feat: per-channel hashcash proof-of-work for PRIVMSG anti-spam (#79)

closes #12

## Summary

Implements per-channel hashcash proof-of-work requirement for PRIVMSG as an anti-spam mechanism. Channel operators set a difficulty level via `MODE +H <bits>`, and clients must compute a proof-of-work stamp bound to the channel name and message body before sending.

## Changes

### Database
- Added `hashcash_bits` column to `channels` table (default 0 = no requirement)
- Added `spent_hashcash` table with `stamp_hash` unique key and `created_at` for TTL pruning
- New queries: `GetChannelHashcashBits`, `SetChannelHashcashBits`, `RecordSpentHashcash`, `IsHashcashSpent`, `PruneSpentHashcash`

### Hashcash Validation (`internal/hashcash/channel.go`)
- `ChannelValidator` type for per-channel stamp validation
- `BodyHash()` computes hex-encoded SHA-256 of message body
- `StampHash()` computes deterministic hash of stamp for spent-token key
- `MintChannelStamp()` generates valid stamps (for clients)
- Stamp format: `1:bits:YYMMDD:channel:bodyhash:counter`
- Validates: version, difficulty, date freshness (48h), channel binding, body hash binding, proof-of-work

### Handler Changes (`internal/handlers/api.go`)
- `validateChannelHashcash()` + `verifyChannelStamp()` — checks hashcash on PRIVMSG to protected channels
- `extractHashcashFromMeta()` — parses hashcash stamp from meta JSON
- `applyChannelMode()` / `setHashcashMode()` / `clearHashcashMode()` — MODE +H/-H support
- `queryChannelMode()` — shows +nH in mode query when hashcash is set
- Meta field now passed through the full dispatch chain (dispatchCommand → handlePrivmsg → handleChannelMsg → sendChannelMsg → fanOut → InsertMessage)
- ISUPPORT updated: `CHANMODES=,H,,imnst` (H in type B = parameter when set)

### Replay Prevention
- Spent stamps persisted to SQLite `spent_hashcash` table
- 1-year TTL (per issue requirements)
- Automatic pruning in cleanup loop

### Client Support (`internal/cli/api/hashcash.go`)
- `MintChannelHashcash(bits, channel, body)` — computes stamps for channel messages

### Tests
- **12 unit tests** in `internal/hashcash/channel_test.go`: happy path, wrong channel, wrong body hash, insufficient bits, zero bits skip, bad format, bad version, expired stamp, missing body hash, body hash determinism, stamp hash, mint+validate round-trip
- **10 integration tests** in `internal/handlers/api_test.go`: set mode, query mode, clear mode, reject no stamp, accept valid stamp, reject replayed stamp, no requirement works, invalid bits range, missing bits arg

### README
- Added `+H` to channel modes table
- Added "Per-Channel Hashcash (Anti-Spam)" section with full documentation
- Updated `meta` field description to mention hashcash

## How It Works

1. Channel operator sets requirement: `MODE #general +H 20` (20 bits)
2. Client mints stamp: computes SHA-256 hashcash bound to `#general` + SHA-256(body)
3. Client sends PRIVMSG with `meta.hashcash` field containing the stamp
4. Server validates stamp, checks spent cache, records as spent, relays message
5. Replayed stamps are rejected for 1 year

## Docker Build

`docker build .` passes clean (formatting, linting, all tests).

Co-authored-by: user <user@Mac.lan guest wan>
Co-authored-by: Jeffrey Paul <sneak@noreply.example.org>
Reviewed-on: #79
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

internal/db/queries.go

@@ -1305,3 +1305,110 @@ func (database *Database) GetQueueEntryCount(
 
 	return count, nil
 }
+
+// GetChannelHashcashBits returns the hashcash difficulty
+// requirement for a channel. Returns 0 if not set.
+func (database *Database) GetChannelHashcashBits(
+	ctx context.Context,
+	channelID int64,
+) (int, error) {
+	var bits int
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT hashcash_bits FROM channels WHERE id = ?",
+		channelID,
+	).Scan(&bits)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get channel hashcash bits: %w", err,
+		)
+	}
+
+	return bits, nil
+}
+
+// SetChannelHashcashBits sets the hashcash difficulty
+// requirement for a channel. A value of 0 disables the
+// requirement.
+func (database *Database) SetChannelHashcashBits(
+	ctx context.Context,
+	channelID int64,
+	bits int,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET hashcash_bits = ?, updated_at = ?
+		 WHERE id = ?`,
+		bits, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf(
+			"set channel hashcash bits: %w", err,
+		)
+	}
+
+	return nil
+}
+
+// RecordSpentHashcash stores a spent hashcash stamp hash
+// for replay prevention.
+func (database *Database) RecordSpentHashcash(
+	ctx context.Context,
+	stampHash string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`INSERT OR IGNORE INTO spent_hashcash
+		 (stamp_hash, created_at)
+		 VALUES (?, ?)`,
+		stampHash, time.Now())
+	if err != nil {
+		return fmt.Errorf(
+			"record spent hashcash: %w", err,
+		)
+	}
+
+	return nil
+}
+
+// IsHashcashSpent checks whether a hashcash stamp hash
+// has already been used.
+func (database *Database) IsHashcashSpent(
+	ctx context.Context,
+	stampHash string,
+) (bool, error) {
+	var count int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT COUNT(*) FROM spent_hashcash
+		 WHERE stamp_hash = ?`,
+		stampHash,
+	).Scan(&count)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check spent hashcash: %w", err,
+		)
+	}
+
+	return count > 0, nil
+}
+
+// PruneSpentHashcash deletes spent hashcash tokens older
+// than the cutoff and returns the number of rows removed.
+func (database *Database) PruneSpentHashcash(
+	ctx context.Context,
+	cutoff time.Time,
+) (int64, error) {
+	res, err := database.conn.ExecContext(ctx,
+		"DELETE FROM spent_hashcash WHERE created_at < ?",
+		cutoff,
+	)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"prune spent hashcash: %w", err,
+		)
+	}
+
+	deleted, _ := res.RowsAffected()
+
+	return deleted, nil
+}