feat: implement Tier 2 channel modes (+b/+i/+s/+k/+l)

Implement the second tier of IRC channel features:

1. Ban system (+b): Add/remove/list bans with wildcard matching.
   Bans prevent both joining and sending messages.
   Schema: channel_bans table with mask, set_by, created_at.

2. Invite-only (+i): Channel mode requiring invitation to join.
   INVITE command for operators. Invites stored in DB and
   cleared after successful JOIN.

3. Secret (+s): Hides channel from LIST for non-members and
   from WHOIS channel lists when querier is not in same channel.

4. Channel key (+k): Password-protected channels. Key required
   on JOIN, set/cleared by operators.

5. User limit (+l): Maximum member count enforcement. Rejects
   JOIN when channel is at capacity.

Updated ISUPPORT CHANMODES to b,k,Hl,imnst.
Updated RPL_MYINFO available modes to ikmnostl.
Comprehensive tests for all features at both DB and handler levels.
README updated with full documentation of all new modes.

closes #86

internal/db/queries.go

@@ -9,6 +9,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
@@ -1835,3 +1836,534 @@ func (database *Database) PruneSpentHashcash(
 
 	return deleted, nil
 }
+
+// --- Tier 2: Ban system (+b) ---
+
+// BanInfo represents a channel ban entry.
+type BanInfo struct {
+	Mask      string
+	SetBy     string
+	CreatedAt time.Time
+}
+
+// AddChannelBan inserts a ban mask for a channel.
+func (database *Database) AddChannelBan(
+	ctx context.Context,
+	channelID int64,
+	mask, setBy string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`INSERT OR IGNORE INTO channel_bans
+		 (channel_id, mask, set_by, created_at)
+		 VALUES (?, ?, ?, ?)`,
+		channelID, mask, setBy, time.Now())
+	if err != nil {
+		return fmt.Errorf("add channel ban: %w", err)
+	}
+
+	return nil
+}
+
+// RemoveChannelBan removes a ban mask from a channel.
+func (database *Database) RemoveChannelBan(
+	ctx context.Context,
+	channelID int64,
+	mask string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`DELETE FROM channel_bans
+		 WHERE channel_id = ? AND mask = ?`,
+		channelID, mask)
+	if err != nil {
+		return fmt.Errorf("remove channel ban: %w", err)
+	}
+
+	return nil
+}
+
+// ListChannelBans returns all bans for a channel.
+//
+//nolint:dupl // different query+type vs filtered variant
+func (database *Database) ListChannelBans(
+	ctx context.Context,
+	channelID int64,
+) ([]BanInfo, error) {
+	rows, err := database.conn.QueryContext(ctx,
+		`SELECT mask, set_by, created_at
+		 FROM channel_bans
+		 WHERE channel_id = ?
+		 ORDER BY created_at ASC`,
+		channelID)
+	if err != nil {
+		return nil, fmt.Errorf("list channel bans: %w", err)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var bans []BanInfo
+
+	for rows.Next() {
+		var ban BanInfo
+
+		if scanErr := rows.Scan(
+			&ban.Mask, &ban.SetBy, &ban.CreatedAt,
+		); scanErr != nil {
+			return nil, fmt.Errorf(
+				"scan channel ban: %w", scanErr,
+			)
+		}
+
+		bans = append(bans, ban)
+	}
+
+	if rowErr := rows.Err(); rowErr != nil {
+		return nil, fmt.Errorf(
+			"iterate channel bans: %w", rowErr,
+		)
+	}
+
+	return bans, nil
+}
+
+// IsSessionBanned checks if a session's hostmask matches
+// any ban in the channel. Returns true if banned.
+func (database *Database) IsSessionBanned(
+	ctx context.Context,
+	channelID, sessionID int64,
+) (bool, error) {
+	// Get the session's hostmask parts.
+	var nick, username, hostname string
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT nick, username, hostname
+		 FROM sessions WHERE id = ?`,
+		sessionID,
+	).Scan(&nick, &username, &hostname)
+	if err != nil {
+		return false, fmt.Errorf(
+			"get session hostmask: %w", err,
+		)
+	}
+
+	hostmask := FormatHostmask(nick, username, hostname)
+
+	// Get all ban masks for the channel.
+	bans, banErr := database.ListChannelBans(ctx, channelID)
+	if banErr != nil {
+		return false, banErr
+	}
+
+	for _, ban := range bans {
+		if MatchBanMask(ban.Mask, hostmask) {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+// MatchBanMask checks if hostmask matches a ban pattern
+// using IRC-style wildcard matching (* and ?).
+func MatchBanMask(pattern, hostmask string) bool {
+	return wildcardMatch(
+		strings.ToLower(pattern),
+		strings.ToLower(hostmask),
+	)
+}
+
+// wildcardMatch implements simple glob-style matching
+// with * (any sequence) and ? (any single character).
+func wildcardMatch(pattern, str string) bool {
+	for len(pattern) > 0 {
+		switch pattern[0] {
+		case '*':
+			// Skip consecutive asterisks.
+			for len(pattern) > 0 && pattern[0] == '*' {
+				pattern = pattern[1:]
+			}
+
+			if len(pattern) == 0 {
+				return true
+			}
+
+			for i := 0; i <= len(str); i++ {
+				if wildcardMatch(pattern, str[i:]) {
+					return true
+				}
+			}
+
+			return false
+		case '?':
+			if len(str) == 0 {
+				return false
+			}
+
+			pattern = pattern[1:]
+			str = str[1:]
+		default:
+			if len(str) == 0 || pattern[0] != str[0] {
+				return false
+			}
+
+			pattern = pattern[1:]
+			str = str[1:]
+		}
+	}
+
+	return len(str) == 0
+}
+
+// --- Tier 2: Invite-only (+i) ---
+
+// IsChannelInviteOnly checks if a channel has +i mode.
+func (database *Database) IsChannelInviteOnly(
+	ctx context.Context,
+	channelID int64,
+) (bool, error) {
+	var isInviteOnly int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT is_invite_only FROM channels
+		 WHERE id = ?`,
+		channelID,
+	).Scan(&isInviteOnly)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check invite only: %w", err,
+		)
+	}
+
+	return isInviteOnly != 0, nil
+}
+
+// SetChannelInviteOnly sets or unsets +i mode.
+func (database *Database) SetChannelInviteOnly(
+	ctx context.Context,
+	channelID int64,
+	inviteOnly bool,
+) error {
+	val := 0
+	if inviteOnly {
+		val = 1
+	}
+
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET is_invite_only = ?, updated_at = ?
+		 WHERE id = ?`,
+		val, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf(
+			"set invite only: %w", err,
+		)
+	}
+
+	return nil
+}
+
+// AddChannelInvite records that a session has been
+// invited to a channel.
+func (database *Database) AddChannelInvite(
+	ctx context.Context,
+	channelID, sessionID int64,
+	invitedBy string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`INSERT OR IGNORE INTO channel_invites
+		 (channel_id, session_id, invited_by, created_at)
+		 VALUES (?, ?, ?, ?)`,
+		channelID, sessionID, invitedBy, time.Now())
+	if err != nil {
+		return fmt.Errorf("add channel invite: %w", err)
+	}
+
+	return nil
+}
+
+// HasChannelInvite checks if a session has been invited
+// to a channel.
+func (database *Database) HasChannelInvite(
+	ctx context.Context,
+	channelID, sessionID int64,
+) (bool, error) {
+	var count int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT COUNT(*) FROM channel_invites
+		 WHERE channel_id = ? AND session_id = ?`,
+		channelID, sessionID,
+	).Scan(&count)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check invite: %w", err,
+		)
+	}
+
+	return count > 0, nil
+}
+
+// ClearChannelInvite removes a session's invite to a
+// channel (called after successful JOIN).
+func (database *Database) ClearChannelInvite(
+	ctx context.Context,
+	channelID, sessionID int64,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`DELETE FROM channel_invites
+		 WHERE channel_id = ? AND session_id = ?`,
+		channelID, sessionID)
+	if err != nil {
+		return fmt.Errorf("clear invite: %w", err)
+	}
+
+	return nil
+}
+
+// --- Tier 2: Secret (+s) ---
+
+// IsChannelSecret checks if a channel has +s mode.
+func (database *Database) IsChannelSecret(
+	ctx context.Context,
+	channelID int64,
+) (bool, error) {
+	var isSecret int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT is_secret FROM channels
+		 WHERE id = ?`,
+		channelID,
+	).Scan(&isSecret)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check secret: %w", err,
+		)
+	}
+
+	return isSecret != 0, nil
+}
+
+// SetChannelSecret sets or unsets +s mode.
+func (database *Database) SetChannelSecret(
+	ctx context.Context,
+	channelID int64,
+	secret bool,
+) error {
+	val := 0
+	if secret {
+		val = 1
+	}
+
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET is_secret = ?, updated_at = ?
+		 WHERE id = ?`,
+		val, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf("set secret: %w", err)
+	}
+
+	return nil
+}
+
+// ListAllChannelsWithCountsFiltered returns all channels
+// with member counts, excluding secret channels that
+// the given session is not a member of.
+//
+//nolint:dupl // different query+type vs ListChannelBans
+func (database *Database) ListAllChannelsWithCountsFiltered(
+	ctx context.Context,
+	sessionID int64,
+) ([]ChannelInfoFull, error) {
+	rows, err := database.conn.QueryContext(ctx,
+		`SELECT c.name, COUNT(cm.id) AS member_count,
+		        c.topic
+		 FROM channels c
+		 LEFT JOIN channel_members cm
+		   ON cm.channel_id = c.id
+		 WHERE c.is_secret = 0
+		    OR c.id IN (
+		       SELECT channel_id FROM channel_members
+		       WHERE session_id = ?
+		    )
+		 GROUP BY c.id
+		 ORDER BY c.name ASC`,
+		sessionID)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"list channels filtered: %w", err,
+		)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var channels []ChannelInfoFull
+
+	for rows.Next() {
+		var chanInfo ChannelInfoFull
+
+		if scanErr := rows.Scan(
+			&chanInfo.Name,
+			&chanInfo.MemberCount,
+			&chanInfo.Topic,
+		); scanErr != nil {
+			return nil, fmt.Errorf(
+				"scan channel: %w", scanErr,
+			)
+		}
+
+		channels = append(channels, chanInfo)
+	}
+
+	if rowErr := rows.Err(); rowErr != nil {
+		return nil, fmt.Errorf(
+			"iterate channels: %w", rowErr,
+		)
+	}
+
+	return channels, nil
+}
+
+// GetSessionChannelsFiltered returns channels a session
+// belongs to, optionally excluding secret channels for
+// WHOIS (when the querier is not in the same channel).
+// If querierID == targetID, returns all channels.
+func (database *Database) GetSessionChannelsFiltered(
+	ctx context.Context,
+	targetSID, querierSID int64,
+) ([]ChannelInfo, error) {
+	// If querying yourself, return all channels.
+	if targetSID == querierSID {
+		return database.GetSessionChannels(ctx, targetSID)
+	}
+
+	rows, err := database.conn.QueryContext(ctx,
+		`SELECT c.id, c.name, c.topic
+		 FROM channels c
+		 JOIN channel_members cm
+		   ON cm.channel_id = c.id
+		 WHERE cm.session_id = ?
+		   AND (c.is_secret = 0
+		        OR c.id IN (
+		           SELECT channel_id FROM channel_members
+		           WHERE session_id = ?
+		        ))
+		 ORDER BY c.name ASC`,
+		targetSID, querierSID)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"get session channels filtered: %w", err,
+		)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var channels []ChannelInfo
+
+	for rows.Next() {
+		var chanInfo ChannelInfo
+
+		if scanErr := rows.Scan(
+			&chanInfo.ID,
+			&chanInfo.Name,
+			&chanInfo.Topic,
+		); scanErr != nil {
+			return nil, fmt.Errorf(
+				"scan channel: %w", scanErr,
+			)
+		}
+
+		channels = append(channels, chanInfo)
+	}
+
+	if rowErr := rows.Err(); rowErr != nil {
+		return nil, fmt.Errorf(
+			"iterate channels: %w", rowErr,
+		)
+	}
+
+	return channels, nil
+}
+
+// --- Tier 2: Channel Key (+k) ---
+
+// GetChannelKey returns the key for a channel (empty
+// string means no key set).
+func (database *Database) GetChannelKey(
+	ctx context.Context,
+	channelID int64,
+) (string, error) {
+	var key string
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT channel_key FROM channels
+		 WHERE id = ?`,
+		channelID,
+	).Scan(&key)
+	if err != nil {
+		return "", fmt.Errorf("get channel key: %w", err)
+	}
+
+	return key, nil
+}
+
+// SetChannelKey sets or clears the key for a channel.
+func (database *Database) SetChannelKey(
+	ctx context.Context,
+	channelID int64,
+	key string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET channel_key = ?, updated_at = ?
+		 WHERE id = ?`,
+		key, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf("set channel key: %w", err)
+	}
+
+	return nil
+}
+
+// --- Tier 2: User Limit (+l) ---
+
+// GetChannelUserLimit returns the user limit for a
+// channel (0 means no limit).
+func (database *Database) GetChannelUserLimit(
+	ctx context.Context,
+	channelID int64,
+) (int, error) {
+	var limit int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT user_limit FROM channels
+		 WHERE id = ?`,
+		channelID,
+	).Scan(&limit)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get channel user limit: %w", err,
+		)
+	}
+
+	return limit, nil
+}
+
+// SetChannelUserLimit sets the user limit for a channel.
+func (database *Database) SetChannelUserLimit(
+	ctx context.Context,
+	channelID int64,
+	limit int,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET user_limit = ?, updated_at = ?
+		 WHERE id = ?`,
+		limit, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf(
+			"set channel user limit: %w", err,
+		)
+	}
+
+	return nil
+}