distribution channel, preventing a hostile peer from polluting the version display or PlayerCache.
• Council table vote button is safe against rapid row recycling. The vote button click handler now guards against the brief window where a row's candidate has been cleared by the row pool but the button has not yet been re-skinned — a very fast click during a refresh will no longer trigger a Lua error.
• Trade queue no longer keeps items the addon can never look up again. If the winner's name could not be normalized (a corner case under combat protection), the trade-queue insert now refuses the entry instead of saving a placeholder that would sit invisible for two hours before expiring.
• Trade fallback timer no longer mis-attributes a trade if you immediately open a new one. The 0.5-second TRADE_CLOSED fallback that watches bag deltas to detect a successful trade now bails out if a fresh trade window has opened in the meantime, eliminating the rare "wrong recipient" mark when chaining trades back-to-back.
• ml.printCompletedTrades default is now respected when settings are not yet ready. A timing edge case could print a trade-completion line even when the user had the print disabled (or before settings finished loading); the fallback now matches the documented default of off.
• Cross-addon canvas/note sync no longer errors when comparing your own messages. The sender check uses the protected-value-safe name accessor, so a message arriving during combat protection no longer aborts the ignore-self comparison.
• Version-check player cache updates skip protected GUIDs. When a roster unit's GUID was protected, writing it as a cache key would throw; the update is now skipped cleanly instead.

Hardened

• Network message dedup window now drains on idle clients. The 30-second sweep that purges expired dedup keys was previously gated behind incoming traffic — an idle raid (between pulls, post-wipe, awaiting summons) would hold dead keys until the next inbound message. The sweep now runs on a real timer, so memory is reclaimed on schedule regardless of traffic.
• Batched outgoing messages avoid an extra allocation per flush. The internal batch coalescer now hands the pooled message table directly to the encoder instead of copying it before release, restoring the GC-pressure savings the pool was designed for.
• Throttle/debounce trailing edge clamps to a non-negative timer interval. A floating-point edge case at the boundary between leading and trailing fire is now clamped at zero so C_Timer.NewTimer is never called with a negative remaining interval.
• Council membership CANDIDATE_UPDATE handler authorizes before logging. Forged updates from non-master-looter peers are now rejected before triggering the inner-payload diagnostic log, removing one source of debug-frame noise.