feat: add IRC wire protocol listener with shared service layer

Add a traditional IRC wire protocol listener (RFC 1459/2812) on
configurable port (default :6667), sharing business logic with
the HTTP API via a new service layer.

- IRC listener: NICK, USER, PASS, JOIN, PART, PRIVMSG, NOTICE,
  TOPIC, MODE, KICK, QUIT, NAMES, LIST, WHOIS, WHO, AWAY, OPER,
  INVITE, LUSERS, MOTD, PING/PONG, CAP
- Service layer: shared logic for both transports including
  channel join (with Tier 2 checks: ban/invite/key/limit),
  message send (with ban + moderation checks), nick change,
  topic, kick, mode, quit broadcast, away, oper, invite
- BroadcastQuit uses FanOut pattern (one insert, N enqueues)
- HTTP handlers delegate to service for all command logic
- Tier 2 mode operations (+b/+i/+s/+k/+l) use service methods

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.dockerignore

@@ -1,8 +1,8 @@
 .git
 *.md
 !README.md
-chatd
-chat-cli
+neoircd
+neoirc-cli
 data.db
 data.db-wal
 data.db-shm

.gitignore

@@ -21,7 +21,8 @@ node_modules/
 *.key
 
 # Build artifacts
-/chatd
+web/dist/
+/neoircd
 /bin/
 *.exe
 *.dll
@@ -34,5 +35,5 @@ vendor/
 # Project
 data.db
 debug.log
-/chat-cli
+/neoirc-cli
 web/node_modules/

AGENTS.md

@@ -5,7 +5,7 @@
 1. **Format**: `gofmt -s -w .` and `goimports -w .`
 2. **Lint**: `golangci-lint run --config .golangci.yml ./...` — zero issues
 3. **Test**: `go test -race ./...` — all passing
-4. **Build**: `go build ./cmd/chatd` — compiles clean
+4. **Build**: `go build ./cmd/neoircd` — compiles clean
 
 No commit lands on main with lint errors, test failures, or formatting issues.
 

Dockerfile

@@ -1,42 +1,59 @@
+# Web build stage — compile SPA from source
+# node:22-alpine, 2026-03-09
+FROM node@sha256:8094c002d08262dba12645a3b4a15cd6cd627d30bc782f53229a2ec13ee22a00 AS web-builder
+WORKDIR /web
+COPY web/package.json web/package-lock.json ./
+RUN npm ci
+COPY web/src/ src/
+COPY web/build.sh build.sh
+RUN sh build.sh
+
 # Lint stage — fast feedback on formatting and lint issues
-# golangci/golangci-lint:v2.1.6
+# golangci/golangci-lint:v2.1.6, 2026-03-02
 FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
 WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
+# Create placeholder files so //go:embed dist/* in web/embed.go resolves
+# without depending on the web-builder stage (lint should fail fast)
+RUN mkdir -p web/dist && touch web/dist/index.html web/dist/style.css web/dist/app.js
 RUN make fmt-check
 RUN make lint
 
-# Build stage — tests and compilation
+# Build stage
 # golang:1.24-alpine, 2026-02-26
 FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
 WORKDIR /src
 RUN apk add --no-cache git build-base make
 
-# Force BuildKit to run the lint stage by creating a stage dependency
+# Force BuildKit to run the lint stage before proceeding
 COPY --from=lint /src/go.sum /dev/null
 
 COPY go.mod go.sum ./
 RUN go mod download
 
 COPY . .
+COPY --from=web-builder /web/dist/ web/dist/
 
 RUN make test
 
 # Build static binaries (no cgo needed at runtime — modernc.org/sqlite is pure Go)
 ARG VERSION=dev
-RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o /chatd ./cmd/chatd/
-RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /chat-cli ./cmd/chat-cli/
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o /neoircd ./cmd/neoircd/
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /neoirc-cli ./cmd/neoirc-cli/
 
+# Runtime stage
 # alpine:3.21, 2026-02-26
 FROM alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
 RUN apk add --no-cache ca-certificates \
-    && addgroup -S chat && adduser -S chat -G chat
-COPY --from=builder /chatd /usr/local/bin/chatd
+    && addgroup -S neoirc && adduser -S neoirc -G neoirc \
+    && mkdir -p /var/lib/neoirc \
+    && chown neoirc:neoirc /var/lib/neoirc
+COPY --from=builder /neoircd /usr/local/bin/neoircd
 
-USER chat
-EXPOSE 8080
+USER neoirc
+EXPOSE 8080 6667
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
     CMD wget -qO- http://localhost:8080/.well-known/healthcheck.json || exit 1
-ENTRYPOINT ["chatd"]
+ENTRYPOINT ["neoircd"]

Makefile

@@ -1,16 +1,27 @@
-.PHONY: all build lint fmt fmt-check test check clean run debug docker hooks
+.PHONY: all build lint fmt fmt-check test check clean run debug docker hooks ensure-web-dist
 
-BINARY := chatd
+BINARY := neoircd
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
 BUILDARCH := $(shell go env GOARCH)
 LDFLAGS := -X main.Version=$(VERSION) -X main.Buildarch=$(BUILDARCH)
 
 all: check build
 
-build:
-	go build -ldflags "$(LDFLAGS)" -o bin/$(BINARY) ./cmd/chatd
+# ensure-web-dist creates placeholder files so //go:embed dist/* in
+# web/embed.go resolves without a full Node.js build.  The real SPA is
+# built by the web-builder Docker stage; these placeholders let
+# "make test" and "make build" work outside Docker.
+ensure-web-dist:
+	@if [ ! -d web/dist ]; then \
+		mkdir -p web/dist && \
+		touch web/dist/index.html web/dist/style.css web/dist/app.js && \
+		echo "==> Created placeholder web/dist/ for go:embed"; \
+	fi
 
-lint:
+build: ensure-web-dist
+	go build -ldflags "$(LDFLAGS)" -o bin/$(BINARY) ./cmd/neoircd
+
+lint: ensure-web-dist
 	golangci-lint run --config .golangci.yml ./...
 
 fmt:
@@ -20,14 +31,14 @@ fmt:
 fmt-check:
 	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
 
-test:
-	go test -timeout 30s -v -race -cover ./...
+test: ensure-web-dist
+	go test -timeout 30s -race -cover ./... || go test -timeout 30s -race -v ./...
 
 # check runs all validation without making changes
 # Used by CI and Docker build — fails if anything is wrong
 check: test lint fmt-check
 	@echo "==> Building..."
-	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/chatd
+	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/neoircd
 	@echo "==> All checks passed!"
 
 run: build
@@ -37,10 +48,10 @@ debug: build
 	DEBUG=1 GOTRACEBACK=all ./bin/$(BINARY)
 
 clean:
-	rm -rf bin/ chatd data.db
+	rm -rf bin/ neoircd
 
 docker:
-	docker build -t chat .
+	docker build -t neoirc .
 
 hooks:
 	@printf '#!/bin/sh\nset -e\n' > .git/hooks/pre-commit

REPO_POLICIES.md

@@ -1,6 +1,6 @@
 ---
 title: Repository Policies
-last_modified: 2026-02-22
+last_modified: 2026-03-09
 ---
 
 This document covers repository structure, tooling, and workflow standards. Code
@@ -98,6 +98,13 @@ style conventions are in separate documents:
   `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` when setting up
   a new repo.
 
+- **No build artifacts in version control.** Code-derived data (compiled
+  bundles, minified output, generated assets) must never be committed to the
+  repository if it can be avoided. The build process (e.g. Dockerfile, Makefile)
+  should generate these at build time. Notable exception: Go protobuf generated
+  files (`.pb.go`) ARE committed because repos need to work with `go get`, which
+  downloads code but does not execute code generation.
+
 - Never use `git add -A` or `git add .`. Always stage files explicitly by name.
 
 - Never force-push to `main`.
@@ -144,8 +151,14 @@ style conventions are in separate documents:
 - Use SemVer.
 
 - Database migrations live in `internal/db/migrations/` and must be embedded in
-  the binary. Pre-1.0.0: modify existing migrations (no installed base assumed).
-  Post-1.0.0: add new migration files.
+  the binary.
+    - `000_migration.sql` — contains ONLY the creation of the migrations
+      tracking table itself. Nothing else.
+    - `001_schema.sql` — the full application schema.
+    - **Pre-1.0.0:** never add additional migration files (002, 003, etc.).
+      There is no installed base to migrate. Edit `001_schema.sql` directly.
+    - **Post-1.0.0:** add new numbered migration files for each schema change.
+      Never edit existing migrations after release.
 
 - All repos should have an `.editorconfig` enforcing the project's indentation
   settings.

cmd/chatd/main.go

@@ -1,41 +0,0 @@
-// Package main is the entry point for the chatd server.
-package main
-
-import (
-	"git.eeqj.de/sneak/chat/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/handlers"
-	"git.eeqj.de/sneak/chat/internal/healthcheck"
-	"git.eeqj.de/sneak/chat/internal/logger"
-	"git.eeqj.de/sneak/chat/internal/middleware"
-	"git.eeqj.de/sneak/chat/internal/server"
-	"go.uber.org/fx"
-)
-
-var (
-	// Appname is the application name, set at build time.
-	Appname = "chat" //nolint:gochecknoglobals
-
-	// Version is the application version, set at build time.
-	Version string //nolint:gochecknoglobals
-)
-
-func main() {
-	globals.Appname = Appname
-	globals.Version = Version
-
-	fx.New(
-		fx.Provide(
-			config.New,
-			db.New,
-			globals.New,
-			handlers.New,
-			logger.New,
-			server.New,
-			middleware.New,
-			healthcheck.New,
-		),
-		fx.Invoke(func(*server.Server) {}),
-	).Run()
-}

cmd/neoirc-cli/main.go

@@ -0,0 +1,8 @@
+// Package main is the entry point for the neoirc-cli client.
+package main
+
+import "git.eeqj.de/sneak/neoirc/internal/cli"
+
+func main() {
+	cli.Run()
+}

cmd/neoircd/main.go

@@ -0,0 +1,53 @@
+// Package main is the entry point for the neoircd server.
+package main
+
+import (
+	"git.eeqj.de/sneak/neoirc/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/handlers"
+	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
+	"git.eeqj.de/sneak/neoirc/internal/ircserver"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/middleware"
+	"git.eeqj.de/sneak/neoirc/internal/server"
+	"git.eeqj.de/sneak/neoirc/internal/service"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
+	"go.uber.org/fx"
+)
+
+var (
+	// Appname is the application name, set at build time.
+	Appname = "neoirc" //nolint:gochecknoglobals
+
+	// Version is the application version, set at build time.
+	Version string //nolint:gochecknoglobals
+)
+
+func main() {
+	globals.Appname = Appname
+	globals.Version = Version
+
+	fx.New(
+		fx.Provide(
+			broker.New,
+			config.New,
+			db.New,
+			globals.New,
+			handlers.New,
+			ircserver.New,
+			logger.New,
+			server.New,
+			middleware.New,
+			healthcheck.New,
+			service.New,
+			stats.New,
+		),
+		fx.Invoke(func(
+			_ *server.Server,
+			_ *ircserver.Server,
+		) {
+		}),
+	).Run()
+}

go.mod

@@ -1,4 +1,4 @@
-module git.eeqj.de/sneak/chat
+module git.eeqj.de/sneak/neoirc
 
 go 1.24.0
 
@@ -6,7 +6,7 @@ require (
 	github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8
 	github.com/gdamore/tcell/v2 v2.13.8
 	github.com/getsentry/sentry-go v0.42.0
-	github.com/go-chi/chi v1.5.5
+	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-chi/cors v1.2.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
@@ -16,6 +16,7 @@ require (
 	github.com/spf13/viper v1.21.0
 	go.uber.org/fx v1.24.0
 	golang.org/x/crypto v0.48.0
+	golang.org/x/time v0.6.0
 	modernc.org/sqlite v1.45.0
 )
 

go.sum

@@ -18,8 +18,8 @@ github.com/gdamore/tcell/v2 v2.13.8 h1:Mys/Kl5wfC/GcC5Cx4C2BIQH9dbnhnkPgS9/wF3Rl
 github.com/gdamore/tcell/v2 v2.13.8/go.mod h1:+Wfe208WDdB7INEtCsNrAN6O2m+wsTPk1RAovjaILlo=
 github.com/getsentry/sentry-go v0.42.0 h1:eeFMACuZTbUQf90RE8dE4tXeSe4CZyfvR1MBL7RLEt8=
 github.com/getsentry/sentry-go v0.42.0/go.mod h1:eRXCoh3uvmjQLY6qu63BjUZnaBu5L5WhMV1RwYO8W5s=
-github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
-github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
+github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
+github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
 github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -151,6 +151,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

internal/broker/broker_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/broker"
 )
 
 func TestNewBroker(t *testing.T) {

internal/cli/api/client.go

@@ -1,5 +1,5 @@
-// Package chatapi provides a client for the chat server API.
-package chatapi
+// Package neoircapi provides a client for the neoirc server API.
+package neoircapi
 
 import (
 	"bytes"
@@ -9,10 +9,13 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/http/cookiejar"
 	"net/url"
 	"strconv"
 	"strings"
 	"time"
+
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 
 const (
@@ -23,31 +26,51 @@ const (
 
 var errHTTP = errors.New("HTTP error")
 
-// Client wraps HTTP calls to the chat server API.
+// Client wraps HTTP calls to the neoirc server API.
 type Client struct {
 	BaseURL    string
-	Token      string
 	HTTPClient *http.Client
 }
 
-// NewClient creates a new API client.
+// NewClient creates a new API client with a cookie jar
+// for automatic auth cookie management.
 func NewClient(baseURL string) *Client {
-	return &Client{ //nolint:exhaustruct // Token set after CreateSession
+	jar, _ := cookiejar.New(nil)
+
+	return &Client{
 		BaseURL: baseURL,
 		HTTPClient: &http.Client{ //nolint:exhaustruct // defaults fine
 			Timeout: httpTimeout,
+			Jar:     jar,
 		},
 	}
 }
 
 // CreateSession creates a new session on the server.
+// If the server requires hashcash proof-of-work, it
+// automatically fetches the difficulty and computes a
+// valid stamp.
 func (client *Client) CreateSession(
 	nick string,
 ) (*SessionResponse, error) {
+	// Fetch server info to check for hashcash requirement.
+	info, err := client.GetServerInfo()
+
+	var hashcashStamp string
+
+	if err == nil && info.HashcashBits > 0 {
+		resource := info.Name
+		if resource == "" {
+			resource = "neoirc"
+		}
+
+		hashcashStamp = MintHashcash(info.HashcashBits, resource)
+	}
+
 	data, err := client.do(
 		http.MethodPost,
 		"/api/v1/session",
-		&SessionRequest{Nick: nick},
+		&SessionRequest{Nick: nick, Hashcash: hashcashStamp},
 	)
 	if err != nil {
 		return nil, err
@@ -60,8 +83,6 @@ func (client *Client) CreateSession(
 		return nil, fmt.Errorf("decode session: %w", err)
 	}
 
-	client.Token = resp.Token
-
 	return &resp, nil
 }
 
@@ -102,6 +123,7 @@ func (client *Client) PollMessages(
 		Timeout: time.Duration(
 			timeout+pollExtraTime,
 		) * time.Second,
+		Jar: client.HTTPClient.Jar,
 	}
 
 	params := url.Values{}
@@ -126,10 +148,6 @@ func (client *Client) PollMessages(
 		return nil, fmt.Errorf("new request: %w", err)
 	}
 
-	request.Header.Set(
-		"Authorization", "Bearer "+client.Token,
-	)
-
 	resp, err := pollClient.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("poll request: %w", err)
@@ -168,7 +186,7 @@ func (client *Client) PollMessages(
 func (client *Client) JoinChannel(channel string) error {
 	return client.SendMessage(
 		&Message{ //nolint:exhaustruct // only command+to needed
-			Command: "JOIN", To: channel,
+			Command: irc.CmdJoin, To: channel,
 		},
 	)
 }
@@ -177,7 +195,7 @@ func (client *Client) JoinChannel(channel string) error {
 func (client *Client) PartChannel(channel string) error {
 	return client.SendMessage(
 		&Message{ //nolint:exhaustruct // only command+to needed
-			Command: "PART", To: channel,
+			Command: irc.CmdPart, To: channel,
 		},
 	)
 }
@@ -285,12 +303,6 @@ func (client *Client) do(
 		"Content-Type", "application/json",
 	)
 
-	if client.Token != "" {
-		request.Header.Set(
-			"Authorization", "Bearer "+client.Token,
-		)
-	}
-
 	resp, err := client.HTTPClient.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("http: %w", err)

internal/cli/api/hashcash.go

@@ -0,0 +1,98 @@
+package neoircapi
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"math/big"
+	"time"
+
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
+)
+
+const (
+	// bitsPerByte is the number of bits in a byte.
+	bitsPerByte = 8
+	// fullByteMask is 0xFF, a mask for all bits in a byte.
+	fullByteMask = 0xFF
+	// counterSpace is the range for random counter seeds.
+	counterSpace = 1 << 48
+)
+
+// MintHashcash computes a hashcash stamp with the given
+// difficulty (leading zero bits) and resource string.
+func MintHashcash(bits int, resource string) string {
+	date := time.Now().UTC().Format("060102")
+	prefix := fmt.Sprintf(
+		"1:%d:%s:%s::", bits, date, resource,
+	)
+
+	for {
+		counter := randomCounter()
+		stamp := prefix + counter
+		hash := sha256.Sum256([]byte(stamp))
+
+		if hasLeadingZeroBits(hash[:], bits) {
+			return stamp
+		}
+	}
+}
+
+// MintChannelHashcash computes a hashcash stamp bound to
+// a specific channel and message body. The stamp format
+// is 1:bits:YYMMDD:channel:bodyhash:counter where
+// bodyhash is the hex-encoded SHA-256 of the message
+// body bytes. Delegates to the internal/hashcash package.
+func MintChannelHashcash(
+	bits int,
+	channel string,
+	body []byte,
+) string {
+	bodyHash := hashcash.BodyHash(body)
+
+	return hashcash.MintChannelStamp(
+		bits, channel, bodyHash,
+	)
+}
+
+// hasLeadingZeroBits checks if hash has at least numBits
+// leading zero bits.
+func hasLeadingZeroBits(
+	hash []byte,
+	numBits int,
+) bool {
+	fullBytes := numBits / bitsPerByte
+	remainBits := numBits % bitsPerByte
+
+	for idx := range fullBytes {
+		if hash[idx] != 0 {
+			return false
+		}
+	}
+
+	if remainBits > 0 && fullBytes < len(hash) {
+		mask := byte(
+			fullByteMask << (bitsPerByte - remainBits),
+		)
+
+		if hash[fullBytes]&mask != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+// randomCounter generates a random hex counter string.
+func randomCounter() string {
+	counterVal, err := rand.Int(
+		rand.Reader, big.NewInt(counterSpace),
+	)
+	if err != nil {
+		// Fallback to timestamp-based counter on error.
+		return fmt.Sprintf("%x", time.Now().UnixNano())
+	}
+
+	return hex.EncodeToString(counterVal.Bytes())
+}

internal/cli/api/types.go

@@ -1,17 +1,17 @@
-package chatapi
+package neoircapi
 
 import "time"
 
 // SessionRequest is the body for POST /api/v1/session.
 type SessionRequest struct {
-	Nick string `json:"nick"`
+	Nick     string `json:"nick"`
+	Hashcash string `json:"pow_token,omitempty"` //nolint:tagliatelle
 }
 
 // SessionResponse is the response from session creation.
 type SessionResponse struct {
-	ID    int64  `json:"id"`
-	Nick  string `json:"nick"`
-	Token string `json:"token"`
+	ID   int64  `json:"id"`
+	Nick string `json:"nick"`
 }
 
 // StateResponse is the response from GET /api/v1/state.
@@ -21,7 +21,7 @@ type StateResponse struct {
 	Channels []string `json:"channels"`
 }
 
-// Message represents a chat message envelope.
+// Message represents a neoirc message envelope.
 type Message struct {
 	Command string   `json:"command"`
 	From    string   `json:"from,omitempty"`
@@ -63,9 +63,10 @@ type Channel struct {
 
 // ServerInfo is the response from GET /api/v1/server.
 type ServerInfo struct {
-	Name    string `json:"name"`
-	MOTD    string `json:"motd"`
-	Version string `json:"version"`
+	Name         string `json:"name"`
+	MOTD         string `json:"motd"`
+	Version      string `json:"version"`
+	HashcashBits int    `json:"hashcash_bits"` //nolint:tagliatelle
 }
 
 // MessagesResponse wraps polling results.

internal/cli/app.go

@@ -1,5 +1,5 @@
-// Package main is the entry point for the chat-cli client.
-package main
+// Package cli implements the neoirc-cli terminal client.
+package cli
 
 import (
 	"fmt"
@@ -8,7 +8,8 @@ import (
 	"sync"
 	"time"
 
-	api "git.eeqj.de/sneak/chat/cmd/chat-cli/api"
+	api "git.eeqj.de/sneak/neoirc/internal/cli/api"
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 
 const (
@@ -31,7 +32,8 @@ type App struct {
 	stopPoll  chan struct{}
 }
 
-func main() {
+// Run creates and runs the CLI application.
+func Run() {
 	app := &App{ //nolint:exhaustruct
 		ui:   NewUI(),
 		nick: "guest",
@@ -41,7 +43,7 @@ func main() {
 	app.ui.SetStatus(app.nick, "", "disconnected")
 
 	app.ui.AddStatus(
-		"Welcome to chat-cli — an IRC-style client",
+		"Welcome to neoirc-cli — an IRC-style client",
 	)
 	app.ui.AddStatus(
 		"Type [yellow]/connect <server-url>" +
@@ -86,7 +88,7 @@ func (a *App) handleInput(text string) {
 	}
 
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "PRIVMSG",
+		Command: irc.CmdPrivmsg,
 		To:      target,
 		Body:    []string{text},
 	})
@@ -138,16 +140,29 @@ func (a *App) dispatchCommand(cmd, args string) {
 		a.cmdQuery(args)
 	case "/topic":
 		a.cmdTopic(args)
-	case "/names":
-		a.cmdNames()
-	case "/list":
-		a.cmdList()
 	case "/window", "/w":
 		a.cmdWindow(args)
 	case "/quit":
 		a.cmdQuit()
 	case "/help":
 		a.cmdHelp()
+	default:
+		a.dispatchInfoCommand(cmd, args)
+	}
+}
+
+func (a *App) dispatchInfoCommand(cmd, args string) {
+	switch cmd {
+	case "/names":
+		a.cmdNames()
+	case "/list":
+		a.cmdList()
+	case "/motd":
+		a.cmdMotd()
+	case "/who":
+		a.cmdWho(args)
+	case "/whois":
+		a.cmdWhois(args)
 	default:
 		a.ui.AddStatus(
 			"[red]Unknown command: " + cmd,
@@ -228,7 +243,7 @@ func (a *App) cmdNick(nick string) {
 	}
 
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "NICK",
+		Command: irc.CmdNick,
 		Body:    []string{nick},
 	})
 	if err != nil {
@@ -363,7 +378,7 @@ func (a *App) cmdMsg(args string) {
 	}
 
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "PRIVMSG",
+		Command: irc.CmdPrivmsg,
 		To:      target,
 		Body:    []string{text},
 	})
@@ -421,7 +436,7 @@ func (a *App) cmdTopic(args string) {
 
 	if args == "" {
 		err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-			Command: "TOPIC",
+			Command: irc.CmdTopic,
 			To:      target,
 		})
 		if err != nil {
@@ -434,7 +449,7 @@ func (a *App) cmdTopic(args string) {
 	}
 
 	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "TOPIC",
+		Command: irc.CmdTopic,
 		To:      target,
 		Body:    []string{args},
 	})
@@ -510,6 +525,96 @@ func (a *App) cmdList() {
 	a.ui.AddStatus("[cyan]*** End of channel list")
 }
 
+func (a *App) cmdMotd() {
+	a.mu.Lock()
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	err := a.client.SendMessage(
+		&api.Message{Command: irc.CmdMotd}, //nolint:exhaustruct
+	)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]MOTD failed: %v", err,
+		))
+	}
+}
+
+func (a *App) cmdWho(args string) {
+	a.mu.Lock()
+	connected := a.connected
+	target := a.target
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	channel := args
+	if channel == "" {
+		channel = target
+	}
+
+	if channel == "" ||
+		!strings.HasPrefix(channel, "#") {
+		a.ui.AddStatus(
+			"[red]Usage: /who #channel",
+		)
+
+		return
+	}
+
+	err := a.client.SendMessage(
+		&api.Message{ //nolint:exhaustruct
+			Command: irc.CmdWho, To: channel,
+		},
+	)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]WHO failed: %v", err,
+		))
+	}
+}
+
+func (a *App) cmdWhois(args string) {
+	a.mu.Lock()
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	if args == "" {
+		a.ui.AddStatus(
+			"[red]Usage: /whois <nick>",
+		)
+
+		return
+	}
+
+	err := a.client.SendMessage(
+		&api.Message{ //nolint:exhaustruct
+			Command: irc.CmdWhois, To: args,
+		},
+	)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]WHOIS failed: %v", err,
+		))
+	}
+}
+
 func (a *App) cmdWindow(args string) {
 	if args == "" {
 		a.ui.AddStatus(
@@ -550,7 +655,7 @@ func (a *App) cmdQuit() {
 
 	if a.connected && a.client != nil {
 		_ = a.client.SendMessage(
-			&api.Message{Command: "QUIT"}, //nolint:exhaustruct
+			&api.Message{Command: irc.CmdQuit}, //nolint:exhaustruct
 		)
 	}
 
@@ -564,7 +669,7 @@ func (a *App) cmdQuit() {
 
 func (a *App) cmdHelp() {
 	help := []string{
-		"[cyan]*** chat-cli commands:",
+		"[cyan]*** neoirc-cli commands:",
 		"  /connect <url>  — Connect to server",
 		"  /nick <name>    — Change nickname",
 		"  /join #channel  — Join channel",
@@ -574,6 +679,9 @@ func (a *App) cmdHelp() {
 		"  /topic [text]   — View/set topic",
 		"  /names          — List channel members",
 		"  /list           — List channels",
+		"  /who [#channel] — List users in channel",
+		"  /whois <nick>   — Show user info",
+		"  /motd           — Show message of the day",
 		"  /window <n>     — Switch buffer",
 		"  /quit           — Disconnect and exit",
 		"  /help           — This help",
@@ -632,19 +740,19 @@ func (a *App) handleServerMessage(msg *api.Message) {
 	a.mu.Unlock()
 
 	switch msg.Command {
-	case "PRIVMSG":
+	case irc.CmdPrivmsg:
 		a.handlePrivmsgEvent(msg, timestamp, myNick)
-	case "JOIN":
+	case irc.CmdJoin:
 		a.handleJoinEvent(msg, timestamp)
-	case "PART":
+	case irc.CmdPart:
 		a.handlePartEvent(msg, timestamp)
-	case "QUIT":
+	case irc.CmdQuit:
 		a.handleQuitEvent(msg, timestamp)
-	case "NICK":
+	case irc.CmdNick:
 		a.handleNickEvent(msg, timestamp, myNick)
-	case "NOTICE":
+	case irc.CmdNotice:
 		a.handleNoticeEvent(msg, timestamp)
-	case "TOPIC":
+	case irc.CmdTopic:
 		a.handleTopicEvent(msg, timestamp)
 	default:
 		a.handleDefaultEvent(msg, timestamp)

internal/cli/ui.go

@@ -1,4 +1,4 @@
-package main
+package cli
 
 import (
 	"fmt"

internal/config/config.go

@@ -5,14 +5,22 @@ import (
 	"errors"
 	"log/slog"
 
-	"git.eeqj.de/sneak/chat/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"github.com/spf13/viper"
 	"go.uber.org/fx"
 
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )
 
+const defaultMOTD = ` _ __   ___  ___  (_)_ __ ___
+| '_ \ / _ \/ _ \ | | '__/ __|
+| | | |  __/ (_) || | | | (__
+|_| |_|\___|\___/ |_|_|  \___|
+
+Welcome to NeoIRC — IRC semantics over HTTP.
+Type /help for available commands.`
+
 // Params defines the dependencies for creating a Config.
 type Params struct {
 	fx.In
@@ -30,12 +38,19 @@ type Config struct {
 	MetricsUsername    string
 	Port               int
 	SentryDSN          string
-	MaxHistory         int
+	MessageMaxAge      string
 	MaxMessageSize     int
+	QueueMaxAge        string
 	MOTD               string
 	ServerName         string
 	FederationKey      string
 	SessionIdleTimeout string
+	HashcashBits       int
+	OperName           string
+	OperPassword       string
+	LoginRateLimit     float64
+	LoginRateBurst     int
+	IRCListenAddr      string
 	params             *Params
 	log                *slog.Logger
 }
@@ -56,16 +71,23 @@ func New(
 	viper.SetDefault("DEBUG", "false")
 	viper.SetDefault("MAINTENANCE_MODE", "false")
 	viper.SetDefault("PORT", "8080")
-	viper.SetDefault("DBURL", "file:./data.db?_journal_mode=WAL")
+	viper.SetDefault("DBURL", "file:///var/lib/neoirc/state.db?_journal_mode=WAL")
 	viper.SetDefault("SENTRY_DSN", "")
 	viper.SetDefault("METRICS_USERNAME", "")
 	viper.SetDefault("METRICS_PASSWORD", "")
-	viper.SetDefault("MAX_HISTORY", "10000")
+	viper.SetDefault("MESSAGE_MAX_AGE", "720h")
 	viper.SetDefault("MAX_MESSAGE_SIZE", "4096")
-	viper.SetDefault("MOTD", "")
+	viper.SetDefault("QUEUE_MAX_AGE", "720h")
+	viper.SetDefault("MOTD", defaultMOTD)
 	viper.SetDefault("SERVER_NAME", "")
 	viper.SetDefault("FEDERATION_KEY", "")
-	viper.SetDefault("SESSION_IDLE_TIMEOUT", "24h")
+	viper.SetDefault("SESSION_IDLE_TIMEOUT", "720h")
+	viper.SetDefault("NEOIRC_HASHCASH_BITS", "20")
+	viper.SetDefault("NEOIRC_OPER_NAME", "")
+	viper.SetDefault("NEOIRC_OPER_PASSWORD", "")
+	viper.SetDefault("LOGIN_RATE_LIMIT", "1")
+	viper.SetDefault("LOGIN_RATE_BURST", "5")
+	viper.SetDefault("IRC_LISTEN_ADDR", ":6667")
 
 	err := viper.ReadInConfig()
 	if err != nil {
@@ -84,12 +106,19 @@ func New(
 		MaintenanceMode:    viper.GetBool("MAINTENANCE_MODE"),
 		MetricsUsername:    viper.GetString("METRICS_USERNAME"),
 		MetricsPassword:    viper.GetString("METRICS_PASSWORD"),
-		MaxHistory:         viper.GetInt("MAX_HISTORY"),
+		MessageMaxAge:      viper.GetString("MESSAGE_MAX_AGE"),
 		MaxMessageSize:     viper.GetInt("MAX_MESSAGE_SIZE"),
+		QueueMaxAge:        viper.GetString("QUEUE_MAX_AGE"),
 		MOTD:               viper.GetString("MOTD"),
 		ServerName:         viper.GetString("SERVER_NAME"),
 		FederationKey:      viper.GetString("FEDERATION_KEY"),
 		SessionIdleTimeout: viper.GetString("SESSION_IDLE_TIMEOUT"),
+		HashcashBits:       viper.GetInt("NEOIRC_HASHCASH_BITS"),
+		OperName:           viper.GetString("NEOIRC_OPER_NAME"),
+		OperPassword:       viper.GetString("NEOIRC_OPER_PASSWORD"),
+		LoginRateLimit:     viper.GetFloat64("LOGIN_RATE_LIMIT"),
+		LoginRateBurst:     viper.GetInt("LOGIN_RATE_BURST"),
+		IRCListenAddr:      viper.GetString("IRC_LISTEN_ADDR"),
 		log:                log,
 		params:             &params,
 	}

internal/db/auth.go

@@ -10,91 +10,46 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
-const bcryptCost = bcrypt.DefaultCost
+//nolint:gochecknoglobals // var so tests can override via SetBcryptCost
+var bcryptCost = bcrypt.DefaultCost
+
+// SetBcryptCost overrides the bcrypt cost.
+// Use bcrypt.MinCost in tests to avoid slow hashing.
+func SetBcryptCost(cost int) { bcryptCost = cost }
 
 var errNoPassword = errors.New(
 	"account has no password set",
 )
 
-// RegisterUser creates a session with a hashed password
-// and returns session ID, client ID, and token.
-func (database *Database) RegisterUser(
+// SetPassword sets a bcrypt-hashed password on a session,
+// enabling multi-client login via POST /api/v1/login.
+func (database *Database) SetPassword(
 	ctx context.Context,
-	nick, password string,
-) (int64, int64, string, error) {
+	sessionID int64,
+	password string,
+) error {
 	hash, err := bcrypt.GenerateFromPassword(
 		[]byte(password), bcryptCost,
 	)
 	if err != nil {
-		return 0, 0, "", fmt.Errorf(
-			"hash password: %w", err,
-		)
+		return fmt.Errorf("hash password: %w", err)
 	}
 
-	sessionUUID := uuid.New().String()
-	clientUUID := uuid.New().String()
-
-	token, err := generateToken()
+	_, err = database.conn.ExecContext(ctx,
+		"UPDATE sessions SET password_hash = ? WHERE id = ?",
+		string(hash), sessionID)
 	if err != nil {
-		return 0, 0, "", err
+		return fmt.Errorf("set password: %w", err)
 	}
 
-	now := time.Now()
-
-	transaction, err := database.conn.BeginTx(ctx, nil)
-	if err != nil {
-		return 0, 0, "", fmt.Errorf(
-			"begin tx: %w", err,
-		)
-	}
-
-	res, err := transaction.ExecContext(ctx,
-		`INSERT INTO sessions
-		 (uuid, nick, password_hash,
-		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
-		sessionUUID, nick, string(hash), now, now)
-	if err != nil {
-		_ = transaction.Rollback()
-
-		return 0, 0, "", fmt.Errorf(
-			"create session: %w", err,
-		)
-	}
-
-	sessionID, _ := res.LastInsertId()
-
-	clientRes, err := transaction.ExecContext(ctx,
-		`INSERT INTO clients
-		 (uuid, session_id, token,
-		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
-	if err != nil {
-		_ = transaction.Rollback()
-
-		return 0, 0, "", fmt.Errorf(
-			"create client: %w", err,
-		)
-	}
-
-	clientID, _ := clientRes.LastInsertId()
-
-	err = transaction.Commit()
-	if err != nil {
-		return 0, 0, "", fmt.Errorf(
-			"commit registration: %w", err,
-		)
-	}
-
-	return sessionID, clientID, token, nil
+	return nil
 }
 
 // LoginUser verifies a nick/password and creates a new
 // client token.
 func (database *Database) LoginUser(
 	ctx context.Context,
-	nick, password string,
+	nick, password, remoteIP, hostname string,
 ) (int64, int64, string, error) {
 	var (
 		sessionID    int64
@@ -137,12 +92,15 @@ func (database *Database) LoginUser(
 
 	now := time.Now()
 
+	tokenHash := hashToken(token)
+
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO clients
-		 (uuid, session_id, token,
+		 (uuid, session_id, token, ip, hostname,
 		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
+		clientUUID, sessionID, tokenHash,
+		remoteIP, hostname, now, now)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"create login client: %w", err,

internal/db/auth_test.go

@@ -6,63 +6,65 @@ import (
 	_ "modernc.org/sqlite"
 )
 
-func TestRegisterUser(t *testing.T) {
+func TestSetPassword(t *testing.T) {
 	t.Parallel()
 
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	sessionID, clientID, token, err :=
-		database.RegisterUser(ctx, "reguser", "password123")
+	sessionID, _, _, err :=
+		database.CreateSession(ctx, "passuser", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	if sessionID == 0 || clientID == 0 || token == "" {
+	err = database.SetPassword(
+		ctx, sessionID, "password123",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify we can now log in with the password.
+	loginSID, loginCID, loginToken, err :=
+		database.LoginUser(ctx, "passuser", "password123", "", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if loginSID == 0 || loginCID == 0 || loginToken == "" {
 		t.Fatal("expected valid ids and token")
 	}
-
-	// Verify session works via token lookup.
-	sid, cid, nick, err :=
-		database.GetSessionByToken(ctx, token)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if sid != sessionID || cid != clientID {
-		t.Fatal("session/client id mismatch")
-	}
-
-	if nick != "reguser" {
-		t.Fatalf("expected reguser, got %s", nick)
-	}
 }
 
-func TestRegisterUserDuplicateNick(t *testing.T) {
+func TestSetPasswordThenWrongLogin(t *testing.T) {
 	t.Parallel()
 
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "dupnick", "password123")
+	sessionID, _, _, err :=
+		database.CreateSession(ctx, "wrongpw", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	_ = regSID
-	_ = regCID
-	_ = regToken
-
-	dupSID, dupCID, dupToken, dupErr :=
-		database.RegisterUser(ctx, "dupnick", "other12345")
-	if dupErr == nil {
-		t.Fatal("expected error for duplicate nick")
+	err = database.SetPassword(
+		ctx, sessionID, "correctpass",
+	)
+	if err != nil {
+		t.Fatal(err)
 	}
 
-	_ = dupSID
-	_ = dupCID
-	_ = dupToken
+	loginSID, loginCID, loginToken, loginErr :=
+		database.LoginUser(ctx, "wrongpw", "wrongpass12", "", "")
+	if loginErr == nil {
+		t.Fatal("expected error for wrong password")
+	}
+
+	_ = loginSID
+	_ = loginCID
+	_ = loginToken
 }
 
 func TestLoginUser(t *testing.T) {
@@ -71,23 +73,26 @@ func TestLoginUser(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "loginuser", "mypassword")
+	sessionID, _, _, err :=
+		database.CreateSession(ctx, "loginuser", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	_ = regSID
-	_ = regCID
-	_ = regToken
-
-	sessionID, clientID, token, err :=
-		database.LoginUser(ctx, "loginuser", "mypassword")
+	err = database.SetPassword(
+		ctx, sessionID, "mypassword",
+	)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	if sessionID == 0 || clientID == 0 || token == "" {
+	loginSID, loginCID, token, err :=
+		database.LoginUser(ctx, "loginuser", "mypassword", "", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if loginSID == 0 || loginCID == 0 || token == "" {
 		t.Fatal("expected valid ids and token")
 	}
 
@@ -103,33 +108,6 @@ func TestLoginUser(t *testing.T) {
 	}
 }
 
-func TestLoginUserWrongPassword(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "wrongpw", "correctpass")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_ = regSID
-	_ = regCID
-	_ = regToken
-
-	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "wrongpw", "wrongpass12")
-	if loginErr == nil {
-		t.Fatal("expected error for wrong password")
-	}
-
-	_ = loginSID
-	_ = loginCID
-	_ = loginToken
-}
-
 func TestLoginUserNoPassword(t *testing.T) {
 	t.Parallel()
 
@@ -138,7 +116,7 @@ func TestLoginUserNoPassword(t *testing.T) {
 
 	// Create anonymous session (no password).
 	anonSID, anonCID, anonToken, err :=
-		database.CreateSession(ctx, "anon")
+		database.CreateSession(ctx, "anon", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -148,7 +126,7 @@ func TestLoginUserNoPassword(t *testing.T) {
 	_ = anonToken
 
 	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "anon", "anything1")
+		database.LoginUser(ctx, "anon", "anything1", "", "")
 	if loginErr == nil {
 		t.Fatal(
 			"expected error for login on passwordless account",
@@ -167,7 +145,7 @@ func TestLoginUserNonexistent(t *testing.T) {
 	ctx := t.Context()
 
 	loginSID, loginCID, loginToken, err :=
-		database.LoginUser(ctx, "ghost", "password123")
+		database.LoginUser(ctx, "ghost", "password123", "", "")
 	if err == nil {
 		t.Fatal("expected error for nonexistent user")
 	}

internal/db/db.go

@@ -12,8 +12,8 @@ import (
 	"strconv"
 	"strings"
 
-	"git.eeqj.de/sneak/chat/internal/config"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"go.uber.org/fx"
 
 	_ "github.com/joho/godotenv/autoload" // .env
@@ -87,7 +87,7 @@ func (database *Database) GetDB() *sql.DB {
 func (database *Database) connect(ctx context.Context) error {
 	dbURL := database.params.Config.DBURL
 	if dbURL == "" {
-		dbURL = "file:./data.db?_journal_mode=WAL&_busy_timeout=5000"
+		dbURL = "file:///var/lib/neoirc/state.db?_journal_mode=WAL&_busy_timeout=5000"
 	}
 
 	database.log.Info(

internal/db/errors.go

@@ -0,0 +1,20 @@
+// Package db provides database access and migration management.
+package db
+
+import (
+	"errors"
+
+	"modernc.org/sqlite"
+	sqlite3 "modernc.org/sqlite/lib"
+)
+
+// IsUniqueConstraintError reports whether err is a SQLite
+// unique-constraint violation.
+func IsUniqueConstraintError(err error) bool {
+	var sqliteErr *sqlite.Error
+	if !errors.As(err, &sqliteErr) {
+		return false
+	}
+
+	return sqliteErr.Code() == sqlite3.SQLITE_CONSTRAINT_UNIQUE
+}

internal/db/main_test.go

@@ -0,0 +1,14 @@
+package db_test
+
+import (
+	"os"
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func TestMain(m *testing.M) {
+	db.SetBcryptCost(bcrypt.MinCost)
+	os.Exit(m.Run())
+}

internal/db/queries_test.go

@@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"testing"
 
-	"git.eeqj.de/sneak/chat/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/db"
 
 	_ "modernc.org/sqlite"
 )
@@ -34,7 +34,7 @@ func TestCreateSession(t *testing.T) {
 	ctx := t.Context()
 
 	sessionID, _, token, err := database.CreateSession(
-		ctx, "alice",
+		ctx, "alice", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -45,7 +45,7 @@ func TestCreateSession(t *testing.T) {
 	}
 
 	_, _, dupToken, dupErr := database.CreateSession(
-		ctx, "alice",
+		ctx, "alice", "", "", "",
 	)
 	if dupErr == nil {
 		t.Fatal("expected error for duplicate nick")
@@ -54,13 +54,249 @@ func TestCreateSession(t *testing.T) {
 	_ = dupToken
 }
 
+// assertSessionHostInfo creates a session and verifies
+// the stored username and hostname match expectations.
+func assertSessionHostInfo(
+	t *testing.T,
+	database *db.Database,
+	nick, inputUser, inputHost,
+	expectUser, expectHost string,
+) {
+	t.Helper()
+
+	sessionID, _, _, err := database.CreateSession(
+		t.Context(), nick, inputUser, inputHost, "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := database.GetSessionHostInfo(
+		t.Context(), sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.Username != expectUser {
+		t.Fatalf(
+			"expected username %s, got %s",
+			expectUser, info.Username,
+		)
+	}
+
+	if info.Hostname != expectHost {
+		t.Fatalf(
+			"expected hostname %s, got %s",
+			expectHost, info.Hostname,
+		)
+	}
+}
+
+func TestCreateSessionWithUserHost(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	assertSessionHostInfo(
+		t, database,
+		"hostuser", "myident", "example.com",
+		"myident", "example.com",
+	)
+}
+
+func TestCreateSessionDefaultUsername(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	// Empty username defaults to nick.
+	assertSessionHostInfo(
+		t, database,
+		"defaultu", "", "host.local",
+		"defaultu", "host.local",
+	)
+}
+
+func TestCreateSessionStoresIP(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, clientID, _, err := database.CreateSession(
+		ctx, "ipuser", "ident", "host.example.com",
+		"192.168.1.42",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := database.GetSessionHostInfo(
+		ctx, sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.IP != "192.168.1.42" {
+		t.Fatalf(
+			"expected session IP 192.168.1.42, got %s",
+			info.IP,
+		)
+	}
+
+	clientInfo, err := database.GetClientHostInfo(
+		ctx, clientID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if clientInfo.IP != "192.168.1.42" {
+		t.Fatalf(
+			"expected client IP 192.168.1.42, got %s",
+			clientInfo.IP,
+		)
+	}
+
+	if clientInfo.Hostname != "host.example.com" {
+		t.Fatalf(
+			"expected client hostname host.example.com, got %s",
+			clientInfo.Hostname,
+		)
+	}
+}
+
+func TestGetClientHostInfoNotFound(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	_, err := database.GetClientHostInfo(
+		t.Context(), 99999,
+	)
+	if err == nil {
+		t.Fatal("expected error for nonexistent client")
+	}
+}
+
+func TestGetSessionHostInfoNotFound(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	_, err := database.GetSessionHostInfo(
+		t.Context(), 99999,
+	)
+	if err == nil {
+		t.Fatal("expected error for nonexistent session")
+	}
+}
+
+func TestFormatHostmask(t *testing.T) {
+	t.Parallel()
+
+	result := db.FormatHostmask(
+		"nick", "user", "host.com",
+	)
+	if result != "nick!user@host.com" {
+		t.Fatalf(
+			"expected nick!user@host.com, got %s",
+			result,
+		)
+	}
+}
+
+func TestFormatHostmaskDefaults(t *testing.T) {
+	t.Parallel()
+
+	result := db.FormatHostmask("nick", "", "")
+	if result != "nick!nick@*" {
+		t.Fatalf(
+			"expected nick!nick@*, got %s",
+			result,
+		)
+	}
+}
+
+func TestMemberInfoHostmask(t *testing.T) {
+	t.Parallel()
+
+	member := &db.MemberInfo{ //nolint:exhaustruct // test only uses hostmask fields
+		Nick:     "alice",
+		Username: "aliceident",
+		Hostname: "alice.example.com",
+	}
+
+	hostmask := member.Hostmask()
+	expected := "alice!aliceident@alice.example.com"
+
+	if hostmask != expected {
+		t.Fatalf(
+			"expected %s, got %s", expected, hostmask,
+		)
+	}
+}
+
+func TestChannelMembersIncludeUserHost(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid, _, _, err := database.CreateSession(
+		ctx, "memuser", "myuser", "myhost.net", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chID, err := database.GetOrCreateChannel(
+		ctx, "#hostchan",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = database.JoinChannel(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	members, err := database.ChannelMembers(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(members) != 1 {
+		t.Fatalf(
+			"expected 1 member, got %d", len(members),
+		)
+	}
+
+	if members[0].Username != "myuser" {
+		t.Fatalf(
+			"expected username myuser, got %s",
+			members[0].Username,
+		)
+	}
+
+	if members[0].Hostname != "myhost.net" {
+		t.Fatalf(
+			"expected hostname myhost.net, got %s",
+			members[0].Hostname,
+		)
+	}
+}
+
 func TestGetSessionByToken(t *testing.T) {
 	t.Parallel()
 
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	_, _, token, err := database.CreateSession(ctx, "bob")
+	_, _, token, err := database.CreateSession(ctx, "bob", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -93,7 +329,7 @@ func TestGetSessionByNick(t *testing.T) {
 	ctx := t.Context()
 
 	charlieID, charlieClientID, charlieToken, err :=
-		database.CreateSession(ctx, "charlie")
+		database.CreateSession(ctx, "charlie", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -150,7 +386,7 @@ func TestJoinAndPart(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	sid, _, _, err := database.CreateSession(ctx, "user1")
+	sid, _, _, err := database.CreateSession(ctx, "user1", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -199,7 +435,7 @@ func TestDeleteChannelIfEmpty(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	sid, _, _, err := database.CreateSession(ctx, "temp")
+	sid, _, _, err := database.CreateSession(ctx, "temp", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -234,7 +470,7 @@ func createSessionWithChannels(
 
 	ctx := t.Context()
 
-	sid, _, _, err := database.CreateSession(ctx, nick)
+	sid, _, _, err := database.CreateSession(ctx, nick, "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -317,7 +553,7 @@ func TestChangeNick(t *testing.T) {
 	ctx := t.Context()
 
 	sid, _, token, err := database.CreateSession(
-		ctx, "old",
+		ctx, "old", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -383,7 +619,7 @@ func TestInsertMessage(t *testing.T) {
 	body := json.RawMessage(`["hello"]`)
 
 	dbID, msgUUID, err := database.InsertMessage(
-		ctx, "PRIVMSG", "poller", "#test", body, nil,
+		ctx, "PRIVMSG", "poller", "#test", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -401,7 +637,7 @@ func TestPollMessages(t *testing.T) {
 	ctx := t.Context()
 
 	sid, _, token, err := database.CreateSession(
-		ctx, "poller",
+		ctx, "poller", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -417,7 +653,7 @@ func TestPollMessages(t *testing.T) {
 	body := json.RawMessage(`["hello"]`)
 
 	dbID, _, err := database.InsertMessage(
-		ctx, "PRIVMSG", "poller", "#test", body, nil,
+		ctx, "PRIVMSG", "poller", "#test", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -475,7 +711,7 @@ func TestGetHistory(t *testing.T) {
 	for range msgCount {
 		_, _, err := database.InsertMessage(
 			ctx, "PRIVMSG", "user", "#hist",
-			json.RawMessage(`["msg"]`), nil,
+			nil, json.RawMessage(`["msg"]`), nil,
 		)
 		if err != nil {
 			t.Fatal(err)
@@ -508,7 +744,7 @@ func TestDeleteSession(t *testing.T) {
 	ctx := t.Context()
 
 	sid, _, _, err := database.CreateSession(
-		ctx, "deleteme",
+		ctx, "deleteme", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -548,12 +784,12 @@ func TestChannelMembers(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	sid1, _, _, err := database.CreateSession(ctx, "m1")
+	sid1, _, _, err := database.CreateSession(ctx, "m1", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	sid2, _, _, err := database.CreateSession(ctx, "m2")
+	sid2, _, _, err := database.CreateSession(ctx, "m2", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -611,7 +847,7 @@ func TestEnqueueToClient(t *testing.T) {
 	ctx := t.Context()
 
 	_, _, token, err := database.CreateSession(
-		ctx, "enqclient",
+		ctx, "enqclient", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -627,7 +863,7 @@ func TestEnqueueToClient(t *testing.T) {
 	body := json.RawMessage(`["test"]`)
 
 	dbID, _, err := database.InsertMessage(
-		ctx, "PRIVMSG", "sender", "#ch", body, nil,
+		ctx, "PRIVMSG", "sender", "#ch", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -651,3 +887,604 @@ func TestEnqueueToClient(t *testing.T) {
 		t.Fatalf("expected 1, got %d", len(msgs))
 	}
 }
+
+func TestSetAndCheckSessionOper(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, _, _, err := database.CreateSession(
+		ctx, "opernick", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Initially not oper.
+	isOper, err := database.IsSessionOper(ctx, sessionID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isOper {
+		t.Fatal("expected session not to be oper")
+	}
+
+	// Set oper.
+	err = database.SetSessionOper(ctx, sessionID, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isOper, err = database.IsSessionOper(ctx, sessionID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !isOper {
+		t.Fatal("expected session to be oper")
+	}
+
+	// Unset oper.
+	err = database.SetSessionOper(ctx, sessionID, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isOper, err = database.IsSessionOper(ctx, sessionID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isOper {
+		t.Fatal("expected session not to be oper")
+	}
+}
+
+func TestGetLatestClientForSession(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, _, _, err := database.CreateSession(
+		ctx, "clientnick", "", "", "10.0.0.1",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientInfo, err := database.GetLatestClientForSession(
+		ctx, sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if clientInfo.IP != "10.0.0.1" {
+		t.Fatalf(
+			"expected IP 10.0.0.1, got %s",
+			clientInfo.IP,
+		)
+	}
+}
+
+func TestGetOperCount(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	// Create two sessions.
+	sid1, _, _, err := database.CreateSession(
+		ctx, "user1", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sid2, _, _, err := database.CreateSession(
+		ctx, "user2", "", "", "",
+	)
+	_ = sid2
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Initially zero opers.
+	count, err := database.GetOperCount(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if count != 0 {
+		t.Fatalf("expected 0 opers, got %d", count)
+	}
+
+	// Set one as oper.
+	err = database.SetSessionOper(ctx, sid1, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	count, err = database.GetOperCount(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if count != 1 {
+		t.Fatalf("expected 1 oper, got %d", count)
+	}
+}
+
+// --- Tier 2 Tests ---
+
+func TestWildcardMatch(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		pattern string
+		input   string
+		match   bool
+	}{
+		{"*!*@*", "nick!user@host", true},
+		{"*!*@*.example.com", "nick!user@foo.example.com", true},
+		{"*!*@*.example.com", "nick!user@other.net", false},
+		{"badnick!*@*", "badnick!user@host", true},
+		{"badnick!*@*", "goodnick!user@host", false},
+		{"nick!user@host", "nick!user@host", true},
+		{"nick!user@host", "nick!user@other", false},
+		{"*", "anything", true},
+		{"?ick!*@*", "nick!user@host", true},
+		{"?ick!*@*", "nn!user@host", false},
+		// Case-insensitive.
+		{"Nick!*@*", "nick!user@host", true},
+	}
+
+	for _, tc := range tests {
+		result := db.MatchBanMask(tc.pattern, tc.input)
+		if result != tc.match {
+			t.Errorf(
+				"MatchBanMask(%q, %q) = %v, want %v",
+				tc.pattern, tc.input, result, tc.match,
+			)
+		}
+	}
+}
+
+func TestChannelBanCRUD(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// No bans initially.
+	bans, err := database.ListChannelBans(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(bans) != 0 {
+		t.Fatalf("expected 0 bans, got %d", len(bans))
+	}
+
+	// Add a ban.
+	err = database.AddChannelBan(
+		ctx, chID, "*!*@evil.com", "op",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bans, err = database.ListChannelBans(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(bans) != 1 {
+		t.Fatalf("expected 1 ban, got %d", len(bans))
+	}
+
+	if bans[0].Mask != "*!*@evil.com" {
+		t.Fatalf("wrong mask: %s", bans[0].Mask)
+	}
+
+	// Duplicate add is ignored (OR IGNORE).
+	err = database.AddChannelBan(
+		ctx, chID, "*!*@evil.com", "op2",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bans, _ = database.ListChannelBans(ctx, chID)
+	if len(bans) != 1 {
+		t.Fatalf("expected 1 ban after dup, got %d", len(bans))
+	}
+
+	// Remove ban.
+	err = database.RemoveChannelBan(
+		ctx, chID, "*!*@evil.com",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bans, _ = database.ListChannelBans(ctx, chID)
+	if len(bans) != 0 {
+		t.Fatalf("expected 0 bans after remove, got %d", len(bans))
+	}
+}
+
+func TestIsSessionBanned(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid, _, _, err := database.CreateSession(
+		ctx, "victim", "victim", "evil.com", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chID, err := database.GetOrCreateChannel(ctx, "#bantest")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Not banned initially.
+	banned, err := database.IsSessionBanned(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if banned {
+		t.Fatal("should not be banned initially")
+	}
+
+	// Add ban matching the hostmask.
+	err = database.AddChannelBan(
+		ctx, chID, "*!*@evil.com", "op",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	banned, err = database.IsSessionBanned(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !banned {
+		t.Fatal("should be banned")
+	}
+}
+
+func TestChannelInviteOnly(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#invite")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: not invite-only.
+	isIO, err := database.IsChannelInviteOnly(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isIO {
+		t.Fatal("should not be invite-only by default")
+	}
+
+	// Set invite-only.
+	err = database.SetChannelInviteOnly(ctx, chID, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
+	if !isIO {
+		t.Fatal("should be invite-only")
+	}
+
+	// Unset.
+	err = database.SetChannelInviteOnly(ctx, chID, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
+	if isIO {
+		t.Fatal("should not be invite-only")
+	}
+}
+
+func TestChannelInviteCRUD(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid, _, _, err := database.CreateSession(
+		ctx, "invited", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chID, err := database.GetOrCreateChannel(ctx, "#inv")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// No invite initially.
+	has, err := database.HasChannelInvite(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if has {
+		t.Fatal("should not have invite")
+	}
+
+	// Add invite.
+	err = database.AddChannelInvite(ctx, chID, sid, "op")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	has, _ = database.HasChannelInvite(ctx, chID, sid)
+	if !has {
+		t.Fatal("should have invite")
+	}
+
+	// Clear invite.
+	err = database.ClearChannelInvite(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	has, _ = database.HasChannelInvite(ctx, chID, sid)
+	if has {
+		t.Fatal("invite should be cleared")
+	}
+}
+
+func TestChannelSecret(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#secret")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: not secret.
+	isSec, err := database.IsChannelSecret(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isSec {
+		t.Fatal("should not be secret by default")
+	}
+
+	err = database.SetChannelSecret(ctx, chID, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isSec, _ = database.IsChannelSecret(ctx, chID)
+	if !isSec {
+		t.Fatal("should be secret")
+	}
+}
+
+// createTestSession is a helper to create a session and
+// return only the session ID.
+func createTestSession(
+	t *testing.T,
+	database *db.Database,
+	nick string,
+) int64 {
+	t.Helper()
+
+	sid, _, _, err := database.CreateSession(
+		t.Context(), nick, "", "", "",
+	)
+	if err != nil {
+		t.Fatalf("create session %s: %v", nick, err)
+	}
+
+	return sid
+}
+
+func TestSecretChannelFiltering(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	// Create two sessions.
+	sid1 := createTestSession(t, database, "member")
+	sid2 := createTestSession(t, database, "outsider")
+
+	// Create a secret channel.
+	chID, _ := database.GetOrCreateChannel(ctx, "#secret")
+	_ = database.SetChannelSecret(ctx, chID, true)
+	_ = database.JoinChannel(ctx, chID, sid1)
+
+	// Create a non-secret channel.
+	chID2, _ := database.GetOrCreateChannel(ctx, "#public")
+	_ = database.JoinChannel(ctx, chID2, sid1)
+
+	// Member should see both.
+	list, err := database.ListAllChannelsWithCountsFiltered(
+		ctx, sid1,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(list) != 2 {
+		t.Fatalf("member should see 2 channels, got %d", len(list))
+	}
+
+	// Outsider should only see public.
+	list, _ = database.ListAllChannelsWithCountsFiltered(
+		ctx, sid2,
+	)
+	if len(list) != 1 {
+		t.Fatalf("outsider should see 1 channel, got %d", len(list))
+	}
+
+	if list[0].Name != "#public" {
+		t.Fatalf("outsider should see #public, got %s", list[0].Name)
+	}
+}
+
+func TestWhoisChannelFiltering(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid1 := createTestSession(t, database, "target")
+	sid2 := createTestSession(t, database, "querier")
+
+	// Create secret channel, target joins it.
+	chID, _ := database.GetOrCreateChannel(ctx, "#hidden")
+	_ = database.SetChannelSecret(ctx, chID, true)
+	_ = database.JoinChannel(ctx, chID, sid1)
+
+	// Querier (non-member) should not see the channel.
+	channels, err := database.GetSessionChannelsFiltered(
+		ctx, sid1, sid2,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(channels) != 0 {
+		t.Fatalf(
+			"querier should see 0 channels, got %d",
+			len(channels),
+		)
+	}
+
+	// Target querying self should see it.
+	channels, _ = database.GetSessionChannelsFiltered(
+		ctx, sid1, sid1,
+	)
+	if len(channels) != 1 {
+		t.Fatalf(
+			"self-query should see 1 channel, got %d",
+			len(channels),
+		)
+	}
+}
+
+//nolint:dupl // structurally similar to TestChannelUserLimit
+func TestChannelKey(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#keyed")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: no key.
+	key, err := database.GetChannelKey(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if key != "" {
+		t.Fatalf("expected empty key, got %q", key)
+	}
+
+	// Set key.
+	err = database.SetChannelKey(ctx, chID, "secret123")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	key, _ = database.GetChannelKey(ctx, chID)
+	if key != "secret123" {
+		t.Fatalf("expected secret123, got %q", key)
+	}
+
+	// Clear key.
+	err = database.SetChannelKey(ctx, chID, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	key, _ = database.GetChannelKey(ctx, chID)
+	if key != "" {
+		t.Fatalf("expected empty key, got %q", key)
+	}
+}
+
+//nolint:dupl // structurally similar to TestChannelKey
+func TestChannelUserLimit(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#limited")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: no limit.
+	limit, err := database.GetChannelUserLimit(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if limit != 0 {
+		t.Fatalf("expected 0 limit, got %d", limit)
+	}
+
+	// Set limit.
+	err = database.SetChannelUserLimit(ctx, chID, 50)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	limit, _ = database.GetChannelUserLimit(ctx, chID)
+	if limit != 50 {
+		t.Fatalf("expected 50, got %d", limit)
+	}
+
+	// Clear limit.
+	err = database.SetChannelUserLimit(ctx, chID, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	limit, _ = database.GetChannelUserLimit(ctx, chID)
+	if limit != 0 {
+		t.Fatalf("expected 0, got %d", limit)
+	}
+}

internal/db/schema/001_initial.sql

@@ -6,8 +6,13 @@ CREATE TABLE IF NOT EXISTS sessions (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     uuid TEXT NOT NULL UNIQUE,
     nick TEXT NOT NULL UNIQUE,
+    username TEXT NOT NULL DEFAULT '',
+    hostname TEXT NOT NULL DEFAULT '',
+    ip TEXT NOT NULL DEFAULT '',
+    is_oper INTEGER NOT NULL DEFAULT 0,
     password_hash TEXT NOT NULL DEFAULT '',
     signing_key TEXT NOT NULL DEFAULT '',
+    away_message TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -19,6 +24,8 @@ CREATE TABLE IF NOT EXISTS clients (
     uuid TEXT NOT NULL UNIQUE,
     session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
     token TEXT NOT NULL UNIQUE,
+    ip TEXT NOT NULL DEFAULT '',
+    hostname TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -30,15 +37,48 @@ CREATE TABLE IF NOT EXISTS channels (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     name TEXT NOT NULL UNIQUE,
     topic TEXT NOT NULL DEFAULT '',
+    topic_set_by TEXT NOT NULL DEFAULT '',
+    topic_set_at DATETIME,
+    hashcash_bits INTEGER NOT NULL DEFAULT 0,
+    is_moderated INTEGER NOT NULL DEFAULT 0,
+    is_topic_locked INTEGER NOT NULL DEFAULT 1,
+    is_invite_only INTEGER NOT NULL DEFAULT 0,
+    is_secret INTEGER NOT NULL DEFAULT 0,
+    channel_key TEXT NOT NULL DEFAULT '',
+    user_limit INTEGER NOT NULL DEFAULT 0,
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
 
+-- Channel bans
+CREATE TABLE IF NOT EXISTS channel_bans (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
+    mask TEXT NOT NULL,
+    set_by TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(channel_id, mask)
+);
+CREATE INDEX IF NOT EXISTS idx_channel_bans_channel ON channel_bans(channel_id);
+
+-- Channel invites (in-memory would be simpler but DB survives restarts)
+CREATE TABLE IF NOT EXISTS channel_invites (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
+    session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
+    invited_by TEXT NOT NULL DEFAULT '',
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(channel_id, session_id)
+);
+CREATE INDEX IF NOT EXISTS idx_channel_invites_channel ON channel_invites(channel_id);
+
 -- Channel members
 CREATE TABLE IF NOT EXISTS channel_members (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
     session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
+    is_operator INTEGER NOT NULL DEFAULT 0,
+    is_voiced INTEGER NOT NULL DEFAULT 0,
     joined_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     UNIQUE(channel_id, session_id)
 );
@@ -50,6 +90,7 @@ CREATE TABLE IF NOT EXISTS messages (
     command TEXT NOT NULL DEFAULT 'PRIVMSG',
     msg_from TEXT NOT NULL DEFAULT '',
     msg_to TEXT NOT NULL DEFAULT '',
+    params TEXT NOT NULL DEFAULT '[]',
     body TEXT NOT NULL DEFAULT '[]',
     meta TEXT NOT NULL DEFAULT '{}',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP
@@ -57,6 +98,14 @@ CREATE TABLE IF NOT EXISTS messages (
 CREATE INDEX IF NOT EXISTS idx_messages_to_id ON messages(msg_to, id);
 CREATE INDEX IF NOT EXISTS idx_messages_created ON messages(created_at);
 
+-- Spent hashcash tokens for replay prevention (1-year TTL)
+CREATE TABLE IF NOT EXISTS spent_hashcash (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    stamp_hash TEXT NOT NULL UNIQUE,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+CREATE INDEX IF NOT EXISTS idx_spent_hashcash_created ON spent_hashcash(created_at);
+
 -- Per-client message queues for fan-out delivery
 CREATE TABLE IF NOT EXISTS client_queues (
     id INTEGER PRIMARY KEY AUTOINCREMENT,

internal/db/testing.go

@@ -0,0 +1,25 @@
+package db
+
+import (
+	"context"
+	"database/sql"
+	"log/slog"
+)
+
+// NewTestDatabaseFromConn creates a Database wrapping an
+// existing *sql.DB connection.  Intended for integration
+// tests in other packages.
+func NewTestDatabaseFromConn(conn *sql.DB) *Database {
+	return &Database{ //nolint:exhaustruct
+		conn: conn,
+		log:  slog.Default(),
+	}
+}
+
+// RunMigrations applies all schema migrations.  Exposed
+// for integration tests in other packages.
+func (database *Database) RunMigrations(
+	ctx context.Context,
+) error {
+	return database.runMigrations(ctx)
+}

internal/globals/globals.go

@@ -2,6 +2,8 @@
 package globals
 
 import (
+	"time"
+
 	"go.uber.org/fx"
 )
 
@@ -15,16 +17,18 @@ var (
 
 // Globals holds application-wide metadata.
 type Globals struct {
-	Appname string
-	Version string
+	Appname   string
+	Version   string
+	StartTime time.Time
 }
 
 // New creates a new Globals instance from the global state.
 func New(_ fx.Lifecycle) (*Globals, error) {
-	n := &Globals{
-		Appname: Appname,
-		Version: Version,
+	result := &Globals{
+		Appname:   Appname,
+		Version:   Version,
+		StartTime: time.Now(),
 	}
 
-	return n, nil
+	return result, nil
 }

internal/handlers/auth.go

@@ -4,116 +4,12 @@ import (
 	"encoding/json"
 	"net/http"
 	"strings"
+
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 
 const minPasswordLength = 8
 
-// HandleRegister creates a new user with a password.
-func (hdlr *Handlers) HandleRegister() http.HandlerFunc {
-	return func(
-		writer http.ResponseWriter,
-		request *http.Request,
-	) {
-		request.Body = http.MaxBytesReader(
-			writer, request.Body, hdlr.maxBodySize(),
-		)
-
-		hdlr.handleRegister(writer, request)
-	}
-}
-
-func (hdlr *Handlers) handleRegister(
-	writer http.ResponseWriter,
-	request *http.Request,
-) {
-	type registerRequest struct {
-		Nick     string `json:"nick"`
-		Password string `json:"password"`
-	}
-
-	var payload registerRequest
-
-	err := json.NewDecoder(request.Body).Decode(&payload)
-	if err != nil {
-		hdlr.respondError(
-			writer, request,
-			"invalid request body",
-			http.StatusBadRequest,
-		)
-
-		return
-	}
-
-	payload.Nick = strings.TrimSpace(payload.Nick)
-
-	if !validNickRe.MatchString(payload.Nick) {
-		hdlr.respondError(
-			writer, request,
-			"invalid nick format",
-			http.StatusBadRequest,
-		)
-
-		return
-	}
-
-	if len(payload.Password) < minPasswordLength {
-		hdlr.respondError(
-			writer, request,
-			"password must be at least 8 characters",
-			http.StatusBadRequest,
-		)
-
-		return
-	}
-
-	sessionID, clientID, token, err :=
-		hdlr.params.Database.RegisterUser(
-			request.Context(),
-			payload.Nick,
-			payload.Password,
-		)
-	if err != nil {
-		hdlr.handleRegisterError(
-			writer, request, err,
-		)
-
-		return
-	}
-
-	hdlr.deliverMOTD(request, clientID, sessionID)
-
-	hdlr.respondJSON(writer, request, map[string]any{
-		"id":    sessionID,
-		"nick":  payload.Nick,
-		"token": token,
-	}, http.StatusCreated)
-}
-
-func (hdlr *Handlers) handleRegisterError(
-	writer http.ResponseWriter,
-	request *http.Request,
-	err error,
-) {
-	if strings.Contains(err.Error(), "UNIQUE") {
-		hdlr.respondError(
-			writer, request,
-			"nick already taken",
-			http.StatusConflict,
-		)
-
-		return
-	}
-
-	hdlr.log.Error(
-		"register user failed", "error", err,
-	)
-	hdlr.respondError(
-		writer, request,
-		"internal error",
-		http.StatusInternalServerError,
-	)
-}
-
 // HandleLogin authenticates a user with nick and password.
 func (hdlr *Handlers) HandleLogin() http.HandlerFunc {
 	return func(
@@ -132,6 +28,21 @@ func (hdlr *Handlers) handleLogin(
 	writer http.ResponseWriter,
 	request *http.Request,
 ) {
+	ip := clientIP(request)
+
+	if !hdlr.loginLimiter.Allow(ip) {
+		writer.Header().Set(
+			"Retry-After", "1",
+		)
+		hdlr.respondError(
+			writer, request,
+			"too many login attempts, try again later",
+			http.StatusTooManyRequests,
+		)
+
+		return
+	}
+
 	type loginRequest struct {
 		Nick     string `json:"nick"`
 		Password string `json:"password"`
@@ -162,11 +73,27 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 
-	sessionID, _, token, err :=
+	hdlr.executeLogin(
+		writer, request, payload.Nick, payload.Password,
+	)
+}
+
+func (hdlr *Handlers) executeLogin(
+	writer http.ResponseWriter,
+	request *http.Request,
+	nick, password string,
+) {
+	remoteIP := clientIP(request)
+
+	hostname := resolveHostname(
+		request.Context(), remoteIP,
+	)
+
+	sessionID, clientID, token, err :=
 		hdlr.params.Database.LoginUser(
 			request.Context(),
-			payload.Nick,
-			payload.Password,
+			nick, password,
+			remoteIP, hostname,
 		)
 	if err != nil {
 		hdlr.respondError(
@@ -178,9 +105,78 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 
+	hdlr.stats.IncrConnections()
+
+	hdlr.deliverMOTD(
+		request, clientID, sessionID, nick,
+	)
+
+	// Initialize channel state so the new client knows
+	// which channels the session already belongs to.
+	hdlr.initChannelState(
+		request, clientID, sessionID, nick,
+	)
+
+	hdlr.setAuthCookie(writer, request, token)
+
 	hdlr.respondJSON(writer, request, map[string]any{
-		"id":    sessionID,
-		"nick":  payload.Nick,
-		"token": token,
+		"id":   sessionID,
+		"nick": nick,
 	}, http.StatusOK)
 }
+
+// handlePass handles the IRC PASS command to set a
+// password on the authenticated session, enabling
+// multi-client login via POST /api/v1/login.
+func (hdlr *Handlers) handlePass(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick string,
+	bodyLines func() []string,
+) {
+	lines := bodyLines()
+	if len(lines) == 0 || lines[0] == "" {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdPass},
+			"Not enough parameters",
+		)
+
+		return
+	}
+
+	password := lines[0]
+
+	if len(password) < minPasswordLength {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdPass},
+			"Password must be at least 8 characters",
+		)
+
+		return
+	}
+
+	err := hdlr.params.Database.SetPassword(
+		request.Context(), sessionID, password,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"set password failed", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}

internal/handlers/handlers.go

@@ -1,4 +1,4 @@
-// Package handlers provides HTTP request handlers for the chat server.
+// Package handlers provides HTTP request handlers for the neoirc server.
 package handlers
 
 import (
@@ -9,12 +9,16 @@ import (
 	"net/http"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/broker"
-	"git.eeqj.de/sneak/chat/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/healthcheck"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
+	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/ratelimit"
+	"git.eeqj.de/sneak/neoirc/internal/service"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -29,17 +33,30 @@ type Params struct {
 	Config      *config.Config
 	Database    *db.Database
 	Healthcheck *healthcheck.Healthcheck
+	Stats       *stats.Tracker
+	Broker      *broker.Broker
+	Service     *service.Service
 }
 
-const defaultIdleTimeout = 24 * time.Hour
+const defaultIdleTimeout = 30 * 24 * time.Hour
+
+// spentHashcashTTL is how long spent hashcash tokens are
+// retained for replay prevention. Per issue requirements,
+// this is 1 year.
+const spentHashcashTTL = 365 * 24 * time.Hour
 
 // Handlers manages HTTP request handling.
 type Handlers struct {
-	params        *Params
-	log           *slog.Logger
-	hc            *healthcheck.Healthcheck
-	broker        *broker.Broker
-	cancelCleanup context.CancelFunc
+	params          *Params
+	log             *slog.Logger
+	hc              *healthcheck.Healthcheck
+	broker          *broker.Broker
+	svc             *service.Service
+	hashcashVal     *hashcash.Validator
+	channelHashcash *hashcash.ChannelValidator
+	loginLimiter    *ratelimit.Limiter
+	stats           *stats.Tracker
+	cancelCleanup   context.CancelFunc
 }
 
 // New creates a new Handlers instance.
@@ -47,11 +64,31 @@ func New(
 	lifecycle fx.Lifecycle,
 	params Params,
 ) (*Handlers, error) {
+	resource := params.Config.ServerName
+	if resource == "" {
+		resource = "neoirc"
+	}
+
+	loginRate := params.Config.LoginRateLimit
+	if loginRate <= 0 {
+		loginRate = ratelimit.DefaultRate
+	}
+
+	loginBurst := params.Config.LoginRateBurst
+	if loginBurst <= 0 {
+		loginBurst = ratelimit.DefaultBurst
+	}
+
 	hdlr := &Handlers{ //nolint:exhaustruct // cancelCleanup set in startCleanup
-		params: &params,
-		log:    params.Logger.Get(),
-		hc:     params.Healthcheck,
-		broker: broker.New(),
+		params:          &params,
+		log:             params.Logger.Get(),
+		hc:              params.Healthcheck,
+		broker:          params.Broker,
+		svc:             params.Service,
+		hashcashVal:     hashcash.NewValidator(resource),
+		channelHashcash: hashcash.NewChannelValidator(),
+		loginLimiter:    ratelimit.New(loginRate, loginBurst),
+		stats:           params.Stats,
 	}
 
 	lifecycle.Append(fx.Hook{
@@ -143,6 +180,10 @@ func (hdlr *Handlers) stopCleanup() {
 	if hdlr.cancelCleanup != nil {
 		hdlr.cancelCleanup()
 	}
+
+	if hdlr.loginLimiter != nil {
+		hdlr.loginLimiter.Stop()
+	}
 }
 
 func (hdlr *Handlers) cleanupLoop(ctx context.Context) {
@@ -200,4 +241,93 @@ func (hdlr *Handlers) runCleanup(
 			"deleted", deleted,
 		)
 	}
+
+	hdlr.pruneQueuesAndMessages(ctx)
+}
+
+// parseDurationConfig parses a Go duration string,
+// returning zero on empty input and logging on error.
+func (hdlr *Handlers) parseDurationConfig(
+	name, raw string,
+) time.Duration {
+	if raw == "" {
+		return 0
+	}
+
+	dur, err := time.ParseDuration(raw)
+	if err != nil {
+		hdlr.log.Error(
+			"invalid duration config, skipping",
+			"name", name, "value", raw, "error", err,
+		)
+
+		return 0
+	}
+
+	return dur
+}
+
+// pruneQueuesAndMessages removes old client output queue
+// entries per QUEUE_MAX_AGE and old messages per
+// MESSAGE_MAX_AGE.
+func (hdlr *Handlers) pruneQueuesAndMessages(
+	ctx context.Context,
+) {
+	queueMaxAge := hdlr.parseDurationConfig(
+		"QUEUE_MAX_AGE",
+		hdlr.params.Config.QueueMaxAge,
+	)
+	if queueMaxAge > 0 {
+		queueCutoff := time.Now().Add(-queueMaxAge)
+
+		pruned, err := hdlr.params.Database.
+			PruneOldQueueEntries(ctx, queueCutoff)
+		if err != nil {
+			hdlr.log.Error(
+				"client output queue pruning failed", "error", err,
+			)
+		} else if pruned > 0 {
+			hdlr.log.Info(
+				"pruned old client output queue entries",
+				"deleted", pruned,
+			)
+		}
+	}
+
+	messageMaxAge := hdlr.parseDurationConfig(
+		"MESSAGE_MAX_AGE",
+		hdlr.params.Config.MessageMaxAge,
+	)
+	if messageMaxAge > 0 {
+		msgCutoff := time.Now().Add(-messageMaxAge)
+
+		pruned, err := hdlr.params.Database.
+			PruneOldMessages(ctx, msgCutoff)
+		if err != nil {
+			hdlr.log.Error(
+				"message pruning failed", "error", err,
+			)
+		} else if pruned > 0 {
+			hdlr.log.Info(
+				"pruned old messages",
+				"deleted", pruned,
+			)
+		}
+	}
+
+	// Prune spent hashcash tokens older than 1 year.
+	hashcashCutoff := time.Now().Add(-spentHashcashTTL)
+
+	pruned, err := hdlr.params.Database.
+		PruneSpentHashcash(ctx, hashcashCutoff)
+	if err != nil {
+		hdlr.log.Error(
+			"spent hashcash pruning failed", "error", err,
+		)
+	} else if pruned > 0 {
+		hdlr.log.Info(
+			"pruned spent hashcash tokens",
+			"deleted", pruned,
+		)
+	}
 }

internal/handlers/healthcheck.go

@@ -12,7 +12,7 @@ func (hdlr *Handlers) HandleHealthCheck() http.HandlerFunc {
 		writer http.ResponseWriter,
 		request *http.Request,
 	) {
-		resp := hdlr.hc.Healthcheck()
+		resp := hdlr.hc.Healthcheck(request.Context())
 		hdlr.respondJSON(writer, request, resp, httpStatusOK)
 	}
 }

internal/hashcash/channel.go

@@ -0,0 +1,186 @@
+package hashcash
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+)
+
+var (
+	errBodyHashMismatch = errors.New(
+		"body hash mismatch",
+	)
+	errBodyHashMissing = errors.New(
+		"body hash missing",
+	)
+)
+
+// ChannelValidator checks hashcash stamps for
+// per-channel PRIVMSG validation. It verifies that
+// stamps are bound to a specific channel and message
+// body. Replay prevention is handled externally via
+// the database spent_hashcash table for persistence
+// across server restarts (1-year TTL).
+type ChannelValidator struct{}
+
+// NewChannelValidator creates a ChannelValidator.
+func NewChannelValidator() *ChannelValidator {
+	return &ChannelValidator{}
+}
+
+// BodyHash computes the hex-encoded SHA-256 hash of a
+// message body for use in hashcash stamp validation.
+func BodyHash(body []byte) string {
+	hash := sha256.Sum256(body)
+
+	return hex.EncodeToString(hash[:])
+}
+
+// ValidateStamp checks a channel hashcash stamp. It
+// verifies the stamp format, difficulty, date, channel
+// binding, body hash binding, and proof-of-work. Replay
+// detection is NOT performed here — callers must check
+// the spent_hashcash table separately.
+//
+// Stamp format: 1:bits:YYMMDD:channel:bodyhash:counter.
+func (cv *ChannelValidator) ValidateStamp(
+	stamp string,
+	requiredBits int,
+	channel string,
+	bodyHash string,
+) error {
+	if requiredBits <= 0 {
+		return nil
+	}
+
+	parts := strings.Split(stamp, ":")
+	if len(parts) != stampFields {
+		return fmt.Errorf(
+			"%w: expected %d, got %d",
+			errInvalidFields, stampFields, len(parts),
+		)
+	}
+
+	version := parts[0]
+	bitsStr := parts[1]
+	dateStr := parts[2]
+	resource := parts[3]
+	stampBodyHash := parts[4]
+
+	headerErr := validateChannelHeader(
+		version, bitsStr, resource,
+		requiredBits, channel,
+	)
+	if headerErr != nil {
+		return headerErr
+	}
+
+	stampTime, parseErr := parseStampDate(dateStr)
+	if parseErr != nil {
+		return parseErr
+	}
+
+	timeErr := validateTime(stampTime)
+	if timeErr != nil {
+		return timeErr
+	}
+
+	bodyErr := validateBodyHash(
+		stampBodyHash, bodyHash,
+	)
+	if bodyErr != nil {
+		return bodyErr
+	}
+
+	return validateProof(stamp, requiredBits)
+}
+
+// StampHash returns a deterministic hash of a stamp
+// string for use as a spent-token key.
+func StampHash(stamp string) string {
+	hash := sha256.Sum256([]byte(stamp))
+
+	return hex.EncodeToString(hash[:])
+}
+
+func validateChannelHeader(
+	version, bitsStr, resource string,
+	requiredBits int,
+	channel string,
+) error {
+	if version != stampVersion {
+		return fmt.Errorf(
+			"%w: %s", errBadVersion, version,
+		)
+	}
+
+	claimedBits, err := strconv.Atoi(bitsStr)
+	if err != nil || claimedBits < requiredBits {
+		return fmt.Errorf(
+			"%w: need %d bits",
+			errInsufficientBits, requiredBits,
+		)
+	}
+
+	if resource != channel {
+		return fmt.Errorf(
+			"%w: got %q, want %q",
+			errWrongResource, resource, channel,
+		)
+	}
+
+	return nil
+}
+
+func validateBodyHash(
+	stampBodyHash, expectedBodyHash string,
+) error {
+	if stampBodyHash == "" {
+		return errBodyHashMissing
+	}
+
+	if stampBodyHash != expectedBodyHash {
+		return fmt.Errorf(
+			"%w: got %q, want %q",
+			errBodyHashMismatch,
+			stampBodyHash, expectedBodyHash,
+		)
+	}
+
+	return nil
+}
+
+// MintChannelStamp computes a channel hashcash stamp
+// with the given difficulty, channel name, and body hash.
+// This is intended for clients to generate stamps before
+// sending PRIVMSG to hashcash-protected channels.
+//
+// Stamp format: 1:bits:YYMMDD:channel:bodyhash:counter.
+func MintChannelStamp(
+	bits int,
+	channel string,
+	bodyHash string,
+) string {
+	date := time.Now().UTC().Format(dateFormatShort)
+	prefix := fmt.Sprintf(
+		"1:%d:%s:%s:%s:",
+		bits, date, channel, bodyHash,
+	)
+
+	counter := uint64(0)
+
+	for {
+		stamp := prefix + strconv.FormatUint(counter, 16)
+		hash := sha256.Sum256([]byte(stamp))
+
+		if hasLeadingZeroBits(hash[:], bits) {
+			return stamp
+		}
+
+		counter++
+	}
+}

internal/hashcash/channel_test.go

@@ -0,0 +1,244 @@
+package hashcash_test
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
+)
+
+const (
+	testChannel  = "#general"
+	testBodyText = `["hello world"]`
+)
+
+func testBodyHash() string {
+	hash := sha256.Sum256([]byte(testBodyText))
+
+	return hex.EncodeToString(hash[:])
+}
+
+func TestChannelValidateHappyPath(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err != nil {
+		t.Fatalf("valid channel stamp rejected: %v", err)
+	}
+}
+
+func TestChannelValidateWrongChannel(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	err := validator.ValidateStamp(
+		stamp, testBits, "#other", bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected channel mismatch error")
+	}
+}
+
+func TestChannelValidateWrongBodyHash(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	wrongHash := sha256.Sum256([]byte("different body"))
+	wrongBodyHash := hex.EncodeToString(wrongHash[:])
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, wrongBodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected body hash mismatch error")
+	}
+}
+
+func TestChannelValidateInsufficientBits(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	// Mint with 2 bits but require 4.
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	err := validator.ValidateStamp(
+		stamp, 4, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected insufficient bits error")
+	}
+}
+
+func TestChannelValidateZeroBitsSkips(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+
+	err := validator.ValidateStamp(
+		"garbage", 0, "#ch", "abc",
+	)
+	if err != nil {
+		t.Fatalf("zero bits should skip: %v", err)
+	}
+}
+
+func TestChannelValidateBadFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+
+	err := validator.ValidateStamp(
+		"not:valid", testBits, testChannel, "abc",
+	)
+	if err == nil {
+		t.Fatal("expected bad format error")
+	}
+}
+
+func TestChannelValidateBadVersion(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	stamp := "2:2:260317:#general:" + bodyHash + ":counter"
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected bad version error")
+	}
+}
+
+func TestChannelValidateExpiredStamp(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	// Mint with a very old date by manually constructing.
+	stamp := mintStampWithDate(
+		t, testBits, testChannel, "200101",
+	)
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected expired stamp error")
+	}
+}
+
+func TestChannelValidateMissingBodyHash(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewChannelValidator()
+	bodyHash := testBodyHash()
+
+	// Construct a stamp with empty body hash field.
+	stamp := mintStampWithDate(
+		t, testBits, testChannel, todayDate(),
+	)
+
+	// This uses the session-style stamp which has empty
+	// ext field — body hash is missing.
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err == nil {
+		t.Fatal("expected missing body hash error")
+	}
+}
+
+func TestBodyHash(t *testing.T) {
+	t.Parallel()
+
+	body := []byte(`["hello world"]`)
+	bodyHash := hashcash.BodyHash(body)
+
+	if len(bodyHash) != 64 {
+		t.Fatalf(
+			"expected 64-char hex hash, got %d",
+			len(bodyHash),
+		)
+	}
+
+	// Same input should produce same hash.
+	bodyHash2 := hashcash.BodyHash(body)
+	if bodyHash != bodyHash2 {
+		t.Fatal("body hash not deterministic")
+	}
+
+	// Different input should produce different hash.
+	bodyHash3 := hashcash.BodyHash([]byte("different"))
+	if bodyHash == bodyHash3 {
+		t.Fatal("different inputs produced same hash")
+	}
+}
+
+func TestStampHash(t *testing.T) {
+	t.Parallel()
+
+	hash1 := hashcash.StampHash("stamp1")
+	hash2 := hashcash.StampHash("stamp2")
+
+	if hash1 == hash2 {
+		t.Fatal("different stamps produced same hash")
+	}
+
+	// Same input should be deterministic.
+	hash1b := hashcash.StampHash("stamp1")
+	if hash1 != hash1b {
+		t.Fatal("stamp hash not deterministic")
+	}
+}
+
+func TestMintChannelStamp(t *testing.T) {
+	t.Parallel()
+
+	bodyHash := testBodyHash()
+	stamp := hashcash.MintChannelStamp(
+		testBits, testChannel, bodyHash,
+	)
+
+	if stamp == "" {
+		t.Fatal("expected non-empty stamp")
+	}
+
+	// Validate the minted stamp.
+	validator := hashcash.NewChannelValidator()
+
+	err := validator.ValidateStamp(
+		stamp, testBits, testChannel, bodyHash,
+	)
+	if err != nil {
+		t.Fatalf("minted stamp failed validation: %v", err)
+	}
+}

internal/hashcash/hashcash.go

@@ -0,0 +1,277 @@
+// Package hashcash implements SHA-256-based hashcash
+// proof-of-work validation for abuse prevention.
+//
+// Stamp format: 1:bits:YYMMDD:resource::counter.
+//
+// The SHA-256 hash of the entire stamp string must have
+// at least `bits` leading zero bits.
+package hashcash
+
+import (
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	// stampVersion is the only supported hashcash version.
+	stampVersion = "1"
+	// stampFields is the number of fields in a stamp.
+	stampFields = 6
+	// maxStampAge is how old a stamp can be before
+	// rejection.
+	maxStampAge = 48 * time.Hour
+	// maxFutureSkew allows stamps slightly in the future.
+	maxFutureSkew = 1 * time.Hour
+	// pruneInterval controls how often expired stamps are
+	// removed from the spent set.
+	pruneInterval = 10 * time.Minute
+	// dateFormatShort is the YYMMDD date layout.
+	dateFormatShort = "060102"
+	// dateFormatLong is the YYMMDDHHMMSS date layout.
+	dateFormatLong = "060102150405"
+	// dateShortLen is the length of YYMMDD.
+	dateShortLen = 6
+	// dateLongLen is the length of YYMMDDHHMMSS.
+	dateLongLen = 12
+	// bitsPerByte is the number of bits in a byte.
+	bitsPerByte = 8
+	// fullByteMask is 0xFF, a mask for all bits in a byte.
+	fullByteMask = 0xFF
+)
+
+var (
+	errInvalidFields    = errors.New("invalid stamp field count")
+	errBadVersion       = errors.New("unsupported stamp version")
+	errInsufficientBits = errors.New("insufficient difficulty")
+	errWrongResource    = errors.New("wrong resource")
+	errStampExpired     = errors.New("stamp expired")
+	errStampFuture      = errors.New("stamp date in future")
+	errProofFailed      = errors.New("proof-of-work failed")
+	errStampReused      = errors.New("stamp already used")
+	errBadDateFormat    = errors.New("unrecognized date format")
+)
+
+// Validator checks hashcash stamps for validity and
+// prevents replay attacks via an in-memory spent set.
+type Validator struct {
+	resource string
+	mu       sync.Mutex
+	spent    map[string]time.Time
+}
+
+// NewValidator creates a Validator for the given resource.
+func NewValidator(resource string) *Validator {
+	validator := &Validator{
+		resource: resource,
+		mu:       sync.Mutex{},
+		spent:    make(map[string]time.Time),
+	}
+
+	go validator.pruneLoop()
+
+	return validator
+}
+
+// Validate checks a hashcash stamp. It returns nil if the
+// stamp is valid and has not been seen before.
+func (v *Validator) Validate(
+	stamp string,
+	requiredBits int,
+) error {
+	if requiredBits <= 0 {
+		return nil
+	}
+
+	parts := strings.Split(stamp, ":")
+	if len(parts) != stampFields {
+		return fmt.Errorf(
+			"%w: expected %d, got %d",
+			errInvalidFields, stampFields, len(parts),
+		)
+	}
+
+	version := parts[0]
+	bitsStr := parts[1]
+	dateStr := parts[2]
+	resource := parts[3]
+
+	if err := v.validateHeader(
+		version, bitsStr, resource, requiredBits,
+	); err != nil {
+		return err
+	}
+
+	stampTime, err := parseStampDate(dateStr)
+	if err != nil {
+		return err
+	}
+
+	if err := validateTime(stampTime); err != nil {
+		return err
+	}
+
+	if err := validateProof(
+		stamp, requiredBits,
+	); err != nil {
+		return err
+	}
+
+	return v.checkAndRecordStamp(stamp, stampTime)
+}
+
+func (v *Validator) validateHeader(
+	version, bitsStr, resource string,
+	requiredBits int,
+) error {
+	if version != stampVersion {
+		return fmt.Errorf(
+			"%w: %s", errBadVersion, version,
+		)
+	}
+
+	claimedBits, err := strconv.Atoi(bitsStr)
+	if err != nil || claimedBits < requiredBits {
+		return fmt.Errorf(
+			"%w: need %d bits",
+			errInsufficientBits, requiredBits,
+		)
+	}
+
+	if resource != v.resource {
+		return fmt.Errorf(
+			"%w: got %q, want %q",
+			errWrongResource, resource, v.resource,
+		)
+	}
+
+	return nil
+}
+
+func validateTime(stampTime time.Time) error {
+	now := time.Now()
+
+	if now.Sub(stampTime) > maxStampAge {
+		return errStampExpired
+	}
+
+	if stampTime.Sub(now) > maxFutureSkew {
+		return errStampFuture
+	}
+
+	return nil
+}
+
+func validateProof(stamp string, requiredBits int) error {
+	hash := sha256.Sum256([]byte(stamp))
+	if !hasLeadingZeroBits(hash[:], requiredBits) {
+		return fmt.Errorf(
+			"%w: need %d leading zero bits",
+			errProofFailed, requiredBits,
+		)
+	}
+
+	return nil
+}
+
+func (v *Validator) checkAndRecordStamp(
+	stamp string,
+	stampTime time.Time,
+) error {
+	v.mu.Lock()
+	defer v.mu.Unlock()
+
+	if _, ok := v.spent[stamp]; ok {
+		return errStampReused
+	}
+
+	v.spent[stamp] = stampTime
+
+	return nil
+}
+
+// hasLeadingZeroBits checks if the hash has at least n
+// leading zero bits.
+func hasLeadingZeroBits(hash []byte, numBits int) bool {
+	fullBytes := numBits / bitsPerByte
+	remainBits := numBits % bitsPerByte
+
+	for idx := range fullBytes {
+		if hash[idx] != 0 {
+			return false
+		}
+	}
+
+	if remainBits > 0 && fullBytes < len(hash) {
+		mask := byte(
+			fullByteMask << (bitsPerByte - remainBits),
+		)
+
+		if hash[fullBytes]&mask != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+// parseStampDate parses a hashcash date stamp.
+// Supports YYMMDD and YYMMDDHHMMSS formats.
+func parseStampDate(dateStr string) (time.Time, error) {
+	switch len(dateStr) {
+	case dateShortLen:
+		parsed, err := time.Parse(
+			dateFormatShort, dateStr,
+		)
+		if err != nil {
+			return time.Time{}, fmt.Errorf(
+				"parse date: %w", err,
+			)
+		}
+
+		return parsed, nil
+	case dateLongLen:
+		parsed, err := time.Parse(
+			dateFormatLong, dateStr,
+		)
+		if err != nil {
+			return time.Time{}, fmt.Errorf(
+				"parse date: %w", err,
+			)
+		}
+
+		return parsed, nil
+	default:
+		return time.Time{}, fmt.Errorf(
+			"%w: %q", errBadDateFormat, dateStr,
+		)
+	}
+}
+
+// pruneLoop periodically removes expired stamps from the
+// spent set.
+func (v *Validator) pruneLoop() {
+	ticker := time.NewTicker(pruneInterval)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		v.prune()
+	}
+}
+
+func (v *Validator) prune() {
+	cutoff := time.Now().Add(-maxStampAge)
+
+	v.mu.Lock()
+	defer v.mu.Unlock()
+
+	for stamp, stampTime := range v.spent {
+		if stampTime.Before(cutoff) {
+			delete(v.spent, stamp)
+		}
+	}
+}

internal/hashcash/hashcash_test.go

@@ -0,0 +1,261 @@
+package hashcash_test
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"math/big"
+	"testing"
+	"time"
+
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
+)
+
+const testBits = 2
+
+// mintStampWithDate creates a valid hashcash stamp using
+// the given date string.
+func mintStampWithDate(
+	tb testing.TB,
+	bits int,
+	resource string,
+	date string,
+) string {
+	tb.Helper()
+
+	prefix := fmt.Sprintf(
+		"1:%d:%s:%s::", bits, date, resource,
+	)
+
+	for {
+		counterVal, err := rand.Int(
+			rand.Reader, big.NewInt(1<<48),
+		)
+		if err != nil {
+			tb.Fatalf("random counter: %v", err)
+		}
+
+		stamp := prefix + hex.EncodeToString(
+			counterVal.Bytes(),
+		)
+		hash := sha256.Sum256([]byte(stamp))
+
+		if hasLeadingZeroBits(hash[:], bits) {
+			return stamp
+		}
+	}
+}
+
+// hasLeadingZeroBits checks if hash has at least numBits
+// leading zero bits. Duplicated here for test minting.
+func hasLeadingZeroBits(
+	hash []byte,
+	numBits int,
+) bool {
+	fullBytes := numBits / 8
+	remainBits := numBits % 8
+
+	for idx := range fullBytes {
+		if hash[idx] != 0 {
+			return false
+		}
+	}
+
+	if remainBits > 0 && fullBytes < len(hash) {
+		mask := byte(0xFF << (8 - remainBits))
+
+		if hash[fullBytes]&mask != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+func todayDate() string {
+	return time.Now().UTC().Format("060102")
+}
+
+func TestMintAndValidate(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf("valid stamp rejected: %v", err)
+	}
+}
+
+func TestReplayDetection(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf("first use failed: %v", err)
+	}
+
+	err = validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("replay not detected")
+	}
+}
+
+func TestResourceMismatch(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("correct-resource")
+	stamp := mintStampWithDate(
+		t, testBits, "wrong-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected resource mismatch error")
+	}
+}
+
+func TestInvalidStampFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+
+	err := validator.Validate(
+		"not:a:valid:stamp", testBits,
+	)
+	if err == nil {
+		t.Fatal("expected error for bad format")
+	}
+}
+
+func TestBadVersion(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := fmt.Sprintf(
+		"2:%d:%s:%s::abc123",
+		testBits, todayDate(), "test-resource",
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected bad version error")
+	}
+}
+
+func TestInsufficientDifficulty(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	// Claimed bits=1, but we require testBits=2.
+	stamp := fmt.Sprintf(
+		"1:1:%s:%s::counter",
+		todayDate(), "test-resource",
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected insufficient bits error")
+	}
+}
+
+func TestExpiredStamp(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	oldDate := time.Now().Add(-72 * time.Hour).
+		UTC().Format("060102")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", oldDate,
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected expired stamp error")
+	}
+}
+
+func TestZeroBitsSkipsValidation(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+
+	err := validator.Validate("garbage", 0)
+	if err != nil {
+		t.Fatalf("zero bits should skip: %v", err)
+	}
+}
+
+func TestLongDateFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	longDate := time.Now().UTC().Format("060102150405")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", longDate,
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf("long date stamp rejected: %v", err)
+	}
+}
+
+func TestBadDateFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := fmt.Sprintf(
+		"1:%d:BADDATE:%s::counter",
+		testBits, "test-resource",
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected bad date error")
+	}
+}
+
+func TestMultipleUniqueStamps(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+
+	for range 5 {
+		stamp := mintStampWithDate(
+			t, testBits, "test-resource", todayDate(),
+		)
+
+		err := validator.Validate(stamp, testBits)
+		if err != nil {
+			t.Fatalf("unique stamp rejected: %v", err)
+		}
+	}
+}
+
+func TestHigherBitsStillValid(t *testing.T) {
+	t.Parallel()
+
+	// Mint with bits=4 but validate requiring only 2.
+	validator := hashcash.NewValidator("test-resource")
+	stamp := mintStampWithDate(
+		t, 4, "test-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf(
+			"higher-difficulty stamp rejected: %v",
+			err,
+		)
+	}
+}

internal/healthcheck/healthcheck.go

@@ -6,10 +6,11 @@ import (
 	"log/slog"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/config"
-	"git.eeqj.de/sneak/chat/internal/db"
-	"git.eeqj.de/sneak/chat/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -21,6 +22,7 @@ type Params struct {
 	Config   *config.Config
 	Logger   *logger.Logger
 	Database *db.Database
+	Stats    *stats.Tracker
 }
 
 // Healthcheck tracks server uptime and provides health status.
@@ -64,11 +66,22 @@ type Response struct {
 	Version       string `json:"version"`
 	Appname       string `json:"appname"`
 	Maintenance   bool   `json:"maintenanceMode"`
+
+	// Runtime statistics.
+	Sessions             int64 `json:"sessions"`
+	Clients              int64 `json:"clients"`
+	QueuedLines          int64 `json:"queuedLines"`
+	Channels             int64 `json:"channels"`
+	ConnectionsSinceBoot int64 `json:"connectionsSinceBoot"`
+	SessionsSinceBoot    int64 `json:"sessionsSinceBoot"`
+	MessagesSinceBoot    int64 `json:"messagesSinceBoot"`
 }
 
 // Healthcheck returns the current health status of the server.
-func (hcheck *Healthcheck) Healthcheck() *Response {
-	return &Response{
+func (hcheck *Healthcheck) Healthcheck(
+	ctx context.Context,
+) *Response {
+	resp := &Response{
 		Status:        "ok",
 		Now:           time.Now().UTC().Format(time.RFC3339Nano),
 		UptimeSeconds: int64(hcheck.uptime().Seconds()),
@@ -76,6 +89,64 @@ func (hcheck *Healthcheck) Healthcheck() *Response {
 		Appname:       hcheck.params.Globals.Appname,
 		Version:       hcheck.params.Globals.Version,
 		Maintenance:   hcheck.params.Config.MaintenanceMode,
+
+		Sessions:             0,
+		Clients:              0,
+		QueuedLines:          0,
+		Channels:             0,
+		ConnectionsSinceBoot: hcheck.params.Stats.ConnectionsSinceBoot(),
+		SessionsSinceBoot:    hcheck.params.Stats.SessionsSinceBoot(),
+		MessagesSinceBoot:    hcheck.params.Stats.MessagesSinceBoot(),
+	}
+
+	hcheck.populateDBStats(ctx, resp)
+
+	return resp
+}
+
+// populateDBStats fills in database-derived counters.
+func (hcheck *Healthcheck) populateDBStats(
+	ctx context.Context,
+	resp *Response,
+) {
+	sessions, err := hcheck.params.Database.GetUserCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: session count failed",
+			"error", err,
+		)
+	} else {
+		resp.Sessions = sessions
+	}
+
+	clients, err := hcheck.params.Database.GetClientCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: client count failed",
+			"error", err,
+		)
+	} else {
+		resp.Clients = clients
+	}
+
+	queued, err := hcheck.params.Database.GetQueueEntryCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: queue entry count failed",
+			"error", err,
+		)
+	} else {
+		resp.QueuedLines = queued
+	}
+
+	channels, err := hcheck.params.Database.GetChannelCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: channel count failed",
+			"error", err,
+		)
+	} else {
+		resp.Channels = channels
 	}
 }
 

internal/ircserver/conn.go

@@ -0,0 +1,501 @@
+package ircserver
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"log/slog"
+	"net"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"git.eeqj.de/sneak/neoirc/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/service"
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
+)
+
+const (
+	maxLineLen     = 512
+	readTimeout    = 5 * time.Minute
+	writeTimeout   = 30 * time.Second
+	dnsTimeout     = 3 * time.Second
+	pollInterval   = 100 * time.Millisecond
+	pingInterval   = 90 * time.Second
+	pongDeadline   = 30 * time.Second
+	maxNickLen     = 32
+	minPasswordLen = 8
+)
+
+// cmdHandler is the signature for registered IRC command
+// handlers.
+type cmdHandler func(ctx context.Context, msg *Message)
+
+// Conn represents a single IRC client TCP connection.
+type Conn struct {
+	conn      net.Conn
+	log       *slog.Logger
+	database  *db.Database
+	brk       *broker.Broker
+	cfg       *config.Config
+	svc       *service.Service
+	serverSfx string
+	commands  map[string]cmdHandler
+
+	mu        sync.Mutex
+	nick      string
+	username  string
+	realname  string
+	hostname  string
+	remoteIP  string
+	sessionID int64
+	clientID  int64
+
+	registered bool
+	gotNick    bool
+	gotUser    bool
+	passWord   string
+
+	lastQueueID int64
+	closed      bool
+	cancel      context.CancelFunc
+}
+
+func newConn(
+	ctx context.Context,
+	tcpConn net.Conn,
+	log *slog.Logger,
+	database *db.Database,
+	brk *broker.Broker,
+	cfg *config.Config,
+	svc *service.Service,
+) *Conn {
+	host, _, _ := net.SplitHostPort(tcpConn.RemoteAddr().String())
+
+	srvName := cfg.ServerName
+	if srvName == "" {
+		srvName = "neoirc"
+	}
+
+	conn := &Conn{ //nolint:exhaustruct // zero-value defaults
+		conn:      tcpConn,
+		log:       log,
+		database:  database,
+		brk:       brk,
+		cfg:       cfg,
+		svc:       svc,
+		serverSfx: srvName,
+		remoteIP:  host,
+		hostname:  resolveHost(ctx, host),
+	}
+
+	conn.commands = conn.buildCommandMap()
+
+	return conn
+}
+
+// buildCommandMap returns a map from IRC command strings
+// to handler functions.
+func (c *Conn) buildCommandMap() map[string]cmdHandler {
+	return map[string]cmdHandler{
+		irc.CmdPing: func(_ context.Context, msg *Message) {
+			c.handlePing(msg)
+		},
+		"PONG":         func(context.Context, *Message) {},
+		irc.CmdNick:    c.handleNick,
+		irc.CmdPrivmsg: c.handlePrivmsg,
+		irc.CmdNotice:  c.handlePrivmsg,
+		irc.CmdJoin:    c.handleJoin,
+		irc.CmdPart:    c.handlePart,
+		irc.CmdQuit: func(_ context.Context, msg *Message) {
+			c.handleQuit(msg)
+		},
+		irc.CmdTopic:  c.handleTopic,
+		irc.CmdMode:   c.handleMode,
+		irc.CmdNames:  c.handleNames,
+		irc.CmdList:   func(ctx context.Context, _ *Message) { c.handleList(ctx) },
+		irc.CmdWhois:  c.handleWhois,
+		irc.CmdWho:    c.handleWho,
+		irc.CmdLusers: func(ctx context.Context, _ *Message) { c.handleLusers(ctx) },
+		irc.CmdMotd:   func(context.Context, *Message) { c.deliverMOTD() },
+		irc.CmdOper:   c.handleOper,
+		irc.CmdAway:   c.handleAway,
+		irc.CmdKick:   c.handleKick,
+		irc.CmdPass:   c.handlePassPostReg,
+		"INVITE":      c.handleInvite,
+		"CAP": func(_ context.Context, msg *Message) {
+			c.handleCAP(msg)
+		},
+		"USERHOST": c.handleUserhost,
+	}
+}
+
+// resolveHost does a reverse DNS lookup, returning the IP
+// on failure.
+func resolveHost(ctx context.Context, addr string) string {
+	ctx, cancel := context.WithTimeout(ctx, dnsTimeout)
+	defer cancel()
+
+	resolver := &net.Resolver{} //nolint:exhaustruct
+
+	names, err := resolver.LookupAddr(ctx, addr)
+	if err != nil || len(names) == 0 {
+		return addr
+	}
+
+	return strings.TrimSuffix(names[0], ".")
+}
+
+// serve is the main loop for a single IRC client connection.
+func (c *Conn) serve(ctx context.Context) {
+	ctx, c.cancel = context.WithCancel(ctx)
+	defer c.cleanup(ctx)
+
+	scanner := bufio.NewScanner(c.conn)
+	scanner.Buffer(make([]byte, maxLineLen), maxLineLen)
+
+	for {
+		_ = c.conn.SetReadDeadline(
+			time.Now().Add(readTimeout),
+		)
+
+		if !scanner.Scan() {
+			return
+		}
+
+		line := scanner.Text()
+		if line == "" {
+			continue
+		}
+
+		msg := ParseMessage(line)
+		if msg == nil {
+			continue
+		}
+
+		c.handleMessage(ctx, msg)
+
+		if c.closed {
+			return
+		}
+	}
+}
+
+func (c *Conn) cleanup(ctx context.Context) {
+	c.mu.Lock()
+	wasRegistered := c.registered
+	sessID := c.sessionID
+	nick := c.nick
+	c.closed = true
+	c.mu.Unlock()
+
+	if wasRegistered && sessID > 0 {
+		c.svc.BroadcastQuit(
+			ctx, sessID, nick, "Connection closed",
+		)
+	}
+
+	c.conn.Close() //nolint:errcheck,gosec
+}
+
+// send writes a formatted IRC line to the connection.
+func (c *Conn) send(line string) {
+	_ = c.conn.SetWriteDeadline(
+		time.Now().Add(writeTimeout),
+	)
+
+	_, _ = fmt.Fprintf(c.conn, "%s\r\n", line)
+}
+
+// sendNumeric sends a numeric reply from the server.
+func (c *Conn) sendNumeric(
+	code irc.IRCMessageType,
+	params ...string,
+) {
+	nick := c.nick
+	if nick == "" {
+		nick = "*"
+	}
+
+	allParams := make([]string, 0, 1+len(params))
+	allParams = append(allParams, nick)
+	allParams = append(allParams, params...)
+
+	c.send(FormatMessage(
+		c.serverSfx, code.Code(), allParams...,
+	))
+}
+
+// sendFromServer sends a message from the server.
+func (c *Conn) sendFromServer(
+	command string, params ...string,
+) {
+	c.send(FormatMessage(c.serverSfx, command, params...))
+}
+
+// hostmask returns the client's full hostmask
+// (nick!user@host).
+func (c *Conn) hostmask() string {
+	user := c.username
+	if user == "" {
+		user = c.nick
+	}
+
+	host := c.hostname
+	if host == "" {
+		host = c.remoteIP
+	}
+
+	return c.nick + "!" + user + "@" + host
+}
+
+// handleMessage dispatches a parsed IRC message using
+// the command handler map.
+func (c *Conn) handleMessage(
+	ctx context.Context,
+	msg *Message,
+) {
+	// Before registration, only NICK, USER, PASS, PING,
+	// QUIT, and CAP are accepted.
+	if !c.registered {
+		c.handlePreRegistration(ctx, msg)
+
+		return
+	}
+
+	handler, ok := c.commands[msg.Command]
+	if !ok {
+		c.sendNumeric(
+			irc.ErrUnknownCommand,
+			msg.Command, "Unknown command",
+		)
+
+		return
+	}
+
+	handler(ctx, msg)
+}
+
+// handlePreRegistration handles messages before the
+// connection is registered (NICK+USER received).
+func (c *Conn) handlePreRegistration(
+	ctx context.Context,
+	msg *Message,
+) {
+	switch msg.Command {
+	case irc.CmdPass:
+		if len(msg.Params) < 1 {
+			c.sendNumeric(
+				irc.ErrNeedMoreParams,
+				"PASS", "Not enough parameters",
+			)
+
+			return
+		}
+
+		c.passWord = msg.Params[0]
+	case irc.CmdNick:
+		if len(msg.Params) < 1 {
+			c.sendNumeric(
+				irc.ErrNoNicknameGiven,
+				"No nickname given",
+			)
+
+			return
+		}
+
+		c.nick = msg.Params[0]
+		if len(c.nick) > maxNickLen {
+			c.nick = c.nick[:maxNickLen]
+		}
+
+		c.gotNick = true
+	case irc.CmdUser:
+		if len(msg.Params) < 4 { //nolint:mnd
+			c.sendNumeric(
+				irc.ErrNeedMoreParams,
+				"USER", "Not enough parameters",
+			)
+
+			return
+		}
+
+		c.username = msg.Params[0]
+		c.realname = msg.Params[3]
+		c.gotUser = true
+	case irc.CmdPing:
+		c.handlePing(msg)
+
+		return
+	case irc.CmdQuit:
+		c.handleQuit(msg)
+
+		return
+	case "CAP":
+		c.handleCAP(msg)
+
+		return
+	default:
+		c.sendNumeric(
+			irc.ErrNotRegistered,
+			"You have not registered",
+		)
+
+		return
+	}
+
+	// Try to complete registration once we have both
+	// NICK and USER.
+	if c.gotNick && c.gotUser {
+		c.completeRegistration(ctx)
+	}
+}
+
+// completeRegistration creates a session and sends the
+// welcome burst.
+func (c *Conn) completeRegistration(ctx context.Context) {
+	// Check if nick is valid.
+	if c.nick == "" {
+		c.sendNumeric(
+			irc.ErrNoNicknameGiven, "No nickname given",
+		)
+
+		return
+	}
+
+	// Create session in DB.
+	sessionID, clientID, _, err := c.database.CreateSession(
+		ctx, c.nick, c.username, c.hostname, c.remoteIP,
+	)
+	if err != nil {
+		if strings.Contains(err.Error(), "UNIQUE constraint") ||
+			strings.Contains(err.Error(), "nick") {
+			c.sendNumeric(
+				irc.ErrNicknameInUse,
+				c.nick, "Nickname is already in use",
+			)
+
+			return
+		}
+
+		c.log.Error(
+			"failed to create session", "error", err,
+		)
+		c.send("ERROR :Internal server error")
+		c.closed = true
+
+		return
+	}
+
+	c.mu.Lock()
+	c.sessionID = sessionID
+	c.clientID = clientID
+	c.registered = true
+	c.mu.Unlock()
+
+	// If PASS was provided before registration, set the
+	// session password.
+	if c.passWord != "" && len(c.passWord) >= minPasswordLen {
+		c.setPassword(ctx, c.passWord)
+	}
+
+	// Send welcome burst.
+	c.deliverWelcome()
+	c.deliverLusers(ctx)
+	c.deliverMOTD()
+
+	// Start the message relay goroutine.
+	go c.relayMessages(ctx)
+}
+
+// deliverWelcome sends 001-005 welcome numerics.
+func (c *Conn) deliverWelcome() {
+	c.sendNumeric(irc.RplWelcome, fmt.Sprintf(
+		"Welcome to the %s Network, %s",
+		c.serverSfx, c.hostmask(),
+	))
+	c.sendNumeric(irc.RplYourHost, fmt.Sprintf(
+		"Your host is %s, running version neoirc",
+		c.serverSfx,
+	))
+	c.sendNumeric(
+		irc.RplCreated,
+		"This server was created recently",
+	)
+	c.sendNumeric(
+		irc.RplMyInfo,
+		c.serverSfx, "neoirc", "", "mnst",
+	)
+	c.sendNumeric(
+		irc.RplIsupport,
+		"CHANTYPES=#",
+		"NICKLEN=32",
+		"PREFIX=(ov)@+",
+		"CHANMODES=,,H,mnst",
+		"NETWORK="+c.serverSfx,
+		"are supported by this server",
+	)
+}
+
+// deliverLusers sends 251/252/254/255 server statistics.
+func (c *Conn) deliverLusers(ctx context.Context) {
+	users, _ := c.database.GetUserCount(ctx)
+	opers, _ := c.database.GetOperCount(ctx)
+	channels, _ := c.database.GetChannelCount(ctx)
+
+	c.sendNumeric(irc.RplLuserClient, fmt.Sprintf(
+		"There are %d users and 0 invisible on 1 servers",
+		users,
+	))
+	c.sendNumeric(
+		irc.RplLuserOp,
+		strconv.FormatInt(opers, 10),
+		"operator(s) online",
+	)
+	c.sendNumeric(
+		irc.RplLuserChannels,
+		strconv.FormatInt(channels, 10),
+		"channels formed",
+	)
+	c.sendNumeric(irc.RplLuserMe, fmt.Sprintf(
+		"I have %d clients and 1 servers", users,
+	))
+}
+
+// deliverMOTD sends 375/372/376 MOTD lines.
+func (c *Conn) deliverMOTD() {
+	motd := c.cfg.MOTD
+	if motd == "" {
+		c.sendNumeric(
+			irc.ErrNoMotd, "MOTD File is missing",
+		)
+
+		return
+	}
+
+	c.sendNumeric(irc.RplMotdStart, fmt.Sprintf(
+		"- %s Message of the Day -", c.serverSfx,
+	))
+
+	for _, line := range strings.Split(motd, "\n") {
+		c.sendNumeric(irc.RplMotd, "- "+line)
+	}
+
+	c.sendNumeric(
+		irc.RplEndOfMotd, "End of /MOTD command",
+	)
+}
+
+// setPassword sets a bcrypt password on the session.
+func (c *Conn) setPassword(ctx context.Context, pw string) {
+	// Use the database's auth module to hash and store.
+	err := c.database.SetPassword(ctx, c.sessionID, pw)
+	if err != nil {
+		c.log.Error(
+			"failed to set password", "error", err,
+		)
+	}
+}

internal/ircserver/export_test.go

@@ -0,0 +1,52 @@
+package ircserver
+
+import (
+	"context"
+	"log/slog"
+	"net"
+
+	"git.eeqj.de/sneak/neoirc/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/service"
+)
+
+// NewTestServer creates a Server suitable for testing.
+// The caller must call Stop() when finished.
+func NewTestServer(
+	log *slog.Logger,
+	cfg *config.Config,
+	database *db.Database,
+	brk *broker.Broker,
+) *Server {
+	svc := &service.Service{
+		DB:     database,
+		Broker: brk,
+		Config: cfg,
+		Log:    log,
+	}
+
+	return &Server{ //nolint:exhaustruct
+		log:      log,
+		cfg:      cfg,
+		database: database,
+		brk:      brk,
+		svc:      svc,
+		conns:    make(map[*Conn]struct{}),
+	}
+}
+
+// Start exposes the unexported start method for tests.
+func (s *Server) Start(addr string) error {
+	return s.start(context.Background(), addr)
+}
+
+// Stop exposes the unexported stop method for tests.
+func (s *Server) Stop() {
+	s.stop()
+}
+
+// Listener returns the server's net.Listener for tests.
+func (s *Server) Listener() net.Listener {
+	return s.listener
+}

internal/ircserver/parser.go

@@ -0,0 +1,123 @@
+// Package ircserver implements a traditional IRC wire protocol
+// listener (RFC 1459/2812) that bridges to the neoirc HTTP/JSON
+// server internals.
+package ircserver
+
+import "strings"
+
+// Message represents a parsed IRC wire protocol message.
+type Message struct {
+	// Prefix is the optional :prefix at the start (may be
+	// empty for client-to-server messages).
+	Prefix string
+	// Command is the IRC command (e.g., "PRIVMSG", "NICK").
+	Command string
+	// Params holds the positional parameters, including the
+	// trailing parameter (which was preceded by ':' on the
+	// wire).
+	Params []string
+}
+
+// ParseMessage parses a single IRC wire protocol line
+// (without the trailing CR-LF) into a Message.
+// Returns nil if the line is empty.
+//
+// IRC message format (RFC 1459 §2.3.1):
+//
+//	[":" prefix SPACE] command { SPACE param } [SPACE ":" trailing]
+func ParseMessage(line string) *Message {
+	if line == "" {
+		return nil
+	}
+
+	msg := &Message{} //nolint:exhaustruct // fields set below
+
+	// Extract prefix if present.
+	if line[0] == ':' {
+		idx := strings.IndexByte(line, ' ')
+		if idx < 0 {
+			// Only a prefix, no command — invalid.
+			return nil
+		}
+
+		msg.Prefix = line[1:idx]
+		line = line[idx+1:]
+	}
+
+	// Skip leading spaces.
+	line = strings.TrimLeft(line, " ")
+	if line == "" {
+		return nil
+	}
+
+	// Extract command.
+	idx := strings.IndexByte(line, ' ')
+	if idx < 0 {
+		msg.Command = strings.ToUpper(line)
+
+		return msg
+	}
+
+	msg.Command = strings.ToUpper(line[:idx])
+	line = line[idx+1:]
+
+	// Extract parameters.
+	for line != "" {
+		line = strings.TrimLeft(line, " ")
+		if line == "" {
+			break
+		}
+
+		// Trailing parameter (everything after ':').
+		if line[0] == ':' {
+			msg.Params = append(msg.Params, line[1:])
+
+			break
+		}
+
+		idx = strings.IndexByte(line, ' ')
+		if idx < 0 {
+			msg.Params = append(msg.Params, line)
+
+			break
+		}
+
+		msg.Params = append(msg.Params, line[:idx])
+		line = line[idx+1:]
+	}
+
+	return msg
+}
+
+// FormatMessage formats an IRC message into wire protocol
+// format (without the trailing CR-LF).
+func FormatMessage(
+	prefix, command string,
+	params ...string,
+) string {
+	var buf strings.Builder
+
+	if prefix != "" {
+		buf.WriteByte(':')
+		buf.WriteString(prefix)
+		buf.WriteByte(' ')
+	}
+
+	buf.WriteString(command)
+
+	for i, param := range params {
+		buf.WriteByte(' ')
+
+		isLast := i == len(params)-1
+		needsColon := strings.Contains(param, " ") ||
+			param == "" || param[0] == ':'
+
+		if isLast && needsColon {
+			buf.WriteByte(':')
+		}
+
+		buf.WriteString(param)
+	}
+
+	return buf.String()
+}

internal/ircserver/parser_test.go

@@ -0,0 +1,328 @@
+package ircserver_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/ircserver"
+)
+
+//nolint:funlen // table-driven test
+func TestParseMessage(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		input   string
+		want    *ircserver.Message
+		wantNil bool
+	}{
+		{
+			name:    "empty",
+			input:   "",
+			want:    nil,
+			wantNil: true,
+		},
+		{
+			name:  "simple command",
+			input: "PING",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "PING",
+				Params:  nil,
+			},
+			wantNil: false,
+		},
+		{
+			name:  "command with one param",
+			input: "NICK alice",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "NICK",
+				Params:  []string{"alice"},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "command case insensitive",
+			input: "nick Alice",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "NICK",
+				Params:  []string{"Alice"},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "privmsg with trailing",
+			input: "PRIVMSG #general :hello world",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "PRIVMSG",
+				Params:  []string{"#general", "hello world"},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "with prefix",
+			input: ":server.example.com 001 alice :Welcome to IRC",
+			want: &ircserver.Message{
+				Prefix:  "server.example.com",
+				Command: "001",
+				Params:  []string{"alice", "Welcome to IRC"},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "user command",
+			input: "USER alice 0 * :Alice Smith",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "USER",
+				Params: []string{
+					"alice", "0", "*", "Alice Smith",
+				},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "join channel",
+			input: "JOIN #general",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "JOIN",
+				Params:  []string{"#general"},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "quit with trailing",
+			input: "QUIT :leaving now",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "QUIT",
+				Params:  []string{"leaving now"},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "quit without reason",
+			input: "QUIT",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "QUIT",
+				Params:  nil,
+			},
+			wantNil: false,
+		},
+		{
+			name:  "mode query",
+			input: "MODE #general",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "MODE",
+				Params:  []string{"#general"},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "kick with reason",
+			input: "KICK #general bob :misbehaving",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "KICK",
+				Params: []string{
+					"#general", "bob", "misbehaving",
+				},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "empty trailing",
+			input: "PRIVMSG #general :",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "PRIVMSG",
+				Params:  []string{"#general", ""},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "pass command",
+			input: "PASS mysecret",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "PASS",
+				Params:  []string{"mysecret"},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "ping with server",
+			input: "PING :irc.example.com",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "PING",
+				Params:  []string{"irc.example.com"},
+			},
+			wantNil: false,
+		},
+		{
+			name:  "topic with trailing spaces",
+			input: "TOPIC #general :Welcome to the channel!",
+			want: &ircserver.Message{
+				Prefix:  "",
+				Command: "TOPIC",
+				Params: []string{
+					"#general",
+					"Welcome to the channel!",
+				},
+			},
+			wantNil: false,
+		},
+	}
+
+	for _, testCase := range tests {
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := ircserver.ParseMessage(testCase.input)
+			if testCase.wantNil {
+				if got != nil {
+					t.Fatalf("expected nil, got %+v", got)
+				}
+
+				return
+			}
+
+			if got == nil {
+				t.Fatal("expected non-nil message")
+			}
+
+			if got.Prefix != testCase.want.Prefix {
+				t.Errorf(
+					"prefix: got %q, want %q",
+					got.Prefix, testCase.want.Prefix,
+				)
+			}
+
+			if got.Command != testCase.want.Command {
+				t.Errorf(
+					"command: got %q, want %q",
+					got.Command, testCase.want.Command,
+				)
+			}
+
+			if len(got.Params) != len(testCase.want.Params) {
+				t.Fatalf(
+					"params length: got %d, want %d (%v vs %v)",
+					len(got.Params),
+					len(testCase.want.Params),
+					got.Params,
+					testCase.want.Params,
+				)
+			}
+
+			for i, p := range got.Params {
+				if p != testCase.want.Params[i] {
+					t.Errorf(
+						"param[%d]: got %q, want %q",
+						i, p, testCase.want.Params[i],
+					)
+				}
+			}
+		})
+	}
+}
+
+func TestFormatMessage(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		prefix  string
+		command string
+		params  []string
+		want    string
+	}{
+		{
+			name:    "simple command",
+			prefix:  "",
+			command: "PING",
+			params:  nil,
+			want:    "PING",
+		},
+		{
+			name:    "with prefix",
+			prefix:  "server",
+			command: "PONG",
+			params:  []string{"server"},
+			want:    ":server PONG server",
+		},
+		{
+			name:    "privmsg with trailing",
+			prefix:  "alice!alice@host",
+			command: "PRIVMSG",
+			params:  []string{"#general", "hello world"},
+			want:    ":alice!alice@host PRIVMSG #general :hello world",
+		},
+		{
+			name:    "numeric reply",
+			prefix:  "server",
+			command: "001",
+			params:  []string{"alice", "Welcome to IRC"},
+			want:    ":server 001 alice :Welcome to IRC",
+		},
+		{
+			name:    "empty trailing",
+			prefix:  "server",
+			command: "PRIVMSG",
+			params:  []string{"#chan", ""},
+			want:    ":server PRIVMSG #chan :",
+		},
+	}
+
+	for _, testCase := range tests {
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := ircserver.FormatMessage(
+				testCase.prefix, testCase.command, testCase.params...,
+			)
+			if got != testCase.want {
+				t.Errorf("got %q, want %q", got, testCase.want)
+			}
+		})
+	}
+}
+
+func TestParseFormatRoundTrip(t *testing.T) {
+	t.Parallel()
+
+	// Round-trip only works for lines where the last
+	// parameter either contains a space (gets ':' prefix
+	// on format) or is a non-trailing single token.
+	lines := []string{
+		"PING",
+		"NICK alice",
+		"PRIVMSG #general :hello world",
+		"JOIN #general",
+		"MODE #general",
+	}
+
+	for _, line := range lines {
+		msg := ircserver.ParseMessage(line)
+		if msg == nil {
+			t.Fatalf("failed to parse: %q", line)
+		}
+
+		formatted := ircserver.FormatMessage(
+			msg.Prefix, msg.Command, msg.Params...,
+		)
+		if formatted != line {
+			t.Errorf(
+				"round-trip failed: input %q, got %q",
+				line, formatted,
+			)
+		}
+	}
+}

internal/ircserver/relay.go

@@ -0,0 +1,319 @@
+package ircserver
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+	"time"
+
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
+)
+
+// relayMessages polls the client output queue and delivers
+// IRC-formatted messages to the TCP connection.  It runs
+// in a goroutine for the lifetime of the connection.
+func (c *Conn) relayMessages(ctx context.Context) {
+	// Use a ticker as a fallback; primary wakeup is via
+	// broker notification.
+	ticker := time.NewTicker(pollInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		default:
+		}
+
+		// Drain any available messages.
+		delivered := c.drainQueue(ctx)
+
+		if delivered {
+			// Tight loop while there are messages.
+			continue
+		}
+
+		// Wait for notification or timeout.
+		waitCh := c.brk.Wait(c.sessionID)
+
+		select {
+		case <-waitCh:
+			// New message notification — loop back.
+		case <-ticker.C:
+			// Periodic check.
+		case <-ctx.Done():
+			c.brk.Remove(c.sessionID, waitCh)
+
+			return
+		}
+	}
+}
+
+const relayPollLimit = 100
+
+// drainQueue polls the output queue and delivers all
+// pending messages.  Returns true if at least one message
+// was delivered.
+func (c *Conn) drainQueue(ctx context.Context) bool {
+	msgs, lastID, err := c.database.PollMessages(
+		ctx, c.clientID, c.lastQueueID, relayPollLimit,
+	)
+	if err != nil {
+		return false
+	}
+
+	if len(msgs) == 0 {
+		return false
+	}
+
+	for i := range msgs {
+		c.deliverIRCMessage(ctx, &msgs[i])
+	}
+
+	if lastID > c.lastQueueID {
+		c.lastQueueID = lastID
+	}
+
+	return true
+}
+
+// deliverIRCMessage converts a db.IRCMessage to wire
+// protocol and sends it.
+//
+//nolint:cyclop // dispatch table
+func (c *Conn) deliverIRCMessage(
+	_ context.Context,
+	msg *db.IRCMessage,
+) {
+	command := msg.Command
+
+	// Decode body as []string for the trailing text.
+	var bodyLines []string
+
+	if msg.Body != nil {
+		_ = json.Unmarshal(msg.Body, &bodyLines)
+	}
+
+	text := ""
+	if len(bodyLines) > 0 {
+		text = bodyLines[0]
+	}
+
+	// Route by command type.
+	switch {
+	case isNumeric(command):
+		c.deliverNumeric(msg, text)
+	case command == irc.CmdPrivmsg || command == irc.CmdNotice:
+		c.deliverTextMessage(msg, command, text)
+	case command == irc.CmdJoin:
+		c.deliverJoin(msg)
+	case command == irc.CmdPart:
+		c.deliverPart(msg, text)
+	case command == irc.CmdNick:
+		c.deliverNickChange(msg, text)
+	case command == irc.CmdQuit:
+		c.deliverQuitMsg(msg, text)
+	case command == irc.CmdTopic:
+		c.deliverTopicChange(msg, text)
+	case command == irc.CmdKick:
+		c.deliverKickMsg(msg, text)
+	case command == "INVITE":
+		c.deliverInviteMsg(msg, text)
+	case command == irc.CmdMode:
+		c.deliverMode(msg, text)
+	case command == irc.CmdPing:
+		// Server-originated PING — reply with PONG.
+		c.sendFromServer("PING", c.serverSfx)
+	default:
+		// Unknown command — deliver as server notice.
+		if text != "" {
+			c.sendFromServer("NOTICE", c.nick, text)
+		}
+	}
+}
+
+// isNumeric returns true if the command is a 3-digit
+// numeric code.
+func isNumeric(cmd string) bool {
+	return len(cmd) == 3 &&
+		cmd[0] >= '0' && cmd[0] <= '9' &&
+		cmd[1] >= '0' && cmd[1] <= '9' &&
+		cmd[2] >= '0' && cmd[2] <= '9'
+}
+
+// deliverNumeric sends a numeric reply.
+func (c *Conn) deliverNumeric(
+	msg *db.IRCMessage,
+	text string,
+) {
+	from := msg.From
+	if from == "" {
+		from = c.serverSfx
+	}
+
+	var params []string
+
+	if msg.Params != nil {
+		_ = json.Unmarshal(msg.Params, &params)
+	}
+
+	allParams := make([]string, 0, 1+len(params)+1)
+	allParams = append(allParams, c.nick)
+	allParams = append(allParams, params...)
+
+	if text != "" {
+		allParams = append(allParams, text)
+	}
+
+	c.send(FormatMessage(from, msg.Command, allParams...))
+}
+
+// deliverTextMessage sends PRIVMSG or NOTICE.
+func (c *Conn) deliverTextMessage(
+	msg *db.IRCMessage,
+	command, text string,
+) {
+	from := msg.From
+	target := msg.To
+
+	// Don't echo our own messages back.
+	if strings.EqualFold(from, c.nick) {
+		return
+	}
+
+	prefix := from
+	if !strings.Contains(prefix, "!") {
+		prefix = from + "!" + from + "@*"
+	}
+
+	c.send(FormatMessage(prefix, command, target, text))
+}
+
+// deliverJoin sends a JOIN notification.
+func (c *Conn) deliverJoin(msg *db.IRCMessage) {
+	// Don't echo our own JOINs (we already sent them
+	// during joinChannel).
+	if strings.EqualFold(msg.From, c.nick) {
+		return
+	}
+
+	prefix := msg.From + "!" + msg.From + "@*"
+	channel := msg.To
+
+	c.send(FormatMessage(prefix, "JOIN", channel))
+}
+
+// deliverPart sends a PART notification.
+func (c *Conn) deliverPart(msg *db.IRCMessage, text string) {
+	if strings.EqualFold(msg.From, c.nick) {
+		return
+	}
+
+	prefix := msg.From + "!" + msg.From + "@*"
+	channel := msg.To
+
+	if text != "" {
+		c.send(FormatMessage(
+			prefix, "PART", channel, text,
+		))
+	} else {
+		c.send(FormatMessage(prefix, "PART", channel))
+	}
+}
+
+// deliverNickChange sends a NICK change notification.
+func (c *Conn) deliverNickChange(
+	msg *db.IRCMessage,
+	newNick string,
+) {
+	if strings.EqualFold(msg.From, c.nick) {
+		return
+	}
+
+	prefix := msg.From + "!" + msg.From + "@*"
+
+	c.send(FormatMessage(prefix, "NICK", newNick))
+}
+
+// deliverQuitMsg sends a QUIT notification.
+func (c *Conn) deliverQuitMsg(
+	msg *db.IRCMessage,
+	text string,
+) {
+	if strings.EqualFold(msg.From, c.nick) {
+		return
+	}
+
+	prefix := msg.From + "!" + msg.From + "@*"
+
+	if text != "" {
+		c.send(FormatMessage(
+			prefix, "QUIT", "Quit: "+text,
+		))
+	} else {
+		c.send(FormatMessage(prefix, "QUIT", "Quit"))
+	}
+}
+
+// deliverTopicChange sends a TOPIC change notification.
+func (c *Conn) deliverTopicChange(
+	msg *db.IRCMessage,
+	text string,
+) {
+	prefix := msg.From + "!" + msg.From + "@*"
+	channel := msg.To
+
+	c.send(FormatMessage(prefix, "TOPIC", channel, text))
+}
+
+// deliverKickMsg sends a KICK notification.
+func (c *Conn) deliverKickMsg(
+	msg *db.IRCMessage,
+	text string,
+) {
+	prefix := msg.From + "!" + msg.From + "@*"
+	channel := msg.To
+
+	var params []string
+
+	if msg.Params != nil {
+		_ = json.Unmarshal(msg.Params, &params)
+	}
+
+	kickTarget := ""
+	if len(params) > 0 {
+		kickTarget = params[0]
+	}
+
+	if kickTarget != "" {
+		c.send(FormatMessage(
+			prefix, "KICK", channel, kickTarget, text,
+		))
+	} else {
+		c.send(FormatMessage(
+			prefix, "KICK", channel, "?", text,
+		))
+	}
+}
+
+// deliverInviteMsg sends an INVITE notification.
+func (c *Conn) deliverInviteMsg(
+	_ *db.IRCMessage,
+	text string,
+) {
+	c.sendFromServer("NOTICE", c.nick, text)
+}
+
+// deliverMode sends a MODE change notification.
+func (c *Conn) deliverMode(
+	msg *db.IRCMessage,
+	text string,
+) {
+	prefix := msg.From + "!" + msg.From + "@*"
+	target := msg.To
+
+	if text != "" {
+		c.send(FormatMessage(prefix, "MODE", target, text))
+	}
+}

internal/ircserver/server.go

@@ -0,0 +1,157 @@
+package ircserver
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net"
+	"sync"
+
+	"git.eeqj.de/sneak/neoirc/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/service"
+	"go.uber.org/fx"
+)
+
+// Params defines the dependencies for creating an IRC
+// Server.
+type Params struct {
+	fx.In
+
+	Logger   *logger.Logger
+	Config   *config.Config
+	Database *db.Database
+	Broker   *broker.Broker
+	Service  *service.Service
+}
+
+// Server is the TCP IRC protocol server.
+type Server struct {
+	log      *slog.Logger
+	cfg      *config.Config
+	database *db.Database
+	brk      *broker.Broker
+	svc      *service.Service
+	listener net.Listener
+	mu       sync.Mutex
+	conns    map[*Conn]struct{}
+	cancel   context.CancelFunc
+}
+
+// New creates a new IRC Server and registers its lifecycle
+// hooks.  The listener is only started if IRC_LISTEN_ADDR
+// is configured; otherwise the server is inert.
+func New(
+	lifecycle fx.Lifecycle,
+	params Params,
+) *Server {
+	srv := &Server{
+		log:      params.Logger.Get(),
+		cfg:      params.Config,
+		database: params.Database,
+		brk:      params.Broker,
+		svc:      params.Service,
+		conns:    make(map[*Conn]struct{}),
+		listener: nil,
+		cancel:   nil,
+		mu:       sync.Mutex{},
+	}
+
+	listenAddr := params.Config.IRCListenAddr
+	if listenAddr == "" {
+		return srv
+	}
+
+	lifecycle.Append(fx.Hook{
+		OnStart: func(ctx context.Context) error {
+			return srv.start(ctx, listenAddr)
+		},
+		OnStop: func(_ context.Context) error {
+			srv.stop()
+
+			return nil
+		},
+	})
+
+	return srv
+}
+
+// start begins listening for TCP connections.
+//
+//nolint:contextcheck // long-lived server ctx, not the short Fx one
+func (s *Server) start(_ context.Context, addr string) error {
+	ln, err := net.Listen("tcp", addr)
+	if err != nil {
+		return fmt.Errorf("irc listen: %w", err)
+	}
+
+	s.listener = ln
+
+	ctx, cancel := context.WithCancel(context.Background())
+	s.cancel = cancel
+
+	s.log.Info(
+		"irc server listening", "addr", addr,
+	)
+
+	go s.acceptLoop(ctx)
+
+	return nil
+}
+
+// stop shuts down the listener and all connections.
+func (s *Server) stop() {
+	if s.cancel != nil {
+		s.cancel()
+	}
+
+	if s.listener != nil {
+		s.listener.Close() //nolint:errcheck,gosec
+	}
+
+	s.mu.Lock()
+	for c := range s.conns {
+		c.conn.Close() //nolint:errcheck,gosec
+	}
+	s.mu.Unlock()
+}
+
+// acceptLoop accepts new connections.
+func (s *Server) acceptLoop(ctx context.Context) {
+	for {
+		tcpConn, err := s.listener.Accept()
+		if err != nil {
+			select {
+			case <-ctx.Done():
+				return
+			default:
+				s.log.Error(
+					"irc accept error", "error", err,
+				)
+
+				continue
+			}
+		}
+
+		client := newConn(
+			ctx, tcpConn, s.log,
+			s.database, s.brk, s.cfg, s.svc,
+		)
+
+		s.mu.Lock()
+		s.conns[client] = struct{}{}
+		s.mu.Unlock()
+
+		go func() {
+			defer func() {
+				s.mu.Lock()
+				delete(s.conns, client)
+				s.mu.Unlock()
+			}()
+
+			client.serve(ctx)
+		}()
+	}
+}

internal/ircserver/server_test.go

@@ -0,0 +1,625 @@
+package ircserver_test
+
+import (
+	"bufio"
+	"database/sql"
+	"fmt"
+	"log/slog"
+	"net"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"git.eeqj.de/sneak/neoirc/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/ircserver"
+
+	_ "modernc.org/sqlite"
+)
+
+const testTimeout = 5 * time.Second
+
+func TestMain(m *testing.M) {
+	db.SetBcryptCost(4)
+
+	os.Exit(m.Run())
+}
+
+// testEnv holds the shared test infrastructure.
+type testEnv struct {
+	database *db.Database
+	brk      *broker.Broker
+	cfg      *config.Config
+	srv      *ircserver.Server
+}
+
+func newTestEnv(t *testing.T) *testEnv {
+	t.Helper()
+
+	dsn := fmt.Sprintf(
+		"file:%s?mode=memory&cache=shared&_journal_mode=WAL",
+		t.Name(),
+	)
+
+	conn, err := sql.Open("sqlite", dsn)
+	if err != nil {
+		t.Fatalf("open db: %v", err)
+	}
+
+	conn.SetMaxOpenConns(1)
+
+	_, err = conn.ExecContext(
+		t.Context(), "PRAGMA foreign_keys = ON",
+	)
+	if err != nil {
+		t.Fatalf("pragma: %v", err)
+	}
+
+	database := db.NewTestDatabaseFromConn(conn)
+
+	err = database.RunMigrations(t.Context())
+	if err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	brk := broker.New()
+
+	cfg := &config.Config{ //nolint:exhaustruct
+		ServerName: "test.irc",
+		MOTD:       "Welcome to test IRC",
+	}
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listen: %v", err)
+	}
+
+	addr := listener.Addr().String()
+
+	err = listener.Close()
+	if err != nil {
+		t.Fatalf("close listener: %v", err)
+	}
+
+	log := slog.New(slog.NewTextHandler(
+		os.Stderr,
+		&slog.HandlerOptions{Level: slog.LevelError}, //nolint:exhaustruct
+	))
+
+	srv := ircserver.NewTestServer(log, cfg, database, brk)
+
+	err = srv.Start(addr)
+	if err != nil {
+		t.Fatalf("start irc server: %v", err)
+	}
+
+	t.Cleanup(func() {
+		srv.Stop()
+
+		err := conn.Close()
+		if err != nil {
+			t.Logf("close db: %v", err)
+		}
+	})
+
+	return &testEnv{
+		database: database,
+		brk:      brk,
+		cfg:      cfg,
+		srv:      srv,
+	}
+}
+
+// dial connects to the test server.
+func (env *testEnv) dial(t *testing.T) *testClient {
+	t.Helper()
+
+	conn, err := net.DialTimeout(
+		"tcp",
+		env.srv.Listener().Addr().String(),
+		testTimeout,
+	)
+	if err != nil {
+		t.Fatalf("dial: %v", err)
+	}
+
+	t.Cleanup(func() {
+		err := conn.Close()
+		if err != nil {
+			t.Logf("close conn: %v", err)
+		}
+	})
+
+	return &testClient{
+		t:       t,
+		conn:    conn,
+		scanner: bufio.NewScanner(conn),
+	}
+}
+
+// testClient wraps a raw TCP connection with helpers.
+type testClient struct {
+	t       *testing.T
+	conn    net.Conn
+	scanner *bufio.Scanner
+}
+
+func (tc *testClient) send(line string) {
+	tc.t.Helper()
+
+	_ = tc.conn.SetWriteDeadline(
+		time.Now().Add(testTimeout),
+	)
+
+	_, err := fmt.Fprintf(tc.conn, "%s\r\n", line)
+	if err != nil {
+		tc.t.Fatalf("send: %v", err)
+	}
+}
+
+func (tc *testClient) readLine() string {
+	tc.t.Helper()
+
+	_ = tc.conn.SetReadDeadline(
+		time.Now().Add(testTimeout),
+	)
+
+	if !tc.scanner.Scan() {
+		err := tc.scanner.Err()
+		if err != nil {
+			tc.t.Fatalf("read: %v", err)
+		}
+
+		tc.t.Fatal("connection closed unexpectedly")
+	}
+
+	return tc.scanner.Text()
+}
+
+// readUntil reads lines until one matches the predicate.
+func (tc *testClient) readUntil(
+	pred func(string) bool,
+) []string {
+	tc.t.Helper()
+
+	var lines []string
+
+	for {
+		line := tc.readLine()
+		lines = append(lines, line)
+
+		if pred(line) {
+			return lines
+		}
+	}
+}
+
+// register sends NICK + USER and reads through the welcome
+// burst.
+func (tc *testClient) register(nick string) []string {
+	tc.t.Helper()
+
+	tc.send("NICK " + nick)
+	tc.send("USER " + nick + " 0 * :Test User")
+
+	return tc.readUntil(func(line string) bool {
+		return strings.Contains(line, " 376 ") ||
+			strings.Contains(line, " 422 ")
+	})
+}
+
+// assertContains checks that at least one line matches the
+// given substring.
+func assertContains(
+	t *testing.T,
+	lines []string,
+	substr, description string,
+) {
+	t.Helper()
+
+	for _, line := range lines {
+		if strings.Contains(line, substr) {
+			return
+		}
+	}
+
+	t.Errorf("did not find %q in output: %s", substr, description)
+}
+
+// joinAndDrain joins a channel and reads until
+// RPL_ENDOFNAMES.
+func (tc *testClient) joinAndDrain(channel string) {
+	tc.t.Helper()
+
+	tc.send("JOIN " + channel)
+
+	tc.readUntil(func(line string) bool {
+		return strings.Contains(line, " 366 ")
+	})
+}
+
+// sendAndExpect sends a command and reads until a line
+// containing the expected substring is found.
+func (tc *testClient) sendAndExpect(
+	cmd, expect string,
+) []string {
+	tc.t.Helper()
+
+	tc.send(cmd)
+
+	return tc.readUntil(func(line string) bool {
+		return strings.Contains(line, expect)
+	})
+}
+
+func TestRegistration(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	lines := client.register("alice")
+	assertContains(t, lines, " 001 ", "RPL_WELCOME")
+}
+
+func TestWelcomeContainsNick(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	lines := client.register("bob")
+
+	for _, line := range lines {
+		if strings.Contains(line, " 001 ") &&
+			!strings.Contains(line, "bob") {
+			t.Errorf("001 should contain nick: %s", line)
+		}
+	}
+}
+
+func TestPingPong(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("pingtest")
+	lines := client.sendAndExpect("PING :hello", "PONG")
+	assertContains(t, lines, "PONG", "PONG response")
+}
+
+func TestJoinChannel(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("joiner")
+	client.send("JOIN #test")
+
+	lines := client.readUntil(func(line string) bool {
+		return strings.Contains(line, " 366 ")
+	})
+
+	assertContains(t, lines, "JOIN", "JOIN echo")
+	assertContains(t, lines, " 366 ", "RPL_ENDOFNAMES")
+}
+
+func TestPrivmsgBetweenClients(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+
+	alice := env.dial(t)
+	alice.register("alice_pm")
+
+	bob := env.dial(t)
+	bob.register("bob_pm")
+
+	alice.joinAndDrain("#chat")
+	bob.joinAndDrain("#chat")
+
+	alice.send("PRIVMSG #chat :hello bob!")
+	lines := bob.sendAndExpect("PING :sync", "hello bob!")
+	assertContains(t, lines, "hello bob!", "channel PRIVMSG")
+}
+
+func TestNickChange(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("oldnick")
+	lines := client.sendAndExpect("NICK newnick", "newnick")
+	assertContains(t, lines, "NICK", "NICK change echo")
+}
+
+func TestDuplicateNick(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+
+	first := env.dial(t)
+	first.register("taken")
+
+	second := env.dial(t)
+	second.send("NICK taken")
+	second.send("USER taken 0 * :Test")
+
+	lines := second.readUntil(func(line string) bool {
+		return strings.Contains(line, " 433 ")
+	})
+
+	assertContains(t, lines, " 433 ", "ERR_NICKNAMEINUSE")
+}
+
+func TestListChannels(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("lister")
+	client.joinAndDrain("#listtest")
+	lines := client.sendAndExpect("LIST", " 323 ")
+	assertContains(t, lines, " 323 ", "RPL_LISTEND") //nolint:misspell // IRC term
+}
+
+func TestWhois(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("whoistest")
+	lines := client.sendAndExpect(
+		"WHOIS whoistest", " 318 ",
+	)
+
+	assertContains(t, lines, " 311 ", "RPL_WHOISUSER")
+	assertContains(t, lines, " 318 ", "RPL_ENDOFWHOIS")
+}
+
+func TestQuit(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("quitter")
+	lines := client.sendAndExpect(
+		"QUIT :goodbye", "ERROR",
+	)
+
+	assertContains(t, lines, "goodbye", "QUIT reason")
+}
+
+func TestTopicSetAndGet(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("topicuser")
+	client.joinAndDrain("#topictest")
+	lines := client.sendAndExpect(
+		"TOPIC #topictest :New topic here",
+		"New topic here",
+	)
+
+	assertContains(
+		t, lines, "New topic here", "TOPIC echo",
+	)
+}
+
+func TestUnknownCommand(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("unknowncmd")
+	lines := client.sendAndExpect("FOOBAR", " 421 ")
+	assertContains(t, lines, " 421 ", "ERR_UNKNOWNCOMMAND")
+}
+
+func TestDirectMessage(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+
+	sender := env.dial(t)
+	sender.register("dmsender")
+
+	receiver := env.dial(t)
+	receiver.register("dmreceiver")
+
+	// Give relay goroutines time to start.
+	time.Sleep(100 * time.Millisecond)
+
+	sender.send("PRIVMSG dmreceiver :hello privately")
+
+	lines := receiver.readUntil(func(line string) bool {
+		return strings.Contains(line, "hello privately")
+	})
+
+	assertContains(
+		t, lines, "hello privately", "direct PRIVMSG",
+	)
+}
+
+func TestCAPNegotiation(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.send("CAP LS 302")
+
+	line := client.readLine()
+	if !strings.Contains(line, "CAP") {
+		t.Errorf("expected CAP response, got: %s", line)
+	}
+
+	client.send("CAP END")
+	lines := client.register("capuser")
+	assertContains(t, lines, " 001 ", "registration after CAP")
+}
+
+func TestPartChannel(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("parter")
+	client.joinAndDrain("#parttest")
+	lines := client.sendAndExpect(
+		"PART #parttest :leaving", "PART",
+	)
+
+	assertContains(t, lines, "#parttest", "PART echo")
+}
+
+func TestModeQuery(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("modeuser")
+	client.joinAndDrain("#modetest")
+	lines := client.sendAndExpect(
+		"MODE #modetest", " 324 ",
+	)
+
+	assertContains(
+		t, lines, " 324 ", "RPL_CHANNELMODEIS",
+	)
+}
+
+func TestWhoChannel(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("whouser")
+	client.joinAndDrain("#whotest")
+	lines := client.sendAndExpect("WHO #whotest", " 315 ")
+	assertContains(t, lines, " 352 ", "RPL_WHOREPLY")
+}
+
+func TestLusers(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("luseruser")
+	lines := client.sendAndExpect("LUSERS", " 255 ")
+	assertContains(t, lines, " 251 ", "RPL_LUSERCLIENT")
+}
+
+func TestMotd(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("motduser")
+	lines := client.sendAndExpect("MOTD", " 376 ")
+	assertContains(t, lines, " 376 ", "RPL_ENDOFMOTD")
+}
+
+func TestAwaySetAndClear(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("awayuser")
+
+	setLines := client.sendAndExpect(
+		"AWAY :brb lunch", " 306 ",
+	)
+	assertContains(t, setLines, " 306 ", "RPL_NOWAWAY")
+
+	clearLines := client.sendAndExpect("AWAY", " 305 ")
+	assertContains(t, clearLines, " 305 ", "RPL_UNAWAY")
+}
+
+func TestHandlePassPostRegistration(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("passuser")
+	lines := client.sendAndExpect(
+		"PASS :mypassword123", "Password set",
+	)
+
+	assertContains(
+		t, lines, "Password set", "password confirmation",
+	)
+}
+
+func TestPreRegistrationNotRegistered(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.send("PRIVMSG #test :hello")
+
+	line := client.readLine()
+	if !strings.Contains(line, " 451 ") {
+		t.Errorf(
+			"expected ERR_NOTREGISTERED (451), got: %s",
+			line,
+		)
+	}
+}
+
+func TestNamesNonExistentChannel(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+	client := env.dial(t)
+
+	client.register("namesuser")
+	lines := client.sendAndExpect(
+		"NAMES #doesnotexist", " 366 ",
+	)
+
+	assertContains(
+		t, lines, " 366 ",
+		"RPL_ENDOFNAMES for non-existent channel",
+	)
+}
+
+func BenchmarkParseMessage(b *testing.B) {
+	line := ":nick!user@host PRIVMSG #channel :Hello, world!"
+
+	b.ResetTimer()
+
+	for range b.N {
+		_ = ircserver.ParseMessage(line)
+	}
+}
+
+func BenchmarkFormatMessage(b *testing.B) {
+	b.ResetTimer()
+
+	for range b.N {
+		_ = ircserver.FormatMessage(
+			"nick!user@host", "PRIVMSG",
+			"#channel", "Hello, world!",
+		)
+	}
+}

internal/logger/logger.go

@@ -5,7 +5,7 @@ import (
 	"log/slog"
 	"os"
 
-	"git.eeqj.de/sneak/chat/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"go.uber.org/fx"
 )
 

internal/middleware/middleware.go

@@ -1,4 +1,4 @@
-// Package middleware provides HTTP middleware for the chat server.
+// Package middleware provides HTTP middleware for the neoirc server.
 package middleware
 
 import (
@@ -7,11 +7,11 @@ import (
 	"net/http"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/config"
-	"git.eeqj.de/sneak/chat/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
 	basicauth "github.com/99designs/basicauth-go"
-	chimw "github.com/go-chi/chi/middleware"
+	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
 	metrics "github.com/slok/go-http-metrics/metrics/prometheus"
 	ghmm "github.com/slok/go-http-metrics/middleware"
@@ -126,36 +126,27 @@ func (mware *Middleware) Logging() func(http.Handler) http.Handler {
 }
 
 // CORS returns middleware that handles Cross-Origin Resource Sharing.
+// AllowCredentials is true so browsers include cookies in
+// cross-origin API requests.
 func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	return cors.Handler(cors.Options{ //nolint:exhaustruct // optional fields
-		AllowedOrigins: []string{"*"},
+		AllowOriginFunc: func(
+			_ *http.Request, _ string,
+		) bool {
+			return true
+		},
 		AllowedMethods: []string{
 			"GET", "POST", "PUT", "DELETE", "OPTIONS",
 		},
 		AllowedHeaders: []string{
-			"Accept", "Authorization",
-			"Content-Type", "X-CSRF-Token",
+			"Accept", "Content-Type", "X-CSRF-Token",
 		},
 		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: false,
+		AllowCredentials: true,
 		MaxAge:           corsMaxAge,
 	})
 }
 
-// Auth returns middleware that performs authentication.
-func (mware *Middleware) Auth() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(
-			func(
-				writer http.ResponseWriter,
-				request *http.Request,
-			) {
-				mware.log.Info("AUTH: before request")
-				next.ServeHTTP(writer, request)
-			})
-	}
-}
-
 // Metrics returns middleware that records HTTP metrics.
 func (mware *Middleware) Metrics() func(http.Handler) http.Handler {
 	metricsMiddleware := ghmm.New(ghmm.Config{ //nolint:exhaustruct // optional fields
@@ -180,3 +171,36 @@ func (mware *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 		},
 	)
 }
+
+// cspPolicy is the Content-Security-Policy header value applied to all
+// responses.  The embedded SPA loads scripts and styles from same-origin
+// files only (no inline scripts or inline style attributes), so a strict
+// policy works without 'unsafe-inline'.
+const cspPolicy = "default-src 'self'; " +
+	"script-src 'self'; " +
+	"style-src 'self'; " +
+	"connect-src 'self'; " +
+	"img-src 'self'; " +
+	"font-src 'self'; " +
+	"object-src 'none'; " +
+	"frame-ancestors 'none'; " +
+	"base-uri 'self'; " +
+	"form-action 'self'"
+
+// CSP returns middleware that sets the Content-Security-Policy header on
+// every response for defense-in-depth against XSS.
+func (mware *Middleware) CSP() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(
+			func(
+				writer http.ResponseWriter,
+				request *http.Request,
+			) {
+				writer.Header().Set(
+					"Content-Security-Policy",
+					cspPolicy,
+				)
+				next.ServeHTTP(writer, request)
+			})
+	}
+}

internal/ratelimit/ratelimit.go

@@ -0,0 +1,122 @@
+// Package ratelimit provides per-IP rate limiting for HTTP endpoints.
+package ratelimit
+
+import (
+	"sync"
+	"time"
+
+	"golang.org/x/time/rate"
+)
+
+const (
+	// DefaultRate is the default number of allowed requests per second.
+	DefaultRate = 1.0
+
+	// DefaultBurst is the default maximum burst size.
+	DefaultBurst = 5
+
+	// DefaultSweepInterval controls how often stale entries are pruned.
+	DefaultSweepInterval = 10 * time.Minute
+
+	// DefaultEntryTTL is how long an unused entry lives before eviction.
+	DefaultEntryTTL = 15 * time.Minute
+)
+
+// entry tracks a per-IP rate limiter and when it was last used.
+type entry struct {
+	limiter  *rate.Limiter
+	lastSeen time.Time
+}
+
+// Limiter manages per-key rate limiters with automatic cleanup
+// of stale entries.
+type Limiter struct {
+	mu       sync.Mutex
+	entries  map[string]*entry
+	rate     rate.Limit
+	burst    int
+	entryTTL time.Duration
+	stopCh   chan struct{}
+}
+
+// New creates a new per-key rate Limiter.
+// The ratePerSec parameter sets how many requests per second are
+// allowed per key.  The burst parameter sets the maximum number of
+// requests that can be made in a single burst.
+func New(ratePerSec float64, burst int) *Limiter {
+	limiter := &Limiter{
+		mu:       sync.Mutex{},
+		entries:  make(map[string]*entry),
+		rate:     rate.Limit(ratePerSec),
+		burst:    burst,
+		entryTTL: DefaultEntryTTL,
+		stopCh:   make(chan struct{}),
+	}
+
+	go limiter.sweepLoop()
+
+	return limiter
+}
+
+// Allow reports whether a request from the given key should be
+// allowed.  It consumes one token from the key's rate limiter.
+func (l *Limiter) Allow(key string) bool {
+	l.mu.Lock()
+	ent, exists := l.entries[key]
+
+	if !exists {
+		ent = &entry{
+			limiter:  rate.NewLimiter(l.rate, l.burst),
+			lastSeen: time.Now(),
+		}
+		l.entries[key] = ent
+	} else {
+		ent.lastSeen = time.Now()
+	}
+	l.mu.Unlock()
+
+	return ent.limiter.Allow()
+}
+
+// Stop terminates the background sweep goroutine.
+func (l *Limiter) Stop() {
+	close(l.stopCh)
+}
+
+// Len returns the number of tracked keys (for testing).
+func (l *Limiter) Len() int {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	return len(l.entries)
+}
+
+// sweepLoop periodically removes entries that haven't been seen
+// within the TTL.
+func (l *Limiter) sweepLoop() {
+	ticker := time.NewTicker(DefaultSweepInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+			l.sweep()
+		case <-l.stopCh:
+			return
+		}
+	}
+}
+
+// sweep removes stale entries.
+func (l *Limiter) sweep() {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	cutoff := time.Now().Add(-l.entryTTL)
+
+	for key, ent := range l.entries {
+		if ent.lastSeen.Before(cutoff) {
+			delete(l.entries, key)
+		}
+	}
+}

internal/ratelimit/ratelimit_test.go

@@ -0,0 +1,106 @@
+package ratelimit_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/ratelimit"
+)
+
+func TestNewCreatesLimiter(t *testing.T) {
+	t.Parallel()
+
+	limiter := ratelimit.New(1.0, 5)
+	defer limiter.Stop()
+
+	if limiter == nil {
+		t.Fatal("expected non-nil limiter")
+	}
+}
+
+func TestAllowWithinBurst(t *testing.T) {
+	t.Parallel()
+
+	limiter := ratelimit.New(1.0, 3)
+	defer limiter.Stop()
+
+	for i := range 3 {
+		if !limiter.Allow("192.168.1.1") {
+			t.Fatalf(
+				"request %d should be allowed within burst",
+				i+1,
+			)
+		}
+	}
+}
+
+func TestAllowExceedsBurst(t *testing.T) {
+	t.Parallel()
+
+	// Rate of 0 means no token replenishment, only burst.
+	limiter := ratelimit.New(0, 3)
+	defer limiter.Stop()
+
+	for range 3 {
+		limiter.Allow("10.0.0.1")
+	}
+
+	if limiter.Allow("10.0.0.1") {
+		t.Fatal("fourth request should be denied after burst exhausted")
+	}
+}
+
+func TestAllowSeparateKeys(t *testing.T) {
+	t.Parallel()
+
+	// Rate of 0, burst of 1 — only one request per key.
+	limiter := ratelimit.New(0, 1)
+	defer limiter.Stop()
+
+	if !limiter.Allow("10.0.0.1") {
+		t.Fatal("first request for key A should be allowed")
+	}
+
+	if !limiter.Allow("10.0.0.2") {
+		t.Fatal("first request for key B should be allowed")
+	}
+
+	if limiter.Allow("10.0.0.1") {
+		t.Fatal("second request for key A should be denied")
+	}
+
+	if limiter.Allow("10.0.0.2") {
+		t.Fatal("second request for key B should be denied")
+	}
+}
+
+func TestLenTracksKeys(t *testing.T) {
+	t.Parallel()
+
+	limiter := ratelimit.New(1.0, 5)
+	defer limiter.Stop()
+
+	if limiter.Len() != 0 {
+		t.Fatalf("expected 0 entries, got %d", limiter.Len())
+	}
+
+	limiter.Allow("10.0.0.1")
+	limiter.Allow("10.0.0.2")
+
+	if limiter.Len() != 2 {
+		t.Fatalf("expected 2 entries, got %d", limiter.Len())
+	}
+
+	// Same key again should not increase count.
+	limiter.Allow("10.0.0.1")
+
+	if limiter.Len() != 2 {
+		t.Fatalf("expected 2 entries, got %d", limiter.Len())
+	}
+}
+
+func TestStopDoesNotPanic(t *testing.T) {
+	t.Parallel()
+
+	limiter := ratelimit.New(1.0, 5)
+	limiter.Stop()
+}

internal/server/routes.go

@@ -5,11 +5,11 @@ import (
 	"net/http"
 	"time"
 
-	"git.eeqj.de/sneak/chat/web"
+	"git.eeqj.de/sneak/neoirc/web"
 
 	sentryhttp "github.com/getsentry/sentry-go/http"
-	"github.com/go-chi/chi"
-	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/spf13/viper"
 )
@@ -29,6 +29,7 @@ func (srv *Server) SetupRoutes() {
 	}
 
 	srv.router.Use(srv.mw.CORS())
+	srv.router.Use(srv.mw.CSP())
 	srv.router.Use(middleware.Timeout(routeTimeout))
 
 	if srv.sentryEnabled {
@@ -74,10 +75,6 @@ func (srv *Server) setupAPIv1(router chi.Router) {
 		"/session",
 		srv.handlers.HandleCreateSession(),
 	)
-	router.Post(
-		"/register",
-		srv.handlers.HandleRegister(),
-	)
 	router.Post(
 		"/login",
 		srv.handlers.HandleLogin(),

internal/server/server.go

@@ -1,4 +1,4 @@
-// Package server implements the main HTTP server for the chat application.
+// Package server implements the main HTTP server for the neoirc application.
 package server
 
 import (
@@ -12,15 +12,15 @@ import (
 	"syscall"
 	"time"
 
-	"git.eeqj.de/sneak/chat/internal/config"
-	"git.eeqj.de/sneak/chat/internal/globals"
-	"git.eeqj.de/sneak/chat/internal/handlers"
-	"git.eeqj.de/sneak/chat/internal/logger"
-	"git.eeqj.de/sneak/chat/internal/middleware"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/handlers"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/middleware"
 	"go.uber.org/fx"
 
 	"github.com/getsentry/sentry-go"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )

internal/service/service.go

@@ -0,0 +1,745 @@
+// Package service provides shared business logic for both
+// the IRC wire protocol and HTTP/JSON transports.
+package service
+
+import (
+	"context"
+	"crypto/subtle"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"strings"
+
+	"git.eeqj.de/sneak/neoirc/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
+	"go.uber.org/fx"
+)
+
+// Params defines the dependencies for creating a Service.
+type Params struct {
+	fx.In
+
+	Logger   *logger.Logger
+	Config   *config.Config
+	Database *db.Database
+	Broker   *broker.Broker
+}
+
+// Service provides shared business logic for IRC commands.
+type Service struct {
+	DB     *db.Database
+	Broker *broker.Broker
+	Config *config.Config
+	Log    *slog.Logger
+}
+
+// New creates a new Service.
+func New(params Params) *Service {
+	return &Service{
+		DB:     params.Database,
+		Broker: params.Broker,
+		Config: params.Config,
+		Log:    params.Logger.Get(),
+	}
+}
+
+// IRCError represents an IRC protocol-level error with a
+// numeric code that both transports can map to responses.
+type IRCError struct {
+	Code    irc.IRCMessageType
+	Params  []string
+	Message string
+}
+
+func (e *IRCError) Error() string { return e.Message }
+
+// JoinResult contains the outcome of a channel join.
+type JoinResult struct {
+	ChannelID int64
+	IsCreator bool
+}
+
+// DirectMsgResult contains the outcome of a direct message.
+type DirectMsgResult struct {
+	UUID    string
+	AwayMsg string
+}
+
+// FanOut inserts a message and enqueues it to all given
+// session IDs, notifying each via the broker.
+func (s *Service) FanOut(
+	ctx context.Context,
+	command, from, to string,
+	params, body, meta json.RawMessage,
+	sessionIDs []int64,
+) (int64, string, error) {
+	dbID, msgUUID, err := s.DB.InsertMessage(
+		ctx, command, from, to, params, body, meta,
+	)
+	if err != nil {
+		return 0, "", fmt.Errorf("insert message: %w", err)
+	}
+
+	for _, sid := range sessionIDs {
+		_ = s.DB.EnqueueToSession(ctx, sid, dbID)
+		s.Broker.Notify(sid)
+	}
+
+	return dbID, msgUUID, nil
+}
+
+// excludeSession returns a copy of ids without the given
+// session.
+func excludeSession(
+	ids []int64,
+	exclude int64,
+) []int64 {
+	out := make([]int64, 0, len(ids))
+
+	for _, id := range ids {
+		if id != exclude {
+			out = append(out, id)
+		}
+	}
+
+	return out
+}
+
+// SendChannelMessage validates membership and moderation,
+// then fans out a message to all channel members except
+// the sender. Returns the database row ID, message UUID,
+// and any error. The dbID lets callers enqueue the same
+// message to the sender when echo is needed (HTTP
+// transport).
+func (s *Service) SendChannelMessage(
+	ctx context.Context,
+	sessionID int64,
+	nick, command, channel string,
+	body, meta json.RawMessage,
+) (int64, string, error) {
+	chID, err := s.DB.GetChannelByName(ctx, channel)
+	if err != nil {
+		return 0, "", &IRCError{
+			irc.ErrNoSuchChannel,
+			[]string{channel},
+			"No such channel",
+		}
+	}
+
+	isMember, _ := s.DB.IsChannelMember(
+		ctx, chID, sessionID,
+	)
+	if !isMember {
+		return 0, "", &IRCError{
+			irc.ErrCannotSendToChan,
+			[]string{channel},
+			"Cannot send to channel",
+		}
+	}
+
+	moderated, _ := s.DB.IsChannelModerated(ctx, chID)
+	if moderated {
+		isOp, _ := s.DB.IsChannelOperator(
+			ctx, chID, sessionID,
+		)
+		isVoiced, _ := s.DB.IsChannelVoiced(
+			ctx, chID, sessionID,
+		)
+
+		if !isOp && !isVoiced {
+			return 0, "", &IRCError{
+				irc.ErrCannotSendToChan,
+				[]string{channel},
+				"Cannot send to channel (+m)",
+			}
+		}
+	}
+
+	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	recipients := excludeSession(memberIDs, sessionID)
+
+	dbID, uuid, fanErr := s.FanOut(
+		ctx, command, nick, channel,
+		nil, body, meta, recipients,
+	)
+	if fanErr != nil {
+		return 0, "", fanErr
+	}
+
+	return dbID, uuid, nil
+}
+
+// SendDirectMessage validates the target and sends a
+// direct message, returning the message UUID and any away
+// message set on the target.
+func (s *Service) SendDirectMessage(
+	ctx context.Context,
+	sessionID int64,
+	nick, command, target string,
+	body, meta json.RawMessage,
+) (*DirectMsgResult, error) {
+	targetSID, err := s.DB.GetSessionByNick(ctx, target)
+	if err != nil {
+		return nil, &IRCError{
+			irc.ErrNoSuchNick,
+			[]string{target},
+			"No such nick",
+		}
+	}
+
+	away, _ := s.DB.GetAway(ctx, targetSID)
+
+	recipients := []int64{targetSID}
+	if targetSID != sessionID {
+		recipients = append(recipients, sessionID)
+	}
+
+	_, uuid, fanErr := s.FanOut(
+		ctx, command, nick, target,
+		nil, body, meta, recipients,
+	)
+	if fanErr != nil {
+		return nil, fanErr
+	}
+
+	return &DirectMsgResult{UUID: uuid, AwayMsg: away}, nil
+}
+
+// JoinChannel creates or joins a channel, making the
+// first joiner the operator. Fans out the JOIN to all
+// channel members.
+func (s *Service) JoinChannel(
+	ctx context.Context,
+	sessionID int64,
+	nick, channel string,
+) (*JoinResult, error) {
+	chID, err := s.DB.GetOrCreateChannel(ctx, channel)
+	if err != nil {
+		return nil, fmt.Errorf("get/create channel: %w", err)
+	}
+
+	memberCount, countErr := s.DB.CountChannelMembers(
+		ctx, chID,
+	)
+	isCreator := countErr == nil && memberCount == 0
+
+	if isCreator {
+		err = s.DB.JoinChannelAsOperator(
+			ctx, chID, sessionID,
+		)
+	} else {
+		err = s.DB.JoinChannel(ctx, chID, sessionID)
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("join channel: %w", err)
+	}
+
+	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	body, _ := json.Marshal([]string{channel}) //nolint:errchkjson
+
+	_, _, _ = s.FanOut( //nolint:dogsled // fire-and-forget broadcast
+		ctx, irc.CmdJoin, nick, channel,
+		nil, body, nil, memberIDs,
+	)
+
+	return &JoinResult{
+		ChannelID: chID,
+		IsCreator: isCreator,
+	}, nil
+}
+
+// PartChannel validates membership, broadcasts PART to
+// remaining members, removes the user, and cleans up empty
+// channels.
+func (s *Service) PartChannel(
+	ctx context.Context,
+	sessionID int64,
+	nick, channel, reason string,
+) error {
+	chID, err := s.DB.GetChannelByName(ctx, channel)
+	if err != nil {
+		return &IRCError{
+			irc.ErrNoSuchChannel,
+			[]string{channel},
+			"No such channel",
+		}
+	}
+
+	isMember, _ := s.DB.IsChannelMember(
+		ctx, chID, sessionID,
+	)
+	if !isMember {
+		return &IRCError{
+			irc.ErrNotOnChannel,
+			[]string{channel},
+			"You're not on that channel",
+		}
+	}
+
+	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	recipients := excludeSession(memberIDs, sessionID)
+	body, _ := json.Marshal([]string{reason}) //nolint:errchkjson
+
+	_, _, _ = s.FanOut( //nolint:dogsled // fire-and-forget broadcast
+		ctx, irc.CmdPart, nick, channel,
+		nil, body, nil, recipients,
+	)
+
+	s.DB.PartChannel(ctx, chID, sessionID) //nolint:errcheck,gosec
+	s.DB.DeleteChannelIfEmpty(ctx, chID)   //nolint:errcheck,gosec
+
+	return nil
+}
+
+// SetTopic validates membership and topic-lock, sets the
+// topic, and broadcasts the change.
+func (s *Service) SetTopic(
+	ctx context.Context,
+	sessionID int64,
+	nick, channel, topic string,
+) error {
+	chID, err := s.DB.GetChannelByName(ctx, channel)
+	if err != nil {
+		return &IRCError{
+			irc.ErrNoSuchChannel,
+			[]string{channel},
+			"No such channel",
+		}
+	}
+
+	isMember, _ := s.DB.IsChannelMember(
+		ctx, chID, sessionID,
+	)
+	if !isMember {
+		return &IRCError{
+			irc.ErrNotOnChannel,
+			[]string{channel},
+			"You're not on that channel",
+		}
+	}
+
+	topicLocked, _ := s.DB.IsChannelTopicLocked(ctx, chID)
+	if topicLocked {
+		isOp, _ := s.DB.IsChannelOperator(
+			ctx, chID, sessionID,
+		)
+		if !isOp {
+			return &IRCError{
+				irc.ErrChanOpPrivsNeeded,
+				[]string{channel},
+				"You're not channel operator",
+			}
+		}
+	}
+
+	if setErr := s.DB.SetTopic(
+		ctx, channel, topic,
+	); setErr != nil {
+		return fmt.Errorf("set topic: %w", setErr)
+	}
+
+	_ = s.DB.SetTopicMeta(ctx, channel, topic, nick)
+
+	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	body, _ := json.Marshal([]string{topic}) //nolint:errchkjson
+
+	_, _, _ = s.FanOut( //nolint:dogsled // fire-and-forget broadcast
+		ctx, irc.CmdTopic, nick, channel,
+		nil, body, nil, memberIDs,
+	)
+
+	return nil
+}
+
+// KickUser validates operator status and target
+// membership, broadcasts the KICK, removes the target,
+// and cleans up empty channels.
+func (s *Service) KickUser(
+	ctx context.Context,
+	sessionID int64,
+	nick, channel, targetNick, reason string,
+) error {
+	chID, err := s.DB.GetChannelByName(ctx, channel)
+	if err != nil {
+		return &IRCError{
+			irc.ErrNoSuchChannel,
+			[]string{channel},
+			"No such channel",
+		}
+	}
+
+	isOp, _ := s.DB.IsChannelOperator(
+		ctx, chID, sessionID,
+	)
+	if !isOp {
+		return &IRCError{
+			irc.ErrChanOpPrivsNeeded,
+			[]string{channel},
+			"You're not channel operator",
+		}
+	}
+
+	targetSID, err := s.DB.GetSessionByNick(
+		ctx, targetNick,
+	)
+	if err != nil {
+		return &IRCError{
+			irc.ErrNoSuchNick,
+			[]string{targetNick},
+			"No such nick/channel",
+		}
+	}
+
+	isMember, _ := s.DB.IsChannelMember(
+		ctx, chID, targetSID,
+	)
+	if !isMember {
+		return &IRCError{
+			irc.ErrUserNotInChannel,
+			[]string{targetNick, channel},
+			"They aren't on that channel",
+		}
+	}
+
+	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	body, _ := json.Marshal([]string{reason}) //nolint:errchkjson
+	params, _ := json.Marshal(                //nolint:errchkjson
+		[]string{targetNick},
+	)
+
+	_, _, _ = s.FanOut( //nolint:dogsled // fire-and-forget broadcast
+		ctx, irc.CmdKick, nick, channel,
+		params, body, nil, memberIDs,
+	)
+
+	s.DB.PartChannel(ctx, chID, targetSID) //nolint:errcheck,gosec
+	s.DB.DeleteChannelIfEmpty(ctx, chID)   //nolint:errcheck,gosec
+
+	return nil
+}
+
+// ChangeNick changes a user's nickname and broadcasts the
+// change to all users sharing channels.
+func (s *Service) ChangeNick(
+	ctx context.Context,
+	sessionID int64,
+	oldNick, newNick string,
+) error {
+	err := s.DB.ChangeNick(ctx, sessionID, newNick)
+	if err != nil {
+		if strings.Contains(err.Error(), "UNIQUE") ||
+			db.IsUniqueConstraintError(err) {
+			return &IRCError{
+				irc.ErrNicknameInUse,
+				[]string{newNick},
+				"Nickname is already in use",
+			}
+		}
+
+		return &IRCError{
+			irc.ErrErroneusNickname,
+			[]string{newNick},
+			"Erroneous nickname",
+		}
+	}
+
+	s.broadcastNickChange(ctx, sessionID, oldNick, newNick)
+
+	return nil
+}
+
+// BroadcastQuit broadcasts a QUIT to all channel peers,
+// parts all channels, and deletes the session. Uses the
+// FanOut pattern: one message row fanned out to all unique
+// peer sessions.
+func (s *Service) BroadcastQuit(
+	ctx context.Context,
+	sessionID int64,
+	nick, reason string,
+) {
+	channels, err := s.DB.GetSessionChannels(
+		ctx, sessionID,
+	)
+	if err != nil {
+		return
+	}
+
+	notified := make(map[int64]bool)
+
+	for _, ch := range channels {
+		memberIDs, memErr := s.DB.GetChannelMemberIDs(
+			ctx, ch.ID,
+		)
+		if memErr != nil {
+			continue
+		}
+
+		for _, mid := range memberIDs {
+			if mid == sessionID || notified[mid] {
+				continue
+			}
+
+			notified[mid] = true
+		}
+	}
+
+	if len(notified) > 0 {
+		recipients := make([]int64, 0, len(notified))
+		for sid := range notified {
+			recipients = append(recipients, sid)
+		}
+
+		body, _ := json.Marshal([]string{reason}) //nolint:errchkjson
+
+		_, _, _ = s.FanOut(
+			ctx, irc.CmdQuit, nick, "",
+			nil, body, nil, recipients,
+		)
+	}
+
+	for _, ch := range channels {
+		s.DB.PartChannel(ctx, ch.ID, sessionID) //nolint:errcheck,gosec
+		s.DB.DeleteChannelIfEmpty(ctx, ch.ID)   //nolint:errcheck,gosec
+	}
+
+	s.DB.DeleteSession(ctx, sessionID) //nolint:errcheck,gosec
+}
+
+// SetAway sets or clears the away message. Returns true
+// if the message was cleared (empty string).
+func (s *Service) SetAway(
+	ctx context.Context,
+	sessionID int64,
+	message string,
+) (bool, error) {
+	err := s.DB.SetAway(ctx, sessionID, message)
+	if err != nil {
+		return false, fmt.Errorf("set away: %w", err)
+	}
+
+	return message == "", nil
+}
+
+// Oper validates operator credentials and grants oper
+// status to the session.
+func (s *Service) Oper(
+	ctx context.Context,
+	sessionID int64,
+	name, password string,
+) error {
+	cfgName := s.Config.OperName
+	cfgPassword := s.Config.OperPassword
+
+	// Use constant-time comparison and return the same
+	// error for all failures to prevent information
+	// leakage about valid operator names.
+	if cfgName == "" || cfgPassword == "" ||
+		subtle.ConstantTimeCompare(
+			[]byte(name), []byte(cfgName),
+		) != 1 ||
+		subtle.ConstantTimeCompare(
+			[]byte(password), []byte(cfgPassword),
+		) != 1 {
+		return &IRCError{
+			irc.ErrNoOperHost,
+			nil,
+			"No O-lines for your host",
+		}
+	}
+
+	_ = s.DB.SetSessionOper(ctx, sessionID, true)
+
+	return nil
+}
+
+// ValidateChannelOp checks that the session is a channel
+// operator. Returns the channel ID.
+func (s *Service) ValidateChannelOp(
+	ctx context.Context,
+	sessionID int64,
+	channel string,
+) (int64, error) {
+	chID, err := s.DB.GetChannelByName(ctx, channel)
+	if err != nil {
+		return 0, &IRCError{
+			irc.ErrNoSuchChannel,
+			[]string{channel},
+			"No such channel",
+		}
+	}
+
+	isOp, _ := s.DB.IsChannelOperator(
+		ctx, chID, sessionID,
+	)
+	if !isOp {
+		return 0, &IRCError{
+			irc.ErrChanOpPrivsNeeded,
+			[]string{channel},
+			"You're not channel operator",
+		}
+	}
+
+	return chID, nil
+}
+
+// ApplyMemberMode applies +o/-o or +v/-v on a channel
+// member after validating the target.
+func (s *Service) ApplyMemberMode(
+	ctx context.Context,
+	chID int64,
+	channel, targetNick string,
+	mode rune,
+	adding bool,
+) error {
+	targetSID, err := s.DB.GetSessionByNick(
+		ctx, targetNick,
+	)
+	if err != nil {
+		return &IRCError{
+			irc.ErrNoSuchNick,
+			[]string{targetNick},
+			"No such nick/channel",
+		}
+	}
+
+	isMember, _ := s.DB.IsChannelMember(
+		ctx, chID, targetSID,
+	)
+	if !isMember {
+		return &IRCError{
+			irc.ErrUserNotInChannel,
+			[]string{targetNick, channel},
+			"They aren't on that channel",
+		}
+	}
+
+	switch mode {
+	case 'o':
+		_ = s.DB.SetChannelMemberOperator(
+			ctx, chID, targetSID, adding,
+		)
+	case 'v':
+		_ = s.DB.SetChannelMemberVoiced(
+			ctx, chID, targetSID, adding,
+		)
+	}
+
+	return nil
+}
+
+// SetChannelFlag applies +m/-m or +t/-t on a channel.
+func (s *Service) SetChannelFlag(
+	ctx context.Context,
+	chID int64,
+	flag rune,
+	setting bool,
+) error {
+	switch flag {
+	case 'm':
+		if err := s.DB.SetChannelModerated(
+			ctx, chID, setting,
+		); err != nil {
+			return fmt.Errorf("set moderated: %w", err)
+		}
+	case 't':
+		if err := s.DB.SetChannelTopicLocked(
+			ctx, chID, setting,
+		); err != nil {
+			return fmt.Errorf("set topic locked: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// BroadcastMode fans out a MODE change to all channel
+// members.
+func (s *Service) BroadcastMode(
+	ctx context.Context,
+	nick, channel string,
+	chID int64,
+	modeText string,
+) {
+	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	body, _ := json.Marshal([]string{modeText}) //nolint:errchkjson
+
+	_, _, _ = s.FanOut( //nolint:dogsled // fire-and-forget broadcast
+		ctx, irc.CmdMode, nick, channel,
+		nil, body, nil, memberIDs,
+	)
+}
+
+// QueryChannelMode returns the channel mode string.
+func (s *Service) QueryChannelMode(
+	ctx context.Context,
+	chID int64,
+) string {
+	modes := "+"
+
+	moderated, _ := s.DB.IsChannelModerated(ctx, chID)
+	if moderated {
+		modes += "m"
+	}
+
+	topicLocked, _ := s.DB.IsChannelTopicLocked(ctx, chID)
+	if topicLocked {
+		modes += "t"
+	}
+
+	return modes
+}
+
+// broadcastNickChange notifies channel peers of a nick
+// change.
+func (s *Service) broadcastNickChange(
+	ctx context.Context,
+	sessionID int64,
+	oldNick, newNick string,
+) {
+	channels, err := s.DB.GetSessionChannels(
+		ctx, sessionID,
+	)
+	if err != nil {
+		return
+	}
+
+	body, _ := json.Marshal([]string{newNick}) //nolint:errchkjson
+	notified := make(map[int64]bool)
+
+	dbID, _, insErr := s.DB.InsertMessage(
+		ctx, irc.CmdNick, oldNick, "",
+		nil, body, nil,
+	)
+	if insErr != nil {
+		return
+	}
+
+	// Notify the user themselves (for multi-client sync).
+	_ = s.DB.EnqueueToSession(ctx, sessionID, dbID)
+	s.Broker.Notify(sessionID)
+	notified[sessionID] = true
+
+	for _, ch := range channels {
+		memberIDs, memErr := s.DB.GetChannelMemberIDs(
+			ctx, ch.ID,
+		)
+		if memErr != nil {
+			continue
+		}
+
+		for _, mid := range memberIDs {
+			if notified[mid] {
+				continue
+			}
+
+			notified[mid] = true
+
+			_ = s.DB.EnqueueToSession(ctx, mid, dbID)
+			s.Broker.Notify(mid)
+		}
+	}
+}

internal/service/service_test.go

@@ -0,0 +1,365 @@
+// Tests use a global viper instance for configuration,
+// making parallel execution unsafe.
+//
+//nolint:paralleltest
+package service_test
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/broker"
+	"git.eeqj.de/sneak/neoirc/internal/config"
+	"git.eeqj.de/sneak/neoirc/internal/db"
+	"git.eeqj.de/sneak/neoirc/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/service"
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
+	"go.uber.org/fx"
+	"go.uber.org/fx/fxtest"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func TestMain(m *testing.M) {
+	db.SetBcryptCost(bcrypt.MinCost)
+	os.Exit(m.Run())
+}
+
+// testEnv holds all dependencies for a service test.
+type testEnv struct {
+	svc    *service.Service
+	db     *db.Database
+	broker *broker.Broker
+	app    *fxtest.App
+}
+
+func newTestEnv(t *testing.T) *testEnv {
+	t.Helper()
+
+	dbURL := fmt.Sprintf(
+		"file:svc_test_%p?mode=memory&cache=shared",
+		t,
+	)
+
+	var (
+		database *db.Database
+		svc      *service.Service
+	)
+
+	brk := broker.New()
+
+	app := fxtest.New(t,
+		fx.Provide(
+			func() *globals.Globals {
+				return &globals.Globals{ //nolint:exhaustruct
+					Appname: "neoirc-test",
+					Version: "test",
+				}
+			},
+			logger.New,
+			func(
+				lifecycle fx.Lifecycle,
+				globs *globals.Globals,
+				log *logger.Logger,
+			) (*config.Config, error) {
+				cfg, err := config.New(
+					lifecycle, config.Params{ //nolint:exhaustruct
+						Globals: globs, Logger: log,
+					},
+				)
+				if err != nil {
+					return nil, fmt.Errorf(
+						"test config: %w", err,
+					)
+				}
+
+				cfg.DBURL = dbURL
+				cfg.Port = 0
+				cfg.OperName = "admin"
+				cfg.OperPassword = "secret"
+
+				return cfg, nil
+			},
+			func(
+				lifecycle fx.Lifecycle,
+				log *logger.Logger,
+				cfg *config.Config,
+			) (*db.Database, error) {
+				return db.New(lifecycle, db.Params{ //nolint:exhaustruct
+					Logger: log, Config: cfg,
+				})
+			},
+			func() *broker.Broker { return brk },
+			service.New,
+		),
+		fx.Populate(&database, &svc),
+	)
+
+	app.RequireStart()
+
+	t.Cleanup(func() {
+		app.RequireStop()
+	})
+
+	return &testEnv{
+		svc:    svc,
+		db:     database,
+		broker: brk,
+		app:    app,
+	}
+}
+
+// createSession is a test helper that creates a session
+// and returns the session ID.
+func createSession(
+	ctx context.Context,
+	t *testing.T,
+	database *db.Database,
+	nick string,
+) int64 {
+	t.Helper()
+
+	sessionID, _, _, err := database.CreateSession(
+		ctx, nick, nick, "localhost", "127.0.0.1",
+	)
+	if err != nil {
+		t.Fatalf("create session %s: %v", nick, err)
+	}
+
+	return sessionID
+}
+
+func TestFanOut(t *testing.T) {
+	env := newTestEnv(t)
+	ctx := t.Context()
+
+	sid1 := createSession(ctx, t, env.db, "alice")
+	sid2 := createSession(ctx, t, env.db, "bob")
+
+	body, _ := json.Marshal([]string{"hello"}) //nolint:errchkjson
+
+	dbID, uuid, err := env.svc.FanOut(
+		ctx, irc.CmdPrivmsg, "alice", "#test",
+		nil, body, nil,
+		[]int64{sid1, sid2},
+	)
+	if err != nil {
+		t.Fatalf("FanOut: %v", err)
+	}
+
+	if dbID == 0 {
+		t.Error("expected non-zero dbID")
+	}
+
+	if uuid == "" {
+		t.Error("expected non-empty UUID")
+	}
+}
+
+func TestJoinChannel(t *testing.T) {
+	env := newTestEnv(t)
+	ctx := t.Context()
+
+	sid := createSession(ctx, t, env.db, "alice")
+
+	result, err := env.svc.JoinChannel(
+		ctx, sid, "alice", "#general",
+	)
+	if err != nil {
+		t.Fatalf("JoinChannel: %v", err)
+	}
+
+	if result.ChannelID == 0 {
+		t.Error("expected non-zero channel ID")
+	}
+
+	if !result.IsCreator {
+		t.Error("first joiner should be creator")
+	}
+
+	// Second user joins — not creator.
+	sid2 := createSession(ctx, t, env.db, "bob")
+
+	result2, err := env.svc.JoinChannel(
+		ctx, sid2, "bob", "#general",
+	)
+	if err != nil {
+		t.Fatalf("JoinChannel bob: %v", err)
+	}
+
+	if result2.IsCreator {
+		t.Error("second joiner should not be creator")
+	}
+
+	if result2.ChannelID != result.ChannelID {
+		t.Error("both should join the same channel")
+	}
+}
+
+func TestPartChannel(t *testing.T) {
+	env := newTestEnv(t)
+	ctx := t.Context()
+
+	sid := createSession(ctx, t, env.db, "alice")
+
+	_, err := env.svc.JoinChannel(
+		ctx, sid, "alice", "#general",
+	)
+	if err != nil {
+		t.Fatalf("JoinChannel: %v", err)
+	}
+
+	err = env.svc.PartChannel(
+		ctx, sid, "alice", "#general", "bye",
+	)
+	if err != nil {
+		t.Fatalf("PartChannel: %v", err)
+	}
+
+	// Parting a non-existent channel returns error.
+	err = env.svc.PartChannel(
+		ctx, sid, "alice", "#nonexistent", "",
+	)
+	if err == nil {
+		t.Error("expected error for non-existent channel")
+	}
+
+	var ircErr *service.IRCError
+	if !errors.As(err, &ircErr) {
+		t.Errorf("expected IRCError, got %T", err)
+	}
+}
+
+func TestSendChannelMessage(t *testing.T) {
+	env := newTestEnv(t)
+	ctx := t.Context()
+
+	sid1 := createSession(ctx, t, env.db, "alice")
+	sid2 := createSession(ctx, t, env.db, "bob")
+
+	_, err := env.svc.JoinChannel(
+		ctx, sid1, "alice", "#chat",
+	)
+	if err != nil {
+		t.Fatalf("join alice: %v", err)
+	}
+
+	_, err = env.svc.JoinChannel(
+		ctx, sid2, "bob", "#chat",
+	)
+	if err != nil {
+		t.Fatalf("join bob: %v", err)
+	}
+
+	body, _ := json.Marshal([]string{"hello world"}) //nolint:errchkjson
+
+	dbID, uuid, err := env.svc.SendChannelMessage(
+		ctx, sid1, "alice",
+		irc.CmdPrivmsg, "#chat", body, nil,
+	)
+	if err != nil {
+		t.Fatalf("SendChannelMessage: %v", err)
+	}
+
+	if dbID == 0 {
+		t.Error("expected non-zero dbID")
+	}
+
+	if uuid == "" {
+		t.Error("expected non-empty UUID")
+	}
+
+	// Non-member cannot send.
+	sid3 := createSession(ctx, t, env.db, "charlie")
+
+	_, _, err = env.svc.SendChannelMessage(
+		ctx, sid3, "charlie",
+		irc.CmdPrivmsg, "#chat", body, nil,
+	)
+	if err == nil {
+		t.Error("expected error for non-member send")
+	}
+}
+
+func TestBroadcastQuit(t *testing.T) {
+	env := newTestEnv(t)
+	ctx := t.Context()
+
+	sid1 := createSession(ctx, t, env.db, "alice")
+	sid2 := createSession(ctx, t, env.db, "bob")
+
+	_, err := env.svc.JoinChannel(
+		ctx, sid1, "alice", "#room",
+	)
+	if err != nil {
+		t.Fatalf("join alice: %v", err)
+	}
+
+	_, err = env.svc.JoinChannel(
+		ctx, sid2, "bob", "#room",
+	)
+	if err != nil {
+		t.Fatalf("join bob: %v", err)
+	}
+
+	// BroadcastQuit should not panic and should clean up.
+	env.svc.BroadcastQuit(
+		ctx, sid1, "alice", "Goodbye",
+	)
+
+	// Session should be deleted.
+	_, lookupErr := env.db.GetSessionByNick(ctx, "alice")
+	if lookupErr == nil {
+		t.Error("expected session to be deleted after quit")
+	}
+}
+
+func TestSendChannelMessage_Moderated(t *testing.T) {
+	env := newTestEnv(t)
+	ctx := t.Context()
+
+	sid1 := createSession(ctx, t, env.db, "alice")
+	sid2 := createSession(ctx, t, env.db, "bob")
+
+	result, err := env.svc.JoinChannel(
+		ctx, sid1, "alice", "#modchat",
+	)
+	if err != nil {
+		t.Fatalf("join alice: %v", err)
+	}
+
+	_, err = env.svc.JoinChannel(
+		ctx, sid2, "bob", "#modchat",
+	)
+	if err != nil {
+		t.Fatalf("join bob: %v", err)
+	}
+
+	// Set channel to moderated.
+	chID := result.ChannelID
+	_ = env.svc.SetChannelFlag(ctx, chID, 'm', true)
+
+	body, _ := json.Marshal([]string{"test"}) //nolint:errchkjson
+
+	// Bob (non-op, non-voiced) should fail to send.
+	_, _, err = env.svc.SendChannelMessage(
+		ctx, sid2, "bob",
+		irc.CmdPrivmsg, "#modchat", body, nil,
+	)
+	if err == nil {
+		t.Error("expected error for non-voiced user in moderated channel")
+	}
+
+	// Alice (operator) should succeed.
+	_, _, err = env.svc.SendChannelMessage(
+		ctx, sid1, "alice",
+		irc.CmdPrivmsg, "#modchat", body, nil,
+	)
+	if err != nil {
+		t.Errorf("operator should be able to send in moderated channel: %v", err)
+	}
+}

internal/stats/stats.go

@@ -0,0 +1,52 @@
+// Package stats tracks runtime statistics since server boot.
+package stats
+
+import (
+	"sync/atomic"
+)
+
+// Tracker holds atomic counters for runtime statistics
+// that accumulate since the server started.
+type Tracker struct {
+	connectionsSinceBoot atomic.Int64
+	sessionsSinceBoot    atomic.Int64
+	messagesSinceBoot    atomic.Int64
+}
+
+// New creates a new Tracker with all counters at zero.
+func New() *Tracker {
+	return &Tracker{} //nolint:exhaustruct // atomic fields have zero-value defaults
+}
+
+// IncrConnections increments the total connection count.
+func (t *Tracker) IncrConnections() {
+	t.connectionsSinceBoot.Add(1)
+}
+
+// IncrSessions increments the total session count.
+func (t *Tracker) IncrSessions() {
+	t.sessionsSinceBoot.Add(1)
+}
+
+// IncrMessages increments the total PRIVMSG/NOTICE count.
+func (t *Tracker) IncrMessages() {
+	t.messagesSinceBoot.Add(1)
+}
+
+// ConnectionsSinceBoot returns the total number of
+// client connections since boot.
+func (t *Tracker) ConnectionsSinceBoot() int64 {
+	return t.connectionsSinceBoot.Load()
+}
+
+// SessionsSinceBoot returns the total number of sessions
+// created since boot.
+func (t *Tracker) SessionsSinceBoot() int64 {
+	return t.sessionsSinceBoot.Load()
+}
+
+// MessagesSinceBoot returns the total number of
+// PRIVMSG/NOTICE messages sent since boot.
+func (t *Tracker) MessagesSinceBoot() int64 {
+	return t.messagesSinceBoot.Load()
+}

internal/stats/stats_test.go

@@ -0,0 +1,117 @@
+package stats_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/stats"
+)
+
+func TestNew(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+	if tracker == nil {
+		t.Fatal("expected non-nil tracker")
+	}
+
+	if tracker.ConnectionsSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 connections, got %d",
+			tracker.ConnectionsSinceBoot(),
+		)
+	}
+
+	if tracker.SessionsSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 sessions, got %d",
+			tracker.SessionsSinceBoot(),
+		)
+	}
+
+	if tracker.MessagesSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 messages, got %d",
+			tracker.MessagesSinceBoot(),
+		)
+	}
+}
+
+func TestIncrConnections(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrConnections()
+	tracker.IncrConnections()
+	tracker.IncrConnections()
+
+	got := tracker.ConnectionsSinceBoot()
+	if got != 3 {
+		t.Errorf(
+			"expected 3 connections, got %d", got,
+		)
+	}
+}
+
+func TestIncrSessions(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrSessions()
+	tracker.IncrSessions()
+
+	got := tracker.SessionsSinceBoot()
+	if got != 2 {
+		t.Errorf(
+			"expected 2 sessions, got %d", got,
+		)
+	}
+}
+
+func TestIncrMessages(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrMessages()
+
+	got := tracker.MessagesSinceBoot()
+	if got != 1 {
+		t.Errorf(
+			"expected 1 message, got %d", got,
+		)
+	}
+}
+
+func TestCountersAreIndependent(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrConnections()
+	tracker.IncrSessions()
+	tracker.IncrMessages()
+	tracker.IncrMessages()
+
+	if tracker.ConnectionsSinceBoot() != 1 {
+		t.Errorf(
+			"expected 1 connection, got %d",
+			tracker.ConnectionsSinceBoot(),
+		)
+	}
+
+	if tracker.SessionsSinceBoot() != 1 {
+		t.Errorf(
+			"expected 1 session, got %d",
+			tracker.SessionsSinceBoot(),
+		)
+	}
+
+	if tracker.MessagesSinceBoot() != 2 {
+		t.Errorf(
+			"expected 2 messages, got %d",
+			tracker.MessagesSinceBoot(),
+		)
+	}
+}

pkg/irc/commands.go

@@ -0,0 +1,27 @@
+package irc
+
+// IRC command names (RFC 1459 / RFC 2812).
+const (
+	CmdAway    = "AWAY"
+	CmdInvite  = "INVITE"
+	CmdJoin    = "JOIN"
+	CmdKick    = "KICK"
+	CmdList    = "LIST"
+	CmdLusers  = "LUSERS"
+	CmdMode    = "MODE"
+	CmdMotd    = "MOTD"
+	CmdNames   = "NAMES"
+	CmdNick    = "NICK"
+	CmdNotice  = "NOTICE"
+	CmdOper    = "OPER"
+	CmdPass    = "PASS"
+	CmdPart    = "PART"
+	CmdPing    = "PING"
+	CmdPong    = "PONG"
+	CmdPrivmsg = "PRIVMSG"
+	CmdQuit    = "QUIT"
+	CmdTopic   = "TOPIC"
+	CmdUser    = "USER"
+	CmdWho     = "WHO"
+	CmdWhois   = "WHOIS"
+)

pkg/irc/numerics.go

@@ -0,0 +1,393 @@
+// Package irc provides constants and utilities for the
+// IRC protocol, including numeric reply codes from
+// RFC 1459 and RFC 2812, and standard command names.
+package irc
+
+import (
+	"errors"
+	"fmt"
+)
+
+// IRCMessageType represents an IRC numeric reply or error code.
+type IRCMessageType int //nolint:revive // Name requested by project owner.
+
+// Name returns the standard IRC name for this numeric code
+// (e.g., IRCMessageType(252).Name() returns "RPL_LUSEROP").
+// Returns an empty string if the code is unknown.
+func (t IRCMessageType) Name() string {
+	return names[t]
+}
+
+// String returns the name and numeric code in angle brackets
+// (e.g., IRCMessageType(252).String() returns "RPL_LUSEROP <252>").
+// If the code is unknown, returns "UNKNOWN <NNN>".
+func (t IRCMessageType) String() string {
+	n := names[t]
+	if n == "" {
+		n = "UNKNOWN"
+	}
+
+	return fmt.Sprintf("%s <%03d>", n, int(t))
+}
+
+// Code returns the three-digit zero-padded string representation
+// of the numeric code (e.g., IRCMessageType(252).Code() returns "252").
+func (t IRCMessageType) Code() string {
+	return fmt.Sprintf("%03d", int(t))
+}
+
+// Int returns the bare integer value of the numeric code.
+func (t IRCMessageType) Int() int {
+	return int(t)
+}
+
+// ErrUnknownNumeric is returned by FromInt when the numeric code is not recognized.
+var ErrUnknownNumeric = errors.New("unknown IRC numeric code")
+
+// FromInt converts an integer to an IRCMessageType, returning an error
+// if the numeric code is not a known IRC reply or error code.
+func FromInt(n int) (IRCMessageType, error) {
+	t := IRCMessageType(n)
+	if _, ok := names[t]; !ok {
+		return 0, fmt.Errorf("%w: %d", ErrUnknownNumeric, n)
+	}
+
+	return t, nil
+}
+
+// Connection registration replies (001-005).
+const (
+	RplWelcome  IRCMessageType = 1
+	RplYourHost IRCMessageType = 2
+	RplCreated  IRCMessageType = 3
+	RplMyInfo   IRCMessageType = 4
+	RplBounce   IRCMessageType = 5 // RFC 2812; also known as RPL_ISUPPORT in practice
+	RplIsupport IRCMessageType = 5 // De-facto standard (same numeric as RplBounce)
+)
+
+// Command responses (200-399).
+const (
+	// RFC 2812 trace/stats/links replies (200-219).
+	RplTraceLink       IRCMessageType = 200
+	RplTraceConnecting IRCMessageType = 201
+	RplTraceHandshake  IRCMessageType = 202
+	RplTraceUnknown    IRCMessageType = 203
+	RplTraceOperator   IRCMessageType = 204
+	RplTraceUser       IRCMessageType = 205
+	RplTraceServer     IRCMessageType = 206
+	RplTraceService    IRCMessageType = 207
+	RplTraceNewType    IRCMessageType = 208
+	RplTraceClass      IRCMessageType = 209
+	RplStatsLinkInfo   IRCMessageType = 211
+	RplStatsCommands   IRCMessageType = 212
+	RplStatsCLine      IRCMessageType = 213
+	RplStatsNLine      IRCMessageType = 214
+	RplStatsILine      IRCMessageType = 215
+	RplStatsKLine      IRCMessageType = 216
+	RplStatsQLine      IRCMessageType = 217
+	RplStatsYLine      IRCMessageType = 218
+	RplEndOfStats      IRCMessageType = 219
+
+	RplUmodeIs      IRCMessageType = 221
+	RplServList     IRCMessageType = 234
+	RplServListEnd  IRCMessageType = 235
+	RplStatsLLine   IRCMessageType = 241
+	RplStatsUptime  IRCMessageType = 242
+	RplStatsOLine   IRCMessageType = 243
+	RplStatsHLine   IRCMessageType = 244
+	RplLuserClient  IRCMessageType = 251
+	RplLuserOp      IRCMessageType = 252
+	RplLuserUnknown IRCMessageType = 253
+
+	RplLuserChannels IRCMessageType = 254
+	RplLuserMe       IRCMessageType = 255
+	RplAdminMe       IRCMessageType = 256
+	RplAdminLoc1     IRCMessageType = 257
+	RplAdminLoc2     IRCMessageType = 258
+	RplAdminEmail    IRCMessageType = 259
+	RplTraceLog      IRCMessageType = 261
+	RplTraceEnd      IRCMessageType = 262
+	RplTryAgain      IRCMessageType = 263
+
+	RplAway          IRCMessageType = 301
+	RplUserHost      IRCMessageType = 302
+	RplIson          IRCMessageType = 303
+	RplUnaway        IRCMessageType = 305
+	RplNowAway       IRCMessageType = 306
+	RplWhoisUser     IRCMessageType = 311
+	RplWhoisServer   IRCMessageType = 312
+	RplWhoisOperator IRCMessageType = 313
+	RplWhoWasUser    IRCMessageType = 314
+	RplEndOfWho      IRCMessageType = 315
+	RplWhoisIdle     IRCMessageType = 317
+	RplEndOfWhois    IRCMessageType = 318
+	RplWhoisChannels IRCMessageType = 319
+	RplListStart     IRCMessageType = 321
+	RplList          IRCMessageType = 322
+	RplListEnd       IRCMessageType = 323
+	RplChannelModeIs IRCMessageType = 324
+
+	RplUniqOpIs        IRCMessageType = 325
+	RplCreationTime    IRCMessageType = 329
+	RplNoTopic         IRCMessageType = 331
+	RplTopic           IRCMessageType = 332
+	RplTopicWhoTime    IRCMessageType = 333
+	RplWhoisActually   IRCMessageType = 338
+	RplInviting        IRCMessageType = 341
+	RplSummoning       IRCMessageType = 342
+	RplInviteList      IRCMessageType = 346
+	RplEndOfInviteList IRCMessageType = 347
+	RplExceptList      IRCMessageType = 348
+	RplEndOfExceptList IRCMessageType = 349
+	RplVersion         IRCMessageType = 351
+	RplWhoReply        IRCMessageType = 352
+	RplNamReply        IRCMessageType = 353
+	RplLinks           IRCMessageType = 364
+	RplEndOfLinks      IRCMessageType = 365
+	RplEndOfNames      IRCMessageType = 366
+	RplBanList         IRCMessageType = 367
+	RplEndOfBanList    IRCMessageType = 368
+	RplEndOfWhowas     IRCMessageType = 369
+	RplInfo            IRCMessageType = 371
+	RplMotd            IRCMessageType = 372
+	RplEndOfInfo       IRCMessageType = 374
+	RplMotdStart       IRCMessageType = 375
+	RplEndOfMotd       IRCMessageType = 376
+	RplYoureOper       IRCMessageType = 381
+	RplRehashing       IRCMessageType = 382
+	RplYoureService    IRCMessageType = 383
+	RplTime            IRCMessageType = 391
+	RplUsersStart      IRCMessageType = 392
+	RplUsers           IRCMessageType = 393
+	RplEndOfUsers      IRCMessageType = 394
+	RplNoUsers         IRCMessageType = 395
+)
+
+// Error replies (400-599).
+const (
+	ErrNoSuchNick       IRCMessageType = 401
+	ErrNoSuchServer     IRCMessageType = 402
+	ErrNoSuchChannel    IRCMessageType = 403
+	ErrCannotSendToChan IRCMessageType = 404
+	ErrTooManyChannels  IRCMessageType = 405
+	ErrWasNoSuchNick    IRCMessageType = 406
+	ErrTooManyTargets   IRCMessageType = 407
+	ErrNoSuchService    IRCMessageType = 408
+	ErrNoOrigin         IRCMessageType = 409
+	ErrNoRecipient      IRCMessageType = 411
+	ErrNoTextToSend     IRCMessageType = 412
+	ErrNoTopLevel       IRCMessageType = 413
+	ErrWildTopLevel     IRCMessageType = 414
+	ErrBadMask          IRCMessageType = 415
+	ErrUnknownCommand   IRCMessageType = 421
+	ErrNoMotd           IRCMessageType = 422
+	ErrNoAdminInfo      IRCMessageType = 423
+	ErrFileError        IRCMessageType = 424
+	ErrNoNicknameGiven  IRCMessageType = 431
+	ErrErroneusNickname IRCMessageType = 432
+	ErrNicknameInUse    IRCMessageType = 433
+	ErrNickCollision    IRCMessageType = 436
+	ErrUnavailResource  IRCMessageType = 437
+
+	ErrUserNotInChannel  IRCMessageType = 441
+	ErrNotOnChannel      IRCMessageType = 442
+	ErrUserOnChannel     IRCMessageType = 443
+	ErrNoLogin           IRCMessageType = 444
+	ErrSummonDisabled    IRCMessageType = 445
+	ErrUsersDisabled     IRCMessageType = 446
+	ErrNotRegistered     IRCMessageType = 451
+	ErrNeedMoreParams    IRCMessageType = 461
+	ErrAlreadyRegistered IRCMessageType = 462
+	ErrNoPermForHost     IRCMessageType = 463
+	ErrPasswdMismatch    IRCMessageType = 464
+	ErrYoureBannedCreep  IRCMessageType = 465
+	ErrYouWillBeBanned   IRCMessageType = 466
+	ErrKeySet            IRCMessageType = 467
+	ErrChannelIsFull     IRCMessageType = 471
+	ErrUnknownMode       IRCMessageType = 472
+	ErrInviteOnlyChan    IRCMessageType = 473
+	ErrBannedFromChan    IRCMessageType = 474
+	ErrBadChannelKey     IRCMessageType = 475
+	ErrBadChanMask       IRCMessageType = 476
+	ErrNoChanModes       IRCMessageType = 477
+	ErrBanListFull       IRCMessageType = 478
+	ErrNoPrivileges      IRCMessageType = 481
+	ErrChanOpPrivsNeeded IRCMessageType = 482
+	ErrCantKillServer    IRCMessageType = 483
+	ErrRestricted        IRCMessageType = 484
+	ErrUniqOpPrivsNeeded IRCMessageType = 485
+	ErrNoOperHost        IRCMessageType = 491
+
+	ErrUmodeUnknownFlag IRCMessageType = 501
+	ErrUsersDoNotMatch  IRCMessageType = 502
+)
+
+// names maps numeric codes to their standard IRC names.
+//
+//nolint:gochecknoglobals
+var names = map[IRCMessageType]string{
+	RplWelcome:  "RPL_WELCOME",
+	RplYourHost: "RPL_YOURHOST",
+	RplCreated:  "RPL_CREATED",
+	RplMyInfo:   "RPL_MYINFO",
+	RplBounce:   "RPL_BOUNCE",
+
+	RplTraceLink:       "RPL_TRACELINK",
+	RplTraceConnecting: "RPL_TRACECONNECTING",
+	RplTraceHandshake:  "RPL_TRACEHANDSHAKE",
+	RplTraceUnknown:    "RPL_TRACEUNKNOWN",
+	RplTraceOperator:   "RPL_TRACEOPERATOR",
+	RplTraceUser:       "RPL_TRACEUSER",
+	RplTraceServer:     "RPL_TRACESERVER",
+	RplTraceService:    "RPL_TRACESERVICE",
+	RplTraceNewType:    "RPL_TRACENEWTYPE",
+	RplTraceClass:      "RPL_TRACECLASS",
+	RplStatsLinkInfo:   "RPL_STATSLINKINFO",
+	RplStatsCommands:   "RPL_STATSCOMMANDS",
+	RplStatsCLine:      "RPL_STATSCLINE",
+	RplStatsNLine:      "RPL_STATSNLINE",
+	RplStatsILine:      "RPL_STATSILINE",
+	RplStatsKLine:      "RPL_STATSKLINE",
+	RplStatsQLine:      "RPL_STATSQLINE",
+	RplStatsYLine:      "RPL_STATSYLINE",
+	RplEndOfStats:      "RPL_ENDOFSTATS",
+
+	RplUmodeIs:      "RPL_UMODEIS",
+	RplServList:     "RPL_SERVLIST",
+	RplServListEnd:  "RPL_SERVLISTEND",
+	RplStatsLLine:   "RPL_STATSLLINE",
+	RplStatsUptime:  "RPL_STATSUPTIME",
+	RplStatsOLine:   "RPL_STATSOLINE",
+	RplStatsHLine:   "RPL_STATSHLINE",
+	RplLuserClient:  "RPL_LUSERCLIENT",
+	RplLuserOp:      "RPL_LUSEROP",
+	RplLuserUnknown: "RPL_LUSERUNKNOWN",
+
+	RplLuserChannels: "RPL_LUSERCHANNELS",
+	RplLuserMe:       "RPL_LUSERME",
+	RplAdminMe:       "RPL_ADMINME",
+	RplAdminLoc1:     "RPL_ADMINLOC1",
+	RplAdminLoc2:     "RPL_ADMINLOC2",
+	RplAdminEmail:    "RPL_ADMINEMAIL",
+	RplTraceLog:      "RPL_TRACELOG",
+	RplTraceEnd:      "RPL_TRACEEND",
+	RplTryAgain:      "RPL_TRYAGAIN",
+
+	RplAway:          "RPL_AWAY",
+	RplUserHost:      "RPL_USERHOST",
+	RplIson:          "RPL_ISON",
+	RplUnaway:        "RPL_UNAWAY",
+	RplNowAway:       "RPL_NOWAWAY",
+	RplWhoisUser:     "RPL_WHOISUSER",
+	RplWhoisServer:   "RPL_WHOISSERVER",
+	RplWhoisOperator: "RPL_WHOISOPERATOR",
+	RplWhoWasUser:    "RPL_WHOWASUSER",
+	RplEndOfWho:      "RPL_ENDOFWHO",
+	RplWhoisIdle:     "RPL_WHOISIDLE",
+	RplEndOfWhois:    "RPL_ENDOFWHOIS",
+	RplWhoisChannels: "RPL_WHOISCHANNELS",
+	RplListStart:     "RPL_LISTSTART",
+	RplList:          "RPL_LIST",
+	RplListEnd:       "RPL_LISTEND", //nolint:misspell
+	RplChannelModeIs: "RPL_CHANNELMODEIS",
+
+	RplUniqOpIs:        "RPL_UNIQOPIS",
+	RplCreationTime:    "RPL_CREATIONTIME",
+	RplNoTopic:         "RPL_NOTOPIC",
+	RplTopic:           "RPL_TOPIC",
+	RplTopicWhoTime:    "RPL_TOPICWHOTIME",
+	RplWhoisActually:   "RPL_WHOISACTUALLY",
+	RplInviting:        "RPL_INVITING",
+	RplSummoning:       "RPL_SUMMONING",
+	RplInviteList:      "RPL_INVITELIST",
+	RplEndOfInviteList: "RPL_ENDOFINVITELIST",
+	RplExceptList:      "RPL_EXCEPTLIST",
+	RplEndOfExceptList: "RPL_ENDOFEXCEPTLIST",
+	RplVersion:         "RPL_VERSION",
+	RplWhoReply:        "RPL_WHOREPLY",
+	RplNamReply:        "RPL_NAMREPLY",
+	RplLinks:           "RPL_LINKS",
+	RplEndOfLinks:      "RPL_ENDOFLINKS",
+	RplEndOfNames:      "RPL_ENDOFNAMES",
+	RplBanList:         "RPL_BANLIST",
+	RplEndOfBanList:    "RPL_ENDOFBANLIST",
+	RplEndOfWhowas:     "RPL_ENDOFWHOWAS",
+	RplInfo:            "RPL_INFO",
+	RplMotd:            "RPL_MOTD",
+	RplEndOfInfo:       "RPL_ENDOFINFO",
+	RplMotdStart:       "RPL_MOTDSTART",
+	RplEndOfMotd:       "RPL_ENDOFMOTD",
+	RplYoureOper:       "RPL_YOUREOPER",
+	RplRehashing:       "RPL_REHASHING",
+	RplYoureService:    "RPL_YOURESERVICE",
+	RplTime:            "RPL_TIME",
+	RplUsersStart:      "RPL_USERSSTART",
+	RplUsers:           "RPL_USERS",
+	RplEndOfUsers:      "RPL_ENDOFUSERS",
+	RplNoUsers:         "RPL_NOUSERS",
+
+	ErrNoSuchNick:       "ERR_NOSUCHNICK",
+	ErrNoSuchServer:     "ERR_NOSUCHSERVER",
+	ErrNoSuchChannel:    "ERR_NOSUCHCHANNEL",
+	ErrCannotSendToChan: "ERR_CANNOTSENDTOCHAN",
+	ErrTooManyChannels:  "ERR_TOOMANYCHANNELS",
+	ErrWasNoSuchNick:    "ERR_WASNOSUCHNICK",
+	ErrTooManyTargets:   "ERR_TOOMANYTARGETS",
+	ErrNoSuchService:    "ERR_NOSUCHSERVICE",
+	ErrNoOrigin:         "ERR_NOORIGIN",
+	ErrNoRecipient:      "ERR_NORECIPIENT",
+	ErrNoTextToSend:     "ERR_NOTEXTTOSEND",
+	ErrNoTopLevel:       "ERR_NOTOPLEVEL",
+	ErrWildTopLevel:     "ERR_WILDTOPLEVEL",
+	ErrBadMask:          "ERR_BADMASK",
+	ErrUnknownCommand:   "ERR_UNKNOWNCOMMAND",
+	ErrNoMotd:           "ERR_NOMOTD",
+	ErrNoAdminInfo:      "ERR_NOADMININFO",
+	ErrFileError:        "ERR_FILEERROR",
+	ErrNoNicknameGiven:  "ERR_NONICKNAMEGIVEN",
+	ErrErroneusNickname: "ERR_ERRONEUSNICKNAME",
+	ErrNicknameInUse:    "ERR_NICKNAMEINUSE",
+	ErrNickCollision:    "ERR_NICKCOLLISION",
+	ErrUnavailResource:  "ERR_UNAVAILRESOURCE",
+
+	ErrUserNotInChannel:  "ERR_USERNOTINCHANNEL",
+	ErrNotOnChannel:      "ERR_NOTONCHANNEL",
+	ErrUserOnChannel:     "ERR_USERONCHANNEL",
+	ErrNoLogin:           "ERR_NOLOGIN",
+	ErrSummonDisabled:    "ERR_SUMMONDISABLED",
+	ErrUsersDisabled:     "ERR_USERSDISABLED",
+	ErrNotRegistered:     "ERR_NOTREGISTERED",
+	ErrNeedMoreParams:    "ERR_NEEDMOREPARAMS",
+	ErrAlreadyRegistered: "ERR_ALREADYREGISTERED",
+	ErrNoPermForHost:     "ERR_NOPERMFORHOST",
+	ErrPasswdMismatch:    "ERR_PASSWDMISMATCH",
+	ErrYoureBannedCreep:  "ERR_YOUREBANNEDCREEP",
+	ErrYouWillBeBanned:   "ERR_YOUWILLBEBANNED",
+	ErrKeySet:            "ERR_KEYSET",
+	ErrChannelIsFull:     "ERR_CHANNELISFULL",
+	ErrUnknownMode:       "ERR_UNKNOWNMODE",
+	ErrInviteOnlyChan:    "ERR_INVITEONLYCHAN",
+	ErrBannedFromChan:    "ERR_BANNEDFROMCHAN",
+	ErrBadChannelKey:     "ERR_BADCHANNELKEY",
+	ErrBadChanMask:       "ERR_BADCHANMASK",
+	ErrNoChanModes:       "ERR_NOCHANMODES",
+	ErrBanListFull:       "ERR_BANLISTFULL",
+	ErrNoPrivileges:      "ERR_NOPRIVILEGES",
+	ErrChanOpPrivsNeeded: "ERR_CHANOPRIVSNEEDED",
+	ErrCantKillServer:    "ERR_CANTKILLSERVER",
+	ErrRestricted:        "ERR_RESTRICTED",
+	ErrUniqOpPrivsNeeded: "ERR_UNIQOPPRIVSNEEDED",
+	ErrNoOperHost:        "ERR_NOOPERHOST",
+
+	ErrUmodeUnknownFlag: "ERR_UMODEUNKNOWNFLAG",
+	ErrUsersDoNotMatch:  "ERR_USERSDONTMATCH",
+}
+
+// Name returns the standard IRC name for a numeric code
+// (e.g., Name(2) returns "RPL_YOURHOST"). Returns an
+// empty string if the code is unknown.
+//
+// Deprecated: Use IRCMessageType.Name() instead.
+func Name(code IRCMessageType) string {
+	return names[code]
+}

pkg/irc/numerics_test.go

@@ -0,0 +1,163 @@
+package irc_test
+
+import (
+	"errors"
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
+)
+
+func TestName(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    string
+	}{
+		{irc.RplWelcome, "RPL_WELCOME"},
+		{irc.RplBounce, "RPL_BOUNCE"},
+		{irc.RplLuserOp, "RPL_LUSEROP"},
+		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN"},
+		{irc.ErrNicknameInUse, "ERR_NICKNAMEINUSE"},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.Name(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).Name() = %q, want %q", tc.numeric.Int(), got, tc.want)
+		}
+	}
+}
+
+func TestString(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    string
+	}{
+		{irc.RplWelcome, "RPL_WELCOME <001>"},
+		{irc.RplBounce, "RPL_BOUNCE <005>"},
+		{irc.RplLuserOp, "RPL_LUSEROP <252>"},
+		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN <404>"},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.String(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).String() = %q, want %q", tc.numeric.Int(), got, tc.want)
+		}
+	}
+}
+
+func TestCode(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    string
+	}{
+		{irc.RplWelcome, "001"},
+		{irc.RplBounce, "005"},
+		{irc.RplLuserOp, "252"},
+		{irc.ErrCannotSendToChan, "404"},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.Code(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).Code() = %q, want %q", tc.numeric.Int(), got, tc.want)
+		}
+	}
+}
+
+func TestInt(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    int
+	}{
+		{irc.RplWelcome, 1},
+		{irc.RplBounce, 5},
+		{irc.RplLuserOp, 252},
+		{irc.ErrCannotSendToChan, 404},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.Int(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).Int() = %d, want %d", tc.want, got, tc.want)
+		}
+	}
+}
+
+func TestFromInt_Known(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		code int
+		want irc.IRCMessageType
+	}{
+		{1, irc.RplWelcome},
+		{5, irc.RplBounce},
+		{252, irc.RplLuserOp},
+		{404, irc.ErrCannotSendToChan},
+		{433, irc.ErrNicknameInUse},
+	}
+
+	for _, test := range tests {
+		got, err := irc.FromInt(test.code)
+		if err != nil {
+			t.Errorf("FromInt(%d) returned unexpected error: %v", test.code, err)
+
+			continue
+		}
+
+		if got != test.want {
+			t.Errorf("FromInt(%d) = %v, want %v", test.code, got, test.want)
+		}
+	}
+}
+
+func TestFromInt_Unknown(t *testing.T) {
+	t.Parallel()
+
+	unknowns := []int{0, 999, 600, -1}
+	for _, code := range unknowns {
+		_, err := irc.FromInt(code)
+		if err == nil {
+			t.Errorf("FromInt(%d) expected error, got nil", code)
+
+			continue
+		}
+
+		if !errors.Is(err, irc.ErrUnknownNumeric) {
+			t.Errorf("FromInt(%d) error = %v, want ErrUnknownNumeric", code, err)
+		}
+	}
+}
+
+func TestUnknownNumeric_Name(t *testing.T) {
+	t.Parallel()
+
+	unknown := irc.IRCMessageType(999)
+	if got := unknown.Name(); got != "" {
+		t.Errorf("IRCMessageType(999).Name() = %q, want empty string", got)
+	}
+}
+
+func TestUnknownNumeric_String(t *testing.T) {
+	t.Parallel()
+
+	unknown := irc.IRCMessageType(999)
+	want := "UNKNOWN <999>"
+
+	if got := unknown.String(); got != want {
+		t.Errorf("IRCMessageType(999).String() = %q, want %q", got, want)
+	}
+}
+
+func TestDeprecatedNameFunc(t *testing.T) {
+	t.Parallel()
+
+	if got := irc.Name(irc.RplYourHost); got != "RPL_YOURHOST" {
+		t.Errorf("Name(RplYourHost) = %q, want %q", got, "RPL_YOURHOST")
+	}
+}

schema/README.md

@@ -1,6 +1,6 @@
 # Message Schemas
 
-JSON Schema definitions (draft 2020-12) for the chat protocol. Messages use
+JSON Schema definitions (draft 2020-12) for the neoirc protocol. Messages use
 **IRC command names and numeric reply codes** (RFC 1459/2812) encoded as JSON
 over HTTP.
 

schema/commands/JOIN.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/JOIN.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/JOIN.json",
   "title": "JOIN",
   "description": "Join a channel. C2S: request to join. S2C: notification that a user joined. RFC 1459 §4.2.1.",
   "$ref": "../message.json",

schema/commands/KICK.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/KICK.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/KICK.json",
   "title": "KICK",
   "description": "Kick a user from a channel. RFC 1459 §4.2.8.",
   "$ref": "../message.json",

schema/commands/MODE.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/MODE.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/MODE.json",
   "title": "MODE",
   "description": "Set or query channel/user modes. RFC 1459 §4.2.3.",
   "$ref": "../message.json",

schema/commands/NICK.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/NICK.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/NICK.json",
   "title": "NICK",
   "description": "Change nickname. C2S: request new nick. S2C: notification of nick change. RFC 1459 §4.1.2.",
   "$ref": "../message.json",

schema/commands/NOTICE.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/NOTICE.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/NOTICE.json",
   "title": "NOTICE",
   "description": "Send a notice. Like PRIVMSG but must not trigger automatic replies. RFC 1459 §4.4.2.",
   "$ref": "../message.json",

schema/commands/PART.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PART.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PART.json",
   "title": "PART",
   "description": "Leave a channel. C2S: request to leave. S2C: notification that a user left. RFC 1459 §4.2.2.",
   "$ref": "../message.json",

schema/commands/PING.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PING.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PING.json",
   "title": "PING",
   "description": "Keepalive. C2S or S2S. Server responds with PONG. RFC 1459 §4.6.2.",
   "$ref": "../message.json",

schema/commands/PONG.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PONG.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PONG.json",
   "title": "PONG",
   "description": "Keepalive response. S2C or S2S. RFC 1459 §4.6.3.",
   "$ref": "../message.json",

schema/commands/PRIVMSG.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PRIVMSG.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PRIVMSG.json",
   "title": "PRIVMSG",
   "description": "Send a message to a channel or user. C2S: client sends to server. S2C: server relays to recipients. RFC 1459 §4.4.1.",
   "$ref": "../message.json",

schema/commands/PUBKEY.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/PUBKEY.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/PUBKEY.json",
   "title": "PUBKEY",
   "description": "Announce or relay a user's public signing key. C2S: client announces key to channel or server. S2C: server relays to channel members. Protocol extension (not in RFC 1459). Body is a structured object (not an array) containing the key material.",
   "$ref": "../message.json",

schema/commands/QUIT.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/QUIT.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/QUIT.json",
   "title": "QUIT",
   "description": "User disconnected. S2C only. RFC 1459 §4.1.6.",
   "$ref": "../message.json",

schema/commands/TOPIC.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/commands/TOPIC.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/commands/TOPIC.json",
   "title": "TOPIC",
   "description": "Get or set channel topic. C2S: set topic (body present) or query (body absent). S2C: topic change notification. RFC 1459 §4.2.4.",
   "$ref": "../message.json",
@@ -17,6 +17,6 @@
   },
   "required": ["command", "to"],
   "examples": [
-    { "command": "TOPIC", "from": "alice", "to": "#general", "body": ["Welcome to the chat"] }
+    { "command": "TOPIC", "from": "alice", "to": "#general", "body": ["Welcome to the channel"] }
   ]
 }

schema/message.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/message.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/message.json",
   "title": "IRC Message Envelope",
   "description": "Base envelope for all messages. Mirrors IRC wire format (RFC 1459/2812) encoded as JSON over HTTP. The 'command' field carries either an IRC command name (PRIVMSG, JOIN, etc.) or a three-digit numeric reply code (001, 353, 433, etc.).",
   "type": "object",

schema/numerics/001.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/001.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/001.json",
   "title": "001 RPL_WELCOME",
   "description": "Welcome message sent after successful session creation. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/002.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/002.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/002.json",
   "title": "002 RPL_YOURHOST",
   "description": "Server host info sent after session creation. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",
@@ -29,7 +29,7 @@
       "command": "002",
       "to": "alice",
       "body": [
-        "Your host is chat.example.com, running version 0.1.0"
+        "Your host is neoirc.example.com, running version 0.1.0"
       ]
     }
   ]

schema/numerics/003.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/003.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/003.json",
   "title": "003 RPL_CREATED",
   "description": "Server creation date. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/004.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/004.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/004.json",
   "title": "004 RPL_MYINFO",
   "description": "Server info (name, version, available modes). RFC 2812 \u00a75.1.",
   "$ref": "../message.json",
@@ -29,7 +29,7 @@
       "command": "004",
       "to": "alice",
       "params": [
-        "chat.example.com",
+        "neoirc.example.com",
         "0.1.0",
         "o",
         "imnst+ov"

schema/numerics/322.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/322.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/322.json",
   "title": "322 RPL_LIST",
   "description": "Channel list entry. One per channel in response to LIST. RFC 1459 \u00a76.2.",
   "$ref": "../message.json",

schema/numerics/323.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/323.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/323.json",
   "title": "323 RPL_LISTEND",
   "description": "End of channel list. RFC 1459 \u00a76.2.",
   "$ref": "../message.json",

schema/numerics/332.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/332.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/332.json",
   "title": "332 RPL_TOPIC",
   "description": "Channel topic (sent on JOIN or TOPIC query). RFC 1459 \u00a76.2.",
   "$ref": "../message.json",
@@ -40,7 +40,7 @@
         "#general"
       ],
       "body": [
-        "Welcome to the chat"
+        "Welcome to the channel"
       ]
     }
   ]

schema/numerics/353.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/353.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/353.json",
   "title": "353 RPL_NAMREPLY",
   "description": "Channel member list. Sent on JOIN or NAMES query. RFC 1459 \u00a76.2.",
   "$ref": "../message.json",

schema/numerics/366.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/366.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/366.json",
   "title": "366 RPL_ENDOFNAMES",
   "description": "End of NAMES list. RFC 1459 \u00a76.2.",
   "$ref": "../message.json",

schema/numerics/372.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/372.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/372.json",
   "title": "372 RPL_MOTD",
   "description": "MOTD line. One message per line of the MOTD. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/375.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/375.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/375.json",
   "title": "375 RPL_MOTDSTART",
   "description": "Start of MOTD. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/376.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/376.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/376.json",
   "title": "376 RPL_ENDOFMOTD",
   "description": "End of MOTD. RFC 2812 \u00a75.1.",
   "$ref": "../message.json",

schema/numerics/401.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/401.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/401.json",
   "title": "401 ERR_NOSUCHNICK",
   "description": "No such nick/channel. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

schema/numerics/403.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/403.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/403.json",
   "title": "403 ERR_NOSUCHCHANNEL",
   "description": "No such channel. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

schema/numerics/433.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/433.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/433.json",
   "title": "433 ERR_NICKNAMEINUSE",
   "description": "Nickname is already in use. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

schema/numerics/442.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/442.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/442.json",
   "title": "442 ERR_NOTONCHANNEL",
   "description": "You're not on that channel. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

schema/numerics/482.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://git.eeqj.de/sneak/chat/schema/numerics/482.json",
+  "$id": "https://git.eeqj.de/sneak/neoirc/schema/numerics/482.json",
   "title": "482 ERR_CHANOPRIVSNEEDED",
   "description": "You're not channel operator. RFC 1459 \u00a76.1.",
   "$ref": "../message.json",

web/build.sh

@@ -16,19 +16,11 @@ fi
 
 mkdir -p dist
 
-# Build JS bundle
-${NPX:+$NPX} esbuild src/app.jsx \
-  --bundle \
-  --minify \
-  --jsx-factory=h \
-  --jsx-fragment=Fragment \
-  --define:process.env.NODE_ENV=\"production\" \
-  --external:preact \
-  --outfile=dist/app.js \
-  2>/dev/null || \
+# Build JS bundle — preact must be bundled (no CDN/external loader)
 ${NPX:+$NPX} esbuild src/app.jsx \
   --bundle \
   --minify \
+  --format=esm \
   --jsx-factory=h \
   --jsx-fragment=Fragment \
   --define:process.env.NODE_ENV=\"production\" \

web/dist/index.html

@@ -1,13 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Chat</title>
-  <link rel="stylesheet" href="/style.css">
-</head>
-<body>
-  <div id="root"></div>
-  <script src="/app.js"></script>
-</body>
-</html>

web/dist/style.css

@@ -1,317 +0,0 @@
-* { margin: 0; padding: 0; box-sizing: border-box; }
-
-:root {
-  --bg: #1a1a2e;
-  --bg-secondary: #16213e;
-  --bg-input: #0f3460;
-  --text: #e0e0e0;
-  --text-muted: #888;
-  --accent: #e94560;
-  --accent2: #0f3460;
-  --border: #2a2a4a;
-  --nick: #53a8b6;
-  --timestamp: #666;
-  --tab-active: #e94560;
-  --tab-bg: #16213e;
-  --tab-hover: #1a1a3e;
-  --topic-bg: #121a30;
-  --unread-bg: #e94560;
-  --warn: #f0ad4e;
-}
-
-html, body, #root {
-  height: 100%;
-  font-family: 'Courier New', Courier, monospace;
-  font-size: 14px;
-  background: var(--bg);
-  color: var(--text);
-}
-
-/* Login screen */
-.login-screen {
-  display: flex;
-  flex-direction: column;
-  align-items: center;
-  justify-content: center;
-  height: 100%;
-  gap: 16px;
-}
-
-.login-screen h1 {
-  color: var(--accent);
-  font-size: 2em;
-}
-
-.login-screen input {
-  padding: 10px 16px;
-  font-size: 16px;
-  font-family: inherit;
-  background: var(--bg-input);
-  border: 1px solid var(--border);
-  color: var(--text);
-  border-radius: 4px;
-  width: 280px;
-}
-
-.login-screen button {
-  padding: 10px 24px;
-  font-size: 16px;
-  font-family: inherit;
-  background: var(--accent);
-  border: none;
-  color: white;
-  border-radius: 4px;
-  cursor: pointer;
-}
-
-.login-screen .error {
-  color: var(--accent);
-}
-
-.login-screen .motd {
-  color: var(--text-muted);
-  max-width: 400px;
-  text-align: center;
-  white-space: pre-wrap;
-}
-
-/* Main layout */
-.app {
-  display: flex;
-  flex-direction: column;
-  height: 100%;
-}
-
-/* Tab bar */
-.tab-bar {
-  display: flex;
-  background: var(--bg-secondary);
-  border-bottom: 1px solid var(--border);
-  overflow-x: auto;
-  flex-shrink: 0;
-  align-items: center;
-}
-
-.tab {
-  padding: 8px 16px;
-  cursor: pointer;
-  border-bottom: 2px solid transparent;
-  white-space: nowrap;
-  color: var(--text-muted);
-  user-select: none;
-  position: relative;
-}
-
-.tab:hover {
-  background: var(--tab-hover);
-}
-
-.tab.active {
-  color: var(--text);
-  border-bottom-color: var(--tab-active);
-}
-
-.tab .close-btn {
-  margin-left: 8px;
-  color: var(--text-muted);
-  font-size: 12px;
-}
-
-.tab .close-btn:hover {
-  color: var(--accent);
-}
-
-.tab .unread-badge {
-  display: inline-block;
-  background: var(--unread-bg);
-  color: white;
-  font-size: 10px;
-  font-weight: bold;
-  padding: 1px 5px;
-  border-radius: 8px;
-  margin-left: 6px;
-  min-width: 16px;
-  text-align: center;
-}
-
-/* Connection status */
-.connection-status {
-  padding: 4px 12px;
-  background: var(--warn);
-  color: #1a1a2e;
-  font-size: 12px;
-  font-weight: bold;
-  white-space: nowrap;
-  flex-shrink: 0;
-}
-
-/* Topic bar */
-.topic-bar {
-  padding: 6px 12px;
-  background: var(--topic-bg);
-  border-bottom: 1px solid var(--border);
-  color: var(--text-muted);
-  font-size: 12px;
-  white-space: nowrap;
-  overflow: hidden;
-  text-overflow: ellipsis;
-  flex-shrink: 0;
-}
-
-/* Content area */
-.content {
-  display: flex;
-  flex: 1;
-  overflow: hidden;
-}
-
-/* Messages */
-.messages-pane {
-  flex: 1;
-  display: flex;
-  flex-direction: column;
-  overflow: hidden;
-}
-
-.messages {
-  flex: 1;
-  overflow-y: auto;
-  padding: 8px 12px;
-}
-
-.message {
-  padding: 2px 0;
-  line-height: 1.4;
-  word-wrap: break-word;
-}
-
-.message .timestamp {
-  color: var(--timestamp);
-  font-size: 12px;
-  margin-right: 8px;
-}
-
-.message .nick {
-  color: var(--nick);
-  font-weight: bold;
-  margin-right: 8px;
-}
-
-.message .nick::before { content: '<'; }
-.message .nick::after { content: '>'; }
-
-.message.system {
-  color: var(--text-muted);
-  font-style: italic;
-}
-
-.message.system .nick {
-  color: var(--text-muted);
-}
-
-.message.system .nick::before,
-.message.system .nick::after { content: ''; }
-
-/* Input */
-.input-bar {
-  display: flex;
-  border-top: 1px solid var(--border);
-  background: var(--bg-secondary);
-  flex-shrink: 0;
-}
-
-.input-bar input {
-  flex: 1;
-  padding: 10px 12px;
-  font-family: inherit;
-  font-size: 14px;
-  background: var(--bg-input);
-  border: none;
-  color: var(--text);
-  outline: none;
-}
-
-.input-bar button {
-  padding: 10px 16px;
-  font-family: inherit;
-  background: var(--accent);
-  border: none;
-  color: white;
-  cursor: pointer;
-}
-
-/* User list */
-.user-list {
-  width: 160px;
-  background: var(--bg-secondary);
-  border-left: 1px solid var(--border);
-  overflow-y: auto;
-  padding: 8px;
-  flex-shrink: 0;
-}
-
-.user-list h3 {
-  color: var(--text-muted);
-  font-size: 11px;
-  text-transform: uppercase;
-  margin-bottom: 8px;
-  letter-spacing: 1px;
-}
-
-.user-list .user {
-  padding: 3px 4px;
-  color: var(--nick);
-  font-size: 13px;
-  cursor: pointer;
-}
-
-.user-list .user:hover {
-  background: var(--tab-hover);
-}
-
-/* Server tab */
-.server-messages {
-  color: var(--text-muted);
-  padding: 12px;
-  white-space: pre-wrap;
-  overflow-y: auto;
-  flex: 1;
-}
-
-/* Channel join dialog */
-.join-dialog {
-  padding: 12px;
-  display: flex;
-  gap: 8px;
-  background: var(--bg-secondary);
-  border-bottom: 1px solid var(--border);
-  margin-left: auto;
-}
-
-.join-dialog input {
-  padding: 6px 10px;
-  font-family: inherit;
-  font-size: 13px;
-  background: var(--bg-input);
-  border: 1px solid var(--border);
-  color: var(--text);
-  border-radius: 3px;
-  width: 200px;
-}
-
-.join-dialog button {
-  padding: 6px 14px;
-  font-family: inherit;
-  font-size: 13px;
-  background: var(--accent2);
-  border: none;
-  color: var(--text);
-  border-radius: 3px;
-  cursor: pointer;
-}
-
-/* Responsive */
-@media (max-width: 600px) {
-  .user-list { display: none; }
-  .tab { padding: 6px 10px; font-size: 13px; }
-}

web/src/index.html

@@ -3,11 +3,11 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Chat</title>
+  <title>NeoIRC</title>
   <link rel="stylesheet" href="/style.css">
 </head>
 <body>
   <div id="root"></div>
-  <script src="/app.js"></script>
+  <script type="module" src="/app.js"></script>
 </body>
 </html>

web/src/style.css

@@ -1,317 +1,466 @@
-* { margin: 0; padding: 0; box-sizing: border-box; }
+* {
+  margin: 0;
+  padding: 0;
+  box-sizing: border-box;
+}
 
 :root {
-  --bg: #1a1a2e;
-  --bg-secondary: #16213e;
-  --bg-input: #0f3460;
-  --text: #e0e0e0;
-  --text-muted: #888;
-  --accent: #e94560;
-  --accent2: #0f3460;
-  --border: #2a2a4a;
-  --nick: #53a8b6;
-  --timestamp: #666;
-  --tab-active: #e94560;
-  --tab-bg: #16213e;
-  --tab-hover: #1a1a3e;
-  --topic-bg: #121a30;
-  --unread-bg: #e94560;
-  --warn: #f0ad4e;
+  --bg: #0a0e14;
+  --bg-panel: #0d1117;
+  --bg-input: #0d1117;
+  --bg-tab: #161b22;
+  --bg-tab-active: #0d1117;
+  --bg-topic: #0d1117;
+  --text: #c9d1d9;
+  --text-dim: #6e7681;
+  --text-bright: #e6edf3;
+  --accent: #58a6ff;
+  --accent-dim: #1f6feb;
+  --border: #21262d;
+  --system: #7d8590;
+  --action: #d2a8ff;
+  --warn: #d29922;
+  --error: #f85149;
+  --unread: #f0883e;
+  --nick-brackets: #6e7681;
+  --timestamp: #484f58;
+  --input-bg: #161b22;
+  --prompt: #3fb950;
+  --tab-indicator: #58a6ff;
+  --user-list-bg: #0d1117;
+  --user-list-header: #484f58;
 }
 
-html, body, #root {
+html,
+body,
+#root {
   height: 100%;
-  font-family: 'Courier New', Courier, monospace;
-  font-size: 14px;
+  font-family: "JetBrains Mono", "Cascadia Code", "Fira Code", "SF Mono",
+    "Consolas", "Liberation Mono", "Courier New", monospace;
+  font-size: 13px;
   background: var(--bg);
   color: var(--text);
+  overflow: hidden;
 }
 
-/* Login screen */
+/* ============================================
+   Login Screen
+   ============================================ */
+
 .login-screen {
   display: flex;
-  flex-direction: column;
   align-items: center;
   justify-content: center;
   height: 100%;
-  gap: 16px;
+  background: var(--bg);
 }
 
-.login-screen h1 {
-  color: var(--accent);
-  font-size: 2em;
-}
-
-.login-screen input {
-  padding: 10px 16px;
-  font-size: 16px;
-  font-family: inherit;
-  background: var(--bg-input);
-  border: 1px solid var(--border);
-  color: var(--text);
-  border-radius: 4px;
-  width: 280px;
-}
-
-.login-screen button {
-  padding: 10px 24px;
-  font-size: 16px;
-  font-family: inherit;
-  background: var(--accent);
-  border: none;
-  color: white;
-  border-radius: 4px;
-  cursor: pointer;
-}
-
-.login-screen .error {
-  color: var(--accent);
-}
-
-.login-screen .motd {
-  color: var(--text-muted);
-  max-width: 400px;
+.login-box {
   text-align: center;
-  white-space: pre-wrap;
+  max-width: 360px;
+  width: 100%;
+  padding: 32px;
 }
 
-/* Main layout */
-.app {
+.login-box h1 {
+  color: var(--accent);
+  font-size: 1.8em;
+  margin-bottom: 16px;
+  font-weight: 400;
+}
+
+.login-box .motd {
+  color: var(--accent);
+  font-size: 11px;
+  margin-bottom: 20px;
+  text-align: left;
+  white-space: pre;
+  font-family: inherit;
+  line-height: 1.2;
+  overflow-x: auto;
+}
+
+.login-box form {
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+  align-items: stretch;
+}
+
+.login-box label {
+  color: var(--text-dim);
+  text-align: left;
+  font-size: 12px;
+}
+
+.login-box input {
+  padding: 8px 12px;
+  font-family: inherit;
+  font-size: 14px;
+  background: var(--input-bg);
+  border: 1px solid var(--border);
+  color: var(--text-bright);
+  border-radius: 3px;
+  outline: none;
+}
+
+.login-box input:focus {
+  border-color: var(--accent-dim);
+}
+
+.login-box button {
+  padding: 8px 16px;
+  font-family: inherit;
+  font-size: 14px;
+  background: var(--accent-dim);
+  border: none;
+  color: var(--text-bright);
+  border-radius: 3px;
+  cursor: pointer;
+  margin-top: 4px;
+}
+
+.login-box button:hover {
+  background: var(--accent);
+}
+
+.login-box .error {
+  color: var(--error);
+  font-size: 12px;
+  margin-top: 8px;
+}
+
+/* ============================================
+   IRC App Layout
+   ============================================ */
+
+.irc-app {
   display: flex;
   flex-direction: column;
   height: 100%;
+  overflow: hidden;
 }
 
-/* Tab bar */
+/* ============================================
+   Tab Bar
+   ============================================ */
+
 .tab-bar {
   display: flex;
-  background: var(--bg-secondary);
+  background: var(--bg-tab);
   border-bottom: 1px solid var(--border);
-  overflow-x: auto;
   flex-shrink: 0;
-  align-items: center;
+  height: 32px;
+  align-items: stretch;
+}
+
+.tabs {
+  display: flex;
+  overflow-x: auto;
+  flex: 1;
+  scrollbar-width: none;
+}
+
+.tabs::-webkit-scrollbar {
+  display: none;
 }
 
 .tab {
-  padding: 8px 16px;
+  display: flex;
+  align-items: center;
+  padding: 0 12px;
   cursor: pointer;
-  border-bottom: 2px solid transparent;
+  color: var(--text-dim);
   white-space: nowrap;
-  color: var(--text-muted);
   user-select: none;
+  border-right: 1px solid var(--border);
+  font-size: 12px;
+  gap: 4px;
   position: relative;
 }
 
 .tab:hover {
-  background: var(--tab-hover);
+  color: var(--text);
+  background: rgba(255, 255, 255, 0.03);
 }
 
 .tab.active {
-  color: var(--text);
-  border-bottom-color: var(--tab-active);
+  color: var(--text-bright);
+  background: var(--bg-tab-active);
+  border-bottom: 2px solid var(--tab-indicator);
+  margin-bottom: -1px;
 }
 
-.tab .close-btn {
-  margin-left: 8px;
-  color: var(--text-muted);
-  font-size: 12px;
-}
-
-.tab .close-btn:hover {
-  color: var(--accent);
-}
-
-.tab .unread-badge {
-  display: inline-block;
-  background: var(--unread-bg);
-  color: white;
-  font-size: 10px;
+.tab.has-unread .tab-label {
+  color: var(--unread);
   font-weight: bold;
-  padding: 1px 5px;
-  border-radius: 8px;
-  margin-left: 6px;
-  min-width: 16px;
-  text-align: center;
 }
 
-/* Connection status */
-.connection-status {
-  padding: 4px 12px;
-  background: var(--warn);
-  color: #1a1a2e;
-  font-size: 12px;
+.tab .unread-count {
+  color: var(--unread);
+  font-size: 11px;
   font-weight: bold;
-  white-space: nowrap;
+}
+
+.tab-close {
+  color: var(--text-dim);
+  font-size: 14px;
+  line-height: 1;
+  margin-left: 2px;
+}
+
+.tab-close:hover {
+  color: var(--error);
+}
+
+.status-area {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  padding: 0 12px;
   flex-shrink: 0;
+  font-size: 12px;
 }
 
-/* Topic bar */
+.status-nick {
+  color: var(--accent);
+  font-weight: bold;
+}
+
+.status-warn {
+  color: var(--warn);
+  animation: blink 1.5s ease-in-out infinite;
+}
+
+@keyframes blink {
+  0%,
+  100% {
+    opacity: 1;
+  }
+  50% {
+    opacity: 0.4;
+  }
+}
+
+/* ============================================
+   Topic Bar
+   ============================================ */
+
 .topic-bar {
-  padding: 6px 12px;
-  background: var(--topic-bg);
+  padding: 4px 12px;
+  background: var(--bg-topic);
   border-bottom: 1px solid var(--border);
-  color: var(--text-muted);
   font-size: 12px;
   white-space: nowrap;
   overflow: hidden;
   text-overflow: ellipsis;
   flex-shrink: 0;
+  line-height: 1.5;
 }
 
-/* Content area */
-.content {
+.topic-label {
+  color: var(--text-dim);
+}
+
+.topic-text {
+  color: var(--text);
+}
+
+/* ============================================
+   Main Content Area
+   ============================================ */
+
+.main-area {
   display: flex;
   flex: 1;
   overflow: hidden;
+  min-height: 0;
 }
 
-/* Messages */
-.messages-pane {
+/* ============================================
+   Messages Panel
+   ============================================ */
+
+.messages-panel {
   flex: 1;
   display: flex;
   flex-direction: column;
   overflow: hidden;
+  min-width: 0;
 }
 
-.messages {
+.messages-scroll {
   flex: 1;
   overflow-y: auto;
-  padding: 8px 12px;
+  padding: 4px 8px;
+  scrollbar-width: thin;
+  scrollbar-color: var(--border) transparent;
 }
 
+.messages-scroll::-webkit-scrollbar {
+  width: 8px;
+}
+
+.messages-scroll::-webkit-scrollbar-track {
+  background: transparent;
+}
+
+.messages-scroll::-webkit-scrollbar-thumb {
+  background: var(--border);
+  border-radius: 4px;
+}
+
+/* ============================================
+   Message Lines
+   ============================================ */
+
 .message {
-  padding: 2px 0;
+  padding: 1px 0;
   line-height: 1.4;
+  white-space: pre-wrap;
   word-wrap: break-word;
+  font-size: 13px;
 }
 
 .message .timestamp {
   color: var(--timestamp);
   font-size: 12px;
-  margin-right: 8px;
 }
 
 .message .nick {
-  color: var(--nick);
   font-weight: bold;
-  margin-right: 8px;
 }
 
-.message .nick::before { content: '<'; }
-.message .nick::after { content: '>'; }
+.message .content {
+  color: var(--text);
+}
 
-.message.system {
-  color: var(--text-muted);
+/* System messages (joins, parts, quits, etc.) */
+.system-message {
+  color: var(--system);
+}
+
+.system-message .system-text {
+  color: var(--system);
+}
+
+/* /me action messages */
+.action-message .action-text {
+  color: var(--action);
+}
+
+/* ============================================
+   User List (Right Panel)
+   ============================================ */
+
+.user-list {
+  width: 160px;
+  background: var(--user-list-bg);
+  border-left: 1px solid var(--border);
+  display: flex;
+  flex-direction: column;
+  flex-shrink: 0;
+  overflow: hidden;
+}
+
+.user-list-header {
+  padding: 6px 10px;
+  color: var(--user-list-header);
+  font-size: 11px;
+  text-transform: uppercase;
+  letter-spacing: 0.5px;
+  border-bottom: 1px solid var(--border);
+  flex-shrink: 0;
+}
+
+.user-list-entries {
+  overflow-y: auto;
+  padding: 4px 0;
+  flex: 1;
+  scrollbar-width: thin;
+  scrollbar-color: var(--border) transparent;
+}
+
+.nick-entry {
+  padding: 2px 10px;
+  font-size: 12px;
+  cursor: pointer;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  line-height: 1.5;
+}
+
+.nick-entry:hover {
+  background: rgba(255, 255, 255, 0.04);
+}
+
+.nick-prefix {
+  color: var(--text-dim);
+  display: inline-block;
+  width: 1ch;
+  text-align: right;
+  margin-right: 1px;
+}
+
+.nick-name {
+  font-weight: normal;
+}
+
+/* ============================================
+   Input Line (Bottom)
+   ============================================ */
+
+.input-line {
+  display: flex;
+  align-items: center;
+  background: var(--input-bg);
+  border-top: 1px solid var(--border);
+  flex-shrink: 0;
+  height: 36px;
+  padding: 0 8px;
+  gap: 6px;
+}
+
+.input-prompt {
+  color: var(--prompt);
+  font-size: 13px;
+  flex-shrink: 0;
+  white-space: nowrap;
+}
+
+.input-line input {
+  flex: 1;
+  padding: 4px 0;
+  font-family: inherit;
+  font-size: 13px;
+  background: transparent;
+  border: none;
+  color: var(--text-bright);
+  outline: none;
+  caret-color: var(--accent);
+}
+
+.input-line input::placeholder {
+  color: var(--text-dim);
   font-style: italic;
 }
 
-.message.system .nick {
-  color: var(--text-muted);
-}
+/* ============================================
+   Responsive
+   ============================================ */
 
-.message.system .nick::before,
-.message.system .nick::after { content: ''; }
-
-/* Input */
-.input-bar {
-  display: flex;
-  border-top: 1px solid var(--border);
-  background: var(--bg-secondary);
-  flex-shrink: 0;
-}
-
-.input-bar input {
-  flex: 1;
-  padding: 10px 12px;
-  font-family: inherit;
-  font-size: 14px;
-  background: var(--bg-input);
-  border: none;
-  color: var(--text);
-  outline: none;
-}
-
-.input-bar button {
-  padding: 10px 16px;
-  font-family: inherit;
-  background: var(--accent);
-  border: none;
-  color: white;
-  cursor: pointer;
-}
-
-/* User list */
-.user-list {
-  width: 160px;
-  background: var(--bg-secondary);
-  border-left: 1px solid var(--border);
-  overflow-y: auto;
-  padding: 8px;
-  flex-shrink: 0;
-}
-
-.user-list h3 {
-  color: var(--text-muted);
-  font-size: 11px;
-  text-transform: uppercase;
-  margin-bottom: 8px;
-  letter-spacing: 1px;
-}
-
-.user-list .user {
-  padding: 3px 4px;
-  color: var(--nick);
-  font-size: 13px;
-  cursor: pointer;
-}
-
-.user-list .user:hover {
-  background: var(--tab-hover);
-}
-
-/* Server tab */
-.server-messages {
-  color: var(--text-muted);
-  padding: 12px;
-  white-space: pre-wrap;
-  overflow-y: auto;
-  flex: 1;
-}
-
-/* Channel join dialog */
-.join-dialog {
-  padding: 12px;
-  display: flex;
-  gap: 8px;
-  background: var(--bg-secondary);
-  border-bottom: 1px solid var(--border);
-  margin-left: auto;
-}
-
-.join-dialog input {
-  padding: 6px 10px;
-  font-family: inherit;
-  font-size: 13px;
-  background: var(--bg-input);
-  border: 1px solid var(--border);
-  color: var(--text);
-  border-radius: 3px;
-  width: 200px;
-}
-
-.join-dialog button {
-  padding: 6px 14px;
-  font-family: inherit;
-  font-size: 13px;
-  background: var(--accent2);
-  border: none;
-  color: var(--text);
-  border-radius: 3px;
-  cursor: pointer;
-}
-
-/* Responsive */
 @media (max-width: 600px) {
-  .user-list { display: none; }
-  .tab { padding: 6px 10px; font-size: 13px; }
+  .user-list {
+    display: none;
+  }
+
+  .tab {
+    padding: 0 8px;
+    font-size: 11px;
+  }
+
+  .input-prompt {
+    font-size: 12px;
+  }
 }