feat: add Content-Security-Policy header for embedded web SPA

Set CSP header on all SPA-served responses to provide defense-in-depth against XSS. The policy restricts scripts, styles, and all other resource types to same-origin only, matching the SPA's actual behavior (external CSS/JS files, same-origin fetch API calls, no WebSockets or external resources).
2026-03-10 03:17:55 -07:00
18 changed files with 236 additions and 1098 deletions
--- a/README.md
+++ b/README.md
@@ -249,8 +249,8 @@ Key properties:
 - **Ordered**: Queue entries have monotonically increasing IDs. Messages are
  always delivered in order within a client's queue.
 - **No delivery/read receipts** for channel messages. DM receipts are planned.
- **Client output queue depth**: Server-configurable via `QUEUE_MAX_AGE`.
-  Default is 30 days. Entries older than this are pruned.
+- **Queue depth**: Server-configurable via `QUEUE_MAX_AGE`. Default is 48
+  hours. Entries older than this are pruned.

 ### Long-Polling

@@ -1624,10 +1624,6 @@ authenticity.
  termination.
 - **CORS**: The server allows all origins by default (`Access-Control-Allow-Origin: *`).
  Restrict this in production via reverse proxy configuration if needed.
- **Content-Security-Policy**: The server sets a strict CSP header on all
-  responses, restricting resource loading to same-origin and disabling
-  dangerous features (object embeds, framing, base tag injection). The
-  embedded SPA works without `'unsafe-inline'` for scripts or styles.

 ---

@@ -1788,14 +1784,14 @@ skew issues) and simpler than UUIDs (integer comparison vs. string comparison).

 ### Data Lifecycle

- **Messages**: Pruned automatically when older than `MESSAGE_MAX_AGE`
-  (default 30 days).
- **Client output queue entries**: Pruned automatically when older than
-  `QUEUE_MAX_AGE` (default 30 days).
+- **Messages**: Stored indefinitely in the current implementation. Rotation
+  per `MAX_HISTORY` is planned.
+- **Queue entries**: Stored until pruned. Pruning by `QUEUE_MAX_AGE` is
+  planned.
 - **Channels**: Deleted when the last member leaves (ephemeral).
 - **Users/sessions**: Deleted on `QUIT` or `POST /api/v1/logout`. Idle
  sessions are automatically expired after `SESSION_IDLE_TIMEOUT` (default
-  30 days) — the server runs a background cleanup loop that parts idle users
+  24h) — the server runs a background cleanup loop that parts idle users
  from all channels, broadcasts QUIT, and releases their nicks.

 ---
@@ -1812,9 +1808,9 @@ directory is also loaded automatically via
 | `PORT`             | int     | `8080`                               | HTTP listen port |
 | `DBURL`            | string  | `file:///var/lib/neoirc/state.db?_journal_mode=WAL` | SQLite connection string. For file-based: `file:///path/to/db.db?_journal_mode=WAL`. For in-memory (testing): `file::memory:?cache=shared`. |
 | `DEBUG`            | bool    | `false`                              | Enable debug logging (verbose request/response logging) |
-| `MESSAGE_MAX_AGE`  | string  | `720h`                               | Maximum age of messages as a Go duration string (e.g. `720h`, `24h`). Messages older than this are pruned. Default is 30 days. |
-| `SESSION_IDLE_TIMEOUT` | string | `720h`                           | Session idle timeout as a Go duration string (e.g. `720h`, `24h`). Sessions with no activity for this long are expired and the nick is released. Default is 30 days. |
-| `QUEUE_MAX_AGE`    | string  | `720h`                               | Maximum age of client output queue entries as a Go duration string (e.g. `720h`, `24h`). Entries older than this are pruned. Default is 30 days. |
+| `MAX_HISTORY`      | int     | `10000`                              | Maximum messages retained per channel before rotation (planned) |
+| `SESSION_IDLE_TIMEOUT` | string | `24h`                            | Session idle timeout as a Go duration string (e.g. `24h`, `30m`). Sessions with no activity for this long are expired and the nick is released. |
+| `QUEUE_MAX_AGE`    | int     | `172800`                             | Maximum age of client queue entries in seconds (48h). Entries older than this are pruned (planned). |
 | `MAX_MESSAGE_SIZE` | int     | `4096`                               | Maximum message body size in bytes (planned enforcement) |
 | `LONG_POLL_TIMEOUT`| int     | `15`                                 | Default long-poll timeout in seconds (client can override via query param, server caps at 30) |
 | `MOTD`             | string  | `""`                                 | Message of the day, shown to clients via `GET /api/v1/server` |
@@ -1833,7 +1829,7 @@ SERVER_NAME=My NeoIRC Server
 MOTD=Welcome! Be excellent to each other.
 DEBUG=false
 DBURL=file:///var/lib/neoirc/state.db?_journal_mode=WAL
-SESSION_IDLE_TIMEOUT=720h
+SESSION_IDLE_TIMEOUT=24h
 ```

 ---
@@ -2228,8 +2224,8 @@ GET /api/v1/challenge
 ### Post-MVP (Planned)

 - [ ] **Hashcash proof-of-work** for session creation (abuse prevention)
- [x] **Client output queue pruning** — delete old client output queue entries per `QUEUE_MAX_AGE`
- [x] **Message rotation** — prune messages older than `MESSAGE_MAX_AGE`
+- [ ] **Queue pruning** — delete old queue entries per `QUEUE_MAX_AGE`
+- [ ] **Message rotation** — enforce `MAX_HISTORY` per channel
 - [ ] **Channel modes** — enforce `+i`, `+m`, `+s`, `+t`, `+n`
 - [ ] **User channel modes** — `+o` (operator), `+v` (voice)
 - [x] **MODE command** — query channel and user modes (set not yet implemented)
--- a/cmd/neoirc-cli/api/client.go
+++ b/cmd/neoirc-cli/api/client.go
@@ -14,7 +14,7 @@ import (
 	"strings"
 	"time"

-	"git.eeqj.de/sneak/neoirc/pkg/irc"
+	"git.eeqj.de/sneak/neoirc/internal/irc"
 )

 const (
--- a/cmd/neoirc-cli/main.go
+++ b/cmd/neoirc-cli/main.go
@@ -9,7 +9,7 @@ import (
 	"time"

 	api "git.eeqj.de/sneak/neoirc/cmd/neoirc-cli/api"
-	"git.eeqj.de/sneak/neoirc/pkg/irc"
+	"git.eeqj.de/sneak/neoirc/internal/irc"
 )

 const (
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -38,9 +38,8 @@ type Config struct {
 	MetricsUsername    string
 	Port               int
 	SentryDSN          string
-	MessageMaxAge      string
+	MaxHistory         int
 	MaxMessageSize     int
-	QueueMaxAge        string
 	MOTD               string
 	ServerName         string
 	FederationKey      string
@@ -69,13 +68,12 @@ func New(
 	viper.SetDefault("SENTRY_DSN", "")
 	viper.SetDefault("METRICS_USERNAME", "")
 	viper.SetDefault("METRICS_PASSWORD", "")
-	viper.SetDefault("MESSAGE_MAX_AGE", "720h")
+	viper.SetDefault("MAX_HISTORY", "10000")
 	viper.SetDefault("MAX_MESSAGE_SIZE", "4096")
-	viper.SetDefault("QUEUE_MAX_AGE", "720h")
 	viper.SetDefault("MOTD", defaultMOTD)
 	viper.SetDefault("SERVER_NAME", "")
 	viper.SetDefault("FEDERATION_KEY", "")
-	viper.SetDefault("SESSION_IDLE_TIMEOUT", "720h")
+	viper.SetDefault("SESSION_IDLE_TIMEOUT", "24h")

 	err := viper.ReadInConfig()
 	if err != nil {
@@ -94,9 +92,8 @@ func New(
 		MaintenanceMode:    viper.GetBool("MAINTENANCE_MODE"),
 		MetricsUsername:    viper.GetString("METRICS_USERNAME"),
 		MetricsPassword:    viper.GetString("METRICS_PASSWORD"),
-		MessageMaxAge:      viper.GetString("MESSAGE_MAX_AGE"),
+		MaxHistory:         viper.GetInt("MAX_HISTORY"),
 		MaxMessageSize:     viper.GetInt("MAX_MESSAGE_SIZE"),
-		QueueMaxAge:        viper.GetString("QUEUE_MAX_AGE"),
 		MOTD:               viper.GetString("MOTD"),
 		ServerName:         viper.GetString("SERVER_NAME"),
 		FederationKey:      viper.GetString("FEDERATION_KEY"),
--- a/internal/db/auth.go
+++ b/internal/db/auth.go
@@ -64,14 +64,12 @@ func (database *Database) RegisterUser(

 	sessionID, _ := res.LastInsertId()

-	tokenHash := hashToken(token)
-
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash, now, now)
+		clientUUID, sessionID, token, now, now)
 	if err != nil {
 		_ = transaction.Rollback()

@@ -139,14 +137,12 @@ func (database *Database) LoginUser(

 	now := time.Now()

-	tokenHash := hashToken(token)
-
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash, now, now)
+		clientUUID, sessionID, token, now, now)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"create login client: %w", err,
--- a/internal/db/errors.go
+++ b/internal/db/errors.go
@@ -1,20 +0,0 @@
-// Package db provides database access and migration management.
-package db
-
-import (
-	"errors"
-
-	"modernc.org/sqlite"
-	sqlite3 "modernc.org/sqlite/lib"
-)
-
-// IsUniqueConstraintError reports whether err is a SQLite
-// unique-constraint violation.
-func IsUniqueConstraintError(err error) bool {
-	var sqliteErr *sqlite.Error
-	if !errors.As(err, &sqliteErr) {
-		return false
-	}
-
-	return sqliteErr.Code() == sqlite3.SQLITE_CONSTRAINT_UNIQUE
-}
--- a/internal/db/queries.go
+++ b/internal/db/queries.go
@@ -3,7 +3,6 @@ package db
 import (
 	"context"
 	"crypto/rand"
-	"crypto/sha256"
 	"database/sql"
 	"encoding/hex"
 	"encoding/json"
@@ -11,7 +10,7 @@ import (
 	"strconv"
 	"time"

-	"git.eeqj.de/sneak/neoirc/pkg/irc"
+	"git.eeqj.de/sneak/neoirc/internal/irc"
 	"github.com/google/uuid"
 )

@@ -32,14 +31,6 @@ func generateToken() (string, error) {
 	return hex.EncodeToString(buf), nil
 }

-// hashToken returns the lowercase hex-encoded SHA-256
-// digest of a plaintext token string.
-func hashToken(token string) string {
-	sum := sha256.Sum256([]byte(token))
-
-	return hex.EncodeToString(sum[:])
-}
-
 // IRCMessage is the IRC envelope for all messages.
 type IRCMessage struct {
 	ID      string          `json:"id"`
@@ -114,14 +105,12 @@ func (database *Database) CreateSession(

 	sessionID, _ := res.LastInsertId()

-	tokenHash := hashToken(token)
-
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash, now, now)
+		clientUUID, sessionID, token, now, now)
 	if err != nil {
 		_ = transaction.Rollback()

@@ -154,8 +143,6 @@ func (database *Database) GetSessionByToken(
 		nick      string
 	)

-	tokenHash := hashToken(token)
-
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT s.id, c.id, s.nick
@@ -163,7 +150,7 @@ func (database *Database) GetSessionByToken(
 		 INNER JOIN sessions s
 		   ON s.id = c.session_id
 		 WHERE c.token = ?`,
-		tokenHash,
+		token,
 	).Scan(&sessionID, &clientID, &nick)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
@@ -746,8 +733,8 @@ func scanMessages(
 			code, _ := strconv.Atoi(msg.Command)
 			msg.Code = code

-			if mt, err := irc.FromInt(code); err == nil {
-				msg.Command = mt.Name()
+			if name := irc.Name(code); name != "" {
+				msg.Command = name
 			}
 		}

@@ -1109,160 +1096,3 @@ func (database *Database) GetSessionCreatedAt(

 	return createdAt, nil
 }
-
-// SetAway sets the away message for a session.
-// An empty message clears the away status.
-func (database *Database) SetAway(
-	ctx context.Context,
-	sessionID int64,
-	message string,
-) error {
-	_, err := database.conn.ExecContext(ctx,
-		"UPDATE sessions SET away_message = ? WHERE id = ?",
-		message, sessionID)
-	if err != nil {
-		return fmt.Errorf("set away: %w", err)
-	}
-
-	return nil
-}
-
-// GetAway returns the away message for a session.
-// Returns an empty string if the user is not away.
-func (database *Database) GetAway(
-	ctx context.Context,
-	sessionID int64,
-) (string, error) {
-	var msg string
-
-	err := database.conn.QueryRowContext(ctx,
-		"SELECT away_message FROM sessions WHERE id = ?",
-		sessionID,
-	).Scan(&msg)
-	if err != nil {
-		return "", fmt.Errorf("get away: %w", err)
-	}
-
-	return msg, nil
-}
-
-// SetTopicMeta sets the topic along with who set it and
-// when.
-func (database *Database) SetTopicMeta(
-	ctx context.Context,
-	channelName, topic, setBy string,
-) error {
-	now := time.Now()
-
-	_, err := database.conn.ExecContext(ctx,
-		`UPDATE channels
-		 SET topic = ?, topic_set_by = ?,
-		     topic_set_at = ?, updated_at = ?
-		 WHERE name = ?`,
-		topic, setBy, now, now, channelName)
-	if err != nil {
-		return fmt.Errorf("set topic meta: %w", err)
-	}
-
-	return nil
-}
-
-// TopicMeta holds topic metadata for a channel.
-type TopicMeta struct {
-	SetBy string
-	SetAt time.Time
-}
-
-// GetTopicMeta returns who set the topic and when.
-func (database *Database) GetTopicMeta(
-	ctx context.Context,
-	channelID int64,
-) (*TopicMeta, error) {
-	var (
-		setBy string
-		setAt sql.NullTime
-	)
-
-	err := database.conn.QueryRowContext(ctx,
-		`SELECT topic_set_by, topic_set_at
-		 FROM channels WHERE id = ?`,
-		channelID,
-	).Scan(&setBy, &setAt)
-	if err != nil {
-		return nil, fmt.Errorf(
-			"get topic meta: %w", err,
-		)
-	}
-
-	if setBy == "" || !setAt.Valid {
-		return nil, nil //nolint:nilnil
-	}
-
-	return &TopicMeta{
-		SetBy: setBy,
-		SetAt: setAt.Time,
-	}, nil
-}
-
-// GetSessionLastSeen returns the last_seen time for a
-// session.
-func (database *Database) GetSessionLastSeen(
-	ctx context.Context,
-	sessionID int64,
-) (time.Time, error) {
-	var lastSeen time.Time
-
-	err := database.conn.QueryRowContext(ctx,
-		"SELECT last_seen FROM sessions WHERE id = ?",
-		sessionID,
-	).Scan(&lastSeen)
-	if err != nil {
-		return time.Time{}, fmt.Errorf(
-			"get session last_seen: %w", err,
-		)
-	}
-
-	return lastSeen, nil
-}
-
-// PruneOldQueueEntries deletes client output queue entries
-// older than cutoff and returns the number of rows removed.
-func (database *Database) PruneOldQueueEntries(
-	ctx context.Context,
-	cutoff time.Time,
-) (int64, error) {
-	res, err := database.conn.ExecContext(ctx,
-		"DELETE FROM client_queues WHERE created_at < ?",
-		cutoff,
-	)
-	if err != nil {
-		return 0, fmt.Errorf(
-			"prune old client output queue entries: %w", err,
-		)
-	}
-
-	deleted, _ := res.RowsAffected()
-
-	return deleted, nil
-}
-
-// PruneOldMessages deletes messages older than cutoff and
-// returns the number of rows removed.
-func (database *Database) PruneOldMessages(
-	ctx context.Context,
-	cutoff time.Time,
-) (int64, error) {
-	res, err := database.conn.ExecContext(ctx,
-		"DELETE FROM messages WHERE created_at < ?",
-		cutoff,
-	)
-	if err != nil {
-		return 0, fmt.Errorf(
-			"prune old messages: %w", err,
-		)
-	}
-
-	deleted, _ := res.RowsAffected()
-
-	return deleted, nil
-}
--- a/internal/db/schema/001_initial.sql
+++ b/internal/db/schema/001_initial.sql
@@ -8,7 +8,6 @@ CREATE TABLE IF NOT EXISTS sessions (
    nick TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL DEFAULT '',
    signing_key TEXT NOT NULL DEFAULT '',
-    away_message TEXT NOT NULL DEFAULT '',
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -31,8 +30,6 @@ CREATE TABLE IF NOT EXISTS channels (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT NOT NULL UNIQUE,
    topic TEXT NOT NULL DEFAULT '',
-    topic_set_by TEXT NOT NULL DEFAULT '',
-    topic_set_at DATETIME,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -10,8 +10,7 @@ import (
 	"strings"
 	"time"

-	"git.eeqj.de/sneak/neoirc/internal/db"
-	"git.eeqj.de/sneak/neoirc/pkg/irc"
+	"git.eeqj.de/sneak/neoirc/internal/irc"
 	"github.com/go-chi/chi"
 )

@@ -71,10 +70,11 @@ func (hdlr *Handlers) requireAuth(
 	sessionID, clientID, nick, err :=
 		hdlr.authSession(request)
 	if err != nil {
-		hdlr.respondJSON(writer, request, map[string]any{
-			"error":   "not registered",
-			"numeric": irc.ErrNotRegistered,
-		}, http.StatusUnauthorized)
+		hdlr.respondError(
+			writer, request,
+			"unauthorized",
+			http.StatusUnauthorized,
+		)

 		return 0, 0, "", false
 	}
@@ -199,7 +199,7 @@ func (hdlr *Handlers) handleCreateSessionError(
 	request *http.Request,
 	err error,
 ) {
-	if db.IsUniqueConstraintError(err) {
+	if strings.Contains(err.Error(), "UNIQUE") {
 		hdlr.respondError(
 			writer, request,
 			"nick already taken",
@@ -397,12 +397,12 @@ func (hdlr *Handlers) serverName() string {
 func (hdlr *Handlers) enqueueNumeric(
 	ctx context.Context,
 	clientID int64,
-	code irc.IRCMessageType,
+	code int,
 	nick string,
 	params []string,
 	text string,
 ) {
-	command := code.Code()
+	command := fmt.Sprintf("%03d", code)

 	body, err := json.Marshal([]string{text})
 	if err != nil {
@@ -809,11 +809,6 @@ func (hdlr *Handlers) dispatchCommand(
 	bodyLines func() []string,
 ) {
 	switch command {
-	case irc.CmdAway:
-		hdlr.handleAway(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
 	case irc.CmdPrivmsg, irc.CmdNotice:
 		hdlr.handlePrivmsg(
 			writer, request,
@@ -924,8 +919,8 @@ func (hdlr *Handlers) handlePrivmsg(
 	if target == "" {
 		hdlr.enqueueNumeric(
 			request.Context(), clientID,
-			irc.ErrNoRecipient, nick, []string{command},
-			"No recipient given",
+			irc.ErrNeedMoreParams, nick, []string{command},
+			"Not enough parameters",
 		)
 		hdlr.broker.Notify(sessionID)
 		hdlr.respondJSON(writer, request,
@@ -939,8 +934,8 @@ func (hdlr *Handlers) handlePrivmsg(
 	if len(lines) == 0 {
 		hdlr.enqueueNumeric(
 			request.Context(), clientID,
-			irc.ErrNoTextToSend, nick, []string{command},
-			"No text to send",
+			irc.ErrNeedMoreParams, nick, []string{command},
+			"Not enough parameters",
 		)
 		hdlr.broker.Notify(sessionID)
 		hdlr.respondJSON(writer, request,
@@ -973,7 +968,7 @@ func (hdlr *Handlers) respondIRCError(
 	writer http.ResponseWriter,
 	request *http.Request,
 	clientID, sessionID int64,
-	code irc.IRCMessageType,
+	code int,
 	nick string,
 	params []string,
 	text string,
@@ -1027,8 +1022,8 @@ func (hdlr *Handlers) handleChannelMsg(
 	if !isMember {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
-			irc.ErrCannotSendToChan, nick, []string{target},
-			"Cannot send to channel",
+			irc.ErrNotOnChannel, nick, []string{target},
+			"You're not on that channel",
 		)

 		return
@@ -1124,19 +1119,6 @@ func (hdlr *Handlers) handleDirectMsg(
 		return
 	}

-	// If the target is away, send RPL_AWAY to the sender.
-	awayMsg, awayErr := hdlr.params.Database.GetAway(
-		request.Context(), targetSID,
-	)
-	if awayErr == nil && awayMsg != "" {
-		hdlr.enqueueNumeric(
-			request.Context(), clientID,
-			irc.RplAway, nick,
-			[]string{target}, awayMsg,
-		)
-		hdlr.broker.Notify(sessionID)
-	}
-
 	hdlr.respondJSON(writer, request,
 		map[string]string{"id": msgUUID, "status": "sent"},
 		http.StatusOK)
@@ -1247,25 +1229,14 @@ func (hdlr *Handlers) deliverJoinNumerics(
 ) {
 	ctx := request.Context()

-	hdlr.deliverTopicNumerics(
-		ctx, clientID, sessionID, nick, channel, chID,
+	chInfo, err := hdlr.params.Database.GetChannelByName(
+		ctx, channel,
 	)
-
-	hdlr.deliverNamesNumerics(
-		ctx, clientID, nick, channel, chID,
-	)
-
-	hdlr.broker.Notify(sessionID)
+	if err == nil {
+		_ = chInfo // chInfo is the ID; topic comes from DB.
 	}

-// deliverTopicNumerics sends RPL_TOPIC or RPL_NOTOPIC,
-// plus RPL_TOPICWHOTIME when topic metadata is available.
-func (hdlr *Handlers) deliverTopicNumerics(
-	ctx context.Context,
-	clientID, sessionID int64,
-	nick, channel string,
-	chID int64,
-) {
+	// Get topic from channel info.
 	channels, listErr := hdlr.params.Database.ListChannels(
 		ctx, sessionID,
 	)
@@ -1287,39 +1258,14 @@ func (hdlr *Handlers) deliverTopicNumerics(
 			ctx, clientID, irc.RplTopic, nick,
 			[]string{channel}, topic,
 		)
-
-		topicMeta, tmErr := hdlr.params.Database.
-			GetTopicMeta(ctx, chID)
-		if tmErr == nil && topicMeta != nil {
-			hdlr.enqueueNumeric(
-				ctx, clientID,
-				irc.RplTopicWhoTime, nick,
-				[]string{
-					channel,
-					topicMeta.SetBy,
-					strconv.FormatInt(
-						topicMeta.SetAt.Unix(), 10,
-					),
-				},
-				"",
-			)
-		}
 	} else {
 		hdlr.enqueueNumeric(
 			ctx, clientID, irc.RplNoTopic, nick,
 			[]string{channel}, "No topic is set",
 		)
 	}
-}

-// deliverNamesNumerics sends RPL_NAMREPLY and
-// RPL_ENDOFNAMES for a channel.
-func (hdlr *Handlers) deliverNamesNumerics(
-	ctx context.Context,
-	clientID int64,
-	nick, channel string,
-	chID int64,
-) {
+	// Get member list for NAMES reply.
 	members, memErr := hdlr.params.Database.ChannelMembers(
 		ctx, chID,
 	)
@@ -1342,6 +1288,8 @@ func (hdlr *Handlers) deliverNamesNumerics(
 		ctx, clientID, irc.RplEndOfNames, nick,
 		[]string{channel}, "End of /NAMES list",
 	)
+
+	hdlr.broker.Notify(sessionID)
 }

 func (hdlr *Handlers) handlePart(
@@ -1479,7 +1427,7 @@ func (hdlr *Handlers) executeNickChange(
 		request.Context(), sessionID, newNick,
 	)
 	if err != nil {
-		if db.IsUniqueConstraintError(err) {
+		if strings.Contains(err.Error(), "UNIQUE") {
 			hdlr.respondIRCError(
 				writer, request, clientID, sessionID,
 				irc.ErrNicknameInUse, nick, []string{newNick},
@@ -1625,8 +1573,8 @@ func (hdlr *Handlers) executeTopic(
 	body json.RawMessage,
 	chID int64,
 ) {
-	setErr := hdlr.params.Database.SetTopicMeta(
-		request.Context(), channel, topic, nick,
+	setErr := hdlr.params.Database.SetTopic(
+		request.Context(), channel, topic,
 	)
 	if setErr != nil {
 		hdlr.log.Error(
@@ -1653,25 +1601,6 @@ func (hdlr *Handlers) executeTopic(
 		request.Context(), clientID,
 		irc.RplTopic, nick, []string{channel}, topic,
 	)
-
-	// 333 RPL_TOPICWHOTIME
-	topicMeta, tmErr := hdlr.params.Database.
-		GetTopicMeta(request.Context(), chID)
-	if tmErr == nil && topicMeta != nil {
-		hdlr.enqueueNumeric(
-			request.Context(), clientID,
-			irc.RplTopicWhoTime, nick,
-			[]string{
-				channel,
-				topicMeta.SetBy,
-				strconv.FormatInt(
-					topicMeta.SetAt.Unix(), 10,
-				),
-			},
-			"",
-		)
-	}
-
 	hdlr.broker.Notify(sessionID)

 	hdlr.respondJSON(writer, request,
@@ -2061,11 +1990,6 @@ func (hdlr *Handlers) executeWhois(
 		"neoirc server",
 	)

-	// 317 RPL_WHOISIDLE
-	hdlr.deliverWhoisIdle(
-		ctx, clientID, nick, queryNick, targetSID,
-	)
-
 	// 319 RPL_WHOISCHANNELS
 	hdlr.deliverWhoisChannels(
 		ctx, clientID, nick, queryNick, targetSID,
@@ -2475,95 +2399,3 @@ func (hdlr *Handlers) HandleServerInfo() http.HandlerFunc {
 		}, http.StatusOK)
 	}
 }
-
-// handleAway handles the AWAY command. An empty body
-// clears the away status; a non-empty body sets it.
-func (hdlr *Handlers) handleAway(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-	bodyLines func() []string,
-) {
-	ctx := request.Context()
-
-	lines := bodyLines()
-
-	awayMsg := ""
-	if len(lines) > 0 {
-		awayMsg = strings.Join(lines, " ")
-	}
-
-	err := hdlr.params.Database.SetAway(
-		ctx, sessionID, awayMsg,
-	)
-	if err != nil {
-		hdlr.log.Error("set away failed", "error", err)
-		hdlr.respondError(
-			writer, request,
-			"internal error",
-			http.StatusInternalServerError,
-		)
-
-		return
-	}
-
-	if awayMsg == "" {
-		// 305 RPL_UNAWAY
-		hdlr.enqueueNumeric(
-			ctx, clientID, irc.RplUnaway, nick, nil,
-			"You are no longer marked as being away",
-		)
-	} else {
-		// 306 RPL_NOWAWAY
-		hdlr.enqueueNumeric(
-			ctx, clientID, irc.RplNowAway, nick, nil,
-			"You have been marked as being away",
-		)
-	}
-
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// deliverWhoisIdle sends RPL_WHOISIDLE (317) with idle
-// time and signon time.
-func (hdlr *Handlers) deliverWhoisIdle(
-	ctx context.Context,
-	clientID int64,
-	nick, queryNick string,
-	targetSID int64,
-) {
-	lastSeen, lsErr := hdlr.params.Database.
-		GetSessionLastSeen(ctx, targetSID)
-	if lsErr != nil {
-		return
-	}
-
-	createdAt, caErr := hdlr.params.Database.
-		GetSessionCreatedAt(ctx, targetSID)
-	if caErr != nil {
-		return
-	}
-
-	idleSeconds := int64(time.Since(lastSeen).Seconds())
-	if idleSeconds < 0 {
-		idleSeconds = 0
-	}
-
-	signonUnix := strconv.FormatInt(
-		createdAt.Unix(), 10,
-	)
-
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplWhoisIdle, nick,
-		[]string{
-			queryNick,
-			strconv.FormatInt(idleSeconds, 10),
-			signonUnix,
-		},
-		"seconds idle, signon time",
-	)
-}
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
@@ -810,9 +810,9 @@ func TestMessageMissingBody(t *testing.T) {

 	msgs, _ := tserver.pollMessages(token, lastID)

-	if !findNumeric(msgs, "412") {
+	if !findNumeric(msgs, "461") {
 		t.Fatalf(
-			"expected ERR_NOTEXTTOSEND (412), got %v",
+			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
@@ -834,9 +834,9 @@ func TestMessageMissingTo(t *testing.T) {

 	msgs, _ := tserver.pollMessages(token, lastID)

-	if !findNumeric(msgs, "411") {
+	if !findNumeric(msgs, "461") {
 		t.Fatalf(
-			"expected ERR_NORECIPIENT (411), got %v",
+			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
@@ -869,9 +869,9 @@ func TestNonMemberCannotSend(t *testing.T) {

 	msgs, _ := tserver.pollMessages(aliceToken, lastID)

-	if !findNumeric(msgs, "404") {
+	if !findNumeric(msgs, "442") {
 		t.Fatalf(
-			"expected ERR_CANNOTSENDTOCHAN (404), got %v",
+			"expected ERR_NOTONCHANNEL (442), got %v",
 			msgs,
 		)
 	}
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -4,8 +4,6 @@ import (
 	"encoding/json"
 	"net/http"
 	"strings"
-
-	"git.eeqj.de/sneak/neoirc/internal/db"
 )

 const minPasswordLength = 8
@@ -96,7 +94,7 @@ func (hdlr *Handlers) handleRegisterError(
 	request *http.Request,
 	err error,
 ) {
-	if db.IsUniqueConstraintError(err) {
+	if strings.Contains(err.Error(), "UNIQUE") {
 		hdlr.respondError(
 			writer, request,
 			"nick already taken",
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -31,7 +31,7 @@ type Params struct {
 	Healthcheck *healthcheck.Healthcheck
 }

-const defaultIdleTimeout = 30 * 24 * time.Hour
+const defaultIdleTimeout = 24 * time.Hour

 // Handlers manages HTTP request handling.
 type Handlers struct {
@@ -200,77 +200,4 @@ func (hdlr *Handlers) runCleanup(
 			"deleted", deleted,
 		)
 	}
-
-	hdlr.pruneQueuesAndMessages(ctx)
-}
-
-// parseDurationConfig parses a Go duration string,
-// returning zero on empty input and logging on error.
-func (hdlr *Handlers) parseDurationConfig(
-	name, raw string,
-) time.Duration {
-	if raw == "" {
-		return 0
-	}
-
-	dur, err := time.ParseDuration(raw)
-	if err != nil {
-		hdlr.log.Error(
-			"invalid duration config, skipping",
-			"name", name, "value", raw, "error", err,
-		)
-
-		return 0
-	}
-
-	return dur
-}
-
-// pruneQueuesAndMessages removes old client output queue
-// entries per QUEUE_MAX_AGE and old messages per
-// MESSAGE_MAX_AGE.
-func (hdlr *Handlers) pruneQueuesAndMessages(
-	ctx context.Context,
-) {
-	queueMaxAge := hdlr.parseDurationConfig(
-		"QUEUE_MAX_AGE",
-		hdlr.params.Config.QueueMaxAge,
-	)
-	if queueMaxAge > 0 {
-		queueCutoff := time.Now().Add(-queueMaxAge)
-
-		pruned, err := hdlr.params.Database.
-			PruneOldQueueEntries(ctx, queueCutoff)
-		if err != nil {
-			hdlr.log.Error(
-				"client output queue pruning failed", "error", err,
-			)
-		} else if pruned > 0 {
-			hdlr.log.Info(
-				"pruned old client output queue entries",
-				"deleted", pruned,
-			)
-		}
-	}
-
-	messageMaxAge := hdlr.parseDurationConfig(
-		"MESSAGE_MAX_AGE",
-		hdlr.params.Config.MessageMaxAge,
-	)
-	if messageMaxAge > 0 {
-		msgCutoff := time.Now().Add(-messageMaxAge)
-
-		pruned, err := hdlr.params.Database.
-			PruneOldMessages(ctx, msgCutoff)
-		if err != nil {
-			hdlr.log.Error(
-				"message pruning failed", "error", err,
-			)
-		} else if pruned > 0 {
-			hdlr.log.Info(
-				"pruned old messages",
-				"deleted", pruned,
-			)
-		}
-	}
 }
--- a/internal/irc/commands.go
+++ b/internal/irc/commands.go
@@ -2,7 +2,6 @@ package irc

 // IRC command names (RFC 1459 / RFC 2812).
 const (
-	CmdAway    = "AWAY"
 	CmdJoin    = "JOIN"
 	CmdList    = "LIST"
 	CmdLusers  = "LUSERS"
--- a/internal/irc/numerics.go
+++ b/internal/irc/numerics.go
@@ -0,0 +1,150 @@
+// Package irc provides constants and utilities for the
+// IRC protocol, including numeric reply codes from
+// RFC 1459 and RFC 2812, and standard command names.
+package irc
+
+// Connection registration replies (001-005).
+const (
+	RplWelcome  = 1
+	RplYourHost = 2
+	RplCreated  = 3
+	RplMyInfo   = 4
+	RplIsupport = 5
+)
+
+// Command responses (200-399).
+const (
+	RplUmodeIs       = 221
+	RplLuserClient   = 251
+	RplLuserOp       = 252
+	RplLuserUnknown  = 253
+	RplLuserChannels = 254
+	RplLuserMe       = 255
+	RplAway          = 301
+	RplUserHost      = 302
+	RplIson          = 303
+	RplUnaway        = 305
+	RplNowAway       = 306
+	RplWhoisUser     = 311
+	RplWhoisServer   = 312
+	RplWhoisOperator = 313
+	RplEndOfWho      = 315
+	RplWhoisIdle     = 317
+	RplEndOfWhois    = 318
+	RplWhoisChannels = 319
+	RplList          = 322
+	RplListEnd       = 323
+	RplChannelModeIs = 324
+	RplCreationTime  = 329
+	RplNoTopic       = 331
+	RplTopic         = 332
+	RplTopicWhoTime  = 333
+	RplInviting      = 341
+	RplWhoReply      = 352
+	RplNamReply      = 353
+	RplEndOfNames    = 366
+	RplBanList       = 367
+	RplEndOfBanList  = 368
+	RplMotd          = 372
+	RplMotdStart     = 375
+	RplEndOfMotd     = 376
+)
+
+// Error replies (400-599).
+const (
+	ErrNoSuchNick        = 401
+	ErrNoSuchServer      = 402
+	ErrNoSuchChannel     = 403
+	ErrCannotSendToChan  = 404
+	ErrTooManyChannels   = 405
+	ErrNoRecipient       = 411
+	ErrNoTextToSend      = 412
+	ErrUnknownCommand    = 421
+	ErrNoNicknameGiven   = 431
+	ErrErroneusNickname  = 432
+	ErrNicknameInUse     = 433
+	ErrUserNotInChannel  = 441
+	ErrNotOnChannel      = 442
+	ErrNotRegistered     = 451
+	ErrNeedMoreParams    = 461
+	ErrAlreadyRegistered = 462
+	ErrChannelIsFull     = 471
+	ErrInviteOnlyChan    = 473
+	ErrBannedFromChan    = 474
+	ErrBadChannelKey     = 475
+	ErrChanOpPrivsNeeded = 482
+)
+
+// names maps numeric codes to their standard IRC names.
+//
+//nolint:gochecknoglobals
+var names = map[int]string{
+	RplWelcome:       "RPL_WELCOME",
+	RplYourHost:      "RPL_YOURHOST",
+	RplCreated:       "RPL_CREATED",
+	RplMyInfo:        "RPL_MYINFO",
+	RplIsupport:      "RPL_ISUPPORT",
+	RplUmodeIs:       "RPL_UMODEIS",
+	RplLuserClient:   "RPL_LUSERCLIENT",
+	RplLuserOp:       "RPL_LUSEROP",
+	RplLuserUnknown:  "RPL_LUSERUNKNOWN",
+	RplLuserChannels: "RPL_LUSERCHANNELS",
+	RplLuserMe:       "RPL_LUSERME",
+	RplAway:          "RPL_AWAY",
+	RplUserHost:      "RPL_USERHOST",
+	RplIson:          "RPL_ISON",
+	RplUnaway:        "RPL_UNAWAY",
+	RplNowAway:       "RPL_NOWAWAY",
+	RplWhoisUser:     "RPL_WHOISUSER",
+	RplWhoisServer:   "RPL_WHOISSERVER",
+	RplWhoisOperator: "RPL_WHOISOPERATOR",
+	RplEndOfWho:      "RPL_ENDOFWHO",
+	RplWhoisIdle:     "RPL_WHOISIDLE",
+	RplEndOfWhois:    "RPL_ENDOFWHOIS",
+	RplWhoisChannels: "RPL_WHOISCHANNELS",
+	RplList:          "RPL_LIST",
+	RplListEnd:       "RPL_LISTEND", //nolint:misspell
+	RplChannelModeIs: "RPL_CHANNELMODEIS",
+	RplCreationTime:  "RPL_CREATIONTIME",
+	RplNoTopic:       "RPL_NOTOPIC",
+	RplTopic:         "RPL_TOPIC",
+	RplTopicWhoTime:  "RPL_TOPICWHOTIME",
+	RplInviting:      "RPL_INVITING",
+	RplWhoReply:      "RPL_WHOREPLY",
+	RplNamReply:      "RPL_NAMREPLY",
+	RplEndOfNames:    "RPL_ENDOFNAMES",
+	RplBanList:       "RPL_BANLIST",
+	RplEndOfBanList:  "RPL_ENDOFBANLIST",
+	RplMotd:          "RPL_MOTD",
+	RplMotdStart:     "RPL_MOTDSTART",
+	RplEndOfMotd:     "RPL_ENDOFMOTD",
+
+	ErrNoSuchNick:        "ERR_NOSUCHNICK",
+	ErrNoSuchServer:      "ERR_NOSUCHSERVER",
+	ErrNoSuchChannel:     "ERR_NOSUCHCHANNEL",
+	ErrCannotSendToChan:  "ERR_CANNOTSENDTOCHAN",
+	ErrTooManyChannels:   "ERR_TOOMANYCHANNELS",
+	ErrNoRecipient:       "ERR_NORECIPIENT",
+	ErrNoTextToSend:      "ERR_NOTEXTTOSEND",
+	ErrUnknownCommand:    "ERR_UNKNOWNCOMMAND",
+	ErrNoNicknameGiven:   "ERR_NONICKNAMEGIVEN",
+	ErrErroneusNickname:  "ERR_ERRONEUSNICKNAME",
+	ErrNicknameInUse:     "ERR_NICKNAMEINUSE",
+	ErrUserNotInChannel:  "ERR_USERNOTINCHANNEL",
+	ErrNotOnChannel:      "ERR_NOTONCHANNEL",
+	ErrNotRegistered:     "ERR_NOTREGISTERED",
+	ErrNeedMoreParams:    "ERR_NEEDMOREPARAMS",
+	ErrAlreadyRegistered: "ERR_ALREADYREGISTERED",
+	ErrChannelIsFull:     "ERR_CHANNELISFULL",
+	ErrInviteOnlyChan:    "ERR_INVITEONLYCHAN",
+	ErrBannedFromChan:    "ERR_BANNEDFROMCHAN",
+	ErrBadChannelKey:     "ERR_BADCHANNELKEY",
+	ErrChanOpPrivsNeeded: "ERR_CHANOPRIVSNEEDED",
+}
+
+// Name returns the standard IRC name for a numeric code
+// (e.g., Name(2) returns "RPL_YOURHOST"). Returns an
+// empty string if the code is unknown.
+func Name(code int) string {
+	return names[code]
+}
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -142,6 +142,20 @@ func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	})
 }

+// Auth returns middleware that performs authentication.
+func (mware *Middleware) Auth() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(
+			func(
+				writer http.ResponseWriter,
+				request *http.Request,
+			) {
+				mware.log.Info("AUTH: before request")
+				next.ServeHTTP(writer, request)
+			})
+	}
+}
+
 // Metrics returns middleware that records HTTP metrics.
 func (mware *Middleware) Metrics() func(http.Handler) http.Handler {
 	metricsMiddleware := ghmm.New(ghmm.Config{ //nolint:exhaustruct // optional fields
@@ -166,36 +180,3 @@ func (mware *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 		},
 	)
 }
-
-// cspPolicy is the Content-Security-Policy header value applied to all
-// responses.  The embedded SPA loads scripts and styles from same-origin
-// files only (no inline scripts or inline style attributes), so a strict
-// policy works without 'unsafe-inline'.
-const cspPolicy = "default-src 'self'; " +
-	"script-src 'self'; " +
-	"style-src 'self'; " +
-	"connect-src 'self'; " +
-	"img-src 'self'; " +
-	"font-src 'self'; " +
-	"object-src 'none'; " +
-	"frame-ancestors 'none'; " +
-	"base-uri 'self'; " +
-	"form-action 'self'"
-
-// CSP returns middleware that sets the Content-Security-Policy header on
-// every response for defense-in-depth against XSS.
-func (mware *Middleware) CSP() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(
-			func(
-				writer http.ResponseWriter,
-				request *http.Request,
-			) {
-				writer.Header().Set(
-					"Content-Security-Policy",
-					cspPolicy,
-				)
-				next.ServeHTTP(writer, request)
-			})
-	}
-}
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -16,6 +16,11 @@ import (

 const routeTimeout = 60 * time.Second

+// cspHeader is the Content-Security-Policy applied to the embedded web SPA.
+// The SPA loads external scripts and stylesheets from the same origin only;
+// all API communication uses same-origin fetch (no WebSockets).
+const cspHeader = "default-src 'self'; script-src 'self'; style-src 'self'"
+
 // SetupRoutes configures the HTTP routes and middleware.
 func (srv *Server) SetupRoutes() {
 	srv.router = chi.NewRouter()
@@ -29,7 +34,6 @@ func (srv *Server) SetupRoutes() {
 	}

 	srv.router.Use(srv.mw.CORS())
-	srv.router.Use(srv.mw.CSP())
 	srv.router.Use(middleware.Timeout(routeTimeout))

 	if srv.sentryEnabled {
@@ -134,6 +138,11 @@ func (srv *Server) setupSPA() {
 		writer http.ResponseWriter,
 		request *http.Request,
 	) {
+		writer.Header().Set(
+			"Content-Security-Policy",
+			cspHeader,
+		)
+
 		readFS, ok := distFS.(fs.ReadFileFS)
 		if !ok {
 			fileServer.ServeHTTP(writer, request)
--- a/pkg/irc/numerics.go
+++ b/pkg/irc/numerics.go
@@ -1,391 +0,0 @@
-// Package irc provides constants and utilities for the
-// IRC protocol, including numeric reply codes from
-// RFC 1459 and RFC 2812, and standard command names.
-package irc
-
-import (
-	"errors"
-	"fmt"
-)
-
-// IRCMessageType represents an IRC numeric reply or error code.
-type IRCMessageType int //nolint:revive // Name requested by project owner.
-
-// Name returns the standard IRC name for this numeric code
-// (e.g., IRCMessageType(252).Name() returns "RPL_LUSEROP").
-// Returns an empty string if the code is unknown.
-func (t IRCMessageType) Name() string {
-	return names[t]
-}
-
-// String returns the name and numeric code in angle brackets
-// (e.g., IRCMessageType(252).String() returns "RPL_LUSEROP <252>").
-// If the code is unknown, returns "UNKNOWN <NNN>".
-func (t IRCMessageType) String() string {
-	n := names[t]
-	if n == "" {
-		n = "UNKNOWN"
-	}
-
-	return fmt.Sprintf("%s <%03d>", n, int(t))
-}
-
-// Code returns the three-digit zero-padded string representation
-// of the numeric code (e.g., IRCMessageType(252).Code() returns "252").
-func (t IRCMessageType) Code() string {
-	return fmt.Sprintf("%03d", int(t))
-}
-
-// Int returns the bare integer value of the numeric code.
-func (t IRCMessageType) Int() int {
-	return int(t)
-}
-
-// ErrUnknownNumeric is returned by FromInt when the numeric code is not recognized.
-var ErrUnknownNumeric = errors.New("unknown IRC numeric code")
-
-// FromInt converts an integer to an IRCMessageType, returning an error
-// if the numeric code is not a known IRC reply or error code.
-func FromInt(n int) (IRCMessageType, error) {
-	t := IRCMessageType(n)
-	if _, ok := names[t]; !ok {
-		return 0, fmt.Errorf("%w: %d", ErrUnknownNumeric, n)
-	}
-
-	return t, nil
-}
-
-// Connection registration replies (001-005).
-const (
-	RplWelcome  IRCMessageType = 1
-	RplYourHost IRCMessageType = 2
-	RplCreated  IRCMessageType = 3
-	RplMyInfo   IRCMessageType = 4
-	RplBounce   IRCMessageType = 5 // RFC 2812; also known as RPL_ISUPPORT in practice
-	RplIsupport IRCMessageType = 5 // De-facto standard (same numeric as RplBounce)
-)
-
-// Command responses (200-399).
-const (
-	// RFC 2812 trace/stats/links replies (200-219).
-	RplTraceLink       IRCMessageType = 200
-	RplTraceConnecting IRCMessageType = 201
-	RplTraceHandshake  IRCMessageType = 202
-	RplTraceUnknown    IRCMessageType = 203
-	RplTraceOperator   IRCMessageType = 204
-	RplTraceUser       IRCMessageType = 205
-	RplTraceServer     IRCMessageType = 206
-	RplTraceService    IRCMessageType = 207
-	RplTraceNewType    IRCMessageType = 208
-	RplTraceClass      IRCMessageType = 209
-	RplStatsLinkInfo   IRCMessageType = 211
-	RplStatsCommands   IRCMessageType = 212
-	RplStatsCLine      IRCMessageType = 213
-	RplStatsNLine      IRCMessageType = 214
-	RplStatsILine      IRCMessageType = 215
-	RplStatsKLine      IRCMessageType = 216
-	RplStatsQLine      IRCMessageType = 217
-	RplStatsYLine      IRCMessageType = 218
-	RplEndOfStats      IRCMessageType = 219
-
-	RplUmodeIs      IRCMessageType = 221
-	RplServList     IRCMessageType = 234
-	RplServListEnd  IRCMessageType = 235
-	RplStatsLLine   IRCMessageType = 241
-	RplStatsUptime  IRCMessageType = 242
-	RplStatsOLine   IRCMessageType = 243
-	RplStatsHLine   IRCMessageType = 244
-	RplLuserClient  IRCMessageType = 251
-	RplLuserOp      IRCMessageType = 252
-	RplLuserUnknown IRCMessageType = 253
-
-	RplLuserChannels IRCMessageType = 254
-	RplLuserMe       IRCMessageType = 255
-	RplAdminMe       IRCMessageType = 256
-	RplAdminLoc1     IRCMessageType = 257
-	RplAdminLoc2     IRCMessageType = 258
-	RplAdminEmail    IRCMessageType = 259
-	RplTraceLog      IRCMessageType = 261
-	RplTraceEnd      IRCMessageType = 262
-	RplTryAgain      IRCMessageType = 263
-
-	RplAway          IRCMessageType = 301
-	RplUserHost      IRCMessageType = 302
-	RplIson          IRCMessageType = 303
-	RplUnaway        IRCMessageType = 305
-	RplNowAway       IRCMessageType = 306
-	RplWhoisUser     IRCMessageType = 311
-	RplWhoisServer   IRCMessageType = 312
-	RplWhoisOperator IRCMessageType = 313
-	RplWhoWasUser    IRCMessageType = 314
-	RplEndOfWho      IRCMessageType = 315
-	RplWhoisIdle     IRCMessageType = 317
-	RplEndOfWhois    IRCMessageType = 318
-	RplWhoisChannels IRCMessageType = 319
-	RplListStart     IRCMessageType = 321
-	RplList          IRCMessageType = 322
-	RplListEnd       IRCMessageType = 323
-	RplChannelModeIs IRCMessageType = 324
-
-	RplUniqOpIs        IRCMessageType = 325
-	RplCreationTime    IRCMessageType = 329
-	RplNoTopic         IRCMessageType = 331
-	RplTopic           IRCMessageType = 332
-	RplTopicWhoTime    IRCMessageType = 333
-	RplInviting        IRCMessageType = 341
-	RplSummoning       IRCMessageType = 342
-	RplInviteList      IRCMessageType = 346
-	RplEndOfInviteList IRCMessageType = 347
-	RplExceptList      IRCMessageType = 348
-	RplEndOfExceptList IRCMessageType = 349
-	RplVersion         IRCMessageType = 351
-	RplWhoReply        IRCMessageType = 352
-	RplNamReply        IRCMessageType = 353
-	RplLinks           IRCMessageType = 364
-	RplEndOfLinks      IRCMessageType = 365
-	RplEndOfNames      IRCMessageType = 366
-	RplBanList         IRCMessageType = 367
-	RplEndOfBanList    IRCMessageType = 368
-	RplEndOfWhowas     IRCMessageType = 369
-	RplInfo            IRCMessageType = 371
-	RplMotd            IRCMessageType = 372
-	RplEndOfInfo       IRCMessageType = 374
-	RplMotdStart       IRCMessageType = 375
-	RplEndOfMotd       IRCMessageType = 376
-	RplYoureOper       IRCMessageType = 381
-	RplRehashing       IRCMessageType = 382
-	RplYoureService    IRCMessageType = 383
-	RplTime            IRCMessageType = 391
-	RplUsersStart      IRCMessageType = 392
-	RplUsers           IRCMessageType = 393
-	RplEndOfUsers      IRCMessageType = 394
-	RplNoUsers         IRCMessageType = 395
-)
-
-// Error replies (400-599).
-const (
-	ErrNoSuchNick       IRCMessageType = 401
-	ErrNoSuchServer     IRCMessageType = 402
-	ErrNoSuchChannel    IRCMessageType = 403
-	ErrCannotSendToChan IRCMessageType = 404
-	ErrTooManyChannels  IRCMessageType = 405
-	ErrWasNoSuchNick    IRCMessageType = 406
-	ErrTooManyTargets   IRCMessageType = 407
-	ErrNoSuchService    IRCMessageType = 408
-	ErrNoOrigin         IRCMessageType = 409
-	ErrNoRecipient      IRCMessageType = 411
-	ErrNoTextToSend     IRCMessageType = 412
-	ErrNoTopLevel       IRCMessageType = 413
-	ErrWildTopLevel     IRCMessageType = 414
-	ErrBadMask          IRCMessageType = 415
-	ErrUnknownCommand   IRCMessageType = 421
-	ErrNoMotd           IRCMessageType = 422
-	ErrNoAdminInfo      IRCMessageType = 423
-	ErrFileError        IRCMessageType = 424
-	ErrNoNicknameGiven  IRCMessageType = 431
-	ErrErroneusNickname IRCMessageType = 432
-	ErrNicknameInUse    IRCMessageType = 433
-	ErrNickCollision    IRCMessageType = 436
-	ErrUnavailResource  IRCMessageType = 437
-
-	ErrUserNotInChannel  IRCMessageType = 441
-	ErrNotOnChannel      IRCMessageType = 442
-	ErrUserOnChannel     IRCMessageType = 443
-	ErrNoLogin           IRCMessageType = 444
-	ErrSummonDisabled    IRCMessageType = 445
-	ErrUsersDisabled     IRCMessageType = 446
-	ErrNotRegistered     IRCMessageType = 451
-	ErrNeedMoreParams    IRCMessageType = 461
-	ErrAlreadyRegistered IRCMessageType = 462
-	ErrNoPermForHost     IRCMessageType = 463
-	ErrPasswdMismatch    IRCMessageType = 464
-	ErrYoureBannedCreep  IRCMessageType = 465
-	ErrYouWillBeBanned   IRCMessageType = 466
-	ErrKeySet            IRCMessageType = 467
-	ErrChannelIsFull     IRCMessageType = 471
-	ErrUnknownMode       IRCMessageType = 472
-	ErrInviteOnlyChan    IRCMessageType = 473
-	ErrBannedFromChan    IRCMessageType = 474
-	ErrBadChannelKey     IRCMessageType = 475
-	ErrBadChanMask       IRCMessageType = 476
-	ErrNoChanModes       IRCMessageType = 477
-	ErrBanListFull       IRCMessageType = 478
-	ErrNoPrivileges      IRCMessageType = 481
-	ErrChanOpPrivsNeeded IRCMessageType = 482
-	ErrCantKillServer    IRCMessageType = 483
-	ErrRestricted        IRCMessageType = 484
-	ErrUniqOpPrivsNeeded IRCMessageType = 485
-	ErrNoOperHost        IRCMessageType = 491
-
-	ErrUmodeUnknownFlag IRCMessageType = 501
-	ErrUsersDoNotMatch  IRCMessageType = 502
-)
-
-// names maps numeric codes to their standard IRC names.
-//
-//nolint:gochecknoglobals
-var names = map[IRCMessageType]string{
-	RplWelcome:  "RPL_WELCOME",
-	RplYourHost: "RPL_YOURHOST",
-	RplCreated:  "RPL_CREATED",
-	RplMyInfo:   "RPL_MYINFO",
-	RplBounce:   "RPL_BOUNCE",
-
-	RplTraceLink:       "RPL_TRACELINK",
-	RplTraceConnecting: "RPL_TRACECONNECTING",
-	RplTraceHandshake:  "RPL_TRACEHANDSHAKE",
-	RplTraceUnknown:    "RPL_TRACEUNKNOWN",
-	RplTraceOperator:   "RPL_TRACEOPERATOR",
-	RplTraceUser:       "RPL_TRACEUSER",
-	RplTraceServer:     "RPL_TRACESERVER",
-	RplTraceService:    "RPL_TRACESERVICE",
-	RplTraceNewType:    "RPL_TRACENEWTYPE",
-	RplTraceClass:      "RPL_TRACECLASS",
-	RplStatsLinkInfo:   "RPL_STATSLINKINFO",
-	RplStatsCommands:   "RPL_STATSCOMMANDS",
-	RplStatsCLine:      "RPL_STATSCLINE",
-	RplStatsNLine:      "RPL_STATSNLINE",
-	RplStatsILine:      "RPL_STATSILINE",
-	RplStatsKLine:      "RPL_STATSKLINE",
-	RplStatsQLine:      "RPL_STATSQLINE",
-	RplStatsYLine:      "RPL_STATSYLINE",
-	RplEndOfStats:      "RPL_ENDOFSTATS",
-
-	RplUmodeIs:      "RPL_UMODEIS",
-	RplServList:     "RPL_SERVLIST",
-	RplServListEnd:  "RPL_SERVLISTEND",
-	RplStatsLLine:   "RPL_STATSLLINE",
-	RplStatsUptime:  "RPL_STATSUPTIME",
-	RplStatsOLine:   "RPL_STATSOLINE",
-	RplStatsHLine:   "RPL_STATSHLINE",
-	RplLuserClient:  "RPL_LUSERCLIENT",
-	RplLuserOp:      "RPL_LUSEROP",
-	RplLuserUnknown: "RPL_LUSERUNKNOWN",
-
-	RplLuserChannels: "RPL_LUSERCHANNELS",
-	RplLuserMe:       "RPL_LUSERME",
-	RplAdminMe:       "RPL_ADMINME",
-	RplAdminLoc1:     "RPL_ADMINLOC1",
-	RplAdminLoc2:     "RPL_ADMINLOC2",
-	RplAdminEmail:    "RPL_ADMINEMAIL",
-	RplTraceLog:      "RPL_TRACELOG",
-	RplTraceEnd:      "RPL_TRACEEND",
-	RplTryAgain:      "RPL_TRYAGAIN",
-
-	RplAway:          "RPL_AWAY",
-	RplUserHost:      "RPL_USERHOST",
-	RplIson:          "RPL_ISON",
-	RplUnaway:        "RPL_UNAWAY",
-	RplNowAway:       "RPL_NOWAWAY",
-	RplWhoisUser:     "RPL_WHOISUSER",
-	RplWhoisServer:   "RPL_WHOISSERVER",
-	RplWhoisOperator: "RPL_WHOISOPERATOR",
-	RplWhoWasUser:    "RPL_WHOWASUSER",
-	RplEndOfWho:      "RPL_ENDOFWHO",
-	RplWhoisIdle:     "RPL_WHOISIDLE",
-	RplEndOfWhois:    "RPL_ENDOFWHOIS",
-	RplWhoisChannels: "RPL_WHOISCHANNELS",
-	RplListStart:     "RPL_LISTSTART",
-	RplList:          "RPL_LIST",
-	RplListEnd:       "RPL_LISTEND", //nolint:misspell
-	RplChannelModeIs: "RPL_CHANNELMODEIS",
-
-	RplUniqOpIs:        "RPL_UNIQOPIS",
-	RplCreationTime:    "RPL_CREATIONTIME",
-	RplNoTopic:         "RPL_NOTOPIC",
-	RplTopic:           "RPL_TOPIC",
-	RplTopicWhoTime:    "RPL_TOPICWHOTIME",
-	RplInviting:        "RPL_INVITING",
-	RplSummoning:       "RPL_SUMMONING",
-	RplInviteList:      "RPL_INVITELIST",
-	RplEndOfInviteList: "RPL_ENDOFINVITELIST",
-	RplExceptList:      "RPL_EXCEPTLIST",
-	RplEndOfExceptList: "RPL_ENDOFEXCEPTLIST",
-	RplVersion:         "RPL_VERSION",
-	RplWhoReply:        "RPL_WHOREPLY",
-	RplNamReply:        "RPL_NAMREPLY",
-	RplLinks:           "RPL_LINKS",
-	RplEndOfLinks:      "RPL_ENDOFLINKS",
-	RplEndOfNames:      "RPL_ENDOFNAMES",
-	RplBanList:         "RPL_BANLIST",
-	RplEndOfBanList:    "RPL_ENDOFBANLIST",
-	RplEndOfWhowas:     "RPL_ENDOFWHOWAS",
-	RplInfo:            "RPL_INFO",
-	RplMotd:            "RPL_MOTD",
-	RplEndOfInfo:       "RPL_ENDOFINFO",
-	RplMotdStart:       "RPL_MOTDSTART",
-	RplEndOfMotd:       "RPL_ENDOFMOTD",
-	RplYoureOper:       "RPL_YOUREOPER",
-	RplRehashing:       "RPL_REHASHING",
-	RplYoureService:    "RPL_YOURESERVICE",
-	RplTime:            "RPL_TIME",
-	RplUsersStart:      "RPL_USERSSTART",
-	RplUsers:           "RPL_USERS",
-	RplEndOfUsers:      "RPL_ENDOFUSERS",
-	RplNoUsers:         "RPL_NOUSERS",
-
-	ErrNoSuchNick:       "ERR_NOSUCHNICK",
-	ErrNoSuchServer:     "ERR_NOSUCHSERVER",
-	ErrNoSuchChannel:    "ERR_NOSUCHCHANNEL",
-	ErrCannotSendToChan: "ERR_CANNOTSENDTOCHAN",
-	ErrTooManyChannels:  "ERR_TOOMANYCHANNELS",
-	ErrWasNoSuchNick:    "ERR_WASNOSUCHNICK",
-	ErrTooManyTargets:   "ERR_TOOMANYTARGETS",
-	ErrNoSuchService:    "ERR_NOSUCHSERVICE",
-	ErrNoOrigin:         "ERR_NOORIGIN",
-	ErrNoRecipient:      "ERR_NORECIPIENT",
-	ErrNoTextToSend:     "ERR_NOTEXTTOSEND",
-	ErrNoTopLevel:       "ERR_NOTOPLEVEL",
-	ErrWildTopLevel:     "ERR_WILDTOPLEVEL",
-	ErrBadMask:          "ERR_BADMASK",
-	ErrUnknownCommand:   "ERR_UNKNOWNCOMMAND",
-	ErrNoMotd:           "ERR_NOMOTD",
-	ErrNoAdminInfo:      "ERR_NOADMININFO",
-	ErrFileError:        "ERR_FILEERROR",
-	ErrNoNicknameGiven:  "ERR_NONICKNAMEGIVEN",
-	ErrErroneusNickname: "ERR_ERRONEUSNICKNAME",
-	ErrNicknameInUse:    "ERR_NICKNAMEINUSE",
-	ErrNickCollision:    "ERR_NICKCOLLISION",
-	ErrUnavailResource:  "ERR_UNAVAILRESOURCE",
-
-	ErrUserNotInChannel:  "ERR_USERNOTINCHANNEL",
-	ErrNotOnChannel:      "ERR_NOTONCHANNEL",
-	ErrUserOnChannel:     "ERR_USERONCHANNEL",
-	ErrNoLogin:           "ERR_NOLOGIN",
-	ErrSummonDisabled:    "ERR_SUMMONDISABLED",
-	ErrUsersDisabled:     "ERR_USERSDISABLED",
-	ErrNotRegistered:     "ERR_NOTREGISTERED",
-	ErrNeedMoreParams:    "ERR_NEEDMOREPARAMS",
-	ErrAlreadyRegistered: "ERR_ALREADYREGISTERED",
-	ErrNoPermForHost:     "ERR_NOPERMFORHOST",
-	ErrPasswdMismatch:    "ERR_PASSWDMISMATCH",
-	ErrYoureBannedCreep:  "ERR_YOUREBANNEDCREEP",
-	ErrYouWillBeBanned:   "ERR_YOUWILLBEBANNED",
-	ErrKeySet:            "ERR_KEYSET",
-	ErrChannelIsFull:     "ERR_CHANNELISFULL",
-	ErrUnknownMode:       "ERR_UNKNOWNMODE",
-	ErrInviteOnlyChan:    "ERR_INVITEONLYCHAN",
-	ErrBannedFromChan:    "ERR_BANNEDFROMCHAN",
-	ErrBadChannelKey:     "ERR_BADCHANNELKEY",
-	ErrBadChanMask:       "ERR_BADCHANMASK",
-	ErrNoChanModes:       "ERR_NOCHANMODES",
-	ErrBanListFull:       "ERR_BANLISTFULL",
-	ErrNoPrivileges:      "ERR_NOPRIVILEGES",
-	ErrChanOpPrivsNeeded: "ERR_CHANOPRIVSNEEDED",
-	ErrCantKillServer:    "ERR_CANTKILLSERVER",
-	ErrRestricted:        "ERR_RESTRICTED",
-	ErrUniqOpPrivsNeeded: "ERR_UNIQOPPRIVSNEEDED",
-	ErrNoOperHost:        "ERR_NOOPERHOST",
-
-	ErrUmodeUnknownFlag: "ERR_UMODEUNKNOWNFLAG",
-	ErrUsersDoNotMatch:  "ERR_USERSDONTMATCH",
-}
-
-// Name returns the standard IRC name for a numeric code
-// (e.g., Name(2) returns "RPL_YOURHOST"). Returns an
-// empty string if the code is unknown.
-//
-// Deprecated: Use IRCMessageType.Name() instead.
-func Name(code IRCMessageType) string {
-	return names[code]
-}
--- a/pkg/irc/numerics_test.go
+++ b/pkg/irc/numerics_test.go
@@ -1,163 +0,0 @@
-package irc_test
-
-import (
-	"errors"
-	"testing"
-
-	"git.eeqj.de/sneak/neoirc/pkg/irc"
-)
-
-func TestName(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		numeric irc.IRCMessageType
-		want    string
-	}{
-		{irc.RplWelcome, "RPL_WELCOME"},
-		{irc.RplBounce, "RPL_BOUNCE"},
-		{irc.RplLuserOp, "RPL_LUSEROP"},
-		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN"},
-		{irc.ErrNicknameInUse, "ERR_NICKNAMEINUSE"},
-	}
-
-	for _, tc := range tests {
-		if got := tc.numeric.Name(); got != tc.want {
-			t.Errorf("IRCMessageType(%d).Name() = %q, want %q", tc.numeric.Int(), got, tc.want)
-		}
-	}
-}
-
-func TestString(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		numeric irc.IRCMessageType
-		want    string
-	}{
-		{irc.RplWelcome, "RPL_WELCOME <001>"},
-		{irc.RplBounce, "RPL_BOUNCE <005>"},
-		{irc.RplLuserOp, "RPL_LUSEROP <252>"},
-		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN <404>"},
-	}
-
-	for _, tc := range tests {
-		if got := tc.numeric.String(); got != tc.want {
-			t.Errorf("IRCMessageType(%d).String() = %q, want %q", tc.numeric.Int(), got, tc.want)
-		}
-	}
-}
-
-func TestCode(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		numeric irc.IRCMessageType
-		want    string
-	}{
-		{irc.RplWelcome, "001"},
-		{irc.RplBounce, "005"},
-		{irc.RplLuserOp, "252"},
-		{irc.ErrCannotSendToChan, "404"},
-	}
-
-	for _, tc := range tests {
-		if got := tc.numeric.Code(); got != tc.want {
-			t.Errorf("IRCMessageType(%d).Code() = %q, want %q", tc.numeric.Int(), got, tc.want)
-		}
-	}
-}
-
-func TestInt(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		numeric irc.IRCMessageType
-		want    int
-	}{
-		{irc.RplWelcome, 1},
-		{irc.RplBounce, 5},
-		{irc.RplLuserOp, 252},
-		{irc.ErrCannotSendToChan, 404},
-	}
-
-	for _, tc := range tests {
-		if got := tc.numeric.Int(); got != tc.want {
-			t.Errorf("IRCMessageType(%d).Int() = %d, want %d", tc.want, got, tc.want)
-		}
-	}
-}
-
-func TestFromInt_Known(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		code int
-		want irc.IRCMessageType
-	}{
-		{1, irc.RplWelcome},
-		{5, irc.RplBounce},
-		{252, irc.RplLuserOp},
-		{404, irc.ErrCannotSendToChan},
-		{433, irc.ErrNicknameInUse},
-	}
-
-	for _, test := range tests {
-		got, err := irc.FromInt(test.code)
-		if err != nil {
-			t.Errorf("FromInt(%d) returned unexpected error: %v", test.code, err)
-
-			continue
-		}
-
-		if got != test.want {
-			t.Errorf("FromInt(%d) = %v, want %v", test.code, got, test.want)
-		}
-	}
-}
-
-func TestFromInt_Unknown(t *testing.T) {
-	t.Parallel()
-
-	unknowns := []int{0, 999, 600, -1}
-	for _, code := range unknowns {
-		_, err := irc.FromInt(code)
-		if err == nil {
-			t.Errorf("FromInt(%d) expected error, got nil", code)
-
-			continue
-		}
-
-		if !errors.Is(err, irc.ErrUnknownNumeric) {
-			t.Errorf("FromInt(%d) error = %v, want ErrUnknownNumeric", code, err)
-		}
-	}
-}
-
-func TestUnknownNumeric_Name(t *testing.T) {
-	t.Parallel()
-
-	unknown := irc.IRCMessageType(999)
-	if got := unknown.Name(); got != "" {
-		t.Errorf("IRCMessageType(999).Name() = %q, want empty string", got)
-	}
-}
-
-func TestUnknownNumeric_String(t *testing.T) {
-	t.Parallel()
-
-	unknown := irc.IRCMessageType(999)
-	want := "UNKNOWN <999>"
-
-	if got := unknown.String(); got != want {
-		t.Errorf("IRCMessageType(999).String() = %q, want %q", got, want)
-	}
-}
-
-func TestDeprecatedNameFunc(t *testing.T) {
-	t.Parallel()
-
-	if got := irc.Name(irc.RplYourHost); got != "RPL_YOURHOST" {
-		t.Errorf("Name(RplYourHost) = %q, want %q", got, "RPL_YOURHOST")
-	}
-}