Merge branch 'main' into feature/tier2-channel-modes

## Summary

Fixes the CI build failure caused by the `internal/handlers` test package exceeding the 30-second per-package timeout on the x86_64 CI runner.

## Root Cause

Each of the 104 handler tests was creating a **file-backed SQLite database** in a temp directory with WAL journaling. On slower CI runners (x86_64 ubuntu-latest), the cumulative filesystem I/O overhead for 104 DB create + migrate + teardown cycles pushed the package well past the 30s timeout.

## Fix

1. **In-memory SQLite** — Switch test databases from `file:<tmpdir>/test.db?_journal_mode=WAL&_busy_timeout=5000` to `file:test_<ptr>?mode=memory&cache=shared`. Each test still gets its own isolated database (unique name per `*testing.T` pointer), but without filesystem I/O.

2. **Consolidated test server constructors** — Merged the duplicate `newTestServer()` and `newTestServerWithOper()` setup code into a shared `newTestServerWith()` helper, removing ~50 lines of duplication.

## Results

| Environment | Before | After |
|---|---|---|
| ARM native (no race) | ~4.5s | ~2.0s |
| ARM native (with race) | ~11.5s | ~8.7s |
| Docker ARM (with race+cover) | **~20.4s** | **~10.0s** |

The Docker ARM time is the closest proxy for CI. With the ~2x overhead of x86_64 emulation on CI, the estimated CI time is ~20s — well within the 30s timeout.

## What This Does NOT Change

- No test assertions modified
- No tests skipped or removed
- No linter config changes
- No Makefile changes
- No CI config changes
- All 104 handler tests still run with full isolation

closes #90

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #93
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

.dockerignore

@@ -1,8 +1,8 @@
 .git
 *.md
 !README.md
-chatd
+neoircd
-chat-cli
+neoirc-cli
 data.db
 data.db-wal
 data.db-shm

.gitignore

@@ -21,7 +21,8 @@ node_modules/
 *.key
 
 # Build artifacts
-/chatd
+web/dist/
+/neoircd
 /bin/
 *.exe
 *.dll
@@ -34,5 +35,5 @@ vendor/
 # Project
 data.db
 debug.log
-/chat-cli
+/neoirc-cli
 web/node_modules/

AGENTS.md

@@ -5,7 +5,7 @@
 1. **Format**: `gofmt -s -w .` and `goimports -w .`
 2. **Lint**: `golangci-lint run --config .golangci.yml ./...` — zero issues
 3. **Test**: `go test -race ./...` — all passing
-4. **Build**: `go build ./cmd/chatd` — compiles clean
+4. **Build**: `go build ./cmd/neoircd` — compiles clean
 
 No commit lands on main with lint errors, test failures, or formatting issues.
 

Dockerfile

@@ -1,32 +1,59 @@
+# Web build stage — compile SPA from source
+# node:22-alpine, 2026-03-09
+FROM node@sha256:8094c002d08262dba12645a3b4a15cd6cd627d30bc782f53229a2ec13ee22a00 AS web-builder
+WORKDIR /web
+COPY web/package.json web/package-lock.json ./
+RUN npm ci
+COPY web/src/ src/
+COPY web/build.sh build.sh
+RUN sh build.sh
+
+# Lint stage — fast feedback on formatting and lint issues
+# golangci/golangci-lint:v2.1.6, 2026-03-02
+FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+# Create placeholder files so //go:embed dist/* in web/embed.go resolves
+# without depending on the web-builder stage (lint should fail fast)
+RUN mkdir -p web/dist && touch web/dist/index.html web/dist/style.css web/dist/app.js
+RUN make fmt-check
+RUN make lint
+
+# Build stage
 # golang:1.24-alpine, 2026-02-26
 FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
 WORKDIR /src
 RUN apk add --no-cache git build-base make
 
-# golangci-lint v2.1.6 (eabc2638a66d), 2026-02-26
+# Force BuildKit to run the lint stage before proceeding
-RUN CGO_ENABLED=0 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@eabc2638a66daf5bb6c6fb052a32fa3ef7b6600d
+COPY --from=lint /src/go.sum /dev/null
 
 COPY go.mod go.sum ./
 RUN go mod download
 
 COPY . .
+COPY --from=web-builder /web/dist/ web/dist/
 
-# Run all checks — build fails if branch is not green
+RUN make test
-RUN make check
 
 # Build static binaries (no cgo needed at runtime — modernc.org/sqlite is pure Go)
 ARG VERSION=dev
-RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o /chatd ./cmd/chatd/
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o /neoircd ./cmd/neoircd/
-RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /chat-cli ./cmd/chat-cli/
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /neoirc-cli ./cmd/neoirc-cli/
 
+# Runtime stage
 # alpine:3.21, 2026-02-26
 FROM alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
 RUN apk add --no-cache ca-certificates \
-    && addgroup -S chat && adduser -S chat -G chat
+    && addgroup -S neoirc && adduser -S neoirc -G neoirc \
-COPY --from=builder /chatd /usr/local/bin/chatd
+    && mkdir -p /var/lib/neoirc \
+    && chown neoirc:neoirc /var/lib/neoirc
+COPY --from=builder /neoircd /usr/local/bin/neoircd
 
-USER chat
+USER neoirc
 EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
     CMD wget -qO- http://localhost:8080/.well-known/healthcheck.json || exit 1
-ENTRYPOINT ["chatd"]
+ENTRYPOINT ["neoircd"]

Makefile

@@ -1,16 +1,27 @@
-.PHONY: all build lint fmt fmt-check test check clean run debug docker hooks
+.PHONY: all build lint fmt fmt-check test check clean run debug docker hooks ensure-web-dist
 
-BINARY := chatd
+BINARY := neoircd
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
 BUILDARCH := $(shell go env GOARCH)
 LDFLAGS := -X main.Version=$(VERSION) -X main.Buildarch=$(BUILDARCH)
 
 all: check build
 
-build:
+# ensure-web-dist creates placeholder files so //go:embed dist/* in
-	go build -ldflags "$(LDFLAGS)" -o bin/$(BINARY) ./cmd/chatd
+# web/embed.go resolves without a full Node.js build.  The real SPA is
+# built by the web-builder Docker stage; these placeholders let
+# "make test" and "make build" work outside Docker.
+ensure-web-dist:
+	@if [ ! -d web/dist ]; then \
+		mkdir -p web/dist && \
+		touch web/dist/index.html web/dist/style.css web/dist/app.js && \
+		echo "==> Created placeholder web/dist/ for go:embed"; \
+	fi
 
-lint:
+build: ensure-web-dist
+	go build -ldflags "$(LDFLAGS)" -o bin/$(BINARY) ./cmd/neoircd
+
+lint: ensure-web-dist
 	golangci-lint run --config .golangci.yml ./...
 
 fmt:
@@ -20,14 +31,14 @@ fmt:
 fmt-check:
 	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
 
-test:
+test: ensure-web-dist
-	go test -timeout 30s -v -race -cover ./...
+	go test -timeout 30s -race -cover ./... || go test -timeout 30s -race -v ./...
 
 # check runs all validation without making changes
 # Used by CI and Docker build — fails if anything is wrong
 check: test lint fmt-check
 	@echo "==> Building..."
-	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/chatd
+	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/neoircd
 	@echo "==> All checks passed!"
 
 run: build
@@ -37,10 +48,10 @@ debug: build
 	DEBUG=1 GOTRACEBACK=all ./bin/$(BINARY)
 
 clean:
-	rm -rf bin/ chatd data.db
+	rm -rf bin/ neoircd
 
 docker:
-	docker build -t chat .
+	docker build -t neoirc .
 
 hooks:
 	@printf '#!/bin/sh\nset -e\n' > .git/hooks/pre-commit

REPO_POLICIES.md

@@ -1,6 +1,6 @@
 ---
 title: Repository Policies
-last_modified: 2026-02-22
+last_modified: 2026-03-09
 ---
 
 This document covers repository structure, tooling, and workflow standards. Code
@@ -98,6 +98,13 @@ style conventions are in separate documents:
   `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` when setting up
   a new repo.
 
+- **No build artifacts in version control.** Code-derived data (compiled
+  bundles, minified output, generated assets) must never be committed to the
+  repository if it can be avoided. The build process (e.g. Dockerfile, Makefile)
+  should generate these at build time. Notable exception: Go protobuf generated
+  files (`.pb.go`) ARE committed because repos need to work with `go get`, which
+  downloads code but does not execute code generation.
+
 - Never use `git add -A` or `git add .`. Always stage files explicitly by name.
 
 - Never force-push to `main`.
@@ -144,8 +151,14 @@ style conventions are in separate documents:
 - Use SemVer.
 
 - Database migrations live in `internal/db/migrations/` and must be embedded in
-  the binary. Pre-1.0.0: modify existing migrations (no installed base assumed).
+  the binary.
-  Post-1.0.0: add new migration files.
+    - `000_migration.sql` — contains ONLY the creation of the migrations
+      tracking table itself. Nothing else.
+    - `001_schema.sql` — the full application schema.
+    - **Pre-1.0.0:** never add additional migration files (002, 003, etc.).
+      There is no installed base to migrate. Edit `001_schema.sql` directly.
+    - **Post-1.0.0:** add new numbered migration files for each schema change.
+      Never edit existing migrations after release.
 
 - All repos should have an `.editorconfig` enforcing the project's indentation
   settings.

cmd/chatd/main.go

@@ -1,41 +0,0 @@
-// Package main is the entry point for the chatd server.
-package main
-
-import (
-	"git.eeqj.de/sneak/chat/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/handlers"
-	"git.eeqj.de/sneak/chat/internal/healthcheck"
-	"git.eeqj.de/sneak/chat/internal/logger"
-	"git.eeqj.de/sneak/chat/internal/middleware"
-	"git.eeqj.de/sneak/chat/internal/server"
-	"go.uber.org/fx"
-)
-
-var (
-	// Appname is the application name, set at build time.
-	Appname = "chat" //nolint:gochecknoglobals
-
-	// Version is the application version, set at build time.
-	Version string //nolint:gochecknoglobals
-)
-
-func main() {
-	globals.Appname = Appname
-	globals.Version = Version
-
-	fx.New(
-		fx.Provide(
-			config.New,
-			db.New,
-			globals.New,
-			handlers.New,
-			logger.New,
-			server.New,
-			middleware.New,
-			healthcheck.New,
-		),
-		fx.Invoke(func(*server.Server) {}),
-	).Run()
-}

cmd/neoirc-cli/main.go

@@ -0,0 +1,8 @@
+// Package main is the entry point for the neoirc-cli client.
+package main
+
+import "git.eeqj.de/sneak/neoirc/internal/cli"
+
+func main() {
+	cli.Run()
+}

cmd/neoircd/main.go

@@ -0,0 +1,43 @@
+// Package main is the entry point for the neoircd server.
+package main
+
+import (
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/handlers"
+	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/middleware"
+	"git.eeqj.de/sneak/neoirc/internal/server"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
+	"go.uber.org/fx"
+)
+
+var (
+	// Appname is the application name, set at build time.
+	Appname = "neoirc" //nolint:gochecknoglobals
+
+	// Version is the application version, set at build time.
+	Version string //nolint:gochecknoglobals
+)
+
+func main() {
+	globals.Appname = Appname
+	globals.Version = Version
+
+	fx.New(
+		fx.Provide(
+			config.New,
+			db.New,
+			globals.New,
+			handlers.New,
+			logger.New,
+			server.New,
+			middleware.New,
+			healthcheck.New,
+			stats.New,
+		),
+		fx.Invoke(func(*server.Server) {}),
+	).Run()
+}

go.mod

@@ -1,4 +1,4 @@
-module git.eeqj.de/sneak/chat
+module git.eeqj.de/sneak/neoirc
 
 go 1.24.0
 
@@ -6,7 +6,7 @@ require (
 	github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8
 	github.com/gdamore/tcell/v2 v2.13.8
 	github.com/getsentry/sentry-go v0.42.0
-	github.com/go-chi/chi v1.5.5
+	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-chi/cors v1.2.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
@@ -16,6 +16,7 @@ require (
 	github.com/spf13/viper v1.21.0
 	go.uber.org/fx v1.24.0
 	golang.org/x/crypto v0.48.0
+	golang.org/x/time v0.6.0
 	modernc.org/sqlite v1.45.0
 )
 

go.sum

@@ -18,8 +18,8 @@ github.com/gdamore/tcell/v2 v2.13.8 h1:Mys/Kl5wfC/GcC5Cx4C2BIQH9dbnhnkPgS9/wF3Rl
 github.com/gdamore/tcell/v2 v2.13.8/go.mod h1:+Wfe208WDdB7INEtCsNrAN6O2m+wsTPk1RAovjaILlo=
 github.com/getsentry/sentry-go v0.42.0 h1:eeFMACuZTbUQf90RE8dE4tXeSe4CZyfvR1MBL7RLEt8=
 github.com/getsentry/sentry-go v0.42.0/go.mod h1:eRXCoh3uvmjQLY6qu63BjUZnaBu5L5WhMV1RwYO8W5s=
-github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
+github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
-github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
+github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
 github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -151,6 +151,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

internal/broker/broker_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/broker"
 )
 
 func TestNewBroker(t *testing.T) {

internal/cli/api/client.go

@@ -1,5 +1,5 @@
-// Package chatapi provides a client for the chat server API.
+// Package neoircapi provides a client for the neoirc server API.
-package chatapi
+package neoircapi
 
 import (
 	"bytes"
@@ -9,10 +9,13 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/http/cookiejar"
 	"net/url"
 	"strconv"
 	"strings"
 	"time"
+
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 
 const (
@@ -23,31 +26,51 @@ const (
 
 var errHTTP = errors.New("HTTP error")
 
-// Client wraps HTTP calls to the chat server API.
+// Client wraps HTTP calls to the neoirc server API.
 type Client struct {
 	BaseURL    string
-	Token      string
 	HTTPClient *http.Client
 }
 
-// NewClient creates a new API client.
+// NewClient creates a new API client with a cookie jar
+// for automatic auth cookie management.
 func NewClient(baseURL string) *Client {
-	return &Client{ //nolint:exhaustruct // Token set after CreateSession
+	jar, _ := cookiejar.New(nil)
+
+	return &Client{
 		BaseURL: baseURL,
 		HTTPClient: &http.Client{ //nolint:exhaustruct // defaults fine
 			Timeout: httpTimeout,
+			Jar:     jar,
 		},
 	}
 }
 
 // CreateSession creates a new session on the server.
+// If the server requires hashcash proof-of-work, it
+// automatically fetches the difficulty and computes a
+// valid stamp.
 func (client *Client) CreateSession(
 	nick string,
 ) (*SessionResponse, error) {
+	// Fetch server info to check for hashcash requirement.
+	info, err := client.GetServerInfo()
+
+	var hashcashStamp string
+
+	if err == nil && info.HashcashBits > 0 {
+		resource := info.Name
+		if resource == "" {
+			resource = "neoirc"
+		}
+
+		hashcashStamp = MintHashcash(info.HashcashBits, resource)
+	}
+
 	data, err := client.do(
 		http.MethodPost,
 		"/api/v1/session",
-		&SessionRequest{Nick: nick},
+		&SessionRequest{Nick: nick, Hashcash: hashcashStamp},
 	)
 	if err != nil {
 		return nil, err
@@ -60,8 +83,6 @@ func (client *Client) CreateSession(
 		return nil, fmt.Errorf("decode session: %w", err)
 	}
 
-	client.Token = resp.Token
-
 	return &resp, nil
 }
 
@@ -102,6 +123,7 @@ func (client *Client) PollMessages(
 		Timeout: time.Duration(
 			timeout+pollExtraTime,
 		) * time.Second,
+		Jar: client.HTTPClient.Jar,
 	}
 
 	params := url.Values{}
@@ -126,10 +148,6 @@ func (client *Client) PollMessages(
 		return nil, fmt.Errorf("new request: %w", err)
 	}
 
-	request.Header.Set(
-		"Authorization", "Bearer "+client.Token,
-	)
-
 	resp, err := pollClient.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("poll request: %w", err)
@@ -168,7 +186,7 @@ func (client *Client) PollMessages(
 func (client *Client) JoinChannel(channel string) error {
 	return client.SendMessage(
 		&Message{ //nolint:exhaustruct // only command+to needed
-			Command: "JOIN", To: channel,
+			Command: irc.CmdJoin, To: channel,
 		},
 	)
 }
@@ -177,7 +195,7 @@ func (client *Client) JoinChannel(channel string) error {
 func (client *Client) PartChannel(channel string) error {
 	return client.SendMessage(
 		&Message{ //nolint:exhaustruct // only command+to needed
-			Command: "PART", To: channel,
+			Command: irc.CmdPart, To: channel,
 		},
 	)
 }
@@ -285,12 +303,6 @@ func (client *Client) do(
 		"Content-Type", "application/json",
 	)
 
-	if client.Token != "" {
-		request.Header.Set(
-			"Authorization", "Bearer "+client.Token,
-		)
-	}
-
 	resp, err := client.HTTPClient.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("http: %w", err)

internal/cli/api/hashcash.go

@@ -0,0 +1,98 @@
+package neoircapi
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"math/big"
+	"time"
+
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
+)
+
+const (
+	// bitsPerByte is the number of bits in a byte.
+	bitsPerByte = 8
+	// fullByteMask is 0xFF, a mask for all bits in a byte.
+	fullByteMask = 0xFF
+	// counterSpace is the range for random counter seeds.
+	counterSpace = 1 << 48
+)
+
+// MintHashcash computes a hashcash stamp with the given
+// difficulty (leading zero bits) and resource string.
+func MintHashcash(bits int, resource string) string {
+	date := time.Now().UTC().Format("060102")
+	prefix := fmt.Sprintf(
+		"1:%d:%s:%s::", bits, date, resource,
+	)
+
+	for {
+		counter := randomCounter()
+		stamp := prefix + counter
+		hash := sha256.Sum256([]byte(stamp))
+
+		if hasLeadingZeroBits(hash[:], bits) {
+			return stamp
+		}
+	}
+}
+
+// MintChannelHashcash computes a hashcash stamp bound to
+// a specific channel and message body. The stamp format
+// is 1:bits:YYMMDD:channel:bodyhash:counter where
+// bodyhash is the hex-encoded SHA-256 of the message
+// body bytes. Delegates to the internal/hashcash package.
+func MintChannelHashcash(
+	bits int,
+	channel string,
+	body []byte,
+) string {
+	bodyHash := hashcash.BodyHash(body)
+
+	return hashcash.MintChannelStamp(
+		bits, channel, bodyHash,
+	)
+}
+
+// hasLeadingZeroBits checks if hash has at least numBits
+// leading zero bits.
+func hasLeadingZeroBits(
+	hash []byte,
+	numBits int,
+) bool {
+	fullBytes := numBits / bitsPerByte
+	remainBits := numBits % bitsPerByte
+
+	for idx := range fullBytes {
+		if hash[idx] != 0 {
+			return false
+		}
+	}
+
+	if remainBits > 0 && fullBytes < len(hash) {
+		mask := byte(
+			fullByteMask << (bitsPerByte - remainBits),
+		)
+
+		if hash[fullBytes]&mask != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+// randomCounter generates a random hex counter string.
+func randomCounter() string {
+	counterVal, err := rand.Int(
+		rand.Reader, big.NewInt(counterSpace),
+	)
+	if err != nil {
+		// Fallback to timestamp-based counter on error.
+		return fmt.Sprintf("%x", time.Now().UnixNano())
+	}
+
+	return hex.EncodeToString(counterVal.Bytes())
+}

internal/cli/api/types.go

@@ -1,17 +1,17 @@
-package chatapi
+package neoircapi
 
 import "time"
 
 // SessionRequest is the body for POST /api/v1/session.
 type SessionRequest struct {
 	Nick     string `json:"nick"`
+	Hashcash string `json:"pow_token,omitempty"` //nolint:tagliatelle
 }
 
 // SessionResponse is the response from session creation.
 type SessionResponse struct {
 	ID   int64  `json:"id"`
 	Nick string `json:"nick"`
-	Token string `json:"token"`
 }
 
 // StateResponse is the response from GET /api/v1/state.
@@ -21,7 +21,7 @@ type StateResponse struct {
 	Channels []string `json:"channels"`
 }
 
-// Message represents a chat message envelope.
+// Message represents a neoirc message envelope.
 type Message struct {
 	Command string   `json:"command"`
 	From    string   `json:"from,omitempty"`
@@ -66,6 +66,7 @@ type ServerInfo struct {
 	Name         string `json:"name"`
 	MOTD         string `json:"motd"`
 	Version      string `json:"version"`
+	HashcashBits int    `json:"hashcash_bits"` //nolint:tagliatelle
 }
 
 // MessagesResponse wraps polling results.

internal/cli/app.go

@@ -1,5 +1,5 @@
-// Package main is the entry point for the chat-cli client.
+// Package cli implements the neoirc-cli terminal client.
-package main
+package cli
 
 import (
 	"fmt"
@@ -8,7 +8,8 @@ import (
 	"sync"
 	"time"
 
-	api "git.eeqj.de/sneak/chat/cmd/chat-cli/api"
+	api "git.eeqj.de/sneak/neoirc/internal/cli/api"
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 
 const (
@@ -31,7 +32,8 @@ type App struct {
 	stopPoll  chan struct{}
 }
 
-func main() {
+// Run creates and runs the CLI application.
+func Run() {
 	app := &App{ //nolint:exhaustruct
 		ui:   NewUI(),
 		nick: "guest",
@@ -41,7 +43,7 @@ func main() {
 	app.ui.SetStatus(app.nick, "", "disconnected")
 
 	app.ui.AddStatus(
-		"Welcome to chat-cli — an IRC-style client",
+		"Welcome to neoirc-cli — an IRC-style client",
 	)
 	app.ui.AddStatus(
 		"Type [yellow]/connect <server-url>" +
@@ -86,7 +88,7 @@ func (a *App) handleInput(text string) {
 	}
 
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "PRIVMSG",
+		Command: irc.CmdPrivmsg,
 		To:      target,
 		Body:    []string{text},
 	})
@@ -138,16 +140,29 @@ func (a *App) dispatchCommand(cmd, args string) {
 		a.cmdQuery(args)
 	case "/topic":
 		a.cmdTopic(args)
-	case "/names":
-		a.cmdNames()
-	case "/list":
-		a.cmdList()
 	case "/window", "/w":
 		a.cmdWindow(args)
 	case "/quit":
 		a.cmdQuit()
 	case "/help":
 		a.cmdHelp()
+	default:
+		a.dispatchInfoCommand(cmd, args)
+	}
+}
+
+func (a *App) dispatchInfoCommand(cmd, args string) {
+	switch cmd {
+	case "/names":
+		a.cmdNames()
+	case "/list":
+		a.cmdList()
+	case "/motd":
+		a.cmdMotd()
+	case "/who":
+		a.cmdWho(args)
+	case "/whois":
+		a.cmdWhois(args)
 	default:
 		a.ui.AddStatus(
 			"[red]Unknown command: " + cmd,
@@ -228,7 +243,7 @@ func (a *App) cmdNick(nick string) {
 	}
 
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "NICK",
+		Command: irc.CmdNick,
 		Body:    []string{nick},
 	})
 	if err != nil {
@@ -363,7 +378,7 @@ func (a *App) cmdMsg(args string) {
 	}
 
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "PRIVMSG",
+		Command: irc.CmdPrivmsg,
 		To:      target,
 		Body:    []string{text},
 	})
@@ -421,7 +436,7 @@ func (a *App) cmdTopic(args string) {
 
 	if args == "" {
 		err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-			Command: "TOPIC",
+			Command: irc.CmdTopic,
 			To:      target,
 		})
 		if err != nil {
@@ -434,7 +449,7 @@ func (a *App) cmdTopic(args string) {
 	}
 
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "TOPIC",
+		Command: irc.CmdTopic,
 		To:      target,
 		Body:    []string{args},
 	})
@@ -510,6 +525,96 @@ func (a *App) cmdList() {
 	a.ui.AddStatus("[cyan]*** End of channel list")
 }
 
+func (a *App) cmdMotd() {
+	a.mu.Lock()
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	err := a.client.SendMessage(
+		&api.Message{Command: irc.CmdMotd}, //nolint:exhaustruct
+	)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]MOTD failed: %v", err,
+		))
+	}
+}
+
+func (a *App) cmdWho(args string) {
+	a.mu.Lock()
+	connected := a.connected
+	target := a.target
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	channel := args
+	if channel == "" {
+		channel = target
+	}
+
+	if channel == "" ||
+		!strings.HasPrefix(channel, "#") {
+		a.ui.AddStatus(
+			"[red]Usage: /who #channel",
+		)
+
+		return
+	}
+
+	err := a.client.SendMessage(
+		&api.Message{ //nolint:exhaustruct
+			Command: irc.CmdWho, To: channel,
+		},
+	)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]WHO failed: %v", err,
+		))
+	}
+}
+
+func (a *App) cmdWhois(args string) {
+	a.mu.Lock()
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	if args == "" {
+		a.ui.AddStatus(
+			"[red]Usage: /whois <nick>",
+		)
+
+		return
+	}
+
+	err := a.client.SendMessage(
+		&api.Message{ //nolint:exhaustruct
+			Command: irc.CmdWhois, To: args,
+		},
+	)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]WHOIS failed: %v", err,
+		))
+	}
+}
+
 func (a *App) cmdWindow(args string) {
 	if args == "" {
 		a.ui.AddStatus(
@@ -550,7 +655,7 @@ func (a *App) cmdQuit() {
 
 	if a.connected && a.client != nil {
 		_ = a.client.SendMessage(
-			&api.Message{Command: "QUIT"}, //nolint:exhaustruct
+			&api.Message{Command: irc.CmdQuit}, //nolint:exhaustruct
 		)
 	}
 
@@ -564,7 +669,7 @@ func (a *App) cmdQuit() {
 
 func (a *App) cmdHelp() {
 	help := []string{
-		"[cyan]*** chat-cli commands:",
+		"[cyan]*** neoirc-cli commands:",
 		"  /connect <url>  — Connect to server",
 		"  /nick <name>    — Change nickname",
 		"  /join #channel  — Join channel",
@@ -574,6 +679,9 @@ func (a *App) cmdHelp() {
 		"  /topic [text]   — View/set topic",
 		"  /names          — List channel members",
 		"  /list           — List channels",
+		"  /who [#channel] — List users in channel",
+		"  /whois <nick>   — Show user info",
+		"  /motd           — Show message of the day",
 		"  /window <n>     — Switch buffer",
 		"  /quit           — Disconnect and exit",
 		"  /help           — This help",
@@ -632,19 +740,19 @@ func (a *App) handleServerMessage(msg *api.Message) {
 	a.mu.Unlock()
 
 	switch msg.Command {
-	case "PRIVMSG":
+	case irc.CmdPrivmsg:
 		a.handlePrivmsgEvent(msg, timestamp, myNick)
-	case "JOIN":
+	case irc.CmdJoin:
 		a.handleJoinEvent(msg, timestamp)
-	case "PART":
+	case irc.CmdPart:
 		a.handlePartEvent(msg, timestamp)
-	case "QUIT":
+	case irc.CmdQuit:
 		a.handleQuitEvent(msg, timestamp)
-	case "NICK":
+	case irc.CmdNick:
 		a.handleNickEvent(msg, timestamp, myNick)
-	case "NOTICE":
+	case irc.CmdNotice:
 		a.handleNoticeEvent(msg, timestamp)
-	case "TOPIC":
+	case irc.CmdTopic:
 		a.handleTopicEvent(msg, timestamp)
 	default:
 		a.handleDefaultEvent(msg, timestamp)

internal/cli/ui.go

@@ -1,4 +1,4 @@
-package main
+package cli
 
 import (
 	"fmt"

internal/config/config.go

@@ -5,14 +5,22 @@ import (
 	"errors"
 	"log/slog"
 
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"github.com/spf13/viper"
 	"go.uber.org/fx"
 
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )
 
+const defaultMOTD = ` _ __   ___  ___  (_)_ __ ___
+| '_ \ / _ \/ _ \ | | '__/ __|
+| | | |  __/ (_) || | | | (__
+|_| |_|\___|\___/ |_|_|  \___|
+
+Welcome to NeoIRC — IRC semantics over HTTP.
+Type /help for available commands.`
+
 // Params defines the dependencies for creating a Config.
 type Params struct {
 	fx.In
@@ -30,12 +38,18 @@ type Config struct {
 	MetricsUsername    string
 	Port               int
 	SentryDSN          string
-	MaxHistory         int
+	MessageMaxAge      string
 	MaxMessageSize     int
+	QueueMaxAge        string
 	MOTD               string
 	ServerName         string
 	FederationKey      string
 	SessionIdleTimeout string
+	HashcashBits       int
+	OperName           string
+	OperPassword       string
+	LoginRateLimit     float64
+	LoginRateBurst     int
 	params             *Params
 	log                *slog.Logger
 }
@@ -56,16 +70,22 @@ func New(
 	viper.SetDefault("DEBUG", "false")
 	viper.SetDefault("MAINTENANCE_MODE", "false")
 	viper.SetDefault("PORT", "8080")
-	viper.SetDefault("DBURL", "file:./data.db?_journal_mode=WAL")
+	viper.SetDefault("DBURL", "file:///var/lib/neoirc/state.db?_journal_mode=WAL")
 	viper.SetDefault("SENTRY_DSN", "")
 	viper.SetDefault("METRICS_USERNAME", "")
 	viper.SetDefault("METRICS_PASSWORD", "")
-	viper.SetDefault("MAX_HISTORY", "10000")
+	viper.SetDefault("MESSAGE_MAX_AGE", "720h")
 	viper.SetDefault("MAX_MESSAGE_SIZE", "4096")
-	viper.SetDefault("MOTD", "")
+	viper.SetDefault("QUEUE_MAX_AGE", "720h")
+	viper.SetDefault("MOTD", defaultMOTD)
 	viper.SetDefault("SERVER_NAME", "")
 	viper.SetDefault("FEDERATION_KEY", "")
-	viper.SetDefault("SESSION_IDLE_TIMEOUT", "24h")
+	viper.SetDefault("SESSION_IDLE_TIMEOUT", "720h")
+	viper.SetDefault("NEOIRC_HASHCASH_BITS", "20")
+	viper.SetDefault("NEOIRC_OPER_NAME", "")
+	viper.SetDefault("NEOIRC_OPER_PASSWORD", "")
+	viper.SetDefault("LOGIN_RATE_LIMIT", "1")
+	viper.SetDefault("LOGIN_RATE_BURST", "5")
 
 	err := viper.ReadInConfig()
 	if err != nil {
@@ -84,12 +104,18 @@ func New(
 		MaintenanceMode:    viper.GetBool("MAINTENANCE_MODE"),
 		MetricsUsername:    viper.GetString("METRICS_USERNAME"),
 		MetricsPassword:    viper.GetString("METRICS_PASSWORD"),
-		MaxHistory:         viper.GetInt("MAX_HISTORY"),
+		MessageMaxAge:      viper.GetString("MESSAGE_MAX_AGE"),
 		MaxMessageSize:     viper.GetInt("MAX_MESSAGE_SIZE"),
+		QueueMaxAge:        viper.GetString("QUEUE_MAX_AGE"),
 		MOTD:               viper.GetString("MOTD"),
 		ServerName:         viper.GetString("SERVER_NAME"),
 		FederationKey:      viper.GetString("FEDERATION_KEY"),
 		SessionIdleTimeout: viper.GetString("SESSION_IDLE_TIMEOUT"),
+		HashcashBits:       viper.GetInt("NEOIRC_HASHCASH_BITS"),
+		OperName:           viper.GetString("NEOIRC_OPER_NAME"),
+		OperPassword:       viper.GetString("NEOIRC_OPER_PASSWORD"),
+		LoginRateLimit:     viper.GetFloat64("LOGIN_RATE_LIMIT"),
+		LoginRateBurst:     viper.GetInt("LOGIN_RATE_BURST"),
 		log:                log,
 		params:             &params,
 	}

internal/db/auth.go

@@ -10,91 +10,46 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
-const bcryptCost = bcrypt.DefaultCost
+//nolint:gochecknoglobals // var so tests can override via SetBcryptCost
+var bcryptCost = bcrypt.DefaultCost
+
+// SetBcryptCost overrides the bcrypt cost.
+// Use bcrypt.MinCost in tests to avoid slow hashing.
+func SetBcryptCost(cost int) { bcryptCost = cost }
 
 var errNoPassword = errors.New(
 	"account has no password set",
 )
 
-// RegisterUser creates a session with a hashed password
+// SetPassword sets a bcrypt-hashed password on a session,
-// and returns session ID, client ID, and token.
+// enabling multi-client login via POST /api/v1/login.
-func (database *Database) RegisterUser(
+func (database *Database) SetPassword(
 	ctx context.Context,
-	nick, password string,
+	sessionID int64,
-) (int64, int64, string, error) {
+	password string,
+) error {
 	hash, err := bcrypt.GenerateFromPassword(
 		[]byte(password), bcryptCost,
 	)
 	if err != nil {
-		return 0, 0, "", fmt.Errorf(
+		return fmt.Errorf("hash password: %w", err)
-			"hash password: %w", err,
-		)
 	}
 
-	sessionUUID := uuid.New().String()
+	_, err = database.conn.ExecContext(ctx,
-	clientUUID := uuid.New().String()
+		"UPDATE sessions SET password_hash = ? WHERE id = ?",
-
+		string(hash), sessionID)
-	token, err := generateToken()
 	if err != nil {
-		return 0, 0, "", err
+		return fmt.Errorf("set password: %w", err)
 	}
 
-	now := time.Now()
+	return nil
-
-	transaction, err := database.conn.BeginTx(ctx, nil)
-	if err != nil {
-		return 0, 0, "", fmt.Errorf(
-			"begin tx: %w", err,
-		)
-	}
-
-	res, err := transaction.ExecContext(ctx,
-		`INSERT INTO sessions
-		 (uuid, nick, password_hash,
-		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
-		sessionUUID, nick, string(hash), now, now)
-	if err != nil {
-		_ = transaction.Rollback()
-
-		return 0, 0, "", fmt.Errorf(
-			"create session: %w", err,
-		)
-	}
-
-	sessionID, _ := res.LastInsertId()
-
-	clientRes, err := transaction.ExecContext(ctx,
-		`INSERT INTO clients
-		 (uuid, session_id, token,
-		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
-	if err != nil {
-		_ = transaction.Rollback()
-
-		return 0, 0, "", fmt.Errorf(
-			"create client: %w", err,
-		)
-	}
-
-	clientID, _ := clientRes.LastInsertId()
-
-	err = transaction.Commit()
-	if err != nil {
-		return 0, 0, "", fmt.Errorf(
-			"commit registration: %w", err,
-		)
-	}
-
-	return sessionID, clientID, token, nil
 }
 
 // LoginUser verifies a nick/password and creates a new
 // client token.
 func (database *Database) LoginUser(
 	ctx context.Context,
-	nick, password string,
+	nick, password, remoteIP, hostname string,
 ) (int64, int64, string, error) {
 	var (
 		sessionID    int64
@@ -137,12 +92,15 @@ func (database *Database) LoginUser(
 
 	now := time.Now()
 
+	tokenHash := hashToken(token)
+
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO clients
-		 (uuid, session_id, token,
+		 (uuid, session_id, token, ip, hostname,
 		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash,
+		remoteIP, hostname, now, now)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"create login client: %w", err,

internal/db/auth_test.go

@@ -6,63 +6,65 @@ import (
 	_ "modernc.org/sqlite"
 )
 
-func TestRegisterUser(t *testing.T) {
+func TestSetPassword(t *testing.T) {
 	t.Parallel()
 
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	sessionID, clientID, token, err :=
+	sessionID, _, _, err :=
-		database.RegisterUser(ctx, "reguser", "password123")
+		database.CreateSession(ctx, "passuser", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	if sessionID == 0 || clientID == 0 || token == "" {
+	err = database.SetPassword(
+		ctx, sessionID, "password123",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify we can now log in with the password.
+	loginSID, loginCID, loginToken, err :=
+		database.LoginUser(ctx, "passuser", "password123", "", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if loginSID == 0 || loginCID == 0 || loginToken == "" {
 		t.Fatal("expected valid ids and token")
 	}
-
-	// Verify session works via token lookup.
-	sid, cid, nick, err :=
-		database.GetSessionByToken(ctx, token)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if sid != sessionID || cid != clientID {
-		t.Fatal("session/client id mismatch")
-	}
-
-	if nick != "reguser" {
-		t.Fatalf("expected reguser, got %s", nick)
-	}
 }
 
-func TestRegisterUserDuplicateNick(t *testing.T) {
+func TestSetPasswordThenWrongLogin(t *testing.T) {
 	t.Parallel()
 
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	regSID, regCID, regToken, err :=
+	sessionID, _, _, err :=
-		database.RegisterUser(ctx, "dupnick", "password123")
+		database.CreateSession(ctx, "wrongpw", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	_ = regSID
+	err = database.SetPassword(
-	_ = regCID
+		ctx, sessionID, "correctpass",
-	_ = regToken
+	)
-
+	if err != nil {
-	dupSID, dupCID, dupToken, dupErr :=
+		t.Fatal(err)
-		database.RegisterUser(ctx, "dupnick", "other12345")
-	if dupErr == nil {
-		t.Fatal("expected error for duplicate nick")
 	}
 
-	_ = dupSID
+	loginSID, loginCID, loginToken, loginErr :=
-	_ = dupCID
+		database.LoginUser(ctx, "wrongpw", "wrongpass12", "", "")
-	_ = dupToken
+	if loginErr == nil {
+		t.Fatal("expected error for wrong password")
+	}
+
+	_ = loginSID
+	_ = loginCID
+	_ = loginToken
 }
 
 func TestLoginUser(t *testing.T) {
@@ -71,23 +73,26 @@ func TestLoginUser(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	regSID, regCID, regToken, err :=
+	sessionID, _, _, err :=
-		database.RegisterUser(ctx, "loginuser", "mypassword")
+		database.CreateSession(ctx, "loginuser", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	_ = regSID
+	err = database.SetPassword(
-	_ = regCID
+		ctx, sessionID, "mypassword",
-	_ = regToken
+	)
-
-	sessionID, clientID, token, err :=
-		database.LoginUser(ctx, "loginuser", "mypassword")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	if sessionID == 0 || clientID == 0 || token == "" {
+	loginSID, loginCID, token, err :=
+		database.LoginUser(ctx, "loginuser", "mypassword", "", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if loginSID == 0 || loginCID == 0 || token == "" {
 		t.Fatal("expected valid ids and token")
 	}
 
@@ -103,33 +108,6 @@ func TestLoginUser(t *testing.T) {
 	}
 }
 
-func TestLoginUserWrongPassword(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "wrongpw", "correctpass")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_ = regSID
-	_ = regCID
-	_ = regToken
-
-	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "wrongpw", "wrongpass12")
-	if loginErr == nil {
-		t.Fatal("expected error for wrong password")
-	}
-
-	_ = loginSID
-	_ = loginCID
-	_ = loginToken
-}
-
 func TestLoginUserNoPassword(t *testing.T) {
 	t.Parallel()
 
@@ -138,7 +116,7 @@ func TestLoginUserNoPassword(t *testing.T) {
 
 	// Create anonymous session (no password).
 	anonSID, anonCID, anonToken, err :=
-		database.CreateSession(ctx, "anon")
+		database.CreateSession(ctx, "anon", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -148,7 +126,7 @@ func TestLoginUserNoPassword(t *testing.T) {
 	_ = anonToken
 
 	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "anon", "anything1")
+		database.LoginUser(ctx, "anon", "anything1", "", "")
 	if loginErr == nil {
 		t.Fatal(
 			"expected error for login on passwordless account",
@@ -167,7 +145,7 @@ func TestLoginUserNonexistent(t *testing.T) {
 	ctx := t.Context()
 
 	loginSID, loginCID, loginToken, err :=
-		database.LoginUser(ctx, "ghost", "password123")
+		database.LoginUser(ctx, "ghost", "password123", "", "")
 	if err == nil {
 		t.Fatal("expected error for nonexistent user")
 	}

internal/db/db.go

@@ -12,8 +12,8 @@ import (
 	"strconv"
 	"strings"
 
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"go.uber.org/fx"
 
 	_ "github.com/joho/godotenv/autoload" // .env
@@ -87,7 +87,7 @@ func (database *Database) GetDB() *sql.DB {
 func (database *Database) connect(ctx context.Context) error {
 	dbURL := database.params.Config.DBURL
 	if dbURL == "" {
-		dbURL = "file:./data.db?_journal_mode=WAL&_busy_timeout=5000"
+		dbURL = "file:///var/lib/neoirc/state.db?_journal_mode=WAL&_busy_timeout=5000"
 	}
 
 	database.log.Info(

internal/db/errors.go

@@ -0,0 +1,20 @@
+// Package db provides database access and migration management.
+package db
+
+import (
+	"errors"
+
+	"modernc.org/sqlite"
+	sqlite3 "modernc.org/sqlite/lib"
+)
+
+// IsUniqueConstraintError reports whether err is a SQLite
+// unique-constraint violation.
+func IsUniqueConstraintError(err error) bool {
+	var sqliteErr *sqlite.Error
+	if !errors.As(err, &sqliteErr) {
+		return false
+	}
+
+	return sqliteErr.Code() == sqlite3.SQLITE_CONSTRAINT_UNIQUE
+}

internal/db/main_test.go

@@ -0,0 +1,14 @@
+package db_test
+
+import (
+	"os"
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func TestMain(m *testing.M) {
+	db.SetBcryptCost(bcrypt.MinCost)
+	os.Exit(m.Run())
+}

internal/db/queries_test.go

@@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"testing"
 
-	"git.eeqj.de/sneak/chat/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/db"
 
 	_ "modernc.org/sqlite"
 )
@@ -34,7 +34,7 @@ func TestCreateSession(t *testing.T) {
 	ctx := t.Context()
 
 	sessionID, _, token, err := database.CreateSession(
-		ctx, "alice",
+		ctx, "alice", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -45,7 +45,7 @@ func TestCreateSession(t *testing.T) {
 	}
 
 	_, _, dupToken, dupErr := database.CreateSession(
-		ctx, "alice",
+		ctx, "alice", "", "", "",
 	)
 	if dupErr == nil {
 		t.Fatal("expected error for duplicate nick")
@@ -54,13 +54,249 @@ func TestCreateSession(t *testing.T) {
 	_ = dupToken
 }
 
+// assertSessionHostInfo creates a session and verifies
+// the stored username and hostname match expectations.
+func assertSessionHostInfo(
+	t *testing.T,
+	database *db.Database,
+	nick, inputUser, inputHost,
+	expectUser, expectHost string,
+) {
+	t.Helper()
+
+	sessionID, _, _, err := database.CreateSession(
+		t.Context(), nick, inputUser, inputHost, "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := database.GetSessionHostInfo(
+		t.Context(), sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.Username != expectUser {
+		t.Fatalf(
+			"expected username %s, got %s",
+			expectUser, info.Username,
+		)
+	}
+
+	if info.Hostname != expectHost {
+		t.Fatalf(
+			"expected hostname %s, got %s",
+			expectHost, info.Hostname,
+		)
+	}
+}
+
+func TestCreateSessionWithUserHost(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	assertSessionHostInfo(
+		t, database,
+		"hostuser", "myident", "example.com",
+		"myident", "example.com",
+	)
+}
+
+func TestCreateSessionDefaultUsername(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	// Empty username defaults to nick.
+	assertSessionHostInfo(
+		t, database,
+		"defaultu", "", "host.local",
+		"defaultu", "host.local",
+	)
+}
+
+func TestCreateSessionStoresIP(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, clientID, _, err := database.CreateSession(
+		ctx, "ipuser", "ident", "host.example.com",
+		"192.168.1.42",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := database.GetSessionHostInfo(
+		ctx, sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.IP != "192.168.1.42" {
+		t.Fatalf(
+			"expected session IP 192.168.1.42, got %s",
+			info.IP,
+		)
+	}
+
+	clientInfo, err := database.GetClientHostInfo(
+		ctx, clientID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if clientInfo.IP != "192.168.1.42" {
+		t.Fatalf(
+			"expected client IP 192.168.1.42, got %s",
+			clientInfo.IP,
+		)
+	}
+
+	if clientInfo.Hostname != "host.example.com" {
+		t.Fatalf(
+			"expected client hostname host.example.com, got %s",
+			clientInfo.Hostname,
+		)
+	}
+}
+
+func TestGetClientHostInfoNotFound(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	_, err := database.GetClientHostInfo(
+		t.Context(), 99999,
+	)
+	if err == nil {
+		t.Fatal("expected error for nonexistent client")
+	}
+}
+
+func TestGetSessionHostInfoNotFound(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	_, err := database.GetSessionHostInfo(
+		t.Context(), 99999,
+	)
+	if err == nil {
+		t.Fatal("expected error for nonexistent session")
+	}
+}
+
+func TestFormatHostmask(t *testing.T) {
+	t.Parallel()
+
+	result := db.FormatHostmask(
+		"nick", "user", "host.com",
+	)
+	if result != "nick!user@host.com" {
+		t.Fatalf(
+			"expected nick!user@host.com, got %s",
+			result,
+		)
+	}
+}
+
+func TestFormatHostmaskDefaults(t *testing.T) {
+	t.Parallel()
+
+	result := db.FormatHostmask("nick", "", "")
+	if result != "nick!nick@*" {
+		t.Fatalf(
+			"expected nick!nick@*, got %s",
+			result,
+		)
+	}
+}
+
+func TestMemberInfoHostmask(t *testing.T) {
+	t.Parallel()
+
+	member := &db.MemberInfo{ //nolint:exhaustruct // test only uses hostmask fields
+		Nick:     "alice",
+		Username: "aliceident",
+		Hostname: "alice.example.com",
+	}
+
+	hostmask := member.Hostmask()
+	expected := "alice!aliceident@alice.example.com"
+
+	if hostmask != expected {
+		t.Fatalf(
+			"expected %s, got %s", expected, hostmask,
+		)
+	}
+}
+
+func TestChannelMembersIncludeUserHost(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid, _, _, err := database.CreateSession(
+		ctx, "memuser", "myuser", "myhost.net", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chID, err := database.GetOrCreateChannel(
+		ctx, "#hostchan",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = database.JoinChannel(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	members, err := database.ChannelMembers(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(members) != 1 {
+		t.Fatalf(
+			"expected 1 member, got %d", len(members),
+		)
+	}
+
+	if members[0].Username != "myuser" {
+		t.Fatalf(
+			"expected username myuser, got %s",
+			members[0].Username,
+		)
+	}
+
+	if members[0].Hostname != "myhost.net" {
+		t.Fatalf(
+			"expected hostname myhost.net, got %s",
+			members[0].Hostname,
+		)
+	}
+}
+
 func TestGetSessionByToken(t *testing.T) {
 	t.Parallel()
 
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	_, _, token, err := database.CreateSession(ctx, "bob")
+	_, _, token, err := database.CreateSession(ctx, "bob", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -93,7 +329,7 @@ func TestGetSessionByNick(t *testing.T) {
 	ctx := t.Context()
 
 	charlieID, charlieClientID, charlieToken, err :=
-		database.CreateSession(ctx, "charlie")
+		database.CreateSession(ctx, "charlie", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -150,7 +386,7 @@ func TestJoinAndPart(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	sid, _, _, err := database.CreateSession(ctx, "user1")
+	sid, _, _, err := database.CreateSession(ctx, "user1", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -199,7 +435,7 @@ func TestDeleteChannelIfEmpty(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	sid, _, _, err := database.CreateSession(ctx, "temp")
+	sid, _, _, err := database.CreateSession(ctx, "temp", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -234,7 +470,7 @@ func createSessionWithChannels(
 
 	ctx := t.Context()
 
-	sid, _, _, err := database.CreateSession(ctx, nick)
+	sid, _, _, err := database.CreateSession(ctx, nick, "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -317,7 +553,7 @@ func TestChangeNick(t *testing.T) {
 	ctx := t.Context()
 
 	sid, _, token, err := database.CreateSession(
-		ctx, "old",
+		ctx, "old", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -383,7 +619,7 @@ func TestInsertMessage(t *testing.T) {
 	body := json.RawMessage(`["hello"]`)
 
 	dbID, msgUUID, err := database.InsertMessage(
-		ctx, "PRIVMSG", "poller", "#test", body, nil,
+		ctx, "PRIVMSG", "poller", "#test", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -401,7 +637,7 @@ func TestPollMessages(t *testing.T) {
 	ctx := t.Context()
 
 	sid, _, token, err := database.CreateSession(
-		ctx, "poller",
+		ctx, "poller", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -417,7 +653,7 @@ func TestPollMessages(t *testing.T) {
 	body := json.RawMessage(`["hello"]`)
 
 	dbID, _, err := database.InsertMessage(
-		ctx, "PRIVMSG", "poller", "#test", body, nil,
+		ctx, "PRIVMSG", "poller", "#test", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -475,7 +711,7 @@ func TestGetHistory(t *testing.T) {
 	for range msgCount {
 		_, _, err := database.InsertMessage(
 			ctx, "PRIVMSG", "user", "#hist",
-			json.RawMessage(`["msg"]`), nil,
+			nil, json.RawMessage(`["msg"]`), nil,
 		)
 		if err != nil {
 			t.Fatal(err)
@@ -508,7 +744,7 @@ func TestDeleteSession(t *testing.T) {
 	ctx := t.Context()
 
 	sid, _, _, err := database.CreateSession(
-		ctx, "deleteme",
+		ctx, "deleteme", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -548,12 +784,12 @@ func TestChannelMembers(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	sid1, _, _, err := database.CreateSession(ctx, "m1")
+	sid1, _, _, err := database.CreateSession(ctx, "m1", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	sid2, _, _, err := database.CreateSession(ctx, "m2")
+	sid2, _, _, err := database.CreateSession(ctx, "m2", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -611,7 +847,7 @@ func TestEnqueueToClient(t *testing.T) {
 	ctx := t.Context()
 
 	_, _, token, err := database.CreateSession(
-		ctx, "enqclient",
+		ctx, "enqclient", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -627,7 +863,7 @@ func TestEnqueueToClient(t *testing.T) {
 	body := json.RawMessage(`["test"]`)
 
 	dbID, _, err := database.InsertMessage(
-		ctx, "PRIVMSG", "sender", "#ch", body, nil,
+		ctx, "PRIVMSG", "sender", "#ch", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -651,3 +887,604 @@ func TestEnqueueToClient(t *testing.T) {
 		t.Fatalf("expected 1, got %d", len(msgs))
 	}
 }
+
+func TestSetAndCheckSessionOper(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, _, _, err := database.CreateSession(
+		ctx, "opernick", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Initially not oper.
+	isOper, err := database.IsSessionOper(ctx, sessionID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isOper {
+		t.Fatal("expected session not to be oper")
+	}
+
+	// Set oper.
+	err = database.SetSessionOper(ctx, sessionID, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isOper, err = database.IsSessionOper(ctx, sessionID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !isOper {
+		t.Fatal("expected session to be oper")
+	}
+
+	// Unset oper.
+	err = database.SetSessionOper(ctx, sessionID, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isOper, err = database.IsSessionOper(ctx, sessionID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isOper {
+		t.Fatal("expected session not to be oper")
+	}
+}
+
+func TestGetLatestClientForSession(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, _, _, err := database.CreateSession(
+		ctx, "clientnick", "", "", "10.0.0.1",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientInfo, err := database.GetLatestClientForSession(
+		ctx, sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if clientInfo.IP != "10.0.0.1" {
+		t.Fatalf(
+			"expected IP 10.0.0.1, got %s",
+			clientInfo.IP,
+		)
+	}
+}
+
+func TestGetOperCount(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	// Create two sessions.
+	sid1, _, _, err := database.CreateSession(
+		ctx, "user1", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sid2, _, _, err := database.CreateSession(
+		ctx, "user2", "", "", "",
+	)
+	_ = sid2
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Initially zero opers.
+	count, err := database.GetOperCount(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if count != 0 {
+		t.Fatalf("expected 0 opers, got %d", count)
+	}
+
+	// Set one as oper.
+	err = database.SetSessionOper(ctx, sid1, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	count, err = database.GetOperCount(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if count != 1 {
+		t.Fatalf("expected 1 oper, got %d", count)
+	}
+}
+
+// --- Tier 2 Tests ---
+
+func TestWildcardMatch(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		pattern string
+		input   string
+		match   bool
+	}{
+		{"*!*@*", "nick!user@host", true},
+		{"*!*@*.example.com", "nick!user@foo.example.com", true},
+		{"*!*@*.example.com", "nick!user@other.net", false},
+		{"badnick!*@*", "badnick!user@host", true},
+		{"badnick!*@*", "goodnick!user@host", false},
+		{"nick!user@host", "nick!user@host", true},
+		{"nick!user@host", "nick!user@other", false},
+		{"*", "anything", true},
+		{"?ick!*@*", "nick!user@host", true},
+		{"?ick!*@*", "nn!user@host", false},
+		// Case-insensitive.
+		{"Nick!*@*", "nick!user@host", true},
+	}
+
+	for _, tc := range tests {
+		result := db.MatchBanMask(tc.pattern, tc.input)
+		if result != tc.match {
+			t.Errorf(
+				"MatchBanMask(%q, %q) = %v, want %v",
+				tc.pattern, tc.input, result, tc.match,
+			)
+		}
+	}
+}
+
+func TestChannelBanCRUD(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// No bans initially.
+	bans, err := database.ListChannelBans(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(bans) != 0 {
+		t.Fatalf("expected 0 bans, got %d", len(bans))
+	}
+
+	// Add a ban.
+	err = database.AddChannelBan(
+		ctx, chID, "*!*@evil.com", "op",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bans, err = database.ListChannelBans(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(bans) != 1 {
+		t.Fatalf("expected 1 ban, got %d", len(bans))
+	}
+
+	if bans[0].Mask != "*!*@evil.com" {
+		t.Fatalf("wrong mask: %s", bans[0].Mask)
+	}
+
+	// Duplicate add is ignored (OR IGNORE).
+	err = database.AddChannelBan(
+		ctx, chID, "*!*@evil.com", "op2",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bans, _ = database.ListChannelBans(ctx, chID)
+	if len(bans) != 1 {
+		t.Fatalf("expected 1 ban after dup, got %d", len(bans))
+	}
+
+	// Remove ban.
+	err = database.RemoveChannelBan(
+		ctx, chID, "*!*@evil.com",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bans, _ = database.ListChannelBans(ctx, chID)
+	if len(bans) != 0 {
+		t.Fatalf("expected 0 bans after remove, got %d", len(bans))
+	}
+}
+
+func TestIsSessionBanned(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid, _, _, err := database.CreateSession(
+		ctx, "victim", "victim", "evil.com", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chID, err := database.GetOrCreateChannel(ctx, "#bantest")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Not banned initially.
+	banned, err := database.IsSessionBanned(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if banned {
+		t.Fatal("should not be banned initially")
+	}
+
+	// Add ban matching the hostmask.
+	err = database.AddChannelBan(
+		ctx, chID, "*!*@evil.com", "op",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	banned, err = database.IsSessionBanned(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !banned {
+		t.Fatal("should be banned")
+	}
+}
+
+func TestChannelInviteOnly(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#invite")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: not invite-only.
+	isIO, err := database.IsChannelInviteOnly(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isIO {
+		t.Fatal("should not be invite-only by default")
+	}
+
+	// Set invite-only.
+	err = database.SetChannelInviteOnly(ctx, chID, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
+	if !isIO {
+		t.Fatal("should be invite-only")
+	}
+
+	// Unset.
+	err = database.SetChannelInviteOnly(ctx, chID, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
+	if isIO {
+		t.Fatal("should not be invite-only")
+	}
+}
+
+func TestChannelInviteCRUD(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid, _, _, err := database.CreateSession(
+		ctx, "invited", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chID, err := database.GetOrCreateChannel(ctx, "#inv")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// No invite initially.
+	has, err := database.HasChannelInvite(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if has {
+		t.Fatal("should not have invite")
+	}
+
+	// Add invite.
+	err = database.AddChannelInvite(ctx, chID, sid, "op")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	has, _ = database.HasChannelInvite(ctx, chID, sid)
+	if !has {
+		t.Fatal("should have invite")
+	}
+
+	// Clear invite.
+	err = database.ClearChannelInvite(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	has, _ = database.HasChannelInvite(ctx, chID, sid)
+	if has {
+		t.Fatal("invite should be cleared")
+	}
+}
+
+func TestChannelSecret(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#secret")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: not secret.
+	isSec, err := database.IsChannelSecret(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isSec {
+		t.Fatal("should not be secret by default")
+	}
+
+	err = database.SetChannelSecret(ctx, chID, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isSec, _ = database.IsChannelSecret(ctx, chID)
+	if !isSec {
+		t.Fatal("should be secret")
+	}
+}
+
+// createTestSession is a helper to create a session and
+// return only the session ID.
+func createTestSession(
+	t *testing.T,
+	database *db.Database,
+	nick string,
+) int64 {
+	t.Helper()
+
+	sid, _, _, err := database.CreateSession(
+		t.Context(), nick, "", "", "",
+	)
+	if err != nil {
+		t.Fatalf("create session %s: %v", nick, err)
+	}
+
+	return sid
+}
+
+func TestSecretChannelFiltering(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	// Create two sessions.
+	sid1 := createTestSession(t, database, "member")
+	sid2 := createTestSession(t, database, "outsider")
+
+	// Create a secret channel.
+	chID, _ := database.GetOrCreateChannel(ctx, "#secret")
+	_ = database.SetChannelSecret(ctx, chID, true)
+	_ = database.JoinChannel(ctx, chID, sid1)
+
+	// Create a non-secret channel.
+	chID2, _ := database.GetOrCreateChannel(ctx, "#public")
+	_ = database.JoinChannel(ctx, chID2, sid1)
+
+	// Member should see both.
+	list, err := database.ListAllChannelsWithCountsFiltered(
+		ctx, sid1,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(list) != 2 {
+		t.Fatalf("member should see 2 channels, got %d", len(list))
+	}
+
+	// Outsider should only see public.
+	list, _ = database.ListAllChannelsWithCountsFiltered(
+		ctx, sid2,
+	)
+	if len(list) != 1 {
+		t.Fatalf("outsider should see 1 channel, got %d", len(list))
+	}
+
+	if list[0].Name != "#public" {
+		t.Fatalf("outsider should see #public, got %s", list[0].Name)
+	}
+}
+
+func TestWhoisChannelFiltering(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid1 := createTestSession(t, database, "target")
+	sid2 := createTestSession(t, database, "querier")
+
+	// Create secret channel, target joins it.
+	chID, _ := database.GetOrCreateChannel(ctx, "#hidden")
+	_ = database.SetChannelSecret(ctx, chID, true)
+	_ = database.JoinChannel(ctx, chID, sid1)
+
+	// Querier (non-member) should not see the channel.
+	channels, err := database.GetSessionChannelsFiltered(
+		ctx, sid1, sid2,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(channels) != 0 {
+		t.Fatalf(
+			"querier should see 0 channels, got %d",
+			len(channels),
+		)
+	}
+
+	// Target querying self should see it.
+	channels, _ = database.GetSessionChannelsFiltered(
+		ctx, sid1, sid1,
+	)
+	if len(channels) != 1 {
+		t.Fatalf(
+			"self-query should see 1 channel, got %d",
+			len(channels),
+		)
+	}
+}
+
+//nolint:dupl // structurally similar to TestChannelUserLimit
+func TestChannelKey(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#keyed")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: no key.
+	key, err := database.GetChannelKey(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if key != "" {
+		t.Fatalf("expected empty key, got %q", key)
+	}
+
+	// Set key.
+	err = database.SetChannelKey(ctx, chID, "secret123")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	key, _ = database.GetChannelKey(ctx, chID)
+	if key != "secret123" {
+		t.Fatalf("expected secret123, got %q", key)
+	}
+
+	// Clear key.
+	err = database.SetChannelKey(ctx, chID, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	key, _ = database.GetChannelKey(ctx, chID)
+	if key != "" {
+		t.Fatalf("expected empty key, got %q", key)
+	}
+}
+
+//nolint:dupl // structurally similar to TestChannelKey
+func TestChannelUserLimit(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#limited")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: no limit.
+	limit, err := database.GetChannelUserLimit(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if limit != 0 {
+		t.Fatalf("expected 0 limit, got %d", limit)
+	}
+
+	// Set limit.
+	err = database.SetChannelUserLimit(ctx, chID, 50)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	limit, _ = database.GetChannelUserLimit(ctx, chID)
+	if limit != 50 {
+		t.Fatalf("expected 50, got %d", limit)
+	}
+
+	// Clear limit.
+	err = database.SetChannelUserLimit(ctx, chID, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	limit, _ = database.GetChannelUserLimit(ctx, chID)
+	if limit != 0 {
+		t.Fatalf("expected 0, got %d", limit)
+	}
+}

internal/db/schema/001_initial.sql

@@ -6,8 +6,13 @@ CREATE TABLE IF NOT EXISTS sessions (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     uuid TEXT NOT NULL UNIQUE,
     nick TEXT NOT NULL UNIQUE,
+    username TEXT NOT NULL DEFAULT '',
+    hostname TEXT NOT NULL DEFAULT '',
+    ip TEXT NOT NULL DEFAULT '',
+    is_oper INTEGER NOT NULL DEFAULT 0,
     password_hash TEXT NOT NULL DEFAULT '',
     signing_key TEXT NOT NULL DEFAULT '',
+    away_message TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -19,6 +24,8 @@ CREATE TABLE IF NOT EXISTS clients (
     uuid TEXT NOT NULL UNIQUE,
     session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
     token TEXT NOT NULL UNIQUE,
+    ip TEXT NOT NULL DEFAULT '',
+    hostname TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -30,15 +37,48 @@ CREATE TABLE IF NOT EXISTS channels (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     name TEXT NOT NULL UNIQUE,
     topic TEXT NOT NULL DEFAULT '',
+    topic_set_by TEXT NOT NULL DEFAULT '',
+    topic_set_at DATETIME,
+    hashcash_bits INTEGER NOT NULL DEFAULT 0,
+    is_moderated INTEGER NOT NULL DEFAULT 0,
+    is_topic_locked INTEGER NOT NULL DEFAULT 1,
+    is_invite_only INTEGER NOT NULL DEFAULT 0,
+    is_secret INTEGER NOT NULL DEFAULT 0,
+    channel_key TEXT NOT NULL DEFAULT '',
+    user_limit INTEGER NOT NULL DEFAULT 0,
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
 
+-- Channel bans
+CREATE TABLE IF NOT EXISTS channel_bans (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
+    mask TEXT NOT NULL,
+    set_by TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(channel_id, mask)
+);
+CREATE INDEX IF NOT EXISTS idx_channel_bans_channel ON channel_bans(channel_id);
+
+-- Channel invites (in-memory would be simpler but DB survives restarts)
+CREATE TABLE IF NOT EXISTS channel_invites (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
+    session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
+    invited_by TEXT NOT NULL DEFAULT '',
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(channel_id, session_id)
+);
+CREATE INDEX IF NOT EXISTS idx_channel_invites_channel ON channel_invites(channel_id);
+
 -- Channel members
 CREATE TABLE IF NOT EXISTS channel_members (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
     session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
+    is_operator INTEGER NOT NULL DEFAULT 0,
+    is_voiced INTEGER NOT NULL DEFAULT 0,
     joined_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     UNIQUE(channel_id, session_id)
 );
@@ -50,6 +90,7 @@ CREATE TABLE IF NOT EXISTS messages (
     command TEXT NOT NULL DEFAULT 'PRIVMSG',
     msg_from TEXT NOT NULL DEFAULT '',
     msg_to TEXT NOT NULL DEFAULT '',
+    params TEXT NOT NULL DEFAULT '[]',
     body TEXT NOT NULL DEFAULT '[]',
     meta TEXT NOT NULL DEFAULT '{}',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP
@@ -57,6 +98,14 @@ CREATE TABLE IF NOT EXISTS messages (
 CREATE INDEX IF NOT EXISTS idx_messages_to_id ON messages(msg_to, id);
 CREATE INDEX IF NOT EXISTS idx_messages_created ON messages(created_at);
 
+-- Spent hashcash tokens for replay prevention (1-year TTL)
+CREATE TABLE IF NOT EXISTS spent_hashcash (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    stamp_hash TEXT NOT NULL UNIQUE,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+CREATE INDEX IF NOT EXISTS idx_spent_hashcash_created ON spent_hashcash(created_at);
+
 -- Per-client message queues for fan-out delivery
 CREATE TABLE IF NOT EXISTS client_queues (
     id INTEGER PRIMARY KEY AUTOINCREMENT,

internal/globals/globals.go

@@ -2,6 +2,8 @@
 package globals
 
 import (
+	"time"
+
 	"go.uber.org/fx"
 )
 
@@ -17,14 +19,16 @@ var (
 type Globals struct {
 	Appname   string
 	Version   string
+	StartTime time.Time
 }
 
 // New creates a new Globals instance from the global state.
 func New(_ fx.Lifecycle) (*Globals, error) {
-	n := &Globals{
+	result := &Globals{
 		Appname:   Appname,
 		Version:   Version,
+		StartTime: time.Now(),
 	}
 
-	return n, nil
+	return result, nil
 }

internal/handlers/auth.go

@@ -4,116 +4,12 @@ import (
 	"encoding/json"
 	"net/http"
 	"strings"
+
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 
 const minPasswordLength = 8
 
-// HandleRegister creates a new user with a password.
-func (hdlr *Handlers) HandleRegister() http.HandlerFunc {
-	return func(
-		writer http.ResponseWriter,
-		request *http.Request,
-	) {
-		request.Body = http.MaxBytesReader(
-			writer, request.Body, hdlr.maxBodySize(),
-		)
-
-		hdlr.handleRegister(writer, request)
-	}
-}
-
-func (hdlr *Handlers) handleRegister(
-	writer http.ResponseWriter,
-	request *http.Request,
-) {
-	type registerRequest struct {
-		Nick     string `json:"nick"`
-		Password string `json:"password"`
-	}
-
-	var payload registerRequest
-
-	err := json.NewDecoder(request.Body).Decode(&payload)
-	if err != nil {
-		hdlr.respondError(
-			writer, request,
-			"invalid request body",
-			http.StatusBadRequest,
-		)
-
-		return
-	}
-
-	payload.Nick = strings.TrimSpace(payload.Nick)
-
-	if !validNickRe.MatchString(payload.Nick) {
-		hdlr.respondError(
-			writer, request,
-			"invalid nick format",
-			http.StatusBadRequest,
-		)
-
-		return
-	}
-
-	if len(payload.Password) < minPasswordLength {
-		hdlr.respondError(
-			writer, request,
-			"password must be at least 8 characters",
-			http.StatusBadRequest,
-		)
-
-		return
-	}
-
-	sessionID, clientID, token, err :=
-		hdlr.params.Database.RegisterUser(
-			request.Context(),
-			payload.Nick,
-			payload.Password,
-		)
-	if err != nil {
-		hdlr.handleRegisterError(
-			writer, request, err,
-		)
-
-		return
-	}
-
-	hdlr.deliverMOTD(request, clientID, sessionID)
-
-	hdlr.respondJSON(writer, request, map[string]any{
-		"id":    sessionID,
-		"nick":  payload.Nick,
-		"token": token,
-	}, http.StatusCreated)
-}
-
-func (hdlr *Handlers) handleRegisterError(
-	writer http.ResponseWriter,
-	request *http.Request,
-	err error,
-) {
-	if strings.Contains(err.Error(), "UNIQUE") {
-		hdlr.respondError(
-			writer, request,
-			"nick already taken",
-			http.StatusConflict,
-		)
-
-		return
-	}
-
-	hdlr.log.Error(
-		"register user failed", "error", err,
-	)
-	hdlr.respondError(
-		writer, request,
-		"internal error",
-		http.StatusInternalServerError,
-	)
-}
-
 // HandleLogin authenticates a user with nick and password.
 func (hdlr *Handlers) HandleLogin() http.HandlerFunc {
 	return func(
@@ -132,6 +28,21 @@ func (hdlr *Handlers) handleLogin(
 	writer http.ResponseWriter,
 	request *http.Request,
 ) {
+	ip := clientIP(request)
+
+	if !hdlr.loginLimiter.Allow(ip) {
+		writer.Header().Set(
+			"Retry-After", "1",
+		)
+		hdlr.respondError(
+			writer, request,
+			"too many login attempts, try again later",
+			http.StatusTooManyRequests,
+		)
+
+		return
+	}
+
 	type loginRequest struct {
 		Nick     string `json:"nick"`
 		Password string `json:"password"`
@@ -162,11 +73,27 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 
-	sessionID, _, token, err :=
+	hdlr.executeLogin(
+		writer, request, payload.Nick, payload.Password,
+	)
+}
+
+func (hdlr *Handlers) executeLogin(
+	writer http.ResponseWriter,
+	request *http.Request,
+	nick, password string,
+) {
+	remoteIP := clientIP(request)
+
+	hostname := resolveHostname(
+		request.Context(), remoteIP,
+	)
+
+	sessionID, clientID, token, err :=
 		hdlr.params.Database.LoginUser(
 			request.Context(),
-			payload.Nick,
+			nick, password,
-			payload.Password,
+			remoteIP, hostname,
 		)
 	if err != nil {
 		hdlr.respondError(
@@ -178,9 +105,78 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 
+	hdlr.stats.IncrConnections()
+
+	hdlr.deliverMOTD(
+		request, clientID, sessionID, nick,
+	)
+
+	// Initialize channel state so the new client knows
+	// which channels the session already belongs to.
+	hdlr.initChannelState(
+		request, clientID, sessionID, nick,
+	)
+
+	hdlr.setAuthCookie(writer, request, token)
+
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":   sessionID,
-		"nick":  payload.Nick,
+		"nick": nick,
-		"token": token,
 	}, http.StatusOK)
 }
+
+// handlePass handles the IRC PASS command to set a
+// password on the authenticated session, enabling
+// multi-client login via POST /api/v1/login.
+func (hdlr *Handlers) handlePass(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick string,
+	bodyLines func() []string,
+) {
+	lines := bodyLines()
+	if len(lines) == 0 || lines[0] == "" {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdPass},
+			"Not enough parameters",
+		)
+
+		return
+	}
+
+	password := lines[0]
+
+	if len(password) < minPasswordLength {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdPass},
+			"Password must be at least 8 characters",
+		)
+
+		return
+	}
+
+	err := hdlr.params.Database.SetPassword(
+		request.Context(), sessionID, password,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"set password failed", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}

internal/handlers/handlers.go

@@ -1,4 +1,4 @@
-// Package handlers provides HTTP request handlers for the chat server.
+// Package handlers provides HTTP request handlers for the neoirc server.
 package handlers
 
 import (
@@ -9,12 +9,15 @@ import (
 	"net/http"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/broker"
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/healthcheck"
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/ratelimit"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -29,9 +32,15 @@ type Params struct {
 	Config      *config.Config
 	Database    *db.Database
 	Healthcheck *healthcheck.Healthcheck
+	Stats       *stats.Tracker
 }
 
-const defaultIdleTimeout = 24 * time.Hour
+const defaultIdleTimeout = 30 * 24 * time.Hour
+
+// spentHashcashTTL is how long spent hashcash tokens are
+// retained for replay prevention. Per issue requirements,
+// this is 1 year.
+const spentHashcashTTL = 365 * 24 * time.Hour
 
 // Handlers manages HTTP request handling.
 type Handlers struct {
@@ -39,6 +48,10 @@ type Handlers struct {
 	log             *slog.Logger
 	hc              *healthcheck.Healthcheck
 	broker          *broker.Broker
+	hashcashVal     *hashcash.Validator
+	channelHashcash *hashcash.ChannelValidator
+	loginLimiter    *ratelimit.Limiter
+	stats           *stats.Tracker
 	cancelCleanup   context.CancelFunc
 }
 
@@ -47,11 +60,30 @@ func New(
 	lifecycle fx.Lifecycle,
 	params Params,
 ) (*Handlers, error) {
+	resource := params.Config.ServerName
+	if resource == "" {
+		resource = "neoirc"
+	}
+
+	loginRate := params.Config.LoginRateLimit
+	if loginRate <= 0 {
+		loginRate = ratelimit.DefaultRate
+	}
+
+	loginBurst := params.Config.LoginRateBurst
+	if loginBurst <= 0 {
+		loginBurst = ratelimit.DefaultBurst
+	}
+
 	hdlr := &Handlers{ //nolint:exhaustruct // cancelCleanup set in startCleanup
 		params:          &params,
 		log:             params.Logger.Get(),
 		hc:              params.Healthcheck,
 		broker:          broker.New(),
+		hashcashVal:     hashcash.NewValidator(resource),
+		channelHashcash: hashcash.NewChannelValidator(),
+		loginLimiter:    ratelimit.New(loginRate, loginBurst),
+		stats:           params.Stats,
 	}
 
 	lifecycle.Append(fx.Hook{
@@ -143,6 +175,10 @@ func (hdlr *Handlers) stopCleanup() {
 	if hdlr.cancelCleanup != nil {
 		hdlr.cancelCleanup()
 	}
+
+	if hdlr.loginLimiter != nil {
+		hdlr.loginLimiter.Stop()
+	}
 }
 
 func (hdlr *Handlers) cleanupLoop(ctx context.Context) {
@@ -200,4 +236,93 @@ func (hdlr *Handlers) runCleanup(
 			"deleted", deleted,
 		)
 	}
+
+	hdlr.pruneQueuesAndMessages(ctx)
+}
+
+// parseDurationConfig parses a Go duration string,
+// returning zero on empty input and logging on error.
+func (hdlr *Handlers) parseDurationConfig(
+	name, raw string,
+) time.Duration {
+	if raw == "" {
+		return 0
+	}
+
+	dur, err := time.ParseDuration(raw)
+	if err != nil {
+		hdlr.log.Error(
+			"invalid duration config, skipping",
+			"name", name, "value", raw, "error", err,
+		)
+
+		return 0
+	}
+
+	return dur
+}
+
+// pruneQueuesAndMessages removes old client output queue
+// entries per QUEUE_MAX_AGE and old messages per
+// MESSAGE_MAX_AGE.
+func (hdlr *Handlers) pruneQueuesAndMessages(
+	ctx context.Context,
+) {
+	queueMaxAge := hdlr.parseDurationConfig(
+		"QUEUE_MAX_AGE",
+		hdlr.params.Config.QueueMaxAge,
+	)
+	if queueMaxAge > 0 {
+		queueCutoff := time.Now().Add(-queueMaxAge)
+
+		pruned, err := hdlr.params.Database.
+			PruneOldQueueEntries(ctx, queueCutoff)
+		if err != nil {
+			hdlr.log.Error(
+				"client output queue pruning failed", "error", err,
+			)
+		} else if pruned > 0 {
+			hdlr.log.Info(
+				"pruned old client output queue entries",
+				"deleted", pruned,
+			)
+		}
+	}
+
+	messageMaxAge := hdlr.parseDurationConfig(
+		"MESSAGE_MAX_AGE",
+		hdlr.params.Config.MessageMaxAge,
+	)
+	if messageMaxAge > 0 {
+		msgCutoff := time.Now().Add(-messageMaxAge)
+
+		pruned, err := hdlr.params.Database.
+			PruneOldMessages(ctx, msgCutoff)
+		if err != nil {
+			hdlr.log.Error(
+				"message pruning failed", "error", err,
+			)
+		} else if pruned > 0 {
+			hdlr.log.Info(
+				"pruned old messages",
+				"deleted", pruned,
+			)
+		}
+	}
+
+	// Prune spent hashcash tokens older than 1 year.
+	hashcashCutoff := time.Now().Add(-spentHashcashTTL)
+
+	pruned, err := hdlr.params.Database.
+		PruneSpentHashcash(ctx, hashcashCutoff)
+	if err != nil {
+		hdlr.log.Error(
+			"spent hashcash pruning failed", "error", err,
+		)
+	} else if pruned > 0 {
+		hdlr.log.Info(
+			"pruned spent hashcash tokens",
+			"deleted", pruned,
+		)
+	}
 }

internal/handlers/healthcheck.go

@@ -12,7 +12,7 @@ func (hdlr *Handlers) HandleHealthCheck() http.HandlerFunc {
 		writer http.ResponseWriter,
 		request *http.Request,
 	) {
-		resp := hdlr.hc.Healthcheck()
+		resp := hdlr.hc.Healthcheck(request.Context())
 		hdlr.respondJSON(writer, request, resp, httpStatusOK)
 	}
 }

internal/hashcash/channel.go

@@ -0,0 +1,186 @@
+package hashcash
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+)
+
+var (
+	errBodyHashMismatch = errors.New(
+		"body hash mismatch",
+	)
+	errBodyHashMissing = errors.New(
+		"body hash missing",
+	)
+)
+
+// ChannelValidator checks hashcash stamps for
+// per-channel PRIVMSG validation. It verifies that
+// stamps are bound to a specific channel and message
+// body. Replay prevention is handled externally via
+// the database spent_hashcash table for persistence
+// across server restarts (1-year TTL).
+type ChannelValidator struct{}
+
+// NewChannelValidator creates a ChannelValidator.
+func NewChannelValidator() *ChannelValidator {
+	return &ChannelValidator{}
+}
+
+// BodyHash computes the hex-encoded SHA-256 hash of a
+// message body for use in hashcash stamp validation.
+func BodyHash(body []byte) string {
+	hash := sha256.Sum256(body)
+
+	return hex.EncodeToString(hash[:])
+}
+
+// ValidateStamp checks a channel hashcash stamp. It
+// verifies the stamp format, difficulty, date, channel
+// binding, body hash binding, and proof-of-work. Replay
+// detection is NOT performed here — callers must check
+// the spent_hashcash table separately.
+//
+// Stamp format: 1:bits:YYMMDD:channel:bodyhash:counter.
+func (cv *ChannelValidator) ValidateStamp(
+	stamp string,
+	requiredBits int,
+	channel string,
+	bodyHash string,
+) error {
+	if requiredBits <= 0 {
+		return nil
+	}
+
+	parts := strings.Split(stamp, ":")
+	if len(parts) != stampFields {
+		return fmt.Errorf(
+			"%w: expected %d, got %d",
+			errInvalidFields, stampFields, len(parts),
+		)
+	}
+
+	version := parts[0]
+	bitsStr := parts[1]
+	dateStr := parts[2]
+	resource := parts[3]
+	stampBodyHash := parts[4]
+
+	headerErr := validateChannelHeader(
+		version, bitsStr, resource,
+		requiredBits, channel,
+	)
+	if headerErr != nil {
+		return headerErr
+	}
+
+	stampTime, parseErr := parseStampDate(dateStr)
+	if parseErr != nil {
+		return parseErr
+	}
+
+	timeErr := validateTime(stampTime)
+	if timeErr != nil {
+		return timeErr
+	}
+
+	bodyErr := validateBodyHash(
+		stampBodyHash, bodyHash,
+	)
+	if bodyErr != nil {
+		return bodyErr
+	}
+
+	return validateProof(stamp, requiredBits)
+}
+
+// StampHash returns a deterministic hash of a stamp
+// string for use as a spent-token key.
+func StampHash(stamp string) string {
+	hash := sha256.Sum256([]byte(stamp))
+
+	return hex.EncodeToString(hash[:])
+}
+
+func validateChannelHeader(
+	version, bitsStr, resource string,
+	requiredBits int,
+	channel string,
+) error {
+	if version != stampVersion {
+		return fmt.Errorf(
+			"%w: %s", errBadVersion, version,
+		)
+	}
+
+	claimedBits, err := strconv.Atoi(bitsStr)
+	if err != nil || claimedBits < requiredBits {
+		return fmt.Errorf(
+			"%w: need %d bits",
+			errInsufficientBits, requiredBits,
+		)
+	}
+
+	if resource != channel {
+		return fmt.Errorf(
+			"%w: got %q, want %q",
+			errWrongResource, resource, channel,
+		)
+	}
+
+	return nil
+}
+
+func validateBodyHash(
+	stampBodyHash, expectedBodyHash string,
+) error {
+	if stampBodyHash == "" {
+		return errBodyHashMissing
+	}
+
+	if stampBodyHash != expectedBodyHash {
+		return fmt.Errorf(
+			"%w: got %q, want %q",
+			errBodyHashMismatch,
+			stampBodyHash, expectedBodyHash,
+		)
+	}
+
+	return nil
+}
+
+// MintChannelStamp computes a channel hashcash stamp
+// with the given difficulty, channel name, and body hash.
+// This is intended for clients to generate stamps before
+// sending PRIVMSG to hashcash-protected channels.
+//
+// Stamp format: 1:bits:YYMMDD:channel:bodyhash:counter.
+func MintChannelStamp(
+	bits int,
+	channel string,
+	bodyHash string,
+) string {
+	date := time.Now().UTC().Format(dateFormatShort)
+	prefix := fmt.Sprintf(
+		"1:%d:%s:%s:%s:",
+		bits, date, channel, bodyHash,
+	)
+
+	counter := uint64(0)
+
+	for {
+		stamp := prefix + strconv.FormatUint(counter, 16)
+		hash := sha256.Sum256([]byte(stamp))
+
+		if hasLeadingZeroBits(hash[:], bits) {
+			return stamp
+		}
+
+		counter++
+	}
+}

internal/hashcash/channel_test.go

@@ -0,0 +1,244 @@
+package hashcash_test
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
+)
+
+const (
+	testChannel  = "#general"
+	testBodyText = `["hello world"]`
+)
+
+func testBodyHash() string {
+	hash := sha256.Sum256([]byte(testBodyText))
+
+	return hex.EncodeToString(hash[:])
+}
+
+func TestChannelValidateHappyPath(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err != nil {
+		t.Fatalf("valid channel stamp rejected: %v", err)
+	}
+}
+
+func TestChannelValidateWrongChannel(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	err := validator.ValidateStamp(
+		stamp, testBits, "#other", bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected channel mismatch error")
+	}
+}
+
+func TestChannelValidateWrongBodyHash(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	wrongHash := sha256.Sum256([]byte("different body"))
+	wrongBodyHash := hex.EncodeToString(wrongHash[:])
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, wrongBodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected body hash mismatch error")
+	}
+}
+
+func TestChannelValidateInsufficientBits(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	// Mint with 2 bits but require 4.
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	err := validator.ValidateStamp(
+		stamp, 4, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected insufficient bits error")
+	}
+}
+
+func TestChannelValidateZeroBitsSkips(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+
+	err := validator.ValidateStamp(
+		"garbage", 0, "#ch", "abc",
+	)
+	if err != nil {
+		t.Fatalf("zero bits should skip: %v", err)
+	}
+}
+
+func TestChannelValidateBadFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+
+	err := validator.ValidateStamp(
+		"not:valid", testBits, testChannel, "abc",
+	)
+	if err == nil {
+		t.Fatal("expected bad format error")
+	}
+}
+
+func TestChannelValidateBadVersion(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := "2:2:260317:#general:" + bodyHash + ":counter"
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected bad version error")
+	}
+}
+
+func TestChannelValidateExpiredStamp(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	// Mint with a very old date by manually constructing.
+	stamp := mintStampWithDate(
+		t, testBits, testChannel, "200101",
+	)
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected expired stamp error")
+	}
+}
+
+func TestChannelValidateMissingBodyHash(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	// Construct a stamp with empty body hash field.
+	stamp := mintStampWithDate(
+		t, testBits, testChannel, todayDate(),
+	)
+
+	// This uses the session-style stamp which has empty
+	// ext field — body hash is missing.
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected missing body hash error")
+	}
+}
+
+func TestBodyHash(t *testing.T) {
+	t.Parallel()
+
+	body := []byte(`["hello world"]`)
+	bodyHash := hashcash.BodyHash(body)
+
+	if len(bodyHash) != 64 {
+		t.Fatalf(
+			"expected 64-char hex hash, got %d",
+			len(bodyHash),
+		)
+	}
+
+	// Same input should produce same hash.
+	bodyHash2 := hashcash.BodyHash(body)
+	if bodyHash != bodyHash2 {
+		t.Fatal("body hash not deterministic")
+	}
+
+	// Different input should produce different hash.
+	bodyHash3 := hashcash.BodyHash([]byte("different"))
+	if bodyHash == bodyHash3 {
+		t.Fatal("different inputs produced same hash")
+	}
+}
+
+func TestStampHash(t *testing.T) {
+	t.Parallel()
+
+	hash1 := hashcash.StampHash("stamp1")
+	hash2 := hashcash.StampHash("stamp2")
+
+	if hash1 == hash2 {
+		t.Fatal("different stamps produced same hash")
+	}
+
+	// Same input should be deterministic.
+	hash1b := hashcash.StampHash("stamp1")
+	if hash1 != hash1b {
+		t.Fatal("stamp hash not deterministic")
+	}
+}
+
+func TestMintChannelStamp(t *testing.T) {
+	t.Parallel()
+
+	bodyHash := testBodyHash()
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	if stamp == "" {
+		t.Fatal("expected non-empty stamp")
+	}
+
+	// Validate the minted stamp.
+	validator := hashcash.NewChannelValidator()
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err != nil {
+		t.Fatalf("minted stamp failed validation: %v", err)
+	}
+}

internal/hashcash/hashcash.go

@@ -0,0 +1,277 @@
+// Package hashcash implements SHA-256-based hashcash
+// proof-of-work validation for abuse prevention.
+//
+// Stamp format: 1:bits:YYMMDD:resource::counter.
+//
+// The SHA-256 hash of the entire stamp string must have
+// at least `bits` leading zero bits.
+package hashcash
+
+import (
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	// stampVersion is the only supported hashcash version.
+	stampVersion = "1"
+	// stampFields is the number of fields in a stamp.
+	stampFields = 6
+	// maxStampAge is how old a stamp can be before
+	// rejection.
+	maxStampAge = 48 * time.Hour
+	// maxFutureSkew allows stamps slightly in the future.
+	maxFutureSkew = 1 * time.Hour
+	// pruneInterval controls how often expired stamps are
+	// removed from the spent set.
+	pruneInterval = 10 * time.Minute
+	// dateFormatShort is the YYMMDD date layout.
+	dateFormatShort = "060102"
+	// dateFormatLong is the YYMMDDHHMMSS date layout.
+	dateFormatLong = "060102150405"
+	// dateShortLen is the length of YYMMDD.
+	dateShortLen = 6
+	// dateLongLen is the length of YYMMDDHHMMSS.
+	dateLongLen = 12
+	// bitsPerByte is the number of bits in a byte.
+	bitsPerByte = 8
+	// fullByteMask is 0xFF, a mask for all bits in a byte.
+	fullByteMask = 0xFF
+)
+
+var (
+	errInvalidFields    = errors.New("invalid stamp field count")
+	errBadVersion       = errors.New("unsupported stamp version")
+	errInsufficientBits = errors.New("insufficient difficulty")
+	errWrongResource    = errors.New("wrong resource")
+	errStampExpired     = errors.New("stamp expired")
+	errStampFuture      = errors.New("stamp date in future")
+	errProofFailed      = errors.New("proof-of-work failed")
+	errStampReused      = errors.New("stamp already used")
+	errBadDateFormat    = errors.New("unrecognized date format")
+)
+
+// Validator checks hashcash stamps for validity and
+// prevents replay attacks via an in-memory spent set.
+type Validator struct {
+	resource string
+	mu       sync.Mutex
+	spent    map[string]time.Time
+}
+
+// NewValidator creates a Validator for the given resource.
+func NewValidator(resource string) *Validator {
+	validator := &Validator{
+		resource: resource,
+		mu:       sync.Mutex{},
+		spent:    make(map[string]time.Time),
+	}
+
+	go validator.pruneLoop()
+
+	return validator
+}
+
+// Validate checks a hashcash stamp. It returns nil if the
+// stamp is valid and has not been seen before.
+func (v *Validator) Validate(
+	stamp string,
+	requiredBits int,
+) error {
+	if requiredBits <= 0 {
+		return nil
+	}
+
+	parts := strings.Split(stamp, ":")
+	if len(parts) != stampFields {
+		return fmt.Errorf(
+			"%w: expected %d, got %d",
+			errInvalidFields, stampFields, len(parts),
+		)
+	}
+
+	version := parts[0]
+	bitsStr := parts[1]
+	dateStr := parts[2]
+	resource := parts[3]
+
+	if err := v.validateHeader(
+		version, bitsStr, resource, requiredBits,
+	); err != nil {
+		return err
+	}
+
+	stampTime, err := parseStampDate(dateStr)
+	if err != nil {
+		return err
+	}
+
+	if err := validateTime(stampTime); err != nil {
+		return err
+	}
+
+	if err := validateProof(
+		stamp, requiredBits,
+	); err != nil {
+		return err
+	}
+
+	return v.checkAndRecordStamp(stamp, stampTime)
+}
+
+func (v *Validator) validateHeader(
+	version, bitsStr, resource string,
+	requiredBits int,
+) error {
+	if version != stampVersion {
+		return fmt.Errorf(
+			"%w: %s", errBadVersion, version,
+		)
+	}
+
+	claimedBits, err := strconv.Atoi(bitsStr)
+	if err != nil || claimedBits < requiredBits {
+		return fmt.Errorf(
+			"%w: need %d bits",
+			errInsufficientBits, requiredBits,
+		)
+	}
+
+	if resource != v.resource {
+		return fmt.Errorf(
+			"%w: got %q, want %q",
+			errWrongResource, resource, v.resource,
+		)
+	}
+
+	return nil
+}
+
+func validateTime(stampTime time.Time) error {
+	now := time.Now()
+
+	if now.Sub(stampTime) > maxStampAge {
+		return errStampExpired
+	}
+
+	if stampTime.Sub(now) > maxFutureSkew {
+		return errStampFuture
+	}
+
+	return nil
+}
+
+func validateProof(stamp string, requiredBits int) error {
+	hash := sha256.Sum256([]byte(stamp))
+	if !hasLeadingZeroBits(hash[:], requiredBits) {
+		return fmt.Errorf(
+			"%w: need %d leading zero bits",
+			errProofFailed, requiredBits,
+		)
+	}
+
+	return nil
+}
+
+func (v *Validator) checkAndRecordStamp(
+	stamp string,
+	stampTime time.Time,
+) error {
+	v.mu.Lock()
+	defer v.mu.Unlock()
+
+	if _, ok := v.spent[stamp]; ok {
+		return errStampReused
+	}
+
+	v.spent[stamp] = stampTime
+
+	return nil
+}
+
+// hasLeadingZeroBits checks if the hash has at least n
+// leading zero bits.
+func hasLeadingZeroBits(hash []byte, numBits int) bool {
+	fullBytes := numBits / bitsPerByte
+	remainBits := numBits % bitsPerByte
+
+	for idx := range fullBytes {
+		if hash[idx] != 0 {
+			return false
+		}
+	}
+
+	if remainBits > 0 && fullBytes < len(hash) {
+		mask := byte(
+			fullByteMask << (bitsPerByte - remainBits),
+		)
+
+		if hash[fullBytes]&mask != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+// parseStampDate parses a hashcash date stamp.
+// Supports YYMMDD and YYMMDDHHMMSS formats.
+func parseStampDate(dateStr string) (time.Time, error) {
+	switch len(dateStr) {
+	case dateShortLen:
+		parsed, err := time.Parse(
+			dateFormatShort, dateStr,
+		)
+		if err != nil {
+			return time.Time{}, fmt.Errorf(
+				"parse date: %w", err,
+			)
+		}
+
+		return parsed, nil
+	case dateLongLen:
+		parsed, err := time.Parse(
+			dateFormatLong, dateStr,
+		)
+		if err != nil {
+			return time.Time{}, fmt.Errorf(
+				"parse date: %w", err,
+			)
+		}
+
+		return parsed, nil
+	default:
+		return time.Time{}, fmt.Errorf(
+			"%w: %q", errBadDateFormat, dateStr,
+		)
+	}
+}
+
+// pruneLoop periodically removes expired stamps from the
+// spent set.
+func (v *Validator) pruneLoop() {
+	ticker := time.NewTicker(pruneInterval)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		v.prune()
+	}
+}
+
+func (v *Validator) prune() {
+	cutoff := time.Now().Add(-maxStampAge)
+
+	v.mu.Lock()
+	defer v.mu.Unlock()
+
+	for stamp, stampTime := range v.spent {
+		if stampTime.Before(cutoff) {
+			delete(v.spent, stamp)
+		}
+	}
+}

internal/hashcash/hashcash_test.go

@@ -0,0 +1,261 @@
+package hashcash_test
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"math/big"
+	"testing"
+	"time"
+
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
+)
+
+const testBits = 2
+
+// mintStampWithDate creates a valid hashcash stamp using
+// the given date string.
+func mintStampWithDate(
+	tb testing.TB,
+	bits int,
+	resource string,
+	date string,
+) string {
+	tb.Helper()
+
+	prefix := fmt.Sprintf(
+		"1:%d:%s:%s::", bits, date, resource,
+	)
+
+	for {
+		counterVal, err := rand.Int(
+			rand.Reader, big.NewInt(1<<48),
+		)
+		if err != nil {
+			tb.Fatalf("random counter: %v", err)
+		}
+
+		stamp := prefix + hex.EncodeToString(
+			counterVal.Bytes(),
+		)
+		hash := sha256.Sum256([]byte(stamp))
+
+		if hasLeadingZeroBits(hash[:], bits) {
+			return stamp
+		}
+	}
+}
+
+// hasLeadingZeroBits checks if hash has at least numBits
+// leading zero bits. Duplicated here for test minting.
+func hasLeadingZeroBits(
+	hash []byte,
+	numBits int,
+) bool {
+	fullBytes := numBits / 8
+	remainBits := numBits % 8
+
+	for idx := range fullBytes {
+		if hash[idx] != 0 {
+			return false
+		}
+	}
+
+	if remainBits > 0 && fullBytes < len(hash) {
+		mask := byte(0xFF << (8 - remainBits))
+
+		if hash[fullBytes]&mask != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+func todayDate() string {
+	return time.Now().UTC().Format("060102")
+}
+
+func TestMintAndValidate(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf("valid stamp rejected: %v", err)
+	}
+}
+
+func TestReplayDetection(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf("first use failed: %v", err)
+	}
+
+	err = validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("replay not detected")
+	}
+}
+
+func TestResourceMismatch(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("correct-resource")
+	stamp := mintStampWithDate(
+		t, testBits, "wrong-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected resource mismatch error")
+	}
+}
+
+func TestInvalidStampFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+
+	err := validator.Validate(
+		"not:a:valid:stamp", testBits,
+	)
+	if err == nil {
+		t.Fatal("expected error for bad format")
+	}
+}
+
+func TestBadVersion(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := fmt.Sprintf(
+		"2:%d:%s:%s::abc123",
+		testBits, todayDate(), "test-resource",
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected bad version error")
+	}
+}
+
+func TestInsufficientDifficulty(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	// Claimed bits=1, but we require testBits=2.
+	stamp := fmt.Sprintf(
+		"1:1:%s:%s::counter",
+		todayDate(), "test-resource",
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected insufficient bits error")
+	}
+}
+
+func TestExpiredStamp(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	oldDate := time.Now().Add(-72 * time.Hour).
+		UTC().Format("060102")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", oldDate,
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected expired stamp error")
+	}
+}
+
+func TestZeroBitsSkipsValidation(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+
+	err := validator.Validate("garbage", 0)
+	if err != nil {
+		t.Fatalf("zero bits should skip: %v", err)
+	}
+}
+
+func TestLongDateFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	longDate := time.Now().UTC().Format("060102150405")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", longDate,
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf("long date stamp rejected: %v", err)
+	}
+}
+
+func TestBadDateFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := fmt.Sprintf(
+		"1:%d:BADDATE:%s::counter",
+		testBits, "test-resource",
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected bad date error")
+	}
+}
+
+func TestMultipleUniqueStamps(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+
+	for range 5 {
+		stamp := mintStampWithDate(
+			t, testBits, "test-resource", todayDate(),
+		)
+
+		err := validator.Validate(stamp, testBits)
+		if err != nil {
+			t.Fatalf("unique stamp rejected: %v", err)
+		}
+	}
+}
+
+func TestHigherBitsStillValid(t *testing.T) {
+	t.Parallel()
+
+	// Mint with bits=4 but validate requiring only 2.
+	validator := hashcash.NewValidator("test-resource")
+	stamp := mintStampWithDate(
+		t, 4, "test-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf(
+			"higher-difficulty stamp rejected: %v",
+			err,
+		)
+	}
+}

internal/healthcheck/healthcheck.go

@@ -6,10 +6,11 @@ import (
 	"log/slog"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -21,6 +22,7 @@ type Params struct {
 	Config   *config.Config
 	Logger   *logger.Logger
 	Database *db.Database
+	Stats    *stats.Tracker
 }
 
 // Healthcheck tracks server uptime and provides health status.
@@ -64,11 +66,22 @@ type Response struct {
 	Version       string `json:"version"`
 	Appname       string `json:"appname"`
 	Maintenance   bool   `json:"maintenanceMode"`
+
+	// Runtime statistics.
+	Sessions             int64 `json:"sessions"`
+	Clients              int64 `json:"clients"`
+	QueuedLines          int64 `json:"queuedLines"`
+	Channels             int64 `json:"channels"`
+	ConnectionsSinceBoot int64 `json:"connectionsSinceBoot"`
+	SessionsSinceBoot    int64 `json:"sessionsSinceBoot"`
+	MessagesSinceBoot    int64 `json:"messagesSinceBoot"`
 }
 
 // Healthcheck returns the current health status of the server.
-func (hcheck *Healthcheck) Healthcheck() *Response {
+func (hcheck *Healthcheck) Healthcheck(
-	return &Response{
+	ctx context.Context,
+) *Response {
+	resp := &Response{
 		Status:        "ok",
 		Now:           time.Now().UTC().Format(time.RFC3339Nano),
 		UptimeSeconds: int64(hcheck.uptime().Seconds()),
@@ -76,6 +89,64 @@ func (hcheck *Healthcheck) Healthcheck() *Response {
 		Appname:       hcheck.params.Globals.Appname,
 		Version:       hcheck.params.Globals.Version,
 		Maintenance:   hcheck.params.Config.MaintenanceMode,
+
+		Sessions:             0,
+		Clients:              0,
+		QueuedLines:          0,
+		Channels:             0,
+		ConnectionsSinceBoot: hcheck.params.Stats.ConnectionsSinceBoot(),
+		SessionsSinceBoot:    hcheck.params.Stats.SessionsSinceBoot(),
+		MessagesSinceBoot:    hcheck.params.Stats.MessagesSinceBoot(),
+	}
+
+	hcheck.populateDBStats(ctx, resp)
+
+	return resp
+}
+
+// populateDBStats fills in database-derived counters.
+func (hcheck *Healthcheck) populateDBStats(
+	ctx context.Context,
+	resp *Response,
+) {
+	sessions, err := hcheck.params.Database.GetUserCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: session count failed",
+			"error", err,
+		)
+	} else {
+		resp.Sessions = sessions
+	}
+
+	clients, err := hcheck.params.Database.GetClientCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: client count failed",
+			"error", err,
+		)
+	} else {
+		resp.Clients = clients
+	}
+
+	queued, err := hcheck.params.Database.GetQueueEntryCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: queue entry count failed",
+			"error", err,
+		)
+	} else {
+		resp.QueuedLines = queued
+	}
+
+	channels, err := hcheck.params.Database.GetChannelCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: channel count failed",
+			"error", err,
+		)
+	} else {
+		resp.Channels = channels
 	}
 }
 

internal/logger/logger.go

@@ -5,7 +5,7 @@ import (
 	"log/slog"
 	"os"
 
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"go.uber.org/fx"
 )
 

internal/middleware/middleware.go

@@ -1,4 +1,4 @@
-// Package middleware provides HTTP middleware for the chat server.
+// Package middleware provides HTTP middleware for the neoirc server.
 package middleware
 
 import (
@@ -7,11 +7,11 @@ import (
 	"net/http"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	basicauth "github.com/99designs/basicauth-go"
-	chimw "github.com/go-chi/chi/middleware"
+	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
 	metrics "github.com/slok/go-http-metrics/metrics/prometheus"
 	ghmm "github.com/slok/go-http-metrics/middleware"
@@ -126,36 +126,27 @@ func (mware *Middleware) Logging() func(http.Handler) http.Handler {
 }
 
 // CORS returns middleware that handles Cross-Origin Resource Sharing.
+// AllowCredentials is true so browsers include cookies in
+// cross-origin API requests.
 func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	return cors.Handler(cors.Options{ //nolint:exhaustruct // optional fields
-		AllowedOrigins: []string{"*"},
+		AllowOriginFunc: func(
+			_ *http.Request, _ string,
+		) bool {
+			return true
+		},
 		AllowedMethods: []string{
 			"GET", "POST", "PUT", "DELETE", "OPTIONS",
 		},
 		AllowedHeaders: []string{
-			"Accept", "Authorization",
+			"Accept", "Content-Type", "X-CSRF-Token",
-			"Content-Type", "X-CSRF-Token",
 		},
 		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: false,
+		AllowCredentials: true,
 		MaxAge:           corsMaxAge,
 	})
 }
 
-// Auth returns middleware that performs authentication.
-func (mware *Middleware) Auth() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(
-			func(
-				writer http.ResponseWriter,
-				request *http.Request,
-			) {
-				mware.log.Info("AUTH: before request")
-				next.ServeHTTP(writer, request)
-			})
-	}
-}
-
 // Metrics returns middleware that records HTTP metrics.
 func (mware *Middleware) Metrics() func(http.Handler) http.Handler {
 	metricsMiddleware := ghmm.New(ghmm.Config{ //nolint:exhaustruct // optional fields
@@ -180,3 +171,36 @@ func (mware *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 		},
 	)
 }
+
+// cspPolicy is the Content-Security-Policy header value applied to all
+// responses.  The embedded SPA loads scripts and styles from same-origin
+// files only (no inline scripts or inline style attributes), so a strict
+// policy works without 'unsafe-inline'.
+const cspPolicy = "default-src 'self'; " +
+	"script-src 'self'; " +
+	"style-src 'self'; " +
+	"connect-src 'self'; " +
+	"img-src 'self'; " +
+	"font-src 'self'; " +
+	"object-src 'none'; " +
+	"frame-ancestors 'none'; " +
+	"base-uri 'self'; " +
+	"form-action 'self'"
+
+// CSP returns middleware that sets the Content-Security-Policy header on
+// every response for defense-in-depth against XSS.
+func (mware *Middleware) CSP() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(
+			func(
+				writer http.ResponseWriter,
+				request *http.Request,
+			) {
+				writer.Header().Set(
+					"Content-Security-Policy",
+					cspPolicy,
+				)
+				next.ServeHTTP(writer, request)
+			})
+	}
+}

internal/ratelimit/ratelimit.go

@@ -0,0 +1,122 @@
+// Package ratelimit provides per-IP rate limiting for HTTP endpoints.
+package ratelimit
+
+import (
+	"sync"
+	"time"
+
+	"golang.org/x/time/rate"
+)
+
+const (
+	// DefaultRate is the default number of allowed requests per second.
+	DefaultRate = 1.0
+
+	// DefaultBurst is the default maximum burst size.
+	DefaultBurst = 5
+
+	// DefaultSweepInterval controls how often stale entries are pruned.
+	DefaultSweepInterval = 10 * time.Minute
+
+	// DefaultEntryTTL is how long an unused entry lives before eviction.
+	DefaultEntryTTL = 15 * time.Minute
+)
+
+// entry tracks a per-IP rate limiter and when it was last used.
+type entry struct {
+	limiter  *rate.Limiter
+	lastSeen time.Time
+}
+
+// Limiter manages per-key rate limiters with automatic cleanup
+// of stale entries.
+type Limiter struct {
+	mu       sync.Mutex
+	entries  map[string]*entry
+	rate     rate.Limit
+	burst    int
+	entryTTL time.Duration
+	stopCh   chan struct{}
+}
+
+// New creates a new per-key rate Limiter.
+// The ratePerSec parameter sets how many requests per second are
+// allowed per key.  The burst parameter sets the maximum number of
+// requests that can be made in a single burst.
+func New(ratePerSec float64, burst int) *Limiter {
+	limiter := &Limiter{
+		mu:       sync.Mutex{},
+		entries:  make(map[string]*entry),
+		rate:     rate.Limit(ratePerSec),
+		burst:    burst,
+		entryTTL: DefaultEntryTTL,
+		stopCh:   make(chan struct{}),
+	}
+
+	go limiter.sweepLoop()
+
+	return limiter
+}
+
+// Allow reports whether a request from the given key should be
+// allowed.  It consumes one token from the key's rate limiter.
+func (l *Limiter) Allow(key string) bool {
+	l.mu.Lock()
+	ent, exists := l.entries[key]
+
+	if !exists {
+		ent = &entry{
+			limiter:  rate.NewLimiter(l.rate, l.burst),
+			lastSeen: time.Now(),
+		}
+		l.entries[key] = ent
+	} else {
+		ent.lastSeen = time.Now()
+	}
+	l.mu.Unlock()
+
+	return ent.limiter.Allow()
+}
+
+// Stop terminates the background sweep goroutine.
+func (l *Limiter) Stop() {
+	close(l.stopCh)
+}
+
+// Len returns the number of tracked keys (for testing).
+func (l *Limiter) Len() int {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	return len(l.entries)
+}
+
+// sweepLoop periodically removes entries that haven't been seen
+// within the TTL.
+func (l *Limiter) sweepLoop() {
+	ticker := time.NewTicker(DefaultSweepInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+			l.sweep()
+		case <-l.stopCh:
+			return
+		}
+	}
+}
+
+// sweep removes stale entries.
+func (l *Limiter) sweep() {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	cutoff := time.Now().Add(-l.entryTTL)
+
+	for key, ent := range l.entries {
+		if ent.lastSeen.Before(cutoff) {
+			delete(l.entries, key)
+		}
+	}
+}

internal/ratelimit/ratelimit_test.go

@@ -0,0 +1,106 @@
+package ratelimit_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/ratelimit"
+)
+
+func TestNewCreatesLimiter(t *testing.T) {
+	t.Parallel()
+
+	limiter := ratelimit.New(1.0, 5)
+	defer limiter.Stop()
+
+	if limiter == nil {
+		t.Fatal("expected non-nil limiter")
+	}
+}
+
+func TestAllowWithinBurst(t *testing.T) {
+	t.Parallel()
+
+	limiter := ratelimit.New(1.0, 3)
+	defer limiter.Stop()
+
+	for i := range 3 {
+		if !limiter.Allow("192.168.1.1") {
+			t.Fatalf(
+				"request %d should be allowed within burst",
+				i+1,
+			)
+		}
+	}
+}
+
+func TestAllowExceedsBurst(t *testing.T) {
+	t.Parallel()
+
+	// Rate of 0 means no token replenishment, only burst.
+	limiter := ratelimit.New(0, 3)
+	defer limiter.Stop()
+
+	for range 3 {
+		limiter.Allow("10.0.0.1")
+	}
+
+	if limiter.Allow("10.0.0.1") {
+		t.Fatal("fourth request should be denied after burst exhausted")
+	}
+}
+
+func TestAllowSeparateKeys(t *testing.T) {
+	t.Parallel()
+
+	// Rate of 0, burst of 1 — only one request per key.
+	limiter := ratelimit.New(0, 1)
+	defer limiter.Stop()
+
+	if !limiter.Allow("10.0.0.1") {
+		t.Fatal("first request for key A should be allowed")
+	}
+
+	if !limiter.Allow("10.0.0.2") {
+		t.Fatal("first request for key B should be allowed")
+	}
+
+	if limiter.Allow("10.0.0.1") {
+		t.Fatal("second request for key A should be denied")
+	}
+
+	if limiter.Allow("10.0.0.2") {
+		t.Fatal("second request for key B should be denied")
+	}
+}
+
+func TestLenTracksKeys(t *testing.T) {
+	t.Parallel()
+
+	limiter := ratelimit.New(1.0, 5)
+	defer limiter.Stop()
+
+	if limiter.Len() != 0 {
+		t.Fatalf("expected 0 entries, got %d", limiter.Len())
+	}
+
+	limiter.Allow("10.0.0.1")
+	limiter.Allow("10.0.0.2")
+
+	if limiter.Len() != 2 {
+		t.Fatalf("expected 2 entries, got %d", limiter.Len())
+	}
+
+	// Same key again should not increase count.
+	limiter.Allow("10.0.0.1")
+
+	if limiter.Len() != 2 {
+		t.Fatalf("expected 2 entries, got %d", limiter.Len())
+	}
+}
+
+func TestStopDoesNotPanic(t *testing.T) {
+	t.Parallel()
+
+	limiter := ratelimit.New(1.0, 5)
+	limiter.Stop()
+}

internal/server/routes.go

@@ -5,11 +5,11 @@ import (
 	"net/http"
 	"time"
 
-	"git.eeqj.de/sneak/chat/web"
+	"git.eeqj.de/sneak/neoirc/web"
 
 	sentryhttp "github.com/getsentry/sentry-go/http"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/chi/v5/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/spf13/viper"
 )
@@ -29,6 +29,7 @@ func (srv *Server) SetupRoutes() {
 	}
 
 	srv.router.Use(srv.mw.CORS())
+	srv.router.Use(srv.mw.CSP())
 	srv.router.Use(middleware.Timeout(routeTimeout))
 
 	if srv.sentryEnabled {
@@ -74,10 +75,6 @@ func (srv *Server) setupAPIv1(router chi.Router) {
 		"/session",
 		srv.handlers.HandleCreateSession(),
 	)
-	router.Post(
-		"/register",
-		srv.handlers.HandleRegister(),
-	)
 	router.Post(
 		"/login",
 		srv.handlers.HandleLogin(),

internal/server/server.go

@@ -1,4 +1,4 @@
-// Package server implements the main HTTP server for the chat application.
+// Package server implements the main HTTP server for the neoirc application.
 package server
 
 import (
@@ -12,15 +12,15 @@ import (
 	"syscall"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/handlers"
+	"git.eeqj.de/sneak/neoirc/internal/handlers"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
-	"git.eeqj.de/sneak/chat/internal/middleware"
+	"git.eeqj.de/sneak/neoirc/internal/middleware"
 	"go.uber.org/fx"
 
 	"github.com/getsentry/sentry-go"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )

internal/stats/stats.go

@@ -0,0 +1,52 @@
+// Package stats tracks runtime statistics since server boot.
+package stats
+
+import (
+	"sync/atomic"
+)
+
+// Tracker holds atomic counters for runtime statistics
+// that accumulate since the server started.
+type Tracker struct {
+	connectionsSinceBoot atomic.Int64
+	sessionsSinceBoot    atomic.Int64
+	messagesSinceBoot    atomic.Int64
+}
+
+// New creates a new Tracker with all counters at zero.
+func New() *Tracker {
+	return &Tracker{} //nolint:exhaustruct // atomic fields have zero-value defaults
+}
+
+// IncrConnections increments the total connection count.
+func (t *Tracker) IncrConnections() {
+	t.connectionsSinceBoot.Add(1)
+}
+
+// IncrSessions increments the total session count.
+func (t *Tracker) IncrSessions() {
+	t.sessionsSinceBoot.Add(1)
+}
+
+// IncrMessages increments the total PRIVMSG/NOTICE count.
+func (t *Tracker) IncrMessages() {
+	t.messagesSinceBoot.Add(1)
+}
+
+// ConnectionsSinceBoot returns the total number of
+// client connections since boot.
+func (t *Tracker) ConnectionsSinceBoot() int64 {
+	return t.connectionsSinceBoot.Load()
+}
+
+// SessionsSinceBoot returns the total number of sessions
+// created since boot.
+func (t *Tracker) SessionsSinceBoot() int64 {
+	return t.sessionsSinceBoot.Load()
+}
+
+// MessagesSinceBoot returns the total number of
+// PRIVMSG/NOTICE messages sent since boot.
+func (t *Tracker) MessagesSinceBoot() int64 {
+	return t.messagesSinceBoot.Load()
+}

internal/stats/stats_test.go

@@ -0,0 +1,117 @@
+package stats_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/stats"
+)
+
+func TestNew(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+	if tracker == nil {
+		t.Fatal("expected non-nil tracker")
+	}
+
+	if tracker.ConnectionsSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 connections, got %d",
+			tracker.ConnectionsSinceBoot(),
+		)
+	}
+
+	if tracker.SessionsSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 sessions, got %d",
+			tracker.SessionsSinceBoot(),
+		)
+	}
+
+	if tracker.MessagesSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 messages, got %d",
+			tracker.MessagesSinceBoot(),
+		)
+	}
+}
+
+func TestIncrConnections(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrConnections()
+	tracker.IncrConnections()
+	tracker.IncrConnections()
+
+	got := tracker.ConnectionsSinceBoot()
+	if got != 3 {
+		t.Errorf(
+			"expected 3 connections, got %d", got,
+		)
+	}
+}
+
+func TestIncrSessions(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrSessions()
+	tracker.IncrSessions()
+
+	got := tracker.SessionsSinceBoot()
+	if got != 2 {
+		t.Errorf(
+			"expected 2 sessions, got %d", got,
+		)
+	}
+}
+
+func TestIncrMessages(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrMessages()
+
+	got := tracker.MessagesSinceBoot()
+	if got != 1 {
+		t.Errorf(
+			"expected 1 message, got %d", got,
+		)
+	}
+}
+
+func TestCountersAreIndependent(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrConnections()
+	tracker.IncrSessions()
+	tracker.IncrMessages()
+	tracker.IncrMessages()
+
+	if tracker.ConnectionsSinceBoot() != 1 {
+		t.Errorf(
+			"expected 1 connection, got %d",
+			tracker.ConnectionsSinceBoot(),
+		)
+	}
+
+	if tracker.SessionsSinceBoot() != 1 {
+		t.Errorf(
+			"expected 1 session, got %d",
+			tracker.SessionsSinceBoot(),
+		)
+	}
+
+	if tracker.MessagesSinceBoot() != 2 {
+		t.Errorf(
+			"expected 2 messages, got %d",
+			tracker.MessagesSinceBoot(),
+		)
+	}
+}

pkg/irc/commands.go

@@ -0,0 +1,26 @@
+package irc
+
+// IRC command names (RFC 1459 / RFC 2812).
+const (
+	CmdAway    = "AWAY"
+	CmdInvite  = "INVITE"
+	CmdJoin    = "JOIN"
+	CmdKick    = "KICK"
+	CmdList    = "LIST"
+	CmdLusers  = "LUSERS"
+	CmdMode    = "MODE"
+	CmdMotd    = "MOTD"
+	CmdNames   = "NAMES"
+	CmdNick    = "NICK"
+	CmdNotice  = "NOTICE"
+	CmdOper    = "OPER"
+	CmdPass    = "PASS"
+	CmdPart    = "PART"
+	CmdPing    = "PING"
+	CmdPong    = "PONG"
+	CmdPrivmsg = "PRIVMSG"
+	CmdQuit    = "QUIT"
+	CmdTopic   = "TOPIC"
+	CmdWho     = "WHO"
+	CmdWhois   = "WHOIS"
+)

pkg/irc/numerics.go

@@ -0,0 +1,393 @@
+// Package irc provides constants and utilities for the
+// IRC protocol, including numeric reply codes from
+// RFC 1459 and RFC 2812, and standard command names.
+package irc
+
+import (
+	"errors"
+	"fmt"
+)
+
+// IRCMessageType represents an IRC numeric reply or error code.
+type IRCMessageType int //nolint:revive // Name requested by project owner.
+
+// Name returns the standard IRC name for this numeric code
+// (e.g., IRCMessageType(252).Name() returns "RPL_LUSEROP").
+// Returns an empty string if the code is unknown.
+func (t IRCMessageType) Name() string {
+	return names[t]
+}
+
+// String returns the name and numeric code in angle brackets
+// (e.g., IRCMessageType(252).String() returns "RPL_LUSEROP <252>").
+// If the code is unknown, returns "UNKNOWN <NNN>".
+func (t IRCMessageType) String() string {
+	n := names[t]
+	if n == "" {
+		n = "UNKNOWN"
+	}
+
+	return fmt.Sprintf("%s <%03d>", n, int(t))
+}
+
+// Code returns the three-digit zero-padded string representation
+// of the numeric code (e.g., IRCMessageType(252).Code() returns "252").
+func (t IRCMessageType) Code() string {
+	return fmt.Sprintf("%03d", int(t))
+}
+
+// Int returns the bare integer value of the numeric code.
+func (t IRCMessageType) Int() int {
+	return int(t)
+}
+
+// ErrUnknownNumeric is returned by FromInt when the numeric code is not recognized.
+var ErrUnknownNumeric = errors.New("unknown IRC numeric code")
+
+// FromInt converts an integer to an IRCMessageType, returning an error
+// if the numeric code is not a known IRC reply or error code.
+func FromInt(n int) (IRCMessageType, error) {
+	t := IRCMessageType(n)
+	if _, ok := names[t]; !ok {
+		return 0, fmt.Errorf("%w: %d", ErrUnknownNumeric, n)
+	}
+
+	return t, nil
+}
+
+// Connection registration replies (001-005).
+const (
+	RplWelcome  IRCMessageType = 1
+	RplYourHost IRCMessageType = 2
+	RplCreated  IRCMessageType = 3
+	RplMyInfo   IRCMessageType = 4
+	RplBounce   IRCMessageType = 5 // RFC 2812; also known as RPL_ISUPPORT in practice
+	RplIsupport IRCMessageType = 5 // De-facto standard (same numeric as RplBounce)
+)
+
+// Command responses (200-399).
+const (
+	// RFC 2812 trace/stats/links replies (200-219).
+	RplTraceLink       IRCMessageType = 200
+	RplTraceConnecting IRCMessageType = 201
+	RplTraceHandshake  IRCMessageType = 202
+	RplTraceUnknown    IRCMessageType = 203
+	RplTraceOperator   IRCMessageType = 204
+	RplTraceUser       IRCMessageType = 205
+	RplTraceServer     IRCMessageType = 206
+	RplTraceService    IRCMessageType = 207
+	RplTraceNewType    IRCMessageType = 208
+	RplTraceClass      IRCMessageType = 209
+	RplStatsLinkInfo   IRCMessageType = 211
+	RplStatsCommands   IRCMessageType = 212
+	RplStatsCLine      IRCMessageType = 213
+	RplStatsNLine      IRCMessageType = 214
+	RplStatsILine      IRCMessageType = 215
+	RplStatsKLine      IRCMessageType = 216
+	RplStatsQLine      IRCMessageType = 217
+	RplStatsYLine      IRCMessageType = 218
+	RplEndOfStats      IRCMessageType = 219
+
+	RplUmodeIs      IRCMessageType = 221
+	RplServList     IRCMessageType = 234
+	RplServListEnd  IRCMessageType = 235
+	RplStatsLLine   IRCMessageType = 241
+	RplStatsUptime  IRCMessageType = 242
+	RplStatsOLine   IRCMessageType = 243
+	RplStatsHLine   IRCMessageType = 244
+	RplLuserClient  IRCMessageType = 251
+	RplLuserOp      IRCMessageType = 252
+	RplLuserUnknown IRCMessageType = 253
+
+	RplLuserChannels IRCMessageType = 254
+	RplLuserMe       IRCMessageType = 255
+	RplAdminMe       IRCMessageType = 256
+	RplAdminLoc1     IRCMessageType = 257
+	RplAdminLoc2     IRCMessageType = 258
+	RplAdminEmail    IRCMessageType = 259
+	RplTraceLog      IRCMessageType = 261
+	RplTraceEnd      IRCMessageType = 262
+	RplTryAgain      IRCMessageType = 263
+
+	RplAway          IRCMessageType = 301
+	RplUserHost      IRCMessageType = 302
+	RplIson          IRCMessageType = 303
+	RplUnaway        IRCMessageType = 305
+	RplNowAway       IRCMessageType = 306
+	RplWhoisUser     IRCMessageType = 311
+	RplWhoisServer   IRCMessageType = 312
+	RplWhoisOperator IRCMessageType = 313
+	RplWhoWasUser    IRCMessageType = 314
+	RplEndOfWho      IRCMessageType = 315
+	RplWhoisIdle     IRCMessageType = 317
+	RplEndOfWhois    IRCMessageType = 318
+	RplWhoisChannels IRCMessageType = 319
+	RplListStart     IRCMessageType = 321
+	RplList          IRCMessageType = 322
+	RplListEnd       IRCMessageType = 323
+	RplChannelModeIs IRCMessageType = 324
+
+	RplUniqOpIs        IRCMessageType = 325
+	RplCreationTime    IRCMessageType = 329
+	RplNoTopic         IRCMessageType = 331
+	RplTopic           IRCMessageType = 332
+	RplTopicWhoTime    IRCMessageType = 333
+	RplWhoisActually   IRCMessageType = 338
+	RplInviting        IRCMessageType = 341
+	RplSummoning       IRCMessageType = 342
+	RplInviteList      IRCMessageType = 346
+	RplEndOfInviteList IRCMessageType = 347
+	RplExceptList      IRCMessageType = 348
+	RplEndOfExceptList IRCMessageType = 349
+	RplVersion         IRCMessageType = 351
+	RplWhoReply        IRCMessageType = 352
+	RplNamReply        IRCMessageType = 353
+	RplLinks           IRCMessageType = 364
+	RplEndOfLinks      IRCMessageType = 365
+	RplEndOfNames      IRCMessageType = 366
+	RplBanList         IRCMessageType = 367
+	RplEndOfBanList    IRCMessageType = 368
+	RplEndOfWhowas     IRCMessageType = 369
+	RplInfo            IRCMessageType = 371
+	RplMotd            IRCMessageType = 372
+	RplEndOfInfo       IRCMessageType = 374
+	RplMotdStart       IRCMessageType = 375
+	RplEndOfMotd       IRCMessageType = 376
+	RplYoureOper       IRCMessageType = 381
+	RplRehashing       IRCMessageType = 382
+	RplYoureService    IRCMessageType = 383
+	RplTime            IRCMessageType = 391
+	RplUsersStart      IRCMessageType = 392
+	RplUsers           IRCMessageType = 393
+	RplEndOfUsers      IRCMessageType = 394
+	RplNoUsers         IRCMessageType = 395
+)
+
+// Error replies (400-599).
+const (
+	ErrNoSuchNick       IRCMessageType = 401
+	ErrNoSuchServer     IRCMessageType = 402
+	ErrNoSuchChannel    IRCMessageType = 403
+	ErrCannotSendToChan IRCMessageType = 404
+	ErrTooManyChannels  IRCMessageType = 405
+	ErrWasNoSuchNick    IRCMessageType = 406
+	ErrTooManyTargets   IRCMessageType = 407
+	ErrNoSuchService    IRCMessageType = 408
+	ErrNoOrigin         IRCMessageType = 409
+	ErrNoRecipient      IRCMessageType = 411
+	ErrNoTextToSend     IRCMessageType = 412
+	ErrNoTopLevel       IRCMessageType = 413
+	ErrWildTopLevel     IRCMessageType = 414
+	ErrBadMask          IRCMessageType = 415
+	ErrUnknownCommand   IRCMessageType = 421
+	ErrNoMotd           IRCMessageType = 422
+	ErrNoAdminInfo      IRCMessageType = 423
+	ErrFileError        IRCMessageType = 424
+	ErrNoNicknameGiven  IRCMessageType = 431
+	ErrErroneusNickname IRCMessageType = 432
+	ErrNicknameInUse    IRCMessageType = 433
+	ErrNickCollision    IRCMessageType = 436
+	ErrUnavailResource  IRCMessageType = 437
+
+	ErrUserNotInChannel  IRCMessageType = 441
+	ErrNotOnChannel      IRCMessageType = 442
+	ErrUserOnChannel     IRCMessageType = 443
+	ErrNoLogin           IRCMessageType = 444
+	ErrSummonDisabled    IRCMessageType = 445
+	ErrUsersDisabled     IRCMessageType = 446
+	ErrNotRegistered     IRCMessageType = 451
+	ErrNeedMoreParams    IRCMessageType = 461
+	ErrAlreadyRegistered IRCMessageType = 462
+	ErrNoPermForHost     IRCMessageType = 463
+	ErrPasswdMismatch    IRCMessageType = 464
+	ErrYoureBannedCreep  IRCMessageType = 465
+	ErrYouWillBeBanned   IRCMessageType = 466
+	ErrKeySet            IRCMessageType = 467
+	ErrChannelIsFull     IRCMessageType = 471
+	ErrUnknownMode       IRCMessageType = 472
+	ErrInviteOnlyChan    IRCMessageType = 473
+	ErrBannedFromChan    IRCMessageType = 474
+	ErrBadChannelKey     IRCMessageType = 475
+	ErrBadChanMask       IRCMessageType = 476
+	ErrNoChanModes       IRCMessageType = 477
+	ErrBanListFull       IRCMessageType = 478
+	ErrNoPrivileges      IRCMessageType = 481
+	ErrChanOpPrivsNeeded IRCMessageType = 482
+	ErrCantKillServer    IRCMessageType = 483
+	ErrRestricted        IRCMessageType = 484
+	ErrUniqOpPrivsNeeded IRCMessageType = 485
+	ErrNoOperHost        IRCMessageType = 491
+
+	ErrUmodeUnknownFlag IRCMessageType = 501
+	ErrUsersDoNotMatch  IRCMessageType = 502
+)
+
+// names maps numeric codes to their standard IRC names.
+//
+//nolint:gochecknoglobals
+var names = map[IRCMessageType]string{
+	RplWelcome:  "RPL_WELCOME",
+	RplYourHost: "RPL_YOURHOST",
+	RplCreated:  "RPL_CREATED",
+	RplMyInfo:   "RPL_MYINFO",
+	RplBounce:   "RPL_BOUNCE",
+
+	RplTraceLink:       "RPL_TRACELINK",
+	RplTraceConnecting: "RPL_TRACECONNECTING",
+	RplTraceHandshake:  "RPL_TRACEHANDSHAKE",
+	RplTraceUnknown:    "RPL_TRACEUNKNOWN",
+	RplTraceOperator:   "RPL_TRACEOPERATOR",
+	RplTraceUser:       "RPL_TRACEUSER",
+	RplTraceServer:     "RPL_TRACESERVER",
+	RplTraceService:    "RPL_TRACESERVICE",
+	RplTraceNewType:    "RPL_TRACENEWTYPE",
+	RplTraceClass:      "RPL_TRACECLASS",
+	RplStatsLinkInfo:   "RPL_STATSLINKINFO",
+	RplStatsCommands:   "RPL_STATSCOMMANDS",
+	RplStatsCLine:      "RPL_STATSCLINE",
+	RplStatsNLine:      "RPL_STATSNLINE",
+	RplStatsILine:      "RPL_STATSILINE",
+	RplStatsKLine:      "RPL_STATSKLINE",
+	RplStatsQLine:      "RPL_STATSQLINE",
+	RplStatsYLine:      "RPL_STATSYLINE",
+	RplEndOfStats:      "RPL_ENDOFSTATS",
+
+	RplUmodeIs:      "RPL_UMODEIS",
+	RplServList:     "RPL_SERVLIST",
+	RplServListEnd:  "RPL_SERVLISTEND",
+	RplStatsLLine:   "RPL_STATSLLINE",
+	RplStatsUptime:  "RPL_STATSUPTIME",
+	RplStatsOLine:   "RPL_STATSOLINE",
+	RplStatsHLine:   "RPL_STATSHLINE",
+	RplLuserClient:  "RPL_LUSERCLIENT",
+	RplLuserOp:      "RPL_LUSEROP",
+	RplLuserUnknown: "RPL_LUSERUNKNOWN",
+
+	RplLuserChannels: "RPL_LUSERCHANNELS",
+	RplLuserMe:       "RPL_LUSERME",
+	RplAdminMe:       "RPL_ADMINME",
+	RplAdminLoc1:     "RPL_ADMINLOC1",
+	RplAdminLoc2:     "RPL_ADMINLOC2",
+	RplAdminEmail:    "RPL_ADMINEMAIL",
+	RplTraceLog:      "RPL_TRACELOG",
+	RplTraceEnd:      "RPL_TRACEEND",
+	RplTryAgain:      "RPL_TRYAGAIN",
+
+	RplAway:          "RPL_AWAY",
+	RplUserHost:      "RPL_USERHOST",
+	RplIson:          "RPL_ISON",
+	RplUnaway:        "RPL_UNAWAY",
+	RplNowAway:       "RPL_NOWAWAY",
+	RplWhoisUser:     "RPL_WHOISUSER",
+	RplWhoisServer:   "RPL_WHOISSERVER",
+	RplWhoisOperator: "RPL_WHOISOPERATOR",
+	RplWhoWasUser:    "RPL_WHOWASUSER",
+	RplEndOfWho:      "RPL_ENDOFWHO",
+	RplWhoisIdle:     "RPL_WHOISIDLE",
+	RplEndOfWhois:    "RPL_ENDOFWHOIS",
+	RplWhoisChannels: "RPL_WHOISCHANNELS",
+	RplListStart:     "RPL_LISTSTART",
+	RplList:          "RPL_LIST",
+	RplListEnd:       "RPL_LISTEND", //nolint:misspell
+	RplChannelModeIs: "RPL_CHANNELMODEIS",
+
+	RplUniqOpIs:        "RPL_UNIQOPIS",
+	RplCreationTime:    "RPL_CREATIONTIME",
+	RplNoTopic:         "RPL_NOTOPIC",
+	RplTopic:           "RPL_TOPIC",
+	RplTopicWhoTime:    "RPL_TOPICWHOTIME",
+	RplWhoisActually:   "RPL_WHOISACTUALLY",
+	RplInviting:        "RPL_INVITING",
+	RplSummoning:       "RPL_SUMMONING",
+	RplInviteList:      "RPL_INVITELIST",
+	RplEndOfInviteList: "RPL_ENDOFINVITELIST",
+	RplExceptList:      "RPL_EXCEPTLIST",
+	RplEndOfExceptList: "RPL_ENDOFEXCEPTLIST",
+	RplVersion:         "RPL_VERSION",
+	RplWhoReply:        "RPL_WHOREPLY",
+	RplNamReply:        "RPL_NAMREPLY",
+	RplLinks:           "RPL_LINKS",
+	RplEndOfLinks:      "RPL_ENDOFLINKS",
+	RplEndOfNames:      "RPL_ENDOFNAMES",
+	RplBanList:         "RPL_BANLIST",
+	RplEndOfBanList:    "RPL_ENDOFBANLIST",
+	RplEndOfWhowas:     "RPL_ENDOFWHOWAS",
+	RplInfo:            "RPL_INFO",
+	RplMotd:            "RPL_MOTD",
+	RplEndOfInfo:       "RPL_ENDOFINFO",
+	RplMotdStart:       "RPL_MOTDSTART",
+	RplEndOfMotd:       "RPL_ENDOFMOTD",
+	RplYoureOper:       "RPL_YOUREOPER",
+	RplRehashing:       "RPL_REHASHING",
+	RplYoureService:    "RPL_YOURESERVICE",
+	RplTime:            "RPL_TIME",
+	RplUsersStart:      "RPL_USERSSTART",
+	RplUsers:           "RPL_USERS",
+	RplEndOfUsers:      "RPL_ENDOFUSERS",
+	RplNoUsers:         "RPL_NOUSERS",
+
+	ErrNoSuchNick:       "ERR_NOSUCHNICK",
+	ErrNoSuchServer:     "ERR_NOSUCHSERVER",
+	ErrNoSuchChannel:    "ERR_NOSUCHCHANNEL",
+	ErrCannotSendToChan: "ERR_CANNOTSENDTOCHAN",
+	ErrTooManyChannels:  "ERR_TOOMANYCHANNELS",
+	ErrWasNoSuchNick:    "ERR_WASNOSUCHNICK",
+	ErrTooManyTargets:   "ERR_TOOMANYTARGETS",
+	ErrNoSuchService:    "ERR_NOSUCHSERVICE",
+	ErrNoOrigin:         "ERR_NOORIGIN",
+	ErrNoRecipient:      "ERR_NORECIPIENT",
+	ErrNoTextToSend:     "ERR_NOTEXTTOSEND",
+	ErrNoTopLevel:       "ERR_NOTOPLEVEL",
+	ErrWildTopLevel:     "ERR_WILDTOPLEVEL",
+	ErrBadMask:          "ERR_BADMASK",
+	ErrUnknownCommand:   "ERR_UNKNOWNCOMMAND",
+	ErrNoMotd:           "ERR_NOMOTD",
+	ErrNoAdminInfo:      "ERR_NOADMININFO",
+	ErrFileError:        "ERR_FILEERROR",
+	ErrNoNicknameGiven:  "ERR_NONICKNAMEGIVEN",
+	ErrErroneusNickname: "ERR_ERRONEUSNICKNAME",
+	ErrNicknameInUse:    "ERR_NICKNAMEINUSE",
+	ErrNickCollision:    "ERR_NICKCOLLISION",
+	ErrUnavailResource:  "ERR_UNAVAILRESOURCE",
+
+	ErrUserNotInChannel:  "ERR_USERNOTINCHANNEL",
+	ErrNotOnChannel:      "ERR_NOTONCHANNEL",
+	ErrUserOnChannel:     "ERR_USERONCHANNEL",
+	ErrNoLogin:           "ERR_NOLOGIN",
+	ErrSummonDisabled:    "ERR_SUMMONDISABLED",
+	ErrUsersDisabled:     "ERR_USERSDISABLED",
+	ErrNotRegistered:     "ERR_NOTREGISTERED",
+	ErrNeedMoreParams:    "ERR_NEEDMOREPARAMS",
+	ErrAlreadyRegistered: "ERR_ALREADYREGISTERED",
+	ErrNoPermForHost:     "ERR_NOPERMFORHOST",
+	ErrPasswdMismatch:    "ERR_PASSWDMISMATCH",
+	ErrYoureBannedCreep:  "ERR_YOUREBANNEDCREEP",
+	ErrYouWillBeBanned:   "ERR_YOUWILLBEBANNED",
+	ErrKeySet:            "ERR_KEYSET",
+	ErrChannelIsFull:     "ERR_CHANNELISFULL",
+	ErrUnknownMode:       "ERR_UNKNOWNMODE",
+	ErrInviteOnlyChan:    "ERR_INVITEONLYCHAN",
+	ErrBannedFromChan:    "ERR_BANNEDFROMCHAN",
+	ErrBadChannelKey:     "ERR_BADCHANNELKEY",
+	ErrBadChanMask:       "ERR_BADCHANMASK",
+	ErrNoChanModes:       "ERR_NOCHANMODES",
+	ErrBanListFull:       "ERR_BANLISTFULL",
+	ErrNoPrivileges:      "ERR_NOPRIVILEGES",
+	ErrChanOpPrivsNeeded: "ERR_CHANOPRIVSNEEDED",
+	ErrCantKillServer:    "ERR_CANTKILLSERVER",
+	ErrRestricted:        "ERR_RESTRICTED",
+	ErrUniqOpPrivsNeeded: "ERR_UNIQOPPRIVSNEEDED",
+	ErrNoOperHost:        "ERR_NOOPERHOST",
+
+	ErrUmodeUnknownFlag: "ERR_UMODEUNKNOWNFLAG",
+	ErrUsersDoNotMatch:  "ERR_USERSDONTMATCH",
+}
+
+// Name returns the standard IRC name for a numeric code
+// (e.g., Name(2) returns "RPL_YOURHOST"). Returns an
+// empty string if the code is unknown.
+//
+// Deprecated: Use IRCMessageType.Name() instead.
+func Name(code IRCMessageType) string {
+	return names[code]
+}

pkg/irc/numerics_test.go

@@ -0,0 +1,163 @@
+package irc_test
+
+import (
+	"errors"
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
+)
+
+func TestName(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    string
+	}{
+		{irc.RplWelcome, "RPL_WELCOME"},
+		{irc.RplBounce, "RPL_BOUNCE"},
+		{irc.RplLuserOp, "RPL_LUSEROP"},
+		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN"},
+		{irc.ErrNicknameInUse, "ERR_NICKNAMEINUSE"},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.Name(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).Name() = %q, want %q", tc.numeric.Int(), got, tc.want)
+		}
+	}
+}
+
+func TestString(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    string
+	}{
+		{irc.RplWelcome, "RPL_WELCOME <001>"},
+		{irc.RplBounce, "RPL_BOUNCE <005>"},
+		{irc.RplLuserOp, "RPL_LUSEROP <252>"},
+		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN <404>"},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.String(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).String() = %q, want %q", tc.numeric.Int(), got, tc.want)
+		}
+	}
+}
+
+func TestCode(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    string
+	}{
+		{irc.RplWelcome, "001"},
+		{irc.RplBounce, "005"},
+		{irc.RplLuserOp, "252"},
+		{irc.ErrCannotSendToChan, "404"},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.Code(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).Code() = %q, want %q", tc.numeric.Int(), got, tc.want)
+		}
+	}
+}
+
+func TestInt(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    int
+	}{
+		{irc.RplWelcome, 1},
+		{irc.RplBounce, 5},
+		{irc.RplLuserOp, 252},
+		{irc.ErrCannotSendToChan, 404},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.Int(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).Int() = %d, want %d", tc.want, got, tc.want)
+		}
+	}
+}
+
+func TestFromInt_Known(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		code int
+		want irc.IRCMessageType
+	}{
+		{1, irc.RplWelcome},
+		{5, irc.RplBounce},
+		{252, irc.RplLuserOp},
+		{404, irc.ErrCannotSendToChan},
+		{433, irc.ErrNicknameInUse},
+	}
+
+	for _, test := range tests {
+		got, err := irc.FromInt(test.code)
+		if err != nil {
+			t.Errorf("FromInt(%d) returned unexpected error: %v", test.code, err)
+
+			continue
+		}
+
+		if got != test.want {
+			t.Errorf("FromInt(%d) = %v, want %v", test.code, got, test.want)
+		}
+	}
+}
+
+func TestFromInt_Unknown(t *testing.T) {
+	t.Parallel()
+
+	unknowns := []int{0, 999, 600, -1}
+	for _, code := range unknowns {
+		_, err := irc.FromInt(code)
+		if err == nil {
+			t.Errorf("FromInt(%d) expected error, got nil", code)
+
+			continue
+		}
+
+		if !errors.Is(err, irc.ErrUnknownNumeric) {
+			t.Errorf("FromInt(%d) error = %v, want ErrUnknownNumeric", code, err)
+		}
+	}
+}
+
+func TestUnknownNumeric_Name(t *testing.T) {
+	t.Parallel()
+
+	unknown := irc.IRCMessageType(999)
+	if got := unknown.Name(); got != "" {
+		t.Errorf("IRCMessageType(999).Name() = %q, want empty string", got)
+	}
+}
+
+func TestUnknownNumeric_String(t *testing.T) {
+	t.Parallel()
+
+	unknown := irc.IRCMessageType(999)
+	want := "UNKNOWN <999>"
+
+	if got := unknown.String(); got != want {
+		t.Errorf("IRCMessageType(999).String() = %q, want %q", got, want)
+	}
+}
+
+func TestDeprecatedNameFunc(t *testing.T) {
+	t.Parallel()
+
+	if got := irc.Name(irc.RplYourHost); got != "RPL_YOURHOST" {
+		t.Errorf("Name(RplYourHost) = %q, want %q", got, "RPL_YOURHOST")
+	}
+}

schema/README.md

@@ -1,6 +1,6 @@
 # Message Schemas
 
-JSON Schema definitions (draft 2020-12) for the chat protocol. Messages use
+JSON Schema definitions (draft 2020-12) for the neoirc protocol. Messages use
 **IRC command names and numeric reply codes** (RFC 1459/2812) encoded as JSON
 over HTTP.
 

schema/commands/JOIN.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/JOIN.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/JOIN.json",
   "title": "JOIN",
   "description": "Join a channel. C2S: request to join. S2C: notification that a user joined. RFC 1459 §4.2.1.",
   "$ref": "../message.json",

schema/commands/KICK.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/KICK.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/KICK.json",
   "title": "KICK",
   "description": "Kick a user from a channel. RFC 1459 §4.2.8.",
   "$ref": "../message.json",

schema/commands/MODE.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/MODE.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/MODE.json",
   "title": "MODE",
   "description": "Set or query channel/user modes. RFC 1459 §4.2.3.",
   "$ref": "../message.json",

schema/commands/NICK.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/NICK.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/NICK.json",
   "title": "NICK",
   "description": "Change nickname. C2S: request new nick. S2C: notification of nick change. RFC 1459 §4.1.2.",
   "$ref": "../message.json",

schema/commands/NOTICE.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/NOTICE.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/NOTICE.json",
   "title": "NOTICE",
   "description": "Send a notice. Like PRIVMSG but must not trigger automatic replies. RFC 1459 §4.4.2.",
   "$ref": "../message.json",

schema/commands/PART.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PART.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PART.json",
   "title": "PART",
   "description": "Leave a channel. C2S: request to leave. S2C: notification that a user left. RFC 1459 §4.2.2.",
   "$ref": "../message.json",

schema/commands/PING.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PING.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PING.json",
   "title": "PING",
   "description": "Keepalive. C2S or S2S. Server responds with PONG. RFC 1459 §4.6.2.",
   "$ref": "../message.json",

schema/commands/PONG.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PONG.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PONG.json",
   "title": "PONG",
   "description": "Keepalive response. S2C or S2S. RFC 1459 §4.6.3.",
   "$ref": "../message.json",

schema/commands/PRIVMSG.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PRIVMSG.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PRIVMSG.json",
   "title": "PRIVMSG",
   "description": "Send a message to a channel or user. C2S: client sends to server. S2C: server relays to recipients. RFC 1459 §4.4.1.",
   "$ref": "../message.json",

schema/commands/PUBKEY.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PUBKEY.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PUBKEY.json",
   "title": "PUBKEY",
   "description": "Announce or relay a user's public signing key. C2S: client announces key to channel or server. S2C: server relays to channel members. Protocol extension (not in RFC 1459). Body is a structured object (not an array) containing the key material.",
   "$ref": "../message.json",

schema/commands/QUIT.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/QUIT.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/QUIT.json",
   "title": "QUIT",
   "description": "User disconnected. S2C only. RFC 1459 §4.1.6.",
   "$ref": "../message.json",

schema/commands/TOPIC.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/TOPIC.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/TOPIC.json",
   "title": "TOPIC",
   "description": "Get or set channel topic. C2S: set topic (body present) or query (body absent). S2C: topic change notification. RFC 1459 §4.2.4.",
   "$ref": "../message.json",
@@ -17,6 +17,6 @@
   },
   "required": ["command", "to"],
   "examples": [
-    { "command": "TOPIC", "from": "alice", "to": "#general", "body": ["Welcome to the chat"] }
+    { "command": "TOPIC", "from": "alice", "to": "#general", "body": ["Welcome to the channel"] }
   ]
 }

schema/message.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/message.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/message.json",
   "title": "IRC Message Envelope",
   "description": "Base envelope for all messages. Mirrors IRC wire format (RFC 1459/2812) encoded as JSON over HTTP. The 'command' field carries either an IRC command name (PRIVMSG, JOIN, etc.) or a three-digit numeric reply code (001, 353, 433, etc.).",
   "type": "object",

schema/numerics/001.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/001.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/001.json",
   "title": "001 RPL_WELCOME",
   "description": "Welcome message sent after successful session creation. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/002.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/002.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/002.json",
   "title": "002 RPL_YOURHOST",
   "description": "Server host info sent after session creation. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",
@@ -29,7 +29,7 @@
       "command": "002",
       "to": "alice",
       "body": [
-        "Your host is chat.example.com, running version 0.1.0"
+        "Your host is neoirc.example.com, running version 0.1.0"
       ]
     }
   ]

schema/numerics/003.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/003.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/003.json",
   "title": "003 RPL_CREATED",
   "description": "Server creation date. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/004.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/004.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/004.json",
   "title": "004 RPL_MYINFO",
   "description": "Server info (name, version, available modes). RFC 2812 \u00a75.1.",
   "$ref": "../message.json",
@@ -29,7 +29,7 @@
       "command": "004",
       "to": "alice",
       "params": [
-        "chat.example.com",
+        "neoirc.example.com",
         "0.1.0",
         "o",
         "imnst+ov"

schema/numerics/322.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/322.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/322.json",
   "title": "322 RPL_LIST",
   "description": "Channel list entry. One per channel in response to LIST. RFC 1459 \u00a76.2.",
   "$ref": "../message.json",

schema/numerics/323.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/323.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/323.json",
   "title": "323 RPL_LISTEND",
   "description": "End of channel list. RFC 1459 \u00a76.2.",
   "$ref": "../message.json",

schema/numerics/332.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/332.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/332.json",
   "title": "332 RPL_TOPIC",
   "description": "Channel topic (sent on JOIN or TOPIC query). RFC 1459 \u00a76.2.",
   "$ref": "../message.json",
@@ -40,7 +40,7 @@
         "#general"
       ],
       "body": [
-        "Welcome to the chat"
+        "Welcome to the channel"
       ]
     }
   ]

schema/numerics/353.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/353.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/353.json",
   "title": "353 RPL_NAMREPLY",
   "description": "Channel member list. Sent on JOIN or NAMES query. RFC 1459 \u00a76.2.",
   "$ref": "../message.json",

schema/numerics/366.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/366.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/366.json",
   "title": "366 RPL_ENDOFNAMES",
   "description": "End of NAMES list. RFC 1459 \u00a76.2.",
   "$ref": "../message.json",

schema/numerics/372.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/372.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/372.json",
   "title": "372 RPL_MOTD",
   "description": "MOTD line. One message per line of the MOTD. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/375.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/375.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/375.json",
   "title": "375 RPL_MOTDSTART",
   "description": "Start of MOTD. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/376.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/376.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/376.json",
   "title": "376 RPL_ENDOFMOTD",
   "description": "End of MOTD. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/401.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/401.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/401.json",
   "title": "401 ERR_NOSUCHNICK",
   "description": "No such nick/channel. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

schema/numerics/403.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/403.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/403.json",
   "title": "403 ERR_NOSUCHCHANNEL",
   "description": "No such channel. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

schema/numerics/433.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/433.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/433.json",
   "title": "433 ERR_NICKNAMEINUSE",
   "description": "Nickname is already in use. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

schema/numerics/442.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/442.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/442.json",
   "title": "442 ERR_NOTONCHANNEL",
   "description": "You're not on that channel. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

schema/numerics/482.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/482.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/482.json",
   "title": "482 ERR_CHANOPRIVSNEEDED",
   "description": "You're not channel operator. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

web/build.sh

@@ -16,19 +16,11 @@ fi
 
 mkdir -p dist
 
-# Build JS bundle
+# Build JS bundle — preact must be bundled (no CDN/external loader)
-${NPX:+$NPX} esbuild src/app.jsx \
-  --bundle \
-  --minify \
-  --jsx-factory=h \
-  --jsx-fragment=Fragment \
-  --define:process.env.NODE_ENV=\"production\" \
-  --external:preact \
-  --outfile=dist/app.js \
-  2>/dev/null || \
 ${NPX:+$NPX} esbuild src/app.jsx \
   --bundle \
   --minify \
+  --format=esm \
   --jsx-factory=h \
   --jsx-fragment=Fragment \
   --define:process.env.NODE_ENV=\"production\" \

web/dist/index.html

@@ -1,13 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Chat</title>
-  <link rel="stylesheet" href="/style.css">
-</head>
-<body>
-  <div id="root"></div>
-  <script src="/app.js"></script>
-</body>
-</html>

web/dist/style.css

@@ -1,317 +0,0 @@
-* { margin: 0; padding: 0; box-sizing: border-box; }
-
-:root {
-  --bg: #1a1a2e;
-  --bg-secondary: #16213e;
-  --bg-input: #0f3460;
-  --text: #e0e0e0;
-  --text-muted: #888;
-  --accent: #e94560;
-  --accent2: #0f3460;
-  --border: #2a2a4a;
-  --nick: #53a8b6;
-  --timestamp: #666;
-  --tab-active: #e94560;
-  --tab-bg: #16213e;
-  --tab-hover: #1a1a3e;
-  --topic-bg: #121a30;
-  --unread-bg: #e94560;
-  --warn: #f0ad4e;
-}
-
-html, body, #root {
-  height: 100%;
-  font-family: 'Courier New', Courier, monospace;
-  font-size: 14px;
-  background: var(--bg);
-  color: var(--text);
-}
-
-/* Login screen */
-.login-screen {
-  display: flex;
-  flex-direction: column;
-  align-items: center;
-  justify-content: center;
-  height: 100%;
-  gap: 16px;
-}
-
-.login-screen h1 {
-  color: var(--accent);
-  font-size: 2em;
-}
-
-.login-screen input {
-  padding: 10px 16px;
-  font-size: 16px;
-  font-family: inherit;
-  background: var(--bg-input);
-  border: 1px solid var(--border);
-  color: var(--text);
-  border-radius: 4px;
-  width: 280px;
-}
-
-.login-screen button {
-  padding: 10px 24px;
-  font-size: 16px;
-  font-family: inherit;
-  background: var(--accent);
-  border: none;
-  color: white;
-  border-radius: 4px;
-  cursor: pointer;
-}
-
-.login-screen .error {
-  color: var(--accent);
-}
-
-.login-screen .motd {
-  color: var(--text-muted);
-  max-width: 400px;
-  text-align: center;
-  white-space: pre-wrap;
-}
-
-/* Main layout */
-.app {
-  display: flex;
-  flex-direction: column;
-  height: 100%;
-}
-
-/* Tab bar */
-.tab-bar {
-  display: flex;
-  background: var(--bg-secondary);
-  border-bottom: 1px solid var(--border);
-  overflow-x: auto;
-  flex-shrink: 0;
-  align-items: center;
-}
-
-.tab {
-  padding: 8px 16px;
-  cursor: pointer;
-  border-bottom: 2px solid transparent;
-  white-space: nowrap;
-  color: var(--text-muted);
-  user-select: none;
-  position: relative;
-}
-
-.tab:hover {
-  background: var(--tab-hover);
-}
-
-.tab.active {
-  color: var(--text);
-  border-bottom-color: var(--tab-active);
-}
-
-.tab .close-btn {
-  margin-left: 8px;
-  color: var(--text-muted);
-  font-size: 12px;
-}
-
-.tab .close-btn:hover {
-  color: var(--accent);
-}
-
-.tab .unread-badge {
-  display: inline-block;
-  background: var(--unread-bg);
-  color: white;
-  font-size: 10px;
-  font-weight: bold;
-  padding: 1px 5px;
-  border-radius: 8px;
-  margin-left: 6px;
-  min-width: 16px;
-  text-align: center;
-}
-
-/* Connection status */
-.connection-status {
-  padding: 4px 12px;
-  background: var(--warn);
-  color: #1a1a2e;
-  font-size: 12px;
-  font-weight: bold;
-  white-space: nowrap;
-  flex-shrink: 0;
-}
-
-/* Topic bar */
-.topic-bar {
-  padding: 6px 12px;
-  background: var(--topic-bg);
-  border-bottom: 1px solid var(--border);
-  color: var(--text-muted);
-  font-size: 12px;
-  white-space: nowrap;
-  overflow: hidden;
-  text-overflow: ellipsis;
-  flex-shrink: 0;
-}
-
-/* Content area */
-.content {
-  display: flex;
-  flex: 1;
-  overflow: hidden;
-}
-
-/* Messages */
-.messages-pane {
-  flex: 1;
-  display: flex;
-  flex-direction: column;
-  overflow: hidden;
-}
-
-.messages {
-  flex: 1;
-  overflow-y: auto;
-  padding: 8px 12px;
-}
-
-.message {
-  padding: 2px 0;
-  line-height: 1.4;
-  word-wrap: break-word;
-}
-
-.message .timestamp {
-  color: var(--timestamp);
-  font-size: 12px;
-  margin-right: 8px;
-}
-
-.message .nick {
-  color: var(--nick);
-  font-weight: bold;
-  margin-right: 8px;
-}
-
-.message .nick::before { content: '<'; }
-.message .nick::after { content: '>'; }
-
-.message.system {
-  color: var(--text-muted);
-  font-style: italic;
-}
-
-.message.system .nick {
-  color: var(--text-muted);
-}
-
-.message.system .nick::before,
-.message.system .nick::after { content: ''; }
-
-/* Input */
-.input-bar {
-  display: flex;
-  border-top: 1px solid var(--border);
-  background: var(--bg-secondary);
-  flex-shrink: 0;
-}
-
-.input-bar input {
-  flex: 1;
-  padding: 10px 12px;
-  font-family: inherit;
-  font-size: 14px;
-  background: var(--bg-input);
-  border: none;
-  color: var(--text);
-  outline: none;
-}
-
-.input-bar button {
-  padding: 10px 16px;
-  font-family: inherit;
-  background: var(--accent);
-  border: none;
-  color: white;
-  cursor: pointer;
-}
-
-/* User list */
-.user-list {
-  width: 160px;
-  background: var(--bg-secondary);
-  border-left: 1px solid var(--border);
-  overflow-y: auto;
-  padding: 8px;
-  flex-shrink: 0;
-}
-
-.user-list h3 {
-  color: var(--text-muted);
-  font-size: 11px;
-  text-transform: uppercase;
-  margin-bottom: 8px;
-  letter-spacing: 1px;
-}
-
-.user-list .user {
-  padding: 3px 4px;
-  color: var(--nick);
-  font-size: 13px;
-  cursor: pointer;
-}
-
-.user-list .user:hover {
-  background: var(--tab-hover);
-}
-
-/* Server tab */
-.server-messages {
-  color: var(--text-muted);
-  padding: 12px;
-  white-space: pre-wrap;
-  overflow-y: auto;
-  flex: 1;
-}
-
-/* Channel join dialog */
-.join-dialog {
-  padding: 12px;
-  display: flex;
-  gap: 8px;
-  background: var(--bg-secondary);
-  border-bottom: 1px solid var(--border);
-  margin-left: auto;
-}
-
-.join-dialog input {
-  padding: 6px 10px;
-  font-family: inherit;
-  font-size: 13px;
-  background: var(--bg-input);
-  border: 1px solid var(--border);
-  color: var(--text);
-  border-radius: 3px;
-  width: 200px;
-}
-
-.join-dialog button {
-  padding: 6px 14px;
-  font-family: inherit;
-  font-size: 13px;
-  background: var(--accent2);
-  border: none;
-  color: var(--text);
-  border-radius: 3px;
-  cursor: pointer;
-}
-
-/* Responsive */
-@media (max-width: 600px) {
-  .user-list { display: none; }
-  .tab { padding: 6px 10px; font-size: 13px; }
-}

web/src/index.html

@@ -3,11 +3,11 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Chat</title>
+  <title>NeoIRC</title>
   <link rel="stylesheet" href="/style.css">
 </head>
 <body>
   <div id="root"></div>
-  <script src="/app.js"></script>
+  <script type="module" src="/app.js"></script>
 </body>
 </html>

web/src/style.css

@@ -1,317 +1,466 @@
-* { margin: 0; padding: 0; box-sizing: border-box; }
+* {
+  margin: 0;
+  padding: 0;
+  box-sizing: border-box;
+}
 
 :root {
-  --bg: #1a1a2e;
+  --bg: #0a0e14;
-  --bg-secondary: #16213e;
+  --bg-panel: #0d1117;
-  --bg-input: #0f3460;
+  --bg-input: #0d1117;
-  --text: #e0e0e0;
+  --bg-tab: #161b22;
-  --text-muted: #888;
+  --bg-tab-active: #0d1117;
-  --accent: #e94560;
+  --bg-topic: #0d1117;
-  --accent2: #0f3460;
+  --text: #c9d1d9;
-  --border: #2a2a4a;
+  --text-dim: #6e7681;
-  --nick: #53a8b6;
+  --text-bright: #e6edf3;
-  --timestamp: #666;
+  --accent: #58a6ff;
-  --tab-active: #e94560;
+  --accent-dim: #1f6feb;
-  --tab-bg: #16213e;
+  --border: #21262d;
-  --tab-hover: #1a1a3e;
+  --system: #7d8590;
-  --topic-bg: #121a30;
+  --action: #d2a8ff;
-  --unread-bg: #e94560;
+  --warn: #d29922;
-  --warn: #f0ad4e;
+  --error: #f85149;
+  --unread: #f0883e;
+  --nick-brackets: #6e7681;
+  --timestamp: #484f58;
+  --input-bg: #161b22;
+  --prompt: #3fb950;
+  --tab-indicator: #58a6ff;
+  --user-list-bg: #0d1117;
+  --user-list-header: #484f58;
 }
 
-html, body, #root {
+html,
+body,
+#root {
   height: 100%;
-  font-family: 'Courier New', Courier, monospace;
+  font-family: "JetBrains Mono", "Cascadia Code", "Fira Code", "SF Mono",
-  font-size: 14px;
+    "Consolas", "Liberation Mono", "Courier New", monospace;
+  font-size: 13px;
   background: var(--bg);
   color: var(--text);
+  overflow: hidden;
 }
 
-/* Login screen */
+/* ============================================
+   Login Screen
+   ============================================ */
+
 .login-screen {
   display: flex;
-  flex-direction: column;
   align-items: center;
   justify-content: center;
   height: 100%;
-  gap: 16px;
+  background: var(--bg);
 }
 
-.login-screen h1 {
+.login-box {
-  color: var(--accent);
-  font-size: 2em;
-}
-
-.login-screen input {
-  padding: 10px 16px;
-  font-size: 16px;
-  font-family: inherit;
-  background: var(--bg-input);
-  border: 1px solid var(--border);
-  color: var(--text);
-  border-radius: 4px;
-  width: 280px;
-}
-
-.login-screen button {
-  padding: 10px 24px;
-  font-size: 16px;
-  font-family: inherit;
-  background: var(--accent);
-  border: none;
-  color: white;
-  border-radius: 4px;
-  cursor: pointer;
-}
-
-.login-screen .error {
-  color: var(--accent);
-}
-
-.login-screen .motd {
-  color: var(--text-muted);
-  max-width: 400px;
   text-align: center;
-  white-space: pre-wrap;
+  max-width: 360px;
+  width: 100%;
+  padding: 32px;
 }
 
-/* Main layout */
+.login-box h1 {
-.app {
+  color: var(--accent);
+  font-size: 1.8em;
+  margin-bottom: 16px;
+  font-weight: 400;
+}
+
+.login-box .motd {
+  color: var(--accent);
+  font-size: 11px;
+  margin-bottom: 20px;
+  text-align: left;
+  white-space: pre;
+  font-family: inherit;
+  line-height: 1.2;
+  overflow-x: auto;
+}
+
+.login-box form {
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+  align-items: stretch;
+}
+
+.login-box label {
+  color: var(--text-dim);
+  text-align: left;
+  font-size: 12px;
+}
+
+.login-box input {
+  padding: 8px 12px;
+  font-family: inherit;
+  font-size: 14px;
+  background: var(--input-bg);
+  border: 1px solid var(--border);
+  color: var(--text-bright);
+  border-radius: 3px;
+  outline: none;
+}
+
+.login-box input:focus {
+  border-color: var(--accent-dim);
+}
+
+.login-box button {
+  padding: 8px 16px;
+  font-family: inherit;
+  font-size: 14px;
+  background: var(--accent-dim);
+  border: none;
+  color: var(--text-bright);
+  border-radius: 3px;
+  cursor: pointer;
+  margin-top: 4px;
+}
+
+.login-box button:hover {
+  background: var(--accent);
+}
+
+.login-box .error {
+  color: var(--error);
+  font-size: 12px;
+  margin-top: 8px;
+}
+
+/* ============================================
+   IRC App Layout
+   ============================================ */
+
+.irc-app {
   display: flex;
   flex-direction: column;
   height: 100%;
+  overflow: hidden;
 }
 
-/* Tab bar */
+/* ============================================
+   Tab Bar
+   ============================================ */
+
 .tab-bar {
   display: flex;
-  background: var(--bg-secondary);
+  background: var(--bg-tab);
   border-bottom: 1px solid var(--border);
-  overflow-x: auto;
   flex-shrink: 0;
-  align-items: center;
+  height: 32px;
+  align-items: stretch;
+}
+
+.tabs {
+  display: flex;
+  overflow-x: auto;
+  flex: 1;
+  scrollbar-width: none;
+}
+
+.tabs::-webkit-scrollbar {
+  display: none;
 }
 
 .tab {
-  padding: 8px 16px;
+  display: flex;
+  align-items: center;
+  padding: 0 12px;
   cursor: pointer;
-  border-bottom: 2px solid transparent;
+  color: var(--text-dim);
   white-space: nowrap;
-  color: var(--text-muted);
   user-select: none;
+  border-right: 1px solid var(--border);
+  font-size: 12px;
+  gap: 4px;
   position: relative;
 }
 
 .tab:hover {
-  background: var(--tab-hover);
+  color: var(--text);
+  background: rgba(255, 255, 255, 0.03);
 }
 
 .tab.active {
-  color: var(--text);
+  color: var(--text-bright);
-  border-bottom-color: var(--tab-active);
+  background: var(--bg-tab-active);
+  border-bottom: 2px solid var(--tab-indicator);
+  margin-bottom: -1px;
 }
 
-.tab .close-btn {
+.tab.has-unread .tab-label {
-  margin-left: 8px;
+  color: var(--unread);
-  color: var(--text-muted);
-  font-size: 12px;
-}
-
-.tab .close-btn:hover {
-  color: var(--accent);
-}
-
-.tab .unread-badge {
-  display: inline-block;
-  background: var(--unread-bg);
-  color: white;
-  font-size: 10px;
   font-weight: bold;
-  padding: 1px 5px;
-  border-radius: 8px;
-  margin-left: 6px;
-  min-width: 16px;
-  text-align: center;
 }
 
-/* Connection status */
+.tab .unread-count {
-.connection-status {
+  color: var(--unread);
-  padding: 4px 12px;
+  font-size: 11px;
-  background: var(--warn);
-  color: #1a1a2e;
-  font-size: 12px;
   font-weight: bold;
-  white-space: nowrap;
+}
+
+.tab-close {
+  color: var(--text-dim);
+  font-size: 14px;
+  line-height: 1;
+  margin-left: 2px;
+}
+
+.tab-close:hover {
+  color: var(--error);
+}
+
+.status-area {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  padding: 0 12px;
   flex-shrink: 0;
+  font-size: 12px;
 }
 
-/* Topic bar */
+.status-nick {
+  color: var(--accent);
+  font-weight: bold;
+}
+
+.status-warn {
+  color: var(--warn);
+  animation: blink 1.5s ease-in-out infinite;
+}
+
+@keyframes blink {
+  0%,
+  100% {
+    opacity: 1;
+  }
+  50% {
+    opacity: 0.4;
+  }
+}
+
+/* ============================================
+   Topic Bar
+   ============================================ */
+
 .topic-bar {
-  padding: 6px 12px;
+  padding: 4px 12px;
-  background: var(--topic-bg);
+  background: var(--bg-topic);
   border-bottom: 1px solid var(--border);
-  color: var(--text-muted);
   font-size: 12px;
   white-space: nowrap;
   overflow: hidden;
   text-overflow: ellipsis;
   flex-shrink: 0;
+  line-height: 1.5;
 }
 
-/* Content area */
+.topic-label {
-.content {
+  color: var(--text-dim);
+}
+
+.topic-text {
+  color: var(--text);
+}
+
+/* ============================================
+   Main Content Area
+   ============================================ */
+
+.main-area {
   display: flex;
   flex: 1;
   overflow: hidden;
+  min-height: 0;
 }
 
-/* Messages */
+/* ============================================
-.messages-pane {
+   Messages Panel
+   ============================================ */
+
+.messages-panel {
   flex: 1;
   display: flex;
   flex-direction: column;
   overflow: hidden;
+  min-width: 0;
 }
 
-.messages {
+.messages-scroll {
   flex: 1;
   overflow-y: auto;
-  padding: 8px 12px;
+  padding: 4px 8px;
+  scrollbar-width: thin;
+  scrollbar-color: var(--border) transparent;
 }
 
+.messages-scroll::-webkit-scrollbar {
+  width: 8px;
+}
+
+.messages-scroll::-webkit-scrollbar-track {
+  background: transparent;
+}
+
+.messages-scroll::-webkit-scrollbar-thumb {
+  background: var(--border);
+  border-radius: 4px;
+}
+
+/* ============================================
+   Message Lines
+   ============================================ */
+
 .message {
-  padding: 2px 0;
+  padding: 1px 0;
   line-height: 1.4;
+  white-space: pre-wrap;
   word-wrap: break-word;
+  font-size: 13px;
 }
 
 .message .timestamp {
   color: var(--timestamp);
   font-size: 12px;
-  margin-right: 8px;
 }
 
 .message .nick {
-  color: var(--nick);
   font-weight: bold;
-  margin-right: 8px;
 }
 
-.message .nick::before { content: '<'; }
+.message .content {
-.message .nick::after { content: '>'; }
+  color: var(--text);
+}
 
-.message.system {
+/* System messages (joins, parts, quits, etc.) */
-  color: var(--text-muted);
+.system-message {
+  color: var(--system);
+}
+
+.system-message .system-text {
+  color: var(--system);
+}
+
+/* /me action messages */
+.action-message .action-text {
+  color: var(--action);
+}
+
+/* ============================================
+   User List (Right Panel)
+   ============================================ */
+
+.user-list {
+  width: 160px;
+  background: var(--user-list-bg);
+  border-left: 1px solid var(--border);
+  display: flex;
+  flex-direction: column;
+  flex-shrink: 0;
+  overflow: hidden;
+}
+
+.user-list-header {
+  padding: 6px 10px;
+  color: var(--user-list-header);
+  font-size: 11px;
+  text-transform: uppercase;
+  letter-spacing: 0.5px;
+  border-bottom: 1px solid var(--border);
+  flex-shrink: 0;
+}
+
+.user-list-entries {
+  overflow-y: auto;
+  padding: 4px 0;
+  flex: 1;
+  scrollbar-width: thin;
+  scrollbar-color: var(--border) transparent;
+}
+
+.nick-entry {
+  padding: 2px 10px;
+  font-size: 12px;
+  cursor: pointer;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  line-height: 1.5;
+}
+
+.nick-entry:hover {
+  background: rgba(255, 255, 255, 0.04);
+}
+
+.nick-prefix {
+  color: var(--text-dim);
+  display: inline-block;
+  width: 1ch;
+  text-align: right;
+  margin-right: 1px;
+}
+
+.nick-name {
+  font-weight: normal;
+}
+
+/* ============================================
+   Input Line (Bottom)
+   ============================================ */
+
+.input-line {
+  display: flex;
+  align-items: center;
+  background: var(--input-bg);
+  border-top: 1px solid var(--border);
+  flex-shrink: 0;
+  height: 36px;
+  padding: 0 8px;
+  gap: 6px;
+}
+
+.input-prompt {
+  color: var(--prompt);
+  font-size: 13px;
+  flex-shrink: 0;
+  white-space: nowrap;
+}
+
+.input-line input {
+  flex: 1;
+  padding: 4px 0;
+  font-family: inherit;
+  font-size: 13px;
+  background: transparent;
+  border: none;
+  color: var(--text-bright);
+  outline: none;
+  caret-color: var(--accent);
+}
+
+.input-line input::placeholder {
+  color: var(--text-dim);
   font-style: italic;
 }
 
-.message.system .nick {
+/* ============================================
-  color: var(--text-muted);
+   Responsive
-}
+   ============================================ */
 
-.message.system .nick::before,
-.message.system .nick::after { content: ''; }
-
-/* Input */
-.input-bar {
-  display: flex;
-  border-top: 1px solid var(--border);
-  background: var(--bg-secondary);
-  flex-shrink: 0;
-}
-
-.input-bar input {
-  flex: 1;
-  padding: 10px 12px;
-  font-family: inherit;
-  font-size: 14px;
-  background: var(--bg-input);
-  border: none;
-  color: var(--text);
-  outline: none;
-}
-
-.input-bar button {
-  padding: 10px 16px;
-  font-family: inherit;
-  background: var(--accent);
-  border: none;
-  color: white;
-  cursor: pointer;
-}
-
-/* User list */
-.user-list {
-  width: 160px;
-  background: var(--bg-secondary);
-  border-left: 1px solid var(--border);
-  overflow-y: auto;
-  padding: 8px;
-  flex-shrink: 0;
-}
-
-.user-list h3 {
-  color: var(--text-muted);
-  font-size: 11px;
-  text-transform: uppercase;
-  margin-bottom: 8px;
-  letter-spacing: 1px;
-}
-
-.user-list .user {
-  padding: 3px 4px;
-  color: var(--nick);
-  font-size: 13px;
-  cursor: pointer;
-}
-
-.user-list .user:hover {
-  background: var(--tab-hover);
-}
-
-/* Server tab */
-.server-messages {
-  color: var(--text-muted);
-  padding: 12px;
-  white-space: pre-wrap;
-  overflow-y: auto;
-  flex: 1;
-}
-
-/* Channel join dialog */
-.join-dialog {
-  padding: 12px;
-  display: flex;
-  gap: 8px;
-  background: var(--bg-secondary);
-  border-bottom: 1px solid var(--border);
-  margin-left: auto;
-}
-
-.join-dialog input {
-  padding: 6px 10px;
-  font-family: inherit;
-  font-size: 13px;
-  background: var(--bg-input);
-  border: 1px solid var(--border);
-  color: var(--text);
-  border-radius: 3px;
-  width: 200px;
-}
-
-.join-dialog button {
-  padding: 6px 14px;
-  font-family: inherit;
-  font-size: 13px;
-  background: var(--accent2);
-  border: none;
-  color: var(--text);
-  border-radius: 3px;
-  cursor: pointer;
-}
-
-/* Responsive */
 @media (max-width: 600px) {
-  .user-list { display: none; }
+  .user-list {
-  .tab { padding: 6px 10px; font-size: 13px; }
+    display: none;
+  }
+
+  .tab {
+    padding: 0 8px;
+    font-size: 11px;
+  }
+
+  .input-prompt {
+    font-size: 12px;
+  }
 }