fix: update internal/irc import to pkg/irc after rebase

fix: rename hashcash→pow_token JSON field reference in README
fix: complete pow_token rename in README documentation
2026-03-10 11:41:12 -07:00 · 2026-03-10 11:40:33 -07:00 · 2026-03-10 11:40:33 -07:00 · 2026-03-10 11:40:33 -07:00 · 2026-03-10 11:40:33 -07:00 · 2026-03-10 11:40:33 -07:00
76 changed files with 5082 additions and 1417 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,8 +1,8 @@
 .git
 *.md
 !README.md
-chatd
+neoircd
-chat-cli
+neoirc-cli
 data.db
 data.db-wal
 data.db-shm
--- a/.gitignore
+++ b/.gitignore
@@ -21,7 +21,8 @@ node_modules/
 *.key
 # Build artifacts
-/chatd
+web/dist/
 /neoircd
 /bin/
 *.exe
 *.dll
@@ -34,5 +35,5 @@ vendor/
 # Project
 data.db
 debug.log
-/chat-cli
+/neoirc-cli
 web/node_modules/
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -5,7 +5,7 @@
 1. **Format**: `gofmt -s -w .` and `goimports -w .`
 2. **Lint**: `golangci-lint run --config .golangci.yml ./...` — zero issues
 3. **Test**: `go test -race ./...` — all passing
-4. **Build**: `go build ./cmd/chatd` — compiles clean
+4. **Build**: `go build ./cmd/neoircd` — compiles clean
 No commit lands on main with lint errors, test failures, or formatting issues.
--- a/35
+++ b/35
@@ -1,42 +1,59 @@
 # Web build stage — compile SPA from source
 # node:22-alpine, 2026-03-09
 FROM node@sha256:8094c002d08262dba12645a3b4a15cd6cd627d30bc782f53229a2ec13ee22a00 AS web-builder
 WORKDIR /web
 COPY web/package.json web/package-lock.json ./
 RUN npm ci
 COPY web/src/ src/
 COPY web/build.sh build.sh
 RUN sh build.sh
 # Lint stage — fast feedback on formatting and lint issues
-# golangci/golangci-lint:v2.1.6
+# golangci/golangci-lint:v2.1.6, 2026-03-02
 FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
 WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 # Create placeholder files so //go:embed dist/* in web/embed.go resolves
 # without depending on the web-builder stage (lint should fail fast)
 RUN mkdir -p web/dist && touch web/dist/index.html web/dist/style.css web/dist/app.js
 RUN make fmt-check
 RUN make lint
-# Build stage — tests and compilation
+# Build stage
 # golang:1.24-alpine, 2026-02-26
 FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
 WORKDIR /src
 RUN apk add --no-cache git build-base make
-# Force BuildKit to run the lint stage by creating a stage dependency
+# Force BuildKit to run the lint stage before proceeding
 COPY --from=lint /src/go.sum /dev/null
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 COPY --from=web-builder /web/dist/ web/dist/
 RUN make test
 # Build static binaries (no cgo needed at runtime — modernc.org/sqlite is pure Go)
 ARG VERSION=dev
-RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o /chatd ./cmd/chatd/
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o /neoircd ./cmd/neoircd/
-RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /chat-cli ./cmd/chat-cli/
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /neoirc-cli ./cmd/neoirc-cli/
 # Runtime stage
 # alpine:3.21, 2026-02-26
 FROM alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
 RUN apk add --no-cache ca-certificates \
-    && addgroup -S chat && adduser -S chat -G chat
+    && addgroup -S neoirc && adduser -S neoirc -G neoirc \
-COPY --from=builder /chatd /usr/local/bin/chatd
+    && mkdir -p /var/lib/neoirc \
    && chown neoirc:neoirc /var/lib/neoirc
 COPY --from=builder /neoircd /usr/local/bin/neoircd
-USER chat
+USER neoirc
 EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget -qO- http://localhost:8080/.well-known/healthcheck.json || exit 1
-ENTRYPOINT ["chatd"]
+ENTRYPOINT ["neoircd"]
--- a/10
+++ b/10
@@ -1,6 +1,6 @@
 .PHONY: all build lint fmt fmt-check test check clean run debug docker hooks
-BINARY := chatd
+BINARY := neoircd
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
 BUILDARCH := $(shell go env GOARCH)
 LDFLAGS := -X main.Version=$(VERSION) -X main.Buildarch=$(BUILDARCH)
@@ -8,7 +8,7 @@ LDFLAGS := -X main.Version=$(VERSION) -X main.Buildarch=$(BUILDARCH)
 all: check build
 build:
-	go build -ldflags "$(LDFLAGS)" -o bin/$(BINARY) ./cmd/chatd
+	go build -ldflags "$(LDFLAGS)" -o bin/$(BINARY) ./cmd/neoircd
 lint:
 	golangci-lint run --config .golangci.yml ./...
@@ -27,7 +27,7 @@ test:
 # Used by CI and Docker build — fails if anything is wrong
 check: test lint fmt-check
 	@echo "==> Building..."
-	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/chatd
+	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/neoircd
 	@echo "==> All checks passed!"
 run: build
@@ -37,10 +37,10 @@ debug: build
 	DEBUG=1 GOTRACEBACK=all ./bin/$(BINARY)
 clean:
-	rm -rf bin/ chatd data.db
+	rm -rf bin/ neoircd
 docker:
-	docker build -t chat .
+	docker build -t neoirc .
 hooks:
 	@printf '#!/bin/sh\nset -e\n' > .git/hooks/pre-commit
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
-# chat
+# neoirc
 **IRC semantics, structured message metadata, cryptographic signing, and
 server-held session state with per-client delivery queues. All over HTTP+JSON.**
-A chat server written in Go that decouples session state from transport
+An IRC-inspired server written in Go that decouples session state from transport
 connections, enabling mobile-friendly persistent sessions over plain HTTP.
 The **HTTP API is the primary interface**. It's designed to be simple enough
@@ -44,7 +44,7 @@ IRC is in decline because session state is tied to the TCP connection. In a
 mobile-first world, that's a nonstarter. Not everyone wants to run a bouncer
 or pay for IRCCloud.
-This project builds a chat server that:
+This project builds a server that:
 - Holds session state server-side (message queues, presence, channel membership)
 - Exposes a minimal, clean HTTP+JSON API — easy to build clients against
@@ -132,7 +132,7 @@ makes signing consistent — you sign the same structure you send.
 ### Why not XMPP or Matrix?
-XMPP is XML-based, overengineered for chat, and the ecosystem is fragmented
+XMPP is XML-based, overengineered for messaging, and the ecosystem is fragmented
 across incompatible extensions (XEPs). Matrix is a federated append-only event
 graph with a spec that runs to hundreds of pages. Both are fine protocols, but
 they're solving different problems at different scales.
@@ -249,8 +249,8 @@ Key properties:
 - **Ordered**: Queue entries have monotonically increasing IDs. Messages are
  always delivered in order within a client's queue.
 - **No delivery/read receipts** for channel messages. DM receipts are planned.
- **Queue depth**: Server-configurable via `QUEUE_MAX_AGE`. Default is 48
+- **Client output queue depth**: Server-configurable via `QUEUE_MAX_AGE`.
-  hours. Entries older than this are pruned.
+  Default is 30 days. Entries older than this are pruned.
 ### Long-Polling
@@ -764,21 +764,98 @@ not pollute the message queue.
 **IRC reference:** RFC 1459 §4.6.2, §4.6.3
-#### MODE — Set/Query Modes (Planned)
+#### MODE — Query Modes
-Set channel or user modes.
+Query channel or user modes. Returns the current mode string and, for
 channels, the creation timestamp.
 **C2S:**
 ```json
-{"command": "MODE", "to": "#general", "params": ["+m"]}
+{"command": "MODE", "to": "#general"}
-{"command": "MODE", "to": "#general", "params": ["+o", "alice"]}
+{"command": "MODE", "to": "alice"}
 ```
-**Status:** Not yet implemented. See [Channel Modes](#channel-modes) for the
+**S2C (via message queue):**
-planned mode set.
+
 For channels, the server sends RPL_CHANNELMODEIS (324) and
 RPL_CREATIONTIME (329):
 ```json
 {"command": "324", "to": "alice", "params": ["#general", "+n"]}
 {"command": "329", "to": "alice", "params": ["#general", "1709251200"]}
 ```
 For users, the server sends RPL_UMODEIS (221):
 ```json
 {"command": "221", "to": "alice", "body": ["+"]}
 ```
 **Note:** Mode changes (setting/unsetting modes) are not yet implemented.
 Currently only query is supported.
 **IRC reference:** RFC 1459 §4.2.3
 #### NAMES — Channel Member List
 Request the member list for a channel. Returns RPL_NAMREPLY (353) and
 RPL_ENDOFNAMES (366).
 **C2S:**
 ```json
 {"command": "NAMES", "to": "#general"}
 ```
 **IRC reference:** RFC 1459 §4.2.5
 #### LIST — List Channels
 Request a list of all channels with member counts. Returns RPL_LIST (322)
 for each channel followed by RPL_LISTEND (323).
 **C2S:**
 ```json
 {"command": "LIST"}
 ```
 **IRC reference:** RFC 1459 §4.2.6
 #### WHOIS — User Information
 Query information about a user. Returns RPL_WHOISUSER (311),
 RPL_WHOISSERVER (312), RPL_WHOISCHANNELS (319), and RPL_ENDOFWHOIS (318).
 **C2S:**
 ```json
 {"command": "WHOIS", "to": "alice"}
 ```
 **IRC reference:** RFC 1459 §4.5.2
 #### WHO — Channel User List
 Query users in a channel. Returns RPL_WHOREPLY (352) for each user followed
 by RPL_ENDOFWHO (315).
 **C2S:**
 ```json
 {"command": "WHO", "to": "#general"}
 ```
 **IRC reference:** RFC 1459 §4.5.1
 #### LUSERS — Server Statistics
 Request server user/channel statistics. Returns RPL_LUSERCLIENT (251),
 RPL_LUSEROP (252), RPL_LUSERCHANNELS (254), and RPL_LUSERME (255).
 **C2S:**
 ```json
 {"command": "LUSERS"}
 ```
 LUSERS replies are also sent automatically during connection registration.
 **IRC reference:** RFC 1459 §4.3.2
 #### KICK — Kick User (Planned)
 Remove a user from a channel.
@@ -828,27 +905,46 @@ the server to the client (never C2S) and use 3-digit string codes in the
 | Code | Name                 | When Sent | Example |
 |------|----------------------|-----------|---------|
 | `001` | RPL_WELCOME         | After session creation | `{"command":"001","to":"alice","body":["Welcome to the network, alice"]}` |
-| `002` | RPL_YOURHOST        | After session creation | `{"command":"002","to":"alice","body":["Your host is chatserver, running version 0.1"]}` |
+| `002` | RPL_YOURHOST        | After session creation | `{"command":"002","to":"alice","body":["Your host is neoirc, running version 0.1"]}` |
 | `003` | RPL_CREATED         | After session creation | `{"command":"003","to":"alice","body":["This server was created 2026-02-10"]}` |
-| `004` | RPL_MYINFO          | After session creation | `{"command":"004","to":"alice","params":["chatserver","0.1","","imnst"]}` |
+| `004` | RPL_MYINFO          | After session creation | `{"command":"004","to":"alice","params":["neoirc","0.1","","imnst"]}` |
-| `322` | RPL_LIST            | In response to LIST | `{"command":"322","to":"alice","params":["#general","5"],"body":["General chat"]}` |
+| `005` | RPL_ISUPPORT        | After session creation | `{"command":"005","to":"alice","params":["CHANTYPES=#","NICKLEN=32","NETWORK=neoirc"],"body":["are supported by this server"]}` |
 | `221` | RPL_UMODEIS         | In response to user MODE query | `{"command":"221","to":"alice","body":["+"]}` |
 | `251` | RPL_LUSERCLIENT     | On connect or LUSERS command | `{"command":"251","to":"alice","body":["There are 5 users and 0 invisible on 1 servers"]}` |
 | `252` | RPL_LUSEROP         | On connect or LUSERS command | `{"command":"252","to":"alice","params":["0"],"body":["operator(s) online"]}` |
 | `254` | RPL_LUSERCHANNELS   | On connect or LUSERS command | `{"command":"254","to":"alice","params":["3"],"body":["channels formed"]}` |
 | `255` | RPL_LUSERME         | On connect or LUSERS command | `{"command":"255","to":"alice","body":["I have 5 clients and 1 servers"]}` |
 | `311` | RPL_WHOISUSER       | In response to WHOIS | `{"command":"311","to":"alice","params":["bob","bob","neoirc","*"],"body":["bob"]}` |
 | `312` | RPL_WHOISSERVER     | In response to WHOIS | `{"command":"312","to":"alice","params":["bob","neoirc"],"body":["neoirc server"]}` |
 | `315` | RPL_ENDOFWHO        | End of WHO response | `{"command":"315","to":"alice","params":["#general"],"body":["End of /WHO list"]}` |
 | `318` | RPL_ENDOFWHOIS      | End of WHOIS response | `{"command":"318","to":"alice","params":["bob"],"body":["End of /WHOIS list"]}` |
 | `319` | RPL_WHOISCHANNELS   | In response to WHOIS | `{"command":"319","to":"alice","params":["bob"],"body":["#general #dev"]}` |
 | `322` | RPL_LIST            | In response to LIST | `{"command":"322","to":"alice","params":["#general","5"],"body":["General discussion"]}` |
 | `323` | RPL_LISTEND         | End of LIST response | `{"command":"323","to":"alice","body":["End of /LIST"]}` |
 | `324` | RPL_CHANNELMODEIS   | In response to channel MODE query | `{"command":"324","to":"alice","params":["#general","+n"]}` |
 | `329` | RPL_CREATIONTIME    | After channel MODE query | `{"command":"329","to":"alice","params":["#general","1709251200"]}` |
 | `331` | RPL_NOTOPIC         | Channel has no topic (on JOIN) | `{"command":"331","to":"alice","params":["#general"],"body":["No topic is set"]}` |
 | `332` | RPL_TOPIC           | On JOIN or TOPIC query | `{"command":"332","to":"alice","params":["#general"],"body":["Welcome!"]}` |
 | `352` | RPL_WHOREPLY        | In response to WHO | `{"command":"352","to":"alice","params":["#general","bob","neoirc","neoirc","bob","H"],"body":["0 bob"]}` |
 | `353` | RPL_NAMREPLY        | On JOIN or NAMES query | `{"command":"353","to":"alice","params":["=","#general"],"body":["@op1 alice bob +voiced1"]}` |
 | `366` | RPL_ENDOFNAMES      | End of NAMES response | `{"command":"366","to":"alice","params":["#general"],"body":["End of /NAMES list"]}` |
 | `372` | RPL_MOTD            | MOTD line | `{"command":"372","to":"alice","body":["Welcome to the server"]}` |
-| `375` | RPL_MOTDSTART       | Start of MOTD | `{"command":"375","to":"alice","body":["- chatserver Message of the Day -"]}` |
+| `375` | RPL_MOTDSTART       | Start of MOTD | `{"command":"375","to":"alice","body":["- neoirc-server Message of the Day -"]}` |
 | `376` | RPL_ENDOFMOTD       | End of MOTD | `{"command":"376","to":"alice","body":["End of /MOTD command"]}` |
 | `401` | ERR_NOSUCHNICK      | DM to nonexistent nick | `{"command":"401","to":"alice","params":["bob"],"body":["No such nick/channel"]}` |
 | `403` | ERR_NOSUCHCHANNEL   | Action on nonexistent channel | `{"command":"403","to":"alice","params":["#nope"],"body":["No such channel"]}` |
 | `421` | ERR_UNKNOWNCOMMAND  | Unrecognized command | `{"command":"421","to":"alice","params":["FOO"],"body":["Unknown command"]}` |
 | `432` | ERR_ERRONEUSNICKNAME | Invalid nick format | `{"command":"432","to":"alice","params":["bad nick!"],"body":["Erroneous nickname"]}` |
 | `433` | ERR_NICKNAMEINUSE   | NICK to taken nick | `{"command":"433","to":"*","params":["alice"],"body":["Nickname is already in use"]}` |
 | `442` | ERR_NOTONCHANNEL    | Action on unjoined channel | `{"command":"442","to":"alice","params":["#general"],"body":["You're not on that channel"]}` |
 | `461` | ERR_NEEDMOREPARAMS  | Missing required fields | `{"command":"461","to":"alice","params":["JOIN"],"body":["Not enough parameters"]}` |
 | `482` | ERR_CHANOPRIVSNEEDED | Non-op tries op action | `{"command":"482","to":"alice","params":["#general"],"body":["You're not channel operator"]}` |
-**Note:** Numeric replies are planned for full implementation. The current MVP
+**Note:** Numeric replies are now implemented. All IRC command responses
-returns standard HTTP error responses (4xx/5xx with JSON error bodies) instead
+(success and error) are delivered as numeric replies through the message queue.
-of numeric replies for error conditions. Numeric replies in the message queue
+HTTP error codes are reserved for transport-level issues (auth failures,
-will be added post-MVP.
+malformed requests, server errors). The `params` field in the message envelope
 carries IRC-style parameters (e.g., channel name, target nick).
 ### Channel Modes
@@ -891,14 +987,20 @@ the format:
 Create a new user session. This is the entry point for all clients.
-**Request:**
+If the server requires hashcash proof-of-work (see
 [Hashcash Proof-of-Work](#hashcash-proof-of-work)), the client must include a
 valid stamp in the `pow_token` field of the JSON request body. The required
 difficulty is advertised via `GET /api/v1/server` in the `hashcash_bits` field.
 **Request Body:**
 ```json
-{"nick": "alice"}
+{"nick": "alice", "pow_token": "1:20:260310:neoirc::3a2f1"}
 ```
-| Field  | Type   | Required | Constraints |
+| Field      | Type   | Required    | Constraints |
-|--------|--------|----------|-------------|
+|------------|--------|-------------|-------------|
-| `nick` | string | Yes      | 1–32 characters, must be unique on the server |
+| `nick`     | string | Yes         | 1–32 characters, must be unique on the server |
 | `pow_token` | string | Conditional | Hashcash stamp (required when server has `hashcash_bits` > 0) |
 **Response:** `201 Created`
 ```json
@@ -920,13 +1022,15 @@ Create a new user session. This is the entry point for all clients.
 | Status | Error | When |
 |--------|-------|------|
 | 400    | `nick must be 1-32 characters` | Empty or too-long nick |
 | 402    | `hashcash proof-of-work required` | Missing `pow_token` field in request body when hashcash is enabled |
 | 402    | `invalid hashcash stamp: ...` | Stamp fails validation (wrong bits, expired, reused, etc.) |
 | 409    | `nick already taken` | Another active session holds this nick |
 **curl example:**
 ```bash
 TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/session \
  -H 'Content-Type: application/json' \
-  -d '{"nick":"alice"}' | jq -r .token)
+  -d '{"nick":"alice","pow_token":"1:20:260310:neoirc::3a2f1"}' | jq -r .token)
 echo $TOKEN
 ```
@@ -936,6 +1040,12 @@ Return the current user's session state.
 **Request:** No body. Requires auth.
 **Query Parameters:**
 | Parameter | Type   | Default | Description |
 |-----------|--------|---------|-------------|
 | `initChannelState` | string | (none) | When set to `1`, enqueues synthetic JOIN + TOPIC + NAMES messages for every channel the session belongs to into the calling client's queue. Used by the SPA on reconnect to restore channel tabs without re-sending JOIN commands. |
 **Response:** `200 OK`
 ```json
 {
@@ -968,6 +1078,12 @@ curl -s http://localhost:8080/api/v1/state \
  -H "Authorization: Bearer $TOKEN" | jq .
 ```
 **Reconnect with channel state initialization:**
 ```bash
 curl -s "http://localhost:8080/api/v1/state?initChannelState=1" \
  -H "Authorization: Bearer $TOKEN" | jq .
 ```
 ### GET /api/v1/messages — Poll Messages (Long-Poll)
 Retrieve messages from the client's delivery queue. This is the primary
@@ -1054,27 +1170,78 @@ reference with all required and optional fields.
 | Command   | Required Fields     | Optional      | Response Status |
 |-----------|---------------------|---------------|-----------------|
-| `PRIVMSG` | `to`, `body`        | `meta`        | 201 Created     |
+| `PRIVMSG` | `to`, `body`        | `meta`        | 200 OK          |
-| `NOTICE`  | `to`, `body`        | `meta`        | 201 Created     |
+| `NOTICE`  | `to`, `body`        | `meta`        | 200 OK          |
 | `JOIN`    | `to`                |               | 200 OK          |
 | `PART`    | `to`                | `body`        | 200 OK          |
 | `NICK`    | `body`              |               | 200 OK          |
 | `TOPIC`   | `to`, `body`        |               | 200 OK          |
 | `MODE`    | `to`                |               | 200 OK          |
 | `NAMES`   | `to`                |               | 200 OK          |
 | `LIST`    |                     |               | 200 OK          |
 | `WHOIS`   | `to` or `body`      |               | 200 OK          |
 | `WHO`     | `to`                |               | 200 OK          |
 | `LUSERS`  |                     |               | 200 OK          |
 | `QUIT`    |                     | `body`        | 200 OK          |
 | `PING`    |                     |               | 200 OK          |
-**Errors (all commands):**
+All IRC commands return HTTP 200 OK. IRC-level success and error responses
 are delivered as **numeric replies** through the message queue (see
 [Numeric Replies](#numeric-replies) below). HTTP error codes (4xx/5xx) are
 reserved for transport-level problems: malformed JSON (400), missing/invalid
 auth tokens (401), and server errors (500).
 **HTTP errors (transport-level only):**
 | Status | Error | When |
 |--------|-------|------|
-| 400    | `invalid request` | Malformed JSON |
+| 400    | `invalid request` | Malformed JSON or empty command |
 | 400    | `to field required` | Missing `to` for commands that need it |
 | 400    | `body required` | Missing `body` for commands that need it |
 | 400    | `unknown command: X` | Unrecognized command |
 | 401    | `unauthorized` | Missing or invalid auth token |
-| 404    | `channel not found` | Target channel doesn't exist |
+| 500    | `internal error` | Server-side failure |
-| 404    | `user not found` | DM target nick doesn't exist |
+
-| 409    | `nick already in use` | NICK target is taken |
+**IRC numeric error replies (delivered via message queue):**
 | Numeric | Name | When |
 |---------|------|------|
 | 401     | ERR_NOSUCHNICK | DM target nick doesn't exist |
 | 403     | ERR_NOSUCHCHANNEL | Target channel doesn't exist or invalid name |
 | 421     | ERR_UNKNOWNCOMMAND | Unrecognized command |
 | 432     | ERR_ERRONEUSNICKNAME | Invalid nickname format |
 | 433     | ERR_NICKNAMEINUSE | NICK target is taken |
 | 442     | ERR_NOTONCHANNEL | Not a member of the target channel |
 | 461     | ERR_NEEDMOREPARAMS | Missing required fields (to, body) |
 **IRC numeric success replies (delivered via message queue):**
 | Numeric | Name | When |
 |---------|------|------|
 | 001     | RPL_WELCOME | Sent on session creation/login |
 | 002     | RPL_YOURHOST | Sent on session creation/login |
 | 003     | RPL_CREATED | Sent on session creation/login |
 | 004     | RPL_MYINFO | Sent on session creation/login |
 | 005     | RPL_ISUPPORT | Sent on session creation/login |
 | 221     | RPL_UMODEIS | In response to user MODE query |
 | 251     | RPL_LUSERCLIENT | On connect or LUSERS command |
 | 252     | RPL_LUSEROP | On connect or LUSERS command |
 | 254     | RPL_LUSERCHANNELS | On connect or LUSERS command |
 | 255     | RPL_LUSERME | On connect or LUSERS command |
 | 311     | RPL_WHOISUSER | WHOIS user info |
 | 312     | RPL_WHOISSERVER | WHOIS server info |
 | 315     | RPL_ENDOFWHO | End of WHO list |
 | 318     | RPL_ENDOFWHOIS | End of WHOIS list |
 | 319     | RPL_WHOISCHANNELS | WHOIS channels list |
 | 322     | RPL_LIST | Channel in LIST response |
 | 323     | RPL_LISTEND | End of LIST |
 | 324     | RPL_CHANNELMODEIS | Channel mode query response |
 | 329     | RPL_CREATIONTIME | Channel creation timestamp |
 | 331     | RPL_NOTOPIC | Channel has no topic (on JOIN) |
 | 332     | RPL_TOPIC | Channel topic (on JOIN, TOPIC set) |
 | 352     | RPL_WHOREPLY | User in WHO response |
 | 353     | RPL_NAMREPLY | Channel member list (on JOIN, NAMES) |
 | 366     | RPL_ENDOFNAMES | End of NAMES list |
 | 375     | RPL_MOTDSTART | Start of MOTD |
 | 372     | RPL_MOTD | MOTD line |
 | 376     | RPL_ENDOFMOTD | End of MOTD |
 ### GET /api/v1/history — Message History
@@ -1214,17 +1381,21 @@ Return server metadata. No authentication required.
 **Response:** `200 OK`
 ```json
 {
-  "name": "My Chat Server",
+  "name": "My NeoIRC Server",
  "version": "0.1.0",
  "motd": "Welcome! Be nice.",
-  "users": 42
+  "users": 42,
  "hashcash_bits": 20
 }
 ```
-| Field   | Type    | Description |
+| Field           | Type    | Description |
-|---------|---------|-------------|
+|-----------------|---------|-------------|
-| `name`  | string  | Server display name |
+| `name`          | string  | Server display name |
-| `motd`  | string  | Message of the day |
+| `version`       | string  | Server version |
-| `users` | integer | Number of currently active user sessions |
+| `motd`          | string  | Message of the day |
 | `users`         | integer | Number of currently active user sessions |
 | `hashcash_bits` | integer | Required proof-of-work difficulty (leading zero bits). Only present when > 0. See [Hashcash Proof-of-Work](#hashcash-proof-of-work). |
 ### GET /.well-known/healthcheck.json — Health Check
@@ -1463,12 +1634,16 @@ authenticity.
  termination.
 - **CORS**: The server allows all origins by default (`Access-Control-Allow-Origin: *`).
  Restrict this in production via reverse proxy configuration if needed.
 - **Content-Security-Policy**: The server sets a strict CSP header on all
  responses, restricting resource loading to same-origin and disabling
  dangerous features (object embeds, framing, base tag injection). The
  embedded SPA works without `'unsafe-inline'` for scripts or styles.
 ---
 ## Federation (Server-to-Server)
-Federation allows multiple chat servers to link together, forming a network
+Federation allows multiple neoirc servers to link together, forming a network
 where users on different servers can share channels — similar to IRC server
 linking.
@@ -1623,14 +1798,14 @@ skew issues) and simpler than UUIDs (integer comparison vs. string comparison).
 ### Data Lifecycle
- **Messages**: Stored indefinitely in the current implementation. Rotation
+- **Messages**: Pruned automatically when older than `MESSAGE_MAX_AGE`
-  per `MAX_HISTORY` is planned.
+  (default 30 days).
- **Queue entries**: Stored until pruned. Pruning by `QUEUE_MAX_AGE` is
+- **Client output queue entries**: Pruned automatically when older than
-  planned.
+  `QUEUE_MAX_AGE` (default 30 days).
 - **Channels**: Deleted when the last member leaves (ephemeral).
 - **Users/sessions**: Deleted on `QUIT` or `POST /api/v1/logout`. Idle
  sessions are automatically expired after `SESSION_IDLE_TIMEOUT` (default
-  24h) — the server runs a background cleanup loop that parts idle users
+  30 days) — the server runs a background cleanup loop that parts idle users
  from all channels, broadcasts QUIT, and releases their nicks.
 ---
@@ -1645,11 +1820,11 @@ directory is also loaded automatically via
 | Variable           | Type    | Default                              | Description |
 |--------------------|---------|--------------------------------------|-------------|
 | `PORT`             | int     | `8080`                               | HTTP listen port |
-| `DBURL`            | string  | `file:./data.db?_journal_mode=WAL`   | SQLite connection string. For file-based: `file:./path.db?_journal_mode=WAL`. For in-memory (testing): `file::memory:?cache=shared`. |
+| `DBURL`            | string  | `file:///var/lib/neoirc/state.db?_journal_mode=WAL` | SQLite connection string. For file-based: `file:///path/to/db.db?_journal_mode=WAL`. For in-memory (testing): `file::memory:?cache=shared`. |
 | `DEBUG`            | bool    | `false`                              | Enable debug logging (verbose request/response logging) |
-| `MAX_HISTORY`      | int     | `10000`                              | Maximum messages retained per channel before rotation (planned) |
+| `MESSAGE_MAX_AGE`  | string  | `720h`                               | Maximum age of messages as a Go duration string (e.g. `720h`, `24h`). Messages older than this are pruned. Default is 30 days. |
-| `SESSION_IDLE_TIMEOUT` | string | `24h`                            | Session idle timeout as a Go duration string (e.g. `24h`, `30m`). Sessions with no activity for this long are expired and the nick is released. |
+| `SESSION_IDLE_TIMEOUT` | string | `720h`                           | Session idle timeout as a Go duration string (e.g. `720h`, `24h`). Sessions with no activity for this long are expired and the nick is released. Default is 30 days. |
-| `QUEUE_MAX_AGE`    | int     | `172800`                             | Maximum age of client queue entries in seconds (48h). Entries older than this are pruned (planned). |
+| `QUEUE_MAX_AGE`    | string  | `720h`                               | Maximum age of client output queue entries as a Go duration string (e.g. `720h`, `24h`). Entries older than this are pruned. Default is 30 days. |
 | `MAX_MESSAGE_SIZE` | int     | `4096`                               | Maximum message body size in bytes (planned enforcement) |
 | `LONG_POLL_TIMEOUT`| int     | `15`                                 | Default long-poll timeout in seconds (client can override via query param, server caps at 30) |
 | `MOTD`             | string  | `""`                                 | Message of the day, shown to clients via `GET /api/v1/server` |
@@ -1658,17 +1833,19 @@ directory is also loaded automatically via
 | `SENTRY_DSN`       | string  | `""`                                 | Sentry error tracking DSN (optional) |
 | `METRICS_USERNAME` | string  | `""`                                 | Basic auth username for `/metrics` endpoint. If empty, metrics endpoint is disabled. |
 | `METRICS_PASSWORD` | string  | `""`                                 | Basic auth password for `/metrics` endpoint |
 | `NEOIRC_HASHCASH_BITS` | int | `20`                               | Required hashcash proof-of-work difficulty (leading zero bits in SHA-256) for session creation. Set to `0` to disable. |
 | `MAINTENANCE_MODE` | bool    | `false`                              | Maintenance mode flag (reserved) |
 ### Example `.env` file
 ```bash
 PORT=8080
-SERVER_NAME=My Chat Server
+SERVER_NAME=My NeoIRC Server
 MOTD=Welcome! Be excellent to each other.
 DEBUG=false
-DBURL=file:./data.db?_journal_mode=WAL
+DBURL=file:///var/lib/neoirc/state.db?_journal_mode=WAL
-SESSION_IDLE_TIMEOUT=24h
+SESSION_IDLE_TIMEOUT=720h
 NEOIRC_HASHCASH_BITS=20
 ```
 ---
@@ -1677,52 +1854,41 @@ SESSION_IDLE_TIMEOUT=24h
 ### Docker (Recommended)
-The Docker image contains a single static binary (`chatd`) and nothing else.
+The Docker image contains a single static binary (`neoircd`) and nothing else.
 ```bash
 # Build
-docker build -t chat .
+docker build -t neoirc .
 # Run
 docker run -p 8080:8080 \
-  -v chat-data:/data \
+  -v neoirc-data:/var/lib/neoirc \
  -e DBURL="file:/data/chat.db?_journal_mode=WAL" \
  -e SERVER_NAME="My Server" \
  -e MOTD="Welcome!" \
-  chat
+  neoirc
 ```
-The Dockerfile is a multi-stage build:
+The Dockerfile is a four-stage build:
-1. **Build stage**: Compiles `chatd` and `chat-cli` (CLI built to verify
+1. **web-builder**: Installs Node dependencies and compiles the SPA (JSX →
   bundled JS via esbuild) into `web/dist/`
 2. **lint**: Runs formatting checks and golangci-lint against the Go source
   (uses empty placeholder files for `web/dist/` so it runs independently of
   web-builder for fast feedback)
 3. **builder**: Runs tests and compiles static `neoircd` and `neoirc-cli`
   binaries with the real SPA assets from web-builder (CLI built to verify
   compilation, not included in final image)
-2. **Final stage**: Alpine Linux + `chatd` binary only
+4. **final**: Minimal Alpine image with only the `neoircd` binary
 ```dockerfile
 FROM golang:1.24-alpine AS builder
 WORKDIR /src
 RUN apk add --no-cache make
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 RUN go build -o /chatd ./cmd/chatd/
 RUN go build -o /chat-cli ./cmd/chat-cli/
 FROM alpine:latest
 COPY --from=builder /chatd /usr/local/bin/chatd
 EXPOSE 8080
 CMD ["chatd"]
 ```
 ### Binary
 ```bash
 # Build from source
 make build
-# Binary at ./bin/chatd
+# Binary at ./bin/neoircd
 # Run
-./bin/chatd
+./bin/neoircd
-# Listens on :8080, creates ./data.db
+# Listens on :8080, writes to /var/lib/neoirc/state.db
 ```
 ### Reverse Proxy (Production)
@@ -1731,7 +1897,7 @@ For production, run behind a TLS-terminating reverse proxy.
 **Caddy:**
 ```
-chat.example.com {
+neoirc.example.com {
    reverse_proxy localhost:8080
 }
 ```
@@ -1740,7 +1906,7 @@ chat.example.com {
 ```nginx
 server {
    listen 443 ssl;
-    server_name chat.example.com;
+    server_name neoirc.example.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
@@ -1763,15 +1929,15 @@ seconds to accommodate long-poll connections.
  string). This allows concurrent reads during writes.
 - **Single writer**: SQLite allows only one writer at a time. For high-traffic
  servers, Postgres support is planned.
- **Backup**: The database is a single file. Back it up with `sqlite3 data.db ".backup backup.db"` or just copy the file (safe with WAL mode).
+- **Backup**: The database is a single file. Back it up with `sqlite3 /var/lib/neoirc/state.db ".backup backup.db"` or just copy the file (safe with WAL mode).
- **Location**: By default, `data.db` is created in the working directory.
+- **Location**: By default, `state.db` is created in `/var/lib/neoirc/`.
  Use the `DBURL` env var to place it elsewhere.
 ---
 ## Client Development Guide
-This section explains how to write a client against the chat API. The API is
+This section explains how to write a client against the neoirc API. The API is
 designed to be simple enough that a basic client can be written in any language
 with an HTTP client library.
@@ -1952,62 +2118,102 @@ Clients should handle these message commands from the queue:
 ## Rate Limiting & Abuse Prevention
-Session creation (`POST /api/v1/session`) will require a
+### Hashcash Proof-of-Work
 Session creation (`POST /api/v1/session`) requires a
 [hashcash](https://en.wikipedia.org/wiki/Hashcash)-style proof-of-work token.
 This is the primary defense against resource exhaustion — no CAPTCHAs, no
 account registration, no IP-based rate limits that punish shared networks.
 ### How It Works
-1. Client requests a challenge: `GET /api/v1/challenge`
+1. Client fetches server info: `GET /api/v1/server` returns a `hashcash_bits`
-   ```json
+   field (e.g., `20`) indicating the required difficulty.
-   → {"nonce": "random-hex-string", "difficulty": 20, "expires": "2026-02-10T20:01:00Z"}
+2. Client computes a hashcash stamp: find a counter value such that the
-   ```
+   SHA-256 hash of the stamp string has the required number of leading zero
-2. Server returns a nonce and a required difficulty (number of leading zero
+   bits.
-   bits in the SHA-256 hash)
+3. Client includes the stamp in the `pow_token` field of the JSON request body when creating
-3. Client finds a counter value such that `SHA-256(nonce || ":" || counter)`
+   a session: `POST /api/v1/session`.
-   has the required number of leading zero bits:
+4. Server validates the stamp:
-   ```
+   - Version is `1`
-   SHA-256("a1b2c3:0")     = 0xf3a1...  (0 leading zeros — no good)
+   - Claimed bits ≥ required bits
-   SHA-256("a1b2c3:1")     = 0x8c72...  (0 leading zeros — no good)
+   - Resource matches the server name
-   ...
+   - Date is within 48 hours (not expired, not too far in the future)
-   SHA-256("a1b2c3:94217") = 0x00003a... (20 leading zero bits — success!)
+   - SHA-256 hash has the required leading zero bits
-   ```
+   - Stamp has not been used before (replay prevention)
 4. Client submits the proof with the session request:
   ```json
   POST /api/v1/session
   {"nick": "alice", "proof": {"nonce": "a1b2c3", "counter": 94217}}
   ```
 5. Server verifies:
   - Nonce was issued by this server and hasn't expired
   - Nonce hasn't been used before (prevent replay)
   - `SHA-256(nonce || ":" || counter)` has the required leading zeros
   - If valid, create the session normally
-### Adaptive Difficulty
+### Stamp Format
-The required difficulty scales with server load. Under normal conditions, the
+Standard hashcash format:
 cost is negligible (a few milliseconds of CPU). As concurrent sessions or
 session creation rate increases, difficulty rises — making bulk session creation
 exponentially more expensive for attackers while remaining cheap for legitimate
 single-user connections.
-| Server Load        | Difficulty (bits) | Approx. Client CPU |
+```
-|--------------------|-------------------|--------------------|
+1:bits:date:resource::counter
-| Normal (< 100/min) | 16                | ~1ms               |
+```
 | Elevated           | 20                | ~15ms              |
 | High               | 24                | ~250ms             |
 | Under attack       | 28+               | ~4s+               |
-Each additional bit of difficulty doubles the expected work. An attacker
+| Field      | Description |
-creating 1000 sessions at difficulty 28 needs ~4000 CPU-seconds; a legitimate
+|------------|-------------|
-user creating one session needs ~4 seconds once and never again for the
+| `1`        | Version (always `1`) |
-duration of their session.
+| `bits`     | Claimed difficulty (must be ≥ server's `hashcash_bits`) |
 | `date`     | Date stamp in `YYMMDD` or `YYMMDDHHMMSS` format (UTC) |
 | `resource` | The server name (from `GET /api/v1/server`; defaults to `neoirc`) |
 | (empty)    | Extension field (unused) |
 | `counter`  | Hex counter value found by the client to satisfy the PoW |
 **Example stamp:** `1:20:260310:neoirc::3a2f1b`
 The SHA-256 hash of this entire string must have at least 20 leading zero bits.
 ### Computing a Stamp
 ```bash
 # Pseudocode
 bits = 20
 resource = "neoirc"
 date = "260310"         # YYMMDD in UTC
 counter = 0
 loop:
    stamp = "1:{bits}:{date}:{resource}::{hex(counter)}"
    hash = SHA-256(stamp)
    if leading_zero_bits(hash) >= bits:
        return stamp
    counter++
 ```
 At difficulty 20, this requires approximately 2^20 (~1M) hash attempts on
 average, taking roughly 0.5–2 seconds on modern hardware.
 ### Client Integration
 Both the embedded web SPA and the CLI client automatically handle hashcash:
 1. Fetch `GET /api/v1/server` to read `hashcash_bits`
 2. If `hashcash_bits > 0`, compute a valid stamp
 3. Include the stamp in the `pow_token` field of the JSON body on `POST /api/v1/session`
 The web SPA uses the Web Crypto API (`crypto.subtle.digest`) for SHA-256
 computation with batched parallelism. The CLI client uses Go's `crypto/sha256`.
 ### Configuration
 Set `NEOIRC_HASHCASH_BITS` to control difficulty:
 | Value | Effect | Approx. Client CPU |
 |-------|--------|---------------------|
 | `0`   | Disabled (no proof-of-work required) | — |
 | `16`  | Light protection | ~1ms |
 | `20`  | Default — good balance | ~0.5–2s |
 | `24`  | Strong protection | ~10–30s |
 | `28`  | Very strong (may frustrate users) | ~2–10min |
 Each additional bit doubles the expected work. An attacker creating 1000
 sessions at difficulty 20 needs ~1000–2000 CPU-seconds; a legitimate user
 creating one session pays once and keeps their session.
 ### Why Hashcash and Not Rate Limits?
 - **No state to track**: No IP tables, no token buckets, no sliding windows.
-  The server only needs to verify a hash.
+  The server only needs to verify a single hash.
 - **Works through NATs and proxies**: Doesn't punish shared IPs (university
  campuses, corporate networks, Tor exits). Every client computes their own
  proof independently.
@@ -2015,36 +2221,9 @@ duration of their session.
  (one SHA-256 hash) regardless of difficulty. Only the client does more work.
 - **Fits the "no accounts" philosophy**: Proof-of-work is the cost of entry.
  No registration, no email, no phone number, no CAPTCHA. Just compute.
 - **Trivial for legitimate clients**: A single-user client pays ~1ms of CPU
  once. A botnet trying to create thousands of sessions pays exponentially more.
 - **Language-agnostic**: SHA-256 is available in every programming language.
  The proof computation is trivially implementable in any client.
 ### Challenge Endpoint (Planned)
 ```
 GET /api/v1/challenge
 ```
 **Response:** `200 OK`
 ```json
 {
  "nonce": "a1b2c3d4e5f6...",
  "difficulty": 20,
  "algorithm": "sha256",
  "expires": "2026-02-10T20:01:00Z"
 }
 ```
 | Field        | Type    | Description |
 |--------------|---------|-------------|
 | `nonce`      | string  | Server-generated random hex string (32+ chars) |
 | `difficulty` | integer | Required number of leading zero bits in the hash |
 | `algorithm`  | string  | Hash algorithm (always `sha256` for now) |
 | `expires`    | string  | ISO 8601 expiry time for this challenge |
 **Status:** Not yet implemented. Tracked for post-MVP.
 ---
 ## Roadmap
@@ -2061,7 +2240,7 @@ GET /api/v1/challenge
 - [x] NICK change with broadcast
 - [x] QUIT with broadcast and cleanup
 - [x] Embedded web SPA client
- [x] CLI client (chat-cli)
+- [x] CLI client (neoirc-cli)
 - [x] SQLite storage with WAL mode
 - [x] Docker deployment
 - [x] Prometheus metrics endpoint
@@ -2073,15 +2252,23 @@ GET /api/v1/challenge
 ### Post-MVP (Planned)
- [ ] **Hashcash proof-of-work** for session creation (abuse prevention)
+- [x] **Hashcash proof-of-work** for session creation (abuse prevention)
- [ ] **Queue pruning** — delete old queue entries per `QUEUE_MAX_AGE`
+- [x] **Client output queue pruning** — delete old client output queue entries per `QUEUE_MAX_AGE`
- [ ] **Message rotation** — enforce `MAX_HISTORY` per channel
+- [x] **Message rotation** — prune messages older than `MESSAGE_MAX_AGE`
 - [ ] **Channel modes** — enforce `+i`, `+m`, `+s`, `+t`, `+n`
 - [ ] **User channel modes** — `+o` (operator), `+v` (voice)
- [ ] **MODE command** — set/query channel and user modes
+- [x] **MODE command** — query channel and user modes (set not yet implemented)
 - [x] **NAMES command** — query channel member list
 - [x] **LIST command** — list all channels with member counts
 - [x] **WHOIS command** — query user information and channel membership
 - [x] **WHO command** — query channel user list
 - [x] **LUSERS command** — query server statistics
 - [x] **Connection registration numerics** — 001-005 sent on session creation
 - [x] **LUSERS numerics** — 251/252/254/255 sent on connect and via /LUSERS
 - [ ] **KICK command** — remove users from channels
- [ ] **Numeric replies** — send IRC numeric codes via the message queue
+- [x] **Numeric replies** — send IRC numeric codes via the message queue
-  (001 welcome, 353 NAMES, 332 TOPIC, etc.)
+  (001-005 welcome, 251-255 LUSERS, 311-319 WHOIS, 322-329 LIST/MODE,
  331-332 TOPIC, 352-353 WHO/NAMES, 366, 372-376 MOTD, 401-461 errors)
 - [ ] **Max message size enforcement** — reject oversized messages
 - [ ] **NOTICE command** — distinct from PRIVMSG (no auto-reply flag)
 - [ ] **Multi-client sessions** — add client to existing session
@@ -2101,7 +2288,7 @@ GET /api/v1/challenge
 - [ ] **Push notifications** — optional webhook/push for mobile clients
  when messages arrive during disconnect
 - [ ] **Message search** — full-text search over channel history
- [ ] **User info command** — WHOIS-equivalent for querying user metadata
+- [x] **User info command** — WHOIS for querying user info and channels
 - [ ] **Connection flood protection** — per-IP connection limits as a
  complement to hashcash
 - [ ] **Invite system** — `INVITE` command for `+i` channels
@@ -2114,19 +2301,22 @@ GET /api/v1/challenge
 Following [gohttpserver CONVENTIONS.md](https://git.eeqj.de/sneak/gohttpserver/src/branch/main/CONVENTIONS.md):
 ```
-chat/
+neoirc/
 ├── cmd/
-│   ├── chatd/              # Server binary entry point
+│   ├── neoircd/            # Server binary entry point
 │   │   └── main.go
-│   └── chat-cli/           # TUI client
+│   └── neoirc-cli/         # TUI client entry point
-│       ├── main.go         # Command handling, poll loop
+│       └── main.go         # Minimal bootstrapping (calls internal/cli)
 │       ├── ui.go           # tview-based terminal UI
 │       └── api/
 │           ├── client.go   # HTTP API client library
 │           └── types.go    # Request/response types
 ├── internal/
 │   ├── broker/             # In-memory pub/sub for long-poll notifications
 │   │   └── broker.go
 │   ├── cli/                # TUI client implementation
 │   │   ├── app.go          # App struct, command handling, poll loop
 │   │   ├── ui.go           # tview-based terminal UI
 │   │   └── api/
 │   │       ├── client.go   # HTTP API client library
 │   │       ├── types.go    # Request/response types
 │   │       └── hashcash.go # Hashcash proof-of-work minting
 │   ├── config/             # Viper-based configuration
 │   │   └── config.go
 │   ├── db/                 # Database access and migrations
@@ -2152,10 +2342,14 @@ chat/
 │       └── http.go         # HTTP timeouts
 ├── web/
 │   ├── embed.go            # go:embed directive for SPA
-│   └── dist/               # Built SPA (vanilla JS, no build step)
+│   ├── build.sh            # SPA build script (esbuild, runs in Docker)
-│       ├── index.html
+│   ├── package.json        # Node dependencies (preact, esbuild)
-│       ├── style.css
+│   ├── package-lock.json
-│       └── app.js
+│   ├── src/                # SPA source files (JSX + HTML + CSS)
 │   │   ├── app.jsx
 │   │   ├── index.html
 │   │   └── style.css
 │   └── dist/               # Generated at Docker build time (not committed)
 ├── schema/                 # JSON Schema definitions (planned)
 ├── go.mod
 ├── go.sum
@@ -2249,7 +2443,7 @@ chat/
 - IRC message envelope format with per-client queue fan-out
 - Long-polling with in-memory broker
 - Embedded web SPA client
- TUI client (chat-cli)
+- TUI client (neoirc-cli)
 - Docker image
 - Prometheus metrics
--- a/REPO_POLICIES.md
+++ b/REPO_POLICIES.md
@@ -1,6 +1,6 @@
 ---
 title: Repository Policies
-last_modified: 2026-02-22
+last_modified: 2026-03-09
 ---
 This document covers repository structure, tooling, and workflow standards. Code
@@ -98,6 +98,13 @@ style conventions are in separate documents:
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` when setting up
  a new repo.
 - **No build artifacts in version control.** Code-derived data (compiled
  bundles, minified output, generated assets) must never be committed to the
  repository if it can be avoided. The build process (e.g. Dockerfile, Makefile)
  should generate these at build time. Notable exception: Go protobuf generated
  files (`.pb.go`) ARE committed because repos need to work with `go get`, which
  downloads code but does not execute code generation.
 - Never use `git add -A` or `git add .`. Always stage files explicitly by name.
 - Never force-push to `main`.
@@ -144,8 +151,14 @@ style conventions are in separate documents:
 - Use SemVer.
 - Database migrations live in `internal/db/migrations/` and must be embedded in
-  the binary. Pre-1.0.0: modify existing migrations (no installed base assumed).
+  the binary.
-  Post-1.0.0: add new migration files.
+    - `000_migration.sql` — contains ONLY the creation of the migrations
      tracking table itself. Nothing else.
    - `001_schema.sql` — the full application schema.
    - **Pre-1.0.0:** never add additional migration files (002, 003, etc.).
      There is no installed base to migrate. Edit `001_schema.sql` directly.
    - **Post-1.0.0:** add new numbered migration files for each schema change.
      Never edit existing migrations after release.
 - All repos should have an `.editorconfig` enforcing the project's indentation
  settings.
--- a/cmd/neoirc-cli/main.go
+++ b/cmd/neoirc-cli/main.go
@@ -0,0 +1,8 @@
 // Package main is the entry point for the neoirc-cli client.
 package main
 import "git.eeqj.de/sneak/neoirc/internal/cli"
 func main() {
 	cli.Run()
 }
--- a/cmd/neoircd/main.go
+++ b/cmd/neoircd/main.go
@@ -1,21 +1,21 @@
-// Package main is the entry point for the chatd server.
+// Package main is the entry point for the neoircd server.
 package main
 import (
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/handlers"
+	"git.eeqj.de/sneak/neoirc/internal/handlers"
-	"git.eeqj.de/sneak/chat/internal/healthcheck"
+	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
-	"git.eeqj.de/sneak/chat/internal/middleware"
+	"git.eeqj.de/sneak/neoirc/internal/middleware"
-	"git.eeqj.de/sneak/chat/internal/server"
+	"git.eeqj.de/sneak/neoirc/internal/server"
 	"go.uber.org/fx"
 )
 var (
 	// Appname is the application name, set at build time.
-	Appname = "chat" //nolint:gochecknoglobals
+	Appname = "neoirc" //nolint:gochecknoglobals
 	// Version is the application version, set at build time.
 	Version string //nolint:gochecknoglobals
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-module git.eeqj.de/sneak/chat
+module git.eeqj.de/sneak/neoirc
 go 1.24.0
--- a/internal/broker/broker_test.go
+++ b/internal/broker/broker_test.go
@@ -5,7 +5,7 @@ import (
 	"testing"
 	"time"
-	"git.eeqj.de/sneak/chat/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/broker"
 )
 func TestNewBroker(t *testing.T) {
--- a/internal/cli/api/client.go
+++ b/internal/cli/api/client.go
@@ -1,5 +1,5 @@
-// Package chatapi provides a client for the chat server API.
+// Package neoircapi provides a client for the neoirc server API.
-package chatapi
+package neoircapi
 import (
 	"bytes"
@@ -13,6 +13,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 const (
@@ -23,7 +25,7 @@ const (
 var errHTTP = errors.New("HTTP error")
-// Client wraps HTTP calls to the chat server API.
+// Client wraps HTTP calls to the neoirc server API.
 type Client struct {
 	BaseURL    string
 	Token      string
@@ -41,13 +43,30 @@ func NewClient(baseURL string) *Client {
 }
 // CreateSession creates a new session on the server.
 // If the server requires hashcash proof-of-work, it
 // automatically fetches the difficulty and computes a
 // valid stamp.
 func (client *Client) CreateSession(
 	nick string,
 ) (*SessionResponse, error) {
 	// Fetch server info to check for hashcash requirement.
 	info, err := client.GetServerInfo()
 	var hashcashStamp string
 	if err == nil && info.HashcashBits > 0 {
 		resource := info.Name
 		if resource == "" {
 			resource = "neoirc"
 		}
 		hashcashStamp = MintHashcash(info.HashcashBits, resource)
 	}
 	data, err := client.do(
 		http.MethodPost,
 		"/api/v1/session",
-		&SessionRequest{Nick: nick},
+		&SessionRequest{Nick: nick, Hashcash: hashcashStamp},
 	)
 	if err != nil {
 		return nil, err
@@ -168,7 +187,7 @@ func (client *Client) PollMessages(
 func (client *Client) JoinChannel(channel string) error {
 	return client.SendMessage(
 		&Message{ //nolint:exhaustruct // only command+to needed
-			Command: "JOIN", To: channel,
+			Command: irc.CmdJoin, To: channel,
 		},
 	)
 }
@@ -177,7 +196,7 @@ func (client *Client) JoinChannel(channel string) error {
 func (client *Client) PartChannel(channel string) error {
 	return client.SendMessage(
 		&Message{ //nolint:exhaustruct // only command+to needed
-			Command: "PART", To: channel,
+			Command: irc.CmdPart, To: channel,
 		},
 	)
 }
--- a/internal/cli/api/hashcash.go
+++ b/internal/cli/api/hashcash.go
@@ -0,0 +1,79 @@
 package neoircapi
 import (
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"math/big"
 	"time"
 )
 const (
 	// bitsPerByte is the number of bits in a byte.
 	bitsPerByte = 8
 	// fullByteMask is 0xFF, a mask for all bits in a byte.
 	fullByteMask = 0xFF
 	// counterSpace is the range for random counter seeds.
 	counterSpace = 1 << 48
 )
 // MintHashcash computes a hashcash stamp with the given
 // difficulty (leading zero bits) and resource string.
 func MintHashcash(bits int, resource string) string {
 	date := time.Now().UTC().Format("060102")
 	prefix := fmt.Sprintf(
 		"1:%d:%s:%s::", bits, date, resource,
 	)
 	for {
 		counter := randomCounter()
 		stamp := prefix + counter
 		hash := sha256.Sum256([]byte(stamp))
 		if hasLeadingZeroBits(hash[:], bits) {
 			return stamp
 		}
 	}
 }
 // hasLeadingZeroBits checks if hash has at least numBits
 // leading zero bits.
 func hasLeadingZeroBits(
 	hash []byte,
 	numBits int,
 ) bool {
 	fullBytes := numBits / bitsPerByte
 	remainBits := numBits % bitsPerByte
 	for idx := range fullBytes {
 		if hash[idx] != 0 {
 			return false
 		}
 	}
 	if remainBits > 0 && fullBytes < len(hash) {
 		mask := byte(
 			fullByteMask << (bitsPerByte - remainBits),
 		)
 		if hash[fullBytes]&mask != 0 {
 			return false
 		}
 	}
 	return true
 }
 // randomCounter generates a random hex counter string.
 func randomCounter() string {
 	counterVal, err := rand.Int(
 		rand.Reader, big.NewInt(counterSpace),
 	)
 	if err != nil {
 		// Fallback to timestamp-based counter on error.
 		return fmt.Sprintf("%x", time.Now().UnixNano())
 	}
 	return hex.EncodeToString(counterVal.Bytes())
 }
--- a/internal/cli/api/types.go
+++ b/internal/cli/api/types.go
@@ -1,10 +1,11 @@
-package chatapi
+package neoircapi
 import "time"
 // SessionRequest is the body for POST /api/v1/session.
 type SessionRequest struct {
-	Nick string `json:"nick"`
+	Nick     string `json:"nick"`
 	Hashcash string `json:"pow_token,omitempty"` //nolint:tagliatelle
 }
 // SessionResponse is the response from session creation.
@@ -21,7 +22,7 @@ type StateResponse struct {
 	Channels []string `json:"channels"`
 }
-// Message represents a chat message envelope.
+// Message represents a neoirc message envelope.
 type Message struct {
 	Command string   `json:"command"`
 	From    string   `json:"from,omitempty"`
@@ -63,9 +64,10 @@ type Channel struct {
 // ServerInfo is the response from GET /api/v1/server.
 type ServerInfo struct {
-	Name    string `json:"name"`
+	Name         string `json:"name"`
-	MOTD    string `json:"motd"`
+	MOTD         string `json:"motd"`
-	Version string `json:"version"`
+	Version      string `json:"version"`
 	HashcashBits int    `json:"hashcash_bits"` //nolint:tagliatelle
 }
 // MessagesResponse wraps polling results.
--- a/cmd/chat-cli/main.go
+++ b/cmd/chat-cli/main.go
@@ -1,5 +1,5 @@
-// Package main is the entry point for the chat-cli client.
+// Package cli implements the neoirc-cli terminal client.
-package main
+package cli
 import (
 	"fmt"
@@ -8,7 +8,8 @@ import (
 	"sync"
 	"time"
-	api "git.eeqj.de/sneak/chat/cmd/chat-cli/api"
+	api "git.eeqj.de/sneak/neoirc/internal/cli/api"
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 const (
@@ -31,7 +32,8 @@ type App struct {
 	stopPoll  chan struct{}
 }
-func main() {
+// Run creates and runs the CLI application.
 func Run() {
 	app := &App{ //nolint:exhaustruct
 		ui:   NewUI(),
 		nick: "guest",
@@ -41,7 +43,7 @@ func main() {
 	app.ui.SetStatus(app.nick, "", "disconnected")
 	app.ui.AddStatus(
-		"Welcome to chat-cli — an IRC-style client",
+		"Welcome to neoirc-cli — an IRC-style client",
 	)
 	app.ui.AddStatus(
 		"Type [yellow]/connect <server-url>" +
@@ -86,7 +88,7 @@ func (a *App) handleInput(text string) {
 	}
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "PRIVMSG",
+		Command: irc.CmdPrivmsg,
 		To:      target,
 		Body:    []string{text},
 	})
@@ -138,16 +140,29 @@ func (a *App) dispatchCommand(cmd, args string) {
 		a.cmdQuery(args)
 	case "/topic":
 		a.cmdTopic(args)
 	case "/names":
 		a.cmdNames()
 	case "/list":
 		a.cmdList()
 	case "/window", "/w":
 		a.cmdWindow(args)
 	case "/quit":
 		a.cmdQuit()
 	case "/help":
 		a.cmdHelp()
 	default:
 		a.dispatchInfoCommand(cmd, args)
 	}
 }
 func (a *App) dispatchInfoCommand(cmd, args string) {
 	switch cmd {
 	case "/names":
 		a.cmdNames()
 	case "/list":
 		a.cmdList()
 	case "/motd":
 		a.cmdMotd()
 	case "/who":
 		a.cmdWho(args)
 	case "/whois":
 		a.cmdWhois(args)
 	default:
 		a.ui.AddStatus(
 			"[red]Unknown command: " + cmd,
@@ -228,7 +243,7 @@ func (a *App) cmdNick(nick string) {
 	}
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "NICK",
+		Command: irc.CmdNick,
 		Body:    []string{nick},
 	})
 	if err != nil {
@@ -363,7 +378,7 @@ func (a *App) cmdMsg(args string) {
 	}
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "PRIVMSG",
+		Command: irc.CmdPrivmsg,
 		To:      target,
 		Body:    []string{text},
 	})
@@ -421,7 +436,7 @@ func (a *App) cmdTopic(args string) {
 	if args == "" {
 		err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-			Command: "TOPIC",
+			Command: irc.CmdTopic,
 			To:      target,
 		})
 		if err != nil {
@@ -434,7 +449,7 @@ func (a *App) cmdTopic(args string) {
 	}
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "TOPIC",
+		Command: irc.CmdTopic,
 		To:      target,
 		Body:    []string{args},
 	})
@@ -510,6 +525,96 @@ func (a *App) cmdList() {
 	a.ui.AddStatus("[cyan]*** End of channel list")
 }
 func (a *App) cmdMotd() {
 	a.mu.Lock()
 	connected := a.connected
 	a.mu.Unlock()
 	if !connected {
 		a.ui.AddStatus("[red]Not connected")
 		return
 	}
 	err := a.client.SendMessage(
 		&api.Message{Command: irc.CmdMotd}, //nolint:exhaustruct
 	)
 	if err != nil {
 		a.ui.AddStatus(fmt.Sprintf(
 			"[red]MOTD failed: %v", err,
 		))
 	}
 }
 func (a *App) cmdWho(args string) {
 	a.mu.Lock()
 	connected := a.connected
 	target := a.target
 	a.mu.Unlock()
 	if !connected {
 		a.ui.AddStatus("[red]Not connected")
 		return
 	}
 	channel := args
 	if channel == "" {
 		channel = target
 	}
 	if channel == "" ||
 		!strings.HasPrefix(channel, "#") {
 		a.ui.AddStatus(
 			"[red]Usage: /who #channel",
 		)
 		return
 	}
 	err := a.client.SendMessage(
 		&api.Message{ //nolint:exhaustruct
 			Command: irc.CmdWho, To: channel,
 		},
 	)
 	if err != nil {
 		a.ui.AddStatus(fmt.Sprintf(
 			"[red]WHO failed: %v", err,
 		))
 	}
 }
 func (a *App) cmdWhois(args string) {
 	a.mu.Lock()
 	connected := a.connected
 	a.mu.Unlock()
 	if !connected {
 		a.ui.AddStatus("[red]Not connected")
 		return
 	}
 	if args == "" {
 		a.ui.AddStatus(
 			"[red]Usage: /whois <nick>",
 		)
 		return
 	}
 	err := a.client.SendMessage(
 		&api.Message{ //nolint:exhaustruct
 			Command: irc.CmdWhois, To: args,
 		},
 	)
 	if err != nil {
 		a.ui.AddStatus(fmt.Sprintf(
 			"[red]WHOIS failed: %v", err,
 		))
 	}
 }
 func (a *App) cmdWindow(args string) {
 	if args == "" {
 		a.ui.AddStatus(
@@ -550,7 +655,7 @@ func (a *App) cmdQuit() {
 	if a.connected && a.client != nil {
 		_ = a.client.SendMessage(
-			&api.Message{Command: "QUIT"}, //nolint:exhaustruct
+			&api.Message{Command: irc.CmdQuit}, //nolint:exhaustruct
 		)
 	}
@@ -564,7 +669,7 @@ func (a *App) cmdQuit() {
 func (a *App) cmdHelp() {
 	help := []string{
-		"[cyan]*** chat-cli commands:",
+		"[cyan]*** neoirc-cli commands:",
 		"  /connect <url>  — Connect to server",
 		"  /nick <name>    — Change nickname",
 		"  /join #channel  — Join channel",
@@ -574,6 +679,9 @@ func (a *App) cmdHelp() {
 		"  /topic [text]   — View/set topic",
 		"  /names          — List channel members",
 		"  /list           — List channels",
 		"  /who [#channel] — List users in channel",
 		"  /whois <nick>   — Show user info",
 		"  /motd           — Show message of the day",
 		"  /window <n>     — Switch buffer",
 		"  /quit           — Disconnect and exit",
 		"  /help           — This help",
@@ -632,19 +740,19 @@ func (a *App) handleServerMessage(msg *api.Message) {
 	a.mu.Unlock()
 	switch msg.Command {
-	case "PRIVMSG":
+	case irc.CmdPrivmsg:
 		a.handlePrivmsgEvent(msg, timestamp, myNick)
-	case "JOIN":
+	case irc.CmdJoin:
 		a.handleJoinEvent(msg, timestamp)
-	case "PART":
+	case irc.CmdPart:
 		a.handlePartEvent(msg, timestamp)
-	case "QUIT":
+	case irc.CmdQuit:
 		a.handleQuitEvent(msg, timestamp)
-	case "NICK":
+	case irc.CmdNick:
 		a.handleNickEvent(msg, timestamp, myNick)
-	case "NOTICE":
+	case irc.CmdNotice:
 		a.handleNoticeEvent(msg, timestamp)
-	case "TOPIC":
+	case irc.CmdTopic:
 		a.handleTopicEvent(msg, timestamp)
 	default:
 		a.handleDefaultEvent(msg, timestamp)
--- a/internal/cli/ui.go
+++ b/internal/cli/ui.go
@@ -1,4 +1,4 @@
-package main
+package cli
 import (
 	"fmt"
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -5,14 +5,22 @@ import (
 	"errors"
 	"log/slog"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"github.com/spf13/viper"
 	"go.uber.org/fx"
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )
 const defaultMOTD = ` _ __   ___  ___  (_)_ __ ___
 | '_ \ / _ \/ _ \ | | '__/ __|
 | | | |  __/ (_) || | | | (__
 |_| |_|\___|\___/ |_|_|  \___|
 Welcome to NeoIRC — IRC semantics over HTTP.
 Type /help for available commands.`
 // Params defines the dependencies for creating a Config.
 type Params struct {
 	fx.In
@@ -30,12 +38,14 @@ type Config struct {
 	MetricsUsername    string
 	Port               int
 	SentryDSN          string
-	MaxHistory         int
+	MessageMaxAge      string
 	MaxMessageSize     int
 	QueueMaxAge        string
 	MOTD               string
 	ServerName         string
 	FederationKey      string
 	SessionIdleTimeout string
 	HashcashBits       int
 	params             *Params
 	log                *slog.Logger
 }
@@ -56,16 +66,18 @@ func New(
 	viper.SetDefault("DEBUG", "false")
 	viper.SetDefault("MAINTENANCE_MODE", "false")
 	viper.SetDefault("PORT", "8080")
-	viper.SetDefault("DBURL", "file:./data.db?_journal_mode=WAL")
+	viper.SetDefault("DBURL", "file:///var/lib/neoirc/state.db?_journal_mode=WAL")
 	viper.SetDefault("SENTRY_DSN", "")
 	viper.SetDefault("METRICS_USERNAME", "")
 	viper.SetDefault("METRICS_PASSWORD", "")
-	viper.SetDefault("MAX_HISTORY", "10000")
+	viper.SetDefault("MESSAGE_MAX_AGE", "720h")
 	viper.SetDefault("MAX_MESSAGE_SIZE", "4096")
-	viper.SetDefault("MOTD", "")
+	viper.SetDefault("QUEUE_MAX_AGE", "720h")
 	viper.SetDefault("MOTD", defaultMOTD)
 	viper.SetDefault("SERVER_NAME", "")
 	viper.SetDefault("FEDERATION_KEY", "")
-	viper.SetDefault("SESSION_IDLE_TIMEOUT", "24h")
+	viper.SetDefault("SESSION_IDLE_TIMEOUT", "720h")
 	viper.SetDefault("NEOIRC_HASHCASH_BITS", "20")
 	err := viper.ReadInConfig()
 	if err != nil {
@@ -84,12 +96,14 @@ func New(
 		MaintenanceMode:    viper.GetBool("MAINTENANCE_MODE"),
 		MetricsUsername:    viper.GetString("METRICS_USERNAME"),
 		MetricsPassword:    viper.GetString("METRICS_PASSWORD"),
-		MaxHistory:         viper.GetInt("MAX_HISTORY"),
+		MessageMaxAge:      viper.GetString("MESSAGE_MAX_AGE"),
 		MaxMessageSize:     viper.GetInt("MAX_MESSAGE_SIZE"),
 		QueueMaxAge:        viper.GetString("QUEUE_MAX_AGE"),
 		MOTD:               viper.GetString("MOTD"),
 		ServerName:         viper.GetString("SERVER_NAME"),
 		FederationKey:      viper.GetString("FEDERATION_KEY"),
 		SessionIdleTimeout: viper.GetString("SESSION_IDLE_TIMEOUT"),
 		HashcashBits:       viper.GetInt("NEOIRC_HASHCASH_BITS"),
 		log:                log,
 		params:             &params,
 	}
--- a/internal/db/auth.go
+++ b/internal/db/auth.go
@@ -64,12 +64,14 @@ func (database *Database) RegisterUser(
 	sessionID, _ := res.LastInsertId()
 	tokenHash := hashToken(token)
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
@@ -137,12 +139,14 @@ func (database *Database) LoginUser(
 	now := time.Now()
 	tokenHash := hashToken(token)
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash, now, now)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"create login client: %w", err,
--- a/internal/db/db.go
+++ b/internal/db/db.go
@@ -12,8 +12,8 @@ import (
 	"strconv"
 	"strings"
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"go.uber.org/fx"
 	_ "github.com/joho/godotenv/autoload" // .env
@@ -87,7 +87,7 @@ func (database *Database) GetDB() *sql.DB {
 func (database *Database) connect(ctx context.Context) error {
 	dbURL := database.params.Config.DBURL
 	if dbURL == "" {
-		dbURL = "file:./data.db?_journal_mode=WAL&_busy_timeout=5000"
+		dbURL = "file:///var/lib/neoirc/state.db?_journal_mode=WAL&_busy_timeout=5000"
 	}
 	database.log.Info(
--- a/internal/db/errors.go
+++ b/internal/db/errors.go
@@ -0,0 +1,20 @@
 // Package db provides database access and migration management.
 package db
 import (
 	"errors"
 	"modernc.org/sqlite"
 	sqlite3 "modernc.org/sqlite/lib"
 )
 // IsUniqueConstraintError reports whether err is a SQLite
 // unique-constraint violation.
 func IsUniqueConstraintError(err error) bool {
 	var sqliteErr *sqlite.Error
 	if !errors.As(err, &sqliteErr) {
 		return false
 	}
 	return sqliteErr.Code() == sqlite3.SQLITE_CONSTRAINT_UNIQUE
 }
--- a/internal/db/queries.go
+++ b/internal/db/queries.go
@@ -3,12 +3,15 @@ package db
 import (
 	"context"
 	"crypto/rand"
 	"crypto/sha256"
 	"database/sql"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"strconv"
 	"time"
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
 	"github.com/google/uuid"
 )
@@ -29,18 +32,37 @@ func generateToken() (string, error) {
 	return hex.EncodeToString(buf), nil
 }
 // hashToken returns the lowercase hex-encoded SHA-256
 // digest of a plaintext token string.
 func hashToken(token string) string {
 	sum := sha256.Sum256([]byte(token))
 	return hex.EncodeToString(sum[:])
 }
 // IRCMessage is the IRC envelope for all messages.
 type IRCMessage struct {
 	ID      string          `json:"id"`
 	Command string          `json:"command"`
 	Code    int             `json:"code,omitempty"`
 	From    string          `json:"from,omitempty"`
 	To      string          `json:"to,omitempty"`
 	Params  json.RawMessage `json:"params,omitempty"`
 	Body    json.RawMessage `json:"body,omitempty"`
 	TS      string          `json:"ts"`
 	Meta    json.RawMessage `json:"meta,omitempty"`
 	DBID    int64           `json:"-"`
 }
 // isNumericCode returns true if s is exactly a 3-digit
 // IRC numeric reply code.
 func isNumericCode(s string) bool {
 	return len(s) == 3 &&
 		s[0] >= '0' && s[0] <= '9' &&
 		s[1] >= '0' && s[1] <= '9' &&
 		s[2] >= '0' && s[2] <= '9'
 }
 // ChannelInfo is a lightweight channel representation.
 type ChannelInfo struct {
 	ID    int64  `json:"id"`
@@ -92,12 +114,14 @@ func (database *Database) CreateSession(
 	sessionID, _ := res.LastInsertId()
 	tokenHash := hashToken(token)
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
@@ -130,6 +154,8 @@ func (database *Database) GetSessionByToken(
 		nick      string
 	)
 	tokenHash := hashToken(token)
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT s.id, c.id, s.nick
@@ -137,7 +163,7 @@ func (database *Database) GetSessionByToken(
 		 INNER JOIN sessions s
 		   ON s.id = c.session_id
 		 WHERE c.token = ?`,
-		token,
+		tokenHash,
 	).Scan(&sessionID, &clientID, &nick)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
@@ -491,12 +517,17 @@ func (database *Database) GetSessionChannelIDs(
 func (database *Database) InsertMessage(
 	ctx context.Context,
 	command, from, target string,
 	params json.RawMessage,
 	body json.RawMessage,
 	meta json.RawMessage,
 ) (int64, string, error) {
 	msgUUID := uuid.New().String()
 	now := time.Now().UTC()
 	if params == nil {
 		params = json.RawMessage("[]")
 	}
 	if body == nil {
 		body = json.RawMessage("[]")
 	}
@@ -508,10 +539,10 @@ func (database *Database) InsertMessage(
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO messages
 		 (uuid, command, msg_from, msg_to,
-		  body, meta, created_at)
+		  params, body, meta, created_at)
-		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
 		msgUUID, command, from, target,
-		string(body), string(meta), now)
+		string(params), string(body), string(meta), now)
 	if err != nil {
 		return 0, "", fmt.Errorf(
 			"insert message: %w", err,
@@ -578,7 +609,7 @@ func (database *Database) PollMessages(
 	rows, err := database.conn.QueryContext(ctx,
 		`SELECT cq.id, m.uuid, m.command,
 		   m.msg_from, m.msg_to,
-		   m.body, m.meta, m.created_at
+		   m.params, m.body, m.meta, m.created_at
 		 FROM client_queues cq
 		 INNER JOIN messages m
 		   ON m.id = cq.message_id
@@ -642,7 +673,7 @@ func (database *Database) queryHistory(
 	if beforeID > 0 {
 		rows, err := database.conn.QueryContext(ctx,
 			`SELECT id, uuid, command, msg_from,
-			   msg_to, body, meta, created_at
+			   msg_to, params, body, meta, created_at
 			 FROM messages
 			 WHERE msg_to = ? AND id < ?
 			   AND command = 'PRIVMSG'
@@ -659,7 +690,7 @@ func (database *Database) queryHistory(
 	rows, err := database.conn.QueryContext(ctx,
 		`SELECT id, uuid, command, msg_from,
-		   msg_to, body, meta, created_at
+		   msg_to, params, body, meta, created_at
 		 FROM messages
 		 WHERE msg_to = ?
 		   AND command = 'PRIVMSG'
@@ -684,16 +715,16 @@ func scanMessages(
 	for rows.Next() {
 		var (
-			msg        IRCMessage
+			msg                IRCMessage
-			qID        int64
+			qID                int64
-			body, meta string
+			params, body, meta string
-			createdAt  time.Time
+			createdAt          time.Time
 		)
 		err := rows.Scan(
 			&qID, &msg.ID, &msg.Command,
 			&msg.From, &msg.To,
-			&body, &meta, &createdAt,
+			&params, &body, &meta, &createdAt,
 		)
 		if err != nil {
 			return nil, fallbackQID, fmt.Errorf(
@@ -701,12 +732,25 @@ func scanMessages(
 			)
 		}
 		if params != "" && params != "[]" {
 			msg.Params = json.RawMessage(params)
 		}
 		msg.Body = json.RawMessage(body)
 		msg.Meta = json.RawMessage(meta)
 		msg.TS = createdAt.Format(time.RFC3339Nano)
 		msg.DBID = qID
 		lastQID = qID
 		if isNumericCode(msg.Command) {
 			code, _ := strconv.Atoi(msg.Command)
 			msg.Code = code
 			if mt, err := irc.FromInt(code); err == nil {
 				msg.Command = mt.Name()
 			}
 		}
 		msgs = append(msgs, msg)
 	}
@@ -943,3 +987,167 @@ func (database *Database) GetSessionChannels(
 	return scanChannels(rows)
 }
 // GetChannelCount returns the total number of channels.
 func (database *Database) GetChannelCount(
 	ctx context.Context,
 ) (int64, error) {
 	var count int64
 	err := database.conn.QueryRowContext(
 		ctx,
 		"SELECT COUNT(*) FROM channels",
 	).Scan(&count)
 	if err != nil {
 		return 0, fmt.Errorf(
 			"get channel count: %w", err,
 		)
 	}
 	return count, nil
 }
 // ChannelInfoFull contains extended channel information.
 type ChannelInfoFull struct {
 	ID          int64  `json:"id"`
 	Name        string `json:"name"`
 	Topic       string `json:"topic"`
 	MemberCount int64  `json:"memberCount"`
 }
 // ListAllChannelsWithCounts returns every channel
 // with its member count.
 func (database *Database) ListAllChannelsWithCounts(
 	ctx context.Context,
 ) ([]ChannelInfoFull, error) {
 	rows, err := database.conn.QueryContext(ctx,
 		`SELECT c.id, c.name, c.topic,
 		   COUNT(cm.session_id) AS member_count
 		 FROM channels c
 		 LEFT JOIN channel_members cm
 		   ON cm.channel_id = c.id
 		 GROUP BY c.id
 		 ORDER BY c.name`)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"list channels with counts: %w", err,
 		)
 	}
 	defer func() { _ = rows.Close() }()
 	var out []ChannelInfoFull
 	for rows.Next() {
 		var chanInfo ChannelInfoFull
 		err = rows.Scan(
 			&chanInfo.ID, &chanInfo.Name,
 			&chanInfo.Topic, &chanInfo.MemberCount,
 		)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"scan channel full: %w", err,
 			)
 		}
 		out = append(out, chanInfo)
 	}
 	err = rows.Err()
 	if err != nil {
 		return nil, fmt.Errorf("rows error: %w", err)
 	}
 	if out == nil {
 		out = []ChannelInfoFull{}
 	}
 	return out, nil
 }
 // GetChannelCreatedAt returns the creation time of a
 // channel.
 func (database *Database) GetChannelCreatedAt(
 	ctx context.Context,
 	channelID int64,
 ) (time.Time, error) {
 	var createdAt time.Time
 	err := database.conn.QueryRowContext(
 		ctx,
 		"SELECT created_at FROM channels WHERE id = ?",
 		channelID,
 	).Scan(&createdAt)
 	if err != nil {
 		return time.Time{}, fmt.Errorf(
 			"get channel created_at: %w", err,
 		)
 	}
 	return createdAt, nil
 }
 // GetSessionCreatedAt returns the creation time of a
 // session.
 func (database *Database) GetSessionCreatedAt(
 	ctx context.Context,
 	sessionID int64,
 ) (time.Time, error) {
 	var createdAt time.Time
 	err := database.conn.QueryRowContext(
 		ctx,
 		"SELECT created_at FROM sessions WHERE id = ?",
 		sessionID,
 	).Scan(&createdAt)
 	if err != nil {
 		return time.Time{}, fmt.Errorf(
 			"get session created_at: %w", err,
 		)
 	}
 	return createdAt, nil
 }
 // PruneOldQueueEntries deletes client output queue entries
 // older than cutoff and returns the number of rows removed.
 func (database *Database) PruneOldQueueEntries(
 	ctx context.Context,
 	cutoff time.Time,
 ) (int64, error) {
 	res, err := database.conn.ExecContext(ctx,
 		"DELETE FROM client_queues WHERE created_at < ?",
 		cutoff,
 	)
 	if err != nil {
 		return 0, fmt.Errorf(
 			"prune old client output queue entries: %w", err,
 		)
 	}
 	deleted, _ := res.RowsAffected()
 	return deleted, nil
 }
 // PruneOldMessages deletes messages older than cutoff and
 // returns the number of rows removed.
 func (database *Database) PruneOldMessages(
 	ctx context.Context,
 	cutoff time.Time,
 ) (int64, error) {
 	res, err := database.conn.ExecContext(ctx,
 		"DELETE FROM messages WHERE created_at < ?",
 		cutoff,
 	)
 	if err != nil {
 		return 0, fmt.Errorf(
 			"prune old messages: %w", err,
 		)
 	}
 	deleted, _ := res.RowsAffected()
 	return deleted, nil
 }
--- a/internal/db/queries_test.go
+++ b/internal/db/queries_test.go
@@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"testing"
-	"git.eeqj.de/sneak/chat/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/db"
 	_ "modernc.org/sqlite"
 )
@@ -383,7 +383,7 @@ func TestInsertMessage(t *testing.T) {
 	body := json.RawMessage(`["hello"]`)
 	dbID, msgUUID, err := database.InsertMessage(
-		ctx, "PRIVMSG", "poller", "#test", body, nil,
+		ctx, "PRIVMSG", "poller", "#test", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -417,7 +417,7 @@ func TestPollMessages(t *testing.T) {
 	body := json.RawMessage(`["hello"]`)
 	dbID, _, err := database.InsertMessage(
-		ctx, "PRIVMSG", "poller", "#test", body, nil,
+		ctx, "PRIVMSG", "poller", "#test", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -475,7 +475,7 @@ func TestGetHistory(t *testing.T) {
 	for range msgCount {
 		_, _, err := database.InsertMessage(
 			ctx, "PRIVMSG", "user", "#hist",
-			json.RawMessage(`["msg"]`), nil,
+			nil, json.RawMessage(`["msg"]`), nil,
 		)
 		if err != nil {
 			t.Fatal(err)
@@ -627,7 +627,7 @@ func TestEnqueueToClient(t *testing.T) {
 	body := json.RawMessage(`["test"]`)
 	dbID, _, err := database.InsertMessage(
-		ctx, "PRIVMSG", "sender", "#ch", body, nil,
+		ctx, "PRIVMSG", "sender", "#ch", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
--- a/internal/db/schema/001_initial.sql
+++ b/internal/db/schema/001_initial.sql
@@ -50,6 +50,7 @@ CREATE TABLE IF NOT EXISTS messages (
    command TEXT NOT NULL DEFAULT 'PRIVMSG',
    msg_from TEXT NOT NULL DEFAULT '',
    msg_to TEXT NOT NULL DEFAULT '',
    params TEXT NOT NULL DEFAULT '[]',
    body TEXT NOT NULL DEFAULT '[]',
    meta TEXT NOT NULL DEFAULT '{}',
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
--- a/internal/globals/globals.go
+++ b/internal/globals/globals.go
@@ -2,6 +2,8 @@
 package globals
 import (
 	"time"
 	"go.uber.org/fx"
 )
@@ -15,16 +17,18 @@ var (
 // Globals holds application-wide metadata.
 type Globals struct {
-	Appname string
+	Appname   string
-	Version string
+	Version   string
 	StartTime time.Time
 }
 // New creates a new Globals instance from the global state.
 func New(_ fx.Lifecycle) (*Globals, error) {
-	n := &Globals{
+	result := &Globals{
-		Appname: Appname,
+		Appname:   Appname,
-		Version: Version,
+		Version:   Version,
 		StartTime: time.Now(),
 	}
-	return n, nil
+	return result, nil
 }
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
@@ -12,19 +12,20 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
 	"testing"
 	"time"
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/handlers"
+	"git.eeqj.de/sneak/neoirc/internal/handlers"
-	"git.eeqj.de/sneak/chat/internal/healthcheck"
+	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
-	"git.eeqj.de/sneak/chat/internal/middleware"
+	"git.eeqj.de/sneak/neoirc/internal/middleware"
-	"git.eeqj.de/sneak/chat/internal/server"
+	"git.eeqj.de/sneak/neoirc/internal/server"
 	"go.uber.org/fx"
 	"go.uber.org/fx/fxtest"
 )
@@ -84,6 +85,7 @@ func newTestServer(
 				cfg.DBURL = dbURL
 				cfg.Port = 0
 				cfg.HashcashBits = 0
 				return cfg, nil
 			},
@@ -115,8 +117,9 @@ func newTestServer(
 func newTestGlobals() *globals.Globals {
 	return &globals.Globals{
-		Appname: "chat-test",
+		Appname:   "neoirc-test",
-		Version: "test",
+		Version:   "test",
 		StartTime: time.Now(),
 	}
 }
@@ -462,6 +465,22 @@ func findMessage(
 	return false
 }
 func findNumeric(
 	msgs []map[string]any,
 	numeric string,
 ) bool {
 	want, _ := strconv.Atoi(numeric)
 	for _, msg := range msgs {
 		code, ok := msg["code"].(float64)
 		if ok && int(code) == want {
 			return true
 		}
 	}
 	return false
 }
 // --- Tests ---
 func TestCreateSessionValid(t *testing.T) {
@@ -473,6 +492,47 @@ func TestCreateSessionValid(t *testing.T) {
 	}
 }
 func TestWelcomeNumeric(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("welcomer")
 	msgs, _ := tserver.pollMessages(token, 0)
 	if !findNumeric(msgs, "001") {
 		t.Fatalf(
 			"expected RPL_WELCOME (001), got %v",
 			msgs,
 		)
 	}
 }
 func TestJoinNumerics(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("jnumtest")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: joinCmd, toKey: "#numtest",
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "353") {
 		t.Fatalf(
 			"expected RPL_NAMREPLY (353), got %v",
 			msgs,
 		)
 	}
 	if !findNumeric(msgs, "366") {
 		t.Fatalf(
 			"expected RPL_ENDOFNAMES (366), got %v",
 			msgs,
 		)
 	}
 }
 func TestCreateSessionDuplicate(t *testing.T) {
 	tserver := newTestServer(t)
 	tserver.createSession("alice")
@@ -668,11 +728,23 @@ func TestJoinMissingTo(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("joiner3")
 	// Drain initial MOTD/welcome numerics.
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(
 		token, map[string]any{commandKey: joinCmd},
 	)
-	if status != http.StatusBadRequest {
+	if status != http.StatusOK {
-		t.Fatalf("expected 400, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "461") {
 		t.Fatalf(
 			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
 }
@@ -682,10 +754,10 @@ func TestChannelMessage(t *testing.T) {
 	bobToken := tserver.createSession("bob_msg")
 	tserver.sendCommand(aliceToken, map[string]any{
-		commandKey: joinCmd, toKey: "#chat",
+		commandKey: joinCmd, toKey: "#test",
 	})
 	tserver.sendCommand(bobToken, map[string]any{
-		commandKey: joinCmd, toKey: "#chat",
+		commandKey: joinCmd, toKey: "#test",
 	})
 	_, _ = tserver.pollMessages(aliceToken, 0)
@@ -695,13 +767,13 @@ func TestChannelMessage(t *testing.T) {
 		aliceToken,
 		map[string]any{
 			commandKey: privmsgCmd,
-			toKey:      "#chat",
+			toKey:      "#test",
 			bodyKey:    []string{"hello world"},
 		},
 	)
-	if status != http.StatusCreated {
+	if status != http.StatusOK {
 		t.Fatalf(
-			"expected 201, got %d: %v", status, result,
+			"expected 200, got %d: %v", status, result,
 		)
 	}
@@ -725,14 +797,25 @@ func TestMessageMissingBody(t *testing.T) {
 	token := tserver.createSession("nobody")
 	tserver.sendCommand(token, map[string]any{
-		commandKey: joinCmd, toKey: "#chat",
+		commandKey: joinCmd, toKey: "#test",
 	})
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(token, map[string]any{
-		commandKey: privmsgCmd, toKey: "#chat",
+		commandKey: privmsgCmd, toKey: "#test",
 	})
-	if status != http.StatusBadRequest {
+	if status != http.StatusOK {
-		t.Fatalf("expected 400, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "461") {
 		t.Fatalf(
 			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
 }
@@ -740,12 +823,23 @@ func TestMessageMissingTo(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("noto")
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(token, map[string]any{
 		commandKey: privmsgCmd,
 		bodyKey:    []string{"hello"},
 	})
-	if status != http.StatusBadRequest {
+	if status != http.StatusOK {
-		t.Fatalf("expected 400, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "461") {
 		t.Fatalf(
 			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
 }
@@ -759,6 +853,8 @@ func TestNonMemberCannotSend(t *testing.T) {
 		commandKey: joinCmd, toKey: "#private",
 	})
 	_, lastID := tserver.pollMessages(aliceToken, 0)
 	// Alice tries to send without joining.
 	status, _ := tserver.sendCommand(
 		aliceToken,
@@ -768,8 +864,17 @@ func TestNonMemberCannotSend(t *testing.T) {
 			bodyKey:    []string{"sneaky"},
 		},
 	)
-	if status != http.StatusForbidden {
+	if status != http.StatusOK {
-		t.Fatalf("expected 403, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(aliceToken, lastID)
 	if !findNumeric(msgs, "442") {
 		t.Fatalf(
 			"expected ERR_NOTONCHANNEL (442), got %v",
 			msgs,
 		)
 	}
 }
@@ -786,9 +891,9 @@ func TestDirectMessage(t *testing.T) {
 			bodyKey:    []string{"hey bob"},
 		},
 	)
-	if status != http.StatusCreated {
+	if status != http.StatusOK {
 		t.Fatalf(
-			"expected 201, got %d: %v", status, result,
+			"expected 200, got %d: %v", status, result,
 		)
 	}
@@ -818,13 +923,24 @@ func TestDMToNonexistentUser(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("dmsender")
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(token, map[string]any{
 		commandKey: privmsgCmd,
 		toKey:      "nobody",
 		bodyKey:    []string{"hello?"},
 	})
-	if status != http.StatusNotFound {
+	if status != http.StatusOK {
-		t.Fatalf("expected 404, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "401") {
 		t.Fatalf(
 			"expected ERR_NOSUCHNICK (401), got %v",
 			msgs,
 		)
 	}
 }
@@ -871,12 +987,23 @@ func TestNickCollision(t *testing.T) {
 	tserver.createSession("taken_nick")
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(token, map[string]any{
 		commandKey: "NICK",
 		bodyKey:    []string{"taken_nick"},
 	})
-	if status != http.StatusConflict {
+	if status != http.StatusOK {
-		t.Fatalf("expected 409, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "433") {
 		t.Fatalf(
 			"expected ERR_NICKNAMEINUSE (433), got %v",
 			msgs,
 		)
 	}
 }
@@ -884,12 +1011,23 @@ func TestNickInvalid(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("nickval")
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(token, map[string]any{
 		commandKey: "NICK",
 		bodyKey:    []string{"bad nick!"},
 	})
-	if status != http.StatusBadRequest {
+	if status != http.StatusOK {
-		t.Fatalf("expected 400, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "432") {
 		t.Fatalf(
 			"expected ERR_ERRONEUSNICKNAME (432), got %v",
 			msgs,
 		)
 	}
 }
@@ -897,11 +1035,22 @@ func TestNickEmptyBody(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("nicknobody")
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(
 		token, map[string]any{commandKey: "NICK"},
 	)
-	if status != http.StatusBadRequest {
+	if status != http.StatusOK {
-		t.Fatalf("expected 400, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "461") {
 		t.Fatalf(
 			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
 }
@@ -938,12 +1087,23 @@ func TestTopicMissingTo(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("topicnoto")
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(token, map[string]any{
 		commandKey: "TOPIC",
 		bodyKey:    []string{"topic"},
 	})
-	if status != http.StatusBadRequest {
+	if status != http.StatusOK {
-		t.Fatalf("expected 400, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "461") {
 		t.Fatalf(
 			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
 }
@@ -955,11 +1115,22 @@ func TestTopicMissingBody(t *testing.T) {
 		commandKey: joinCmd, toKey: "#topictest",
 	})
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(token, map[string]any{
 		commandKey: "TOPIC", toKey: "#topictest",
 	})
-	if status != http.StatusBadRequest {
+	if status != http.StatusOK {
-		t.Fatalf("expected 400, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "461") {
 		t.Fatalf(
 			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
 }
@@ -1027,11 +1198,22 @@ func TestUnknownCommand(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("cmdtest")
 	_, lastID := tserver.pollMessages(token, 0)
 	status, _ := tserver.sendCommand(
 		token, map[string]any{commandKey: "BOGUS"},
 	)
-	if status != http.StatusBadRequest {
+	if status != http.StatusOK {
-		t.Fatalf("expected 400, got %d", status)
+		t.Fatalf("expected 200, got %d", status)
 	}
 	msgs, _ := tserver.pollMessages(token, lastID)
 	if !findNumeric(msgs, "421") {
 		t.Fatalf(
 			"expected ERR_UNKNOWNCOMMAND (421), got %v",
 			msgs,
 		)
 	}
 }
@@ -1278,12 +1460,18 @@ func TestLongPollTimeout(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("lp_timeout")
 	// Drain initial welcome/MOTD numerics.
 	_, lastID := tserver.pollMessages(token, 0)
 	start := time.Now()
 	resp, err := doRequestAuth(
 		t,
 		http.MethodGet,
-		tserver.url(apiMessages+"?timeout=1"),
+		tserver.url(fmt.Sprintf(
 			"%s?timeout=1&after=%d",
 			apiMessages, lastID,
 		)),
 		token,
 		nil,
 	)
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -4,6 +4,8 @@ import (
 	"encoding/json"
 	"net/http"
 	"strings"
 	"git.eeqj.de/sneak/neoirc/internal/db"
 )
 const minPasswordLength = 8
@@ -80,7 +82,7 @@ func (hdlr *Handlers) handleRegister(
 		return
 	}
-	hdlr.deliverMOTD(request, clientID, sessionID)
+	hdlr.deliverMOTD(request, clientID, sessionID, payload.Nick)
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":    sessionID,
@@ -94,7 +96,7 @@ func (hdlr *Handlers) handleRegisterError(
 	request *http.Request,
 	err error,
 ) {
-	if strings.Contains(err.Error(), "UNIQUE") {
+	if db.IsUniqueConstraintError(err) {
 		hdlr.respondError(
 			writer, request,
 			"nick already taken",
@@ -162,7 +164,7 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
-	sessionID, _, token, err :=
+	sessionID, clientID, token, err :=
 		hdlr.params.Database.LoginUser(
 			request.Context(),
 			payload.Nick,
@@ -178,6 +180,16 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 	hdlr.deliverMOTD(
 		request, clientID, sessionID, payload.Nick,
 	)
 	// Initialize channel state so the new client knows
 	// which channels the session already belongs to.
 	hdlr.initChannelState(
 		request, clientID, sessionID, payload.Nick,
 	)
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":    sessionID,
 		"nick":  payload.Nick,
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -1,4 +1,4 @@
-// Package handlers provides HTTP request handlers for the chat server.
+// Package handlers provides HTTP request handlers for the neoirc server.
 package handlers
 import (
@@ -9,12 +9,13 @@ import (
 	"net/http"
 	"time"
-	"git.eeqj.de/sneak/chat/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/broker"
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/healthcheck"
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"go.uber.org/fx"
 )
@@ -31,7 +32,7 @@ type Params struct {
 	Healthcheck *healthcheck.Healthcheck
 }
-const defaultIdleTimeout = 24 * time.Hour
+const defaultIdleTimeout = 30 * 24 * time.Hour
 // Handlers manages HTTP request handling.
 type Handlers struct {
@@ -39,6 +40,7 @@ type Handlers struct {
 	log           *slog.Logger
 	hc            *healthcheck.Healthcheck
 	broker        *broker.Broker
 	hashcashVal   *hashcash.Validator
 	cancelCleanup context.CancelFunc
 }
@@ -47,11 +49,17 @@ func New(
 	lifecycle fx.Lifecycle,
 	params Params,
 ) (*Handlers, error) {
 	resource := params.Config.ServerName
 	if resource == "" {
 		resource = "neoirc"
 	}
 	hdlr := &Handlers{ //nolint:exhaustruct // cancelCleanup set in startCleanup
-		params: &params,
+		params:      &params,
-		log:    params.Logger.Get(),
+		log:         params.Logger.Get(),
-		hc:     params.Healthcheck,
+		hc:          params.Healthcheck,
-		broker: broker.New(),
+		broker:      broker.New(),
 		hashcashVal: hashcash.NewValidator(resource),
 	}
 	lifecycle.Append(fx.Hook{
@@ -200,4 +208,77 @@ func (hdlr *Handlers) runCleanup(
 			"deleted", deleted,
 		)
 	}
 	hdlr.pruneQueuesAndMessages(ctx)
 }
 // parseDurationConfig parses a Go duration string,
 // returning zero on empty input and logging on error.
 func (hdlr *Handlers) parseDurationConfig(
 	name, raw string,
 ) time.Duration {
 	if raw == "" {
 		return 0
 	}
 	dur, err := time.ParseDuration(raw)
 	if err != nil {
 		hdlr.log.Error(
 			"invalid duration config, skipping",
 			"name", name, "value", raw, "error", err,
 		)
 		return 0
 	}
 	return dur
 }
 // pruneQueuesAndMessages removes old client output queue
 // entries per QUEUE_MAX_AGE and old messages per
 // MESSAGE_MAX_AGE.
 func (hdlr *Handlers) pruneQueuesAndMessages(
 	ctx context.Context,
 ) {
 	queueMaxAge := hdlr.parseDurationConfig(
 		"QUEUE_MAX_AGE",
 		hdlr.params.Config.QueueMaxAge,
 	)
 	if queueMaxAge > 0 {
 		queueCutoff := time.Now().Add(-queueMaxAge)
 		pruned, err := hdlr.params.Database.
 			PruneOldQueueEntries(ctx, queueCutoff)
 		if err != nil {
 			hdlr.log.Error(
 				"client output queue pruning failed", "error", err,
 			)
 		} else if pruned > 0 {
 			hdlr.log.Info(
 				"pruned old client output queue entries",
 				"deleted", pruned,
 			)
 		}
 	}
 	messageMaxAge := hdlr.parseDurationConfig(
 		"MESSAGE_MAX_AGE",
 		hdlr.params.Config.MessageMaxAge,
 	)
 	if messageMaxAge > 0 {
 		msgCutoff := time.Now().Add(-messageMaxAge)
 		pruned, err := hdlr.params.Database.
 			PruneOldMessages(ctx, msgCutoff)
 		if err != nil {
 			hdlr.log.Error(
 				"message pruning failed", "error", err,
 			)
 		} else if pruned > 0 {
 			hdlr.log.Info(
 				"pruned old messages",
 				"deleted", pruned,
 			)
 		}
 	}
 }
--- a/internal/hashcash/hashcash.go
+++ b/internal/hashcash/hashcash.go
@@ -0,0 +1,277 @@
 // Package hashcash implements SHA-256-based hashcash
 // proof-of-work validation for abuse prevention.
 //
 // Stamp format: 1:bits:YYMMDD:resource::counter.
 //
 // The SHA-256 hash of the entire stamp string must have
 // at least `bits` leading zero bits.
 package hashcash
 import (
 	"crypto/sha256"
 	"errors"
 	"fmt"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 )
 const (
 	// stampVersion is the only supported hashcash version.
 	stampVersion = "1"
 	// stampFields is the number of fields in a stamp.
 	stampFields = 6
 	// maxStampAge is how old a stamp can be before
 	// rejection.
 	maxStampAge = 48 * time.Hour
 	// maxFutureSkew allows stamps slightly in the future.
 	maxFutureSkew = 1 * time.Hour
 	// pruneInterval controls how often expired stamps are
 	// removed from the spent set.
 	pruneInterval = 10 * time.Minute
 	// dateFormatShort is the YYMMDD date layout.
 	dateFormatShort = "060102"
 	// dateFormatLong is the YYMMDDHHMMSS date layout.
 	dateFormatLong = "060102150405"
 	// dateShortLen is the length of YYMMDD.
 	dateShortLen = 6
 	// dateLongLen is the length of YYMMDDHHMMSS.
 	dateLongLen = 12
 	// bitsPerByte is the number of bits in a byte.
 	bitsPerByte = 8
 	// fullByteMask is 0xFF, a mask for all bits in a byte.
 	fullByteMask = 0xFF
 )
 var (
 	errInvalidFields    = errors.New("invalid stamp field count")
 	errBadVersion       = errors.New("unsupported stamp version")
 	errInsufficientBits = errors.New("insufficient difficulty")
 	errWrongResource    = errors.New("wrong resource")
 	errStampExpired     = errors.New("stamp expired")
 	errStampFuture      = errors.New("stamp date in future")
 	errProofFailed      = errors.New("proof-of-work failed")
 	errStampReused      = errors.New("stamp already used")
 	errBadDateFormat    = errors.New("unrecognized date format")
 )
 // Validator checks hashcash stamps for validity and
 // prevents replay attacks via an in-memory spent set.
 type Validator struct {
 	resource string
 	mu       sync.Mutex
 	spent    map[string]time.Time
 }
 // NewValidator creates a Validator for the given resource.
 func NewValidator(resource string) *Validator {
 	validator := &Validator{
 		resource: resource,
 		mu:       sync.Mutex{},
 		spent:    make(map[string]time.Time),
 	}
 	go validator.pruneLoop()
 	return validator
 }
 // Validate checks a hashcash stamp. It returns nil if the
 // stamp is valid and has not been seen before.
 func (v *Validator) Validate(
 	stamp string,
 	requiredBits int,
 ) error {
 	if requiredBits <= 0 {
 		return nil
 	}
 	parts := strings.Split(stamp, ":")
 	if len(parts) != stampFields {
 		return fmt.Errorf(
 			"%w: expected %d, got %d",
 			errInvalidFields, stampFields, len(parts),
 		)
 	}
 	version := parts[0]
 	bitsStr := parts[1]
 	dateStr := parts[2]
 	resource := parts[3]
 	if err := v.validateHeader(
 		version, bitsStr, resource, requiredBits,
 	); err != nil {
 		return err
 	}
 	stampTime, err := parseStampDate(dateStr)
 	if err != nil {
 		return err
 	}
 	if err := validateTime(stampTime); err != nil {
 		return err
 	}
 	if err := validateProof(
 		stamp, requiredBits,
 	); err != nil {
 		return err
 	}
 	return v.checkAndRecordStamp(stamp, stampTime)
 }
 func (v *Validator) validateHeader(
 	version, bitsStr, resource string,
 	requiredBits int,
 ) error {
 	if version != stampVersion {
 		return fmt.Errorf(
 			"%w: %s", errBadVersion, version,
 		)
 	}
 	claimedBits, err := strconv.Atoi(bitsStr)
 	if err != nil || claimedBits < requiredBits {
 		return fmt.Errorf(
 			"%w: need %d bits",
 			errInsufficientBits, requiredBits,
 		)
 	}
 	if resource != v.resource {
 		return fmt.Errorf(
 			"%w: got %q, want %q",
 			errWrongResource, resource, v.resource,
 		)
 	}
 	return nil
 }
 func validateTime(stampTime time.Time) error {
 	now := time.Now()
 	if now.Sub(stampTime) > maxStampAge {
 		return errStampExpired
 	}
 	if stampTime.Sub(now) > maxFutureSkew {
 		return errStampFuture
 	}
 	return nil
 }
 func validateProof(stamp string, requiredBits int) error {
 	hash := sha256.Sum256([]byte(stamp))
 	if !hasLeadingZeroBits(hash[:], requiredBits) {
 		return fmt.Errorf(
 			"%w: need %d leading zero bits",
 			errProofFailed, requiredBits,
 		)
 	}
 	return nil
 }
 func (v *Validator) checkAndRecordStamp(
 	stamp string,
 	stampTime time.Time,
 ) error {
 	v.mu.Lock()
 	defer v.mu.Unlock()
 	if _, ok := v.spent[stamp]; ok {
 		return errStampReused
 	}
 	v.spent[stamp] = stampTime
 	return nil
 }
 // hasLeadingZeroBits checks if the hash has at least n
 // leading zero bits.
 func hasLeadingZeroBits(hash []byte, numBits int) bool {
 	fullBytes := numBits / bitsPerByte
 	remainBits := numBits % bitsPerByte
 	for idx := range fullBytes {
 		if hash[idx] != 0 {
 			return false
 		}
 	}
 	if remainBits > 0 && fullBytes < len(hash) {
 		mask := byte(
 			fullByteMask << (bitsPerByte - remainBits),
 		)
 		if hash[fullBytes]&mask != 0 {
 			return false
 		}
 	}
 	return true
 }
 // parseStampDate parses a hashcash date stamp.
 // Supports YYMMDD and YYMMDDHHMMSS formats.
 func parseStampDate(dateStr string) (time.Time, error) {
 	switch len(dateStr) {
 	case dateShortLen:
 		parsed, err := time.Parse(
 			dateFormatShort, dateStr,
 		)
 		if err != nil {
 			return time.Time{}, fmt.Errorf(
 				"parse date: %w", err,
 			)
 		}
 		return parsed, nil
 	case dateLongLen:
 		parsed, err := time.Parse(
 			dateFormatLong, dateStr,
 		)
 		if err != nil {
 			return time.Time{}, fmt.Errorf(
 				"parse date: %w", err,
 			)
 		}
 		return parsed, nil
 	default:
 		return time.Time{}, fmt.Errorf(
 			"%w: %q", errBadDateFormat, dateStr,
 		)
 	}
 }
 // pruneLoop periodically removes expired stamps from the
 // spent set.
 func (v *Validator) pruneLoop() {
 	ticker := time.NewTicker(pruneInterval)
 	defer ticker.Stop()
 	for range ticker.C {
 		v.prune()
 	}
 }
 func (v *Validator) prune() {
 	cutoff := time.Now().Add(-maxStampAge)
 	v.mu.Lock()
 	defer v.mu.Unlock()
 	for stamp, stampTime := range v.spent {
 		if stampTime.Before(cutoff) {
 			delete(v.spent, stamp)
 		}
 	}
 }
--- a/internal/hashcash/hashcash_test.go
+++ b/internal/hashcash/hashcash_test.go
@@ -0,0 +1,261 @@
 package hashcash_test
 import (
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"math/big"
 	"testing"
 	"time"
 	"git.eeqj.de/sneak/neoirc/internal/hashcash"
 )
 const testBits = 2
 // mintStampWithDate creates a valid hashcash stamp using
 // the given date string.
 func mintStampWithDate(
 	tb testing.TB,
 	bits int,
 	resource string,
 	date string,
 ) string {
 	tb.Helper()
 	prefix := fmt.Sprintf(
 		"1:%d:%s:%s::", bits, date, resource,
 	)
 	for {
 		counterVal, err := rand.Int(
 			rand.Reader, big.NewInt(1<<48),
 		)
 		if err != nil {
 			tb.Fatalf("random counter: %v", err)
 		}
 		stamp := prefix + hex.EncodeToString(
 			counterVal.Bytes(),
 		)
 		hash := sha256.Sum256([]byte(stamp))
 		if hasLeadingZeroBits(hash[:], bits) {
 			return stamp
 		}
 	}
 }
 // hasLeadingZeroBits checks if hash has at least numBits
 // leading zero bits. Duplicated here for test minting.
 func hasLeadingZeroBits(
 	hash []byte,
 	numBits int,
 ) bool {
 	fullBytes := numBits / 8
 	remainBits := numBits % 8
 	for idx := range fullBytes {
 		if hash[idx] != 0 {
 			return false
 		}
 	}
 	if remainBits > 0 && fullBytes < len(hash) {
 		mask := byte(0xFF << (8 - remainBits))
 		if hash[fullBytes]&mask != 0 {
 			return false
 		}
 	}
 	return true
 }
 func todayDate() string {
 	return time.Now().UTC().Format("060102")
 }
 func TestMintAndValidate(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	stamp := mintStampWithDate(
 		t, testBits, "test-resource", todayDate(),
 	)
 	err := validator.Validate(stamp, testBits)
 	if err != nil {
 		t.Fatalf("valid stamp rejected: %v", err)
 	}
 }
 func TestReplayDetection(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	stamp := mintStampWithDate(
 		t, testBits, "test-resource", todayDate(),
 	)
 	err := validator.Validate(stamp, testBits)
 	if err != nil {
 		t.Fatalf("first use failed: %v", err)
 	}
 	err = validator.Validate(stamp, testBits)
 	if err == nil {
 		t.Fatal("replay not detected")
 	}
 }
 func TestResourceMismatch(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("correct-resource")
 	stamp := mintStampWithDate(
 		t, testBits, "wrong-resource", todayDate(),
 	)
 	err := validator.Validate(stamp, testBits)
 	if err == nil {
 		t.Fatal("expected resource mismatch error")
 	}
 }
 func TestInvalidStampFormat(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	err := validator.Validate(
 		"not:a:valid:stamp", testBits,
 	)
 	if err == nil {
 		t.Fatal("expected error for bad format")
 	}
 }
 func TestBadVersion(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	stamp := fmt.Sprintf(
 		"2:%d:%s:%s::abc123",
 		testBits, todayDate(), "test-resource",
 	)
 	err := validator.Validate(stamp, testBits)
 	if err == nil {
 		t.Fatal("expected bad version error")
 	}
 }
 func TestInsufficientDifficulty(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	// Claimed bits=1, but we require testBits=2.
 	stamp := fmt.Sprintf(
 		"1:1:%s:%s::counter",
 		todayDate(), "test-resource",
 	)
 	err := validator.Validate(stamp, testBits)
 	if err == nil {
 		t.Fatal("expected insufficient bits error")
 	}
 }
 func TestExpiredStamp(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	oldDate := time.Now().Add(-72 * time.Hour).
 		UTC().Format("060102")
 	stamp := mintStampWithDate(
 		t, testBits, "test-resource", oldDate,
 	)
 	err := validator.Validate(stamp, testBits)
 	if err == nil {
 		t.Fatal("expected expired stamp error")
 	}
 }
 func TestZeroBitsSkipsValidation(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	err := validator.Validate("garbage", 0)
 	if err != nil {
 		t.Fatalf("zero bits should skip: %v", err)
 	}
 }
 func TestLongDateFormat(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	longDate := time.Now().UTC().Format("060102150405")
 	stamp := mintStampWithDate(
 		t, testBits, "test-resource", longDate,
 	)
 	err := validator.Validate(stamp, testBits)
 	if err != nil {
 		t.Fatalf("long date stamp rejected: %v", err)
 	}
 }
 func TestBadDateFormat(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	stamp := fmt.Sprintf(
 		"1:%d:BADDATE:%s::counter",
 		testBits, "test-resource",
 	)
 	err := validator.Validate(stamp, testBits)
 	if err == nil {
 		t.Fatal("expected bad date error")
 	}
 }
 func TestMultipleUniqueStamps(t *testing.T) {
 	t.Parallel()
 	validator := hashcash.NewValidator("test-resource")
 	for range 5 {
 		stamp := mintStampWithDate(
 			t, testBits, "test-resource", todayDate(),
 		)
 		err := validator.Validate(stamp, testBits)
 		if err != nil {
 			t.Fatalf("unique stamp rejected: %v", err)
 		}
 	}
 }
 func TestHigherBitsStillValid(t *testing.T) {
 	t.Parallel()
 	// Mint with bits=4 but validate requiring only 2.
 	validator := hashcash.NewValidator("test-resource")
 	stamp := mintStampWithDate(
 		t, 4, "test-resource", todayDate(),
 	)
 	err := validator.Validate(stamp, testBits)
 	if err != nil {
 		t.Fatalf(
 			"higher-difficulty stamp rejected: %v",
 			err,
 		)
 	}
 }
--- a/internal/healthcheck/healthcheck.go
+++ b/internal/healthcheck/healthcheck.go
@@ -6,10 +6,10 @@ import (
 	"log/slog"
 	"time"
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"go.uber.org/fx"
 )
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -5,7 +5,7 @@ import (
 	"log/slog"
 	"os"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"go.uber.org/fx"
 )
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -1,4 +1,4 @@
-// Package middleware provides HTTP middleware for the chat server.
+// Package middleware provides HTTP middleware for the neoirc server.
 package middleware
 import (
@@ -7,9 +7,9 @@ import (
 	"net/http"
 	"time"
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	basicauth "github.com/99designs/basicauth-go"
 	chimw "github.com/go-chi/chi/middleware"
 	"github.com/go-chi/cors"
@@ -142,20 +142,6 @@ func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	})
 }
 // Auth returns middleware that performs authentication.
 func (mware *Middleware) Auth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(
 			func(
 				writer http.ResponseWriter,
 				request *http.Request,
 			) {
 				mware.log.Info("AUTH: before request")
 				next.ServeHTTP(writer, request)
 			})
 	}
 }
 // Metrics returns middleware that records HTTP metrics.
 func (mware *Middleware) Metrics() func(http.Handler) http.Handler {
 	metricsMiddleware := ghmm.New(ghmm.Config{ //nolint:exhaustruct // optional fields
@@ -180,3 +166,36 @@ func (mware *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 		},
 	)
 }
 // cspPolicy is the Content-Security-Policy header value applied to all
 // responses.  The embedded SPA loads scripts and styles from same-origin
 // files only (no inline scripts or inline style attributes), so a strict
 // policy works without 'unsafe-inline'.
 const cspPolicy = "default-src 'self'; " +
 	"script-src 'self'; " +
 	"style-src 'self'; " +
 	"connect-src 'self'; " +
 	"img-src 'self'; " +
 	"font-src 'self'; " +
 	"object-src 'none'; " +
 	"frame-ancestors 'none'; " +
 	"base-uri 'self'; " +
 	"form-action 'self'"
 // CSP returns middleware that sets the Content-Security-Policy header on
 // every response for defense-in-depth against XSS.
 func (mware *Middleware) CSP() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(
 			func(
 				writer http.ResponseWriter,
 				request *http.Request,
 			) {
 				writer.Header().Set(
 					"Content-Security-Policy",
 					cspPolicy,
 				)
 				next.ServeHTTP(writer, request)
 			})
 	}
 }
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -5,7 +5,7 @@ import (
 	"net/http"
 	"time"
-	"git.eeqj.de/sneak/chat/web"
+	"git.eeqj.de/sneak/neoirc/web"
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi"
@@ -29,6 +29,7 @@ func (srv *Server) SetupRoutes() {
 	}
 	srv.router.Use(srv.mw.CORS())
 	srv.router.Use(srv.mw.CSP())
 	srv.router.Use(middleware.Timeout(routeTimeout))
 	if srv.sentryEnabled {
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -1,4 +1,4 @@
-// Package server implements the main HTTP server for the chat application.
+// Package server implements the main HTTP server for the neoirc application.
 package server
 import (
@@ -12,11 +12,11 @@ import (
 	"syscall"
 	"time"
-	"git.eeqj.de/sneak/chat/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/config"
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/handlers"
+	"git.eeqj.de/sneak/neoirc/internal/handlers"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
-	"git.eeqj.de/sneak/chat/internal/middleware"
+	"git.eeqj.de/sneak/neoirc/internal/middleware"
 	"go.uber.org/fx"
 	"github.com/getsentry/sentry-go"
--- a/pkg/irc/commands.go
+++ b/pkg/irc/commands.go
@@ -0,0 +1,21 @@
 package irc
 // IRC command names (RFC 1459 / RFC 2812).
 const (
 	CmdJoin    = "JOIN"
 	CmdList    = "LIST"
 	CmdLusers  = "LUSERS"
 	CmdMode    = "MODE"
 	CmdMotd    = "MOTD"
 	CmdNames   = "NAMES"
 	CmdNick    = "NICK"
 	CmdNotice  = "NOTICE"
 	CmdPart    = "PART"
 	CmdPing    = "PING"
 	CmdPong    = "PONG"
 	CmdPrivmsg = "PRIVMSG"
 	CmdQuit    = "QUIT"
 	CmdTopic   = "TOPIC"
 	CmdWho     = "WHO"
 	CmdWhois   = "WHOIS"
 )
--- a/pkg/irc/numerics.go
+++ b/pkg/irc/numerics.go
@@ -0,0 +1,391 @@
 // Package irc provides constants and utilities for the
 // IRC protocol, including numeric reply codes from
 // RFC 1459 and RFC 2812, and standard command names.
 package irc
 import (
 	"errors"
 	"fmt"
 )
 // IRCMessageType represents an IRC numeric reply or error code.
 type IRCMessageType int //nolint:revive // Name requested by project owner.
 // Name returns the standard IRC name for this numeric code
 // (e.g., IRCMessageType(252).Name() returns "RPL_LUSEROP").
 // Returns an empty string if the code is unknown.
 func (t IRCMessageType) Name() string {
 	return names[t]
 }
 // String returns the name and numeric code in angle brackets
 // (e.g., IRCMessageType(252).String() returns "RPL_LUSEROP <252>").
 // If the code is unknown, returns "UNKNOWN <NNN>".
 func (t IRCMessageType) String() string {
 	n := names[t]
 	if n == "" {
 		n = "UNKNOWN"
 	}
 	return fmt.Sprintf("%s <%03d>", n, int(t))
 }
 // Code returns the three-digit zero-padded string representation
 // of the numeric code (e.g., IRCMessageType(252).Code() returns "252").
 func (t IRCMessageType) Code() string {
 	return fmt.Sprintf("%03d", int(t))
 }
 // Int returns the bare integer value of the numeric code.
 func (t IRCMessageType) Int() int {
 	return int(t)
 }
 // ErrUnknownNumeric is returned by FromInt when the numeric code is not recognized.
 var ErrUnknownNumeric = errors.New("unknown IRC numeric code")
 // FromInt converts an integer to an IRCMessageType, returning an error
 // if the numeric code is not a known IRC reply or error code.
 func FromInt(n int) (IRCMessageType, error) {
 	t := IRCMessageType(n)
 	if _, ok := names[t]; !ok {
 		return 0, fmt.Errorf("%w: %d", ErrUnknownNumeric, n)
 	}
 	return t, nil
 }
 // Connection registration replies (001-005).
 const (
 	RplWelcome  IRCMessageType = 1
 	RplYourHost IRCMessageType = 2
 	RplCreated  IRCMessageType = 3
 	RplMyInfo   IRCMessageType = 4
 	RplBounce   IRCMessageType = 5 // RFC 2812; also known as RPL_ISUPPORT in practice
 	RplIsupport IRCMessageType = 5 // De-facto standard (same numeric as RplBounce)
 )
 // Command responses (200-399).
 const (
 	// RFC 2812 trace/stats/links replies (200-219).
 	RplTraceLink       IRCMessageType = 200
 	RplTraceConnecting IRCMessageType = 201
 	RplTraceHandshake  IRCMessageType = 202
 	RplTraceUnknown    IRCMessageType = 203
 	RplTraceOperator   IRCMessageType = 204
 	RplTraceUser       IRCMessageType = 205
 	RplTraceServer     IRCMessageType = 206
 	RplTraceService    IRCMessageType = 207
 	RplTraceNewType    IRCMessageType = 208
 	RplTraceClass      IRCMessageType = 209
 	RplStatsLinkInfo   IRCMessageType = 211
 	RplStatsCommands   IRCMessageType = 212
 	RplStatsCLine      IRCMessageType = 213
 	RplStatsNLine      IRCMessageType = 214
 	RplStatsILine      IRCMessageType = 215
 	RplStatsKLine      IRCMessageType = 216
 	RplStatsQLine      IRCMessageType = 217
 	RplStatsYLine      IRCMessageType = 218
 	RplEndOfStats      IRCMessageType = 219
 	RplUmodeIs      IRCMessageType = 221
 	RplServList     IRCMessageType = 234
 	RplServListEnd  IRCMessageType = 235
 	RplStatsLLine   IRCMessageType = 241
 	RplStatsUptime  IRCMessageType = 242
 	RplStatsOLine   IRCMessageType = 243
 	RplStatsHLine   IRCMessageType = 244
 	RplLuserClient  IRCMessageType = 251
 	RplLuserOp      IRCMessageType = 252
 	RplLuserUnknown IRCMessageType = 253
 	RplLuserChannels IRCMessageType = 254
 	RplLuserMe       IRCMessageType = 255
 	RplAdminMe       IRCMessageType = 256
 	RplAdminLoc1     IRCMessageType = 257
 	RplAdminLoc2     IRCMessageType = 258
 	RplAdminEmail    IRCMessageType = 259
 	RplTraceLog      IRCMessageType = 261
 	RplTraceEnd      IRCMessageType = 262
 	RplTryAgain      IRCMessageType = 263
 	RplAway          IRCMessageType = 301
 	RplUserHost      IRCMessageType = 302
 	RplIson          IRCMessageType = 303
 	RplUnaway        IRCMessageType = 305
 	RplNowAway       IRCMessageType = 306
 	RplWhoisUser     IRCMessageType = 311
 	RplWhoisServer   IRCMessageType = 312
 	RplWhoisOperator IRCMessageType = 313
 	RplWhoWasUser    IRCMessageType = 314
 	RplEndOfWho      IRCMessageType = 315
 	RplWhoisIdle     IRCMessageType = 317
 	RplEndOfWhois    IRCMessageType = 318
 	RplWhoisChannels IRCMessageType = 319
 	RplListStart     IRCMessageType = 321
 	RplList          IRCMessageType = 322
 	RplListEnd       IRCMessageType = 323
 	RplChannelModeIs IRCMessageType = 324
 	RplUniqOpIs        IRCMessageType = 325
 	RplCreationTime    IRCMessageType = 329
 	RplNoTopic         IRCMessageType = 331
 	RplTopic           IRCMessageType = 332
 	RplTopicWhoTime    IRCMessageType = 333
 	RplInviting        IRCMessageType = 341
 	RplSummoning       IRCMessageType = 342
 	RplInviteList      IRCMessageType = 346
 	RplEndOfInviteList IRCMessageType = 347
 	RplExceptList      IRCMessageType = 348
 	RplEndOfExceptList IRCMessageType = 349
 	RplVersion         IRCMessageType = 351
 	RplWhoReply        IRCMessageType = 352
 	RplNamReply        IRCMessageType = 353
 	RplLinks           IRCMessageType = 364
 	RplEndOfLinks      IRCMessageType = 365
 	RplEndOfNames      IRCMessageType = 366
 	RplBanList         IRCMessageType = 367
 	RplEndOfBanList    IRCMessageType = 368
 	RplEndOfWhowas     IRCMessageType = 369
 	RplInfo            IRCMessageType = 371
 	RplMotd            IRCMessageType = 372
 	RplEndOfInfo       IRCMessageType = 374
 	RplMotdStart       IRCMessageType = 375
 	RplEndOfMotd       IRCMessageType = 376
 	RplYoureOper       IRCMessageType = 381
 	RplRehashing       IRCMessageType = 382
 	RplYoureService    IRCMessageType = 383
 	RplTime            IRCMessageType = 391
 	RplUsersStart      IRCMessageType = 392
 	RplUsers           IRCMessageType = 393
 	RplEndOfUsers      IRCMessageType = 394
 	RplNoUsers         IRCMessageType = 395
 )
 // Error replies (400-599).
 const (
 	ErrNoSuchNick       IRCMessageType = 401
 	ErrNoSuchServer     IRCMessageType = 402
 	ErrNoSuchChannel    IRCMessageType = 403
 	ErrCannotSendToChan IRCMessageType = 404
 	ErrTooManyChannels  IRCMessageType = 405
 	ErrWasNoSuchNick    IRCMessageType = 406
 	ErrTooManyTargets   IRCMessageType = 407
 	ErrNoSuchService    IRCMessageType = 408
 	ErrNoOrigin         IRCMessageType = 409
 	ErrNoRecipient      IRCMessageType = 411
 	ErrNoTextToSend     IRCMessageType = 412
 	ErrNoTopLevel       IRCMessageType = 413
 	ErrWildTopLevel     IRCMessageType = 414
 	ErrBadMask          IRCMessageType = 415
 	ErrUnknownCommand   IRCMessageType = 421
 	ErrNoMotd           IRCMessageType = 422
 	ErrNoAdminInfo      IRCMessageType = 423
 	ErrFileError        IRCMessageType = 424
 	ErrNoNicknameGiven  IRCMessageType = 431
 	ErrErroneusNickname IRCMessageType = 432
 	ErrNicknameInUse    IRCMessageType = 433
 	ErrNickCollision    IRCMessageType = 436
 	ErrUnavailResource  IRCMessageType = 437
 	ErrUserNotInChannel  IRCMessageType = 441
 	ErrNotOnChannel      IRCMessageType = 442
 	ErrUserOnChannel     IRCMessageType = 443
 	ErrNoLogin           IRCMessageType = 444
 	ErrSummonDisabled    IRCMessageType = 445
 	ErrUsersDisabled     IRCMessageType = 446
 	ErrNotRegistered     IRCMessageType = 451
 	ErrNeedMoreParams    IRCMessageType = 461
 	ErrAlreadyRegistered IRCMessageType = 462
 	ErrNoPermForHost     IRCMessageType = 463
 	ErrPasswdMismatch    IRCMessageType = 464
 	ErrYoureBannedCreep  IRCMessageType = 465
 	ErrYouWillBeBanned   IRCMessageType = 466
 	ErrKeySet            IRCMessageType = 467
 	ErrChannelIsFull     IRCMessageType = 471
 	ErrUnknownMode       IRCMessageType = 472
 	ErrInviteOnlyChan    IRCMessageType = 473
 	ErrBannedFromChan    IRCMessageType = 474
 	ErrBadChannelKey     IRCMessageType = 475
 	ErrBadChanMask       IRCMessageType = 476
 	ErrNoChanModes       IRCMessageType = 477
 	ErrBanListFull       IRCMessageType = 478
 	ErrNoPrivileges      IRCMessageType = 481
 	ErrChanOpPrivsNeeded IRCMessageType = 482
 	ErrCantKillServer    IRCMessageType = 483
 	ErrRestricted        IRCMessageType = 484
 	ErrUniqOpPrivsNeeded IRCMessageType = 485
 	ErrNoOperHost        IRCMessageType = 491
 	ErrUmodeUnknownFlag IRCMessageType = 501
 	ErrUsersDoNotMatch  IRCMessageType = 502
 )
 // names maps numeric codes to their standard IRC names.
 //
 //nolint:gochecknoglobals
 var names = map[IRCMessageType]string{
 	RplWelcome:  "RPL_WELCOME",
 	RplYourHost: "RPL_YOURHOST",
 	RplCreated:  "RPL_CREATED",
 	RplMyInfo:   "RPL_MYINFO",
 	RplBounce:   "RPL_BOUNCE",
 	RplTraceLink:       "RPL_TRACELINK",
 	RplTraceConnecting: "RPL_TRACECONNECTING",
 	RplTraceHandshake:  "RPL_TRACEHANDSHAKE",
 	RplTraceUnknown:    "RPL_TRACEUNKNOWN",
 	RplTraceOperator:   "RPL_TRACEOPERATOR",
 	RplTraceUser:       "RPL_TRACEUSER",
 	RplTraceServer:     "RPL_TRACESERVER",
 	RplTraceService:    "RPL_TRACESERVICE",
 	RplTraceNewType:    "RPL_TRACENEWTYPE",
 	RplTraceClass:      "RPL_TRACECLASS",
 	RplStatsLinkInfo:   "RPL_STATSLINKINFO",
 	RplStatsCommands:   "RPL_STATSCOMMANDS",
 	RplStatsCLine:      "RPL_STATSCLINE",
 	RplStatsNLine:      "RPL_STATSNLINE",
 	RplStatsILine:      "RPL_STATSILINE",
 	RplStatsKLine:      "RPL_STATSKLINE",
 	RplStatsQLine:      "RPL_STATSQLINE",
 	RplStatsYLine:      "RPL_STATSYLINE",
 	RplEndOfStats:      "RPL_ENDOFSTATS",
 	RplUmodeIs:      "RPL_UMODEIS",
 	RplServList:     "RPL_SERVLIST",
 	RplServListEnd:  "RPL_SERVLISTEND",
 	RplStatsLLine:   "RPL_STATSLLINE",
 	RplStatsUptime:  "RPL_STATSUPTIME",
 	RplStatsOLine:   "RPL_STATSOLINE",
 	RplStatsHLine:   "RPL_STATSHLINE",
 	RplLuserClient:  "RPL_LUSERCLIENT",
 	RplLuserOp:      "RPL_LUSEROP",
 	RplLuserUnknown: "RPL_LUSERUNKNOWN",
 	RplLuserChannels: "RPL_LUSERCHANNELS",
 	RplLuserMe:       "RPL_LUSERME",
 	RplAdminMe:       "RPL_ADMINME",
 	RplAdminLoc1:     "RPL_ADMINLOC1",
 	RplAdminLoc2:     "RPL_ADMINLOC2",
 	RplAdminEmail:    "RPL_ADMINEMAIL",
 	RplTraceLog:      "RPL_TRACELOG",
 	RplTraceEnd:      "RPL_TRACEEND",
 	RplTryAgain:      "RPL_TRYAGAIN",
 	RplAway:          "RPL_AWAY",
 	RplUserHost:      "RPL_USERHOST",
 	RplIson:          "RPL_ISON",
 	RplUnaway:        "RPL_UNAWAY",
 	RplNowAway:       "RPL_NOWAWAY",
 	RplWhoisUser:     "RPL_WHOISUSER",
 	RplWhoisServer:   "RPL_WHOISSERVER",
 	RplWhoisOperator: "RPL_WHOISOPERATOR",
 	RplWhoWasUser:    "RPL_WHOWASUSER",
 	RplEndOfWho:      "RPL_ENDOFWHO",
 	RplWhoisIdle:     "RPL_WHOISIDLE",
 	RplEndOfWhois:    "RPL_ENDOFWHOIS",
 	RplWhoisChannels: "RPL_WHOISCHANNELS",
 	RplListStart:     "RPL_LISTSTART",
 	RplList:          "RPL_LIST",
 	RplListEnd:       "RPL_LISTEND", //nolint:misspell
 	RplChannelModeIs: "RPL_CHANNELMODEIS",
 	RplUniqOpIs:        "RPL_UNIQOPIS",
 	RplCreationTime:    "RPL_CREATIONTIME",
 	RplNoTopic:         "RPL_NOTOPIC",
 	RplTopic:           "RPL_TOPIC",
 	RplTopicWhoTime:    "RPL_TOPICWHOTIME",
 	RplInviting:        "RPL_INVITING",
 	RplSummoning:       "RPL_SUMMONING",
 	RplInviteList:      "RPL_INVITELIST",
 	RplEndOfInviteList: "RPL_ENDOFINVITELIST",
 	RplExceptList:      "RPL_EXCEPTLIST",
 	RplEndOfExceptList: "RPL_ENDOFEXCEPTLIST",
 	RplVersion:         "RPL_VERSION",
 	RplWhoReply:        "RPL_WHOREPLY",
 	RplNamReply:        "RPL_NAMREPLY",
 	RplLinks:           "RPL_LINKS",
 	RplEndOfLinks:      "RPL_ENDOFLINKS",
 	RplEndOfNames:      "RPL_ENDOFNAMES",
 	RplBanList:         "RPL_BANLIST",
 	RplEndOfBanList:    "RPL_ENDOFBANLIST",
 	RplEndOfWhowas:     "RPL_ENDOFWHOWAS",
 	RplInfo:            "RPL_INFO",
 	RplMotd:            "RPL_MOTD",
 	RplEndOfInfo:       "RPL_ENDOFINFO",
 	RplMotdStart:       "RPL_MOTDSTART",
 	RplEndOfMotd:       "RPL_ENDOFMOTD",
 	RplYoureOper:       "RPL_YOUREOPER",
 	RplRehashing:       "RPL_REHASHING",
 	RplYoureService:    "RPL_YOURESERVICE",
 	RplTime:            "RPL_TIME",
 	RplUsersStart:      "RPL_USERSSTART",
 	RplUsers:           "RPL_USERS",
 	RplEndOfUsers:      "RPL_ENDOFUSERS",
 	RplNoUsers:         "RPL_NOUSERS",
 	ErrNoSuchNick:       "ERR_NOSUCHNICK",
 	ErrNoSuchServer:     "ERR_NOSUCHSERVER",
 	ErrNoSuchChannel:    "ERR_NOSUCHCHANNEL",
 	ErrCannotSendToChan: "ERR_CANNOTSENDTOCHAN",
 	ErrTooManyChannels:  "ERR_TOOMANYCHANNELS",
 	ErrWasNoSuchNick:    "ERR_WASNOSUCHNICK",
 	ErrTooManyTargets:   "ERR_TOOMANYTARGETS",
 	ErrNoSuchService:    "ERR_NOSUCHSERVICE",
 	ErrNoOrigin:         "ERR_NOORIGIN",
 	ErrNoRecipient:      "ERR_NORECIPIENT",
 	ErrNoTextToSend:     "ERR_NOTEXTTOSEND",
 	ErrNoTopLevel:       "ERR_NOTOPLEVEL",
 	ErrWildTopLevel:     "ERR_WILDTOPLEVEL",
 	ErrBadMask:          "ERR_BADMASK",
 	ErrUnknownCommand:   "ERR_UNKNOWNCOMMAND",
 	ErrNoMotd:           "ERR_NOMOTD",
 	ErrNoAdminInfo:      "ERR_NOADMININFO",
 	ErrFileError:        "ERR_FILEERROR",
 	ErrNoNicknameGiven:  "ERR_NONICKNAMEGIVEN",
 	ErrErroneusNickname: "ERR_ERRONEUSNICKNAME",
 	ErrNicknameInUse:    "ERR_NICKNAMEINUSE",
 	ErrNickCollision:    "ERR_NICKCOLLISION",
 	ErrUnavailResource:  "ERR_UNAVAILRESOURCE",
 	ErrUserNotInChannel:  "ERR_USERNOTINCHANNEL",
 	ErrNotOnChannel:      "ERR_NOTONCHANNEL",
 	ErrUserOnChannel:     "ERR_USERONCHANNEL",
 	ErrNoLogin:           "ERR_NOLOGIN",
 	ErrSummonDisabled:    "ERR_SUMMONDISABLED",
 	ErrUsersDisabled:     "ERR_USERSDISABLED",
 	ErrNotRegistered:     "ERR_NOTREGISTERED",
 	ErrNeedMoreParams:    "ERR_NEEDMOREPARAMS",
 	ErrAlreadyRegistered: "ERR_ALREADYREGISTERED",
 	ErrNoPermForHost:     "ERR_NOPERMFORHOST",
 	ErrPasswdMismatch:    "ERR_PASSWDMISMATCH",
 	ErrYoureBannedCreep:  "ERR_YOUREBANNEDCREEP",
 	ErrYouWillBeBanned:   "ERR_YOUWILLBEBANNED",
 	ErrKeySet:            "ERR_KEYSET",
 	ErrChannelIsFull:     "ERR_CHANNELISFULL",
 	ErrUnknownMode:       "ERR_UNKNOWNMODE",
 	ErrInviteOnlyChan:    "ERR_INVITEONLYCHAN",
 	ErrBannedFromChan:    "ERR_BANNEDFROMCHAN",
 	ErrBadChannelKey:     "ERR_BADCHANNELKEY",
 	ErrBadChanMask:       "ERR_BADCHANMASK",
 	ErrNoChanModes:       "ERR_NOCHANMODES",
 	ErrBanListFull:       "ERR_BANLISTFULL",
 	ErrNoPrivileges:      "ERR_NOPRIVILEGES",
 	ErrChanOpPrivsNeeded: "ERR_CHANOPRIVSNEEDED",
 	ErrCantKillServer:    "ERR_CANTKILLSERVER",
 	ErrRestricted:        "ERR_RESTRICTED",
 	ErrUniqOpPrivsNeeded: "ERR_UNIQOPPRIVSNEEDED",
 	ErrNoOperHost:        "ERR_NOOPERHOST",
 	ErrUmodeUnknownFlag: "ERR_UMODEUNKNOWNFLAG",
 	ErrUsersDoNotMatch:  "ERR_USERSDONTMATCH",
 }
 // Name returns the standard IRC name for a numeric code
 // (e.g., Name(2) returns "RPL_YOURHOST"). Returns an
 // empty string if the code is unknown.
 //
 // Deprecated: Use IRCMessageType.Name() instead.
 func Name(code IRCMessageType) string {
 	return names[code]
 }
--- a/pkg/irc/numerics_test.go
+++ b/pkg/irc/numerics_test.go
@@ -0,0 +1,163 @@
 package irc_test
 import (
 	"errors"
 	"testing"
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 func TestName(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		numeric irc.IRCMessageType
 		want    string
 	}{
 		{irc.RplWelcome, "RPL_WELCOME"},
 		{irc.RplBounce, "RPL_BOUNCE"},
 		{irc.RplLuserOp, "RPL_LUSEROP"},
 		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN"},
 		{irc.ErrNicknameInUse, "ERR_NICKNAMEINUSE"},
 	}
 	for _, tc := range tests {
 		if got := tc.numeric.Name(); got != tc.want {
 			t.Errorf("IRCMessageType(%d).Name() = %q, want %q", tc.numeric.Int(), got, tc.want)
 		}
 	}
 }
 func TestString(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		numeric irc.IRCMessageType
 		want    string
 	}{
 		{irc.RplWelcome, "RPL_WELCOME <001>"},
 		{irc.RplBounce, "RPL_BOUNCE <005>"},
 		{irc.RplLuserOp, "RPL_LUSEROP <252>"},
 		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN <404>"},
 	}
 	for _, tc := range tests {
 		if got := tc.numeric.String(); got != tc.want {
 			t.Errorf("IRCMessageType(%d).String() = %q, want %q", tc.numeric.Int(), got, tc.want)
 		}
 	}
 }
 func TestCode(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		numeric irc.IRCMessageType
 		want    string
 	}{
 		{irc.RplWelcome, "001"},
 		{irc.RplBounce, "005"},
 		{irc.RplLuserOp, "252"},
 		{irc.ErrCannotSendToChan, "404"},
 	}
 	for _, tc := range tests {
 		if got := tc.numeric.Code(); got != tc.want {
 			t.Errorf("IRCMessageType(%d).Code() = %q, want %q", tc.numeric.Int(), got, tc.want)
 		}
 	}
 }
 func TestInt(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		numeric irc.IRCMessageType
 		want    int
 	}{
 		{irc.RplWelcome, 1},
 		{irc.RplBounce, 5},
 		{irc.RplLuserOp, 252},
 		{irc.ErrCannotSendToChan, 404},
 	}
 	for _, tc := range tests {
 		if got := tc.numeric.Int(); got != tc.want {
 			t.Errorf("IRCMessageType(%d).Int() = %d, want %d", tc.want, got, tc.want)
 		}
 	}
 }
 func TestFromInt_Known(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		code int
 		want irc.IRCMessageType
 	}{
 		{1, irc.RplWelcome},
 		{5, irc.RplBounce},
 		{252, irc.RplLuserOp},
 		{404, irc.ErrCannotSendToChan},
 		{433, irc.ErrNicknameInUse},
 	}
 	for _, test := range tests {
 		got, err := irc.FromInt(test.code)
 		if err != nil {
 			t.Errorf("FromInt(%d) returned unexpected error: %v", test.code, err)
 			continue
 		}
 		if got != test.want {
 			t.Errorf("FromInt(%d) = %v, want %v", test.code, got, test.want)
 		}
 	}
 }
 func TestFromInt_Unknown(t *testing.T) {
 	t.Parallel()
 	unknowns := []int{0, 999, 600, -1}
 	for _, code := range unknowns {
 		_, err := irc.FromInt(code)
 		if err == nil {
 			t.Errorf("FromInt(%d) expected error, got nil", code)
 			continue
 		}
 		if !errors.Is(err, irc.ErrUnknownNumeric) {
 			t.Errorf("FromInt(%d) error = %v, want ErrUnknownNumeric", code, err)
 		}
 	}
 }
 func TestUnknownNumeric_Name(t *testing.T) {
 	t.Parallel()
 	unknown := irc.IRCMessageType(999)
 	if got := unknown.Name(); got != "" {
 		t.Errorf("IRCMessageType(999).Name() = %q, want empty string", got)
 	}
 }
 func TestUnknownNumeric_String(t *testing.T) {
 	t.Parallel()
 	unknown := irc.IRCMessageType(999)
 	want := "UNKNOWN <999>"
 	if got := unknown.String(); got != want {
 		t.Errorf("IRCMessageType(999).String() = %q, want %q", got, want)
 	}
 }
 func TestDeprecatedNameFunc(t *testing.T) {
 	t.Parallel()
 	if got := irc.Name(irc.RplYourHost); got != "RPL_YOURHOST" {
 		t.Errorf("Name(RplYourHost) = %q, want %q", got, "RPL_YOURHOST")
 	}
 }
--- a/schema/README.md
+++ b/schema/README.md
@@ -1,6 +1,6 @@
 # Message Schemas
-JSON Schema definitions (draft 2020-12) for the chat protocol. Messages use
+JSON Schema definitions (draft 2020-12) for the neoirc protocol. Messages use
 **IRC command names and numeric reply codes** (RFC 1459/2812) encoded as JSON
 over HTTP.
--- a/schema/commands/JOIN.json
+++ b/schema/commands/JOIN.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/JOIN.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/JOIN.json",
  "title": "JOIN",
  "description": "Join a channel. C2S: request to join. S2C: notification that a user joined. RFC 1459 §4.2.1.",
  "$ref": "../message.json",
--- a/schema/commands/KICK.json
+++ b/schema/commands/KICK.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/KICK.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/KICK.json",
  "title": "KICK",
  "description": "Kick a user from a channel. RFC 1459 §4.2.8.",
  "$ref": "../message.json",
--- a/schema/commands/MODE.json
+++ b/schema/commands/MODE.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/MODE.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/MODE.json",
  "title": "MODE",
  "description": "Set or query channel/user modes. RFC 1459 §4.2.3.",
  "$ref": "../message.json",
--- a/schema/commands/NICK.json
+++ b/schema/commands/NICK.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/NICK.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/NICK.json",
  "title": "NICK",
  "description": "Change nickname. C2S: request new nick. S2C: notification of nick change. RFC 1459 §4.1.2.",
  "$ref": "../message.json",
--- a/schema/commands/NOTICE.json
+++ b/schema/commands/NOTICE.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/NOTICE.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/NOTICE.json",
  "title": "NOTICE",
  "description": "Send a notice. Like PRIVMSG but must not trigger automatic replies. RFC 1459 §4.4.2.",
  "$ref": "../message.json",
--- a/schema/commands/PART.json
+++ b/schema/commands/PART.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PART.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PART.json",
  "title": "PART",
  "description": "Leave a channel. C2S: request to leave. S2C: notification that a user left. RFC 1459 §4.2.2.",
  "$ref": "../message.json",
--- a/schema/commands/PING.json
+++ b/schema/commands/PING.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PING.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PING.json",
  "title": "PING",
  "description": "Keepalive. C2S or S2S. Server responds with PONG. RFC 1459 §4.6.2.",
  "$ref": "../message.json",
--- a/schema/commands/PONG.json
+++ b/schema/commands/PONG.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PONG.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PONG.json",
  "title": "PONG",
  "description": "Keepalive response. S2C or S2S. RFC 1459 §4.6.3.",
  "$ref": "../message.json",
--- a/schema/commands/PRIVMSG.json
+++ b/schema/commands/PRIVMSG.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PRIVMSG.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PRIVMSG.json",
  "title": "PRIVMSG",
  "description": "Send a message to a channel or user. C2S: client sends to server. S2C: server relays to recipients. RFC 1459 §4.4.1.",
  "$ref": "../message.json",
--- a/schema/commands/PUBKEY.json
+++ b/schema/commands/PUBKEY.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PUBKEY.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PUBKEY.json",
  "title": "PUBKEY",
  "description": "Announce or relay a user's public signing key. C2S: client announces key to channel or server. S2C: server relays to channel members. Protocol extension (not in RFC 1459). Body is a structured object (not an array) containing the key material.",
  "$ref": "../message.json",
--- a/schema/commands/QUIT.json
+++ b/schema/commands/QUIT.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/QUIT.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/QUIT.json",
  "title": "QUIT",
  "description": "User disconnected. S2C only. RFC 1459 §4.1.6.",
  "$ref": "../message.json",
--- a/schema/commands/TOPIC.json
+++ b/schema/commands/TOPIC.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/TOPIC.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/TOPIC.json",
  "title": "TOPIC",
  "description": "Get or set channel topic. C2S: set topic (body present) or query (body absent). S2C: topic change notification. RFC 1459 §4.2.4.",
  "$ref": "../message.json",
@@ -17,6 +17,6 @@
  },
  "required": ["command", "to"],
  "examples": [
-    { "command": "TOPIC", "from": "alice", "to": "#general", "body": ["Welcome to the chat"] }
+    { "command": "TOPIC", "from": "alice", "to": "#general", "body": ["Welcome to the channel"] }
  ]
 }
--- a/schema/message.json
+++ b/schema/message.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/message.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/message.json",
  "title": "IRC Message Envelope",
  "description": "Base envelope for all messages. Mirrors IRC wire format (RFC 1459/2812) encoded as JSON over HTTP. The 'command' field carries either an IRC command name (PRIVMSG, JOIN, etc.) or a three-digit numeric reply code (001, 353, 433, etc.).",
  "type": "object",
--- a/schema/numerics/001.json
+++ b/schema/numerics/001.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/001.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/001.json",
  "title": "001 RPL_WELCOME",
  "description": "Welcome message sent after successful session creation. RFC 2812 \u00a75.1.",
  "$ref": "../message.json",
--- a/schema/numerics/002.json
+++ b/schema/numerics/002.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/002.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/002.json",
  "title": "002 RPL_YOURHOST",
  "description": "Server host info sent after session creation. RFC 2812 \u00a75.1.",
  "$ref": "../message.json",
@@ -29,7 +29,7 @@
      "command": "002",
      "to": "alice",
      "body": [
-        "Your host is chat.example.com, running version 0.1.0"
+        "Your host is neoirc.example.com, running version 0.1.0"
      ]
    }
  ]
--- a/schema/numerics/003.json
+++ b/schema/numerics/003.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/003.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/003.json",
  "title": "003 RPL_CREATED",
  "description": "Server creation date. RFC 2812 \u00a75.1.",
  "$ref": "../message.json",
--- a/schema/numerics/004.json
+++ b/schema/numerics/004.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/004.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/004.json",
  "title": "004 RPL_MYINFO",
  "description": "Server info (name, version, available modes). RFC 2812 \u00a75.1.",
  "$ref": "../message.json",
@@ -29,7 +29,7 @@
      "command": "004",
      "to": "alice",
      "params": [
-        "chat.example.com",
+        "neoirc.example.com",
        "0.1.0",
        "o",
        "imnst+ov"
--- a/schema/numerics/322.json
+++ b/schema/numerics/322.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/322.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/322.json",
  "title": "322 RPL_LIST",
  "description": "Channel list entry. One per channel in response to LIST. RFC 1459 \u00a76.2.",
  "$ref": "../message.json",
--- a/schema/numerics/323.json
+++ b/schema/numerics/323.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/323.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/323.json",
  "title": "323 RPL_LISTEND",
  "description": "End of channel list. RFC 1459 \u00a76.2.",
  "$ref": "../message.json",
--- a/schema/numerics/332.json
+++ b/schema/numerics/332.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/332.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/332.json",
  "title": "332 RPL_TOPIC",
  "description": "Channel topic (sent on JOIN or TOPIC query). RFC 1459 \u00a76.2.",
  "$ref": "../message.json",
@@ -40,7 +40,7 @@
        "#general"
      ],
      "body": [
-        "Welcome to the chat"
+        "Welcome to the channel"
      ]
    }
  ]
--- a/schema/numerics/353.json
+++ b/schema/numerics/353.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/353.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/353.json",
  "title": "353 RPL_NAMREPLY",
  "description": "Channel member list. Sent on JOIN or NAMES query. RFC 1459 \u00a76.2.",
  "$ref": "../message.json",
--- a/schema/numerics/366.json
+++ b/schema/numerics/366.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/366.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/366.json",
  "title": "366 RPL_ENDOFNAMES",
  "description": "End of NAMES list. RFC 1459 \u00a76.2.",
  "$ref": "../message.json",
--- a/schema/numerics/372.json
+++ b/schema/numerics/372.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/372.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/372.json",
  "title": "372 RPL_MOTD",
  "description": "MOTD line. One message per line of the MOTD. RFC 2812 \u00a75.1.",
  "$ref": "../message.json",
--- a/schema/numerics/375.json
+++ b/schema/numerics/375.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/375.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/375.json",
  "title": "375 RPL_MOTDSTART",
  "description": "Start of MOTD. RFC 2812 \u00a75.1.",
  "$ref": "../message.json",
--- a/schema/numerics/376.json
+++ b/schema/numerics/376.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/376.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/376.json",
  "title": "376 RPL_ENDOFMOTD",
  "description": "End of MOTD. RFC 2812 \u00a75.1.",
  "$ref": "../message.json",
--- a/schema/numerics/401.json
+++ b/schema/numerics/401.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/401.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/401.json",
  "title": "401 ERR_NOSUCHNICK",
  "description": "No such nick/channel. RFC 1459 \u00a76.1.",
  "$ref": "../message.json",
--- a/schema/numerics/403.json
+++ b/schema/numerics/403.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/403.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/403.json",
  "title": "403 ERR_NOSUCHCHANNEL",
  "description": "No such channel. RFC 1459 \u00a76.1.",
  "$ref": "../message.json",
--- a/schema/numerics/433.json
+++ b/schema/numerics/433.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/433.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/433.json",
  "title": "433 ERR_NICKNAMEINUSE",
  "description": "Nickname is already in use. RFC 1459 \u00a76.1.",
  "$ref": "../message.json",
--- a/schema/numerics/442.json
+++ b/schema/numerics/442.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/442.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/442.json",
  "title": "442 ERR_NOTONCHANNEL",
  "description": "You're not on that channel. RFC 1459 \u00a76.1.",
  "$ref": "../message.json",
--- a/schema/numerics/482.json
+++ b/schema/numerics/482.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/482.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/482.json",
  "title": "482 ERR_CHANOPRIVSNEEDED",
  "description": "You're not channel operator. RFC 1459 \u00a76.1.",
  "$ref": "../message.json",
--- a/web/build.sh
+++ b/web/build.sh
@@ -16,19 +16,11 @@ fi
 mkdir -p dist
-# Build JS bundle
+# Build JS bundle — preact must be bundled (no CDN/external loader)
 ${NPX:+$NPX} esbuild src/app.jsx \
  --bundle \
  --minify \
  --jsx-factory=h \
  --jsx-fragment=Fragment \
  --define:process.env.NODE_ENV=\"production\" \
  --external:preact \
  --outfile=dist/app.js \
  2>/dev/null || \
 ${NPX:+$NPX} esbuild src/app.jsx \
  --bundle \
  --minify \
  --format=esm \
  --jsx-factory=h \
  --jsx-fragment=Fragment \
  --define:process.env.NODE_ENV=\"production\" \
--- a/web/dist/app.js
+++ b/web/dist/app.js
--- a/web/dist/index.html
+++ b/web/dist/index.html
@@ -1,13 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Chat</title>
  <link rel="stylesheet" href="/style.css">
 </head>
 <body>
  <div id="root"></div>
  <script src="/app.js"></script>
 </body>
 </html>
--- a/web/dist/style.css
+++ b/web/dist/style.css
@@ -1,317 +0,0 @@
 * { margin: 0; padding: 0; box-sizing: border-box; }
 :root {
  --bg: #1a1a2e;
  --bg-secondary: #16213e;
  --bg-input: #0f3460;
  --text: #e0e0e0;
  --text-muted: #888;
  --accent: #e94560;
  --accent2: #0f3460;
  --border: #2a2a4a;
  --nick: #53a8b6;
  --timestamp: #666;
  --tab-active: #e94560;
  --tab-bg: #16213e;
  --tab-hover: #1a1a3e;
  --topic-bg: #121a30;
  --unread-bg: #e94560;
  --warn: #f0ad4e;
 }
 html, body, #root {
  height: 100%;
  font-family: 'Courier New', Courier, monospace;
  font-size: 14px;
  background: var(--bg);
  color: var(--text);
 }
 /* Login screen */
 .login-screen {
  display: flex;
  flex-direction: column;
  align-items: center;
  justify-content: center;
  height: 100%;
  gap: 16px;
 }
 .login-screen h1 {
  color: var(--accent);
  font-size: 2em;
 }
 .login-screen input {
  padding: 10px 16px;
  font-size: 16px;
  font-family: inherit;
  background: var(--bg-input);
  border: 1px solid var(--border);
  color: var(--text);
  border-radius: 4px;
  width: 280px;
 }
 .login-screen button {
  padding: 10px 24px;
  font-size: 16px;
  font-family: inherit;
  background: var(--accent);
  border: none;
  color: white;
  border-radius: 4px;
  cursor: pointer;
 }
 .login-screen .error {
  color: var(--accent);
 }
 .login-screen .motd {
  color: var(--text-muted);
  max-width: 400px;
  text-align: center;
  white-space: pre-wrap;
 }
 /* Main layout */
 .app {
  display: flex;
  flex-direction: column;
  height: 100%;
 }
 /* Tab bar */
 .tab-bar {
  display: flex;
  background: var(--bg-secondary);
  border-bottom: 1px solid var(--border);
  overflow-x: auto;
  flex-shrink: 0;
  align-items: center;
 }
 .tab {
  padding: 8px 16px;
  cursor: pointer;
  border-bottom: 2px solid transparent;
  white-space: nowrap;
  color: var(--text-muted);
  user-select: none;
  position: relative;
 }
 .tab:hover {
  background: var(--tab-hover);
 }
 .tab.active {
  color: var(--text);
  border-bottom-color: var(--tab-active);
 }
 .tab .close-btn {
  margin-left: 8px;
  color: var(--text-muted);
  font-size: 12px;
 }
 .tab .close-btn:hover {
  color: var(--accent);
 }
 .tab .unread-badge {
  display: inline-block;
  background: var(--unread-bg);
  color: white;
  font-size: 10px;
  font-weight: bold;
  padding: 1px 5px;
  border-radius: 8px;
  margin-left: 6px;
  min-width: 16px;
  text-align: center;
 }
 /* Connection status */
 .connection-status {
  padding: 4px 12px;
  background: var(--warn);
  color: #1a1a2e;
  font-size: 12px;
  font-weight: bold;
  white-space: nowrap;
  flex-shrink: 0;
 }
 /* Topic bar */
 .topic-bar {
  padding: 6px 12px;
  background: var(--topic-bg);
  border-bottom: 1px solid var(--border);
  color: var(--text-muted);
  font-size: 12px;
  white-space: nowrap;
  overflow: hidden;
  text-overflow: ellipsis;
  flex-shrink: 0;
 }
 /* Content area */
 .content {
  display: flex;
  flex: 1;
  overflow: hidden;
 }
 /* Messages */
 .messages-pane {
  flex: 1;
  display: flex;
  flex-direction: column;
  overflow: hidden;
 }
 .messages {
  flex: 1;
  overflow-y: auto;
  padding: 8px 12px;
 }
 .message {
  padding: 2px 0;
  line-height: 1.4;
  word-wrap: break-word;
 }
 .message .timestamp {
  color: var(--timestamp);
  font-size: 12px;
  margin-right: 8px;
 }
 .message .nick {
  color: var(--nick);
  font-weight: bold;
  margin-right: 8px;
 }
 .message .nick::before { content: '<'; }
 .message .nick::after { content: '>'; }
 .message.system {
  color: var(--text-muted);
  font-style: italic;
 }
 .message.system .nick {
  color: var(--text-muted);
 }
 .message.system .nick::before,
 .message.system .nick::after { content: ''; }
 /* Input */
 .input-bar {
  display: flex;
  border-top: 1px solid var(--border);
  background: var(--bg-secondary);
  flex-shrink: 0;
 }
 .input-bar input {
  flex: 1;
  padding: 10px 12px;
  font-family: inherit;
  font-size: 14px;
  background: var(--bg-input);
  border: none;
  color: var(--text);
  outline: none;
 }
 .input-bar button {
  padding: 10px 16px;
  font-family: inherit;
  background: var(--accent);
  border: none;
  color: white;
  cursor: pointer;
 }
 /* User list */
 .user-list {
  width: 160px;
  background: var(--bg-secondary);
  border-left: 1px solid var(--border);
  overflow-y: auto;
  padding: 8px;
  flex-shrink: 0;
 }
 .user-list h3 {
  color: var(--text-muted);
  font-size: 11px;
  text-transform: uppercase;
  margin-bottom: 8px;
  letter-spacing: 1px;
 }
 .user-list .user {
  padding: 3px 4px;
  color: var(--nick);
  font-size: 13px;
  cursor: pointer;
 }
 .user-list .user:hover {
  background: var(--tab-hover);
 }
 /* Server tab */
 .server-messages {
  color: var(--text-muted);
  padding: 12px;
  white-space: pre-wrap;
  overflow-y: auto;
  flex: 1;
 }
 /* Channel join dialog */
 .join-dialog {
  padding: 12px;
  display: flex;
  gap: 8px;
  background: var(--bg-secondary);
  border-bottom: 1px solid var(--border);
  margin-left: auto;
 }
 .join-dialog input {
  padding: 6px 10px;
  font-family: inherit;
  font-size: 13px;
  background: var(--bg-input);
  border: 1px solid var(--border);
  color: var(--text);
  border-radius: 3px;
  width: 200px;
 }
 .join-dialog button {
  padding: 6px 14px;
  font-family: inherit;
  font-size: 13px;
  background: var(--accent2);
  border: none;
  color: var(--text);
  border-radius: 3px;
  cursor: pointer;
 }
 /* Responsive */
@media (max-width: 600px) {
  .user-list { display: none; }
  .tab { padding: 6px 10px; font-size: 13px; }
 }
--- a/web/src/app.jsx
+++ b/web/src/app.jsx
--- a/web/src/index.html
+++ b/web/src/index.html
@@ -3,11 +3,11 @@
 <head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Chat</title>
+  <title>NeoIRC</title>
  <link rel="stylesheet" href="/style.css">
 </head>
 <body>
  <div id="root"></div>
-  <script src="/app.js"></script>
+  <script type="module" src="/app.js"></script>
 </body>
 </html>
--- a/web/src/style.css
+++ b/web/src/style.css
@@ -1,317 +1,466 @@
-* { margin: 0; padding: 0; box-sizing: border-box; }
+* {
  margin: 0;
  padding: 0;
  box-sizing: border-box;
 }
 :root {
-  --bg: #1a1a2e;
+  --bg: #0a0e14;
-  --bg-secondary: #16213e;
+  --bg-panel: #0d1117;
-  --bg-input: #0f3460;
+  --bg-input: #0d1117;
-  --text: #e0e0e0;
+  --bg-tab: #161b22;
-  --text-muted: #888;
+  --bg-tab-active: #0d1117;
-  --accent: #e94560;
+  --bg-topic: #0d1117;
-  --accent2: #0f3460;
+  --text: #c9d1d9;
-  --border: #2a2a4a;
+  --text-dim: #6e7681;
-  --nick: #53a8b6;
+  --text-bright: #e6edf3;
-  --timestamp: #666;
+  --accent: #58a6ff;
-  --tab-active: #e94560;
+  --accent-dim: #1f6feb;
-  --tab-bg: #16213e;
+  --border: #21262d;
-  --tab-hover: #1a1a3e;
+  --system: #7d8590;
-  --topic-bg: #121a30;
+  --action: #d2a8ff;
-  --unread-bg: #e94560;
+  --warn: #d29922;
-  --warn: #f0ad4e;
+  --error: #f85149;
  --unread: #f0883e;
  --nick-brackets: #6e7681;
  --timestamp: #484f58;
  --input-bg: #161b22;
  --prompt: #3fb950;
  --tab-indicator: #58a6ff;
  --user-list-bg: #0d1117;
  --user-list-header: #484f58;
 }
-html, body, #root {
+html,
 body,
 #root {
  height: 100%;
-  font-family: 'Courier New', Courier, monospace;
+  font-family: "JetBrains Mono", "Cascadia Code", "Fira Code", "SF Mono",
-  font-size: 14px;
+    "Consolas", "Liberation Mono", "Courier New", monospace;
  font-size: 13px;
  background: var(--bg);
  color: var(--text);
  overflow: hidden;
 }
-/* Login screen */
+/* ============================================
   Login Screen
   ============================================ */
 .login-screen {
  display: flex;
  flex-direction: column;
  align-items: center;
  justify-content: center;
  height: 100%;
-  gap: 16px;
+  background: var(--bg);
 }
-.login-screen h1 {
+.login-box {
  color: var(--accent);
  font-size: 2em;
 }
 .login-screen input {
  padding: 10px 16px;
  font-size: 16px;
  font-family: inherit;
  background: var(--bg-input);
  border: 1px solid var(--border);
  color: var(--text);
  border-radius: 4px;
  width: 280px;
 }
 .login-screen button {
  padding: 10px 24px;
  font-size: 16px;
  font-family: inherit;
  background: var(--accent);
  border: none;
  color: white;
  border-radius: 4px;
  cursor: pointer;
 }
 .login-screen .error {
  color: var(--accent);
 }
 .login-screen .motd {
  color: var(--text-muted);
  max-width: 400px;
  text-align: center;
-  white-space: pre-wrap;
+  max-width: 360px;
  width: 100%;
  padding: 32px;
 }
-/* Main layout */
+.login-box h1 {
-.app {
+  color: var(--accent);
  font-size: 1.8em;
  margin-bottom: 16px;
  font-weight: 400;
 }
 .login-box .motd {
  color: var(--accent);
  font-size: 11px;
  margin-bottom: 20px;
  text-align: left;
  white-space: pre;
  font-family: inherit;
  line-height: 1.2;
  overflow-x: auto;
 }
 .login-box form {
  display: flex;
  flex-direction: column;
  gap: 8px;
  align-items: stretch;
 }
 .login-box label {
  color: var(--text-dim);
  text-align: left;
  font-size: 12px;
 }
 .login-box input {
  padding: 8px 12px;
  font-family: inherit;
  font-size: 14px;
  background: var(--input-bg);
  border: 1px solid var(--border);
  color: var(--text-bright);
  border-radius: 3px;
  outline: none;
 }
 .login-box input:focus {
  border-color: var(--accent-dim);
 }
 .login-box button {
  padding: 8px 16px;
  font-family: inherit;
  font-size: 14px;
  background: var(--accent-dim);
  border: none;
  color: var(--text-bright);
  border-radius: 3px;
  cursor: pointer;
  margin-top: 4px;
 }
 .login-box button:hover {
  background: var(--accent);
 }
 .login-box .error {
  color: var(--error);
  font-size: 12px;
  margin-top: 8px;
 }
 /* ============================================
   IRC App Layout
   ============================================ */
 .irc-app {
  display: flex;
  flex-direction: column;
  height: 100%;
  overflow: hidden;
 }
-/* Tab bar */
+/* ============================================
   Tab Bar
   ============================================ */
 .tab-bar {
  display: flex;
-  background: var(--bg-secondary);
+  background: var(--bg-tab);
  border-bottom: 1px solid var(--border);
  overflow-x: auto;
  flex-shrink: 0;
-  align-items: center;
+  height: 32px;
  align-items: stretch;
 }
 .tabs {
  display: flex;
  overflow-x: auto;
  flex: 1;
  scrollbar-width: none;
 }
 .tabs::-webkit-scrollbar {
  display: none;
 }
 .tab {
-  padding: 8px 16px;
+  display: flex;
  align-items: center;
  padding: 0 12px;
  cursor: pointer;
-  border-bottom: 2px solid transparent;
+  color: var(--text-dim);
  white-space: nowrap;
  color: var(--text-muted);
  user-select: none;
  border-right: 1px solid var(--border);
  font-size: 12px;
  gap: 4px;
  position: relative;
 }
 .tab:hover {
-  background: var(--tab-hover);
+  color: var(--text);
  background: rgba(255, 255, 255, 0.03);
 }
 .tab.active {
-  color: var(--text);
+  color: var(--text-bright);
-  border-bottom-color: var(--tab-active);
+  background: var(--bg-tab-active);
  border-bottom: 2px solid var(--tab-indicator);
  margin-bottom: -1px;
 }
-.tab .close-btn {
+.tab.has-unread .tab-label {
-  margin-left: 8px;
+  color: var(--unread);
  color: var(--text-muted);
  font-size: 12px;
 }
 .tab .close-btn:hover {
  color: var(--accent);
 }
 .tab .unread-badge {
  display: inline-block;
  background: var(--unread-bg);
  color: white;
  font-size: 10px;
  font-weight: bold;
  padding: 1px 5px;
  border-radius: 8px;
  margin-left: 6px;
  min-width: 16px;
  text-align: center;
 }
-/* Connection status */
+.tab .unread-count {
-.connection-status {
+  color: var(--unread);
-  padding: 4px 12px;
+  font-size: 11px;
  background: var(--warn);
  color: #1a1a2e;
  font-size: 12px;
  font-weight: bold;
-  white-space: nowrap;
+}
 .tab-close {
  color: var(--text-dim);
  font-size: 14px;
  line-height: 1;
  margin-left: 2px;
 }
 .tab-close:hover {
  color: var(--error);
 }
 .status-area {
  display: flex;
  align-items: center;
  gap: 10px;
  padding: 0 12px;
  flex-shrink: 0;
  font-size: 12px;
 }
-/* Topic bar */
+.status-nick {
  color: var(--accent);
  font-weight: bold;
 }
 .status-warn {
  color: var(--warn);
  animation: blink 1.5s ease-in-out infinite;
 }
@keyframes blink {
  0%,
  100% {
    opacity: 1;
  }
  50% {
    opacity: 0.4;
  }
 }
 /* ============================================
   Topic Bar
   ============================================ */
 .topic-bar {
-  padding: 6px 12px;
+  padding: 4px 12px;
-  background: var(--topic-bg);
+  background: var(--bg-topic);
  border-bottom: 1px solid var(--border);
  color: var(--text-muted);
  font-size: 12px;
  white-space: nowrap;
  overflow: hidden;
  text-overflow: ellipsis;
  flex-shrink: 0;
  line-height: 1.5;
 }
-/* Content area */
+.topic-label {
-.content {
+  color: var(--text-dim);
 }
 .topic-text {
  color: var(--text);
 }
 /* ============================================
   Main Content Area
   ============================================ */
 .main-area {
  display: flex;
  flex: 1;
  overflow: hidden;
  min-height: 0;
 }
-/* Messages */
+/* ============================================
-.messages-pane {
+   Messages Panel
   ============================================ */
 .messages-panel {
  flex: 1;
  display: flex;
  flex-direction: column;
  overflow: hidden;
  min-width: 0;
 }
-.messages {
+.messages-scroll {
  flex: 1;
  overflow-y: auto;
-  padding: 8px 12px;
+  padding: 4px 8px;
  scrollbar-width: thin;
  scrollbar-color: var(--border) transparent;
 }
 .messages-scroll::-webkit-scrollbar {
  width: 8px;
 }
 .messages-scroll::-webkit-scrollbar-track {
  background: transparent;
 }
 .messages-scroll::-webkit-scrollbar-thumb {
  background: var(--border);
  border-radius: 4px;
 }
 /* ============================================
   Message Lines
   ============================================ */
 .message {
-  padding: 2px 0;
+  padding: 1px 0;
  line-height: 1.4;
  white-space: pre-wrap;
  word-wrap: break-word;
  font-size: 13px;
 }
 .message .timestamp {
  color: var(--timestamp);
  font-size: 12px;
  margin-right: 8px;
 }
 .message .nick {
  color: var(--nick);
  font-weight: bold;
  margin-right: 8px;
 }
-.message .nick::before { content: '<'; }
+.message .content {
-.message .nick::after { content: '>'; }
+  color: var(--text);
 }
-.message.system {
+/* System messages (joins, parts, quits, etc.) */
-  color: var(--text-muted);
+.system-message {
  color: var(--system);
 }
 .system-message .system-text {
  color: var(--system);
 }
 /* /me action messages */
 .action-message .action-text {
  color: var(--action);
 }
 /* ============================================
   User List (Right Panel)
   ============================================ */
 .user-list {
  width: 160px;
  background: var(--user-list-bg);
  border-left: 1px solid var(--border);
  display: flex;
  flex-direction: column;
  flex-shrink: 0;
  overflow: hidden;
 }
 .user-list-header {
  padding: 6px 10px;
  color: var(--user-list-header);
  font-size: 11px;
  text-transform: uppercase;
  letter-spacing: 0.5px;
  border-bottom: 1px solid var(--border);
  flex-shrink: 0;
 }
 .user-list-entries {
  overflow-y: auto;
  padding: 4px 0;
  flex: 1;
  scrollbar-width: thin;
  scrollbar-color: var(--border) transparent;
 }
 .nick-entry {
  padding: 2px 10px;
  font-size: 12px;
  cursor: pointer;
  white-space: nowrap;
  overflow: hidden;
  text-overflow: ellipsis;
  line-height: 1.5;
 }
 .nick-entry:hover {
  background: rgba(255, 255, 255, 0.04);
 }
 .nick-prefix {
  color: var(--text-dim);
  display: inline-block;
  width: 1ch;
  text-align: right;
  margin-right: 1px;
 }
 .nick-name {
  font-weight: normal;
 }
 /* ============================================
   Input Line (Bottom)
   ============================================ */
 .input-line {
  display: flex;
  align-items: center;
  background: var(--input-bg);
  border-top: 1px solid var(--border);
  flex-shrink: 0;
  height: 36px;
  padding: 0 8px;
  gap: 6px;
 }
 .input-prompt {
  color: var(--prompt);
  font-size: 13px;
  flex-shrink: 0;
  white-space: nowrap;
 }
 .input-line input {
  flex: 1;
  padding: 4px 0;
  font-family: inherit;
  font-size: 13px;
  background: transparent;
  border: none;
  color: var(--text-bright);
  outline: none;
  caret-color: var(--accent);
 }
 .input-line input::placeholder {
  color: var(--text-dim);
  font-style: italic;
 }
-.message.system .nick {
+/* ============================================
-  color: var(--text-muted);
+   Responsive
-}
+   ============================================ */
 .message.system .nick::before,
 .message.system .nick::after { content: ''; }
 /* Input */
 .input-bar {
  display: flex;
  border-top: 1px solid var(--border);
  background: var(--bg-secondary);
  flex-shrink: 0;
 }
 .input-bar input {
  flex: 1;
  padding: 10px 12px;
  font-family: inherit;
  font-size: 14px;
  background: var(--bg-input);
  border: none;
  color: var(--text);
  outline: none;
 }
 .input-bar button {
  padding: 10px 16px;
  font-family: inherit;
  background: var(--accent);
  border: none;
  color: white;
  cursor: pointer;
 }
 /* User list */
 .user-list {
  width: 160px;
  background: var(--bg-secondary);
  border-left: 1px solid var(--border);
  overflow-y: auto;
  padding: 8px;
  flex-shrink: 0;
 }
 .user-list h3 {
  color: var(--text-muted);
  font-size: 11px;
  text-transform: uppercase;
  margin-bottom: 8px;
  letter-spacing: 1px;
 }
 .user-list .user {
  padding: 3px 4px;
  color: var(--nick);
  font-size: 13px;
  cursor: pointer;
 }
 .user-list .user:hover {
  background: var(--tab-hover);
 }
 /* Server tab */
 .server-messages {
  color: var(--text-muted);
  padding: 12px;
  white-space: pre-wrap;
  overflow-y: auto;
  flex: 1;
 }
 /* Channel join dialog */
 .join-dialog {
  padding: 12px;
  display: flex;
  gap: 8px;
  background: var(--bg-secondary);
  border-bottom: 1px solid var(--border);
  margin-left: auto;
 }
 .join-dialog input {
  padding: 6px 10px;
  font-family: inherit;
  font-size: 13px;
  background: var(--bg-input);
  border: 1px solid var(--border);
  color: var(--text);
  border-radius: 3px;
  width: 200px;
 }
 .join-dialog button {
  padding: 6px 14px;
  font-family: inherit;
  font-size: 13px;
  background: var(--accent2);
  border: none;
  color: var(--text);
  border-radius: 3px;
  cursor: pointer;
 }
 /* Responsive */
@media (max-width: 600px) {
-  .user-list { display: none; }
+  .user-list {
-  .tab { padding: 6px 10px; font-size: 13px; }
+    display: none;
  }
  .tab {
    padding: 0 8px;
    font-size: 11px;
  }
  .input-prompt {
    font-size: 12px;
  }
 }
`@@ -1,4 +1,4 @@`
	`module git.eeqj.de/sneak/chat`	`module git.eeqj.de/sneak/neoirc`

	`go 1.24.0`	`go 1.24.0`