NeuroLag

[1.3.1] — Bug Fix Release

🐛 Fixed

• [CRITICAL] FOLLOW_RANGE stuck at 0 after mob returns near player Mobs whose FOLLOW_RANGE was zeroed by the pathfinding-distance optimiser were never restored when they re-entered a player's chunk radius. They would remain AI-enabled but permanently unable to pathfind, appearing frozen. Fix: restore FOLLOW_RANGE to defaultValue × multiplier inside the nearPlayer || hotRegion branch of applyAiBatched().

• [CRITICAL] ConcurrentModificationException on tpsHistory between main thread and HTTP thread tpsHistory was an ArrayDeque — not thread-safe. The Bukkit main thread writes to it every tick while the Web Dashboard HTTP thread pool iterates it on every /api/status request, causing intermittent exceptions. Fix: replaced with ConcurrentLinkedDeque. Added volatile to tpsSum, tpsCount, criticalActivations, and mediumActivations for JMM visibility.

• [CRITICAL] MySQL connection silently dies after DB restart or idle timeout A single Connection was reused indefinitely. When MySQL restarted or timed out, all subsequent sync calls threw SQLException silently, leaving multi-server sync permanently broken with no visible warning. Fix: added ensureConnected() that checks isClosed() and reconnects automatically before each upsertMysql() / readPeersMysql() call.

• [MEDIUM] autoRestoreOnError never works on first plugin startup The backup-restore safety net checked for existing backups before any had been created, so it could never restore on a fresh install. Fix: doBackup() is now called immediately at startup before the check.

• [MEDIUM] StressTestManager.finish() could run twice, emitting duplicate audit reports If the Bukkit scheduler fired the deferred finish() in the same tick as an early stop() call, both executions would complete and emit an audit report. Fix: finish() returns immediately if running is already false.

• [MEDIUM] Web API /api/cmd whitelist bypassable via prefix matching body.startsWith(a) allowed inputs like "reloadEvil" to pass the filter. Fix: the first token is extracted and matched exactly against the allowlist.

🔒 Security

• Web auth token warned when passed via URL query param ?token=xxx leaks into browser history and proxy logs. Authorization: Bearer header is now the primary path; query-param auth logs a one-time warning.

⚡ Performance

• Redis publisher now uses JedisPool A fresh TCP connection was opened and closed every 5 seconds. A bounded JedisPool (max 8 / idle 2) is created at startup and shared by publisher and subscriber, eliminating per-publish connection overhead.

---