Add SHA-256-based hashcash proof-of-work requirement to POST /session
to prevent abuse via rapid session creation. The server advertises the
required difficulty via GET /server (hashcash_bits field), and clients
must include a valid stamp in the X-Hashcash request header.
Server-side:
- New internal/hashcash package with stamp validation (format, bits,
date, resource, replay prevention via in-memory spent set)
- Config: NEOIRC_HASHCASH_BITS env var (default 20, set 0 to disable)
- GET /server includes hashcash_bits when > 0
- POST /session validates X-Hashcash header when enabled
- Returns HTTP 402 for missing/invalid stamps
Client-side:
- SPA: fetches hashcash_bits from /server, computes stamp using Web
Crypto API with batched SHA-256, shows 'Computing proof-of-work...'
feedback during computation
- CLI: api package gains MintHashcash() function, CreateSession()
auto-fetches server info and computes stamp when required
Stamp format: 1:bits:YYMMDD:resource::counter (standard hashcash)
closes #11
