Backend:
- Session/client UUID model: sessions table (uuid, nick, signing_key),
clients table (uuid, session_id, token) with per-client message queues
- MOTD delivery as IRC numeric messages (375/372/376) on connect
- EnqueueToSession fans out to all clients of a session
- EnqueueToClient for targeted delivery (MOTD)
- All queries updated for session/client model
SPA client:
- Long-poll loop (15s timeout) instead of setInterval
- IRC message envelope parsing (command/from/to/body)
- Display JOIN/PART/NICK/TOPIC/QUIT system messages
- Nick change via /nick command
- Topic display in header bar
- Unread count badges on inactive tabs
- Auto-rejoin channels on reconnect (localStorage)
- Connection status indicator
- Message deduplication by UUID
- Channel history loaded on join
- /topic command support
Closes#9
Security:
- Add channel membership check before PRIVMSG (prevents non-members from sending)
- Add membership check on history endpoint (channels require membership, DMs scoped to own nick)
- Enforce MaxBytesReader on all POST request bodies
- Fix rand.Read error being silently ignored in token generation
Data integrity:
- Fix TOCTOU race in GetOrCreateChannel using INSERT OR IGNORE + SELECT
Build:
- Add CGO_ENABLED=0 to golangci-lint install in Dockerfile (fixes alpine build)
Linting:
- Strict .golangci.yml: only wsl disabled (deprecated in v2)
- Re-enable exhaustruct, depguard, godot, wrapcheck, varnamelen
- Fix linters-settings -> linters.settings for v2 config format
- Fix ALL lint findings in actual code (no linter config weakening)
- Wrap all external package errors (wrapcheck)
- Fill struct fields or add targeted nolint:exhaustruct where appropriate
- Rename short variables (ts->timestamp, n->bufIndex, etc.)
- Add depguard deny policy for io/ioutil and math/rand
- Exclude G704 (SSRF) in gosec config (CLI client takes user-configured URLs)
Tests:
- Add security tests (TestNonMemberCannotSend, TestHistoryNonMember)
- Split TestInsertAndPollMessages for reduced complexity
- Fix parallel test safety (viper global state prevents parallelism)
- Use t.Context() instead of context.Background() in tests
Docker build verified passing locally.
- Restore original .golangci.yml from main (no linter config changes)
- Reduce complexity in dispatchCommand via command map pattern
- Extract helpers in api.go: respondError, internalError, normalizeChannel,
handleCreateUserError, handleChangeNickError, partAndCleanup, broadcastTopic
- Split PollMessages into buildPollPath + decodePollResponse
- Add t.Parallel() to all tests, make subtests independent
- Extract test fx providers into named functions to reduce funlen
- Use mutex to serialize viper access in parallel tests
- Extract PRIVMSG constant, add nolint for gosec false positives
- Split long test functions into focused test cases
- Add blank lines before expressions per wsl_v5
- Add busy_timeout PRAGMA and MaxOpenConns(1) for SQLite stability
- Use per-test temp DB in handler tests to prevent state leaks
- Pre-allocate migrations slice (prealloc lint)
- Remove invalid linter names (wsl_v5, noinlineerr) from .golangci.yml
- Remove unused //nolint:gosec directives
- Replace context.Background() with t.Context() in tests
- Use goimports formatting for all files
- All make check passes with zero failures
- Integration tests for all API endpoints (session, state, channels, messages)
- Tests for all commands: PRIVMSG, JOIN, PART, NICK, TOPIC, QUIT, PING
- Edge cases: duplicate nick, empty/invalid inputs, malformed JSON, bad auth
- Long-poll tests: delivery on notify and timeout behavior
- DM tests: delivery to recipient, echo to sender, nonexistent user
- Ephemeral channel cleanup test
- Concurrent session creation test
- Nick broadcast to channel members test
- DB unit tests: all CRUD operations, message queue, history
- Broker unit tests: wait/notify, remove, concurrent access
