feat: per-channel hashcash proof-of-work for PRIVMSG anti-spam

Add per-channel hashcash requirement via MODE +H <bits>. When set,
PRIVMSG to the channel must include a valid hashcash stamp in the
meta.hashcash field bound to the channel name and message body hash.

Server validates stamp format, difficulty, date freshness, channel
binding, body hash binding, and proof-of-work. Spent stamps are
persisted to SQLite with 1-year TTL for replay prevention.

Stamp format: 1:bits:YYMMDD:channel:bodyhash:counter

Changes:
- Schema: add hashcash_bits column to channels, spent_hashcash table
- DB: queries for get/set channel hashcash bits, spent token CRUD
- Hashcash: ChannelValidator, BodyHash, StampHash, MintChannelStamp
- Handlers: validate hashcash on PRIVMSG, MODE +H/-H support
- Pass meta through fanOut chain to store in messages
- Prune spent hashcash tokens in cleanup loop (1-year TTL)
- Client: MintChannelHashcash helper for CLI
- Tests: 12 new channel_test.go + 10 new api_test.go integration tests
- README: document +H mode, stamp format, and usage

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt fmt-check test check clean run debug docker hooks
+.PHONY: all build lint fmt fmt-check test check clean run debug docker hooks ensure-web-dist
 
 BINARY := neoircd
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
@@ -7,10 +7,21 @@ LDFLAGS := -X main.Version=$(VERSION) -X main.Buildarch=$(BUILDARCH)
 
 all: check build
 
-build:
+# ensure-web-dist creates placeholder files so //go:embed dist/* in
+# web/embed.go resolves without a full Node.js build.  The real SPA is
+# built by the web-builder Docker stage; these placeholders let
+# "make test" and "make build" work outside Docker.
+ensure-web-dist:
+	@if [ ! -d web/dist ]; then \
+		mkdir -p web/dist && \
+		touch web/dist/index.html web/dist/style.css web/dist/app.js && \
+		echo "==> Created placeholder web/dist/ for go:embed"; \
+	fi
+
+build: ensure-web-dist
 	go build -ldflags "$(LDFLAGS)" -o bin/$(BINARY) ./cmd/neoircd
 
-lint:
+lint: ensure-web-dist
 	golangci-lint run --config .golangci.yml ./...
 
 fmt:
@@ -20,7 +31,7 @@ fmt:
 fmt-check:
 	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
 
-test:
+test: ensure-web-dist
 	go test -timeout 30s -v -race -cover ./...
 
 # check runs all validation without making changes

README.md

@@ -113,8 +113,9 @@ mechanisms or stuffing data into CTCP.
 Everything else is IRC. `PRIVMSG`, `JOIN`, `PART`, `NICK`, `TOPIC`, `MODE`,
 `KICK`, `353`, `433` — same commands, same semantics. Channels start with `#`.
 Joining a nonexistent channel creates it. Channels disappear when empty. Nicks
-are unique per server. There are no accounts — identity is a key, a nick is a
-display name.
+are unique per server. Identity starts with a key — a nick is a display name.
+Accounts are optional: you can create an anonymous session instantly, or
+register with a password for multi-client access to a single session.
 
 ### On the resemblance to JSON-RPC
 
@@ -148,16 +149,45 @@ not arbitrary choices — each one follows from the project's core thesis that
 IRC's command model is correct and only the transport and session management
 need to change.
 
-### Identity & Sessions — No Accounts
+### Identity & Sessions — Dual Authentication Model
 
-There are no accounts, no registration, no passwords. Identity is a signing
-key; a nick is just a display name. The two are decoupled.
+The server supports two authentication paths: **anonymous sessions** for
+instant access, and **optional account registration** for multi-client access.
+
+#### Anonymous Sessions (No Account Required)
+
+The simplest entry point. No registration, no passwords.
 
 - **Session creation**: client sends `POST /api/v1/session` with a desired
   nick → server assigns an **auth token** (64 hex characters of
   cryptographically random bytes) and returns the user ID, nick, and token.
 - The auth token implicitly identifies the client. Clients present it via
   `Authorization: Bearer <token>`.
+- Anonymous sessions are ephemeral — when the session expires or the user
+  QUITs, the nick is released and there is no way to reclaim it.
+
+#### Registered Accounts (Optional)
+
+For users who want multi-client access (multiple devices sharing one session):
+
+- **Registration**: client sends `POST /api/v1/register` with a nick and
+  password (minimum 8 characters) → server creates a session with the
+  password hashed via bcrypt, and returns the user ID, nick, and auth token.
+- **Login**: client sends `POST /api/v1/login` with nick and password →
+  server verifies the password against the stored bcrypt hash and creates a
+  new client token for the existing session. This enables multi-client
+  access: logging in from a new device adds a client to the existing session
+  rather than creating a new one, so channel memberships and message queues
+  are shared. Note: login only works while the session still exists — if all
+  clients have logged out or the user has sent QUIT, the session is deleted
+  and the registration is lost.
+- Registered accounts cannot be logged into via `POST /api/v1/session` —
+  that endpoint is for anonymous sessions only.
+- Anonymous sessions (created via `/session`) cannot be logged into via
+  `/login` because they have no password set.
+
+#### Common Properties (Both Paths)
+
 - Nicks are changeable via the `NICK` command; the server-assigned user ID is
   the stable identity.
 - Server-assigned IDs — clients do not choose their own IDs.
@@ -165,11 +195,17 @@ key; a nick is just a display name. The two are decoupled.
   in the token, no client-side decode. The server is the sole authority on
   token validity.
 
-**Rationale:** IRC has no accounts. You connect, pick a nick, and talk. Adding
-registration, email verification, or OAuth would solve a problem nobody asked
-about and add complexity that drives away casual users. Identity verification
-is handled at the message layer via cryptographic signatures (see
-[Security Model](#security-model)), not at the session layer.
+**Rationale:** IRC has no accounts. You connect, pick a nick, and talk.
+Anonymous sessions preserve that simplicity — instant access, zero friction.
+But some users want to access the same session from multiple devices without
+a bouncer. Optional registration with password enables multi-client login
+without adding friction for casual users: if you don't want an account,
+don't create one. Note: in the current implementation, both anonymous and
+registered sessions are deleted when the last client disconnects (QUIT or
+logout); registration does not make a session survive all-client
+removal. Identity verification at the message layer via cryptographic
+signatures (see [Security Model](#security-model)) remains independent
+of account registration.
 
 ### Nick Semantics
 
@@ -207,12 +243,12 @@ User Session
 └── Client C (token_c, queue_c)
 ```
 
-**Current MVP note:** The current implementation creates a new user (with new
-nick) per `POST /api/v1/session` call. True multi-client (multiple tokens
-sharing one nick/session) is supported by the schema (`client_queues` is keyed
-by user_id, and multiple tokens can point to the same user) but the session
-creation endpoint does not yet support "add a client to an existing session."
-This will be added post-MVP.
+**Multi-client via login:** The `POST /api/v1/login` endpoint adds a new
+client to an existing registered session, enabling true multi-client support
+(multiple tokens sharing one nick/session with independent message queues).
+Anonymous sessions created via `POST /api/v1/session` always create a new
+user with a new nick. A future endpoint to "add a client to an existing
+anonymous session" is planned but not yet implemented.
 
 **Rationale:** The fundamental IRC mobile problem is that you can't have your
 phone and laptop connected simultaneously without a bouncer. Server-side
@@ -327,8 +363,8 @@ needs to revoke a token, change the expiry model, or add/remove claims, JWT
 clients may break or behave incorrectly.
 
 Opaque tokens are simpler:
-- Server generates 32 random bytes → hex-encodes → stores hash
-- Client presents the token; server looks it up
+- Server generates 32 random bytes → hex-encodes → stores SHA-256 hash
+- Client presents the raw token; server hashes and looks it up
 - Revocation is a database delete
 - No clock skew issues, no algorithm confusion, no "none" algorithm attacks
 - Token format can change without breaking clients
@@ -355,6 +391,8 @@ The entire read/write loop for a client is two endpoints. Everything else
 
 ### Session Lifecycle
 
+#### Anonymous Session
+
 ```
 ┌─ Client ──────────────────────────────────────────────────┐
 │                                                            │
@@ -385,6 +423,30 @@ The entire read/write loop for a client is two endpoints. Everything else
 └────────────────────────────────────────────────────────────┘
 ```
 
+#### Registered Account
+
+```
+┌─ Client ──────────────────────────────────────────────────┐
+│                                                            │
+│  1. POST /api/v1/register                                  │
+│     {"nick":"alice", "password":"s3cret!!"}                │
+│     → {"id":1, "nick":"alice", "token":"a1b2c3..."}       │
+│     (Session created with bcrypt-hashed password)          │
+│                                                            │
+│  ... use the API normally (JOIN, PRIVMSG, poll, etc.) ...  │
+│                                                            │
+│  (From another device, while session is still active)      │
+│                                                            │
+│  2. POST /api/v1/login                                     │
+│     {"nick":"alice", "password":"s3cret!!"}                │
+│     → {"id":1, "nick":"alice", "token":"d4e5f6..."}       │
+│     (New client added to existing session — channels       │
+│      and message queues are preserved. If all clients      │
+│      have logged out, session no longer exists.)           │
+│                                                            │
+└────────────────────────────────────────────────────────────┘
+```
+
 ### Queue Architecture
 
 ```
@@ -461,7 +523,7 @@ the same JSON envelope:
 | `params`  | array of strings    | Sometimes | Sometimes | Additional IRC-style positional parameters. Used by commands like `MODE`, `KICK`, and numeric replies like `353` (NAMES). |
 | `body`    | array or object     | Usually   | Usually   | Structured message body. For text messages: array of strings (one per line). For structured data (e.g., `PUBKEY`): JSON object. **Never a raw string.** |
 | `ts`      | string (ISO 8601)   | Ignored   | Always    | Server-assigned timestamp in RFC 3339 / ISO 8601 format with nanosecond precision. Example: `"2026-02-10T20:00:00.000000000Z"`. Always UTC. |
-| `meta`    | object              | Optional  | If present | Extensible metadata. Used for cryptographic signatures (`meta.sig`, `meta.alg`), content hashes, or any client-defined key/value pairs. Server relays `meta` verbatim — it does not interpret or validate it. |
+| `meta`    | object              | Optional  | If present | Extensible metadata. Used for cryptographic signatures (`meta.sig`, `meta.alg`), hashcash proof-of-work (`meta.hashcash`), content hashes, or any client-defined key/value pairs. Server relays `meta` verbatim except for `hashcash` which is validated on channels with `+H` mode. |
 
 **Important invariants:**
 
@@ -951,12 +1013,13 @@ carries IRC-style parameters (e.g., channel name, target nick).
 Inspired by IRC, simplified:
 
 | Mode | Name           | Meaning |
-|------|--------------|---------|
+|------|----------------|---------|
 | `+i` | Invite-only    | Only invited users can join |
 | `+m` | Moderated      | Only voiced (`+v`) users and operators (`+o`) can send |
 | `+s` | Secret         | Channel hidden from LIST response |
 | `+t` | Topic lock     | Only operators can change the topic |
 | `+n` | No external    | Only channel members can send messages to the channel |
+| `+H` | Hashcash       | Requires proof-of-work for PRIVMSG (parameter: bits, e.g. `+H 20`) |
 
 **User channel modes (set per-user per-channel):**
 
@@ -967,6 +1030,56 @@ Inspired by IRC, simplified:
 
 **Status:** Channel modes are defined but not yet enforced. The `modes` column
 exists in the channels table but the server does not check modes on actions.
+Exception: `+H` (hashcash) is fully enforced — see below.
+
+### Per-Channel Hashcash (Anti-Spam)
+
+Channels can require hashcash proof-of-work for every `PRIVMSG`. This is an
+anti-spam mechanism: channel operators set a difficulty level, and clients must
+compute a proof-of-work stamp bound to the specific channel and message before
+sending.
+
+**Setting the requirement:**
+
+```
+MODE #channel +H <bits>    — require <bits> leading zero bits (1-40)
+MODE #channel -H           — disable hashcash requirement
+```
+
+**Stamp format:** `1:bits:YYMMDD:channel:bodyhash:counter`
+
+- `bits` — difficulty (leading zero bits in SHA-256 hash of the stamp)
+- `YYMMDD` — current date (prevents old token reuse)
+- `channel` — channel name (prevents cross-channel reuse)
+- `bodyhash` — hex-encoded SHA-256 of the message body (binds stamp to message)
+- `counter` — hex nonce
+
+**Sending a message to a hashcash-protected channel:**
+
+Include the hashcash stamp in the `meta` field:
+
+```json
+{
+  "command": "PRIVMSG",
+  "to": "#general",
+  "body": ["hello world"],
+  "meta": {
+    "hashcash": "1:20:260317:#general:a1b2c3...bodyhash:1f4a"
+  }
+}
+```
+
+**Server validation:** The server checks that the stamp is well-formed, meets
+the required difficulty, is bound to the correct channel and message body, has a
+recent date, and has not been previously used. Spent stamps are cached for 1
+year to prevent replay attacks.
+
+**Error responses:** If the channel requires hashcash and the stamp is missing,
+invalid, or replayed, the server returns `ERR_CANNOTSENDTOCHAN (404)` with a
+descriptive reason.
+
+**Client minting:** The CLI provides `MintChannelHashcash(bits, channel, body)`
+to compute stamps. Higher bit counts take exponentially longer to compute.
 
 ---
 
@@ -1034,6 +1147,105 @@ TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/session \
 echo $TOKEN
 ```
 
+### POST /api/v1/register — Register Account
+
+Create a new user session with a password. The password is hashed
+with bcrypt and stored server-side. The password enables login from
+additional clients via `POST /api/v1/login` while the session
+remains active.
+
+**Request Body:**
+```json
+{"nick": "alice", "password": "mypassword"}
+```
+
+| Field      | Type   | Required | Constraints |
+|------------|--------|----------|-------------|
+| `nick`     | string | Yes      | 1–32 characters, must be unique on the server |
+| `password` | string | Yes      | Minimum 8 characters |
+
+**Response:** `201 Created`
+```json
+{
+  "id": 1,
+  "nick": "alice",
+  "token": "494ba9fc0f2242873fc5c285dd4a24fc3844ba5e67789a17e69b6fe5f8c132e3"
+}
+```
+
+| Field   | Type    | Description |
+|---------|---------|-------------|
+| `id`    | integer | Server-assigned user ID |
+| `nick`  | string  | Confirmed nick |
+| `token` | string  | 64-character hex auth token |
+
+**Errors:**
+
+| Status | Error | When |
+|--------|-------|------|
+| 400    | `invalid nick format` | Nick doesn't match allowed format |
+| 400    | `password must be at least 8 characters` | Password too short |
+| 409    | `nick already taken` | Another active session holds this nick |
+
+**curl example:**
+```bash
+TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/register \
+  -H 'Content-Type: application/json' \
+  -d '{"nick":"alice","password":"mypassword"}' | jq -r .token)
+echo $TOKEN
+```
+
+### POST /api/v1/login — Login to Account
+
+Authenticate with a previously registered nick and password. Creates a new
+client token for the existing session, preserving channel memberships and
+message queues. This is how multi-client access works for registered accounts:
+each login adds a new client to the session.
+
+On successful login, the server enqueues MOTD messages and synthetic channel
+state (JOIN + TOPIC + NAMES for each channel the session belongs to) into the
+new client's queue, so the client can immediately restore its UI state.
+
+**Request Body:**
+```json
+{"nick": "alice", "password": "mypassword"}
+```
+
+| Field      | Type   | Required | Constraints |
+|------------|--------|----------|-------------|
+| `nick`     | string | Yes      | Must match a registered account |
+| `password` | string | Yes      | Must match the account's password |
+
+**Response:** `200 OK`
+```json
+{
+  "id": 1,
+  "nick": "alice",
+  "token": "7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f"
+}
+```
+
+| Field   | Type    | Description |
+|---------|---------|-------------|
+| `id`    | integer | Session ID (same as when registered) |
+| `nick`  | string  | Current nick |
+| `token` | string  | New 64-character hex auth token for this client |
+
+**Errors:**
+
+| Status | Error | When |
+|--------|-------|------|
+| 400    | `nick and password required` | Missing nick or password |
+| 401    | `invalid credentials` | Wrong password, nick not found, or account has no password |
+
+**curl example:**
+```bash
+TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/login \
+  -H 'Content-Type: application/json' \
+  -d '{"nick":"alice","password":"mypassword"}' | jq -r .token)
+echo $TOKEN
+```
+
 ### GET /api/v1/state — Get Session State
 
 Return the current user's session state.
@@ -1399,13 +1611,40 @@ Return server metadata. No authentication required.
 
 ### GET /.well-known/healthcheck.json — Health Check
 
-Standard health check endpoint. No authentication required.
+Standard health check endpoint. No authentication required. Returns server
+health status and runtime statistics.
 
 **Response:** `200 OK`
+
 ```json
-{"status": "ok"}
+{
+  "status": "ok",
+  "now": "2024-01-15T12:00:00.000000000Z",
+  "uptimeSeconds": 3600,
+  "uptimeHuman": "1h0m0s",
+  "version": "0.1.0",
+  "appname": "neoirc",
+  "maintenanceMode": false,
+  "sessions": 42,
+  "clients": 85,
+  "queuedLines": 128,
+  "channels": 7,
+  "connectionsSinceBoot": 200,
+  "sessionsSinceBoot": 150,
+  "messagesSinceBoot": 5000
+}
 ```
 
+| Field                  | Description                                       |
+| ---------------------- | ------------------------------------------------- |
+| `sessions`             | Current number of active sessions                 |
+| `clients`              | Current number of connected clients               |
+| `queuedLines`          | Total entries in client output queues              |
+| `channels`             | Current number of channels                        |
+| `connectionsSinceBoot` | Total client connections since server start        |
+| `sessionsSinceBoot`    | Total sessions created since server start          |
+| `messagesSinceBoot`    | Total PRIVMSG/NOTICE messages sent since server start |
+
 ---
 
 ## Message Flow
@@ -1590,9 +1829,16 @@ authenticity.
 ### Authentication
 
 - **Session auth**: Opaque bearer tokens (64 hex chars = 256 bits of entropy).
-  Tokens are stored in the database and validated on every request.
-- **No passwords**: Session creation requires only a nick. The token is the
-  sole credential.
+  Tokens are hashed (SHA-256) before storage and validated on every request.
+- **Anonymous sessions**: `POST /api/v1/session` requires only a nick. No
+  password, instant access. The token is the sole credential.
+- **Registered accounts**: `POST /api/v1/register` accepts a nick and password
+  (minimum 8 characters). The password is hashed with bcrypt at the default
+  cost factor and stored alongside the session. `POST /api/v1/login`
+  authenticates against the stored hash and issues a new client token.
+- **Password security**: Passwords are never stored in plain text. bcrypt
+  handles salting and key stretching automatically. Anonymous sessions have
+  an empty `password_hash` and cannot be logged into via `/login`.
 - **Token security**: Tokens should be treated like session cookies. Transmit
   only over HTTPS in production. If a token is compromised, the attacker has
   full access to the session until QUIT or expiry.
@@ -1740,13 +1986,26 @@ The database schema is managed via embedded SQL migration files in
 
 **Current tables:**
 
-#### `users`
+#### `sessions`
+| Column         | Type     | Description |
+|----------------|----------|-------------|
+| `id`           | INTEGER  | Primary key (auto-increment) |
+| `uuid`         | TEXT     | Unique session UUID |
+| `nick`         | TEXT     | Unique nick |
+| `password_hash`| TEXT     | bcrypt hash (empty string for anonymous sessions) |
+| `signing_key`  | TEXT     | Public signing key (empty string if unset) |
+| `away_message` | TEXT     | Away message (empty string if not away) |
+| `created_at`   | DATETIME | Session creation time |
+| `last_seen`    | DATETIME | Last API request time |
+
+#### `clients`
 | Column      | Type     | Description |
 |-------------|----------|-------------|
 | `id`        | INTEGER  | Primary key (auto-increment) |
-| `nick`      | TEXT     | Unique nick |
-| `token`     | TEXT     | Unique auth token (64 hex chars) |
-| `created_at`| DATETIME | Session creation time |
+| `uuid`      | TEXT     | Unique client UUID |
+| `session_id`| INTEGER  | FK → sessions.id (cascade delete) |
+| `token`     | TEXT     | Unique auth token (SHA-256 hash of 64 hex chars) |
+| `created_at`| DATETIME | Client creation time |
 | `last_seen` | DATETIME | Last API request time |
 
 #### `channels`
@@ -1803,10 +2062,19 @@ skew issues) and simpler than UUIDs (integer comparison vs. string comparison).
 - **Client output queue entries**: Pruned automatically when older than
   `QUEUE_MAX_AGE` (default 30 days).
 - **Channels**: Deleted when the last member leaves (ephemeral).
-- **Users/sessions**: Deleted on `QUIT` or `POST /api/v1/logout`. Idle
-  sessions are automatically expired after `SESSION_IDLE_TIMEOUT` (default
-  30 days) — the server runs a background cleanup loop that parts idle users
-  from all channels, broadcasts QUIT, and releases their nicks.
+- **Sessions**: Both anonymous and registered sessions are deleted on `QUIT`
+  or when the last client logs out (`POST /api/v1/logout` with no remaining
+  clients triggers session cleanup). There is no distinction between session
+  types in the cleanup path — `handleQuit` and `cleanupUser` both call
+  `DeleteSession` unconditionally. Idle sessions are automatically expired
+  after `SESSION_IDLE_TIMEOUT`
+  (default 30 days) — the server runs a background cleanup loop that parts
+  idle users from all channels, broadcasts QUIT, and releases their nicks.
+- **Clients**: Individual client tokens are deleted on `POST /api/v1/logout`.
+  A session can have multiple clients; removing one doesn't affect others.
+  However, when the last client is removed (via logout), the entire session
+  is deleted — the user is parted from all channels, QUIT is broadcast, and
+  the nick is released.
 
 ---
 
@@ -1955,11 +2223,21 @@ A complete client needs only four HTTP calls:
 ### Step-by-Step with curl
 
 ```bash
-# 1. Create a session
+# 1a. Create an anonymous session (no account)
 export TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/session \
   -H 'Content-Type: application/json' \
   -d '{"nick":"testuser"}' | jq -r .token)
 
+# 1b. Or register an account (multi-client support)
+export TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/register \
+  -H 'Content-Type: application/json' \
+  -d '{"nick":"testuser","password":"mypassword"}' | jq -r .token)
+
+# 1c. Or login to an existing account
+export TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/login \
+  -H 'Content-Type: application/json' \
+  -d '{"nick":"testuser","password":"mypassword"}' | jq -r .token)
+
 # 2. Join a channel
 curl -s -X POST http://localhost:8080/api/v1/messages \
   -H "Authorization: Bearer $TOKEN" \
@@ -2092,9 +2370,11 @@ Clients should handle these message commands from the queue:
 
 ### Error Handling
 
-- **HTTP 401**: Token expired or invalid. Re-create session.
+- **HTTP 401**: Token expired or invalid. Re-create session (anonymous) or
+  re-login (registered account).
 - **HTTP 404**: Channel or user not found.
-- **HTTP 409**: Nick already taken (on session creation or NICK change).
+- **HTTP 409**: Nick already taken (on session creation, registration, or
+  NICK change).
 - **HTTP 400**: Malformed request. Check the `error` field in the response.
 - **Network errors**: Back off exponentially (1s, 2s, 4s, ..., max 30s).
 
@@ -2111,8 +2391,10 @@ Clients should handle these message commands from the queue:
 4. **DM tab logic**: When you receive a PRIVMSG where `to` is not a channel
    (no `#` prefix), the DM tab should be keyed by the **other** user's nick:
    if `from` is you, use `to`; if `from` is someone else, use `from`.
-5. **Reconnection**: If the poll loop fails with 401, the session is gone.
-   Create a new session. If it fails with a network error, retry with backoff.
+5. **Reconnection**: If the poll loop fails with 401, the token is invalid.
+   For anonymous sessions, create a new session. For registered accounts,
+   log in again via `POST /api/v1/login` to get a fresh token on the same
+   session. If it fails with a network error, retry with backoff.
 
 ---
 
@@ -2332,6 +2614,8 @@ neoirc/
 │   │   └── healthcheck.go  # Health check handler
 │   ├── healthcheck/        # Health check logic
 │   │   └── healthcheck.go
+│   ├── stats/              # Runtime statistics (atomic counters)
+│   │   └── stats.go
 │   ├── logger/             # slog-based logging
 │   │   └── logger.go
 │   ├── middleware/          # HTTP middleware (logging, CORS, metrics, auth)
@@ -2383,9 +2667,13 @@ neoirc/
    build a working IRC-style TUI client against this API in an afternoon, the
    API is too complex.
 
-2. **No accounts** — identity is a signing key, nick is a display name. No
-   registration, no passwords, no email verification. Session creation is
-   instant. The cost of entry is a hashcash proof, not bureaucracy.
+2. **Accounts optional** — anonymous sessions are instant: pick a nick and
+   talk. No registration, no email verification. The cost of entry is a
+   hashcash proof, not bureaucracy. For users who want multi-client access
+   (multiple devices sharing one session), optional account registration
+   with password is available — but never required. Identity
+   verification at the message layer uses cryptographic signing,
+   independent of account status.
 
 3. **IRC semantics over HTTP** — command names and numeric codes from
    RFC 1459/2812. If you've built an IRC client or bot, you already know the

cmd/neoircd/main.go

@@ -10,6 +10,7 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"git.eeqj.de/sneak/neoirc/internal/middleware"
 	"git.eeqj.de/sneak/neoirc/internal/server"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -35,6 +36,7 @@ func main() {
 			server.New,
 			middleware.New,
 			healthcheck.New,
+			stats.New,
 		),
 		fx.Invoke(func(*server.Server) {}),
 	).Run()

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8
 	github.com/gdamore/tcell/v2 v2.13.8
 	github.com/getsentry/sentry-go v0.42.0
-	github.com/go-chi/chi v1.5.5
+	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-chi/cors v1.2.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1

go.sum

@@ -18,8 +18,8 @@ github.com/gdamore/tcell/v2 v2.13.8 h1:Mys/Kl5wfC/GcC5Cx4C2BIQH9dbnhnkPgS9/wF3Rl
 github.com/gdamore/tcell/v2 v2.13.8/go.mod h1:+Wfe208WDdB7INEtCsNrAN6O2m+wsTPk1RAovjaILlo=
 github.com/getsentry/sentry-go v0.42.0 h1:eeFMACuZTbUQf90RE8dE4tXeSe4CZyfvR1MBL7RLEt8=
 github.com/getsentry/sentry-go v0.42.0/go.mod h1:eRXCoh3uvmjQLY6qu63BjUZnaBu5L5WhMV1RwYO8W5s=
-github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
-github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
+github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
+github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
 github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=

internal/cli/api/hashcash.go

@@ -7,6 +7,8 @@ import (
 	"fmt"
 	"math/big"
 	"time"
+
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
 )
 
 const (
@@ -37,6 +39,23 @@ func MintHashcash(bits int, resource string) string {
 	}
 }
 
+// MintChannelHashcash computes a hashcash stamp bound to
+// a specific channel and message body. The stamp format
+// is 1:bits:YYMMDD:channel:bodyhash:counter where
+// bodyhash is the hex-encoded SHA-256 of the message
+// body bytes. Delegates to the internal/hashcash package.
+func MintChannelHashcash(
+	bits int,
+	channel string,
+	body []byte,
+) string {
+	bodyHash := hashcash.BodyHash(body)
+
+	return hashcash.MintChannelStamp(
+		bits, channel, bodyHash,
+	)
+}
+
 // hasLeadingZeroBits checks if hash has at least numBits
 // leading zero bits.
 func hasLeadingZeroBits(

internal/db/queries.go

@@ -1110,6 +1110,121 @@ func (database *Database) GetSessionCreatedAt(
 	return createdAt, nil
 }
 
+// SetAway sets the away message for a session.
+// An empty message clears the away status.
+func (database *Database) SetAway(
+	ctx context.Context,
+	sessionID int64,
+	message string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		"UPDATE sessions SET away_message = ? WHERE id = ?",
+		message, sessionID)
+	if err != nil {
+		return fmt.Errorf("set away: %w", err)
+	}
+
+	return nil
+}
+
+// GetAway returns the away message for a session.
+// Returns an empty string if the user is not away.
+func (database *Database) GetAway(
+	ctx context.Context,
+	sessionID int64,
+) (string, error) {
+	var msg string
+
+	err := database.conn.QueryRowContext(ctx,
+		"SELECT away_message FROM sessions WHERE id = ?",
+		sessionID,
+	).Scan(&msg)
+	if err != nil {
+		return "", fmt.Errorf("get away: %w", err)
+	}
+
+	return msg, nil
+}
+
+// SetTopicMeta sets the topic along with who set it and
+// when.
+func (database *Database) SetTopicMeta(
+	ctx context.Context,
+	channelName, topic, setBy string,
+) error {
+	now := time.Now()
+
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET topic = ?, topic_set_by = ?,
+		     topic_set_at = ?, updated_at = ?
+		 WHERE name = ?`,
+		topic, setBy, now, now, channelName)
+	if err != nil {
+		return fmt.Errorf("set topic meta: %w", err)
+	}
+
+	return nil
+}
+
+// TopicMeta holds topic metadata for a channel.
+type TopicMeta struct {
+	SetBy string
+	SetAt time.Time
+}
+
+// GetTopicMeta returns who set the topic and when.
+func (database *Database) GetTopicMeta(
+	ctx context.Context,
+	channelID int64,
+) (*TopicMeta, error) {
+	var (
+		setBy string
+		setAt sql.NullTime
+	)
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT topic_set_by, topic_set_at
+		 FROM channels WHERE id = ?`,
+		channelID,
+	).Scan(&setBy, &setAt)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"get topic meta: %w", err,
+		)
+	}
+
+	if setBy == "" || !setAt.Valid {
+		return nil, nil //nolint:nilnil
+	}
+
+	return &TopicMeta{
+		SetBy: setBy,
+		SetAt: setAt.Time,
+	}, nil
+}
+
+// GetSessionLastSeen returns the last_seen time for a
+// session.
+func (database *Database) GetSessionLastSeen(
+	ctx context.Context,
+	sessionID int64,
+) (time.Time, error) {
+	var lastSeen time.Time
+
+	err := database.conn.QueryRowContext(ctx,
+		"SELECT last_seen FROM sessions WHERE id = ?",
+		sessionID,
+	).Scan(&lastSeen)
+	if err != nil {
+		return time.Time{}, fmt.Errorf(
+			"get session last_seen: %w", err,
+		)
+	}
+
+	return lastSeen, nil
+}
+
 // PruneOldQueueEntries deletes client output queue entries
 // older than cutoff and returns the number of rows removed.
 func (database *Database) PruneOldQueueEntries(
@@ -1151,3 +1266,149 @@ func (database *Database) PruneOldMessages(
 
 	return deleted, nil
 }
+
+// GetClientCount returns the total number of clients.
+func (database *Database) GetClientCount(
+	ctx context.Context,
+) (int64, error) {
+	var count int64
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT COUNT(*) FROM clients",
+	).Scan(&count)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get client count: %w", err,
+		)
+	}
+
+	return count, nil
+}
+
+// GetQueueEntryCount returns the total number of entries
+// in the client output queues.
+func (database *Database) GetQueueEntryCount(
+	ctx context.Context,
+) (int64, error) {
+	var count int64
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT COUNT(*) FROM client_queues",
+	).Scan(&count)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get queue entry count: %w", err,
+		)
+	}
+
+	return count, nil
+}
+
+// GetChannelHashcashBits returns the hashcash difficulty
+// requirement for a channel. Returns 0 if not set.
+func (database *Database) GetChannelHashcashBits(
+	ctx context.Context,
+	channelID int64,
+) (int, error) {
+	var bits int
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT hashcash_bits FROM channels WHERE id = ?",
+		channelID,
+	).Scan(&bits)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get channel hashcash bits: %w", err,
+		)
+	}
+
+	return bits, nil
+}
+
+// SetChannelHashcashBits sets the hashcash difficulty
+// requirement for a channel. A value of 0 disables the
+// requirement.
+func (database *Database) SetChannelHashcashBits(
+	ctx context.Context,
+	channelID int64,
+	bits int,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET hashcash_bits = ?, updated_at = ?
+		 WHERE id = ?`,
+		bits, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf(
+			"set channel hashcash bits: %w", err,
+		)
+	}
+
+	return nil
+}
+
+// RecordSpentHashcash stores a spent hashcash stamp hash
+// for replay prevention.
+func (database *Database) RecordSpentHashcash(
+	ctx context.Context,
+	stampHash string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`INSERT OR IGNORE INTO spent_hashcash
+		 (stamp_hash, created_at)
+		 VALUES (?, ?)`,
+		stampHash, time.Now())
+	if err != nil {
+		return fmt.Errorf(
+			"record spent hashcash: %w", err,
+		)
+	}
+
+	return nil
+}
+
+// IsHashcashSpent checks whether a hashcash stamp hash
+// has already been used.
+func (database *Database) IsHashcashSpent(
+	ctx context.Context,
+	stampHash string,
+) (bool, error) {
+	var count int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT COUNT(*) FROM spent_hashcash
+		 WHERE stamp_hash = ?`,
+		stampHash,
+	).Scan(&count)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check spent hashcash: %w", err,
+		)
+	}
+
+	return count > 0, nil
+}
+
+// PruneSpentHashcash deletes spent hashcash tokens older
+// than the cutoff and returns the number of rows removed.
+func (database *Database) PruneSpentHashcash(
+	ctx context.Context,
+	cutoff time.Time,
+) (int64, error) {
+	res, err := database.conn.ExecContext(ctx,
+		"DELETE FROM spent_hashcash WHERE created_at < ?",
+		cutoff,
+	)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"prune spent hashcash: %w", err,
+		)
+	}
+
+	deleted, _ := res.RowsAffected()
+
+	return deleted, nil
+}

internal/db/schema/001_initial.sql

@@ -8,6 +8,7 @@ CREATE TABLE IF NOT EXISTS sessions (
     nick TEXT NOT NULL UNIQUE,
     password_hash TEXT NOT NULL DEFAULT '',
     signing_key TEXT NOT NULL DEFAULT '',
+    away_message TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -30,6 +31,9 @@ CREATE TABLE IF NOT EXISTS channels (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     name TEXT NOT NULL UNIQUE,
     topic TEXT NOT NULL DEFAULT '',
+    topic_set_by TEXT NOT NULL DEFAULT '',
+    topic_set_at DATETIME,
+    hashcash_bits INTEGER NOT NULL DEFAULT 0,
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -58,6 +62,14 @@ CREATE TABLE IF NOT EXISTS messages (
 CREATE INDEX IF NOT EXISTS idx_messages_to_id ON messages(msg_to, id);
 CREATE INDEX IF NOT EXISTS idx_messages_created ON messages(created_at);
 
+-- Spent hashcash tokens for replay prevention (1-year TTL)
+CREATE TABLE IF NOT EXISTS spent_hashcash (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    stamp_hash TEXT NOT NULL UNIQUE,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+CREATE INDEX IF NOT EXISTS idx_spent_hashcash_created ON spent_hashcash(created_at);
+
 -- Per-client message queues for fan-out delivery
 CREATE TABLE IF NOT EXISTS client_queues (
     id INTEGER PRIMARY KEY AUTOINCREMENT,

internal/handlers/api.go

@@ -3,6 +3,7 @@ package handlers
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"regexp"
@@ -11,8 +12,14 @@ import (
 	"time"
 
 	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
+)
+
+var (
+	errHashcashRequired = errors.New("hashcash required")
+	errHashcashReused   = errors.New("hashcash reused")
 )
 
 var validNickRe = regexp.MustCompile(
@@ -71,11 +78,10 @@ func (hdlr *Handlers) requireAuth(
 	sessionID, clientID, nick, err :=
 		hdlr.authSession(request)
 	if err != nil {
-		hdlr.respondError(
-			writer, request,
-			"unauthorized",
-			http.StatusUnauthorized,
-		)
+		hdlr.respondJSON(writer, request, map[string]any{
+			"error":   "not registered",
+			"numeric": irc.ErrNotRegistered,
+		}, http.StatusUnauthorized)
 
 		return 0, 0, "", false
 	}
@@ -89,10 +95,11 @@ func (hdlr *Handlers) fanOut(
 	request *http.Request,
 	command, from, target string,
 	body json.RawMessage,
+	meta json.RawMessage,
 	sessionIDs []int64,
 ) (string, error) {
 	dbID, msgUUID, err := hdlr.params.Database.InsertMessage(
-		request.Context(), command, from, target, nil, body, nil,
+		request.Context(), command, from, target, nil, body, meta,
 	)
 	if err != nil {
 		return "", fmt.Errorf("insert message: %w", err)
@@ -118,10 +125,11 @@ func (hdlr *Handlers) fanOutSilent(
 	request *http.Request,
 	command, from, target string,
 	body json.RawMessage,
+	meta json.RawMessage,
 	sessionIDs []int64,
 ) error {
 	_, err := hdlr.fanOut(
-		request, command, from, target, body, sessionIDs,
+		request, command, from, target, body, meta, sessionIDs,
 	)
 
 	return err
@@ -213,6 +221,9 @@ func (hdlr *Handlers) handleCreateSession(
 		return
 	}
 
+	hdlr.stats.IncrSessions()
+	hdlr.stats.IncrConnections()
+
 	hdlr.deliverMOTD(request, clientID, sessionID, payload.Nick)
 
 	hdlr.respondJSON(writer, request, map[string]any{
@@ -292,7 +303,7 @@ func (hdlr *Handlers) deliverWelcome(
 		[]string{
 			"CHANTYPES=#",
 			"NICKLEN=32",
-			"CHANMODES=,,," + "imnst",
+			"CHANMODES=,,H," + "imnst",
 			"NETWORK=neoirc",
 			"CASEMAPPING=ascii",
 		},
@@ -823,7 +834,7 @@ func (hdlr *Handlers) HandleSendCommand() http.HandlerFunc {
 			writer, request,
 			sessionID, clientID, nick,
 			payload.Command, payload.To,
-			payload.Body, bodyLines,
+			payload.Body, payload.Meta, bodyLines,
 		)
 	}
 }
@@ -834,14 +845,20 @@ func (hdlr *Handlers) dispatchCommand(
 	sessionID, clientID int64,
 	nick, command, target string,
 	body json.RawMessage,
+	meta json.RawMessage,
 	bodyLines func() []string,
 ) {
 	switch command {
+	case irc.CmdAway:
+		hdlr.handleAway(
+			writer, request,
+			sessionID, clientID, nick, bodyLines,
+		)
 	case irc.CmdPrivmsg, irc.CmdNotice:
 		hdlr.handlePrivmsg(
 			writer, request,
 			sessionID, clientID, nick,
-			command, target, body, bodyLines,
+			command, target, body, meta, bodyLines,
 		)
 	case irc.CmdJoin:
 		hdlr.handleJoin(
@@ -942,13 +959,14 @@ func (hdlr *Handlers) handlePrivmsg(
 	sessionID, clientID int64,
 	nick, command, target string,
 	body json.RawMessage,
+	meta json.RawMessage,
 	bodyLines func() []string,
 ) {
 	if target == "" {
 		hdlr.enqueueNumeric(
 			request.Context(), clientID,
-			irc.ErrNeedMoreParams, nick, []string{command},
-			"Not enough parameters",
+			irc.ErrNoRecipient, nick, []string{command},
+			"No recipient given",
 		)
 		hdlr.broker.Notify(sessionID)
 		hdlr.respondJSON(writer, request,
@@ -962,8 +980,8 @@ func (hdlr *Handlers) handlePrivmsg(
 	if len(lines) == 0 {
 		hdlr.enqueueNumeric(
 			request.Context(), clientID,
-			irc.ErrNeedMoreParams, nick, []string{command},
-			"Not enough parameters",
+			irc.ErrNoTextToSend, nick, []string{command},
+			"No text to send",
 		)
 		hdlr.broker.Notify(sessionID)
 		hdlr.respondJSON(writer, request,
@@ -973,11 +991,13 @@ func (hdlr *Handlers) handlePrivmsg(
 		return
 	}
 
+	hdlr.stats.IncrMessages()
+
 	if strings.HasPrefix(target, "#") {
 		hdlr.handleChannelMsg(
 			writer, request,
 			sessionID, clientID, nick,
-			command, target, body,
+			command, target, body, meta,
 		)
 
 		return
@@ -986,7 +1006,7 @@ func (hdlr *Handlers) handlePrivmsg(
 	hdlr.handleDirectMsg(
 		writer, request,
 		sessionID, clientID, nick,
-		command, target, body,
+		command, target, body, meta,
 	)
 }
 
@@ -1017,6 +1037,7 @@ func (hdlr *Handlers) handleChannelMsg(
 	sessionID, clientID int64,
 	nick, command, target string,
 	body json.RawMessage,
+	meta json.RawMessage,
 ) {
 	chID, err := hdlr.params.Database.GetChannelByName(
 		request.Context(), target,
@@ -1050,16 +1071,179 @@ func (hdlr *Handlers) handleChannelMsg(
 	if !isMember {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
-			irc.ErrNotOnChannel, nick, []string{target},
-			"You're not on that channel",
+			irc.ErrCannotSendToChan, nick, []string{target},
+			"Cannot send to channel",
 		)
 
 		return
 	}
 
-	hdlr.sendChannelMsg(
-		writer, request, command, nick, target, body, chID,
+	hashcashErr := hdlr.validateChannelHashcash(
+		request, clientID, sessionID,
+		writer, nick, target, body, meta, chID,
 	)
+	if hashcashErr != nil {
+		return
+	}
+
+	hdlr.sendChannelMsg(
+		writer, request, command, nick, target,
+		body, meta, chID,
+	)
+}
+
+// validateChannelHashcash checks whether the channel
+// requires hashcash proof-of-work for messages and
+// validates the stamp from the message meta field.
+// Returns nil on success or if the channel has no
+// hashcash requirement. On failure, it sends the
+// appropriate IRC error and returns a non-nil error.
+func (hdlr *Handlers) validateChannelHashcash(
+	request *http.Request,
+	clientID, sessionID int64,
+	writer http.ResponseWriter,
+	nick, target string,
+	body json.RawMessage,
+	meta json.RawMessage,
+	chID int64,
+) error {
+	ctx := request.Context()
+
+	bits, bitsErr := hdlr.params.Database.GetChannelHashcashBits(
+		ctx, chID,
+	)
+	if bitsErr != nil {
+		hdlr.log.Error(
+			"get channel hashcash bits", "error", bitsErr,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return fmt.Errorf("channel hashcash bits: %w", bitsErr)
+	}
+
+	if bits <= 0 {
+		return nil
+	}
+
+	stamp := hdlr.extractHashcashFromMeta(meta)
+	if stamp == "" {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrCannotSendToChan, nick, []string{target},
+			"Channel requires hashcash proof-of-work",
+		)
+
+		return errHashcashRequired
+	}
+
+	return hdlr.verifyChannelStamp(
+		request, writer,
+		clientID, sessionID,
+		nick, target, body, stamp, bits,
+	)
+}
+
+// verifyChannelStamp validates a channel hashcash stamp
+// and checks for replay attacks.
+func (hdlr *Handlers) verifyChannelStamp(
+	request *http.Request,
+	writer http.ResponseWriter,
+	clientID, sessionID int64,
+	nick, target string,
+	body json.RawMessage,
+	stamp string,
+	bits int,
+) error {
+	ctx := request.Context()
+	bodyHashStr := hashcash.BodyHash(body)
+
+	valErr := hdlr.channelHashcash.ValidateStamp(
+		stamp, bits, target, bodyHashStr,
+	)
+	if valErr != nil {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrCannotSendToChan, nick, []string{target},
+			"Invalid hashcash: "+valErr.Error(),
+		)
+
+		return fmt.Errorf("channel hashcash: %w", valErr)
+	}
+
+	stampKey := hashcash.StampHash(stamp)
+
+	spent, spentErr := hdlr.params.Database.IsHashcashSpent(
+		ctx, stampKey,
+	)
+	if spentErr != nil {
+		hdlr.log.Error(
+			"check spent hashcash", "error", spentErr,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return fmt.Errorf("check spent hashcash: %w", spentErr)
+	}
+
+	if spent {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrCannotSendToChan, nick, []string{target},
+			"Hashcash stamp already used",
+		)
+
+		return errHashcashReused
+	}
+
+	recordErr := hdlr.params.Database.RecordSpentHashcash(
+		ctx, stampKey,
+	)
+	if recordErr != nil {
+		hdlr.log.Error(
+			"record spent hashcash", "error", recordErr,
+		)
+	}
+
+	return nil
+}
+
+// extractHashcashFromMeta parses the meta JSON and
+// returns the hashcash stamp string, or empty string
+// if not present.
+func (hdlr *Handlers) extractHashcashFromMeta(
+	meta json.RawMessage,
+) string {
+	if len(meta) == 0 {
+		return ""
+	}
+
+	var metaMap map[string]json.RawMessage
+
+	err := json.Unmarshal(meta, &metaMap)
+	if err != nil {
+		return ""
+	}
+
+	raw, ok := metaMap["hashcash"]
+	if !ok {
+		return ""
+	}
+
+	var stamp string
+
+	err = json.Unmarshal(raw, &stamp)
+	if err != nil {
+		return ""
+	}
+
+	return stamp
 }
 
 func (hdlr *Handlers) sendChannelMsg(
@@ -1067,6 +1251,7 @@ func (hdlr *Handlers) sendChannelMsg(
 	request *http.Request,
 	command, nick, target string,
 	body json.RawMessage,
+	meta json.RawMessage,
 	chID int64,
 ) {
 	memberIDs, err := hdlr.params.Database.GetChannelMemberIDs(
@@ -1086,7 +1271,7 @@ func (hdlr *Handlers) sendChannelMsg(
 	}
 
 	msgUUID, err := hdlr.fanOut(
-		request, command, nick, target, body, memberIDs,
+		request, command, nick, target, body, meta, memberIDs,
 	)
 	if err != nil {
 		hdlr.log.Error("send message failed", "error", err)
@@ -1110,6 +1295,7 @@ func (hdlr *Handlers) handleDirectMsg(
 	sessionID, clientID int64,
 	nick, command, target string,
 	body json.RawMessage,
+	meta json.RawMessage,
 ) {
 	targetSID, err := hdlr.params.Database.GetSessionByNick(
 		request.Context(), target,
@@ -1134,7 +1320,7 @@ func (hdlr *Handlers) handleDirectMsg(
 	}
 
 	msgUUID, err := hdlr.fanOut(
-		request, command, nick, target, body, recipients,
+		request, command, nick, target, body, meta, recipients,
 	)
 	if err != nil {
 		hdlr.log.Error("send dm failed", "error", err)
@@ -1147,6 +1333,19 @@ func (hdlr *Handlers) handleDirectMsg(
 		return
 	}
 
+	// If the target is away, send RPL_AWAY to the sender.
+	awayMsg, awayErr := hdlr.params.Database.GetAway(
+		request.Context(), targetSID,
+	)
+	if awayErr == nil && awayMsg != "" {
+		hdlr.enqueueNumeric(
+			request.Context(), clientID,
+			irc.RplAway, nick,
+			[]string{target}, awayMsg,
+		)
+		hdlr.broker.Notify(sessionID)
+	}
+
 	hdlr.respondJSON(writer, request,
 		map[string]string{"id": msgUUID, "status": "sent"},
 		http.StatusOK)
@@ -1232,7 +1431,7 @@ func (hdlr *Handlers) executeJoin(
 	)
 
 	_ = hdlr.fanOutSilent(
-		request, irc.CmdJoin, nick, channel, nil, memberIDs,
+		request, irc.CmdJoin, nick, channel, nil, nil, memberIDs,
 	)
 
 	hdlr.deliverJoinNumerics(
@@ -1257,14 +1456,25 @@ func (hdlr *Handlers) deliverJoinNumerics(
 ) {
 	ctx := request.Context()
 
-	chInfo, err := hdlr.params.Database.GetChannelByName(
-		ctx, channel,
+	hdlr.deliverTopicNumerics(
+		ctx, clientID, sessionID, nick, channel, chID,
 	)
-	if err == nil {
-		_ = chInfo // chInfo is the ID; topic comes from DB.
-	}
 
-	// Get topic from channel info.
+	hdlr.deliverNamesNumerics(
+		ctx, clientID, nick, channel, chID,
+	)
+
+	hdlr.broker.Notify(sessionID)
+}
+
+// deliverTopicNumerics sends RPL_TOPIC or RPL_NOTOPIC,
+// plus RPL_TOPICWHOTIME when topic metadata is available.
+func (hdlr *Handlers) deliverTopicNumerics(
+	ctx context.Context,
+	clientID, sessionID int64,
+	nick, channel string,
+	chID int64,
+) {
 	channels, listErr := hdlr.params.Database.ListChannels(
 		ctx, sessionID,
 	)
@@ -1286,14 +1496,39 @@ func (hdlr *Handlers) deliverJoinNumerics(
 			ctx, clientID, irc.RplTopic, nick,
 			[]string{channel}, topic,
 		)
+
+		topicMeta, tmErr := hdlr.params.Database.
+			GetTopicMeta(ctx, chID)
+		if tmErr == nil && topicMeta != nil {
+			hdlr.enqueueNumeric(
+				ctx, clientID,
+				irc.RplTopicWhoTime, nick,
+				[]string{
+					channel,
+					topicMeta.SetBy,
+					strconv.FormatInt(
+						topicMeta.SetAt.Unix(), 10,
+					),
+				},
+				"",
+			)
+		}
 	} else {
 		hdlr.enqueueNumeric(
 			ctx, clientID, irc.RplNoTopic, nick,
 			[]string{channel}, "No topic is set",
 		)
 	}
+}
 
-	// Get member list for NAMES reply.
+// deliverNamesNumerics sends RPL_NAMREPLY and
+// RPL_ENDOFNAMES for a channel.
+func (hdlr *Handlers) deliverNamesNumerics(
+	ctx context.Context,
+	clientID int64,
+	nick, channel string,
+	chID int64,
+) {
 	members, memErr := hdlr.params.Database.ChannelMembers(
 		ctx, chID,
 	)
@@ -1316,8 +1551,6 @@ func (hdlr *Handlers) deliverJoinNumerics(
 		ctx, clientID, irc.RplEndOfNames, nick,
 		[]string{channel}, "End of /NAMES list",
 	)
-
-	hdlr.broker.Notify(sessionID)
 }
 
 func (hdlr *Handlers) handlePart(
@@ -1368,7 +1601,7 @@ func (hdlr *Handlers) handlePart(
 	)
 
 	_ = hdlr.fanOutSilent(
-		request, irc.CmdPart, nick, channel, body, memberIDs,
+		request, irc.CmdPart, nick, channel, body, nil, memberIDs,
 	)
 
 	err = hdlr.params.Database.PartChannel(
@@ -1585,6 +1818,32 @@ func (hdlr *Handlers) handleTopic(
 		return
 	}
 
+	isMember, err := hdlr.params.Database.IsChannelMember(
+		request.Context(), chID, sessionID,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"check membership failed", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	if !isMember {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNotOnChannel, nick, []string{channel},
+			"You're not on that channel",
+		)
+
+		return
+	}
+
 	hdlr.executeTopic(
 		writer, request,
 		sessionID, clientID, nick,
@@ -1601,8 +1860,8 @@ func (hdlr *Handlers) executeTopic(
 	body json.RawMessage,
 	chID int64,
 ) {
-	setErr := hdlr.params.Database.SetTopic(
-		request.Context(), channel, topic,
+	setErr := hdlr.params.Database.SetTopicMeta(
+		request.Context(), channel, topic, nick,
 	)
 	if setErr != nil {
 		hdlr.log.Error(
@@ -1622,13 +1881,32 @@ func (hdlr *Handlers) executeTopic(
 	)
 
 	_ = hdlr.fanOutSilent(
-		request, irc.CmdTopic, nick, channel, body, memberIDs,
+		request, irc.CmdTopic, nick, channel, body, nil, memberIDs,
 	)
 
 	hdlr.enqueueNumeric(
 		request.Context(), clientID,
 		irc.RplTopic, nick, []string{channel}, topic,
 	)
+
+	// 333 RPL_TOPICWHOTIME
+	topicMeta, tmErr := hdlr.params.Database.
+		GetTopicMeta(request.Context(), chID)
+	if tmErr == nil && topicMeta != nil {
+		hdlr.enqueueNumeric(
+			request.Context(), clientID,
+			irc.RplTopicWhoTime, nick,
+			[]string{
+				channel,
+				topicMeta.SetBy,
+				strconv.FormatInt(
+					topicMeta.SetAt.Unix(), 10,
+				),
+			},
+			"",
+		)
+	}
+
 	hdlr.broker.Notify(sessionID)
 
 	hdlr.respondJSON(writer, request,
@@ -1766,11 +2044,10 @@ func (hdlr *Handlers) handleMode(
 		return
 	}
 
-	_ = bodyLines
-
 	hdlr.handleChannelMode(
 		writer, request,
 		sessionID, clientID, nick, channel,
+		bodyLines,
 	)
 }
 
@@ -1779,6 +2056,7 @@ func (hdlr *Handlers) handleChannelMode(
 	request *http.Request,
 	sessionID, clientID int64,
 	nick, channel string,
+	bodyLines func() []string,
 ) {
 	ctx := request.Context()
 
@@ -1795,10 +2073,47 @@ func (hdlr *Handlers) handleChannelMode(
 		return
 	}
 
+	lines := bodyLines()
+	if len(lines) > 0 {
+		hdlr.applyChannelMode(
+			writer, request,
+			sessionID, clientID, nick,
+			channel, chID, lines,
+		)
+
+		return
+	}
+
+	hdlr.queryChannelMode(
+		writer, request,
+		sessionID, clientID, nick, channel, chID,
+	)
+}
+
+// queryChannelMode sends RPL_CHANNELMODEIS and
+// RPL_CREATIONTIME for a channel. Includes +H if
+// the channel has a hashcash requirement.
+func (hdlr *Handlers) queryChannelMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+) {
+	ctx := request.Context()
+
+	modeStr := "+n"
+
+	bits, bitsErr := hdlr.params.Database.
+		GetChannelHashcashBits(ctx, chID)
+	if bitsErr == nil && bits > 0 {
+		modeStr = fmt.Sprintf("+nH %d", bits)
+	}
+
 	// 324 RPL_CHANNELMODEIS
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplChannelModeIs, nick,
-		[]string{channel, "+n"}, "",
+		[]string{channel, modeStr}, "",
 	)
 
 	// 329 RPL_CREATIONTIME
@@ -1823,6 +2138,156 @@ func (hdlr *Handlers) handleChannelMode(
 		http.StatusOK)
 }
 
+// applyChannelMode handles setting channel modes.
+// Currently supports +H/-H for hashcash bits.
+func (hdlr *Handlers) applyChannelMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+	modeArgs []string,
+) {
+	ctx := request.Context()
+	modeStr := modeArgs[0]
+
+	switch modeStr {
+	case "+H":
+		hdlr.setHashcashMode(
+			writer, request,
+			sessionID, clientID, nick,
+			channel, chID, modeArgs,
+		)
+	case "-H":
+		hdlr.clearHashcashMode(
+			writer, request,
+			sessionID, clientID, nick,
+			channel, chID,
+		)
+	default:
+		// Unknown or unsupported mode change.
+		hdlr.enqueueNumeric(
+			ctx, clientID, irc.ErrUnknownMode, nick,
+			[]string{modeStr},
+			"is unknown mode char to me",
+		)
+		hdlr.broker.Notify(sessionID)
+		hdlr.respondJSON(writer, request,
+			map[string]string{"status": "error"},
+			http.StatusOK)
+	}
+}
+
+const (
+	// minHashcashBits is the minimum allowed hashcash
+	// difficulty for channels.
+	minHashcashBits = 1
+	// maxHashcashBits is the maximum allowed hashcash
+	// difficulty for channels.
+	maxHashcashBits = 40
+)
+
+// setHashcashMode handles MODE #channel +H <bits>.
+func (hdlr *Handlers) setHashcashMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+	modeArgs []string,
+) {
+	ctx := request.Context()
+
+	if len(modeArgs) < 2 { //nolint:mnd // +H requires a bits arg
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick, []string{irc.CmdMode},
+			"Not enough parameters (+H requires bits)",
+		)
+
+		return
+	}
+
+	bits, err := strconv.Atoi(modeArgs[1])
+	if err != nil || bits < minHashcashBits ||
+		bits > maxHashcashBits {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrUnknownMode, nick, []string{"+H"},
+			fmt.Sprintf(
+				"Invalid hashcash bits (must be %d-%d)",
+				minHashcashBits, maxHashcashBits,
+			),
+		)
+
+		return
+	}
+
+	err = hdlr.params.Database.SetChannelHashcashBits(
+		ctx, chID, bits,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"set channel hashcash bits", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	hdlr.enqueueNumeric(
+		ctx, clientID, irc.RplChannelModeIs, nick,
+		[]string{
+			channel,
+			fmt.Sprintf("+H %d", bits),
+		}, "",
+	)
+	hdlr.broker.Notify(sessionID)
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
+// clearHashcashMode handles MODE #channel -H.
+func (hdlr *Handlers) clearHashcashMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+) {
+	ctx := request.Context()
+
+	err := hdlr.params.Database.SetChannelHashcashBits(
+		ctx, chID, 0,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"clear channel hashcash bits", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	hdlr.enqueueNumeric(
+		ctx, clientID, irc.RplChannelModeIs, nick,
+		[]string{channel, "+n"}, "",
+	)
+	hdlr.broker.Notify(sessionID)
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
 // handleNames sends NAMES reply for a channel.
 func (hdlr *Handlers) handleNames(
 	writer http.ResponseWriter,
@@ -2018,6 +2483,11 @@ func (hdlr *Handlers) executeWhois(
 		"neoirc server",
 	)
 
+	// 317 RPL_WHOISIDLE
+	hdlr.deliverWhoisIdle(
+		ctx, clientID, nick, queryNick, targetSID,
+	)
+
 	// 319 RPL_WHOISCHANNELS
 	hdlr.deliverWhoisChannels(
 		ctx, clientID, nick, queryNick, targetSID,
@@ -2435,3 +2905,95 @@ func (hdlr *Handlers) HandleServerInfo() http.HandlerFunc {
 		)
 	}
 }
+
+// handleAway handles the AWAY command. An empty body
+// clears the away status; a non-empty body sets it.
+func (hdlr *Handlers) handleAway(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick string,
+	bodyLines func() []string,
+) {
+	ctx := request.Context()
+
+	lines := bodyLines()
+
+	awayMsg := ""
+	if len(lines) > 0 {
+		awayMsg = strings.Join(lines, " ")
+	}
+
+	err := hdlr.params.Database.SetAway(
+		ctx, sessionID, awayMsg,
+	)
+	if err != nil {
+		hdlr.log.Error("set away failed", "error", err)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	if awayMsg == "" {
+		// 305 RPL_UNAWAY
+		hdlr.enqueueNumeric(
+			ctx, clientID, irc.RplUnaway, nick, nil,
+			"You are no longer marked as being away",
+		)
+	} else {
+		// 306 RPL_NOWAWAY
+		hdlr.enqueueNumeric(
+			ctx, clientID, irc.RplNowAway, nick, nil,
+			"You have been marked as being away",
+		)
+	}
+
+	hdlr.broker.Notify(sessionID)
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
+// deliverWhoisIdle sends RPL_WHOISIDLE (317) with idle
+// time and signon time.
+func (hdlr *Handlers) deliverWhoisIdle(
+	ctx context.Context,
+	clientID int64,
+	nick, queryNick string,
+	targetSID int64,
+) {
+	lastSeen, lsErr := hdlr.params.Database.
+		GetSessionLastSeen(ctx, targetSID)
+	if lsErr != nil {
+		return
+	}
+
+	createdAt, caErr := hdlr.params.Database.
+		GetSessionCreatedAt(ctx, targetSID)
+	if caErr != nil {
+		return
+	}
+
+	idleSeconds := int64(time.Since(lastSeen).Seconds())
+	if idleSeconds < 0 {
+		idleSeconds = 0
+	}
+
+	signonUnix := strconv.FormatInt(
+		createdAt.Unix(), 10,
+	)
+
+	hdlr.enqueueNumeric(
+		ctx, clientID, irc.RplWhoisIdle, nick,
+		[]string{
+			queryNick,
+			strconv.FormatInt(idleSeconds, 10),
+			signonUnix,
+		},
+		"seconds idle, signon time",
+	)
+}

internal/handlers/api_test.go

@@ -22,10 +22,12 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/db"
 	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"git.eeqj.de/sneak/neoirc/internal/handlers"
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
 	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"git.eeqj.de/sneak/neoirc/internal/middleware"
 	"git.eeqj.de/sneak/neoirc/internal/server"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 	"go.uber.org/fx/fxtest"
 )
@@ -90,6 +92,7 @@ func newTestServer(
 				return cfg, nil
 			},
 			newTestDB,
+			stats.New,
 			newTestHealthcheck,
 			newTestMiddleware,
 			newTestHandlers,
@@ -144,12 +147,14 @@ func newTestHealthcheck(
 	cfg *config.Config,
 	log *logger.Logger,
 	database *db.Database,
+	tracker *stats.Tracker,
 ) (*healthcheck.Healthcheck, error) {
 	hcheck, err := healthcheck.New(lifecycle, healthcheck.Params{ //nolint:exhaustruct
 		Globals:  globs,
 		Config:   cfg,
 		Logger:   log,
 		Database: database,
+		Stats:    tracker,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("test healthcheck: %w", err)
@@ -183,6 +188,7 @@ func newTestHandlers(
 	cfg *config.Config,
 	database *db.Database,
 	hcheck *healthcheck.Healthcheck,
+	tracker *stats.Tracker,
 ) (*handlers.Handlers, error) {
 	hdlr, err := handlers.New(lifecycle, handlers.Params{ //nolint:exhaustruct
 		Logger:      log,
@@ -190,6 +196,7 @@ func newTestHandlers(
 		Config:      cfg,
 		Database:    database,
 		Healthcheck: hcheck,
+		Stats:       tracker,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("test handlers: %w", err)
@@ -811,9 +818,9 @@ func TestMessageMissingBody(t *testing.T) {
 
 	msgs, _ := tserver.pollMessages(token, lastID)
 
-	if !findNumeric(msgs, "461") {
+	if !findNumeric(msgs, "412") {
 		t.Fatalf(
-			"expected ERR_NEEDMOREPARAMS (461), got %v",
+			"expected ERR_NOTEXTTOSEND (412), got %v",
 			msgs,
 		)
 	}
@@ -835,9 +842,9 @@ func TestMessageMissingTo(t *testing.T) {
 
 	msgs, _ := tserver.pollMessages(token, lastID)
 
-	if !findNumeric(msgs, "461") {
+	if !findNumeric(msgs, "411") {
 		t.Fatalf(
-			"expected ERR_NEEDMOREPARAMS (461), got %v",
+			"expected ERR_NORECIPIENT (411), got %v",
 			msgs,
 		)
 	}
@@ -870,9 +877,9 @@ func TestNonMemberCannotSend(t *testing.T) {
 
 	msgs, _ := tserver.pollMessages(aliceToken, lastID)
 
-	if !findNumeric(msgs, "442") {
+	if !findNumeric(msgs, "404") {
 		t.Fatalf(
-			"expected ERR_NOTONCHANNEL (442), got %v",
+			"expected ERR_CANNOTSENDTOCHAN (404), got %v",
 			msgs,
 		)
 	}
@@ -1134,6 +1141,42 @@ func TestTopicMissingBody(t *testing.T) {
 	}
 }
 
+func TestTopicNonMember(t *testing.T) {
+	tserver := newTestServer(t)
+	aliceToken := tserver.createSession("alice_topic")
+	bobToken := tserver.createSession("bob_topic")
+
+	// Only alice joins the channel.
+	tserver.sendCommand(aliceToken, map[string]any{
+		commandKey: joinCmd, toKey: "#topicpriv",
+	})
+
+	// Drain bob's initial messages.
+	_, lastID := tserver.pollMessages(bobToken, 0)
+
+	// Bob tries to set topic without joining.
+	status, _ := tserver.sendCommand(
+		bobToken,
+		map[string]any{
+			commandKey: "TOPIC",
+			toKey:      "#topicpriv",
+			bodyKey:    []string{"Hijacked topic"},
+		},
+	)
+	if status != http.StatusOK {
+		t.Fatalf("expected 200, got %d", status)
+	}
+
+	msgs, _ := tserver.pollMessages(bobToken, lastID)
+
+	if !findNumeric(msgs, "442") {
+		t.Fatalf(
+			"expected ERR_NOTONCHANNEL (442), got %v",
+			msgs,
+		)
+	}
+}
+
 func TestPing(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("ping_user")
@@ -1657,6 +1700,133 @@ func TestHealthcheck(t *testing.T) {
 	}
 }
 
+func TestHealthcheckRuntimeStatsFields(t *testing.T) {
+	tserver := newTestServer(t)
+
+	resp, err := doRequest(
+		t,
+		http.MethodGet,
+		tserver.url("/.well-known/healthcheck.json"),
+		nil,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf(
+			"expected 200, got %d", resp.StatusCode,
+		)
+	}
+
+	var result map[string]any
+
+	decErr := json.NewDecoder(resp.Body).Decode(&result)
+	if decErr != nil {
+		t.Fatalf("decode healthcheck: %v", decErr)
+	}
+
+	requiredFields := []string{
+		"sessions", "clients", "queuedLines",
+		"channels", "connectionsSinceBoot",
+		"sessionsSinceBoot", "messagesSinceBoot",
+	}
+
+	for _, field := range requiredFields {
+		if _, ok := result[field]; !ok {
+			t.Errorf(
+				"missing field %q in healthcheck", field,
+			)
+		}
+	}
+}
+
+func TestHealthcheckRuntimeStatsValues(t *testing.T) {
+	tserver := newTestServer(t)
+
+	token := tserver.createSession("statsuser")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#statschan",
+	})
+	tserver.sendCommand(token, map[string]any{
+		commandKey: privmsgCmd,
+		toKey:      "#statschan",
+		bodyKey:    []string{"hello stats"},
+	})
+
+	result := tserver.fetchHealthcheck(t)
+
+	assertFieldGTE(t, result, "sessions", 1)
+	assertFieldGTE(t, result, "clients", 1)
+	assertFieldGTE(t, result, "channels", 1)
+	assertFieldGTE(t, result, "queuedLines", 0)
+	assertFieldGTE(t, result, "sessionsSinceBoot", 1)
+	assertFieldGTE(t, result, "connectionsSinceBoot", 1)
+	assertFieldGTE(t, result, "messagesSinceBoot", 1)
+}
+
+func (tserver *testServer) fetchHealthcheck(
+	t *testing.T,
+) map[string]any {
+	t.Helper()
+
+	resp, err := doRequest(
+		t,
+		http.MethodGet,
+		tserver.url("/.well-known/healthcheck.json"),
+		nil,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf(
+			"expected 200, got %d", resp.StatusCode,
+		)
+	}
+
+	var result map[string]any
+
+	decErr := json.NewDecoder(resp.Body).Decode(&result)
+	if decErr != nil {
+		t.Fatalf("decode healthcheck: %v", decErr)
+	}
+
+	return result
+}
+
+func assertFieldGTE(
+	t *testing.T,
+	result map[string]any,
+	field string,
+	minimum float64,
+) {
+	t.Helper()
+
+	val, ok := result[field].(float64)
+	if !ok {
+		t.Errorf(
+			"field %q: not a number (got %T)",
+			field, result[field],
+		)
+
+		return
+	}
+
+	if val < minimum {
+		t.Errorf(
+			"expected %s >= %v, got %v",
+			field, minimum, val,
+		)
+	}
+}
+
 func TestRegisterValid(t *testing.T) {
 	tserver := newTestServer(t)
 
@@ -1988,3 +2158,397 @@ func TestNickBroadcastToChannels(t *testing.T) {
 		)
 	}
 }
+
+// --- Channel Hashcash Tests ---
+
+const (
+	metaKey     = "meta"
+	modeCmd     = "MODE"
+	hashcashKey = "hashcash"
+)
+
+func mintTestChannelHashcash(
+	tb testing.TB,
+	bits int,
+	channel string,
+	body json.RawMessage,
+) string {
+	tb.Helper()
+
+	bodyHash := hashcash.BodyHash(body)
+
+	return hashcash.MintChannelStamp(bits, channel, bodyHash)
+}
+
+func TestChannelHashcashSetMode(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("hcmode_user")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#hctest",
+	})
+
+	_, lastID := tserver.pollMessages(token, 0)
+
+	// Set hashcash bits to 2 via MODE +H.
+	status, _ := tserver.sendCommand(
+		token,
+		map[string]any{
+			commandKey: modeCmd,
+			toKey:      "#hctest",
+			bodyKey:    []string{"+H", "2"},
+		},
+	)
+	if status != http.StatusOK {
+		t.Fatalf("expected 200, got %d", status)
+	}
+
+	msgs, _ := tserver.pollMessages(token, lastID)
+
+	// Should get RPL_CHANNELMODEIS (324) confirming +H.
+	if !findNumeric(msgs, "324") {
+		t.Fatalf(
+			"expected RPL_CHANNELMODEIS (324), got %v",
+			msgs,
+		)
+	}
+}
+
+func TestChannelHashcashQueryMode(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("hcquery_user")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#hcquery",
+	})
+
+	// Set hashcash bits.
+	tserver.sendCommand(token, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#hcquery",
+		bodyKey:    []string{"+H", "5"},
+	})
+
+	_, lastID := tserver.pollMessages(token, 0)
+
+	// Query mode — should show +nH.
+	tserver.sendCommand(token, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#hcquery",
+	})
+
+	msgs, _ := tserver.pollMessages(token, lastID)
+
+	found := false
+
+	for _, msg := range msgs {
+		code, ok := msg["code"].(float64)
+		if ok && int(code) == 324 {
+			found = true
+		}
+	}
+
+	if !found {
+		t.Fatalf(
+			"expected RPL_CHANNELMODEIS (324), got %v",
+			msgs,
+		)
+	}
+}
+
+func TestChannelHashcashClearMode(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("hcclear_user")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#hcclear",
+	})
+
+	// Set hashcash bits.
+	tserver.sendCommand(token, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#hcclear",
+		bodyKey:    []string{"+H", "5"},
+	})
+
+	// Clear hashcash bits.
+	status, _ := tserver.sendCommand(token, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#hcclear",
+		bodyKey:    []string{"-H"},
+	})
+	if status != http.StatusOK {
+		t.Fatalf("expected 200, got %d", status)
+	}
+
+	// Now message should succeed without hashcash.
+	status, result := tserver.sendCommand(
+		token,
+		map[string]any{
+			commandKey: privmsgCmd,
+			toKey:      "#hcclear",
+			bodyKey:    []string{"test message"},
+		},
+	)
+	if status != http.StatusOK {
+		t.Fatalf(
+			"expected 200, got %d: %v", status, result,
+		)
+	}
+}
+
+func TestChannelHashcashRejectNoStamp(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("hcreject_user")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#hcreject",
+	})
+
+	// Set hashcash requirement.
+	tserver.sendCommand(token, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#hcreject",
+		bodyKey:    []string{"+H", "2"},
+	})
+
+	_, lastID := tserver.pollMessages(token, 0)
+
+	// Send message without hashcash — should fail.
+	status, _ := tserver.sendCommand(
+		token,
+		map[string]any{
+			commandKey: privmsgCmd,
+			toKey:      "#hcreject",
+			bodyKey:    []string{"spam message"},
+		},
+	)
+	if status != http.StatusOK {
+		t.Fatalf("expected 200, got %d", status)
+	}
+
+	msgs, _ := tserver.pollMessages(token, lastID)
+
+	// Should get ERR_CANNOTSENDTOCHAN (404).
+	if !findNumeric(msgs, "404") {
+		t.Fatalf(
+			"expected ERR_CANNOTSENDTOCHAN (404), got %v",
+			msgs,
+		)
+	}
+}
+
+func TestChannelHashcashAcceptValidStamp(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("hcaccept_user")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#hcaccept",
+	})
+
+	// Set hashcash requirement (2 bits = fast to mint).
+	tserver.sendCommand(token, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#hcaccept",
+		bodyKey:    []string{"+H", "2"},
+	})
+
+	_, lastID := tserver.pollMessages(token, 0)
+
+	// Mint a valid hashcash stamp.
+	msgBody, marshalErr := json.Marshal(
+		[]string{"hello world"},
+	)
+	if marshalErr != nil {
+		t.Fatal(marshalErr)
+	}
+
+	stamp := mintTestChannelHashcash(
+		t, 2, "#hcaccept", msgBody,
+	)
+
+	// Send message with valid hashcash.
+	status, result := tserver.sendCommand(
+		token,
+		map[string]any{
+			commandKey: privmsgCmd,
+			toKey:      "#hcaccept",
+			bodyKey:    []string{"hello world"},
+			metaKey: map[string]any{
+				hashcashKey: stamp,
+			},
+		},
+	)
+	if status != http.StatusOK {
+		t.Fatalf(
+			"expected 200, got %d: %v", status, result,
+		)
+	}
+
+	if result["id"] == nil || result["id"] == "" {
+		t.Fatal("expected message id for valid hashcash")
+	}
+
+	// Verify the message was delivered.
+	msgs, _ := tserver.pollMessages(token, lastID)
+	if !findMessage(msgs, privmsgCmd, "hcaccept_user") {
+		t.Fatalf(
+			"message not received: %v", msgs,
+		)
+	}
+}
+
+func TestChannelHashcashRejectReplayedStamp(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("hcreplay_user")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#hcreplay",
+	})
+
+	// Set hashcash requirement.
+	tserver.sendCommand(token, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#hcreplay",
+		bodyKey:    []string{"+H", "2"},
+	})
+
+	_, _ = tserver.pollMessages(token, 0)
+
+	// Mint and send once — should succeed.
+	msgBody, marshalErr := json.Marshal(
+		[]string{"unique msg"},
+	)
+	if marshalErr != nil {
+		t.Fatal(marshalErr)
+	}
+
+	stamp := mintTestChannelHashcash(
+		t, 2, "#hcreplay", msgBody,
+	)
+
+	status, _ := tserver.sendCommand(
+		token,
+		map[string]any{
+			commandKey: privmsgCmd,
+			toKey:      "#hcreplay",
+			bodyKey:    []string{"unique msg"},
+			metaKey: map[string]any{
+				hashcashKey: stamp,
+			},
+		},
+	)
+	if status != http.StatusOK {
+		t.Fatalf("expected 200, got %d", status)
+	}
+
+	_, lastID := tserver.pollMessages(token, 0)
+
+	// Replay the same stamp — should fail.
+	status, _ = tserver.sendCommand(
+		token,
+		map[string]any{
+			commandKey: privmsgCmd,
+			toKey:      "#hcreplay",
+			bodyKey:    []string{"unique msg"},
+			metaKey: map[string]any{
+				hashcashKey: stamp,
+			},
+		},
+	)
+	if status != http.StatusOK {
+		t.Fatalf("expected 200, got %d", status)
+	}
+
+	msgs, _ := tserver.pollMessages(token, lastID)
+
+	// Should get ERR_CANNOTSENDTOCHAN (404).
+	if !findNumeric(msgs, "404") {
+		t.Fatalf(
+			"expected replay rejection (404), got %v",
+			msgs,
+		)
+	}
+}
+
+func TestChannelHashcashNoRequirementWorks(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("hcnone_user")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#nohashcash",
+	})
+
+	// No hashcash set — message should work.
+	status, result := tserver.sendCommand(
+		token,
+		map[string]any{
+			commandKey: privmsgCmd,
+			toKey:      "#nohashcash",
+			bodyKey:    []string{"free message"},
+		},
+	)
+	if status != http.StatusOK {
+		t.Fatalf(
+			"expected 200, got %d: %v", status, result,
+		)
+	}
+
+	if result["id"] == nil || result["id"] == "" {
+		t.Fatal("expected message id")
+	}
+}
+
+func TestChannelHashcashInvalidBitsRange(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("hcbits_user")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#hcbits",
+	})
+
+	_, lastID := tserver.pollMessages(token, 0)
+
+	// Try to set bits to 0 — should fail.
+	tserver.sendCommand(token, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#hcbits",
+		bodyKey:    []string{"+H", "0"},
+	})
+
+	msgs, _ := tserver.pollMessages(token, lastID)
+
+	if !findNumeric(msgs, "472") {
+		t.Fatalf(
+			"expected ERR_UNKNOWNMODE (472), got %v",
+			msgs,
+		)
+	}
+}
+
+func TestChannelHashcashMissingBitsArg(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("hcnoarg_user")
+
+	tserver.sendCommand(token, map[string]any{
+		commandKey: joinCmd, toKey: "#hcnoarg",
+	})
+
+	_, lastID := tserver.pollMessages(token, 0)
+
+	// Try to set +H without bits argument.
+	tserver.sendCommand(token, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#hcnoarg",
+		bodyKey:    []string{"+H"},
+	})
+
+	msgs, _ := tserver.pollMessages(token, lastID)
+
+	if !findNumeric(msgs, "461") {
+		t.Fatalf(
+			"expected ERR_NEEDMOREPARAMS (461), got %v",
+			msgs,
+		)
+	}
+}

internal/handlers/auth.go

@@ -82,6 +82,9 @@ func (hdlr *Handlers) handleRegister(
 		return
 	}
 
+	hdlr.stats.IncrSessions()
+	hdlr.stats.IncrConnections()
+
 	hdlr.deliverMOTD(request, clientID, sessionID, payload.Nick)
 
 	hdlr.respondJSON(writer, request, map[string]any{
@@ -180,6 +183,8 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 
+	hdlr.stats.IncrConnections()
+
 	hdlr.deliverMOTD(
 		request, clientID, sessionID, payload.Nick,
 	)

internal/handlers/handlers.go

@@ -16,6 +16,7 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/hashcash"
 	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -30,10 +31,16 @@ type Params struct {
 	Config      *config.Config
 	Database    *db.Database
 	Healthcheck *healthcheck.Healthcheck
+	Stats       *stats.Tracker
 }
 
 const defaultIdleTimeout = 30 * 24 * time.Hour
 
+// spentHashcashTTL is how long spent hashcash tokens are
+// retained for replay prevention. Per issue requirements,
+// this is 1 year.
+const spentHashcashTTL = 365 * 24 * time.Hour
+
 // Handlers manages HTTP request handling.
 type Handlers struct {
 	params          *Params
@@ -41,6 +48,8 @@ type Handlers struct {
 	hc              *healthcheck.Healthcheck
 	broker          *broker.Broker
 	hashcashVal     *hashcash.Validator
+	channelHashcash *hashcash.ChannelValidator
+	stats           *stats.Tracker
 	cancelCleanup   context.CancelFunc
 }
 
@@ -60,6 +69,8 @@ func New(
 		hc:              params.Healthcheck,
 		broker:          broker.New(),
 		hashcashVal:     hashcash.NewValidator(resource),
+		channelHashcash: hashcash.NewChannelValidator(),
+		stats:           params.Stats,
 	}
 
 	lifecycle.Append(fx.Hook{
@@ -281,4 +292,20 @@ func (hdlr *Handlers) pruneQueuesAndMessages(
 			)
 		}
 	}
+
+	// Prune spent hashcash tokens older than 1 year.
+	hashcashCutoff := time.Now().Add(-spentHashcashTTL)
+
+	pruned, err := hdlr.params.Database.
+		PruneSpentHashcash(ctx, hashcashCutoff)
+	if err != nil {
+		hdlr.log.Error(
+			"spent hashcash pruning failed", "error", err,
+		)
+	} else if pruned > 0 {
+		hdlr.log.Info(
+			"pruned spent hashcash tokens",
+			"deleted", pruned,
+		)
+	}
 }

internal/handlers/healthcheck.go

@@ -12,7 +12,7 @@ func (hdlr *Handlers) HandleHealthCheck() http.HandlerFunc {
 		writer http.ResponseWriter,
 		request *http.Request,
 	) {
-		resp := hdlr.hc.Healthcheck()
+		resp := hdlr.hc.Healthcheck(request.Context())
 		hdlr.respondJSON(writer, request, resp, httpStatusOK)
 	}
 }

internal/hashcash/channel.go

@@ -0,0 +1,186 @@
+package hashcash
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+)
+
+var (
+	errBodyHashMismatch = errors.New(
+		"body hash mismatch",
+	)
+	errBodyHashMissing = errors.New(
+		"body hash missing",
+	)
+)
+
+// ChannelValidator checks hashcash stamps for
+// per-channel PRIVMSG validation. It verifies that
+// stamps are bound to a specific channel and message
+// body. Replay prevention is handled externally via
+// the database spent_hashcash table for persistence
+// across server restarts (1-year TTL).
+type ChannelValidator struct{}
+
+// NewChannelValidator creates a ChannelValidator.
+func NewChannelValidator() *ChannelValidator {
+	return &ChannelValidator{}
+}
+
+// BodyHash computes the hex-encoded SHA-256 hash of a
+// message body for use in hashcash stamp validation.
+func BodyHash(body []byte) string {
+	hash := sha256.Sum256(body)
+
+	return hex.EncodeToString(hash[:])
+}
+
+// ValidateStamp checks a channel hashcash stamp. It
+// verifies the stamp format, difficulty, date, channel
+// binding, body hash binding, and proof-of-work. Replay
+// detection is NOT performed here — callers must check
+// the spent_hashcash table separately.
+//
+// Stamp format: 1:bits:YYMMDD:channel:bodyhash:counter.
+func (cv *ChannelValidator) ValidateStamp(
+	stamp string,
+	requiredBits int,
+	channel string,
+	bodyHash string,
+) error {
+	if requiredBits <= 0 {
+		return nil
+	}
+
+	parts := strings.Split(stamp, ":")
+	if len(parts) != stampFields {
+		return fmt.Errorf(
+			"%w: expected %d, got %d",
+			errInvalidFields, stampFields, len(parts),
+		)
+	}
+
+	version := parts[0]
+	bitsStr := parts[1]
+	dateStr := parts[2]
+	resource := parts[3]
+	stampBodyHash := parts[4]
+
+	headerErr := validateChannelHeader(
+		version, bitsStr, resource,
+		requiredBits, channel,
+	)
+	if headerErr != nil {
+		return headerErr
+	}
+
+	stampTime, parseErr := parseStampDate(dateStr)
+	if parseErr != nil {
+		return parseErr
+	}
+
+	timeErr := validateTime(stampTime)
+	if timeErr != nil {
+		return timeErr
+	}
+
+	bodyErr := validateBodyHash(
+		stampBodyHash, bodyHash,
+	)
+	if bodyErr != nil {
+		return bodyErr
+	}
+
+	return validateProof(stamp, requiredBits)
+}
+
+// StampHash returns a deterministic hash of a stamp
+// string for use as a spent-token key.
+func StampHash(stamp string) string {
+	hash := sha256.Sum256([]byte(stamp))
+
+	return hex.EncodeToString(hash[:])
+}
+
+func validateChannelHeader(
+	version, bitsStr, resource string,
+	requiredBits int,
+	channel string,
+) error {
+	if version != stampVersion {
+		return fmt.Errorf(
+			"%w: %s", errBadVersion, version,
+		)
+	}
+
+	claimedBits, err := strconv.Atoi(bitsStr)
+	if err != nil || claimedBits < requiredBits {
+		return fmt.Errorf(
+			"%w: need %d bits",
+			errInsufficientBits, requiredBits,
+		)
+	}
+
+	if resource != channel {
+		return fmt.Errorf(
+			"%w: got %q, want %q",
+			errWrongResource, resource, channel,
+		)
+	}
+
+	return nil
+}
+
+func validateBodyHash(
+	stampBodyHash, expectedBodyHash string,
+) error {
+	if stampBodyHash == "" {
+		return errBodyHashMissing
+	}
+
+	if stampBodyHash != expectedBodyHash {
+		return fmt.Errorf(
+			"%w: got %q, want %q",
+			errBodyHashMismatch,
+			stampBodyHash, expectedBodyHash,
+		)
+	}
+
+	return nil
+}
+
+// MintChannelStamp computes a channel hashcash stamp
+// with the given difficulty, channel name, and body hash.
+// This is intended for clients to generate stamps before
+// sending PRIVMSG to hashcash-protected channels.
+//
+// Stamp format: 1:bits:YYMMDD:channel:bodyhash:counter.
+func MintChannelStamp(
+	bits int,
+	channel string,
+	bodyHash string,
+) string {
+	date := time.Now().UTC().Format(dateFormatShort)
+	prefix := fmt.Sprintf(
+		"1:%d:%s:%s:%s:",
+		bits, date, channel, bodyHash,
+	)
+
+	counter := uint64(0)
+
+	for {
+		stamp := prefix + strconv.FormatUint(counter, 16)
+		hash := sha256.Sum256([]byte(stamp))
+
+		if hasLeadingZeroBits(hash[:], bits) {
+			return stamp
+		}
+
+		counter++
+	}
+}

internal/hashcash/channel_test.go

@@ -0,0 +1,244 @@
+package hashcash_test
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
+)
+
+const (
+	testChannel  = "#general"
+	testBodyText = `["hello world"]`
+)
+
+func testBodyHash() string {
+	hash := sha256.Sum256([]byte(testBodyText))
+
+	return hex.EncodeToString(hash[:])
+}
+
+func TestChannelValidateHappyPath(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err != nil {
+		t.Fatalf("valid channel stamp rejected: %v", err)
+	}
+}
+
+func TestChannelValidateWrongChannel(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	err := validator.ValidateStamp(
+		stamp, testBits, "#other", bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected channel mismatch error")
+	}
+}
+
+func TestChannelValidateWrongBodyHash(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	wrongHash := sha256.Sum256([]byte("different body"))
+	wrongBodyHash := hex.EncodeToString(wrongHash[:])
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, wrongBodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected body hash mismatch error")
+	}
+}
+
+func TestChannelValidateInsufficientBits(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	// Mint with 2 bits but require 4.
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	err := validator.ValidateStamp(
+		stamp, 4, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected insufficient bits error")
+	}
+}
+
+func TestChannelValidateZeroBitsSkips(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+
+	err := validator.ValidateStamp(
+		"garbage", 0, "#ch", "abc",
+	)
+	if err != nil {
+		t.Fatalf("zero bits should skip: %v", err)
+	}
+}
+
+func TestChannelValidateBadFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+
+	err := validator.ValidateStamp(
+		"not:valid", testBits, testChannel, "abc",
+	)
+	if err == nil {
+		t.Fatal("expected bad format error")
+	}
+}
+
+func TestChannelValidateBadVersion(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := "2:2:260317:#general:" + bodyHash + ":counter"
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected bad version error")
+	}
+}
+
+func TestChannelValidateExpiredStamp(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	// Mint with a very old date by manually constructing.
+	stamp := mintStampWithDate(
+		t, testBits, testChannel, "200101",
+	)
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected expired stamp error")
+	}
+}
+
+func TestChannelValidateMissingBodyHash(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	// Construct a stamp with empty body hash field.
+	stamp := mintStampWithDate(
+		t, testBits, testChannel, todayDate(),
+	)
+
+	// This uses the session-style stamp which has empty
+	// ext field — body hash is missing.
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected missing body hash error")
+	}
+}
+
+func TestBodyHash(t *testing.T) {
+	t.Parallel()
+
+	body := []byte(`["hello world"]`)
+	bodyHash := hashcash.BodyHash(body)
+
+	if len(bodyHash) != 64 {
+		t.Fatalf(
+			"expected 64-char hex hash, got %d",
+			len(bodyHash),
+		)
+	}
+
+	// Same input should produce same hash.
+	bodyHash2 := hashcash.BodyHash(body)
+	if bodyHash != bodyHash2 {
+		t.Fatal("body hash not deterministic")
+	}
+
+	// Different input should produce different hash.
+	bodyHash3 := hashcash.BodyHash([]byte("different"))
+	if bodyHash == bodyHash3 {
+		t.Fatal("different inputs produced same hash")
+	}
+}
+
+func TestStampHash(t *testing.T) {
+	t.Parallel()
+
+	hash1 := hashcash.StampHash("stamp1")
+	hash2 := hashcash.StampHash("stamp2")
+
+	if hash1 == hash2 {
+		t.Fatal("different stamps produced same hash")
+	}
+
+	// Same input should be deterministic.
+	hash1b := hashcash.StampHash("stamp1")
+	if hash1 != hash1b {
+		t.Fatal("stamp hash not deterministic")
+	}
+}
+
+func TestMintChannelStamp(t *testing.T) {
+	t.Parallel()
+
+	bodyHash := testBodyHash()
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	if stamp == "" {
+		t.Fatal("expected non-empty stamp")
+	}
+
+	// Validate the minted stamp.
+	validator := hashcash.NewChannelValidator()
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err != nil {
+		t.Fatalf("minted stamp failed validation: %v", err)
+	}
+}

internal/healthcheck/healthcheck.go

@@ -10,6 +10,7 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/db"
 	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -21,6 +22,7 @@ type Params struct {
 	Config   *config.Config
 	Logger   *logger.Logger
 	Database *db.Database
+	Stats    *stats.Tracker
 }
 
 // Healthcheck tracks server uptime and provides health status.
@@ -64,11 +66,22 @@ type Response struct {
 	Version       string `json:"version"`
 	Appname       string `json:"appname"`
 	Maintenance   bool   `json:"maintenanceMode"`
+
+	// Runtime statistics.
+	Sessions             int64 `json:"sessions"`
+	Clients              int64 `json:"clients"`
+	QueuedLines          int64 `json:"queuedLines"`
+	Channels             int64 `json:"channels"`
+	ConnectionsSinceBoot int64 `json:"connectionsSinceBoot"`
+	SessionsSinceBoot    int64 `json:"sessionsSinceBoot"`
+	MessagesSinceBoot    int64 `json:"messagesSinceBoot"`
 }
 
 // Healthcheck returns the current health status of the server.
-func (hcheck *Healthcheck) Healthcheck() *Response {
-	return &Response{
+func (hcheck *Healthcheck) Healthcheck(
+	ctx context.Context,
+) *Response {
+	resp := &Response{
 		Status:        "ok",
 		Now:           time.Now().UTC().Format(time.RFC3339Nano),
 		UptimeSeconds: int64(hcheck.uptime().Seconds()),
@@ -76,6 +89,64 @@ func (hcheck *Healthcheck) Healthcheck() *Response {
 		Appname:       hcheck.params.Globals.Appname,
 		Version:       hcheck.params.Globals.Version,
 		Maintenance:   hcheck.params.Config.MaintenanceMode,
+
+		Sessions:             0,
+		Clients:              0,
+		QueuedLines:          0,
+		Channels:             0,
+		ConnectionsSinceBoot: hcheck.params.Stats.ConnectionsSinceBoot(),
+		SessionsSinceBoot:    hcheck.params.Stats.SessionsSinceBoot(),
+		MessagesSinceBoot:    hcheck.params.Stats.MessagesSinceBoot(),
+	}
+
+	hcheck.populateDBStats(ctx, resp)
+
+	return resp
+}
+
+// populateDBStats fills in database-derived counters.
+func (hcheck *Healthcheck) populateDBStats(
+	ctx context.Context,
+	resp *Response,
+) {
+	sessions, err := hcheck.params.Database.GetUserCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: session count failed",
+			"error", err,
+		)
+	} else {
+		resp.Sessions = sessions
+	}
+
+	clients, err := hcheck.params.Database.GetClientCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: client count failed",
+			"error", err,
+		)
+	} else {
+		resp.Clients = clients
+	}
+
+	queued, err := hcheck.params.Database.GetQueueEntryCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: queue entry count failed",
+			"error", err,
+		)
+	} else {
+		resp.QueuedLines = queued
+	}
+
+	channels, err := hcheck.params.Database.GetChannelCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: channel count failed",
+			"error", err,
+		)
+	} else {
+		resp.Channels = channels
 	}
 }
 

internal/middleware/middleware.go

@@ -11,7 +11,7 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
 	basicauth "github.com/99designs/basicauth-go"
-	chimw "github.com/go-chi/chi/middleware"
+	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
 	metrics "github.com/slok/go-http-metrics/metrics/prometheus"
 	ghmm "github.com/slok/go-http-metrics/middleware"

internal/server/routes.go

@@ -8,8 +8,8 @@ import (
 	"git.eeqj.de/sneak/neoirc/web"
 
 	sentryhttp "github.com/getsentry/sentry-go/http"
-	"github.com/go-chi/chi"
-	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/spf13/viper"
 )

internal/server/server.go

@@ -20,7 +20,7 @@ import (
 	"go.uber.org/fx"
 
 	"github.com/getsentry/sentry-go"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )

internal/stats/stats.go

@@ -0,0 +1,52 @@
+// Package stats tracks runtime statistics since server boot.
+package stats
+
+import (
+	"sync/atomic"
+)
+
+// Tracker holds atomic counters for runtime statistics
+// that accumulate since the server started.
+type Tracker struct {
+	connectionsSinceBoot atomic.Int64
+	sessionsSinceBoot    atomic.Int64
+	messagesSinceBoot    atomic.Int64
+}
+
+// New creates a new Tracker with all counters at zero.
+func New() *Tracker {
+	return &Tracker{} //nolint:exhaustruct // atomic fields have zero-value defaults
+}
+
+// IncrConnections increments the total connection count.
+func (t *Tracker) IncrConnections() {
+	t.connectionsSinceBoot.Add(1)
+}
+
+// IncrSessions increments the total session count.
+func (t *Tracker) IncrSessions() {
+	t.sessionsSinceBoot.Add(1)
+}
+
+// IncrMessages increments the total PRIVMSG/NOTICE count.
+func (t *Tracker) IncrMessages() {
+	t.messagesSinceBoot.Add(1)
+}
+
+// ConnectionsSinceBoot returns the total number of
+// client connections since boot.
+func (t *Tracker) ConnectionsSinceBoot() int64 {
+	return t.connectionsSinceBoot.Load()
+}
+
+// SessionsSinceBoot returns the total number of sessions
+// created since boot.
+func (t *Tracker) SessionsSinceBoot() int64 {
+	return t.sessionsSinceBoot.Load()
+}
+
+// MessagesSinceBoot returns the total number of
+// PRIVMSG/NOTICE messages sent since boot.
+func (t *Tracker) MessagesSinceBoot() int64 {
+	return t.messagesSinceBoot.Load()
+}

internal/stats/stats_test.go

@@ -0,0 +1,117 @@
+package stats_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/stats"
+)
+
+func TestNew(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+	if tracker == nil {
+		t.Fatal("expected non-nil tracker")
+	}
+
+	if tracker.ConnectionsSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 connections, got %d",
+			tracker.ConnectionsSinceBoot(),
+		)
+	}
+
+	if tracker.SessionsSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 sessions, got %d",
+			tracker.SessionsSinceBoot(),
+		)
+	}
+
+	if tracker.MessagesSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 messages, got %d",
+			tracker.MessagesSinceBoot(),
+		)
+	}
+}
+
+func TestIncrConnections(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrConnections()
+	tracker.IncrConnections()
+	tracker.IncrConnections()
+
+	got := tracker.ConnectionsSinceBoot()
+	if got != 3 {
+		t.Errorf(
+			"expected 3 connections, got %d", got,
+		)
+	}
+}
+
+func TestIncrSessions(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrSessions()
+	tracker.IncrSessions()
+
+	got := tracker.SessionsSinceBoot()
+	if got != 2 {
+		t.Errorf(
+			"expected 2 sessions, got %d", got,
+		)
+	}
+}
+
+func TestIncrMessages(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrMessages()
+
+	got := tracker.MessagesSinceBoot()
+	if got != 1 {
+		t.Errorf(
+			"expected 1 message, got %d", got,
+		)
+	}
+}
+
+func TestCountersAreIndependent(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrConnections()
+	tracker.IncrSessions()
+	tracker.IncrMessages()
+	tracker.IncrMessages()
+
+	if tracker.ConnectionsSinceBoot() != 1 {
+		t.Errorf(
+			"expected 1 connection, got %d",
+			tracker.ConnectionsSinceBoot(),
+		)
+	}
+
+	if tracker.SessionsSinceBoot() != 1 {
+		t.Errorf(
+			"expected 1 session, got %d",
+			tracker.SessionsSinceBoot(),
+		)
+	}
+
+	if tracker.MessagesSinceBoot() != 2 {
+		t.Errorf(
+			"expected 2 messages, got %d",
+			tracker.MessagesSinceBoot(),
+		)
+	}
+}

pkg/irc/commands.go

@@ -2,6 +2,7 @@ package irc
 
 // IRC command names (RFC 1459 / RFC 2812).
 const (
+	CmdAway    = "AWAY"
 	CmdJoin    = "JOIN"
 	CmdList    = "LIST"
 	CmdLusers  = "LUSERS"